inspec-core 4.3.2 → 4.6.3
- checksums.yaml +4 -4
- data/README.md +37 -21
- data/etc/deprecations.json +10 -0
- data/etc/plugin_filters.json +8 -0
- data/lib/bundles/inspec-compliance/api.rb +1 -1
- data/lib/bundles/inspec-compliance/configuration.rb +1 -1
- data/lib/bundles/inspec-compliance/http.rb +1 -1
- data/lib/bundles/inspec-compliance/support.rb +1 -1
- data/lib/bundles/inspec-compliance/target.rb +1 -1
- data/lib/bundles/inspec-supermarket.rb +3 -7
- data/lib/bundles/inspec-supermarket/api.rb +10 -13
- data/lib/bundles/inspec-supermarket/cli.rb +12 -15
- data/lib/bundles/inspec-supermarket/target.rb +7 -11
- data/lib/fetchers/git.rb +14 -15
- data/lib/fetchers/local.rb +6 -10
- data/lib/fetchers/mock.rb +3 -5
- data/lib/fetchers/url.rb +42 -44
- data/lib/inspec.rb +23 -24
- data/lib/inspec/archive/tar.rb +2 -6
- data/lib/inspec/archive/zip.rb +3 -7
- data/lib/inspec/backend.rb +8 -9
- data/lib/inspec/base_cli.rb +64 -65
- data/lib/inspec/cached_fetcher.rb +2 -3
- data/lib/inspec/cli.rb +136 -97
- data/lib/inspec/config.rb +71 -61
- data/lib/inspec/control_eval_context.rb +22 -18
- data/lib/inspec/dependencies/cache.rb +2 -3
- data/lib/inspec/dependencies/dependency_set.rb +2 -3
- data/lib/inspec/dependencies/lockfile.rb +8 -9
- data/lib/inspec/dependencies/requirement.rb +7 -8
- data/lib/inspec/dependencies/resolver.rb +5 -7
- data/lib/inspec/describe.rb +2 -6
- data/lib/inspec/dist.rb +20 -0
- data/lib/inspec/dsl.rb +4 -7
- data/lib/inspec/dsl_shared.rb +1 -2
- data/lib/inspec/env_printer.rb +11 -12
- data/lib/inspec/errors.rb +0 -4
- data/lib/inspec/exceptions.rb +0 -1
- data/lib/inspec/expect.rb +5 -8
- data/lib/inspec/fetcher.rb +7 -10
- data/lib/inspec/file_provider.rb +24 -24
- data/lib/inspec/formatters.rb +3 -3
- data/lib/inspec/formatters/base.rb +8 -8
- data/lib/inspec/globals.rb +2 -2
- data/lib/inspec/impact.rb +5 -7
- data/lib/inspec/input_registry.rb +84 -33
- data/lib/inspec/library_eval_context.rb +3 -6
- data/lib/inspec/log.rb +1 -5
- data/lib/inspec/metadata.rb +17 -16
- data/lib/inspec/method_source.rb +5 -9
- data/lib/inspec/objects.rb +10 -12
- data/lib/inspec/objects/control.rb +7 -9
- data/lib/inspec/objects/describe.rb +9 -11
- data/lib/inspec/objects/each_loop.rb +1 -3
- data/lib/inspec/objects/input.rb +24 -26
- data/lib/inspec/objects/list.rb +4 -6
- data/lib/inspec/objects/or_test.rb +2 -4
- data/lib/inspec/objects/ruby_helper.rb +3 -5
- data/lib/inspec/objects/tag.rb +0 -2
- data/lib/inspec/objects/test.rb +9 -11
- data/lib/inspec/objects/value.rb +3 -5
- data/lib/inspec/plugin/v1.rb +2 -2
- data/lib/inspec/plugin/v1/plugin_types/cli.rb +1 -5
- data/lib/inspec/plugin/v1/plugin_types/fetcher.rb +2 -5
- data/lib/inspec/plugin/v1/plugin_types/resource.rb +4 -6
- data/lib/inspec/plugin/v1/plugin_types/secret.rb +1 -5
- data/lib/inspec/plugin/v1/plugin_types/source_reader.rb +1 -5
- data/lib/inspec/plugin/v1/plugins.rb +15 -19
- data/lib/inspec/plugin/v1/registry.rb +0 -4
- data/lib/inspec/plugin/v2.rb +8 -8
- data/lib/inspec/plugin/v2/activator.rb +1 -1
- data/lib/inspec/plugin/v2/config_file.rb +6 -6
- data/lib/inspec/plugin/v2/filter.rb +13 -13
- data/lib/inspec/plugin/v2/installer.rb +36 -24
- data/lib/inspec/plugin/v2/loader.rb +28 -28
- data/lib/inspec/plugin/v2/plugin_base.rb +15 -2
- data/lib/inspec/plugin/v2/plugin_types/cli.rb +5 -5
- data/lib/inspec/plugin/v2/plugin_types/input.rb +34 -0
- data/lib/inspec/plugin/v2/plugin_types/mock.rb +1 -1
- data/lib/inspec/plugin/v2/registry.rb +7 -7
- data/lib/inspec/polyfill.rb +0 -3
- data/lib/inspec/profile.rb +55 -63
- data/lib/inspec/profile_context.rb +27 -30
- data/lib/inspec/profile_vendor.rb +6 -9
- data/lib/inspec/reporters.rb +24 -24
- data/lib/inspec/reporters/automate.rb +17 -19
- data/lib/inspec/reporters/base.rb +1 -1
- data/lib/inspec/reporters/cli.rb +88 -91
- data/lib/inspec/reporters/json.rb +2 -4
- data/lib/inspec/reporters/json_automate.rb +1 -3
- data/lib/inspec/reporters/json_min.rb +1 -3
- data/lib/inspec/reporters/junit.rb +26 -28
- data/lib/inspec/reporters/yaml.rb +1 -3
- data/lib/inspec/require_loader.rb +0 -4
- data/lib/inspec/resource.rb +4 -125
- data/lib/inspec/resources.rb +121 -0
- data/lib/{resources → inspec/resources}/aide_conf.rb +24 -25
- data/lib/{resources → inspec/resources}/apache.rb +13 -14
- data/lib/{resources → inspec/resources}/apache_conf.rb +16 -17
- data/lib/{resources → inspec/resources}/apt.rb +17 -17
- data/lib/{resources → inspec/resources}/audit_policy.rb +7 -6
- data/lib/{resources → inspec/resources}/auditd.rb +62 -64
- data/lib/{resources → inspec/resources}/auditd_conf.rb +7 -8
- data/lib/{resources → inspec/resources}/bash.rb +6 -8
- data/lib/{resources → inspec/resources}/bond.rb +15 -14
- data/lib/{resources → inspec/resources}/bridge.rb +8 -8
- data/lib/{resources → inspec/resources}/chocolatey_package.rb +10 -8
- data/lib/{resources → inspec/resources}/command.rb +11 -10
- data/lib/{resources → inspec/resources}/cpan.rb +12 -12
- data/lib/{resources → inspec/resources}/cran.rb +9 -9
- data/lib/{resources → inspec/resources}/crontab.rb +47 -48
- data/lib/{resources → inspec/resources}/csv.rb +5 -5
- data/lib/{resources → inspec/resources}/dh_params.rb +5 -7
- data/lib/{resources → inspec/resources}/directory.rb +5 -7
- data/lib/{resources → inspec/resources}/docker.rb +63 -63
- data/lib/{resources → inspec/resources}/docker_container.rb +6 -6
- data/lib/{resources → inspec/resources}/docker_image.rb +9 -9
- data/lib/{resources → inspec/resources}/docker_object.rb +8 -13
- data/lib/{resources → inspec/resources}/docker_plugin.rb +6 -6
- data/lib/{resources → inspec/resources}/docker_service.rb +7 -7
- data/lib/{resources → inspec/resources}/elasticsearch.rb +40 -42
- data/lib/{resources → inspec/resources}/etc_fstab.rb +23 -24
- data/lib/{resources → inspec/resources}/etc_group.rb +26 -27
- data/lib/{resources → inspec/resources}/etc_hosts.rb +11 -13
- data/lib/{resources → inspec/resources}/etc_hosts_allow_deny.rb +25 -27
- data/lib/{resources → inspec/resources}/file.rb +80 -79
- data/lib/{resources → inspec/resources}/filesystem.rb +20 -15
- data/lib/{resources → inspec/resources}/firewalld.rb +26 -26
- data/lib/{resources → inspec/resources}/gem.rb +12 -12
- data/lib/{resources → inspec/resources}/groups.rb +28 -27
- data/lib/{resources → inspec/resources}/grub_conf.rb +46 -48
- data/lib/{resources → inspec/resources}/host.rb +31 -29
- data/lib/{resources → inspec/resources}/http.rb +24 -24
- data/lib/{resources → inspec/resources}/iis_app.rb +6 -7
- data/lib/{resources → inspec/resources}/iis_app_pool.rb +21 -19
- data/lib/{resources → inspec/resources}/iis_site.rb +17 -15
- data/lib/{resources → inspec/resources}/inetd_conf.rb +9 -10
- data/lib/{resources → inspec/resources}/ini.rb +7 -8
- data/lib/{resources → inspec/resources}/interface.rb +30 -30
- data/lib/{resources → inspec/resources}/iptables.rb +8 -8
- data/lib/{resources → inspec/resources}/json.rb +8 -10
- data/lib/{resources → inspec/resources}/kernel_module.rb +15 -15
- data/lib/{resources → inspec/resources}/kernel_parameter.rb +8 -8
- data/lib/{resources → inspec/resources}/key_rsa.rb +8 -10
- data/lib/{resources → inspec/resources}/ksh.rb +6 -8
- data/lib/{resources → inspec/resources}/limits_conf.rb +8 -9
- data/lib/{resources/login_def.rb → inspec/resources/login_defs.rb} +9 -10
- data/lib/{resources → inspec/resources}/mount.rb +6 -8
- data/lib/{resources → inspec/resources}/mssql_session.rb +16 -18
- data/lib/inspec/resources/mysql.rb +81 -0
- data/lib/{resources → inspec/resources}/mysql_conf.rb +13 -14
- data/lib/{resources → inspec/resources}/mysql_session.rb +16 -16
- data/lib/{resources → inspec/resources}/nginx.rb +16 -17
- data/lib/{resources → inspec/resources}/nginx_conf.rb +26 -27
- data/lib/{resources → inspec/resources}/npm.rb +9 -10
- data/lib/{resources → inspec/resources}/ntp_conf.rb +9 -10
- data/lib/{resources → inspec/resources}/oneget.rb +8 -8
- data/lib/{resources → inspec/resources}/oracledb_session.rb +33 -34
- data/lib/{resources → inspec/resources}/os.rb +6 -8
- data/lib/{resources → inspec/resources}/os_env.rb +11 -12
- data/lib/{resources → inspec/resources}/package.rb +66 -65
- data/lib/{resources → inspec/resources}/packages.rb +13 -13
- data/lib/{resources → inspec/resources}/parse_config.rb +8 -8
- data/lib/{resources → inspec/resources}/passwd.rb +18 -19
- data/lib/{resources → inspec/resources}/pip.rb +19 -19
- data/lib/{resources → inspec/resources}/platform.rb +9 -11
- data/lib/{resources → inspec/resources}/port.rb +134 -136
- data/lib/{resources → inspec/resources}/postgres.rb +40 -32
- data/lib/{resources → inspec/resources}/postgres_conf.rb +17 -17
- data/lib/{resources → inspec/resources}/postgres_hba_conf.rb +21 -23
- data/lib/{resources → inspec/resources}/postgres_ident_conf.rb +12 -14
- data/lib/{resources → inspec/resources}/postgres_session.rb +8 -9
- data/lib/{resources → inspec/resources}/powershell.rb +17 -13
- data/lib/{resources → inspec/resources}/processes.rb +29 -29
- data/lib/{resources/rabbitmq_conf.rb → inspec/resources/rabbitmq_config.rb} +10 -11
- data/lib/{resources → inspec/resources}/registry_key.rb +14 -14
- data/lib/inspec/resources/script.rb +1 -0
- data/lib/{resources → inspec/resources}/security_identifier.rb +11 -10
- data/lib/{resources → inspec/resources}/security_policy.rb +59 -58
- data/lib/{resources → inspec/resources}/service.rb +74 -75
- data/lib/{resources → inspec/resources}/shadow.rb +44 -45
- data/lib/{resources/ssh_conf.rb → inspec/resources/ssh_config.rb} +16 -17
- data/lib/{resources → inspec/resources}/ssl.rb +28 -29
- data/lib/inspec/resources/sys_info.rb +30 -0
- data/lib/{resources → inspec/resources}/toml.rb +5 -7
- data/lib/{resources → inspec/resources}/users.rb +65 -65
- data/lib/{resources → inspec/resources}/vbscript.rb +8 -9
- data/lib/{resources → inspec/resources}/virtualization.rb +60 -62
- data/lib/{resources → inspec/resources}/windows_feature.rb +9 -9
- data/lib/{resources → inspec/resources}/windows_hotfix.rb +5 -5
- data/lib/{resources → inspec/resources}/windows_task.rb +16 -15
- data/lib/{resources → inspec/resources}/wmi.rb +7 -8
- data/lib/{resources → inspec/resources}/x509_certificate.rb +9 -11
- data/lib/{resources/xinetd.rb → inspec/resources/xinetd_conf.rb} +27 -29
- data/lib/{resources → inspec/resources}/xml.rb +7 -7
- data/lib/{resources → inspec/resources}/yaml.rb +5 -6
- data/lib/{resources → inspec/resources}/yum.rb +10 -10
- data/lib/{resources → inspec/resources}/zfs_dataset.rb +6 -6
- data/lib/{resources → inspec/resources}/zfs_pool.rb +4 -4
- data/lib/inspec/rspec_extensions.rb +24 -8
- data/lib/inspec/rule.rb +14 -15
- data/lib/inspec/runner.rb +28 -28
- data/lib/inspec/runner_mock.rb +1 -5
- data/lib/inspec/runner_rspec.rb +18 -20
- data/lib/inspec/runtime_profile.rb +2 -5
- data/lib/inspec/schema.rb +142 -143
- data/lib/inspec/secrets.rb +3 -7
- data/lib/inspec/secrets/yaml.rb +3 -5
- data/lib/inspec/shell.rb +11 -15
- data/lib/inspec/shell_detector.rb +6 -7
- data/lib/inspec/source_reader.rb +4 -8
- data/lib/inspec/ui.rb +33 -39
- data/lib/inspec/ui_table_helper.rb +12 -0
- data/lib/{utils → inspec/utils}/command_wrapper.rb +4 -8
- data/lib/{utils → inspec/utils}/convert.rb +0 -4
- data/lib/{utils → inspec/utils}/database_helpers.rb +4 -8
- data/lib/inspec/utils/deprecation.rb +6 -0
- data/lib/{utils → inspec/utils}/deprecation/config_file.rb +19 -19
- data/lib/{utils → inspec/utils}/deprecation/deprecator.rb +12 -12
- data/lib/{utils → inspec/utils}/deprecation/errors.rb +1 -1
- data/lib/{utils → inspec/utils}/deprecation/global_method.rb +2 -2
- data/lib/{utils → inspec/utils}/enumerable_delegation.rb +0 -2
- data/lib/{utils → inspec/utils}/erlang_parser.rb +61 -65
- data/lib/{utils → inspec/utils}/file_reader.rb +1 -2
- data/lib/{utils → inspec/utils}/filter.rb +30 -33
- data/lib/{utils → inspec/utils}/filter_array.rb +0 -2
- data/lib/{utils → inspec/utils}/find_files.rb +9 -12
- data/lib/{utils → inspec/utils}/hash.rb +1 -5
- data/lib/inspec/utils/json_log.rb +15 -0
- data/lib/inspec/utils/latest_version.rb +13 -0
- data/lib/{utils → inspec/utils}/modulator.rb +0 -3
- data/lib/{utils → inspec/utils}/nginx_parser.rb +31 -35
- data/lib/{utils → inspec/utils}/object_traversal.rb +0 -3
- data/lib/{utils → inspec/utils}/parser.rb +45 -45
- data/lib/{utils → inspec/utils}/pkey_reader.rb +4 -2
- data/lib/{utils → inspec/utils}/simpleconfig.rb +8 -10
- data/lib/{utils → inspec/utils}/spdx.rb +1 -4
- data/lib/{utils → inspec/utils}/spdx.txt +0 -0
- data/lib/inspec/utils/telemetry.rb +3 -3
- data/lib/inspec/utils/telemetry/collector.rb +30 -9
- data/lib/inspec/utils/telemetry/data_series.rb +3 -1
- data/lib/inspec/utils/telemetry/global_methods.rb +1 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/matchers/matchers.rb +22 -25
- data/lib/plugins/inspec-artifact/lib/inspec-artifact.rb +1 -1
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb +52 -45
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/cli.rb +18 -16
- data/lib/plugins/inspec-compliance/lib/inspec-compliance.rb +1 -1
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +73 -73
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +66 -62
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +59 -57
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/configuration.rb +11 -11
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/http.rb +20 -22
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/support.rb +2 -4
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb +30 -27
- data/lib/plugins/inspec-habitat/Berksfile +2 -2
- data/lib/plugins/inspec-habitat/lib/inspec-habitat.rb +1 -1
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/cli.rb +15 -13
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/profile.rb +64 -63
- data/lib/plugins/inspec-habitat/templates/habitat/hooks/run.erb +3 -3
- data/lib/plugins/inspec-habitat/templates/habitat/plan.sh.erb +11 -11
- data/lib/plugins/inspec-init/lib/inspec-init.rb +1 -1
- data/lib/plugins/inspec-init/lib/inspec-init/cli.rb +6 -8
- data/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb +72 -74
- data/lib/plugins/inspec-init/lib/inspec-init/cli_profile.rb +9 -11
- data/lib/plugins/inspec-init/lib/inspec-init/renderer.rb +4 -4
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Gemfile +0 -1
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/cli_command.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.rb +0 -2
- data/lib/plugins/inspec-init/templates/profiles/os/controls/example.rb +6 -7
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli.rb +1 -2
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +72 -70
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/plugin.rb +1 -1
- data/lib/plugins/shared/core_plugin_test_helper.rb +43 -38
- data/lib/source_readers/flat.rb +6 -10
- data/lib/source_readers/inspec.rb +8 -12
- metadata +139 -140
- data/lib/resources/mysql.rb +0 -82
- data/lib/resources/sys_info.rb +0 -28
- data/lib/utils/deprecation.rb +0 -6
- data/lib/utils/json_log.rb +0 -18
- data/lib/utils/latest_version.rb +0 -22
@@ -1,15 +1,15 @@
|
|
1
|
-
# encoding: utf-8
|
2
1
|
# copyright: 2015, Vulcano Security GmbH
|
3
2
|
|
4
|
-
require
|
5
|
-
require
|
3
|
+
require "inspec/utils/filter"
|
4
|
+
require "ostruct"
|
5
|
+
require "inspec/resources/command"
|
6
6
|
|
7
7
|
module Inspec::Resources
|
8
8
|
class Processes < Inspec.resource(1)
|
9
|
-
name
|
10
|
-
supports platform:
|
11
|
-
supports platform:
|
12
|
-
desc
|
9
|
+
name "processes"
|
10
|
+
supports platform: "unix"
|
11
|
+
supports platform: "windows"
|
12
|
+
desc "Use the processes InSpec audit resource to test properties for programs that are running on the system."
|
13
13
|
example <<~EXAMPLE
|
14
14
|
describe processes('mysqld') do
|
15
15
|
its('entries.length') { should eq 1 }
|
@@ -33,10 +33,10 @@ module Inspec::Resources
|
|
33
33
|
if grep.class == String
|
34
34
|
# if windows ignore case as we can't make up our minds
|
35
35
|
if inspec.os.windows?
|
36
|
-
grep =
|
36
|
+
grep = "(?i)" + grep
|
37
37
|
else
|
38
|
-
grep =
|
39
|
-
grep =
|
38
|
+
grep = "(/[^/]*)*" + grep unless grep[0] == "/"
|
39
|
+
grep = "^" + grep + '(\s|$)'
|
40
40
|
end
|
41
41
|
grep = Regexp.new(grep)
|
42
42
|
end
|
@@ -56,23 +56,23 @@ module Inspec::Resources
|
|
56
56
|
end
|
57
57
|
|
58
58
|
def list
|
59
|
-
Inspec.deprecate(:property_processes_list,
|
59
|
+
Inspec.deprecate(:property_processes_list, "The processes `list` property is deprecated. Please use `entries` instead.")
|
60
60
|
@list
|
61
61
|
end
|
62
62
|
|
63
63
|
filter = FilterTable.create
|
64
|
-
filter.register_column(:labels, field:
|
65
|
-
.register_column(:pids, field:
|
66
|
-
.register_column(:cpus, field:
|
67
|
-
.register_column(:mem, field:
|
68
|
-
.register_column(:vsz, field:
|
69
|
-
.register_column(:rss, field:
|
70
|
-
.register_column(:tty, field:
|
71
|
-
.register_column(:states, field:
|
72
|
-
.register_column(:start, field:
|
73
|
-
.register_column(:time, field:
|
74
|
-
.register_column(:users, field:
|
75
|
-
.register_column(:commands, field:
|
64
|
+
filter.register_column(:labels, field: "label")
|
65
|
+
.register_column(:pids, field: "pid")
|
66
|
+
.register_column(:cpus, field: "cpu")
|
67
|
+
.register_column(:mem, field: "mem")
|
68
|
+
.register_column(:vsz, field: "vsz")
|
69
|
+
.register_column(:rss, field: "rss")
|
70
|
+
.register_column(:tty, field: "tty")
|
71
|
+
.register_column(:states, field: "stat")
|
72
|
+
.register_column(:start, field: "start")
|
73
|
+
.register_column(:time, field: "time")
|
74
|
+
.register_column(:users, field: "user")
|
75
|
+
.register_column(:commands, field: "command")
|
76
76
|
.install_filter_methods_on_resource(self, :filtered_processes)
|
77
77
|
|
78
78
|
private
|
@@ -104,7 +104,7 @@ module Inspec::Resources
|
|
104
104
|
command: 12,
|
105
105
|
}
|
106
106
|
else
|
107
|
-
command =
|
107
|
+
command = "ps axo pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user,command"
|
108
108
|
regex = /^\s*([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
|
109
109
|
field_map = {
|
110
110
|
pid: 1,
|
@@ -125,7 +125,7 @@ module Inspec::Resources
|
|
125
125
|
|
126
126
|
def ps_configuration_for_linux
|
127
127
|
if busybox_ps?
|
128
|
-
command =
|
128
|
+
command = "ps -o pid,vsz,rss,tty,stat,time,ruser,args"
|
129
129
|
regex = /^\s*(\d+)\s+(\d+(?:\.\d+)?[gm]?)\s+(\d+(?:\.\d+)?[gm]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$/
|
130
130
|
field_map = {
|
131
131
|
pid: 1,
|
@@ -138,7 +138,7 @@ module Inspec::Resources
|
|
138
138
|
command: 8,
|
139
139
|
}
|
140
140
|
else
|
141
|
-
command =
|
141
|
+
command = "ps axo label,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user:32,command"
|
142
142
|
regex = /^(.+?)\s+(\d+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(\w{3} \d{2}|\d{2}:\d{2}:\d{2})\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
|
143
143
|
field_map = {
|
144
144
|
label: 1,
|
@@ -160,15 +160,15 @@ module Inspec::Resources
|
|
160
160
|
end
|
161
161
|
|
162
162
|
def busybox_ps?
|
163
|
-
@busybox_ps ||= inspec.command(
|
163
|
+
@busybox_ps ||= inspec.command("ps --help").stderr.include?("BusyBox")
|
164
164
|
end
|
165
165
|
|
166
166
|
def convert_to_kilobytes(param)
|
167
167
|
return param.to_i unless param.is_a?(String)
|
168
168
|
|
169
|
-
if param.end_with?(
|
169
|
+
if param.end_with?("g")
|
170
170
|
(param[0..-2].to_f * 1024 * 1024).to_i
|
171
|
-
elsif param.end_with?(
|
171
|
+
elsif param.end_with?("m")
|
172
172
|
(param[0..-2].to_f * 1024).to_i
|
173
173
|
else
|
174
174
|
param.to_i
|
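Review bot: In the non-Windows branch of the string-to-regex conversion (new lines 38–39), the caller's string is concatenated into the pattern ungrouped, so a value containing `|` splits the expression: `nginx|apache` becomes `^(/[^/]*)*nginx|apache(\s|$)`, where the first alternative loses the trailing boundary and the second loses the `^` anchor and path prefix. For an audit resource that silently turns a narrow process check into a broad match. Grouping the supplied part keeps both anchors around the whole expression, e.g. `prefix = grep.start_with?("/") ? "" : "(/[^/]*)*"` followed by `grep = "^" + prefix + "(?:" + grep + ')(\s|$)'`. The enclosing method starts above this hunk, so whether callers are expected to pass regex syntax inside a String is not visible here.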
@@ -1,15 +1,14 @@
|
|
1
|
-
|
2
|
-
|
3
|
-
require 'utils/erlang_parser'
|
4
|
-
require 'utils/file_reader'
|
1
|
+
require "inspec/utils/erlang_parser"
|
2
|
+
require "inspec/utils/file_reader"
|
5
3
|
|
6
4
|
module Inspec::Resources
|
7
|
-
class
|
8
|
-
name
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
5
|
+
class RabbitmqConfig < Inspec.resource(1)
|
6
|
+
name "rabbitmq_conf" # TODO: this is an alias. do we want this?
|
7
|
+
name "rabbitmq_config"
|
8
|
+
supports platform: "unix"
|
9
|
+
desc "Use the rabbitmq_config InSpec resource to test configuration data "\
|
10
|
+
"for the RabbitMQ service located in /etc/rabbitmq/rabbitmq.config on "\
|
11
|
+
"Linux and UNIX platforms."
|
13
12
|
example <<~EXAMPLE
|
14
13
|
describe rabbitmq_config.params('rabbit', 'ssl_listeners') do
|
15
14
|
it { should cmp 5671 }
|
@@ -19,7 +18,7 @@ module Inspec::Resources
|
|
19
18
|
include FileReader
|
20
19
|
|
21
20
|
def initialize(conf_path = nil)
|
22
|
-
@conf_path = conf_path ||
|
21
|
+
@conf_path = conf_path || "/etc/rabbitmq/rabbitmq.config"
|
23
22
|
@content = read_file_content(@conf_path, allow_empty: true)
|
24
23
|
end
|
25
24
|
|
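Review bot: The `# TODO: this is an alias. do we want this?` on `name "rabbitmq_conf"` ships the old resource name with its status undecided. If the old name is kept only for compatibility, it could go through the pattern the `windows_registry_key` alias uses elsewhere in this release (a subclass whose `initialize` calls `Inspec.deprecate`), so profiles still using `rabbitmq_conf` get a notice. Whether calling `name` twice registers both names is not visible from this hunk; at minimum the TODO could be replaced by a comment such as `# rabbitmq_conf is kept as a legacy alias of rabbitmq_config`.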
@@ -1,11 +1,11 @@
|
|
1
|
-
# encoding: utf-8
|
2
1
|
# copyright: 2015, Vulcano Security GmbH
|
3
2
|
|
4
|
-
require
|
3
|
+
require "json"
|
4
|
+
require "inspec/resources/powershell"
|
5
5
|
|
6
6
|
# Three constructor methods are available:
|
7
7
|
# 1. resistry_key(path'):
|
8
|
-
# describe registry_key('
|
8
|
+
# describe registry_key('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule') do
|
9
9
|
# its('Start') { should eq 2 }
|
10
10
|
# end
|
11
11
|
#
|
@@ -47,9 +47,9 @@ require 'json'
|
|
47
47
|
|
48
48
|
module Inspec::Resources
|
49
49
|
class RegistryKey < Inspec.resource(1)
|
50
|
-
name
|
51
|
-
supports platform:
|
52
|
-
desc
|
50
|
+
name "registry_key"
|
51
|
+
supports platform: "windows"
|
52
|
+
desc "Use the registry_key InSpec audit resource to test key values in the Microsoft Windows registry."
|
53
53
|
example <<~EXAMPLE
|
54
54
|
describe registry_key('path\to\key') do
|
55
55
|
its('name') { should eq 'value' }
|
@@ -71,7 +71,7 @@ module Inspec::Resources
|
|
71
71
|
@options[:path] = reg_key
|
72
72
|
end
|
73
73
|
|
74
|
-
return skip_resource
|
74
|
+
return skip_resource "The `registry_key` resource is not supported on your OS yet." if !inspec.os.windows?
|
75
75
|
end
|
76
76
|
|
77
77
|
def exists?
|
@@ -80,7 +80,7 @@ module Inspec::Resources
|
|
80
80
|
|
81
81
|
def has_value?(value)
|
82
82
|
val = registry_key(@options[:path])
|
83
|
-
!val.nil? && registry_property_value(val,
|
83
|
+
!val.nil? && registry_property_value(val, "(default)") == value ? true : false
|
84
84
|
end
|
85
85
|
|
86
86
|
def has_property?(property_name, property_type = nil)
|
@@ -140,13 +140,13 @@ module Inspec::Resources
|
|
140
140
|
def registry_property_value(regkey, property)
|
141
141
|
return nil if !registry_property_exists(regkey, property)
|
142
142
|
# always ensure the key is lower case
|
143
|
-
regkey[prep_prop(property)][
|
143
|
+
regkey[prep_prop(property)]["value"]
|
144
144
|
end
|
145
145
|
|
146
146
|
def registry_property_type(regkey, property)
|
147
147
|
return nil if !registry_property_exists(regkey, property)
|
148
148
|
# always ensure the key is lower case
|
149
|
-
regkey[prep_prop(property)][
|
149
|
+
regkey[prep_prop(property)]["type"]
|
150
150
|
end
|
151
151
|
|
152
152
|
def registry_key(path)
|
@@ -197,7 +197,7 @@ module Inspec::Resources
|
|
197
197
|
@registry_cache
|
198
198
|
end
|
199
199
|
|
200
|
-
def children_keys(path, filter =
|
200
|
+
def children_keys(path, filter = "")
|
201
201
|
return @children_cache if defined?(@children_cache)
|
202
202
|
filter = filter.source if filter.is_a? ::Regexp
|
203
203
|
script = <<-EOH
|
@@ -274,17 +274,17 @@ module Inspec::Resources
|
|
274
274
|
|
275
275
|
def format_key_from_options
|
276
276
|
key = @options[:key]
|
277
|
-
return
|
277
|
+
return "" unless key
|
278
278
|
|
279
279
|
key.start_with?('\\') ? key : "\\#{key}"
|
280
280
|
end
|
281
281
|
end
|
282
282
|
|
283
283
|
class WindowsRegistryKey < RegistryKey
|
284
|
-
name
|
284
|
+
name "windows_registry_key"
|
285
285
|
|
286
286
|
def initialize(name)
|
287
|
-
Inspec.deprecate(:resource_windows_registry_key,
|
287
|
+
Inspec.deprecate(:resource_windows_registry_key, "The `windows_registry_key` resource is deprecated. Please use `registry_key` instead.")
|
288
288
|
super(name)
|
289
289
|
end
|
290
290
|
end
|
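Review bot: `children_keys(path, filter = "")` returns `@children_cache` whenever it is defined, without looking at `path` or `filter`, so a second call on the same instance with different arguments gets the first call's result. For a resource whose output feeds compliance checks, that is a silent wrong answer rather than an error. Keying the cache on the arguments avoids it, e.g. `@children_cache ||= {}` and `return @children_cache[[path, filter]] if @children_cache.key?([path, filter])`, with the matching store where the method currently assigns the cache. The rest of the method, including how `path` and `filter` reach the PowerShell script in the heredoc, is outside this hunk.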
@@ -0,0 +1 @@
|
|
1
|
+
require "inspec/resources/powershell"
|
@@ -1,11 +1,12 @@
|
|
1
|
-
# encoding: utf-8
|
2
1
|
# frozen_string_literal: true
|
3
2
|
|
3
|
+
require "inspec/resources/command"
|
4
|
+
|
4
5
|
module Inspec::Resources
|
5
6
|
class SecurityIdentifier < Inspec.resource(1)
|
6
|
-
name
|
7
|
-
supports platform:
|
8
|
-
desc
|
7
|
+
name "security_identifier"
|
8
|
+
supports platform: "windows"
|
9
|
+
desc "Resource that returns a Security Identifier for a given entity name in Windows."
|
9
10
|
example <<~EXAMPLE
|
10
11
|
describe security_identifier(group: 'Everyone') do
|
11
12
|
it { should exist }
|
@@ -17,7 +18,7 @@ module Inspec::Resources
|
|
17
18
|
supported_opt_keys = [:user, :group, :unspecified]
|
18
19
|
raise ArgumentError, "Invalid security_identifier param '#{opts}'. Please pass a hash with these supported keys: #{supported_opt_keys}" unless opts.respond_to?(:keys)
|
19
20
|
raise ArgumentError, "Unsupported security_identifier options '#{opts.keys - supported_opt_keys}'. Supported keys: #[supported_opt_keys]" unless (opts.keys - supported_opt_keys).empty?
|
20
|
-
raise ArgumentError,
|
21
|
+
raise ArgumentError, "Specifying more than one of :user :group or :unspecified for security_identifier is not supported" unless opts.keys && (opts.keys & supported_opt_keys).length == 1
|
21
22
|
if opts[:user]
|
22
23
|
@type = :user
|
23
24
|
@name = opts[:user]
|
@@ -30,7 +31,7 @@ module Inspec::Resources
|
|
30
31
|
@type = :unspecified
|
31
32
|
@name = opts[:unspecified]
|
32
33
|
end
|
33
|
-
raise ArgumentError,
|
34
|
+
raise ArgumentError, "Specify one of :user :group or :unspecified for security_identifier" unless @name
|
34
35
|
@sids = nil
|
35
36
|
end
|
36
37
|
|
@@ -66,19 +67,19 @@ module Inspec::Resources
|
|
66
67
|
end
|
67
68
|
|
68
69
|
def wmi_results(type)
|
69
|
-
query =
|
70
|
+
query = "wmic "
|
70
71
|
case type
|
71
72
|
when :group
|
72
|
-
query +=
|
73
|
+
query += "group"
|
73
74
|
when :user
|
74
|
-
query +=
|
75
|
+
query += "useraccount"
|
75
76
|
end
|
76
77
|
query += " where 'Name=\"#{@name}\"' get Name\",\"SID /format:csv"
|
77
78
|
# Example output:
|
78
79
|
# inspec> command("wmic useraccount where 'Name=\"Administrator\"' get Name\",\"SID /format:csv").stdout
|
79
80
|
# => "\r\n\r\nNode,Name,SID\r\n\r\nComputer1,Administrator,S-1-5-21-650485088-1194226989-968533923-500\r\n\r\n"
|
80
81
|
# Remove the \r characters, split on \n\n, ignore the CSV header row
|
81
|
-
inspec.command(query).stdout.strip.tr("\r",
|
82
|
+
inspec.command(query).stdout.strip.tr("\r", "").split("\n\n")[1..-1].map { |entry| entry.split(",") }
|
82
83
|
end
|
83
84
|
end
|
84
85
|
end
|
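Review bot: `wmi_results` interpolates `@name` straight into the `wmic` command line (`" where 'Name=\"#{@name}\"' get ..."`), and the visible part of `initialize` only checks that a name is present, so a name containing quote or shell metacharacters changes the command that `inspec.command` runs on the target. Because the name may come from profile inputs rather than a literal, it should be validated before the query is built, for example in `initialize`: `raise ArgumentError, "Invalid characters in security_identifier name" if @name.to_s.match?(/["'&|<>^%]/)` (adjust the set to what the transport's shell treats specially). The same pattern is in the security_policy section, where each `v` from the secedit export is placed inside the `SecurityIdentifier(\"...\")` PowerShell call; a shape check such as `v.match?(/\A\*?S-\d+(-\d+)+\z/)` before the call would cover it. Separately, the second `ArgumentError` message prints `#[supported_opt_keys]` literally; it presumably should be `#{supported_opt_keys}`.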
@@ -1,4 +1,3 @@
|
|
1
|
-
# encoding: utf-8
|
2
1
|
#
|
3
2
|
# Security Configuration and Analysis
|
4
3
|
#
|
@@ -11,64 +10,66 @@
|
|
11
10
|
# All local GPO parameters can be examined via Registry, but not all security
|
12
11
|
# parameters. Therefore we need a combination of Registry and secedit output
|
13
12
|
|
14
|
-
require
|
13
|
+
require "hashie"
|
14
|
+
require "inspec/resources/command"
|
15
|
+
require "inspec/utils/simpleconfig"
|
15
16
|
|
16
17
|
module Inspec::Resources
|
17
18
|
# known and supported MS privilege rights
|
18
19
|
# @see https://technet.microsoft.com/en-us/library/dd277311.aspx
|
19
20
|
# @see https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx
|
20
21
|
MS_PRIVILEGES_RIGHTS = [
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
22
|
+
"SeNetworkLogonRight",
|
23
|
+
"SeBackupPrivilege",
|
24
|
+
"SeChangeNotifyPrivilege",
|
25
|
+
"SeSystemtimePrivilege",
|
26
|
+
"SeCreatePagefilePrivilege",
|
27
|
+
"SeDebugPrivilege",
|
28
|
+
"SeRemoteShutdownPrivilege",
|
29
|
+
"SeAuditPrivilege",
|
30
|
+
"SeIncreaseQuotaPrivilege",
|
31
|
+
"SeIncreaseBasePriorityPrivilege",
|
32
|
+
"SeLoadDriverPrivilege",
|
33
|
+
"SeBatchLogonRight",
|
34
|
+
"SeServiceLogonRight",
|
35
|
+
"SeInteractiveLogonRight",
|
36
|
+
"SeSecurityPrivilege",
|
37
|
+
"SeSystemEnvironmentPrivilege",
|
38
|
+
"SeProfileSingleProcessPrivilege",
|
39
|
+
"SeSystemProfilePrivilege",
|
40
|
+
"SeAssignPrimaryTokenPrivilege",
|
41
|
+
"SeRestorePrivilege",
|
42
|
+
"SeShutdownPrivilege",
|
43
|
+
"SeTakeOwnershipPrivilege",
|
44
|
+
"SeUndockPrivilege",
|
45
|
+
"SeManageVolumePrivilege",
|
46
|
+
"SeRemoteInteractiveLogonRight",
|
47
|
+
"SeImpersonatePrivilege",
|
48
|
+
"SeCreateGlobalPrivilege",
|
49
|
+
"SeIncreaseWorking",
|
50
|
+
"SeTimeZonePrivilege",
|
51
|
+
"SeCreateSymbolicLinkPrivilege",
|
52
|
+
"SeDenyNetworkLogonRight", # Deny access to this computer from the network
|
53
|
+
"SeDenyInteractiveLogonRight", # Deny logon locally
|
54
|
+
"SeDenyBatchLogonRight", # Deny logon as a batch job
|
55
|
+
"SeDenyServiceLogonRight", # Deny logon as a service
|
56
|
+
"SeTcbPrivilege",
|
57
|
+
"SeMachineAccountPrivilege",
|
58
|
+
"SeCreateTokenPrivilege",
|
59
|
+
"SeCreatePermanentPrivilege",
|
60
|
+
"SeEnableDelegationPrivilege",
|
61
|
+
"SeLockMemoryPrivilege",
|
62
|
+
"SeSyncAgentPrivilege",
|
63
|
+
"SeUnsolicitedInputPrivilege",
|
64
|
+
"SeTrustedCredManAccessPrivilege",
|
65
|
+
"SeRelabelPrivilege", # the privilege to change a Windows integrity label (new to Windows Vista)
|
66
|
+
"SeDenyRemoteInteractiveLogonRight", # Deny logon through Terminal Services
|
66
67
|
].freeze
|
67
68
|
|
68
69
|
class SecurityPolicy < Inspec.resource(1)
|
69
|
-
name
|
70
|
-
supports platform:
|
71
|
-
desc
|
70
|
+
name "security_policy"
|
71
|
+
supports platform: "windows"
|
72
|
+
desc "Use the security_policy InSpec audit resource to test security policies on the Microsoft Windows platform."
|
72
73
|
example <<~EXAMPLE
|
73
74
|
describe security_policy do
|
74
75
|
its('SeNetworkLogonRight') { should include 'S-1-5-11' }
|
@@ -107,7 +108,7 @@ module Inspec::Resources
|
|
107
108
|
end
|
108
109
|
|
109
110
|
def to_s
|
110
|
-
|
111
|
+
"Security Policy"
|
111
112
|
end
|
112
113
|
|
113
114
|
private
|
@@ -138,7 +139,7 @@ module Inspec::Resources
|
|
138
139
|
|
139
140
|
conf = SimpleConfig.new(
|
140
141
|
@content,
|
141
|
-
assignment_regex: /^\s*(.*)=\s*(\S*)\s
|
142
|
+
assignment_regex: /^\s*(.*)=\s*(\S*)\s*$/
|
142
143
|
)
|
143
144
|
@params = convert_hash(conf.params)
|
144
145
|
end
|
@@ -151,14 +152,14 @@ module Inspec::Resources
|
|
151
152
|
# special handling for SID array
|
152
153
|
elsif val =~ /[,]{0,1}\*\S/
|
153
154
|
if @translate_sid
|
154
|
-
val.split(
|
155
|
+
val.split(",").map do |v|
|
155
156
|
object_name = inspec.command("(New-Object System.Security.Principal.SecurityIdentifier(\"#{v.sub('*S', 'S')}\")).Translate( [System.Security.Principal.NTAccount]).Value").stdout.to_s.strip
|
156
|
-
object_name.empty? || object_name.nil? ? v.sub(
|
157
|
-
|
157
|
+
object_name.empty? || object_name.nil? ? v.sub("*S", "S") : object_name
|
158
|
+
end
|
158
159
|
else
|
159
|
-
val.split(
|
160
|
-
v.sub(
|
161
|
-
|
160
|
+
val.split(",").map do |v|
|
161
|
+
v.sub("*S", "S")
|
162
|
+
end
|
162
163
|
end
|
163
164
|
# special handling for string values with "
|
164
165
|
elsif !(m = /^\"(.*)\"$/.match(val)).nil?
|
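Review bot: `"SeIncreaseWorking"` in `MS_PRIVILEGES_RIGHTS` (new line 49) does not look like a complete constant; the Windows user right is `SeIncreaseWorkingSetPrivilege`, and every other entry in the list carries its `Privilege` or `Right` suffix. If the list is used to recognise privilege-right keys in the secedit export (its use is outside these hunks), a control on that right would be handled as an ordinary setting or missed. The entry should read `"SeIncreaseWorkingSetPrivilege",`. In the SID branch of the last hunk, `object_name.empty? || object_name.nil?` can also drop the `nil?` test, since `.to_s.strip` never returns nil.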