inspec-core 4.41.20 → 4.52.9

data/lib/inspec/resources/mssql_sys_conf.rb

@@ -0,0 +1,48 @@
+require "inspec/resources/mssql_session"
+
+module Inspec::Resources
+  class MssqlSysConf < Inspec.resource(1)
+    name "mssql_sys_conf"
+    supports platform: "windows"
+    supports platform: "debian"
+    supports platform: "redhat"
+    supports platform: "suse"
+
+    desc "Use the mssql_sys_conf InSpec audit resource to test the database system configurations for Mssql DB"
+    example <<~EXAMPLE
+      describe mssql_sys_conf("clr_enabled", user: 'USER', password: 'PASSWORD') do
+        its("value_in_use") { should cmp "0" }
+        its("value_configured") { should cmp "0" }
+      end
+    EXAMPLE
+
+    attr_reader :mssql_session, :sql_query
+
+    def initialize(conf_param_name, opts = {})
+      opts[:username] ||= "SA"
+      @mssql_session = inspec.mssql_session(opts)
+      setting = conf_param_name.to_s.gsub("_", " ").split.map(&:capitalize).join(" ")
+      determine_system_configurations(setting)
+    end
+
+    def value_in_use
+      sql_query.row(0).column("value_in_use").value
+    end
+
+    def value_configured
+      sql_query.row(0).column("value_configured").value
+    end
+
+    def to_s
+      "MsSql DB Configuration"
+    end
+
+    private
+
+    def determine_system_configurations(setting)
+      @sql_query = mssql_session.query("SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = '#{setting}'")
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Errors fetching database system configurations for Mssql database: #{e}"
+    end
+  end
+end

data/lib/inspec/resources/opa.rb

@@ -6,12 +6,15 @@ module Inspec::Resources
     supports platform: "unix"
     supports platform: "windows"
 
-    attr_reader :result
     def initialize(content)
       @content = content
       super({ content: @content })
     end
 
+    def result
+      @content == {} || @content["result"].empty? ? nil : @content
+    end
+
     private
 
     def parse(content)

data/lib/inspec/resources/oracle.rb

@@ -0,0 +1,66 @@
+require "inspec/resources/powershell"
+
+module Inspec::Resources
+  class Oracle < Inspec.resource(1)
+    name "oracle"
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "The 'oracle' resource is a helper for the 'oracledb_listener_conf'"
+
+    attr_reader :conf_path
+
+    def initialize
+      case inspec.os[:family]
+      when "debian", "redhat", "linux", "suse"
+        determine_conf_dir_and_path_in_linux
+      when "windows"
+        determine_conf_dir_and_path_in_windows
+      end
+    end
+
+    def to_s
+      "OracleDB"
+    end
+
+    private
+
+    def determine_conf_dir_and_path_in_linux
+      oracle_home = inspec.os_env("ORACLE_HOME").content
+
+      if oracle_home.nil? || oracle_home.empty?
+        warn "$ORACLE_HOME env value not set in the system"
+        nil
+      else
+        conf_path = "#{oracle_home}/network/admin/listener.ora"
+        if !inspec.file(conf_path).exist?
+          warn "No oracle listener settings found in $ORACLE_HOME/network/admin directory"
+          nil
+        else
+          @conf_path = conf_path
+        end
+      end
+    rescue => e
+      fail_resource "Errors reading listener settings: #{e}"
+    end
+
+    def determine_conf_dir_and_path_in_windows
+      oracle_home = inspec.os_env("ORACLE_HOME").content
+
+      if oracle_home.nil? || oracle_home.empty?
+        warn "ORACLE_HOME env value not set in the system"
+        nil
+      else
+        conf_path = "#{oracle_home}\\network\\admin\\listener.ora"
+        if !inspec.file(conf_path).exist?
+          warn "No oracle listener settings found in ORACLE_HOME\\network\\admin directory"
+          nil
+        else
+          @conf_path = conf_path
+        end
+      end
+    rescue => e
+      fail_resource "Errors reading listener settings: #{e}"
+    end
+  end
+end

data/lib/inspec/resources/oracledb_conf.rb

@@ -0,0 +1,40 @@
+require "inspec/resources/oracledb_session"
+
+module Inspec::Resources
+  class OracledbConf < Inspec.resource(1)
+    name "oracledb_conf"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the oracledb_conf InSpec audit resource to test the database settings for Oracle DB"
+    example <<~EXAMPLE
+      describe oracledb_conf(user: 'USER', password: 'PASSWORD') do
+        its("audit_sys_operations") { should cmp "true" }
+        its("sql92_security") { should cmp "true" }
+      end
+    EXAMPLE
+
+    attr_reader :oracledb_session
+
+    def initialize(opts = {})
+      @oracledb_session = inspec.oracledb_session(opts)
+    end
+
+    def method_missing(name)
+      setting = name.to_s.upcase
+      determine_database_setting(setting)
+    end
+
+    def to_s
+      "Oracle DB Configuration"
+    end
+
+    private
+
+    def determine_database_setting(setting)
+      sql_query = oracledb_session.query("SELECT UPPER(VALUE) AS UPPER_VALUE FROM V$SYSTEM_PARAMETER WHERE UPPER(NAME) = '#{setting}'")
+      sql_query.row(0).column("UPPER_VALUE").value
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Errors fetching database settings for Oracle database: #{e}"
+    end
+  end
+end

data/lib/inspec/resources/oracledb_listener_conf.rb

@@ -0,0 +1,123 @@
+require "inspec/utils/object_traversal"
+require "inspec/utils/simpleconfig"
+require "inspec/utils/find_files"
+require "inspec/utils/file_reader"
+require "inspec/resources/oracle"
+
+module Inspec::Resources
+  class OracledbListenerConf < Inspec.resource(1)
+    name "oracledb_listener_conf"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the oracledb_listener_conf InSpec audit resource to test the listener settings for Oracle DB"
+    example <<~EXAMPLE
+      describe oracledb_listener_conf do
+        its('DEFAULT_SERVICE_LISTENER') { should eq 'XE' }
+      end
+    EXAMPLE
+
+    include FindFiles
+    include FileReader
+    include ObjectTraverser
+
+    def initialize(conf_path = nil)
+      oracle = nil
+      if conf_path.nil?
+        oracle = inspec.oracle
+        @conf_path = oracle.conf_path
+      else
+        @conf_path = conf_path
+      end
+
+      if oracle && oracle.resource_failed?
+        raise oracle.resource_exception_message
+      elsif @conf_path.nil?
+        return skip_resource "Oracle Listener conf path is not set"
+      end
+
+      @conf_dir = File.expand_path(File.dirname(@conf_path))
+      @files_contents = {}
+      @content = nil
+      @params = nil
+      read_content
+    end
+
+    def content
+      @content ||= read_content
+    end
+
+    def params(*opts)
+      @params || read_content
+      res = @params
+      opts.each do |opt|
+        res = res[opt] unless res.nil?
+      end
+      res
+    end
+
+    def value(key)
+      extract_value(key, @params)
+    end
+
+    def method_missing(*keys)
+      keys.shift if keys.is_a?(Array) && keys[0] == :[]
+      param = value(keys)
+      return nil if param.nil?
+      # extract first value if we have only one value in array
+      return param[0] if param.length == 1
+
+      param
+    end
+
+    def to_s
+      "Oracle Listener Configuration"
+    end
+
+    private
+
+    def read_content
+      @content = ""
+      @params = {}
+
+      to_read = [@conf_path]
+      until to_read.empty?
+        base_dir = File.dirname(to_read[0])
+        raw_conf = read_file(to_read[0])
+        @content += raw_conf
+
+        opts = {
+          assignment_regex: /^\s*([^=]*?)\s*=\s*[']?\s*(.*?)\s*[']?\s*$/,
+        }
+        params = SimpleConfig.new(raw_conf, opts).params
+        @params.merge!(params)
+
+        to_read = to_read.drop(1)
+        # see if there is more config files to include
+
+        to_read += include_files(params, base_dir).find_all do |fp|
+          not @files_contents.key? fp
+        end
+      end
+      @content
+    end
+
+    def include_files(params, base_dir)
+      include_files = Array(params["include"]) || []
+      include_files += Array(params["include_if_exists"]) || []
+      include_files.map! do |f|
+        Pathname.new(f).absolute? ? f : File.join(base_dir, f)
+      end
+
+      dirs = Array(params["include_dir"]) || []
+      dirs.each do |dir|
+        dir = File.join(base_dir, dir) if dir[0] != "/"
+        include_files += find_files(dir, depth: 1, type: "file")
+      end
+      include_files
+    end
+
+    def read_file(path)
+      @files_contents[path] ||= read_file_content(path)
+    end
+  end
+end

data/lib/inspec/resources/oracledb_session.rb

@@ -42,6 +42,7 @@ module Inspec::Resources
     end
 
     def query(sql)
+      raise Inspec::Exceptions::ResourceSkipped, "#{resource_exception_message}" if resource_skipped?
       raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
 
       if @sqlcl_bin && inspec.command(@sqlcl_bin).exist?
@@ -78,7 +79,14 @@ module Inspec::Resources
     # using a db_role
     # su, using a db_role
     def command_builder(format_options, query)
-      verified_query = verify_query(query)
+      if @db_role.nil? || @su_user.nil?
+        verified_query = verify_query(query)
+      else
+        escaped_query = query.gsub(/\\\\/, "\\").gsub(/"/, '\\"')
+        escaped_query = escaped_query.gsub("$", '\\$') unless escaped_query.include? "\\$"
+        verified_query = verify_query(escaped_query)
+      end
+
       sql_prefix, sql_postfix = "", ""
       if inspec.os.windows?
         sql_prefix = %{@'\n#{format_options}\n#{verified_query}\nEXIT\n'@ | }
@@ -87,11 +95,14 @@ module Inspec::Resources
       end
 
       if @db_role.nil?
-        "#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}"
+        %{#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}}
       elsif @su_user.nil?
-        "#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}"
+        %{#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}}
       else
-        "su - #{@su_user} -c env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"
+        # oracle_query_string is echoed to be able to extract the query output clearly
+        # su - su_user in certain versions of oracle returns a message
+        # Example of msg with query output: The Oracle base remains unchanged with value /oracle\n\nVALUE\n3\n
+        %{su - #{@su_user} -c "echo 'oracle_query_string'; env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"}
       end
     end
 
@@ -101,9 +112,17 @@ module Inspec::Resources
     end
 
     def parse_csv_result(stdout)
-      output = stdout.sub(/\r/, "").strip
+      output = stdout.split("oracle_query_string")[-1]
+      # comma_query_sub replaces the csv delimiter "," in the output.
+      # Handles CSV parsing of data like this (DROP,3) etc
+      output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
       converter = ->(header) { header.downcase }
-      CSV.parse(output, headers: true, header_converters: converter).map { |row| Hashie::Mash.new(row.to_h) }
+      CSV.parse(output, headers: true, header_converters: converter).map do |row|
+        next if row.entries.flatten.empty?
+
+        revised_row = row.entries.flatten.map { |entry| entry&.gsub("comma_query_sub", ",") }
+        Hashie::Mash.new([revised_row].to_h)
+      end
     end
   end
 end

data/lib/inspec/resources/packages.rb

@@ -26,6 +26,8 @@ module Inspec::Resources
         @pkgs = Debs.new(inspec)
       elsif os.redhat? || %w{suse amazon fedora}.include?(os[:family])
         @pkgs = Rpms.new(inspec)
+      elsif ["alpine"].include?(os[:name])
+        @pkgs = AlpinePkgs.new(inspec)
       else
         return skip_resource "The packages resource is not yet supported on OS #{inspec.os.name}"
       end
@@ -108,4 +110,23 @@ module Inspec::Resources
       end
     end
   end
+
+  # RedHat family
+  class AlpinePkgs < PkgsManagement
+    def build_package_list
+      command = "apk list --no-network --installed"
+      cmd = inspec.command(command)
+      all = cmd.stdout.split("\n")
+      return [] if all.nil? || cmd.exit_status.to_i != 0
+
+      all.map do |m|
+        next if m =~ /^WARNING/i
+
+        a = m.split(" ")
+        version = a[0].split("-")[-2]
+        name = a[2].gsub(/[{}^]*/, "")
+        PackageStruct.new("installed", name, version, a[1])
+      end
+    end
+  end
 end

data/lib/inspec/resources/postgres_session.rb

@@ -40,11 +40,12 @@ module Inspec::Resources
       end
     EXAMPLE
 
-    def initialize(user, pass, host = nil, port = nil)
+    def initialize(user, pass, host = nil, port = nil, socket_path = nil)
       @user = user || "postgres"
       @pass = pass
       @host = host || "localhost"
       @port = port || 5432
+      @socket_path = socket_path
       raise Inspec::Exceptions::ResourceFailed, "Can't run PostgreSQL SQL checks without authentication." if @user.nil? || @pass.nil?
     end
 
@@ -69,10 +70,20 @@ module Inspec::Resources
 
     def create_psql_cmd(query, db = [])
       dbs = db.map { |x| "#{x}" }.join(" ")
-      if inspec.os.windows?
-        "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
+
+      if @socket_path && !inspec.os.windows?
+        # Socket path and empty host in the connection string establishes socket connection
+        # Socket connection only enabled for non-windows platforms
+        # Windows does not support unix domain sockets
+        "psql -d postgresql://#{@user}:#{@pass}@/#{dbs}?host=#{@socket_path} -A -t -w -c #{escaped_query(query)}"
       else
-        "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
+        # Host in connection string establishes tcp/ip connection
+        if inspec.os.windows?
+          warn "Socket based connection not supported in windows, connecting using host" if @socket_path
+          "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
+        else
+          "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
+        end
       end
     end
   end

data/lib/inspec/resources/service.rb

@@ -141,7 +141,7 @@ module Inspec::Resources
         elsif version > 0
           SysV.new(inspec, service_ctl || "/usr/sbin/service")
         end
-      when "redhat", "fedora", "centos", "oracle", "cloudlinux", "scientific"
+      when "redhat", "fedora", "centos", "oracle", "cloudlinux", "scientific", "rocky", "almalinux"
         version = os[:release].to_i
 
         systemd = ((platform != "fedora" && version >= 7) ||
@@ -163,7 +163,12 @@ module Inspec::Resources
       when "mac_os_x", "darwin"
         LaunchCtl.new(inspec, service_ctl)
       when "freebsd"
-        BSDInit.new(inspec, service_ctl)
+        version = os[:release].to_f
+        if version < 10
+          BSDInit.new(inspec, service_ctl)
+        else
+          FreeBSD10Init.new(inspec, service_ctl)
+        end
       when "arch"
         Systemd.new(inspec, service_ctl)
       when "coreos"
@@ -186,6 +191,8 @@ module Inspec::Resources
         Svcs.new(inspec)
       when "yocto"
         Systemd.new(inspec, service_ctl)
+      when "alpine"
+        SysV.new(inspec, service_ctl)
       end
     end
 
@@ -478,6 +485,7 @@ module Inspec::Resources
 
   # @see: https://www.freebsd.org/doc/en/articles/linux-users/startup.html
   # @see: https://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5
+  # @see: https://www.freebsd.org/cgi/man.cgi?query=rc&apropos=0&sektion=8&manpath=FreeBSD+9.3-RELEASE&arch=default&format=html
   class BSDInit < ServiceManager
     def initialize(service_name, service_ctl = nil)
       @service_ctl = service_ctl || "service"
@@ -485,17 +493,20 @@ module Inspec::Resources
     end
 
     def info(service_name)
-      # check if service is enabled
-      # services are enabled in /etc/rc.conf and /etc/defaults/rc.conf
-      # via #{service_name}_enable="YES"
-      # service SERVICE status returns the following result if not activated:
-      #   Cannot 'status' sshd. Set sshd_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'.
-      # gather all enabled services
+      # `service -e` lists all enabled services. Output format:
+      # % service -e
+      # /etc/rc.d/hostid
+      # /etc/rc.d/hostid_save
+      # /etc/rc.d/cleanvar
+      # /etc/rc.d/ip6addrctl
+      # /etc/rc.d/devd
+
       cmd = inspec.command("#{service_ctl} -e")
       return nil if cmd.exit_status != 0
 
       # search for the service
-      srv = /(^.*#{service_name}$)/.match(cmd.stdout)
+
+      srv = %r{^.*/(#{service_name}$)}.match(cmd.stdout)
       return nil if srv.nil? || srv[0].nil?
 
       enabled = true
@@ -516,6 +527,37 @@ module Inspec::Resources
     end
   end
 
+  # @see: https://www.freebsd.org/doc/en/articles/linux-users/startup.html
+  # @see: https://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5
+  # @see: https://www.freebsd.org/cgi/man.cgi?query=rc&apropos=0&sektion=8&manpath=FreeBSD+10.0-RELEASE&arch=default&format=html
+  class FreeBSD10Init < ServiceManager
+    def initialize(service_name, service_ctl = nil)
+      @service_ctl = service_ctl || "service"
+      super
+    end
+
+    def info(service_name)
+      # check if service is enabled
+      cmd = inspec.command("#{service_ctl} #{service_name} enabled")
+
+      enabled = cmd.exit_status == 0
+
+      # check if the service is running
+      # if the service is not available or not running, we always get an error code
+      cmd = inspec.command("#{service_ctl} #{service_name} onestatus")
+      running = cmd.exit_status == 0
+
+      {
+        name: service_name,
+        description: nil,
+        installed: true,
+        running: running,
+        enabled: enabled,
+        type: "bsd-init",
+      }
+    end
+  end
+
   class Runit < ServiceManager
     def initialize(service_name, service_ctl = nil)
       @service_ctl = service_ctl || "sv"
@@ -782,7 +824,14 @@ module Inspec::Resources
     EXAMPLE
 
     def select_service_mgmt
-      BSDInit.new(inspec, service_ctl)
+      os = inspec.os
+      version = os[:release].to_f
+
+      if version >= 10
+        FreeBSD10Init.new(inspec, service_ctl)
+      else
+        BSDInit.new(inspec, service_ctl)
+      end
     end
   end
 

data/lib/inspec/resources/ssl.rb

@@ -38,6 +38,7 @@ module Inspec::Resources
       "tls1.0",
       "tls1.1",
       "tls1.2",
+      "tls1.3",
     ].freeze
 
     attr_reader :host, :port, :timeout, :retries
@@ -72,6 +73,11 @@ module Inspec::Resources
             protocol: proto, ciphers: e.map(&:cipher),
             timeout: x.resource.timeout, retries: x.resource.retries, servername: x.resource.host)]
         end
+
+        if !res[0].empty? && res[0][1].key?("error") && res[0][1]["error"].include?("Connection error Errno::ECONNREFUSED")
+          raise "#{res[0][1]["error"]}"
+        end
+
         Hash[res]
       end
       .install_filter_methods_on_resource(self, :scan_config)
@@ -89,6 +95,7 @@ module Inspec::Resources
         { "protocol" => "tls1.0", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
         { "protocol" => "tls1.1", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
         { "protocol" => "tls1.2", "ciphers" => SSLShake::TLS::TLS_CIPHERS.keys },
+        { "protocol" => "tls1.3", "ciphers" => SSLShake::TLS::TLS13_CIPHERS.keys },
       ].map do |line|
         line["ciphers"].map do |cipher|
           { "protocol" => line["protocol"], "cipher" => cipher }

data/lib/inspec/resources/sybase_conf.rb

@@ -0,0 +1,37 @@
+require "inspec/resources/sybase_session"
+
+module Inspec::Resources
+  class SybaseConf < Inspec.resource(1)
+    name "sybase_conf"
+    supports platform: "unix"
+    # supports platform: "windows" # TODO
+    desc "Use the sybase_conf InSpec resource to test Sybase config settings"
+    example <<~EXAMPLE
+      describe sybase_conf("max memory", password: 'password', server: 'SYBASE') do
+        its("run_value") { should cmp 180224 }
+      end
+    EXAMPLE
+
+    attr_reader :conf_param, :sql_query
+    def initialize(conf_param_name, opts = {})
+      @conf_param = conf_param_name
+      opts[:username] ||= "sa"
+      opts[:database] ||= "master"
+      sql_session = inspec.sybase_session(opts)
+      @sql_query = sql_session.query("sp_configure \"#{conf_param}\"")
+    end
+
+    def run_value
+      sql_query.row(0).column("Run Value").value
+    end
+
+    def config_value
+      sql_query.row(0).column("Config Value").value
+    end
+
+    def to_s
+      "Sybase Conf #{conf_param}"
+    end
+
+  end
+end