inspec-core 4.41.20 → 4.52.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile +4 -0
- data/etc/deprecations.json +1 -1
- data/lib/bundles/inspec-supermarket/README.md +21 -2
- data/lib/bundles/inspec-supermarket/cli.rb +20 -3
- data/lib/bundles/inspec-supermarket/target.rb +3 -2
- data/lib/inspec/base_cli.rb +12 -0
- data/lib/inspec/cli.rb +21 -4
- data/lib/inspec/control_eval_context.rb +40 -39
- data/lib/inspec/dsl.rb +18 -3
- data/lib/inspec/globals.rb +5 -0
- data/lib/inspec/plugin/v1/registry.rb +1 -1
- data/lib/inspec/profile.rb +115 -2
- data/lib/inspec/resources/auditd.rb +5 -4
- data/lib/inspec/resources/cassandra.rb +64 -0
- data/lib/inspec/resources/cassandradb_conf.rb +47 -0
- data/lib/inspec/resources/cassandradb_session.rb +68 -0
- data/lib/inspec/resources/chrony_conf.rb +55 -0
- data/lib/inspec/resources/csv.rb +26 -3
- data/lib/inspec/resources/groups.rb +22 -3
- data/lib/inspec/resources/http.rb +135 -54
- data/lib/inspec/resources/ibmdb2_conf.rb +57 -0
- data/lib/inspec/resources/ibmdb2_session.rb +69 -0
- data/lib/inspec/resources/mssql_sys_conf.rb +48 -0
- data/lib/inspec/resources/opa.rb +4 -1
- data/lib/inspec/resources/oracle.rb +66 -0
- data/lib/inspec/resources/oracledb_conf.rb +40 -0
- data/lib/inspec/resources/oracledb_listener_conf.rb +123 -0
- data/lib/inspec/resources/oracledb_session.rb +25 -6
- data/lib/inspec/resources/packages.rb +21 -0
- data/lib/inspec/resources/postgres_session.rb +15 -4
- data/lib/inspec/resources/service.rb +59 -10
- data/lib/inspec/resources/ssl.rb +7 -0
- data/lib/inspec/resources/sybase_conf.rb +37 -0
- data/lib/inspec/resources/sybase_session.rb +111 -0
- data/lib/inspec/resources/users.rb +16 -2
- data/lib/inspec/resources/windows_firewall.rb +1 -1
- data/lib/inspec/resources.rb +9 -0
- data/lib/inspec/run_data/profile.rb +0 -2
- data/lib/inspec/version.rb +1 -1
- metadata +14 -2
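--- a/data/lib/inspec/resources/mssql_sys_conf.rb
+++ b/data/lib/inspec/resources/mssql_sys_conf.rb
@@ -0,0 +1,48 @@
+require "inspec/resources/mssql_session"
+
+module Inspec::Resources
+class MssqlSysConf < Inspec.resource(1)
+name "mssql_sys_conf"
+supports platform: "windows"
+supports platform: "debian"
+supports platform: "redhat"
+supports platform: "suse"
+
+desc "Use the mssql_sys_conf InSpec audit resource to test the database system configurations for Mssql DB"
+example <<~EXAMPLE
+describe mssql_sys_conf("clr_enabled", user: 'USER', password: 'PASSWORD') do
+its("value_in_use") { should cmp "0" }
+its("value_configured") { should cmp "0" }
+end
+EXAMPLE
+
+attr_reader :mssql_session, :sql_query
+
+def initialize(conf_param_name, opts = {})
+opts[:username] ||= "SA"
+@mssql_session = inspec.mssql_session(opts)
+setting = conf_param_name.to_s.gsub("_", " ").split.map(&:capitalize).join(" ")
+determine_system_configurations(setting)
+end
+
+def value_in_use
+sql_query.row(0).column("value_in_use").value
+end
+
+def value_configured
+sql_query.row(0).column("value_configured").value
+end
+
+def to_s
+"MsSql DB Configuration"
+end
+
+private
+
+def determine_system_configurations(setting)
+@sql_query = mssql_session.query("SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = '#{setting}'")
+rescue => e
+raise Inspec::Exceptions::ResourceFailed, "Errors fetching database system configurations for Mssql database: #{e}"
+end
+end
+end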
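Review bot: `setting` is interpolated straight into the SQL string at new line 43 after only a case transformation, so a `conf_param_name` containing a single quote breaks the statement or changes its meaning; validate the name before building the query, e.g. `raise ArgumentError, "invalid configuration name: #{conf_param_name}" unless setting.match?(/\A[A-Za-z0-9 ]+\z/)` ahead of the `query` call in `determine_system_configurations`. The capitalisation at line 24 (`clr_enabled` becomes `Clr Enabled`) only matches the lower-case names stored in `sys.configurations` when the server collation is case-insensitive; a comment stating that assumption, or comparing with `LOWER(name) = '...'`, would make it explicit. `opts[:username] ||= "SA"` at line 22 mutates the caller's hash; `opts = { username: "SA" }.merge(opts)` gives the same default without the side effect.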
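--- a/data/lib/inspec/resources/opa.rb
+++ b/data/lib/inspec/resources/opa.rb
@@ -6,12 +6,15 @@ module Inspec::Resources
 supports platform: "unix"
 supports platform: "windows"
 
-attr_reader :result
 def initialize(content)
 @content = content
 super({ content: @content })
 end
 
+def result
+@content == {} || @content["result"].empty? ? nil : @content
+end
+
 private
 
 def parse(content)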
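Review bot: `result` at new line 15 calls `.empty?` on `@content["result"]`, which raises NoMethodError when `@content` is a non-empty hash without a `"result"` key (or is nil), where the removed `attr_reader` simply returned nil; guard the lookup, e.g. `return nil if @content.nil? || @content.empty?` followed by `@content["result"].nil? || @content["result"].empty? ? nil : @content`. The `||`/`?:` precedence is correct as written, but parentheses around the condition would spare the next reader the check. What `parse` (which continues past the hunk) does with `@content` is not visible here, so the shape of `@content` is inferred from the `== {}` comparison.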
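--- a/data/lib/inspec/resources/oracle.rb
+++ b/data/lib/inspec/resources/oracle.rb
@@ -0,0 +1,66 @@
+require "inspec/resources/powershell"
+
+module Inspec::Resources
+class Oracle < Inspec.resource(1)
+name "oracle"
+supports platform: "unix"
+supports platform: "windows"
+
+desc "The 'oracle' resource is a helper for the 'oracledb_listener_conf'"
+
+attr_reader :conf_path
+
+def initialize
+case inspec.os[:family]
+when "debian", "redhat", "linux", "suse"
+determine_conf_dir_and_path_in_linux
+when "windows"
+determine_conf_dir_and_path_in_windows
+end
+end
+
+def to_s
+"OracleDB"
+end
+
+private
+
+def determine_conf_dir_and_path_in_linux
+oracle_home = inspec.os_env("ORACLE_HOME").content
+
+if oracle_home.nil? || oracle_home.empty?
+warn "$ORACLE_HOME env value not set in the system"
+nil
+else
+conf_path = "#{oracle_home}/network/admin/listener.ora"
+if !inspec.file(conf_path).exist?
+warn "No oracle listener settings found in $ORACLE_HOME/network/admin directory"
+nil
+else
+@conf_path = conf_path
+end
+end
+rescue => e
+fail_resource "Errors reading listener settings: #{e}"
+end
+
+def determine_conf_dir_and_path_in_windows
+oracle_home = inspec.os_env("ORACLE_HOME").content
+
+if oracle_home.nil? || oracle_home.empty?
+warn "ORACLE_HOME env value not set in the system"
+nil
+else
+conf_path = "#{oracle_home}\\network\\admin\\listener.ora"
+if !inspec.file(conf_path).exist?
+warn "No oracle listener settings found in ORACLE_HOME\\network\\admin directory"
+nil
+else
+@conf_path = conf_path
+end
+end
+rescue => e
+fail_resource "Errors reading listener settings: #{e}"
+end
+end
+end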
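Review bot: the `case` in `initialize` at new lines 14-19 has no `else`, so on any other `os[:family]` (the resource declares `supports platform: "unix"`, which is wider than the four Linux families listed) `conf_path` silently stays nil and the caller only finds out later; add `else` / `warn "Oracle listener lookup not implemented for platform family #{inspec.os[:family]}"` or a `skip_resource` naming the family. `determine_conf_dir_and_path_in_linux` and `determine_conf_dir_and_path_in_windows` are identical apart from the path separator and the `$` in the messages, so one private method taking the separator would remove the duplicated rescue/warn logic, and `if !inspec.file(conf_path).exist?` reads better as `unless`. `require "inspec/resources/powershell"` at line 1 is not used by anything in this file as shown; if it is needed for `inspec.os_env` on Windows, a comment saying so would save the next reader the search.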
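--- a/data/lib/inspec/resources/oracledb_conf.rb
+++ b/data/lib/inspec/resources/oracledb_conf.rb
@@ -0,0 +1,40 @@
+require "inspec/resources/oracledb_session"
+
+module Inspec::Resources
+class OracledbConf < Inspec.resource(1)
+name "oracledb_conf"
+supports platform: "unix"
+supports platform: "windows"
+desc "Use the oracledb_conf InSpec audit resource to test the database settings for Oracle DB"
+example <<~EXAMPLE
+describe oracledb_conf(user: 'USER', password: 'PASSWORD') do
+its("audit_sys_operations") { should cmp "true" }
+its("sql92_security") { should cmp "true" }
+end
+EXAMPLE
+
+attr_reader :oracledb_session
+
+def initialize(opts = {})
+@oracledb_session = inspec.oracledb_session(opts)
+end
+
+def method_missing(name)
+setting = name.to_s.upcase
+determine_database_setting(setting)
+end
+
+def to_s
+"Oracle DB Configuration"
+end
+
+private
+
+def determine_database_setting(setting)
+sql_query = oracledb_session.query("SELECT UPPER(VALUE) AS UPPER_VALUE FROM V$SYSTEM_PARAMETER WHERE UPPER(NAME) = '#{setting}'")
+sql_query.row(0).column("UPPER_VALUE").value
+rescue => e
+raise Inspec::Exceptions::ResourceFailed, "Errors fetching database settings for Oracle database: #{e}"
+end
+end
+end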
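Review bot: `method_missing(name)` at new lines 22-25 turns every unknown method into a SQL lookup, declares no `*args` (so a call with arguments raises ArgumentError rather than the NoMethodError a caller would expect), and has no matching `respond_to_missing?`; restrict it to identifier-like names and defer to `super` otherwise, e.g. `def method_missing(name, *args)` / `return super unless args.empty? && name.to_s.match?(/\A[a-z0-9_]+\z/i)`, and define `respond_to_missing?` with the same pattern. That check also keeps the value interpolated into the `V$SYSTEM_PARAMETER` query at line 34 to a safe character set instead of trusting whatever name reaches the resource. A short comment on `method_missing` saying that `its("audit_sys_operations")` in the example resolves through it would help readers of the example.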
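--- a/data/lib/inspec/resources/oracledb_listener_conf.rb
+++ b/data/lib/inspec/resources/oracledb_listener_conf.rb
@@ -0,0 +1,123 @@
+require "inspec/utils/object_traversal"
+require "inspec/utils/simpleconfig"
+require "inspec/utils/find_files"
+require "inspec/utils/file_reader"
+require "inspec/resources/oracle"
+
+module Inspec::Resources
+class OracledbListenerConf < Inspec.resource(1)
+name "oracledb_listener_conf"
+supports platform: "unix"
+supports platform: "windows"
+desc "Use the oracledb_listener_conf InSpec audit resource to test the listener settings for Oracle DB"
+example <<~EXAMPLE
+describe oracledb_listener_conf do
+its('DEFAULT_SERVICE_LISTENER') { should eq 'XE' }
+end
+EXAMPLE
+
+include FindFiles
+include FileReader
+include ObjectTraverser
+
+def initialize(conf_path = nil)
+oracle = nil
+if conf_path.nil?
+oracle = inspec.oracle
+@conf_path = oracle.conf_path
+else
+@conf_path = conf_path
+end
+
+if oracle && oracle.resource_failed?
+raise oracle.resource_exception_message
+elsif @conf_path.nil?
+return skip_resource "Oracle Listener conf path is not set"
+end
+
+@conf_dir = File.expand_path(File.dirname(@conf_path))
+@files_contents = {}
+@content = nil
+@params = nil
+read_content
+end
+
+def content
+@content ||= read_content
+end
+
+def params(*opts)
+@params || read_content
+res = @params
+opts.each do |opt|
+res = res[opt] unless res.nil?
+end
+res
+end
+
+def value(key)
+extract_value(key, @params)
+end
+
+def method_missing(*keys)
+keys.shift if keys.is_a?(Array) && keys[0] == :[]
+param = value(keys)
+return nil if param.nil?
+# extract first value if we have only one value in array
+return param[0] if param.length == 1
+
+param
+end
+
+def to_s
+"Oracle Listener Configuration"
+end
+
+private
+
+def read_content
+@content = ""
+@params = {}
+
+to_read = [@conf_path]
+until to_read.empty?
+base_dir = File.dirname(to_read[0])
+raw_conf = read_file(to_read[0])
+@content += raw_conf
+
+opts = {
+assignment_regex: /^\s*([^=]*?)\s*=\s*[']?\s*(.*?)\s*[']?\s*$/,
+}
+params = SimpleConfig.new(raw_conf, opts).params
+@params.merge!(params)
+
+to_read = to_read.drop(1)
+# see if there is more config files to include
+
+to_read += include_files(params, base_dir).find_all do |fp|
+not @files_contents.key? fp
+end
+end
+@content
+end
+
+def include_files(params, base_dir)
+include_files = Array(params["include"]) || []
+include_files += Array(params["include_if_exists"]) || []
+include_files.map! do |f|
+Pathname.new(f).absolute? ? f : File.join(base_dir, f)
+end
+
+dirs = Array(params["include_dir"]) || []
+dirs.each do |dir|
+dir = File.join(base_dir, dir) if dir[0] != "/"
+include_files += find_files(dir, depth: 1, type: "file")
+end
+include_files
+end
+
+def read_file(path)
+@files_contents[path] ||= read_file_content(path)
+end
+end
+end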
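Review bot: `include_files` at new line 108 calls `Pathname.new` but the file never requires `pathname`, so it only works when something loaded earlier happened to pull it in; add `require "pathname"` next to the other requires at lines 1-5. `@conf_dir` at line 38 is computed with `File.expand_path` on the machine running InSpec rather than on the target, and nothing in this file reads it afterwards, so it is either dead or misleading and should be dropped or derived from the target-side path without `expand_path`. The `include` / `include_if_exists` / `include_dir` handling at lines 104-117 mirrors the postgres conf resource; listener.ora is not known to use those directives (Oracle's include mechanism is `IFILE`, as far as I know), so if this is intended a comment on `include_files` listing the directives that are honoured would help, and if not, the whole block can go. `Array(x) || []` at lines 105, 106 and 111 is redundant since `Array()` never returns nil.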
@@ -42,6 +42,7 @@ module Inspec::Resources
|
|
42
42
|
end
|
43
43
|
|
44
44
|
def query(sql)
|
45
|
+
raise Inspec::Exceptions::ResourceSkipped, "#{resource_exception_message}" if resource_skipped?
|
45
46
|
raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
|
46
47
|
|
47
48
|
if @sqlcl_bin && inspec.command(@sqlcl_bin).exist?
|
@@ -78,7 +79,14 @@ module Inspec::Resources
|
|
78
79
|
# using a db_role
|
79
80
|
# su, using a db_role
|
80
81
|
def command_builder(format_options, query)
|
81
|
-
|
82
|
+
if @db_role.nil? || @su_user.nil?
|
83
|
+
verified_query = verify_query(query)
|
84
|
+
else
|
85
|
+
escaped_query = query.gsub(/\\\\/, "\\").gsub(/"/, '\\"')
|
86
|
+
escaped_query = escaped_query.gsub("$", '\\$') unless escaped_query.include? "\\$"
|
87
|
+
verified_query = verify_query(escaped_query)
|
88
|
+
end
|
89
|
+
|
82
90
|
sql_prefix, sql_postfix = "", ""
|
83
91
|
if inspec.os.windows?
|
84
92
|
sql_prefix = %{@'\n#{format_options}\n#{verified_query}\nEXIT\n'@ | }
|
@@ -87,11 +95,14 @@ module Inspec::Resources
|
|
87
95
|
end
|
88
96
|
|
89
97
|
if @db_role.nil?
|
90
|
-
|
98
|
+
%{#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}}
|
91
99
|
elsif @su_user.nil?
|
92
|
-
|
100
|
+
%{#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}}
|
93
101
|
else
|
94
|
-
|
102
|
+
# oracle_query_string is echoed to be able to extract the query output clearly
|
103
|
+
# su - su_user in certain versions of oracle returns a message
|
104
|
+
# Example of msg with query output: The Oracle base remains unchanged with value /oracle\n\nVALUE\n3\n
|
105
|
+
%{su - #{@su_user} -c "echo 'oracle_query_string'; env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"}
|
95
106
|
end
|
96
107
|
end
|
97
108
|
|
@@ -101,9 +112,17 @@ module Inspec::Resources
|
|
101
112
|
end
|
102
113
|
|
103
114
|
def parse_csv_result(stdout)
|
104
|
-
output = stdout.
|
115
|
+
output = stdout.split("oracle_query_string")[-1]
|
116
|
+
# comma_query_sub replaces the csv delimiter "," in the output.
|
117
|
+
# Handles CSV parsing of data like this (DROP,3) etc
|
118
|
+
output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
|
105
119
|
converter = ->(header) { header.downcase }
|
106
|
-
CSV.parse(output, headers: true, header_converters: converter).map
|
120
|
+
CSV.parse(output, headers: true, header_converters: converter).map do |row|
|
121
|
+
next if row.entries.flatten.empty?
|
122
|
+
|
123
|
+
revised_row = row.entries.flatten.map { |entry| entry&.gsub("comma_query_sub", ",") }
|
124
|
+
Hashie::Mash.new([revised_row].to_h)
|
125
|
+
end
|
107
126
|
end
|
108
127
|
end
|
109
128
|
end
|
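Review bot: in `command_builder` at new lines 85-86 the `su`-branch query is escaped for `"` and `$` only, and the skip rule `unless escaped_query.include? "\\$"` drops all `$` escaping as soon as one already-escaped dollar is present, while backticks are not handled at all; since the result is embedded in a double-quoted `su -c "…"` string, assembling the `-c` argument and passing it through `Shellwords.escape` (without the hand-written surrounding quotes) would be more robust than the regex pair, and the same applies to `@su_user`, `@service` and `@db_role`, which are interpolated raw at line 105. In `parse_csv_result` at line 115, `stdout.split("oracle_query_string")[-1]` is nil for empty output, so the `.sub` at line 118 raises NoMethodError; `output = stdout.split("oracle_query_string")[-1].to_s` keeps the old empty-result behaviour. The `sql_postfix` branches of `command_builder` and the callers of both methods are outside the hunks.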
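--- a/data/lib/inspec/resources/packages.rb
+++ b/data/lib/inspec/resources/packages.rb
@@ -26,6 +26,8 @@ module Inspec::Resources
 @pkgs = Debs.new(inspec)
 elsif os.redhat? || %w{suse amazon fedora}.include?(os[:family])
 @pkgs = Rpms.new(inspec)
+elsif ["alpine"].include?(os[:name])
+@pkgs = AlpinePkgs.new(inspec)
 else
 return skip_resource "The packages resource is not yet supported on OS #{inspec.os.name}"
 end
@@ -108,4 +110,23 @@ module Inspec::Resources
 end
 end
 end
+
+# RedHat family
+class AlpinePkgs < PkgsManagement
+def build_package_list
+command = "apk list --no-network --installed"
+cmd = inspec.command(command)
+all = cmd.stdout.split("\n")
+return [] if all.nil? || cmd.exit_status.to_i != 0
+
+all.map do |m|
+next if m =~ /^WARNING/i
+
+a = m.split(" ")
+version = a[0].split("-")[-2]
+name = a[2].gsub(/[{}^]*/, "")
+PackageStruct.new("installed", name, version, a[1])
+end
+end
+end
 end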
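Review bot: the comment `# RedHat family` above `class AlpinePkgs` at new line 114 is a copy-paste leftover and should read `# Alpine`. In `build_package_list` the `next if m =~ /^WARNING/i` inside `map` leaves nil entries in the returned list, so the result needs `.compact` (or `filter_map` if the supported Rubies allow it), and a line with fewer than three fields makes `a[2].gsub` raise NoMethodError. The extraction at lines 126-127 looks as if it takes the `{origin}` field as the package name and drops the `-rN` revision from the version — I am inferring the `apk list` layout, so please confirm against real output and document the expected line format in a comment above the `split`. `all.nil?` at line 120 is always false because `split` never returns nil.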
@@ -40,11 +40,12 @@ module Inspec::Resources
|
|
40
40
|
end
|
41
41
|
EXAMPLE
|
42
42
|
|
43
|
-
def initialize(user, pass, host = nil, port = nil)
|
43
|
+
def initialize(user, pass, host = nil, port = nil, socket_path = nil)
|
44
44
|
@user = user || "postgres"
|
45
45
|
@pass = pass
|
46
46
|
@host = host || "localhost"
|
47
47
|
@port = port || 5432
|
48
|
+
@socket_path = socket_path
|
48
49
|
raise Inspec::Exceptions::ResourceFailed, "Can't run PostgreSQL SQL checks without authentication." if @user.nil? || @pass.nil?
|
49
50
|
end
|
50
51
|
|
@@ -69,10 +70,20 @@ module Inspec::Resources
|
|
69
70
|
|
70
71
|
def create_psql_cmd(query, db = [])
|
71
72
|
dbs = db.map { |x| "#{x}" }.join(" ")
|
72
|
-
|
73
|
-
|
73
|
+
|
74
|
+
if @socket_path && !inspec.os.windows?
|
75
|
+
# Socket path and empty host in the connection string establishes socket connection
|
76
|
+
# Socket connection only enabled for non-windows platforms
|
77
|
+
# Windows does not support unix domain sockets
|
78
|
+
"psql -d postgresql://#{@user}:#{@pass}@/#{dbs}?host=#{@socket_path} -A -t -w -c #{escaped_query(query)}"
|
74
79
|
else
|
75
|
-
|
80
|
+
# Host in connection string establishes tcp/ip connection
|
81
|
+
if inspec.os.windows?
|
82
|
+
warn "Socket based connection not supported in windows, connecting using host" if @socket_path
|
83
|
+
"psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
|
84
|
+
else
|
85
|
+
"psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
|
86
|
+
end
|
76
87
|
end
|
77
88
|
end
|
78
89
|
end
|
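Review bot: `@socket_path` at new line 78 is interpolated into the connection URI unquoted, and the whole URI then goes through the shell, so a path containing spaces or shell metacharacters breaks or alters the command; shell-escape it (ideally the complete `postgresql://…` argument) the same way the query already goes through `escaped_query`. The nested `if inspec.os.windows?` inside the `else` at lines 81-86 can be flattened to `if inspec.os.windows?` / `elsif @socket_path` / `else`, which also makes the order of the two checks obvious at a glance. `socket_path` at line 43 is now the fifth optional positional parameter of `initialize`; a keyword argument would be clearer, but that is an interface change for callers outside the hunk. `escaped_query` and the callers of `create_psql_cmd` are outside the hunks.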
@@ -141,7 +141,7 @@ module Inspec::Resources
|
|
141
141
|
elsif version > 0
|
142
142
|
SysV.new(inspec, service_ctl || "/usr/sbin/service")
|
143
143
|
end
|
144
|
-
when "redhat", "fedora", "centos", "oracle", "cloudlinux", "scientific"
|
144
|
+
when "redhat", "fedora", "centos", "oracle", "cloudlinux", "scientific", "rocky", "almalinux"
|
145
145
|
version = os[:release].to_i
|
146
146
|
|
147
147
|
systemd = ((platform != "fedora" && version >= 7) ||
|
@@ -163,7 +163,12 @@ module Inspec::Resources
|
|
163
163
|
when "mac_os_x", "darwin"
|
164
164
|
LaunchCtl.new(inspec, service_ctl)
|
165
165
|
when "freebsd"
|
166
|
-
|
166
|
+
version = os[:release].to_f
|
167
|
+
if version < 10
|
168
|
+
BSDInit.new(inspec, service_ctl)
|
169
|
+
else
|
170
|
+
FreeBSD10Init.new(inspec, service_ctl)
|
171
|
+
end
|
167
172
|
when "arch"
|
168
173
|
Systemd.new(inspec, service_ctl)
|
169
174
|
when "coreos"
|
@@ -186,6 +191,8 @@ module Inspec::Resources
|
|
186
191
|
Svcs.new(inspec)
|
187
192
|
when "yocto"
|
188
193
|
Systemd.new(inspec, service_ctl)
|
194
|
+
when "alpine"
|
195
|
+
SysV.new(inspec, service_ctl)
|
189
196
|
end
|
190
197
|
end
|
191
198
|
|
@@ -478,6 +485,7 @@ module Inspec::Resources
|
|
478
485
|
|
479
486
|
# @see: https://www.freebsd.org/doc/en/articles/linux-users/startup.html
|
480
487
|
# @see: https://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5
|
488
|
+
# @see: https://www.freebsd.org/cgi/man.cgi?query=rc&apropos=0&sektion=8&manpath=FreeBSD+9.3-RELEASE&arch=default&format=html
|
481
489
|
class BSDInit < ServiceManager
|
482
490
|
def initialize(service_name, service_ctl = nil)
|
483
491
|
@service_ctl = service_ctl || "service"
|
@@ -485,17 +493,20 @@ module Inspec::Resources
|
|
485
493
|
end
|
486
494
|
|
487
495
|
def info(service_name)
|
488
|
-
#
|
489
|
-
#
|
490
|
-
#
|
491
|
-
#
|
492
|
-
#
|
493
|
-
#
|
496
|
+
# `service -e` lists all enabled services. Output format:
|
497
|
+
# % service -e
|
498
|
+
# /etc/rc.d/hostid
|
499
|
+
# /etc/rc.d/hostid_save
|
500
|
+
# /etc/rc.d/cleanvar
|
501
|
+
# /etc/rc.d/ip6addrctl
|
502
|
+
# /etc/rc.d/devd
|
503
|
+
|
494
504
|
cmd = inspec.command("#{service_ctl} -e")
|
495
505
|
return nil if cmd.exit_status != 0
|
496
506
|
|
497
507
|
# search for the service
|
498
|
-
|
508
|
+
|
509
|
+
srv = %r{^.*/(#{service_name}$)}.match(cmd.stdout)
|
499
510
|
return nil if srv.nil? || srv[0].nil?
|
500
511
|
|
501
512
|
enabled = true
|
@@ -516,6 +527,37 @@ module Inspec::Resources
|
|
516
527
|
end
|
517
528
|
end
|
518
529
|
|
530
|
+
# @see: https://www.freebsd.org/doc/en/articles/linux-users/startup.html
|
531
|
+
# @see: https://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5
|
532
|
+
# @see: https://www.freebsd.org/cgi/man.cgi?query=rc&apropos=0&sektion=8&manpath=FreeBSD+10.0-RELEASE&arch=default&format=html
|
533
|
+
class FreeBSD10Init < ServiceManager
|
534
|
+
def initialize(service_name, service_ctl = nil)
|
535
|
+
@service_ctl = service_ctl || "service"
|
536
|
+
super
|
537
|
+
end
|
538
|
+
|
539
|
+
def info(service_name)
|
540
|
+
# check if service is enabled
|
541
|
+
cmd = inspec.command("#{service_ctl} #{service_name} enabled")
|
542
|
+
|
543
|
+
enabled = cmd.exit_status == 0
|
544
|
+
|
545
|
+
# check if the service is running
|
546
|
+
# if the service is not available or not running, we always get an error code
|
547
|
+
cmd = inspec.command("#{service_ctl} #{service_name} onestatus")
|
548
|
+
running = cmd.exit_status == 0
|
549
|
+
|
550
|
+
{
|
551
|
+
name: service_name,
|
552
|
+
description: nil,
|
553
|
+
installed: true,
|
554
|
+
running: running,
|
555
|
+
enabled: enabled,
|
556
|
+
type: "bsd-init",
|
557
|
+
}
|
558
|
+
end
|
559
|
+
end
|
560
|
+
|
519
561
|
class Runit < ServiceManager
|
520
562
|
def initialize(service_name, service_ctl = nil)
|
521
563
|
@service_ctl = service_ctl || "sv"
|
@@ -782,7 +824,14 @@ module Inspec::Resources
|
|
782
824
|
EXAMPLE
|
783
825
|
|
784
826
|
def select_service_mgmt
|
785
|
-
|
827
|
+
os = inspec.os
|
828
|
+
version = os[:release].to_f
|
829
|
+
|
830
|
+
if version >= 10
|
831
|
+
FreeBSD10Init.new(inspec, service_ctl)
|
832
|
+
else
|
833
|
+
BSDInit.new(inspec, service_ctl)
|
834
|
+
end
|
786
835
|
end
|
787
836
|
end
|
788
837
|
|
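Review bot: the FreeBSD version dispatch now exists twice — in the `when "freebsd"` branch at new lines 166-171 and in `select_service_mgmt` at lines 827-834 — with the same `os[:release].to_f` / `10` threshold, so one helper (or at least a named constant for the boundary) would keep them from drifting. `FreeBSD10Init#info` at line 553 hard-codes `installed: true`, yet the comment at line 546 says a missing service and a stopped one both yield a non-zero `onestatus`, so an absent service is reported as installed-but-not-running; if that cannot be distinguished, say so in the hash (`installed: true, # cannot be told apart from a stopped service via onestatus`). `service_name` is interpolated unquoted into both shell commands at lines 541 and 547; other managers in this file may do the same, but `Shellwords.escape(service_name)` is cheap. The enclosing `case` of the first hunk and the class around `select_service_mgmt` start outside the hunks.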
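--- a/data/lib/inspec/resources/ssl.rb
+++ b/data/lib/inspec/resources/ssl.rb
@@ -38,6 +38,7 @@ module Inspec::Resources
 "tls1.0",
 "tls1.1",
 "tls1.2",
+"tls1.3",
 ].freeze
 
 attr_reader :host, :port, :timeout, :retries
@@ -72,6 +73,11 @@ module Inspec::Resources
 protocol: proto, ciphers: e.map(&:cipher),
 timeout: x.resource.timeout, retries: x.resource.retries, servername: x.resource.host)]
 end
+
+if !res[0].empty? && res[0][1].key?("error") && res[0][1]["error"].include?("Connection error Errno::ECONNREFUSED")
+raise "#{res[0][1]["error"]}"
+end
+
 Hash[res]
 end
 .install_filter_methods_on_resource(self, :scan_config)
@@ -89,6 +95,7 @@ module Inspec::Resources
 { "protocol" => "tls1.0", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
 { "protocol" => "tls1.1", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
 { "protocol" => "tls1.2", "ciphers" => SSLShake::TLS::TLS_CIPHERS.keys },
+{ "protocol" => "tls1.3", "ciphers" => SSLShake::TLS::TLS13_CIPHERS.keys },
 ].map do |line|
 line["ciphers"].map do |cipher|
 { "protocol" => line["protocol"], "cipher" => cipher }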
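Review bot: the new check at new line 77 reads `res[0][1]` without confirming `res` has an entry, so an empty `res` raises NoMethodError on `nil.empty?` before `Hash[res]` is reached, while `!res[0].empty?` is always true for a `[key, value]` pair and guards nothing; test `res.empty?` instead, or take `first = res.first&.last` and check `first&.key?("error")`. Matching the error by the substring `"Connection error Errno::ECONNREFUSED"` couples this to the exact message produced elsewhere, and `raise "#{...}"` raises a bare RuntimeError; `raise Inspec::Exceptions::ResourceFailed, res[0][1]["error"]` would match the other resources in this release. Only the refused-connection case is promoted to an exception and every other connection error still lands inside the returned hash, which deserves a one-line comment above the `if`.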
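--- a/data/lib/inspec/resources/sybase_conf.rb
+++ b/data/lib/inspec/resources/sybase_conf.rb
@@ -0,0 +1,37 @@
+require "inspec/resources/sybase_session"
+
+module Inspec::Resources
+class SybaseConf < Inspec.resource(1)
+name "sybase_conf"
+supports platform: "unix"
+# supports platform: "windows" # TODO
+desc "Use the sybase_conf InSpec resource to test Sybase config settings"
+example <<~EXAMPLE
+describe sybase_conf("max memory", password: 'password', server: 'SYBASE') do
+its("run_value") { should cmp 180224 }
+end
+EXAMPLE
+
+attr_reader :conf_param, :sql_query
+def initialize(conf_param_name, opts = {})
+@conf_param = conf_param_name
+opts[:username] ||= "sa"
+opts[:database] ||= "master"
+sql_session = inspec.sybase_session(opts)
+@sql_query = sql_session.query("sp_configure \"#{conf_param}\"")
+end
+
+def run_value
+sql_query.row(0).column("Run Value").value
+end
+
+def config_value
+sql_query.row(0).column("Config Value").value
+end
+
+def to_s
+"Sybase Conf #{conf_param}"
+end
+
+end
+end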
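Review bot: `conf_param` at new line 21 is interpolated into `sp_configure "…"` unchanged, so a name containing a double quote breaks or alters the statement handed to the session; validate it first, e.g. `raise ArgumentError, "invalid config parameter name: #{conf_param_name}" unless conf_param_name.to_s.match?(/\A[a-z0-9 _]+\z/i)`. `opts[:username] ||= "sa"` and `opts[:database] ||= "master"` at lines 18-19 mutate the caller's hash; `opts = { username: "sa", database: "master" }.merge(opts)` keeps the defaults without the side effect. The query runs inside `initialize`, so a connection failure surfaces at construction rather than when `run_value` or `config_value` is read — reasonable, but worth a short comment above line 21 since the sibling `mssql_sys_conf` resource wraps the same step in a rescue that re-raises `ResourceFailed`.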