inspec-core 4.38.9 → 4.49.0

data/lib/inspec/resources/cassandra.rb

@@ -0,0 +1,64 @@
+module Inspec::Resources
+  class Cassandra < Inspec.resource(1)
+    name "cassandra"
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "The 'cassandra' resource is a helper for the 'cql_conf'"
+
+    attr_reader :conf_path
+
+    def initialize
+      case inspec.os[:family]
+      when "debian", "redhat", "linux", "suse"
+        determine_conf_dir_and_path_in_linux
+      when "windows"
+        determine_conf_dir_and_path_in_windows
+      end
+    end
+
+    def to_s
+      "CassandraDB"
+    end
+
+    private
+
+    def determine_conf_dir_and_path_in_linux
+      cassandra_home = inspec.os_env("CASSANDRA_HOME").content
+
+      if cassandra_home.nil? || cassandra_home.empty?
+        warn "$CASSANDRA_HOME environment variable not set in the system"
+        nil
+      else
+        conf_path = "#{cassandra_home}/cassandra.yaml"
+        if !inspec.file(conf_path).exist?
+          warn "Cassandra conf file not found in #{cassandra_home} directory."
+          nil
+        else
+          @conf_path = conf_path
+        end
+      end
+    rescue => e
+      fail_resource "Errors reading cassandra conf file: #{e}"
+    end
+
+    def determine_conf_dir_and_path_in_windows
+      cassandra_home = inspec.os_env("CASSANDRA_HOME").content
+
+      if cassandra_home.nil? || cassandra_home.empty?
+        warn "CASSANDRA_HOME environment variable not set in the system"
+        nil
+      else
+        conf_path = "#{cassandra_home}\\conf\\cassandra.yaml"
+        if !inspec.file(conf_path).exist?
+          warn "Cassandra conf file not found in #{cassandra_home}\\conf directory."
+          nil
+        else
+          @conf_path = conf_path
+        end
+      end
+    rescue => e
+      fail_resource "Errors reading cassandra conf file: #{e}"
+    end
+  end
+end

data/lib/inspec/resources/cassandradb_conf.rb

@@ -0,0 +1,47 @@
+require "inspec/resources/json"
+require "inspec/resources/cassandra"
+
+module Inspec::Resources
+  class CassandradbConf < JsonConfig
+    name "cassandradb_conf"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the cql_conf InSpec audit resource to test the contents of the configuration file for Cassandra DB"
+    example <<~EXAMPLE
+      describe cassandradb_conf do
+        its('listen_address') { should eq '0.0.0.0' }
+      end
+    EXAMPLE
+
+    def initialize(conf_path = nil)
+      cassandra = nil
+      if conf_path.nil?
+        cassandra = inspec.cassandra
+        @conf_path = cassandra.conf_path
+      else
+        @conf_path = conf_path
+      end
+
+      if cassandra && cassandra.resource_failed?
+        raise cassandra.resource_exception_message
+      elsif @conf_path.nil?
+        return skip_resource "Cassandra db conf path is not set"
+      end
+
+      super(@conf_path)
+    end
+
+    private
+
+    def parse(content)
+      YAML.load(content)
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse `cassandra.yaml` file: #{e.message}"
+    end
+
+    def resource_base_name
+      "Cassandra Configuration"
+    end
+
+  end
+end

data/lib/inspec/resources/cassandradb_session.rb

@@ -0,0 +1,68 @@
+module Inspec::Resources
+  class Lines
+    attr_reader :output
+
+    def initialize(raw, desc)
+      @output = raw
+      @desc = desc
+    end
+
+    def to_s
+      @desc
+    end
+  end
+
+  class CassandradbSession < Inspec.resource(1)
+    name "cassandradb_session"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the cassandradb_session InSpec resource to test commands against an Cassandra database"
+    example <<~EXAMPLE
+      cql = cassandradb_session(user: 'my_user', password: 'password', host: 'host', port: 'port')
+      describe cql.query("SELECT cluster_name FROM system.local") do
+        its('output') { should match /Test Cluster/ }
+      end
+    EXAMPLE
+
+    attr_reader :user, :password, :host, :port
+
+    def initialize(opts = {})
+      @user = opts[:user] || "cassandra"
+      @password = opts[:password] || "cassandra"
+      @host = opts[:host]
+      @port = opts[:port]
+    end
+
+    def query(q)
+      cassandra_cmd = create_cassandra_cmd(q)
+      cmd = inspec.command(cassandra_cmd)
+      out = cmd.stdout + "\n" + cmd.stderr
+      if cmd.exit_status != 0 || out =~ /Unable to connect to any servers/ || out.downcase =~ /^error:.*/
+        raise Inspec::Exceptions::ResourceFailed, "Cassandra query with errors: #{out}"
+      else
+        Lines.new(cmd.stdout.strip, "Cassandra query: #{q}")
+      end
+    end
+
+    def to_s
+      "Cassandra DB Session"
+    end
+
+    private
+
+    def create_cassandra_cmd(q)
+      # TODO: simple escape, must be handled by a library
+      # that does this securely
+      escaped_query = q.gsub(/\\/, "\\\\").gsub(/"/, '\\"').gsub(/\$/, '\\$')
+
+      # construct the query
+      command = "cqlsh"
+      command += " #{@host}" unless @host.nil?
+      command += " #{@port}" unless @port.nil?
+      command += " -u #{@user}"
+      command += " -p #{@password}"
+      command += " --execute '#{escaped_query}'"
+      command
+    end
+  end
+end

data/lib/inspec/resources/chrony_conf.rb

@@ -0,0 +1,55 @@
+# chrony_conf
+
+require "inspec/utils/simpleconfig"
+require "inspec/utils/file_reader"
+
+module Inspec::Resources
+  class ChronyConf < Inspec.resource(1)
+    name "chrony_conf"
+    supports platform: "unix"
+    desc "Use the chrony_conf InSpec audit resource to test the synchronization settings defined in the chrony.conf file. This file is typically located at /etc/chrony.conf."
+    example <<~EXAMPLE
+      describe chrony_conf do
+        its('server') { should_not cmp nil }
+        its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery' }
+        its('pool') { should include 'pool.ntp.org iburst' }
+        its('driftfile') { should cmp '/var/lib/ntp/drift' }
+        its('allow') { should cmp nil }
+        its('keyfile') { should cmp '/etc/chrony.keys' }
+      end
+    EXAMPLE
+
+    include FileReader
+
+    def initialize(path = nil)
+      @conf_path = path || "/etc/chrony.conf"
+      @content = read_file_content(@conf_path)
+    end
+
+    def method_missing(name)
+      param = read_params[name.to_s]
+      # extract first value if we have only one value in array
+      return param[0] if param.is_a?(Array) && (param.length == 1)
+
+      param
+    end
+
+    def to_s
+      "chrony.conf"
+    end
+
+    private
+
+    def read_params
+      return @params if defined?(@params)
+
+      # parse the file
+      conf = SimpleConfig.new(
+        @content,
+        assignment_regex: /^\s*(\S+)\s+(.*)\s*$/,
+        multiple_values: true
+      )
+      @params = conf.params
+    end
+  end
+end

data/lib/inspec/resources/csv.rb

@@ -11,14 +11,28 @@ module Inspec::Resources
       describe csv('example.csv') do
         its('name') { should eq(['John', 'Alice']) }
       end
+
+      describe csv('example.csv', false).params do
+        its[[0]] { should eq (['name', 'col1', 'col2']) }
+      emd
     EXAMPLE
 
+    def initialize(path, headers = true)
+      @headers = headers
+      super(path)
+    end
+
     # override the parse method from JsonConfig
     # Assuming a header row of name,col1,col2, it will output an array of hashes like so:
     #    [
     #      { 'name' => 'row1', 'col1' => 'value1', 'col2' => 'value2' },
     #      { 'name' => 'row2', 'col1' => 'value3', 'col2' => 'value4' }
     #    ]
+    # When headers is set to false it will return data as array of array
+    #    [
+    #      ['name', col1', 'col2'],
+    #      ['row2', 'value3', 'value4']
+    #    ]
     def parse(content)
       require "csv" unless defined?(CSV)
 
@@ -28,10 +42,14 @@ module Inspec::Resources
       end
 
       # implicit conversion of values
-      csv = CSV.new(content, headers: true, converters: %i{all blank_to_nil})
+      csv = CSV.new(content, headers: @headers, converters: %i{all blank_to_nil})
 
       # convert to hash
-      csv.to_a.map(&:to_hash)
+      if @headers
+        csv.to_a.map(&:to_hash)
+      else
+        csv.to_a
+      end
     rescue => e
       raise Inspec::Exceptions::ResourceFailed, "Unable to parse CSV: #{e.message}"
     end
@@ -42,7 +60,12 @@ module Inspec::Resources
     # #value method from JsonConfig (which uses ObjectTraverser.extract_value)
     # doesn't make sense here.
     def value(key)
-      @params.map { |x| x[key.first.to_s] }.compact
+      if @headers
+        @params.map { |x| x[key.first.to_s] }.compact
+      else
+        # when headers is set to false send the array as it is.
+        @params
+      end
     end
 
     private

data/lib/inspec/resources/groups.rb

@@ -22,6 +22,18 @@ module Inspec::Resources
     end
   end
 
+  # Class defined to check for members without case-sensitivity
+  class Members < Array
+    def initialize(group_members)
+      @group_members = group_members
+      super
+    end
+
+    def include?(user)
+      !(@group_members.select { |group_member| group_member.casecmp?(user) }.empty?)
+    end
+  end
+
   class Groups < Inspec.resource(1)
     include GroupManagementSelector
 
@@ -82,6 +94,7 @@ module Inspec::Resources
   #   its('gid') { should eq 0 }
   # end
   #
+
   class Group < Inspec.resource(1)
     include GroupManagementSelector
 
@@ -118,11 +131,13 @@ module Inspec::Resources
     end
 
     def members
-      flatten_entry(group_info, "members") || empty_value_for_members
+      members_list = flatten_entry(group_info, "members") || empty_value_for_members
+      inspec.os.windows? ? Members.new(members_list) : members_list
     end
 
     def members_array
-      flatten_entry(group_info, "members_array") || []
+      members_list = flatten_entry(group_info, "members_array") || []
+      inspec.os.windows? ? Members.new(members_list) : members_list
     end
 
     def local
@@ -150,7 +165,11 @@ module Inspec::Resources
     def group_info
       # we need a local copy for the block
       group = @group.dup
-      @groups_cache ||= inspec.groups.where { name == group }
+      if inspec.os.windows?
+        @groups_cache ||= inspec.groups.where { name.casecmp?(group) }
+      else
+        @groups_cache ||= inspec.groups.where { name == group }
+      end
     end
 
     def empty_value_for_members

data/lib/inspec/resources/ibmdb2_conf.rb

@@ -0,0 +1,57 @@
+module Inspec::Resources
+  class Ibmdb2Conf < Inspec.resource(1)
+    name "ibmdb2_conf"
+
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "Use the ibmdb2_conf InSpec audit resource to test the configuration values of IBM Db2 database."
+    example <<~EXAMPLE
+      describe ibmdb2_conf(db2_executable_file_path: "path_to_db2_binary", db_instance: "db2inst1") do
+        its("output") { should_not be_empty }
+        its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")}
+      end
+    EXAMPLE
+
+    attr_reader :output
+
+    def initialize(opts = {})
+      if inspec.os.platform?("unix")
+        @db2_executable_file_path = opts[:db2_executable_file_path]
+        @db_instance = opts[:db_instance]
+        raise Inspec::Exceptions::ResourceFailed, "Can't connect to IBM DB2 without db2_executable_file_path, db_instance options provided." if @db2_executable_file_path.nil? || @db_instance.nil?
+      end
+      @output = run_command
+    end
+
+    def to_s
+      "IBM Db2 Conf"
+    end
+
+    private
+
+    def run_command
+      # attach to the db2 instance and get the configuration
+      if inspec.os.platform?("unix")
+        cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} get database manager configuration")
+        out = cmd.stdout + "\n" + cmd.stderr
+
+        # check if following specific error is there. Sourcing the db2profile to resolve the error.
+        if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved.  Reason code: "3"/
+          cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} get database manager configuration")
+          out = cmd.stdout + "\n" + cmd.stderr
+        end
+      elsif inspec.os.platform?("windows")
+        # set-item command set the powershell to run the db2 commands.
+        cmd = inspec.command("set-item -path env:DB2CLP -value \"**$$**\"\; db2 get database manager configuration")
+        out = cmd.stdout + "\n" + cmd.stderr
+      end
+
+      if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 server/ || out.downcase =~ /^error:.*/
+        raise Inspec::Exceptions::ResourceFailed, "IBM Db2 query with error: #{out}"
+      else
+        cmd.stdout.gsub(/\n|\r/, ",").split(",").reject { |n| n.nil? || n.empty? }.map { |n| n.strip.gsub!(/\s+/, " ") }
+      end
+    end
+  end
+end

data/lib/inspec/resources/ibmdb2_session.rb

@@ -0,0 +1,69 @@
+module Inspec::Resources
+  class Lines
+    attr_reader :output
+
+    def initialize(raw, desc)
+      @output = raw
+      @desc = desc
+    end
+
+    def to_s
+      @desc
+    end
+  end
+
+  class Ibmdb2Session < Inspec.resource(1)
+    name "ibmdb2_session"
+
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "Use the ibmdb2_session InSpec audit resource to test SQL commands run against a IBM Db2 database."
+    example <<~EXAMPLE
+      describe ibmdb2_session(db2_executable_file_path: "path_to_db2_binary", db_instance: "db2inst1", db_name: "sample").query('list database directory') do
+        its('output') { should_not match(/sample/) }
+      end
+    EXAMPLE
+
+    def initialize(opts = {})
+      @db_name = opts[:db_name]
+      if inspec.os.platform?("unix")
+        @db2_executable_file_path = opts[:db2_executable_file_path]
+        @db_instance = opts[:db_instance]
+        raise Inspec::Exceptions::ResourceFailed, "Can't run IBM DB2 queries without db2_executable_file_path, db_instance, db_name options provided." if @db2_executable_file_path.nil? || @db_instance.nil? || @db_name.nil?
+      elsif inspec.os.platform?("windows")
+        raise Inspec::Exceptions::ResourceFailed, "Can't run IBM DB2 queries without db_name option provided." if @db_name.nil?
+      end
+    end
+
+    def query(q)
+      raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
+      if inspec.os.platform?("unix")
+        # connect to the db and query on the database
+        cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} #{q}\;")
+        out = cmd.stdout + "\n" + cmd.stderr
+
+        # check if following specific error is there. Sourcing the db2profile to resolve the error.
+        if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved.  Reason code: "3"/
+          cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} #{q}\;")
+          out = cmd.stdout + "\n" + cmd.stderr
+        end
+      elsif inspec.os.platform?("windows")
+        # set-item command set the powershell to run the db2 commands.
+        cmd = inspec.command("set-item -path env:DB2CLP -value \"**$$**\"\; db2 connect to #{@db_name}\; db2 #{q}\;")
+        out = cmd.stdout + "\n" + cmd.stderr
+      end
+
+      if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 / || out.downcase =~ /^error:.*/
+        raise Inspec::Exceptions::ResourceFailed, "IBM Db2 connection error: #{out}"
+      else
+        Lines.new(cmd.stdout.strip, "IBM Db2 Query: #{q}")
+      end
+    end
+
+    def to_s
+      "IBM Db2 Session"
+    end
+  end
+end

data/lib/inspec/resources/mongodb_session.rb

@@ -0,0 +1,88 @@
+require "mongo"
+
+module Inspec::Resources
+  class Lines
+    attr_reader :params
+
+    def initialize(raw, desc)
+      @params = raw
+      @desc = desc
+    end
+
+    def to_s
+      @desc
+    end
+  end
+
+  class MongodbSession < Inspec.resource(1)
+    name "mongodb_session"
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "Use the mongodb_session InSpec audit resource to run MongoDB command against a MongoDB Database."
+    example <<~EXAMPLE
+      # default values:
+      # host: "127.0.0.1"
+      # port: "27017"
+      # auth_source - default to database name
+      # auth_mech - :scram
+
+      describe mongodb_session(user: "foo", password: "bar", database: "test").query(usersInfo: "ian").params["users"].first["roles"].first do
+        its(["role"]) { should eq "readWrite" }
+      end
+    EXAMPLE
+    attr_reader :user, :host, :port, :database, :params
+
+    def initialize(opts = {})
+      @user = opts[:user] || nil
+      @password = opts[:password] || nil
+      @host = opts[:host] || "127.0.0.1"
+      @port = opts[:port] || "27017"
+      @database = opts[:database] || nil
+      @auth_mech = opts[:auth_mech] || :scram
+      @auth_source = opts[:auth_source] || @database
+      @ssl = opts[:ssl] || false
+      @ssl_cert = opts[:ssl_cert] || nil
+      @ssl_key = opts[:ssl_key] || nil
+      @ssl_ca_cert = opts[:ssl_ca_cert] || nil
+      @auth_mech_properties = opts[:auth_mech_properties] || {}
+      @client = nil
+
+      fail_resource "Can't run MongoDB checks without authentication." unless user && @password
+      fail_resource "You must provide a database name for the session." unless database
+
+      create_session
+    end
+
+    def query(command)
+      raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
+      Lines.new(@client.command(command).documents.first, "MongoDB query: #{command}")
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Can't run MongoDB command Error: #{e.message}"
+    end
+
+    private
+
+    def create_session
+      raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
+      options = { user: "#{user}",
+        password: "#{@password}",
+        database: "#{database}",
+        auth_source: "#{@auth_source}",
+        auth_mech: @auth_mech,
+        }
+      options[:auth_mech_properties] = @auth_mech_properties unless @auth_mech_properties.empty?
+      options[:ssl] = @ssl
+      opitons[:ssl_key] = @ssl_key unless @ssl_key.nil?
+      options[:ssl_cert] = @ssl_cert unless @ssl_cert.nil?
+      options[:ssl_ca_cert] = @ssl_ca_cert unless @ssl_ca_cert.nil?
+
+      @client = Mongo::Client.new([ "#{host}:#{port}" ], options)
+
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Can't run MongoDB command. Error: #{e.message}"
+    end
+  end
+end

data/lib/inspec/resources/mssql_sys_conf.rb

@@ -0,0 +1,48 @@
+require "inspec/resources/mssql_session"
+
+module Inspec::Resources
+  class MssqlSysConf < Inspec.resource(1)
+    name "mssql_sys_conf"
+    supports platform: "windows"
+    supports platform: "debian"
+    supports platform: "redhat"
+    supports platform: "suse"
+
+    desc "Use the mssql_sys_conf InSpec audit resource to test the database system configurations for Mssql DB"
+    example <<~EXAMPLE
+      describe mssql_sys_conf("clr_enabled", user: 'USER', password: 'PASSWORD') do
+        its("value_in_use") { should cmp "0" }
+        its("value_configured") { should cmp "0" }
+      end
+    EXAMPLE
+
+    attr_reader :mssql_session, :sql_query
+
+    def initialize(conf_param_name, opts = {})
+      opts[:username] ||= "SA"
+      @mssql_session = inspec.mssql_session(opts)
+      setting = conf_param_name.to_s.gsub("_", " ").split.map(&:capitalize).join(" ")
+      determine_system_configurations(setting)
+    end
+
+    def value_in_use
+      sql_query.row(0).column("value_in_use").value
+    end
+
+    def value_configured
+      sql_query.row(0).column("value_configured").value
+    end
+
+    def to_s
+      "MsSql DB Configuration"
+    end
+
+    private
+
+    def determine_system_configurations(setting)
+      @sql_query = mssql_session.query("SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = '#{setting}'")
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Errors fetching database system configurations for Mssql database: #{e}"
+    end
+  end
+end

data/lib/inspec/resources/opa.rb

@@ -0,0 +1,26 @@
+require "inspec/resources/json"
+
+module Inspec::Resources
+  class Opa < JsonConfig
+    name "opa"
+    supports platform: "unix"
+    supports platform: "windows"
+
+    def initialize(content)
+      @content = content
+      super({ content: @content })
+    end
+
+    def result
+      @content == {} || @content["result"].empty? ? nil : @content
+    end
+
+    private
+
+    def parse(content)
+      @content = YAML.load(content)
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse OPA query output: #{e.message}"
+    end
+  end
+end

data/lib/inspec/resources/opa_api.rb

@@ -0,0 +1,39 @@
+require "inspec/resources/opa"
+
+module Inspec::Resources
+  class OpaApi < Opa
+    name "opa_api"
+    supports platform: "unix"
+    supports platform: "windows"
+
+    def initialize(opts = {})
+      @url = opts[:url] || nil
+      @data = opts[:data] || nil
+      fail_resource "OPA url and data are mandatory." if @url.nil? || @url.empty? || @data.nil? || @data.empty?
+      @content = load_result
+      super(@content)
+    end
+
+    def allow
+      @content["result"]
+    end
+
+    def to_s
+      "OPA api"
+    end
+
+    private
+
+    def load_result
+      raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
+      result = inspec.command("curl -X POST #{@url} -d @#{@data} -H 'Content-Type: application/json'")
+      if result.exit_status == 0
+        result.stdout.gsub("\n", "")
+      else
+        error = result.stdout + "\n" + result.stderr
+        raise Inspec::Exceptions::ResourceFailed, "Error while executing OPA query: #{error}"
+      end
+    end
+  end
+end