inspec-core 4.3.2 → 4.6.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +37 -21
- data/etc/deprecations.json +10 -0
- data/etc/plugin_filters.json +8 -0
- data/lib/bundles/inspec-compliance/api.rb +1 -1
- data/lib/bundles/inspec-compliance/configuration.rb +1 -1
- data/lib/bundles/inspec-compliance/http.rb +1 -1
- data/lib/bundles/inspec-compliance/support.rb +1 -1
- data/lib/bundles/inspec-compliance/target.rb +1 -1
- data/lib/bundles/inspec-supermarket.rb +3 -7
- data/lib/bundles/inspec-supermarket/api.rb +10 -13
- data/lib/bundles/inspec-supermarket/cli.rb +12 -15
- data/lib/bundles/inspec-supermarket/target.rb +7 -11
- data/lib/fetchers/git.rb +14 -15
- data/lib/fetchers/local.rb +6 -10
- data/lib/fetchers/mock.rb +3 -5
- data/lib/fetchers/url.rb +42 -44
- data/lib/inspec.rb +23 -24
- data/lib/inspec/archive/tar.rb +2 -6
- data/lib/inspec/archive/zip.rb +3 -7
- data/lib/inspec/backend.rb +8 -9
- data/lib/inspec/base_cli.rb +64 -65
- data/lib/inspec/cached_fetcher.rb +2 -3
- data/lib/inspec/cli.rb +136 -97
- data/lib/inspec/config.rb +71 -61
- data/lib/inspec/control_eval_context.rb +22 -18
- data/lib/inspec/dependencies/cache.rb +2 -3
- data/lib/inspec/dependencies/dependency_set.rb +2 -3
- data/lib/inspec/dependencies/lockfile.rb +8 -9
- data/lib/inspec/dependencies/requirement.rb +7 -8
- data/lib/inspec/dependencies/resolver.rb +5 -7
- data/lib/inspec/describe.rb +2 -6
- data/lib/inspec/dist.rb +20 -0
- data/lib/inspec/dsl.rb +4 -7
- data/lib/inspec/dsl_shared.rb +1 -2
- data/lib/inspec/env_printer.rb +11 -12
- data/lib/inspec/errors.rb +0 -4
- data/lib/inspec/exceptions.rb +0 -1
- data/lib/inspec/expect.rb +5 -8
- data/lib/inspec/fetcher.rb +7 -10
- data/lib/inspec/file_provider.rb +24 -24
- data/lib/inspec/formatters.rb +3 -3
- data/lib/inspec/formatters/base.rb +8 -8
- data/lib/inspec/globals.rb +2 -2
- data/lib/inspec/impact.rb +5 -7
- data/lib/inspec/input_registry.rb +84 -33
- data/lib/inspec/library_eval_context.rb +3 -6
- data/lib/inspec/log.rb +1 -5
- data/lib/inspec/metadata.rb +17 -16
- data/lib/inspec/method_source.rb +5 -9
- data/lib/inspec/objects.rb +10 -12
- data/lib/inspec/objects/control.rb +7 -9
- data/lib/inspec/objects/describe.rb +9 -11
- data/lib/inspec/objects/each_loop.rb +1 -3
- data/lib/inspec/objects/input.rb +24 -26
- data/lib/inspec/objects/list.rb +4 -6
- data/lib/inspec/objects/or_test.rb +2 -4
- data/lib/inspec/objects/ruby_helper.rb +3 -5
- data/lib/inspec/objects/tag.rb +0 -2
- data/lib/inspec/objects/test.rb +9 -11
- data/lib/inspec/objects/value.rb +3 -5
- data/lib/inspec/plugin/v1.rb +2 -2
- data/lib/inspec/plugin/v1/plugin_types/cli.rb +1 -5
- data/lib/inspec/plugin/v1/plugin_types/fetcher.rb +2 -5
- data/lib/inspec/plugin/v1/plugin_types/resource.rb +4 -6
- data/lib/inspec/plugin/v1/plugin_types/secret.rb +1 -5
- data/lib/inspec/plugin/v1/plugin_types/source_reader.rb +1 -5
- data/lib/inspec/plugin/v1/plugins.rb +15 -19
- data/lib/inspec/plugin/v1/registry.rb +0 -4
- data/lib/inspec/plugin/v2.rb +8 -8
- data/lib/inspec/plugin/v2/activator.rb +1 -1
- data/lib/inspec/plugin/v2/config_file.rb +6 -6
- data/lib/inspec/plugin/v2/filter.rb +13 -13
- data/lib/inspec/plugin/v2/installer.rb +36 -24
- data/lib/inspec/plugin/v2/loader.rb +28 -28
- data/lib/inspec/plugin/v2/plugin_base.rb +15 -2
- data/lib/inspec/plugin/v2/plugin_types/cli.rb +5 -5
- data/lib/inspec/plugin/v2/plugin_types/input.rb +34 -0
- data/lib/inspec/plugin/v2/plugin_types/mock.rb +1 -1
- data/lib/inspec/plugin/v2/registry.rb +7 -7
- data/lib/inspec/polyfill.rb +0 -3
- data/lib/inspec/profile.rb +55 -63
- data/lib/inspec/profile_context.rb +27 -30
- data/lib/inspec/profile_vendor.rb +6 -9
- data/lib/inspec/reporters.rb +24 -24
- data/lib/inspec/reporters/automate.rb +17 -19
- data/lib/inspec/reporters/base.rb +1 -1
- data/lib/inspec/reporters/cli.rb +88 -91
- data/lib/inspec/reporters/json.rb +2 -4
- data/lib/inspec/reporters/json_automate.rb +1 -3
- data/lib/inspec/reporters/json_min.rb +1 -3
- data/lib/inspec/reporters/junit.rb +26 -28
- data/lib/inspec/reporters/yaml.rb +1 -3
- data/lib/inspec/require_loader.rb +0 -4
- data/lib/inspec/resource.rb +4 -125
- data/lib/inspec/resources.rb +121 -0
- data/lib/{resources → inspec/resources}/aide_conf.rb +24 -25
- data/lib/{resources → inspec/resources}/apache.rb +13 -14
- data/lib/{resources → inspec/resources}/apache_conf.rb +16 -17
- data/lib/{resources → inspec/resources}/apt.rb +17 -17
- data/lib/{resources → inspec/resources}/audit_policy.rb +7 -6
- data/lib/{resources → inspec/resources}/auditd.rb +62 -64
- data/lib/{resources → inspec/resources}/auditd_conf.rb +7 -8
- data/lib/{resources → inspec/resources}/bash.rb +6 -8
- data/lib/{resources → inspec/resources}/bond.rb +15 -14
- data/lib/{resources → inspec/resources}/bridge.rb +8 -8
- data/lib/{resources → inspec/resources}/chocolatey_package.rb +10 -8
- data/lib/{resources → inspec/resources}/command.rb +11 -10
- data/lib/{resources → inspec/resources}/cpan.rb +12 -12
- data/lib/{resources → inspec/resources}/cran.rb +9 -9
- data/lib/{resources → inspec/resources}/crontab.rb +47 -48
- data/lib/{resources → inspec/resources}/csv.rb +5 -5
- data/lib/{resources → inspec/resources}/dh_params.rb +5 -7
- data/lib/{resources → inspec/resources}/directory.rb +5 -7
- data/lib/{resources → inspec/resources}/docker.rb +63 -63
- data/lib/{resources → inspec/resources}/docker_container.rb +6 -6
- data/lib/{resources → inspec/resources}/docker_image.rb +9 -9
- data/lib/{resources → inspec/resources}/docker_object.rb +8 -13
- data/lib/{resources → inspec/resources}/docker_plugin.rb +6 -6
- data/lib/{resources → inspec/resources}/docker_service.rb +7 -7
- data/lib/{resources → inspec/resources}/elasticsearch.rb +40 -42
- data/lib/{resources → inspec/resources}/etc_fstab.rb +23 -24
- data/lib/{resources → inspec/resources}/etc_group.rb +26 -27
- data/lib/{resources → inspec/resources}/etc_hosts.rb +11 -13
- data/lib/{resources → inspec/resources}/etc_hosts_allow_deny.rb +25 -27
- data/lib/{resources → inspec/resources}/file.rb +80 -79
- data/lib/{resources → inspec/resources}/filesystem.rb +20 -15
- data/lib/{resources → inspec/resources}/firewalld.rb +26 -26
- data/lib/{resources → inspec/resources}/gem.rb +12 -12
- data/lib/{resources → inspec/resources}/groups.rb +28 -27
- data/lib/{resources → inspec/resources}/grub_conf.rb +46 -48
- data/lib/{resources → inspec/resources}/host.rb +31 -29
- data/lib/{resources → inspec/resources}/http.rb +24 -24
- data/lib/{resources → inspec/resources}/iis_app.rb +6 -7
- data/lib/{resources → inspec/resources}/iis_app_pool.rb +21 -19
- data/lib/{resources → inspec/resources}/iis_site.rb +17 -15
- data/lib/{resources → inspec/resources}/inetd_conf.rb +9 -10
- data/lib/{resources → inspec/resources}/ini.rb +7 -8
- data/lib/{resources → inspec/resources}/interface.rb +30 -30
- data/lib/{resources → inspec/resources}/iptables.rb +8 -8
- data/lib/{resources → inspec/resources}/json.rb +8 -10
- data/lib/{resources → inspec/resources}/kernel_module.rb +15 -15
- data/lib/{resources → inspec/resources}/kernel_parameter.rb +8 -8
- data/lib/{resources → inspec/resources}/key_rsa.rb +8 -10
- data/lib/{resources → inspec/resources}/ksh.rb +6 -8
- data/lib/{resources → inspec/resources}/limits_conf.rb +8 -9
- data/lib/{resources/login_def.rb → inspec/resources/login_defs.rb} +9 -10
- data/lib/{resources → inspec/resources}/mount.rb +6 -8
- data/lib/{resources → inspec/resources}/mssql_session.rb +16 -18
- data/lib/inspec/resources/mysql.rb +81 -0
- data/lib/{resources → inspec/resources}/mysql_conf.rb +13 -14
- data/lib/{resources → inspec/resources}/mysql_session.rb +16 -16
- data/lib/{resources → inspec/resources}/nginx.rb +16 -17
- data/lib/{resources → inspec/resources}/nginx_conf.rb +26 -27
- data/lib/{resources → inspec/resources}/npm.rb +9 -10
- data/lib/{resources → inspec/resources}/ntp_conf.rb +9 -10
- data/lib/{resources → inspec/resources}/oneget.rb +8 -8
- data/lib/{resources → inspec/resources}/oracledb_session.rb +33 -34
- data/lib/{resources → inspec/resources}/os.rb +6 -8
- data/lib/{resources → inspec/resources}/os_env.rb +11 -12
- data/lib/{resources → inspec/resources}/package.rb +66 -65
- data/lib/{resources → inspec/resources}/packages.rb +13 -13
- data/lib/{resources → inspec/resources}/parse_config.rb +8 -8
- data/lib/{resources → inspec/resources}/passwd.rb +18 -19
- data/lib/{resources → inspec/resources}/pip.rb +19 -19
- data/lib/{resources → inspec/resources}/platform.rb +9 -11
- data/lib/{resources → inspec/resources}/port.rb +134 -136
- data/lib/{resources → inspec/resources}/postgres.rb +40 -32
- data/lib/{resources → inspec/resources}/postgres_conf.rb +17 -17
- data/lib/{resources → inspec/resources}/postgres_hba_conf.rb +21 -23
- data/lib/{resources → inspec/resources}/postgres_ident_conf.rb +12 -14
- data/lib/{resources → inspec/resources}/postgres_session.rb +8 -9
- data/lib/{resources → inspec/resources}/powershell.rb +17 -13
- data/lib/{resources → inspec/resources}/processes.rb +29 -29
- data/lib/{resources/rabbitmq_conf.rb → inspec/resources/rabbitmq_config.rb} +10 -11
- data/lib/{resources → inspec/resources}/registry_key.rb +14 -14
- data/lib/inspec/resources/script.rb +1 -0
- data/lib/{resources → inspec/resources}/security_identifier.rb +11 -10
- data/lib/{resources → inspec/resources}/security_policy.rb +59 -58
- data/lib/{resources → inspec/resources}/service.rb +74 -75
- data/lib/{resources → inspec/resources}/shadow.rb +44 -45
- data/lib/{resources/ssh_conf.rb → inspec/resources/ssh_config.rb} +16 -17
- data/lib/{resources → inspec/resources}/ssl.rb +28 -29
- data/lib/inspec/resources/sys_info.rb +30 -0
- data/lib/{resources → inspec/resources}/toml.rb +5 -7
- data/lib/{resources → inspec/resources}/users.rb +65 -65
- data/lib/{resources → inspec/resources}/vbscript.rb +8 -9
- data/lib/{resources → inspec/resources}/virtualization.rb +60 -62
- data/lib/{resources → inspec/resources}/windows_feature.rb +9 -9
- data/lib/{resources → inspec/resources}/windows_hotfix.rb +5 -5
- data/lib/{resources → inspec/resources}/windows_task.rb +16 -15
- data/lib/{resources → inspec/resources}/wmi.rb +7 -8
- data/lib/{resources → inspec/resources}/x509_certificate.rb +9 -11
- data/lib/{resources/xinetd.rb → inspec/resources/xinetd_conf.rb} +27 -29
- data/lib/{resources → inspec/resources}/xml.rb +7 -7
- data/lib/{resources → inspec/resources}/yaml.rb +5 -6
- data/lib/{resources → inspec/resources}/yum.rb +10 -10
- data/lib/{resources → inspec/resources}/zfs_dataset.rb +6 -6
- data/lib/{resources → inspec/resources}/zfs_pool.rb +4 -4
- data/lib/inspec/rspec_extensions.rb +24 -8
- data/lib/inspec/rule.rb +14 -15
- data/lib/inspec/runner.rb +28 -28
- data/lib/inspec/runner_mock.rb +1 -5
- data/lib/inspec/runner_rspec.rb +18 -20
- data/lib/inspec/runtime_profile.rb +2 -5
- data/lib/inspec/schema.rb +142 -143
- data/lib/inspec/secrets.rb +3 -7
- data/lib/inspec/secrets/yaml.rb +3 -5
- data/lib/inspec/shell.rb +11 -15
- data/lib/inspec/shell_detector.rb +6 -7
- data/lib/inspec/source_reader.rb +4 -8
- data/lib/inspec/ui.rb +33 -39
- data/lib/inspec/ui_table_helper.rb +12 -0
- data/lib/{utils → inspec/utils}/command_wrapper.rb +4 -8
- data/lib/{utils → inspec/utils}/convert.rb +0 -4
- data/lib/{utils → inspec/utils}/database_helpers.rb +4 -8
- data/lib/inspec/utils/deprecation.rb +6 -0
- data/lib/{utils → inspec/utils}/deprecation/config_file.rb +19 -19
- data/lib/{utils → inspec/utils}/deprecation/deprecator.rb +12 -12
- data/lib/{utils → inspec/utils}/deprecation/errors.rb +1 -1
- data/lib/{utils → inspec/utils}/deprecation/global_method.rb +2 -2
- data/lib/{utils → inspec/utils}/enumerable_delegation.rb +0 -2
- data/lib/{utils → inspec/utils}/erlang_parser.rb +61 -65
- data/lib/{utils → inspec/utils}/file_reader.rb +1 -2
- data/lib/{utils → inspec/utils}/filter.rb +30 -33
- data/lib/{utils → inspec/utils}/filter_array.rb +0 -2
- data/lib/{utils → inspec/utils}/find_files.rb +9 -12
- data/lib/{utils → inspec/utils}/hash.rb +1 -5
- data/lib/inspec/utils/json_log.rb +15 -0
- data/lib/inspec/utils/latest_version.rb +13 -0
- data/lib/{utils → inspec/utils}/modulator.rb +0 -3
- data/lib/{utils → inspec/utils}/nginx_parser.rb +31 -35
- data/lib/{utils → inspec/utils}/object_traversal.rb +0 -3
- data/lib/{utils → inspec/utils}/parser.rb +45 -45
- data/lib/{utils → inspec/utils}/pkey_reader.rb +4 -2
- data/lib/{utils → inspec/utils}/simpleconfig.rb +8 -10
- data/lib/{utils → inspec/utils}/spdx.rb +1 -4
- data/lib/{utils → inspec/utils}/spdx.txt +0 -0
- data/lib/inspec/utils/telemetry.rb +3 -3
- data/lib/inspec/utils/telemetry/collector.rb +30 -9
- data/lib/inspec/utils/telemetry/data_series.rb +3 -1
- data/lib/inspec/utils/telemetry/global_methods.rb +1 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/matchers/matchers.rb +22 -25
- data/lib/plugins/inspec-artifact/lib/inspec-artifact.rb +1 -1
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb +52 -45
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/cli.rb +18 -16
- data/lib/plugins/inspec-compliance/lib/inspec-compliance.rb +1 -1
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +73 -73
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +66 -62
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +59 -57
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/configuration.rb +11 -11
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/http.rb +20 -22
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/support.rb +2 -4
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb +30 -27
- data/lib/plugins/inspec-habitat/Berksfile +2 -2
- data/lib/plugins/inspec-habitat/lib/inspec-habitat.rb +1 -1
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/cli.rb +15 -13
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/profile.rb +64 -63
- data/lib/plugins/inspec-habitat/templates/habitat/hooks/run.erb +3 -3
- data/lib/plugins/inspec-habitat/templates/habitat/plan.sh.erb +11 -11
- data/lib/plugins/inspec-init/lib/inspec-init.rb +1 -1
- data/lib/plugins/inspec-init/lib/inspec-init/cli.rb +6 -8
- data/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb +72 -74
- data/lib/plugins/inspec-init/lib/inspec-init/cli_profile.rb +9 -11
- data/lib/plugins/inspec-init/lib/inspec-init/renderer.rb +4 -4
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Gemfile +0 -1
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/cli_command.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.rb +0 -2
- data/lib/plugins/inspec-init/templates/profiles/os/controls/example.rb +6 -7
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli.rb +1 -2
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +72 -70
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/plugin.rb +1 -1
- data/lib/plugins/shared/core_plugin_test_helper.rb +43 -38
- data/lib/source_readers/flat.rb +6 -10
- data/lib/source_readers/inspec.rb +8 -12
- metadata +139 -140
- data/lib/resources/mysql.rb +0 -82
- data/lib/resources/sys_info.rb +0 -28
- data/lib/utils/deprecation.rb +0 -6
- data/lib/utils/json_log.rb +0 -18
- data/lib/utils/latest_version.rb +0 -22
@@ -1,13 +1,11 @@
|
|
1
|
-
|
2
|
-
|
3
|
-
require 'utils/command_wrapper'
|
4
|
-
require 'resources/command'
|
1
|
+
require "inspec/utils/command_wrapper"
|
2
|
+
require "inspec/resources/command"
|
5
3
|
|
6
4
|
module Inspec::Resources
|
7
5
|
class Ksh < Cmd
|
8
|
-
name
|
9
|
-
supports platform:
|
10
|
-
desc
|
6
|
+
name "ksh"
|
7
|
+
supports platform: "unix"
|
8
|
+
desc "Run a command or script in KornShell."
|
11
9
|
example <<~EXAMPLE
|
12
10
|
describe ksh('ls -al /') do
|
13
11
|
its('stdout') { should match /bin/ }
|
@@ -24,7 +22,7 @@ module Inspec::Resources
|
|
24
22
|
|
25
23
|
def initialize(command, options = {})
|
26
24
|
@raw_command = command
|
27
|
-
options[:shell] =
|
25
|
+
options[:shell] = "ksh" if options.is_a?(Hash)
|
28
26
|
super(CommandWrapper.wrap(command, options))
|
29
27
|
end
|
30
28
|
|
@@ -1,14 +1,13 @@
|
|
1
|
-
# encoding: utf-8
|
2
1
|
# copyright: 2015, Vulcano Security GmbH
|
3
2
|
|
4
|
-
require
|
5
|
-
require
|
3
|
+
require "inspec/utils/simpleconfig"
|
4
|
+
require "inspec/utils/file_reader"
|
6
5
|
|
7
6
|
module Inspec::Resources
|
8
7
|
class LimitsConf < Inspec.resource(1)
|
9
|
-
name
|
10
|
-
supports platform:
|
11
|
-
desc
|
8
|
+
name "limits_conf"
|
9
|
+
supports platform: "unix"
|
10
|
+
desc "Use the limits_conf InSpec audit resource to test configuration settings in the /etc/security/limits.conf file. The limits.conf defines limits for processes (by user and/or group names) and helps ensure that the system on which those processes are running remains stable. Each process may be assigned a hard or soft limit."
|
12
11
|
example <<~EXAMPLE
|
13
12
|
describe limits_conf do
|
14
13
|
its('*') { should include ['hard','core','0'] }
|
@@ -18,7 +17,7 @@ module Inspec::Resources
|
|
18
17
|
include FileReader
|
19
18
|
|
20
19
|
def initialize(path = nil)
|
21
|
-
@conf_path = path ||
|
20
|
+
@conf_path = path || "/etc/security/limits.conf"
|
22
21
|
@content = read_file_content(@conf_path)
|
23
22
|
end
|
24
23
|
|
@@ -34,13 +33,13 @@ module Inspec::Resources
|
|
34
33
|
@content,
|
35
34
|
assignment_regex: /^\s*(\S+?)\s+(.*?)\s+(.*?)\s+(.*?)\s*$/,
|
36
35
|
key_values: 3,
|
37
|
-
multiple_values: true
|
36
|
+
multiple_values: true
|
38
37
|
)
|
39
38
|
@params = conf.params
|
40
39
|
end
|
41
40
|
|
42
41
|
def to_s
|
43
|
-
|
42
|
+
"limits.conf"
|
44
43
|
end
|
45
44
|
end
|
46
45
|
end
|
@@ -1,8 +1,7 @@
|
|
1
|
-
# encoding: utf-8
|
2
1
|
# copyright: 2015, Vulcano Security GmbH
|
3
2
|
|
4
|
-
require
|
5
|
-
require
|
3
|
+
require "inspec/utils/simpleconfig"
|
4
|
+
require "inspec/utils/file_reader"
|
6
5
|
|
7
6
|
# Usage:
|
8
7
|
#
|
@@ -17,10 +16,10 @@ require 'utils/file_reader'
|
|
17
16
|
# end
|
18
17
|
|
19
18
|
module Inspec::Resources
|
20
|
-
class
|
21
|
-
name
|
22
|
-
supports platform:
|
23
|
-
desc
|
19
|
+
class LoginDefs < Inspec.resource(1)
|
20
|
+
name "login_defs"
|
21
|
+
supports platform: "unix"
|
22
|
+
desc "Use the login_defs InSpec audit resource to test configuration settings in the /etc/login.defs file. The logins.defs file defines site-specific configuration for the shadow password suite on Linux and UNIX platforms, such as password expiration ranges, minimum/maximum values for automatic selection of user and group identifiers, or the method with which passwords are encrypted."
|
24
23
|
example <<~EXAMPLE
|
25
24
|
describe login_defs do
|
26
25
|
its('ENCRYPT_METHOD') { should eq 'SHA512' }
|
@@ -30,7 +29,7 @@ module Inspec::Resources
|
|
30
29
|
include FileReader
|
31
30
|
|
32
31
|
def initialize(path = nil)
|
33
|
-
@conf_path = path ||
|
32
|
+
@conf_path = path || "/etc/login.defs"
|
34
33
|
@content = read_file_content(@conf_path)
|
35
34
|
end
|
36
35
|
|
@@ -45,13 +44,13 @@ module Inspec::Resources
|
|
45
44
|
conf = SimpleConfig.new(
|
46
45
|
@content,
|
47
46
|
assignment_regex: /^\s*(\S+)\s+(\S*)\s*$/,
|
48
|
-
multiple_values: false
|
47
|
+
multiple_values: false
|
49
48
|
)
|
50
49
|
@params = conf.params
|
51
50
|
end
|
52
51
|
|
53
52
|
def to_s
|
54
|
-
|
53
|
+
"login.defs"
|
55
54
|
end
|
56
55
|
end
|
57
56
|
end
|
@@ -1,12 +1,10 @@
|
|
1
|
-
|
2
|
-
|
3
|
-
require 'utils/simpleconfig'
|
1
|
+
require "inspec/utils/simpleconfig"
|
4
2
|
|
5
3
|
module Inspec::Resources
|
6
4
|
class Mount < Inspec.resource(1)
|
7
|
-
name
|
8
|
-
supports platform:
|
9
|
-
desc
|
5
|
+
name "mount"
|
6
|
+
supports platform: "unix"
|
7
|
+
desc "Use the mount InSpec audit resource to test if mount points."
|
10
8
|
example <<~EXAMPLE
|
11
9
|
describe mount('/') do
|
12
10
|
it { should be_mounted }
|
@@ -22,7 +20,7 @@ module Inspec::Resources
|
|
22
20
|
def initialize(path)
|
23
21
|
@path = path
|
24
22
|
@mount_manager = mount_manager_for_os
|
25
|
-
return skip_resource
|
23
|
+
return skip_resource "The `mount` resource is not supported on your OS yet." if @mount_manager.nil?
|
26
24
|
@file = inspec.backend.file(@path)
|
27
25
|
end
|
28
26
|
|
@@ -61,7 +59,7 @@ module Inspec::Resources
|
|
61
59
|
os = inspec.os
|
62
60
|
if os.linux?
|
63
61
|
LinuxMounts.new(inspec)
|
64
|
-
elsif [
|
62
|
+
elsif ["freebsd"].include?(os[:family])
|
65
63
|
BsdMounts.new(inspec)
|
66
64
|
end
|
67
65
|
end
|
@@ -1,7 +1,6 @@
|
|
1
|
-
|
2
|
-
|
3
|
-
require
|
4
|
-
require 'utils/database_helpers'
|
1
|
+
require "inspec/resources/command"
|
2
|
+
require "hashie/mash"
|
3
|
+
require "inspec/utils/database_helpers"
|
5
4
|
|
6
5
|
module Inspec::Resources
|
7
6
|
# STABILITY: Experimental
|
@@ -11,9 +10,8 @@ module Inspec::Resources
|
|
11
10
|
# @see https://docs.microsoft.com/en-us/sql/relational-databases/scripting/sqlcmd-use-the-utility
|
12
11
|
# @see https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-connect-and-query-sqlcmd
|
13
12
|
class MssqlSession < Inspec.resource(1)
|
14
|
-
name
|
15
|
-
|
16
|
-
desc 'Use the mssql_session InSpec audit resource to test SQL commands run against a MS Sql Server database.'
|
13
|
+
name "mssql_session"
|
14
|
+
desc "Use the mssql_session InSpec audit resource to test SQL commands run against a MS Sql Server database."
|
17
15
|
example <<~EXAMPLE
|
18
16
|
# Using SQL authentication
|
19
17
|
sql = mssql_session(user: 'myuser', pass: 'mypassword')
|
@@ -34,22 +32,22 @@ module Inspec::Resources
|
|
34
32
|
@user = opts[:user]
|
35
33
|
@password = opts[:password] || opts[:pass]
|
36
34
|
if opts[:pass]
|
37
|
-
Inspec.deprecate(:mssql_session_pass_option,
|
35
|
+
Inspec.deprecate(:mssql_session_pass_option, "The mssql_session `pass` option is deprecated. Please use `password`.")
|
38
36
|
end
|
39
37
|
@local_mode = opts[:local_mode]
|
40
38
|
unless local_mode?
|
41
|
-
@host = opts[:host] ||
|
39
|
+
@host = opts[:host] || "localhost"
|
42
40
|
if opts.key?(:port)
|
43
41
|
@port = opts[:port]
|
44
42
|
else
|
45
|
-
@port =
|
43
|
+
@port = "1433"
|
46
44
|
end
|
47
45
|
end
|
48
46
|
@instance = opts[:instance]
|
49
47
|
@db_name = opts[:db_name]
|
50
48
|
|
51
49
|
# check if sqlcmd is available
|
52
|
-
raise Inspec::Exceptions::ResourceSkipped,
|
50
|
+
raise Inspec::Exceptions::ResourceSkipped, "sqlcmd is missing" unless inspec.command("sqlcmd").exist?
|
53
51
|
# check that database is reachable
|
54
52
|
raise Inspec::Exceptions::ResourceSkipped, "Can't connect to the MS SQL Server." unless test_connection
|
55
53
|
end
|
@@ -82,7 +80,7 @@ module Inspec::Resources
|
|
82
80
|
end
|
83
81
|
|
84
82
|
def to_s
|
85
|
-
|
83
|
+
"MSSQL session"
|
86
84
|
end
|
87
85
|
|
88
86
|
private
|
@@ -92,11 +90,11 @@ module Inspec::Resources
|
|
92
90
|
end
|
93
91
|
|
94
92
|
def test_connection
|
95
|
-
!query(
|
93
|
+
!query("select getdate()").empty?
|
96
94
|
end
|
97
95
|
|
98
96
|
def parse_csv_result(cmd)
|
99
|
-
require
|
97
|
+
require "csv"
|
100
98
|
table = CSV.parse(cmd.stdout, { headers: true })
|
101
99
|
|
102
100
|
# remove first row, since it will be a seperator line
|
@@ -105,13 +103,13 @@ module Inspec::Resources
|
|
105
103
|
# convert to hash
|
106
104
|
headers = table.headers
|
107
105
|
|
108
|
-
results = table.map
|
106
|
+
results = table.map do |row|
|
109
107
|
res = {}
|
110
|
-
headers.each
|
108
|
+
headers.each do |header|
|
111
109
|
res[header.downcase] = row[header] if header
|
112
|
-
|
110
|
+
end
|
113
111
|
Hashie::Mash.new(res)
|
114
|
-
|
112
|
+
end
|
115
113
|
results
|
116
114
|
end
|
117
115
|
end
|
@@ -0,0 +1,81 @@
|
|
1
|
+
# copyright: 2015, Vulcano Security GmbH
|
2
|
+
|
3
|
+
module Inspec::Resources
|
4
|
+
class Mysql < Inspec.resource(1)
|
5
|
+
name "mysql"
|
6
|
+
supports platform: "unix"
|
7
|
+
desc "The 'mysql' resource is a helper for the 'mysql_conf' & 'mysql_session' resources. Please use those instead."
|
8
|
+
|
9
|
+
attr_reader :package, :service, :conf_dir, :conf_path, :data_dir, :log_dir, :log_path, :log_group, :log_dir_group
|
10
|
+
def initialize
|
11
|
+
# set OS-dependent filenames and paths
|
12
|
+
case inspec.os[:family]
|
13
|
+
when "debian"
|
14
|
+
init_ubuntu
|
15
|
+
when "redhat", "fedora"
|
16
|
+
init_redhat
|
17
|
+
when "arch"
|
18
|
+
init_arch
|
19
|
+
else
|
20
|
+
# TODO: could not detect
|
21
|
+
init_default
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
def init_ubuntu
|
26
|
+
@package = "mysql-server"
|
27
|
+
@service = "mysql"
|
28
|
+
@conf_path = "/etc/mysql/my.cnf"
|
29
|
+
@conf_dir = "/etc/mysql/"
|
30
|
+
@data_dir = "/var/lib/mysql/"
|
31
|
+
@log_dir = "/var/log/"
|
32
|
+
@log_path = "/var/log/mysql.log"
|
33
|
+
@log_group = "adm"
|
34
|
+
case inspec.os[:release]
|
35
|
+
when "14.04"
|
36
|
+
@log_dir_group = "syslog"
|
37
|
+
else
|
38
|
+
@log_dir_group = "root"
|
39
|
+
end
|
40
|
+
end
|
41
|
+
|
42
|
+
def init_redhat
|
43
|
+
@package = "mysql-server"
|
44
|
+
@service = "mysqld"
|
45
|
+
@conf_path = "/etc/my.cnf"
|
46
|
+
@conf_dir = "/etc/"
|
47
|
+
@data_dir = "/var/lib/mysql/"
|
48
|
+
@log_dir = "/var/log/"
|
49
|
+
@log_path = "/var/log/mysqld.log"
|
50
|
+
@log_group = "mysql"
|
51
|
+
@log_dir_group = "root"
|
52
|
+
end
|
53
|
+
|
54
|
+
def init_arch
|
55
|
+
@package = "mariadb"
|
56
|
+
@service = "mysql"
|
57
|
+
@conf_path = "/etc/mysql/my.cnf"
|
58
|
+
@conf_dir = "/etc/mysql/"
|
59
|
+
@data_dir = "/var/lib/mysql/"
|
60
|
+
@log_dir = "/var/log/"
|
61
|
+
@log_path = "/var/log/mysql.log"
|
62
|
+
@log_group = "mysql"
|
63
|
+
@log_dir_group = "root"
|
64
|
+
end
|
65
|
+
|
66
|
+
def init_default
|
67
|
+
@service = "mysqld"
|
68
|
+
@conf_path = "/etc/my.cnf"
|
69
|
+
@conf_dir = "/etc/"
|
70
|
+
@data_dir = "/var/lib/mysql/"
|
71
|
+
@log_dir = "/var/log/"
|
72
|
+
@log_path = "/var/log/mysqld.log"
|
73
|
+
@log_group = "mysql"
|
74
|
+
@log_dir_group = "root"
|
75
|
+
end
|
76
|
+
|
77
|
+
def to_s
|
78
|
+
"MySQL"
|
79
|
+
end
|
80
|
+
end
|
81
|
+
end
|
@@ -1,11 +1,10 @@
|
|
1
|
-
# encoding: utf-8
|
2
1
|
# copyright: 2015, Vulcano Security GmbH
|
3
2
|
|
4
|
-
require
|
5
|
-
require
|
6
|
-
require
|
7
|
-
require
|
8
|
-
require
|
3
|
+
require "inspec/utils/simpleconfig"
|
4
|
+
require "inspec/utils/find_files"
|
5
|
+
require "inspec/utils/file_reader"
|
6
|
+
require "inspec/utils/hash"
|
7
|
+
require "inspec/resources/mysql"
|
9
8
|
|
10
9
|
module Inspec::Resources
|
11
10
|
class MysqlConfEntry
|
@@ -27,10 +26,10 @@ module Inspec::Resources
|
|
27
26
|
end
|
28
27
|
|
29
28
|
class MysqlConf < Inspec.resource(1)
|
30
|
-
name
|
31
|
-
supports platform:
|
32
|
-
supports platform:
|
33
|
-
desc
|
29
|
+
name "mysql_conf"
|
30
|
+
supports platform: "unix"
|
31
|
+
supports platform: "windows"
|
32
|
+
desc "Use the mysql_conf InSpec audit resource to test the contents of the configuration file for MySQL, typically located at /etc/mysql/my.cnf or /etc/my.cnf."
|
34
33
|
example <<~EXAMPLE
|
35
34
|
describe mysql_conf('path') do
|
36
35
|
its('setting') { should eq 'value' }
|
@@ -77,7 +76,7 @@ module Inspec::Resources
|
|
77
76
|
end
|
78
77
|
|
79
78
|
def read_content
|
80
|
-
@content =
|
79
|
+
@content = ""
|
81
80
|
@params = {}
|
82
81
|
|
83
82
|
to_read = [@conf_path]
|
@@ -106,13 +105,13 @@ module Inspec::Resources
|
|
106
105
|
dirs = conf.scan(/^!includedir\s+(.*)\s*/).flatten.compact.map { |x| abs_path(reldir, x) }
|
107
106
|
dirs.map do |dir|
|
108
107
|
# @TODO: non local glob
|
109
|
-
files += find_files(dir, depth: 1, type:
|
108
|
+
files += find_files(dir, depth: 1, type: "file")
|
110
109
|
end
|
111
110
|
files
|
112
111
|
end
|
113
112
|
|
114
113
|
def abs_path(dir, f)
|
115
|
-
return f if f.start_with?
|
114
|
+
return f if f.start_with? "/"
|
116
115
|
File.join(dir, f)
|
117
116
|
end
|
118
117
|
|
@@ -121,7 +120,7 @@ module Inspec::Resources
|
|
121
120
|
end
|
122
121
|
|
123
122
|
def to_s
|
124
|
-
|
123
|
+
"MySQL Configuration"
|
125
124
|
end
|
126
125
|
end
|
127
126
|
end
|
@@ -1,14 +1,14 @@
|
|
1
|
-
# encoding: utf-8
|
2
1
|
# copyright: 2015, Vulcano Security GmbH
|
3
2
|
|
4
|
-
require
|
3
|
+
require "inspec/resources/command"
|
4
|
+
require "shellwords"
|
5
5
|
|
6
6
|
module Inspec::Resources
|
7
7
|
class MysqlSession < Inspec.resource(1)
|
8
|
-
name
|
9
|
-
supports platform:
|
10
|
-
supports platform:
|
11
|
-
desc
|
8
|
+
name "mysql_session"
|
9
|
+
supports platform: "unix"
|
10
|
+
supports platform: "windows"
|
11
|
+
desc "Use the mysql_session InSpec audit resource to test SQL commands run against a MySQL database."
|
12
12
|
example <<~EXAMPLE
|
13
13
|
sql = mysql_session('my_user','password','host')
|
14
14
|
describe sql.query('show databases like \'test\';') do
|
@@ -16,17 +16,17 @@ module Inspec::Resources
|
|
16
16
|
end
|
17
17
|
EXAMPLE
|
18
18
|
|
19
|
-
def initialize(user = nil, pass = nil, host =
|
19
|
+
def initialize(user = nil, pass = nil, host = "localhost", port = nil, socket = nil)
|
20
20
|
@user = user
|
21
21
|
@pass = pass
|
22
22
|
@host = host
|
23
23
|
@port = port
|
24
24
|
@socket = socket
|
25
|
-
init_fallback if user.nil?
|
26
|
-
skip_resource("Can't run MySQL SQL checks without authentication") if @user.nil?
|
25
|
+
init_fallback if user.nil? || pass.nil?
|
26
|
+
skip_resource("Can't run MySQL SQL checks without authentication") if @user.nil? || @pass.nil?
|
27
27
|
end
|
28
28
|
|
29
|
-
def query(q, db =
|
29
|
+
def query(q, db = "")
|
30
30
|
mysql_cmd = create_mysql_cmd(q, db)
|
31
31
|
cmd = inspec.command(mysql_cmd)
|
32
32
|
out = cmd.stdout + "\n" + cmd.stderr
|
@@ -40,7 +40,7 @@ module Inspec::Resources
|
|
40
40
|
end
|
41
41
|
|
42
42
|
def to_s
|
43
|
-
|
43
|
+
"MySQL Session"
|
44
44
|
end
|
45
45
|
|
46
46
|
private
|
@@ -49,13 +49,13 @@ module Inspec::Resources
|
|
49
49
|
Shellwords.escape(query)
|
50
50
|
end
|
51
51
|
|
52
|
-
def create_mysql_cmd(q, db =
|
52
|
+
def create_mysql_cmd(q, db = "")
|
53
53
|
# TODO: simple escape, must be handled by a library
|
54
54
|
# that does this securely
|
55
55
|
escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
|
56
56
|
|
57
57
|
# construct the query
|
58
|
-
command =
|
58
|
+
command = "mysql"
|
59
59
|
command += " -u#{escape_string(@user)}" unless @user.nil?
|
60
60
|
command += " -p#{escape_string(@pass)}" unless @pass.nil?
|
61
61
|
|
@@ -72,13 +72,13 @@ module Inspec::Resources
|
|
72
72
|
|
73
73
|
def init_fallback
|
74
74
|
# support debian mysql administration login
|
75
|
-
return if inspec.platform.in_family?(
|
76
|
-
debian = inspec.command(
|
75
|
+
return if inspec.platform.in_family?("windows")
|
76
|
+
debian = inspec.command("test -f /etc/mysql/debian.cnf && cat /etc/mysql/debian.cnf").stdout
|
77
77
|
return if debian.empty?
|
78
78
|
|
79
79
|
user = debian.match(/^\s*user\s*=\s*([^ ]*)\s*$/)
|
80
80
|
pass = debian.match(/^\s*password\s*=\s*([^ ]*)\s*$/)
|
81
|
-
return if user.nil?
|
81
|
+
return if user.nil? || pass.nil?
|
82
82
|
@user = user[1]
|
83
83
|
@pass = pass[1]
|
84
84
|
end
|