inspec-core 4.3.2 → 4.6.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +37 -21
- data/etc/deprecations.json +10 -0
- data/etc/plugin_filters.json +8 -0
- data/lib/bundles/inspec-compliance/api.rb +1 -1
- data/lib/bundles/inspec-compliance/configuration.rb +1 -1
- data/lib/bundles/inspec-compliance/http.rb +1 -1
- data/lib/bundles/inspec-compliance/support.rb +1 -1
- data/lib/bundles/inspec-compliance/target.rb +1 -1
- data/lib/bundles/inspec-supermarket.rb +3 -7
- data/lib/bundles/inspec-supermarket/api.rb +10 -13
- data/lib/bundles/inspec-supermarket/cli.rb +12 -15
- data/lib/bundles/inspec-supermarket/target.rb +7 -11
- data/lib/fetchers/git.rb +14 -15
- data/lib/fetchers/local.rb +6 -10
- data/lib/fetchers/mock.rb +3 -5
- data/lib/fetchers/url.rb +42 -44
- data/lib/inspec.rb +23 -24
- data/lib/inspec/archive/tar.rb +2 -6
- data/lib/inspec/archive/zip.rb +3 -7
- data/lib/inspec/backend.rb +8 -9
- data/lib/inspec/base_cli.rb +64 -65
- data/lib/inspec/cached_fetcher.rb +2 -3
- data/lib/inspec/cli.rb +136 -97
- data/lib/inspec/config.rb +71 -61
- data/lib/inspec/control_eval_context.rb +22 -18
- data/lib/inspec/dependencies/cache.rb +2 -3
- data/lib/inspec/dependencies/dependency_set.rb +2 -3
- data/lib/inspec/dependencies/lockfile.rb +8 -9
- data/lib/inspec/dependencies/requirement.rb +7 -8
- data/lib/inspec/dependencies/resolver.rb +5 -7
- data/lib/inspec/describe.rb +2 -6
- data/lib/inspec/dist.rb +20 -0
- data/lib/inspec/dsl.rb +4 -7
- data/lib/inspec/dsl_shared.rb +1 -2
- data/lib/inspec/env_printer.rb +11 -12
- data/lib/inspec/errors.rb +0 -4
- data/lib/inspec/exceptions.rb +0 -1
- data/lib/inspec/expect.rb +5 -8
- data/lib/inspec/fetcher.rb +7 -10
- data/lib/inspec/file_provider.rb +24 -24
- data/lib/inspec/formatters.rb +3 -3
- data/lib/inspec/formatters/base.rb +8 -8
- data/lib/inspec/globals.rb +2 -2
- data/lib/inspec/impact.rb +5 -7
- data/lib/inspec/input_registry.rb +84 -33
- data/lib/inspec/library_eval_context.rb +3 -6
- data/lib/inspec/log.rb +1 -5
- data/lib/inspec/metadata.rb +17 -16
- data/lib/inspec/method_source.rb +5 -9
- data/lib/inspec/objects.rb +10 -12
- data/lib/inspec/objects/control.rb +7 -9
- data/lib/inspec/objects/describe.rb +9 -11
- data/lib/inspec/objects/each_loop.rb +1 -3
- data/lib/inspec/objects/input.rb +24 -26
- data/lib/inspec/objects/list.rb +4 -6
- data/lib/inspec/objects/or_test.rb +2 -4
- data/lib/inspec/objects/ruby_helper.rb +3 -5
- data/lib/inspec/objects/tag.rb +0 -2
- data/lib/inspec/objects/test.rb +9 -11
- data/lib/inspec/objects/value.rb +3 -5
- data/lib/inspec/plugin/v1.rb +2 -2
- data/lib/inspec/plugin/v1/plugin_types/cli.rb +1 -5
- data/lib/inspec/plugin/v1/plugin_types/fetcher.rb +2 -5
- data/lib/inspec/plugin/v1/plugin_types/resource.rb +4 -6
- data/lib/inspec/plugin/v1/plugin_types/secret.rb +1 -5
- data/lib/inspec/plugin/v1/plugin_types/source_reader.rb +1 -5
- data/lib/inspec/plugin/v1/plugins.rb +15 -19
- data/lib/inspec/plugin/v1/registry.rb +0 -4
- data/lib/inspec/plugin/v2.rb +8 -8
- data/lib/inspec/plugin/v2/activator.rb +1 -1
- data/lib/inspec/plugin/v2/config_file.rb +6 -6
- data/lib/inspec/plugin/v2/filter.rb +13 -13
- data/lib/inspec/plugin/v2/installer.rb +36 -24
- data/lib/inspec/plugin/v2/loader.rb +28 -28
- data/lib/inspec/plugin/v2/plugin_base.rb +15 -2
- data/lib/inspec/plugin/v2/plugin_types/cli.rb +5 -5
- data/lib/inspec/plugin/v2/plugin_types/input.rb +34 -0
- data/lib/inspec/plugin/v2/plugin_types/mock.rb +1 -1
- data/lib/inspec/plugin/v2/registry.rb +7 -7
- data/lib/inspec/polyfill.rb +0 -3
- data/lib/inspec/profile.rb +55 -63
- data/lib/inspec/profile_context.rb +27 -30
- data/lib/inspec/profile_vendor.rb +6 -9
- data/lib/inspec/reporters.rb +24 -24
- data/lib/inspec/reporters/automate.rb +17 -19
- data/lib/inspec/reporters/base.rb +1 -1
- data/lib/inspec/reporters/cli.rb +88 -91
- data/lib/inspec/reporters/json.rb +2 -4
- data/lib/inspec/reporters/json_automate.rb +1 -3
- data/lib/inspec/reporters/json_min.rb +1 -3
- data/lib/inspec/reporters/junit.rb +26 -28
- data/lib/inspec/reporters/yaml.rb +1 -3
- data/lib/inspec/require_loader.rb +0 -4
- data/lib/inspec/resource.rb +4 -125
- data/lib/inspec/resources.rb +121 -0
- data/lib/{resources → inspec/resources}/aide_conf.rb +24 -25
- data/lib/{resources → inspec/resources}/apache.rb +13 -14
- data/lib/{resources → inspec/resources}/apache_conf.rb +16 -17
- data/lib/{resources → inspec/resources}/apt.rb +17 -17
- data/lib/{resources → inspec/resources}/audit_policy.rb +7 -6
- data/lib/{resources → inspec/resources}/auditd.rb +62 -64
- data/lib/{resources → inspec/resources}/auditd_conf.rb +7 -8
- data/lib/{resources → inspec/resources}/bash.rb +6 -8
- data/lib/{resources → inspec/resources}/bond.rb +15 -14
- data/lib/{resources → inspec/resources}/bridge.rb +8 -8
- data/lib/{resources → inspec/resources}/chocolatey_package.rb +10 -8
- data/lib/{resources → inspec/resources}/command.rb +11 -10
- data/lib/{resources → inspec/resources}/cpan.rb +12 -12
- data/lib/{resources → inspec/resources}/cran.rb +9 -9
- data/lib/{resources → inspec/resources}/crontab.rb +47 -48
- data/lib/{resources → inspec/resources}/csv.rb +5 -5
- data/lib/{resources → inspec/resources}/dh_params.rb +5 -7
- data/lib/{resources → inspec/resources}/directory.rb +5 -7
- data/lib/{resources → inspec/resources}/docker.rb +63 -63
- data/lib/{resources → inspec/resources}/docker_container.rb +6 -6
- data/lib/{resources → inspec/resources}/docker_image.rb +9 -9
- data/lib/{resources → inspec/resources}/docker_object.rb +8 -13
- data/lib/{resources → inspec/resources}/docker_plugin.rb +6 -6
- data/lib/{resources → inspec/resources}/docker_service.rb +7 -7
- data/lib/{resources → inspec/resources}/elasticsearch.rb +40 -42
- data/lib/{resources → inspec/resources}/etc_fstab.rb +23 -24
- data/lib/{resources → inspec/resources}/etc_group.rb +26 -27
- data/lib/{resources → inspec/resources}/etc_hosts.rb +11 -13
- data/lib/{resources → inspec/resources}/etc_hosts_allow_deny.rb +25 -27
- data/lib/{resources → inspec/resources}/file.rb +80 -79
- data/lib/{resources → inspec/resources}/filesystem.rb +20 -15
- data/lib/{resources → inspec/resources}/firewalld.rb +26 -26
- data/lib/{resources → inspec/resources}/gem.rb +12 -12
- data/lib/{resources → inspec/resources}/groups.rb +28 -27
- data/lib/{resources → inspec/resources}/grub_conf.rb +46 -48
- data/lib/{resources → inspec/resources}/host.rb +31 -29
- data/lib/{resources → inspec/resources}/http.rb +24 -24
- data/lib/{resources → inspec/resources}/iis_app.rb +6 -7
- data/lib/{resources → inspec/resources}/iis_app_pool.rb +21 -19
- data/lib/{resources → inspec/resources}/iis_site.rb +17 -15
- data/lib/{resources → inspec/resources}/inetd_conf.rb +9 -10
- data/lib/{resources → inspec/resources}/ini.rb +7 -8
- data/lib/{resources → inspec/resources}/interface.rb +30 -30
- data/lib/{resources → inspec/resources}/iptables.rb +8 -8
- data/lib/{resources → inspec/resources}/json.rb +8 -10
- data/lib/{resources → inspec/resources}/kernel_module.rb +15 -15
- data/lib/{resources → inspec/resources}/kernel_parameter.rb +8 -8
- data/lib/{resources → inspec/resources}/key_rsa.rb +8 -10
- data/lib/{resources → inspec/resources}/ksh.rb +6 -8
- data/lib/{resources → inspec/resources}/limits_conf.rb +8 -9
- data/lib/{resources/login_def.rb → inspec/resources/login_defs.rb} +9 -10
- data/lib/{resources → inspec/resources}/mount.rb +6 -8
- data/lib/{resources → inspec/resources}/mssql_session.rb +16 -18
- data/lib/inspec/resources/mysql.rb +81 -0
- data/lib/{resources → inspec/resources}/mysql_conf.rb +13 -14
- data/lib/{resources → inspec/resources}/mysql_session.rb +16 -16
- data/lib/{resources → inspec/resources}/nginx.rb +16 -17
- data/lib/{resources → inspec/resources}/nginx_conf.rb +26 -27
- data/lib/{resources → inspec/resources}/npm.rb +9 -10
- data/lib/{resources → inspec/resources}/ntp_conf.rb +9 -10
- data/lib/{resources → inspec/resources}/oneget.rb +8 -8
- data/lib/{resources → inspec/resources}/oracledb_session.rb +33 -34
- data/lib/{resources → inspec/resources}/os.rb +6 -8
- data/lib/{resources → inspec/resources}/os_env.rb +11 -12
- data/lib/{resources → inspec/resources}/package.rb +66 -65
- data/lib/{resources → inspec/resources}/packages.rb +13 -13
- data/lib/{resources → inspec/resources}/parse_config.rb +8 -8
- data/lib/{resources → inspec/resources}/passwd.rb +18 -19
- data/lib/{resources → inspec/resources}/pip.rb +19 -19
- data/lib/{resources → inspec/resources}/platform.rb +9 -11
- data/lib/{resources → inspec/resources}/port.rb +134 -136
- data/lib/{resources → inspec/resources}/postgres.rb +40 -32
- data/lib/{resources → inspec/resources}/postgres_conf.rb +17 -17
- data/lib/{resources → inspec/resources}/postgres_hba_conf.rb +21 -23
- data/lib/{resources → inspec/resources}/postgres_ident_conf.rb +12 -14
- data/lib/{resources → inspec/resources}/postgres_session.rb +8 -9
- data/lib/{resources → inspec/resources}/powershell.rb +17 -13
- data/lib/{resources → inspec/resources}/processes.rb +29 -29
- data/lib/{resources/rabbitmq_conf.rb → inspec/resources/rabbitmq_config.rb} +10 -11
- data/lib/{resources → inspec/resources}/registry_key.rb +14 -14
- data/lib/inspec/resources/script.rb +1 -0
- data/lib/{resources → inspec/resources}/security_identifier.rb +11 -10
- data/lib/{resources → inspec/resources}/security_policy.rb +59 -58
- data/lib/{resources → inspec/resources}/service.rb +74 -75
- data/lib/{resources → inspec/resources}/shadow.rb +44 -45
- data/lib/{resources/ssh_conf.rb → inspec/resources/ssh_config.rb} +16 -17
- data/lib/{resources → inspec/resources}/ssl.rb +28 -29
- data/lib/inspec/resources/sys_info.rb +30 -0
- data/lib/{resources → inspec/resources}/toml.rb +5 -7
- data/lib/{resources → inspec/resources}/users.rb +65 -65
- data/lib/{resources → inspec/resources}/vbscript.rb +8 -9
- data/lib/{resources → inspec/resources}/virtualization.rb +60 -62
- data/lib/{resources → inspec/resources}/windows_feature.rb +9 -9
- data/lib/{resources → inspec/resources}/windows_hotfix.rb +5 -5
- data/lib/{resources → inspec/resources}/windows_task.rb +16 -15
- data/lib/{resources → inspec/resources}/wmi.rb +7 -8
- data/lib/{resources → inspec/resources}/x509_certificate.rb +9 -11
- data/lib/{resources/xinetd.rb → inspec/resources/xinetd_conf.rb} +27 -29
- data/lib/{resources → inspec/resources}/xml.rb +7 -7
- data/lib/{resources → inspec/resources}/yaml.rb +5 -6
- data/lib/{resources → inspec/resources}/yum.rb +10 -10
- data/lib/{resources → inspec/resources}/zfs_dataset.rb +6 -6
- data/lib/{resources → inspec/resources}/zfs_pool.rb +4 -4
- data/lib/inspec/rspec_extensions.rb +24 -8
- data/lib/inspec/rule.rb +14 -15
- data/lib/inspec/runner.rb +28 -28
- data/lib/inspec/runner_mock.rb +1 -5
- data/lib/inspec/runner_rspec.rb +18 -20
- data/lib/inspec/runtime_profile.rb +2 -5
- data/lib/inspec/schema.rb +142 -143
- data/lib/inspec/secrets.rb +3 -7
- data/lib/inspec/secrets/yaml.rb +3 -5
- data/lib/inspec/shell.rb +11 -15
- data/lib/inspec/shell_detector.rb +6 -7
- data/lib/inspec/source_reader.rb +4 -8
- data/lib/inspec/ui.rb +33 -39
- data/lib/inspec/ui_table_helper.rb +12 -0
- data/lib/{utils → inspec/utils}/command_wrapper.rb +4 -8
- data/lib/{utils → inspec/utils}/convert.rb +0 -4
- data/lib/{utils → inspec/utils}/database_helpers.rb +4 -8
- data/lib/inspec/utils/deprecation.rb +6 -0
- data/lib/{utils → inspec/utils}/deprecation/config_file.rb +19 -19
- data/lib/{utils → inspec/utils}/deprecation/deprecator.rb +12 -12
- data/lib/{utils → inspec/utils}/deprecation/errors.rb +1 -1
- data/lib/{utils → inspec/utils}/deprecation/global_method.rb +2 -2
- data/lib/{utils → inspec/utils}/enumerable_delegation.rb +0 -2
- data/lib/{utils → inspec/utils}/erlang_parser.rb +61 -65
- data/lib/{utils → inspec/utils}/file_reader.rb +1 -2
- data/lib/{utils → inspec/utils}/filter.rb +30 -33
- data/lib/{utils → inspec/utils}/filter_array.rb +0 -2
- data/lib/{utils → inspec/utils}/find_files.rb +9 -12
- data/lib/{utils → inspec/utils}/hash.rb +1 -5
- data/lib/inspec/utils/json_log.rb +15 -0
- data/lib/inspec/utils/latest_version.rb +13 -0
- data/lib/{utils → inspec/utils}/modulator.rb +0 -3
- data/lib/{utils → inspec/utils}/nginx_parser.rb +31 -35
- data/lib/{utils → inspec/utils}/object_traversal.rb +0 -3
- data/lib/{utils → inspec/utils}/parser.rb +45 -45
- data/lib/{utils → inspec/utils}/pkey_reader.rb +4 -2
- data/lib/{utils → inspec/utils}/simpleconfig.rb +8 -10
- data/lib/{utils → inspec/utils}/spdx.rb +1 -4
- data/lib/{utils → inspec/utils}/spdx.txt +0 -0
- data/lib/inspec/utils/telemetry.rb +3 -3
- data/lib/inspec/utils/telemetry/collector.rb +30 -9
- data/lib/inspec/utils/telemetry/data_series.rb +3 -1
- data/lib/inspec/utils/telemetry/global_methods.rb +1 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/matchers/matchers.rb +22 -25
- data/lib/plugins/inspec-artifact/lib/inspec-artifact.rb +1 -1
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb +52 -45
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/cli.rb +18 -16
- data/lib/plugins/inspec-compliance/lib/inspec-compliance.rb +1 -1
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +73 -73
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api/login.rb +66 -62
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +59 -57
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/configuration.rb +11 -11
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/http.rb +20 -22
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/support.rb +2 -4
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/target.rb +30 -27
- data/lib/plugins/inspec-habitat/Berksfile +2 -2
- data/lib/plugins/inspec-habitat/lib/inspec-habitat.rb +1 -1
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/cli.rb +15 -13
- data/lib/plugins/inspec-habitat/lib/inspec-habitat/profile.rb +64 -63
- data/lib/plugins/inspec-habitat/templates/habitat/hooks/run.erb +3 -3
- data/lib/plugins/inspec-habitat/templates/habitat/plan.sh.erb +11 -11
- data/lib/plugins/inspec-init/lib/inspec-init.rb +1 -1
- data/lib/plugins/inspec-init/lib/inspec-init/cli.rb +6 -8
- data/lib/plugins/inspec-init/lib/inspec-init/cli_plugin.rb +72 -74
- data/lib/plugins/inspec-init/lib/inspec-init/cli_profile.rb +9 -11
- data/lib/plugins/inspec-init/lib/inspec-init/renderer.rb +4 -4
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/Gemfile +0 -1
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/inspec-plugin-template.gemspec +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/cli_command.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/plugin.rb +0 -2
- data/lib/plugins/inspec-init/templates/plugins/inspec-plugin-template/lib/inspec-plugin-template/version.rb +0 -2
- data/lib/plugins/inspec-init/templates/profiles/os/controls/example.rb +6 -7
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli.rb +1 -2
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/cli_command.rb +72 -70
- data/lib/plugins/inspec-plugin-manager-cli/lib/inspec-plugin-manager-cli/plugin.rb +1 -1
- data/lib/plugins/shared/core_plugin_test_helper.rb +43 -38
- data/lib/source_readers/flat.rb +6 -10
- data/lib/source_readers/inspec.rb +8 -12
- metadata +139 -140
- data/lib/resources/mysql.rb +0 -82
- data/lib/resources/sys_info.rb +0 -28
- data/lib/utils/deprecation.rb +0 -6
- data/lib/utils/json_log.rb +0 -18
- data/lib/utils/latest_version.rb +0 -22
|
@@ -1,6 +1,5 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
require 'securerandom'
|
|
1
|
+
require "inspec/resources/powershell"
|
|
2
|
+
require "securerandom"
|
|
4
3
|
|
|
5
4
|
module Inspec::Resources
|
|
6
5
|
# This resource allows users to run vbscript on windows machines. We decided
|
|
@@ -19,10 +18,10 @@ module Inspec::Resources
|
|
|
19
18
|
# Since Windows does not delete tmp files automatically, we remove the VBScript
|
|
20
19
|
# after we executed it
|
|
21
20
|
# @see https://msdn.microsoft.com/en-us/library/aa364991.aspx
|
|
22
|
-
class VBScript <
|
|
23
|
-
name
|
|
24
|
-
supports platform:
|
|
25
|
-
desc
|
|
21
|
+
class VBScript < Powershell
|
|
22
|
+
name "vbscript"
|
|
23
|
+
supports platform: "windows"
|
|
24
|
+
desc ""
|
|
26
25
|
example <<~EXAMPLE
|
|
27
26
|
script = <<-EOH
|
|
28
27
|
# you vbscript
|
|
@@ -53,14 +52,14 @@ module Inspec::Resources
|
|
|
53
52
|
end
|
|
54
53
|
|
|
55
54
|
def to_s
|
|
56
|
-
|
|
55
|
+
"Windows VBScript"
|
|
57
56
|
end
|
|
58
57
|
|
|
59
58
|
private
|
|
60
59
|
|
|
61
60
|
def parse_stdout
|
|
62
61
|
res = inspec.backend.run_command(@command)
|
|
63
|
-
parsed_result = res.stdout.gsub(/#{@seperator}\r\n$/,
|
|
62
|
+
parsed_result = res.stdout.gsub(/#{@seperator}\r\n$/, "")
|
|
64
63
|
res.stdout = parsed_result
|
|
65
64
|
res
|
|
66
65
|
end
|
|
@@ -1,12 +1,10 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
require 'hashie/mash'
|
|
1
|
+
require "hashie/mash"
|
|
4
2
|
|
|
5
3
|
module Inspec::Resources
|
|
6
4
|
class Virtualization < Inspec.resource(1)
|
|
7
|
-
name
|
|
8
|
-
supports platform:
|
|
9
|
-
desc
|
|
5
|
+
name "virtualization"
|
|
6
|
+
supports platform: "linux"
|
|
7
|
+
desc "Use the virtualization InSpec audit resource to test the virtualization platform on which the system is running"
|
|
10
8
|
example <<~EXAMPLE
|
|
11
9
|
describe virtualization do
|
|
12
10
|
its('system') { should eq 'docker' }
|
|
@@ -42,21 +40,21 @@ module Inspec::Resources
|
|
|
42
40
|
end
|
|
43
41
|
|
|
44
42
|
def to_s
|
|
45
|
-
|
|
43
|
+
"Virtualization Detection"
|
|
46
44
|
end
|
|
47
45
|
|
|
48
46
|
private
|
|
49
47
|
|
|
50
48
|
def lxc_version_exists?
|
|
51
|
-
inspec.command(
|
|
49
|
+
inspec.command("lxc-version").exist?
|
|
52
50
|
end
|
|
53
51
|
|
|
54
52
|
def docker_exists?
|
|
55
|
-
inspec.command(
|
|
53
|
+
inspec.command("docker").exist?
|
|
56
54
|
end
|
|
57
55
|
|
|
58
56
|
def nova_exists?
|
|
59
|
-
inspec.command(
|
|
57
|
+
inspec.command("nova").exist?
|
|
60
58
|
end
|
|
61
59
|
|
|
62
60
|
# Detect Xen
|
|
@@ -68,12 +66,12 @@ module Inspec::Resources
|
|
|
68
66
|
# but rather be additive - btm
|
|
69
67
|
def detect_xen
|
|
70
68
|
# This file should exist on most Xen systems, normally empty for guests
|
|
71
|
-
return false unless inspec.file(
|
|
72
|
-
@virtualization_data[:system] =
|
|
73
|
-
if inspec.file(
|
|
74
|
-
@virtualization_data[:role] =
|
|
69
|
+
return false unless inspec.file("/proc/xen/capabilities").exist?
|
|
70
|
+
@virtualization_data[:system] = "xen"
|
|
71
|
+
if inspec.file("/proc/xen/capabilities").content =~ /control_d/i
|
|
72
|
+
@virtualization_data[:role] = "host"
|
|
75
73
|
else
|
|
76
|
-
@virtualization_data[:role] =
|
|
74
|
+
@virtualization_data[:role] = "guest"
|
|
77
75
|
end
|
|
78
76
|
|
|
79
77
|
true
|
|
@@ -81,16 +79,16 @@ module Inspec::Resources
|
|
|
81
79
|
|
|
82
80
|
# Detect Virtualbox from kernel module
|
|
83
81
|
def detect_virtualbox
|
|
84
|
-
return false unless inspec.file(
|
|
85
|
-
modules = inspec.file(
|
|
82
|
+
return false unless inspec.file("/proc/modules").exist?
|
|
83
|
+
modules = inspec.file("/proc/modules").content
|
|
86
84
|
if modules =~ /^vboxdrv/
|
|
87
|
-
Inspec::Log.debug(
|
|
88
|
-
@virtualization_data[:system] =
|
|
89
|
-
@virtualization_data[:role] =
|
|
85
|
+
Inspec::Log.debug("Plugin Virtualization: /proc/modules contains vboxdrv. Detecting as vbox host")
|
|
86
|
+
@virtualization_data[:system] = "vbox"
|
|
87
|
+
@virtualization_data[:role] = "host"
|
|
90
88
|
elsif modules =~ /^vboxguest/
|
|
91
|
-
Inspec::Log.debug(
|
|
92
|
-
@virtualization_data[:system] =
|
|
93
|
-
@virtualization_data[:role] =
|
|
89
|
+
Inspec::Log.debug("Plugin Virtualization: /proc/modules contains vboxguest. Detecting as vbox guest")
|
|
90
|
+
@virtualization_data[:system] = "vbox"
|
|
91
|
+
@virtualization_data[:role] = "guest"
|
|
94
92
|
else
|
|
95
93
|
return false
|
|
96
94
|
end
|
|
@@ -100,28 +98,28 @@ module Inspec::Resources
|
|
|
100
98
|
# if nova binary is present we're on an openstack host
|
|
101
99
|
def detect_openstack
|
|
102
100
|
return false unless nova_exists?
|
|
103
|
-
@virtualization_data[:system] =
|
|
104
|
-
@virtualization_data[:role] =
|
|
101
|
+
@virtualization_data[:system] = "openstack"
|
|
102
|
+
@virtualization_data[:role] = "host"
|
|
105
103
|
true
|
|
106
104
|
end
|
|
107
105
|
|
|
108
106
|
# Detect paravirt KVM/QEMU from cpuinfo, report as KVM
|
|
109
107
|
def detect_kvm_from_cpuinfo
|
|
110
|
-
return false unless inspec.file(
|
|
111
|
-
@virtualization_data[:system] =
|
|
112
|
-
@virtualization_data[:role] =
|
|
108
|
+
return false unless inspec.file("/proc/cpuinfo").content =~ /QEMU Virtual CPU|Common KVM processor|Common 32-bit KVM processor/
|
|
109
|
+
@virtualization_data[:system] = "kvm"
|
|
110
|
+
@virtualization_data[:role] = "guest"
|
|
113
111
|
true
|
|
114
112
|
end
|
|
115
113
|
|
|
116
114
|
# Detect KVM systems via /sys
|
|
117
115
|
# guests will have the hypervisor cpu feature that hosts don't have
|
|
118
116
|
def detect_kvm_from_sys
|
|
119
|
-
return false unless inspec.file(
|
|
120
|
-
@virtualization_data[:system] =
|
|
121
|
-
if inspec.file(
|
|
122
|
-
@virtualization_data[:role] =
|
|
117
|
+
return false unless inspec.file("/sys/devices/virtual/misc/kvm").exist?
|
|
118
|
+
@virtualization_data[:system] = "kvm"
|
|
119
|
+
if inspec.file("/proc/cpuinfo").content =~ /hypervisor/
|
|
120
|
+
@virtualization_data[:role] = "guest"
|
|
123
121
|
else
|
|
124
|
-
@virtualization_data[:role] =
|
|
122
|
+
@virtualization_data[:role] = "host"
|
|
125
123
|
end
|
|
126
124
|
true
|
|
127
125
|
end
|
|
@@ -129,12 +127,12 @@ module Inspec::Resources
|
|
|
129
127
|
# Detect OpenVZ / Virtuozzo.
|
|
130
128
|
# http://wiki.openvz.org/BC_proc_entries
|
|
131
129
|
def detect_openvz
|
|
132
|
-
if inspec.file(
|
|
133
|
-
@virtualization_data[:system] =
|
|
134
|
-
@virtualization_data[:role] =
|
|
135
|
-
elsif inspec.file(
|
|
136
|
-
@virtualization_data[:system] =
|
|
137
|
-
@virtualization_data[:role] =
|
|
130
|
+
if inspec.file("/proc/bc/0").exist?
|
|
131
|
+
@virtualization_data[:system] = "openvz"
|
|
132
|
+
@virtualization_data[:role] = "host"
|
|
133
|
+
elsif inspec.file("/proc/vz").exist?
|
|
134
|
+
@virtualization_data[:system] = "openvz"
|
|
135
|
+
@virtualization_data[:role] = "guest"
|
|
138
136
|
else
|
|
139
137
|
return false
|
|
140
138
|
end
|
|
@@ -143,23 +141,23 @@ module Inspec::Resources
|
|
|
143
141
|
|
|
144
142
|
# Detect Parallels virtual machine from pci devices
|
|
145
143
|
def detect_parallels
|
|
146
|
-
return false unless inspec.file(
|
|
147
|
-
@virtualization_data[:system] =
|
|
148
|
-
@virtualization_data[:role] =
|
|
144
|
+
return false unless inspec.file("/proc/bus/pci/devices").content =~ /1ab84000/
|
|
145
|
+
@virtualization_data[:system] = "parallels"
|
|
146
|
+
@virtualization_data[:role] = "guest"
|
|
149
147
|
true
|
|
150
148
|
end
|
|
151
149
|
|
|
152
150
|
# Detect Linux-VServer
|
|
153
151
|
def detect_linux_vserver
|
|
154
|
-
return false unless inspec.file(
|
|
155
|
-
proc_self_status = inspec.file(
|
|
152
|
+
return false unless inspec.file("/proc/self/status").exist?
|
|
153
|
+
proc_self_status = inspec.file("/proc/self/status").content
|
|
156
154
|
vxid = proc_self_status.match(/^(s_context|VxID):\s*(\d+)$/)
|
|
157
155
|
return false unless vxid && vxid[2]
|
|
158
|
-
@virtualization_data[:system] =
|
|
159
|
-
if vxid[2] ==
|
|
160
|
-
@virtualization_data[:role] =
|
|
156
|
+
@virtualization_data[:system] = "linux-vserver"
|
|
157
|
+
if vxid[2] == "0"
|
|
158
|
+
@virtualization_data[:role] = "host"
|
|
161
159
|
else
|
|
162
|
-
@virtualization_data[:role] =
|
|
160
|
+
@virtualization_data[:role] = "guest"
|
|
163
161
|
end
|
|
164
162
|
true
|
|
165
163
|
end
|
|
@@ -183,19 +181,19 @@ module Inspec::Resources
|
|
|
183
181
|
# Full notes, https://tickets.opscode.com/browse/OHAI-551
|
|
184
182
|
# Kernel docs, https://www.kernel.org/doc/Documentation/cgroups
|
|
185
183
|
def detect_lxc_docker
|
|
186
|
-
return false unless inspec.file(
|
|
187
|
-
cgroup_content = inspec.file(
|
|
184
|
+
return false unless inspec.file("/proc/self/cgroup").exist?
|
|
185
|
+
cgroup_content = inspec.file("/proc/self/cgroup").content
|
|
188
186
|
if cgroup_content =~ %r{^\d+:[^:]+:/(lxc|docker)/.+$} ||
|
|
189
187
|
cgroup_content =~ %r{^\d+:[^:]+:/[^/]+/(lxc|docker)-.+$} # rubocop:disable Layout/MultilineOperationIndentation
|
|
190
188
|
@virtualization_data[:system] = $1 # rubocop:disable Style/PerlBackrefs
|
|
191
|
-
@virtualization_data[:role] =
|
|
189
|
+
@virtualization_data[:role] = "guest"
|
|
192
190
|
elsif lxc_version_exists? && cgroup_content =~ %r{\d:[^:]+:/$}
|
|
193
191
|
# lxc-version shouldn't be installed by default
|
|
194
192
|
# Even so, it is likely we are on an LXC capable host that is not being used as such
|
|
195
193
|
# So we're cautious here to not overwrite other existing values (OHAI-573)
|
|
196
194
|
unless @virtualization_data[:system] && @virtualization_data[:role]
|
|
197
|
-
@virtualization_data[:system] =
|
|
198
|
-
@virtualization_data[:role] =
|
|
195
|
+
@virtualization_data[:system] = "lxc"
|
|
196
|
+
@virtualization_data[:role] = "host"
|
|
199
197
|
end
|
|
200
198
|
else
|
|
201
199
|
return false
|
|
@@ -204,21 +202,21 @@ module Inspec::Resources
|
|
|
204
202
|
end
|
|
205
203
|
|
|
206
204
|
def detect_docker
|
|
207
|
-
return false unless inspec.file(
|
|
208
|
-
@virtualization_data[:system] =
|
|
209
|
-
@virtualization_data[:role] =
|
|
205
|
+
return false unless inspec.file("/.dockerenv").exist? || inspec.file("/.dockerinit").exist?
|
|
206
|
+
@virtualization_data[:system] = "docker"
|
|
207
|
+
@virtualization_data[:role] = "guest"
|
|
210
208
|
true
|
|
211
209
|
end
|
|
212
210
|
|
|
213
211
|
# Detect LXD
|
|
214
212
|
# See https://github.com/lxc/lxd/blob/master/doc/dev-lxd.md
|
|
215
213
|
def detect_lxd
|
|
216
|
-
if inspec.file(
|
|
217
|
-
@virtualization_data[:system] =
|
|
218
|
-
@virtualization_data[:role] =
|
|
219
|
-
elsif inspec.file(
|
|
220
|
-
@virtualization_data[:system] =
|
|
221
|
-
@virtualization_data[:role] =
|
|
214
|
+
if inspec.file("/dev/lxd/sock").exist?
|
|
215
|
+
@virtualization_data[:system] = "lxd"
|
|
216
|
+
@virtualization_data[:role] = "guest"
|
|
217
|
+
elsif inspec.file("/var/lib/lxd/devlxd").exist?
|
|
218
|
+
@virtualization_data[:system] = "lxd"
|
|
219
|
+
@virtualization_data[:role] = "host"
|
|
222
220
|
else
|
|
223
221
|
return false
|
|
224
222
|
end
|
|
@@ -1,10 +1,10 @@
|
|
|
1
|
-
|
|
1
|
+
require "inspec/resources/command"
|
|
2
2
|
|
|
3
3
|
module Inspec::Resources
|
|
4
4
|
class WindowsFeature < Inspec.resource(1)
|
|
5
|
-
name
|
|
6
|
-
supports platform:
|
|
7
|
-
desc
|
|
5
|
+
name "windows_feature"
|
|
6
|
+
supports platform: "windows"
|
|
7
|
+
desc "Use the windows_feature InSpec audit resource to test features on Microsoft Windows."
|
|
8
8
|
example <<~EXAMPLE
|
|
9
9
|
# By default this resource will use Get-WindowsFeature.
|
|
10
10
|
# Failing that, it will use DISM.
|
|
@@ -72,7 +72,7 @@ module Inspec::Resources
|
|
|
72
72
|
if cmd.exit_status != 0
|
|
73
73
|
feature_info = {
|
|
74
74
|
name: feature,
|
|
75
|
-
description:
|
|
75
|
+
description: "N/A",
|
|
76
76
|
installed: false,
|
|
77
77
|
}
|
|
78
78
|
else
|
|
@@ -100,7 +100,7 @@ module Inspec::Resources
|
|
|
100
100
|
# non-server OS. This attempts to use the `dism` command to get the info.
|
|
101
101
|
if cmd.stderr =~ /The term 'Get-WindowsFeature' is not recognized/
|
|
102
102
|
feature_info[:name] = feature
|
|
103
|
-
feature_info[:error] =
|
|
103
|
+
feature_info[:error] = "Could not find `Get-WindowsFeature`"
|
|
104
104
|
else
|
|
105
105
|
# We cannot rely on `cmd.exit_status != 0` because by default the
|
|
106
106
|
# command will exit 1 even on success. So, if we cannot parse the JSON
|
|
@@ -109,9 +109,9 @@ module Inspec::Resources
|
|
|
109
109
|
result = JSON.parse(cmd.stdout)
|
|
110
110
|
|
|
111
111
|
feature_info = {
|
|
112
|
-
name: result[
|
|
113
|
-
description: result[
|
|
114
|
-
installed: result[
|
|
112
|
+
name: result["Name"],
|
|
113
|
+
description: result["Description"],
|
|
114
|
+
installed: result["Installed"],
|
|
115
115
|
}
|
|
116
116
|
rescue JSON::ParserError => _e
|
|
117
117
|
feature_info[:name] = feature
|
|
@@ -1,10 +1,10 @@
|
|
|
1
|
-
|
|
1
|
+
require "inspec/resources/powershell"
|
|
2
2
|
|
|
3
3
|
module Inspec::Resources
|
|
4
4
|
class WindowsHotfix < Inspec.resource(1)
|
|
5
|
-
name
|
|
6
|
-
supports platform:
|
|
7
|
-
desc
|
|
5
|
+
name "windows_hotfix"
|
|
6
|
+
supports platform: "windows"
|
|
7
|
+
desc "Use the windows_hotfix InSpec audit resource to test if the hotfix has been installed on the Windows system."
|
|
8
8
|
example <<~EXAMPLE
|
|
9
9
|
describe windows_hotfix('KB4012212') do
|
|
10
10
|
it { should be_installed }
|
|
@@ -17,7 +17,7 @@ module Inspec::Resources
|
|
|
17
17
|
@id = hotfix_id.upcase
|
|
18
18
|
@content = nil
|
|
19
19
|
os = inspec.os
|
|
20
|
-
return skip_resource
|
|
20
|
+
return skip_resource "The `windows_hotfix` resource is not a feature of your OS." unless os.windows?
|
|
21
21
|
query = "get-hotfix -id #{@id}"
|
|
22
22
|
cmd = inspec.powershell(query)
|
|
23
23
|
@content = cmd.stdout
|
|
@@ -1,9 +1,10 @@
|
|
|
1
|
-
|
|
1
|
+
require "inspec/resources/powershell"
|
|
2
|
+
|
|
2
3
|
module Inspec::Resources
|
|
3
|
-
class WindowsTasks < Inspec.resource(1)
|
|
4
|
-
name
|
|
5
|
-
supports platform:
|
|
6
|
-
desc
|
|
4
|
+
class WindowsTasks < Inspec.resource(1) # TODO: rename singular
|
|
5
|
+
name "windows_task"
|
|
6
|
+
supports platform: "windows"
|
|
7
|
+
desc "Use the windows_task InSpec audit resource to test task schedules on Microsoft Windows."
|
|
7
8
|
example <<~EXAMPLE
|
|
8
9
|
describe windows_task('\\Microsoft\\Windows\\Time Synchronization\\SynchronizeTime') do
|
|
9
10
|
it { should be_enabled }
|
|
@@ -38,12 +39,12 @@ module Inspec::Resources
|
|
|
38
39
|
# rubocop:disable Style/WordArray
|
|
39
40
|
def enabled?
|
|
40
41
|
return false if info.nil? || info[:state].nil?
|
|
41
|
-
[
|
|
42
|
+
["Ready", "Running"].include?(info[:state])
|
|
42
43
|
end
|
|
43
44
|
|
|
44
45
|
def disabled?
|
|
45
46
|
return false if info.nil? || info[:state].nil?
|
|
46
|
-
info[:scheduled_task_state] ==
|
|
47
|
+
info[:scheduled_task_state] == "Disabled" || info[:state] == "Disabled"
|
|
47
48
|
end
|
|
48
49
|
|
|
49
50
|
def logon_mode
|
|
@@ -84,14 +85,14 @@ module Inspec::Resources
|
|
|
84
85
|
end
|
|
85
86
|
|
|
86
87
|
@cache = {
|
|
87
|
-
uri: params[
|
|
88
|
-
state: params[
|
|
89
|
-
logon_mode: params[
|
|
90
|
-
last_result: params[
|
|
91
|
-
task_to_run: params[
|
|
92
|
-
run_as_user: params[
|
|
93
|
-
scheduled_task_state: params[
|
|
94
|
-
type:
|
|
88
|
+
uri: params["URI"],
|
|
89
|
+
state: params["State"],
|
|
90
|
+
logon_mode: params["Logon Mode"],
|
|
91
|
+
last_result: params["Last Result"],
|
|
92
|
+
task_to_run: params["Task To Run"],
|
|
93
|
+
run_as_user: params["Run As User"],
|
|
94
|
+
scheduled_task_state: params["Scheduled Task State"],
|
|
95
|
+
type: "windows-task",
|
|
95
96
|
}
|
|
96
97
|
end
|
|
97
98
|
|
|
@@ -1,6 +1,5 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
require 'utils/object_traversal'
|
|
1
|
+
require "inspec/resources/powershell"
|
|
2
|
+
require "inspec/utils/object_traversal"
|
|
4
3
|
|
|
5
4
|
module Inspec::Resources
|
|
6
5
|
# This resource simplifies the access to wmi
|
|
@@ -8,9 +7,9 @@ module Inspec::Resources
|
|
|
8
7
|
# WMIC /NAMESPACE:\\root\rsop\computer PATH RSOP_SecuritySettingNumeric WHERE "KeyName = 'MinimumPasswordAge' And precedence=1" GET Setting
|
|
9
8
|
# We use Get-WmiObject via Powershell to retrieve all values.
|
|
10
9
|
class WMI < Inspec.resource(1)
|
|
11
|
-
name
|
|
12
|
-
supports platform:
|
|
13
|
-
desc
|
|
10
|
+
name "wmi"
|
|
11
|
+
supports platform: "windows"
|
|
12
|
+
desc "request wmi information"
|
|
14
13
|
example <<~EXAMPLE
|
|
15
14
|
describe wmi({
|
|
16
15
|
class: 'RSOP_SecuritySettingNumeric',
|
|
@@ -29,7 +28,7 @@ module Inspec::Resources
|
|
|
29
28
|
if wmiclass.is_a?(Hash)
|
|
30
29
|
@options.merge!(wmiclass)
|
|
31
30
|
else
|
|
32
|
-
Inspec.deprecate(:wmi_non_hash_usage,
|
|
31
|
+
Inspec.deprecate(:wmi_non_hash_usage, "Using `wmi('wmisclass')` is deprecated. Please use`wmi({class: 'wmisclass'})`")
|
|
33
32
|
@options[:class] = wmiclass
|
|
34
33
|
end
|
|
35
34
|
end
|
|
@@ -61,7 +60,7 @@ module Inspec::Resources
|
|
|
61
60
|
args = @options.select { |key, _value| [:class, :namespace, :query, :filter].include?(key) }
|
|
62
61
|
|
|
63
62
|
# convert to Get-WmiObject arguments
|
|
64
|
-
params =
|
|
63
|
+
params = ""
|
|
65
64
|
args.each { |key, value| params += " -#{key} \"#{value.gsub('"', '`"')}\"" }
|
|
66
65
|
|
|
67
66
|
# run wmi command and filter empty wmi
|
|
@@ -1,15 +1,13 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
require
|
|
4
|
-
require 'hashie/mash'
|
|
5
|
-
require 'utils/file_reader'
|
|
1
|
+
require "openssl"
|
|
2
|
+
require "hashie/mash"
|
|
3
|
+
require "inspec/utils/file_reader"
|
|
6
4
|
|
|
7
5
|
module Inspec::Resources
|
|
8
6
|
class X509CertificateResource < Inspec.resource(1)
|
|
9
|
-
name
|
|
10
|
-
supports platform:
|
|
11
|
-
supports platform:
|
|
12
|
-
desc
|
|
7
|
+
name "x509_certificate"
|
|
8
|
+
supports platform: "unix"
|
|
9
|
+
supports platform: "windows"
|
|
10
|
+
desc "Used to test x.509 certificates"
|
|
13
11
|
example <<~EXAMPLE
|
|
14
12
|
describe x509_certificate('/etc/pki/www.mywebsite.com.pem') do
|
|
15
13
|
its('subject') { should match /CN=My Website/ }
|
|
@@ -47,8 +45,8 @@ module Inspec::Resources
|
|
|
47
45
|
|
|
48
46
|
# Forward these methods directly to OpenSSL::X509::Certificate instance
|
|
49
47
|
%w{version not_before not_after signature_algorithm public_key}.each do |m|
|
|
50
|
-
define_method m
|
|
51
|
-
@cert.
|
|
48
|
+
define_method m do |*args|
|
|
49
|
+
@cert.send(m, *args)
|
|
52
50
|
end
|
|
53
51
|
end
|
|
54
52
|
|