inspec-core 4.3.2 → 4.6.3
- checksums.yaml +4 -4
- data/README.md +37 -21
- data/etc/deprecations.json +10 -0
- data/etc/plugin_filters.json +8 -0
- data/lib/bundles/inspec-compliance/api.rb +1 -1
- data/lib/bundles/inspec-compliance/configuration.rb +1 -1
- data/lib/bundles/inspec-compliance/http.rb +1 -1
- data/lib/bundles/inspec-compliance/support.rb +1 -1
- data/lib/bundles/inspec-compliance/target.rb +1 -1
- data/lib/bundles/inspec-supermarket.rb +3 -7
- data/lib/bundles/inspec-supermarket/api.rb +10 -13
- data/lib/bundles/inspec-supermarket/cli.rb +12 -15
- data/lib/bundles/inspec-supermarket/target.rb +7 -11
- data/lib/fetchers/git.rb +14 -15
- data/lib/fetchers/local.rb +6 -10
- data/lib/fetchers/mock.rb +3 -5
- data/lib/fetchers/url.rb +42 -44
- data/lib/inspec.rb +23 -24
- data/lib/inspec/archive/tar.rb +2 -6
- data/lib/inspec/archive/zip.rb +3 -7
- data/lib/inspec/backend.rb +8 -9
- data/lib/inspec/base_cli.rb +64 -65
- data/lib/inspec/cached_fetcher.rb +2 -3
- data/lib/inspec/cli.rb +136 -97
- data/lib/inspec/config.rb +71 -61
- data/lib/inspec/control_eval_context.rb +22 -18
- data/lib/inspec/dependencies/cache.rb +2 -3
- data/lib/inspec/dependencies/dependency_set.rb +2 -3
- data/lib/inspec/dependencies/lockfile.rb +8 -9
- data/lib/inspec/dependencies/requirement.rb +7 -8
- data/lib/inspec/dependencies/resolver.rb +5 -7
- data/lib/inspec/describe.rb +2 -6
- data/lib/inspec/dist.rb +20 -0
- data/lib/inspec/dsl.rb +4 -7
- data/lib/inspec/dsl_shared.rb +1 -2
- data/lib/inspec/env_printer.rb +11 -12
- data/lib/inspec/errors.rb +0 -4
- data/lib/inspec/exceptions.rb +0 -1
- data/lib/inspec/expect.rb +5 -8
- data/lib/inspec/fetcher.rb +7 -10
- data/lib/inspec/file_provider.rb +24 -24
- data/lib/inspec/formatters.rb +3 -3
- data/lib/inspec/formatters/base.rb +8 -8
- data/lib/inspec/globals.rb +2 -2
- data/lib/inspec/impact.rb +5 -7
- data/lib/inspec/input_registry.rb +84 -33
- data/lib/inspec/library_eval_context.rb +3 -6
- data/lib/inspec/log.rb +1 -5
- data/lib/inspec/metadata.rb +17 -16
- data/lib/inspec/method_source.rb +5 -9
- data/lib/inspec/objects.rb +10 -12
- data/lib/inspec/objects/control.rb +7 -9
- data/lib/inspec/objects/describe.rb +9 -11
- data/lib/inspec/objects/each_loop.rb +1 -3
- data/lib/inspec/objects/input.rb +24 -26
- data/lib/inspec/objects/list.rb +4 -6
- data/lib/inspec/objects/or_test.rb +2 -4
- data/lib/inspec/objects/ruby_helper.rb +3 -5
- data/lib/inspec/objects/tag.rb +0 -2
- data/lib/inspec/objects/test.rb +9 -11
- data/lib/inspec/objects/value.rb +3 -5
- data/lib/inspec/plugin/v1.rb +2 -2
- data/lib/inspec/plugin/v1/plugin_types/cli.rb +1 -5
- data/lib/inspec/plugin/v1/plugin_types/fetcher.rb +2 -5
- data/lib/inspec/plugin/v1/plugin_types/resource.rb +4 -6
- data/lib/inspec/plugin/v1/plugin_types/secret.rb +1 -5
- data/lib/inspec/plugin/v1/plugin_types/source_reader.rb +1 -5
- data/lib/inspec/plugin/v1/plugins.rb +15 -19
- data/lib/inspec/plugin/v1/registry.rb +0 -4
- data/lib/inspec/plugin/v2.rb +8 -8
- data/lib/inspec/plugin/v2/activator.rb +1 -1
- data/lib/inspec/plugin/v2/config_file.rb +6 -6
- data/lib/inspec/plugin/v2/filter.rb +13 -13
- data/lib/inspec/plugin/v2/installer.rb +36 -24
- data/lib/inspec/plugin/v2/loader.rb +28 -28
- data/lib/inspec/plugin/v2/plugin_base.rb +15 -2
- data/lib/inspec/plugin/v2/plugin_types/cli.rb +5 -5
- data/lib/inspec/plugin/v2/plugin_types/input.rb +34 -0
- data/lib/inspec/plugin/v2/plugin_types/mock.rb +1 -1
- data/lib/inspec/plugin/v2/registry.rb +7 -7
- data/lib/inspec/polyfill.rb +0 -3
- data/lib/inspec/profile.rb +55 -63
- data/lib/inspec/profile_context.rb +27 -30
- data/lib/inspec/profile_vendor.rb +6 -9
- data/lib/inspec/reporters.rb +24 -24
- data/lib/inspec/reporters/automate.rb +17 -19
- data/lib/inspec/reporters/base.rb +1 -1
- data/lib/inspec/reporters/cli.rb +88 -91
- data/lib/inspec/reporters/json.rb +2 -4
- data/lib/inspec/reporters/json_automate.rb +1 -3
- data/lib/inspec/reporters/json_min.rb +1 -3
- data/lib/inspec/reporters/junit.rb +26 -28
- data/lib/inspec/reporters/yaml.rb +1 -3
- data/lib/inspec/require_loader.rb +0 -4
- data/lib/inspec/resource.rb +4 -125
- data/lib/inspec/resources.rb +121 -0
- data/lib/{resources → inspec/resources}/aide_conf.rb +24 -25
- data/lib/{resources → inspec/resources}/apache.rb +13 -14
- data/lib/{resources → inspec/resources}/apache_conf.rb +16 -17
- data/lib/{resources → inspec/resources}/apt.rb +17 -17
- data/lib/{resources → inspec/resources}/audit_policy.rb +7 -6
- data/lib/{resources → inspec/resources}/auditd.rb +62 -64
- data/lib/{resources → inspec/resources}/auditd_conf.rb +7 -8
- data/lib/{resources → inspec/resources}/bash.rb +6 -8
- data/lib/{resources → inspec/resources}/bond.rb +15 -14
- data/lib/{resources → inspec/resources}/bridge.rb +8 -8
- data/lib/{resources → inspec/resources}/chocolatey_package.rb +10 -8
- data/lib/{resources → inspec/resources}/command.rb +11 -10
- data/lib/{resources → inspec/resources}/cpan.rb +12 -12
- data/lib/{resources → inspec/resources}/cran.rb +9 -9
- data/lib/{resources → inspec/resources}/crontab.rb +47 -48
- data/lib/{resources → inspec/resources}/csv.rb +5 -5
- data/lib/{resources → inspec/resources}/dh_params.rb +5 -7
- data/lib/{resources → inspec/resources}/directory.rb +5 -7
- data/lib/{resources → inspec/resources}/docker.rb +63 -63
- data/lib/{resources → inspec/resources}/docker_container.rb +6 -6
- data/lib/{resources → inspec/resources}/docker_image.rb +9 -9
- data/lib/{resources → inspec/resources}/docker_object.rb +8 -13
- data/lib/{resources → inspec/resources}/docker_plugin.rb +6 -6
- data/lib/{resources → inspec/resources}/docker_service.rb +7 -7
- data/lib/{resources → inspec/resources}/elasticsearch.rb +40 -42
- data/lib/{resources → inspec/resources}/etc_fstab.rb +23 -24
- data/lib/{resources → inspec/resources}/etc_group.rb +26 -27
- data/lib/{resources → inspec/resources}/etc_hosts.rb +11 -13
- data/lib/{resources → inspec/resources}/etc_hosts_allow_deny.rb +25 -27
- data/lib/{resources → inspec/resources}/file.rb +80 -79
- data/lib/{resources → inspec/resources}/filesystem.rb +20 -15
- data/lib/{resources → inspec/resources}/firewalld.rb +26 -26
- data/lib/{resources → inspec/resources}/gem.rb +12 -12
- data/lib/{resources → inspec/resources}/groups.rb +28 -27
- data/lib/{resources → inspec/resources}/grub_conf.rb +46 -48
- data/lib/{resources → inspec/resources}/host.rb +31 -29
- data/lib/{resources → inspec/resources}/http.rb +24 -24
- data/lib/{resources → inspec/resources}/iis_app.rb +6 -7
- data/lib/{resources → inspec/resources}/iis_app_pool.rb +21 -19
- data/lib/{resources → inspec/resources}/iis_site.rb +17 -15
- data/lib/{resources → inspec/resources}/inetd_conf.rb +9 -10
- data/lib/{resources → inspec/resources}/ini.rb +7 -8
- data/lib/{resources → inspec/resources}/interface.rb +30 -30
- data/lib/{resources → inspec/resources}/iptables.rb +8 -8
- data/lib/{resources → inspec/resources}/json.rb +8 -10
- data/lib/{resources → inspec/resources}/kernel_module.rb +15 -15
- data/lib/{resources → inspec/resources}/kernel_parameter.rb +8 -8
- data/lib/{resources → inspec/resources}/key_rsa.rb +8 -10
- data/lib/{resources → inspec/resources}/ksh.rb +6 -8
- data/lib/{resources → inspec/resources}/limits_conf.rb +8 -9
- data/lib/{resources/login_def.rb → inspec/resources/login_defs.rb} +9 -10
- data/lib/{resources → inspec/resources}/mount.rb +6 -8
- data/lib/{resources → inspec/resources}/mssql_session.rb +16 -18
- data/lib/inspec/resources/mysql.rb +81 -0
- data/lib/{resources → inspec/resources}/mysql_conf.rb +13 -14
- data/lib/{resources → inspec/resources}/mysql_session.rb +16 -16
- data/lib/{resources → inspec/resources}/nginx.rb +16 -17
- data/lib/{resources → inspec/resources}/nginx_conf.rb +26 -27
- data/lib/{resources → inspec/resources}/npm.rb +9 -10
- data/lib/{resources → inspec/resources}/ntp_conf.rb +9 -10
- data/lib/{resources → inspec/resources}/oneget.rb +8 -8
- data/lib/{resources → inspec/resources}/oracledb_session.rb +33 -34
- data/lib/{resources → inspec/resources}/os.rb +6 -8
- data/lib/{resources → inspec/resources}/os_env.rb +11 -12
- data/lib/{resources → inspec/resources}/package.rb +66 -65
- data/lib/{resources → inspec/resources}/packages.rb +13 -13
- data/lib/{resources → inspec/resources}/parse_config.rb +8 -8
- data/lib/{resources → inspec/resources}/passwd.rb +18 -19
- data/lib/{resources → inspec/resources}/pip.rb +19 -19
- data/lib/{resources → inspec/resources}/platform.rb +9 -11
- data/lib/{resources → inspec/resources}/port.rb +134 -136
- data/lib/{resources → inspec/resources}/postgres.rb +40 -32
- data/lib/{resources → inspec/resources}/postgres_conf.rb +17 -17
- data/lib/{resources → inspec/resources}/postgres_hba_conf.rb +21 -23
- data/lib/{resources → inspec/resources}/postgres_ident_conf.rb +12 -14
- data/lib/{resources → inspec/resources}/postgres_session.rb +8 -9
- data/lib/{resources → inspec/resources}/powershell.rb +17 -13
- data/lib/{resources → inspec/resources}/processes.rb +29 -29
- data/lib/{resources/rabbitmq_conf.rb → inspec/resources/rabbitmq_config.rb} +10 -11
- data/lib/{resources → inspec/resources}/registry_key.rb +14 -14
- data/lib/inspec/resources/script.rb +1 -0
- data/lib/{resources → inspec/resources}/security_identifier.rb +11 -10
- data/lib/{resources → inspec/resources}/security_policy.rb +59 -58
- data/lib/{resources → inspec/resources}/service.rb +74 -75
- data/lib/{resources → inspec/resources}/shadow.rb +44 -45
- data/lib/{resources/ssh_conf.rb → inspec/resources/ssh_config.rb} +16 -17
- data/lib/{resources → inspec/resources}/ssl.rb +28 -29
- data/lib/inspec/resources/sys_info.rb +30 -0
- data/lib/{resources → inspec/resources}/toml.rb +5 -7
- data/lib/{resources → inspec/resources}/users.rb +65 -65
- data/lib/{resources → inspec/resources}/vbscript.rb +8 -9
- data/lib/{resources → inspec/resources}/virtualization.rb +60 -62
- data/lib/{resources → inspec/resources}/windows_feature.rb +9 -9
- data/lib/{resources → inspec/resources}/windows_hotfix.rb +5 -5
- data/lib/{resources → inspec/resources}/windows_task.rb +16 -15
- data/lib/{resources → inspec/resources}/wmi.rb +7 -8
- data/lib/{resources → inspec/resources}/x509_certificate.rb +9 -11
- data/lib/{resources/xinetd.rb → inspec/resources/xinetd_conf.rb} +27 -29
- data/lib/{resources → inspec/resources}/xml.rb +7 -7
- data/lib/{resources → inspec/resources}/yaml.rb +5 -6
- data/lib/{resources → inspec/resources}/yum.rb +10 -10
- data/lib/{resources → inspec/resources}/zfs_dataset.rb +6 -6
- data/lib/{resources → inspec/resources}/zfs_pool.rb +4 -4
- data/lib/inspec/rspec_extensions.rb +24 -8
- data/lib/inspec/rule.rb +14 -15
- data/lib/inspec/runner.rb +28 -28
- data/lib/inspec/runner_mock.rb +1 -5
- data/lib/inspec/runner_rspec.rb +18 -20
- data/lib/inspec/runtime_profile.rb +2 -5
- data/lib/inspec/schema.rb +142 -143
- data/lib/inspec/secrets.rb +3 -7
- data/lib/inspec/secrets/yaml.rb +3 -5
- data/lib/inspec/shell.rb +11 -15
- data/lib/inspec/shell_detector.rb +6 -7
- data/lib/inspec/source_reader.rb +4 -8
- data/lib/inspec/ui.rb +33 -39
- data/lib/inspec/ui_table_helper.rb +12 -0
- data/lib/{utils → inspec/utils}/command_wrapper.rb +4 -8
- data/lib/{utils → inspec/utils}/convert.rb +0 -4
- data/lib/{utils → inspec/utils}/database_helpers.rb +4 -8
- data/lib/inspec/utils/deprecation.rb +6 -0
- data/lib/{utils → inspec/utils}/deprecation/config_file.rb +19 -19
- data/lib/{utils → inspec/utils}/deprecation/deprecator.rb +12 -12
- data/lib/{utils → inspec/utils}/deprecation/errors.rb +1 -1
- data/lib/{utils → inspec/utils}/deprecation/global_method.rb +2 -2
- data/lib/{utils → inspec/utils}/enumerable_delegation.rb +0 -2
- data/lib/{utils → inspec/utils}/erlang_parser.rb +61 -65
- data/lib/{utils → inspec/utils}/file_reader.rb +1 -2
- data/lib/{utils → inspec/utils}/filter.rb +30 -33
- data/lib/{utils → inspec/utils}/filter_array.rb +0 -2
- data/lib/{utils → inspec/utils}/find_files.rb +9 -12
- data/lib/{utils → inspec/utils}/hash.rb +1 -5
- data/lib/inspec/utils/json_log.rb +15 -0
- data/lib/inspec/utils/latest_version.rb +13 -0
- data/lib/{utils → inspec/utils}/modulator.rb +0 -3
- data/lib/{utils → inspec/utils}/nginx_parser.rb +31 -35
- data/lib/{utils → inspec/utils}/object_traversal.rb +0 -3
- data/lib/{utils → inspec/utils}/parser.rb +45 -45
- data/lib/{utils → inspec/utils}/pkey_reader.rb +4 -2
- data/lib/{utils → inspec/utils}/simpleconfig.rb +8 -10
- data/lib/{utils → inspec/utils}/spdx.rb +1 -4
- data/lib/{utils → inspec/utils}/spdx.txt +0 -0
- data/lib/inspec/utils/telemetry.rb +3 -3
- data/lib/inspec/utils/telemetry/collector.rb +30 -9
- data/lib/inspec/utils/telemetry/data_series.rb +3 -1
- data/lib/inspec/utils/telemetry/global_methods.rb +1 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/matchers/matchers.rb +22 -25
- data/lib/plugins/inspec-artifact/lib/inspec-artifact.rb +1 -1
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb +52 -45
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/cli.rb +18 -16
- data/lib/plugins/inspec-compliance/lib/inspec-compliance.rb +1 -1
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +73 -73
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +66 -62
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +59 -57
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/configuration.rb +11 -11
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/http.rb +20 -22
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/support.rb +2 -4
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb +30 -27
- data/lib/plugins/inspec-habitat/Berksfile +2 -2
- data/lib/plugins/inspec-habitat/lib/inspec-habitat.rb +1 -1
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/cli.rb +15 -13
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/profile.rb +64 -63
- data/lib/plugins/inspec-habitat/templates/habitat/hooks/run.erb +3 -3
- data/lib/plugins/inspec-habitat/templates/habitat/plan.sh.erb +11 -11
- data/lib/plugins/inspec-init/lib/inspec-init.rb +1 -1
- data/lib/plugins/inspec-init/lib/inspec-init/cli.rb +6 -8
- data/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb +72 -74
- data/lib/plugins/inspec-init/lib/inspec-init/cli_profile.rb +9 -11
- data/lib/plugins/inspec-init/lib/inspec-init/renderer.rb +4 -4
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Gemfile +0 -1
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/cli_command.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.rb +0 -2
- data/lib/plugins/inspec-init/templates/profiles/os/controls/example.rb +6 -7
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli.rb +1 -2
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +72 -70
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/plugin.rb +1 -1
- data/lib/plugins/shared/core_plugin_test_helper.rb +43 -38
- data/lib/source_readers/flat.rb +6 -10
- data/lib/source_readers/inspec.rb +8 -12
- metadata +139 -140
- data/lib/resources/mysql.rb +0 -82
- data/lib/resources/sys_info.rb +0 -28
- data/lib/utils/deprecation.rb +0 -6
- data/lib/utils/json_log.rb +0 -18
- data/lib/utils/latest_version.rb +0 -22
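--- a/data/lib/resources/ssh_conf.rb
+++ b/data/lib/inspec/resources/ssh_config.rb
@@ -1,14 +1,13 @@
-# encoding: utf-8
 # copyright: 2015, Vulcano Security GmbH
 
-require
-require
+require "inspec/utils/simpleconfig"
+require "inspec/utils/file_reader"
 
 module Inspec::Resources
-class
-name
-supports platform:
-desc
+class SshConfig < Inspec.resource(1)
+name "ssh_config"
+supports platform: "unix"
+desc "Use the `ssh_config` InSpec audit resource to test OpenSSH client configuration data located at `/etc/ssh/ssh_config` on Linux and Unix platforms."
 example <<~EXAMPLE
 describe ssh_config do
 its('cipher') { should contain '3des' }
@@ -20,8 +19,8 @@ module Inspec::Resources
 include FileReader
 
 def initialize(conf_path = nil, type = nil)
-@conf_path = conf_path ||
-typename = (@conf_path.include?(
+@conf_path = conf_path || "/etc/ssh/ssh_config"
+typename = (@conf_path.include?("sshd") ? "Server" : "Client")
 @type = type || "SSH #{typename} configuration #{conf_path}"
 read_content
 end
@@ -53,7 +52,7 @@ module Inspec::Resources
 end
 
 def to_s
-
+"SSH Configuration"
 end
 
 private
@@ -70,16 +69,16 @@ module Inspec::Resources
 conf = SimpleConfig.new(
 read_content,
 assignment_regex: /^\s*(\S+?)\s+(.*?)\s*$/,
-multiple_values: true
+multiple_values: true
 )
 @params = convert_hash(conf.params)
 end
 end
 
-class
-name
-supports platform:
-desc
+class SshdConfig < SshConfig
+name "sshd_config"
+supports platform: "unix"
+desc "Use the sshd_config InSpec audit resource to test configuration data for the Open SSH daemon located at /etc/ssh/sshd_config on Linux and UNIX platforms. sshd---the Open SSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command execution, and data exchanges."
 example <<~EXAMPLE
 describe sshd_config do
 its('Protocol') { should eq '2' }
@@ -87,11 +86,11 @@ module Inspec::Resources
 EXAMPLE
 
 def initialize(path = nil)
-super(path ||
+super(path || "/etc/ssh/sshd_config")
 end
 
 def to_s
-
+"SSHD Configuration"
 end
 end
 end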
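Review bot: In `SshConfig#initialize` (hunk `@@ -20,8 +19,8 @@`) the type label interpolates the `conf_path` argument instead of `@conf_path`, so a caller that relies on the new default path gets a label ending in "configuration " with no path; change it to `@type = type || "SSH #{typename} configuration #{@conf_path}"`. The Server/Client choice on the line above is a substring test on the whole path (`@conf_path.include?("sshd")`), so a directory component containing "sshd" also flips it to "Server"; if that is the intended heuristic a comment such as `# heuristic: any path mentioning "sshd" is treated as the daemon config` would make it explicit. The `initialize` body is fully contained in the hunk.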
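--- a/data/lib/resources/ssl.rb
+++ b/data/lib/inspec/resources/ssl.rb
@@ -1,16 +1,15 @@
-# encoding: utf-8
 # copyright: 2015, Chef Software Inc.
 
-require
-require
-require
-require
+require "sslshake"
+require "inspec/utils/filter"
+require "uri"
+require "parallel"
 
 # Custom resource based on the InSpec resource DSL
 class SSL < Inspec.resource(1)
-name
-supports platform:
-supports platform:
+name "ssl"
+supports platform: "unix"
+supports platform: "windows"
 
 desc "
 SSL test resource
@@ -33,11 +32,11 @@ class SSL < Inspec.resource(1)
 EXAMPLE
 
 VERSIONS = [
-
-
-
-
-
+"ssl2",
+"ssl3",
+"tls1.0",
+"tls1.1",
+"tls1.2",
 ].freeze
 
 attr_reader :host, :port, :timeout, :retries
@@ -46,10 +45,10 @@ class SSL < Inspec.resource(1)
 @host = opts[:host]
 if @host.nil?
 # Transports like SSH and WinRM will provide a hostname
-if inspec.backend.respond_to?(
+if inspec.backend.respond_to?("hostname")
 @host = inspec.backend.hostname
-elsif inspec.backend.class.to_s ==
-@host =
+elsif inspec.backend.class.to_s == "Train::Transports::Local::Connection"
+@host = "localhost"
 end
 end
 @port = opts[:port] || 443
@@ -59,12 +58,12 @@ class SSL < Inspec.resource(1)
 
 filter = FilterTable.create
 filter.register_custom_matcher(:enabled?) do |x|
-raise
-x.handshake.values.any? { |i| i[
+raise "Cannot determine host for SSL test. Please specify it or use a different target." if x.resource.host.nil?
+x.handshake.values.any? { |i| i["success"] }
 end
-filter.register_column(:ciphers, field:
-.register_column(:protocols, field:
-.register_custom_property(:handshake)
+filter.register_column(:ciphers, field: "cipher")
+.register_column(:protocols, field: "protocol")
+.register_custom_property(:handshake) do |x|
 groups = x.entries.group_by(&:protocol)
 res = Parallel.map(groups, in_threads: 8) do |proto, e|
 [proto, SSLShake.hello(x.resource.host, port: x.resource.port,
@@ -72,7 +71,7 @@ class SSL < Inspec.resource(1)
 timeout: x.resource.timeout, retries: x.resource.retries, servername: x.resource.host)]
 end
 Hash[res]
-
+end
 .install_filter_methods_on_resource(self, :scan_config)
 
 def to_s
@@ -83,14 +82,14 @@ class SSL < Inspec.resource(1)
 
 def scan_config
 [
-{
-{
-{
-{
-{
+{ "protocol" => "ssl2", "ciphers" => SSLShake::SSLv2::CIPHERS.keys },
+{ "protocol" => "ssl3", "ciphers" => SSLShake::TLS::SSL3_CIPHERS.keys },
+{ "protocol" => "tls1.0", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
+{ "protocol" => "tls1.1", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
+{ "protocol" => "tls1.2", "ciphers" => SSLShake::TLS::TLS_CIPHERS.keys },
 ].map do |line|
-line[
-{
+line["ciphers"].map do |cipher|
+{ "protocol" => line["protocol"], "cipher" => cipher }
 end
 end.flatten
 end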
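Review bot: `VERSIONS` (hunk `@@ -33,11 +32,11 @@`) and `scan_config` (hunk `@@ -83,14 +82,14 @@`) stop at tls1.2, so the resource never reports a TLS 1.3 handshake and a control asserting that 1.3 is offered cannot be written; if the underlying sslshake library cannot probe 1.3 that limit should be stated, e.g. a comment above `VERSIONS` reading `# Probes SSLv2 through TLS 1.2 only; TLS 1.3 is not scanned.`. In `scan_config` the "tls1.1" entry reuses `SSLShake::TLS::TLS10_CIPHERS`; that looks deliberate (1.0 and 1.1 share the same suite list) but a one-line comment would stop it being read as a copy-paste slip. The `enabled?` matcher raises a bare `RuntimeError` when no host could be determined; `raise ArgumentError, "Cannot determine host for SSL test. Please specify it or use a different target."` would let profiles rescue that case specifically.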
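--- /dev/null
+++ b/data/lib/inspec/resources/sys_info.rb
@@ -0,0 +1,30 @@
+require "inspec/resources/command"
+require "inspec/resources/powershell"
+
+module Inspec::Resources
+# this resource returns additional system informatio
+class System < Inspec.resource(1)
+name "sys_info"
+supports platform: "unix"
+supports platform: "windows"
+
+desc "Use the user InSpec system resource to test for operating system properties."
+example <<~EXAMPLE
+describe sys_info do
+its('hostname') { should eq 'example.com' }
+end
+EXAMPLE
+
+# returns the hostname of the local system
+def hostname
+os = inspec.os
+if os.linux? || os.darwin?
+inspec.command("hostname").stdout.chomp
+elsif os.windows?
+inspec.powershell("$env:computername").stdout.chomp
+else
+skip_resource "The `sys_info.hostname` resource is not supported on your OS yet."
+end
+end
+end
+end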
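Review bot: `hostname` only handles linux, darwin and windows, yet the class declares `supports platform: "unix"`, so on every other Unix family the resource is advertised as supported but each call ends in `skip_resource`; either narrow the `supports` declarations to what `hostname` implements or widen the first branch (an `os.unix?` test would presumably work wherever the `hostname` command exists, but that depends on the target and should be checked). The `desc` on line 11 reads "Use the user InSpec system resource", apparently copied from the `user` resource, and the class comment on line 5 is cut off at "informatio"; suggest `desc "Use the sys_info InSpec resource to test operating system properties."` and `# this resource returns additional system information`.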
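--- a/data/lib/resources/toml.rb
+++ b/data/lib/inspec/resources/toml.rb
@@ -1,12 +1,10 @@
-
-
-
-require 'tomlrb'
+require "tomlrb"
+require "inspec/resources/json"
 
 module Inspec::Resources
 class TomlConfig < JsonConfig
-name
-desc
+name "toml"
+desc "Use the toml InSpec resource to test configuration data in a TOML file"
 example <<~EXAMPLE
 describe toml('default.toml') do
 its('key') { should eq('value') }
@@ -26,7 +24,7 @@ module Inspec::Resources
 # used by JsonConfig to build up a full to_s method
 # based on whether a file path, content, or command was supplied.
 def resource_base_name
-
+"TOML"
 end
 end
 end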
@@ -1,8 +1,8 @@
|
|
1
|
-
|
2
|
-
|
3
|
-
require
|
4
|
-
require
|
5
|
-
require
|
1
|
+
require "inspec/utils/parser"
|
2
|
+
require "inspec/utils/convert"
|
3
|
+
require "inspec/utils/filter"
|
4
|
+
require "inspec/utils/simpleconfig"
|
5
|
+
require "inspec/resources/powershell"
|
6
6
|
|
7
7
|
module Inspec::Resources
|
8
8
|
# This file contains two resources, the `user` and `users` resource.
|
@@ -17,15 +17,15 @@ module Inspec::Resources
|
|
17
17
|
LinuxUser.new(inspec)
|
18
18
|
elsif os.windows?
|
19
19
|
WindowsUser.new(inspec)
|
20
|
-
elsif [
|
20
|
+
elsif ["darwin"].include?(os[:family])
|
21
21
|
DarwinUser.new(inspec)
|
22
|
-
elsif [
|
22
|
+
elsif ["freebsd"].include?(os[:family])
|
23
23
|
FreeBSDUser.new(inspec)
|
24
|
-
elsif [
|
24
|
+
elsif ["aix"].include?(os[:family])
|
25
25
|
AixUser.new(inspec)
|
26
26
|
elsif os.solaris?
|
27
27
|
SolarisUser.new(inspec)
|
28
|
-
elsif [
|
28
|
+
elsif ["hpux"].include?(os[:family])
|
29
29
|
HpuxUser.new(inspec)
|
30
30
|
end
|
31
31
|
end
|
@@ -52,10 +52,10 @@ module Inspec::Resources
|
|
52
52
|
class Users < Inspec.resource(1)
|
53
53
|
include UserManagementSelector
|
54
54
|
|
55
|
-
name
|
56
|
-
supports platform:
|
57
|
-
supports platform:
|
58
|
-
desc
|
55
|
+
name "users"
|
56
|
+
supports platform: "unix"
|
57
|
+
supports platform: "windows"
|
58
|
+
desc "Use the users InSpec audit resource to test local user profiles. Users can be filtered by groups to which they belong, the frequency of required password changes, the directory paths to home and shell."
|
59
59
|
example <<~EXAMPLE
|
60
60
|
describe users.where { uid == 0 }.entries do
|
61
61
|
it { should eq ['root'] }
|
@@ -66,7 +66,7 @@ module Inspec::Resources
|
|
66
66
|
def initialize
|
67
67
|
# select user provider
|
68
68
|
@user_provider = select_user_manager(inspec.os)
|
69
|
-
return skip_resource
|
69
|
+
return skip_resource "The `users` resource is not supported on your OS yet." if @user_provider.nil?
|
70
70
|
end
|
71
71
|
|
72
72
|
filter = FilterTable.create
|
@@ -87,7 +87,7 @@ module Inspec::Resources
|
|
87
87
|
filter.install_filter_methods_on_resource(self, :collect_user_details)
|
88
88
|
|
89
89
|
def to_s
|
90
|
-
|
90
|
+
"Users"
|
91
91
|
end
|
92
92
|
|
93
93
|
private
|
@@ -137,10 +137,10 @@ module Inspec::Resources
|
|
137
137
|
# end
|
138
138
|
class User < Inspec.resource(1)
|
139
139
|
include UserManagementSelector
|
140
|
-
name
|
141
|
-
supports platform:
|
142
|
-
supports platform:
|
143
|
-
desc
|
140
|
+
name "user"
|
141
|
+
supports platform: "unix"
|
142
|
+
supports platform: "windows"
|
143
|
+
desc "Use the user InSpec audit resource to test user profiles, including the groups to which they belong, the frequency of required password changes, the directory paths to home and shell."
|
144
144
|
example <<~EXAMPLE
|
145
145
|
describe user('root') do
|
146
146
|
it { should exist }
|
@@ -152,7 +152,7 @@ module Inspec::Resources
|
|
152
152
|
@username = username
|
153
153
|
# select user provider
|
154
154
|
@user_provider = select_user_manager(inspec.os)
|
155
|
-
return skip_resource
|
155
|
+
return skip_resource "The `user` resource is not supported on your OS yet." if @user_provider.nil?
|
156
156
|
end
|
157
157
|
|
158
158
|
def exists?
|
@@ -213,35 +213,35 @@ module Inspec::Resources
|
|
213
213
|
|
214
214
|
# implement 'mindays' method to be compatible with serverspec
|
215
215
|
def minimum_days_between_password_change
|
216
|
-
Inspec.deprecate(:resource_user_serverspec_compat,
|
216
|
+
Inspec.deprecate(:resource_user_serverspec_compat, "The user resource `minimum_days_between_password_change` property is deprecated. Please use `mindays`.")
|
217
217
|
mindays
|
218
218
|
end
|
219
219
|
|
220
220
|
# implement 'maxdays' method to be compatible with serverspec
|
221
221
|
def maximum_days_between_password_change
|
222
|
-
Inspec.deprecate(:resource_user_serverspec_compat,
|
222
|
+
Inspec.deprecate(:resource_user_serverspec_compat, "The user resource `maximum_days_between_password_change` property is deprecated. Please use `maxdays`.")
|
223
223
|
maxdays
|
224
224
|
end
|
225
225
|
|
226
226
|
# implements rspec has matcher, to be compatible with serverspec
|
227
227
|
# @see: https://github.com/rspec/rspec-expectations/blob/master/lib/rspec/matchers/built_in/has.rb
|
228
228
|
def has_uid?(compare_uid)
|
229
|
-
Inspec.deprecate(:resource_user_serverspec_compat,
|
229
|
+
Inspec.deprecate(:resource_user_serverspec_compat, "The user resource `has_uid?` matcher is deprecated.")
|
230
230
|
uid == compare_uid
|
231
231
|
end
|
232
232
|
|
233
233
|
def has_home_directory?(compare_home)
|
234
|
-
Inspec.deprecate(:resource_user_serverspec_compat,
|
234
|
+
Inspec.deprecate(:resource_user_serverspec_compat, "The user resource `has_home_directory?` matcher is deprecated. Please use `its('home')`.")
|
235
235
|
home == compare_home
|
236
236
|
end
|
237
237
|
|
238
238
|
def has_login_shell?(compare_shell)
|
239
|
-
Inspec.deprecate(:resource_user_serverspec_compat,
|
239
|
+
Inspec.deprecate(:resource_user_serverspec_compat, "The user resource `has_login_shell?` matcher is deprecated. Please use `its('shell')`.")
|
240
240
|
shell == compare_shell
|
241
241
|
end
|
242
242
|
|
243
243
|
def has_authorized_key?(_compare_key)
|
244
|
-
Inspec.deprecate(:resource_user_serverspec_compat,
|
244
|
+
Inspec.deprecate(:resource_user_serverspec_compat, "The user resource `has_authorized_key?` matcher is deprecated. There is no currently implemented alternative")
|
245
245
|
raise NotImplementedError
|
246
246
|
end
|
247
247
|
|
@@ -288,7 +288,7 @@ module Inspec::Resources
|
|
288
288
|
# groups: '',
|
289
289
|
# }
|
290
290
|
def identity(_username)
|
291
|
-
raise
|
291
|
+
raise "user provider must implement the `identity` method"
|
292
292
|
end
|
293
293
|
|
294
294
|
# returns optional information about a user, eg shell
|
@@ -309,7 +309,7 @@ module Inspec::Resources
|
|
309
309
|
|
310
310
|
# returns an array with users
|
311
311
|
def list_users
|
312
|
-
raise
|
312
|
+
raise "user provider must implement the `list_users` method"
|
313
313
|
end
|
314
314
|
|
315
315
|
# retuns all aspects of the user as one hash
|
@@ -326,9 +326,9 @@ module Inspec::Resources
|
|
326
326
|
|
327
327
|
# returns the full information list for a user
|
328
328
|
def collect_user_details
|
329
|
-
list_users.map
|
329
|
+
list_users.map do |username|
|
330
330
|
user_details(username.chomp)
|
331
|
-
|
331
|
+
end
|
332
332
|
end
|
333
333
|
end
|
334
334
|
|
@@ -337,7 +337,7 @@ module Inspec::Resources
|
|
337
337
|
attr_reader :inspec, :id_cmd, :list_users_cmd
|
338
338
|
def initialize(inspec)
|
339
339
|
@inspec = inspec
|
340
|
-
@id_cmd ||=
|
340
|
+
@id_cmd ||= "id"
|
341
341
|
@list_users_cmd ||= 'cut -d: -f1 /etc/passwd | grep -v "^#"'
|
342
342
|
super
|
343
343
|
end
|
@@ -353,10 +353,10 @@ module Inspec::Resources
|
|
353
353
|
def parse_value(line)
|
354
354
|
SimpleConfig.new(
|
355
355
|
line,
|
356
|
-
line_separator:
|
356
|
+
line_separator: ",",
|
357
357
|
assignment_regex: /^\s*([^\(]*?)\s*\(\s*(.*?)\)*$/,
|
358
358
|
group_re: nil,
|
359
|
-
multiple_values: false
|
359
|
+
multiple_values: false
|
360
360
|
).params
|
361
361
|
end
|
362
362
|
|
@@ -370,15 +370,15 @@ module Inspec::Resources
|
|
370
370
|
parse_id_entries(cmd.stdout.chomp),
|
371
371
|
assignment_regex: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/,
|
372
372
|
group_re: nil,
|
373
|
-
multiple_values: false
|
373
|
+
multiple_values: false
|
374
374
|
).params
|
375
375
|
|
376
376
|
{
|
377
|
-
uid: convert_to_i(parse_value(params[
|
378
|
-
username: parse_value(params[
|
379
|
-
gid: convert_to_i(parse_value(params[
|
380
|
-
groupname: parse_value(params[
|
381
|
-
groups: parse_value(params[
|
377
|
+
uid: convert_to_i(parse_value(params["uid"]).keys[0]),
|
378
|
+
username: parse_value(params["uid"]).values[0],
|
379
|
+
gid: convert_to_i(parse_value(params["gid"]).keys[0]),
|
380
|
+
groupname: parse_value(params["gid"]).values[0],
|
381
|
+
groups: parse_value(params["groups"]).values,
|
382
382
|
}
|
383
383
|
end
|
384
384
|
|
@@ -386,8 +386,8 @@ module Inspec::Resources
|
|
386
386
|
def parse_id_entries(raw)
|
387
387
|
data = []
|
388
388
|
until (index = raw.index(/\)\s{1}/)).nil?
|
389
|
-
data.push(raw[0, index+1]) # inclue closing )
|
390
|
-
raw = raw[index+2, raw.length-index-2]
|
389
|
+
data.push(raw[0, index + 1]) # inclue closing )
|
390
|
+
raw = raw[index + 2, raw.length - index - 2]
|
391
391
|
end
|
392
392
|
data.push(raw) if !raw.nil?
|
393
393
|
data.join("\n")
|
@@ -404,8 +404,8 @@ module Inspec::Resources
|
|
404
404
|
# returns: root:x:0:0:root:/root:/bin/bash
|
405
405
|
passwd = parse_passwd_line(cmd.stdout.chomp)
|
406
406
|
{
|
407
|
-
home: passwd[
|
408
|
-
shell: passwd[
|
407
|
+
home: passwd["home"],
|
408
|
+
shell: passwd["shell"],
|
409
409
|
}
|
410
410
|
end
|
411
411
|
|
@@ -417,13 +417,13 @@ module Inspec::Resources
|
|
417
417
|
cmd.stdout.chomp,
|
418
418
|
assignment_regex: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
|
419
419
|
group_re: nil,
|
420
|
-
multiple_values: false
|
420
|
+
multiple_values: false
|
421
421
|
).params
|
422
422
|
|
423
423
|
{
|
424
|
-
mindays: convert_to_i(params[
|
425
|
-
maxdays: convert_to_i(params[
|
426
|
-
warndays: convert_to_i(params[
|
424
|
+
mindays: convert_to_i(params["Minimum number of days between password change"]),
|
425
|
+
maxdays: convert_to_i(params["Maximum number of days between password change"]),
|
426
|
+
warndays: convert_to_i(params["Number of days of warning before password expires"]),
|
427
427
|
}
|
428
428
|
end
|
429
429
|
end
|
@@ -431,7 +431,7 @@ module Inspec::Resources
|
|
431
431
|
class SolarisUser < LinuxUser
|
432
432
|
def initialize(inspec)
|
433
433
|
@inspec = inspec
|
434
|
-
@id_cmd ||=
|
434
|
+
@id_cmd ||= "id -a"
|
435
435
|
super
|
436
436
|
end
|
437
437
|
end
|
@@ -456,24 +456,24 @@ module Inspec::Resources
|
|
456
456
|
lsuser = inspec.command("lsuser -C -a home shell #{username}")
|
457
457
|
return nil if lsuser.exit_status != 0
|
458
458
|
|
459
|
-
user = lsuser.stdout.chomp.split("\n").last.split(
|
459
|
+
user = lsuser.stdout.chomp.split("\n").last.split(":")
|
460
460
|
{
|
461
|
-
home:
|
461
|
+
home: user[1],
|
462
462
|
shell: user[2],
|
463
463
|
}
|
464
464
|
end
|
465
465
|
|
466
466
|
def credentials(username)
|
467
467
|
cmd = inspec.command(
|
468
|
-
"lssec -c -f /etc/security/user -s #{username} -a minage -a maxage -a pwdwarntime"
|
468
|
+
"lssec -c -f /etc/security/user -s #{username} -a minage -a maxage -a pwdwarntime"
|
469
469
|
)
|
470
470
|
return nil if cmd.exit_status != 0
|
471
471
|
|
472
|
-
user_sec = cmd.stdout.chomp.split("\n").last.split(
|
472
|
+
user_sec = cmd.stdout.chomp.split("\n").last.split(":")
|
473
473
|
|
474
474
|
{
|
475
|
-
mindays:
|
476
|
-
maxdays:
|
475
|
+
mindays: user_sec[1].to_i * 7,
|
476
|
+
maxdays: user_sec[2].to_i * 7,
|
477
477
|
warndays: user_sec[3].to_i,
|
478
478
|
}
|
479
479
|
end
|
@@ -483,7 +483,7 @@ module Inspec::Resources
|
|
483
483
|
def meta_info(username)
|
484
484
|
hpuxuser = inspec.command("logins -x -l #{username}")
|
485
485
|
return nil if hpuxuser.exit_status != 0
|
486
|
-
user = hpuxuser.stdout.chomp.split(
|
486
|
+
user = hpuxuser.stdout.chomp.split(" ")
|
487
487
|
{
|
488
488
|
home: user[4],
|
489
489
|
shell: user[5],
|
@@ -498,7 +498,7 @@ module Inspec::Resources
|
|
498
498
|
# @see http://superuser.com/questions/592921/mac-osx-users-vs-dscl-command-to-list-user
|
499
499
|
class DarwinUser < UnixUser
|
500
500
|
def initialize(inspec)
|
501
|
-
@list_users_cmd ||=
|
501
|
+
@list_users_cmd ||= "dscl . list /Users"
|
502
502
|
super
|
503
503
|
end
|
504
504
|
|
@@ -510,12 +510,12 @@ module Inspec::Resources
|
|
510
510
|
cmd.stdout.chomp,
|
511
511
|
assignment_regex: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
|
512
512
|
group_re: nil,
|
513
|
-
multiple_values: false
|
513
|
+
multiple_values: false
|
514
514
|
).params
|
515
515
|
|
516
516
|
{
|
517
|
-
home: params[
|
518
|
-
shell: params[
|
517
|
+
home: params["NFSHomeDirectory"],
|
518
|
+
shell: params["UserShell"],
|
519
519
|
}
|
520
520
|
end
|
521
521
|
end
|
@@ -524,10 +524,10 @@ module Inspec::Resources
|
|
524
524
|
# @see: https://www.freebsd.org/doc/handbook/users-synopsis.html
|
525
525
|
# @see: https://www.freebsd.org/cgi/man.cgi?pw(8)
|
526
526
|
# It offers the following commands:
|
527
|
-
# - adduser(8)
|
528
|
-
# - rmuser(8)
|
529
|
-
# - chpass(1)
|
530
|
-
# - passwd(1)
|
527
|
+
# - adduser(8) The recommended command-line application for adding new users.
|
528
|
+
# - rmuser(8) The recommended command-line application for removing users.
|
529
|
+
# - chpass(1) A flexible tool for changing user database information.
|
530
|
+
# - passwd(1) The command-line tool to change user passwords.
|
531
531
|
class FreeBSDUser < UnixUser
|
532
532
|
include PasswdParser
|
533
533
|
|
@@ -537,8 +537,8 @@ module Inspec::Resources
|
|
537
537
|
# returns: root:*:0:0:Charlie &:/root:/bin/csh
|
538
538
|
passwd = parse_passwd_line(cmd.stdout.chomp)
|
539
539
|
{
|
540
|
-
home: passwd[
|
541
|
-
shell: passwd[
|
540
|
+
home: passwd["home"],
|
541
|
+
shell: passwd["shell"],
|
542
542
|
}
|
543
543
|
end
|
544
544
|
end
|