inspec-core 4.50.3 → 4.56.19

data/lib/inspec/resources/iptables.rb

@@ -33,6 +33,7 @@ module Inspec::Resources
     def initialize(params = {})
       @table = params[:table]
       @chain = params[:chain]
+      @ignore_comments = params[:ignore_comments] || false
 
       # we're done if we are on linux
       return if inspec.os.linux?
@@ -59,8 +60,13 @@ module Inspec::Resources
       cmd = inspec.command(iptables_cmd)
       return [] if cmd.exit_status.to_i != 0
 
-      # split rules, returns array or rules
-      @iptables_cache = cmd.stdout.split("\n").map(&:strip)
+      if @ignore_comments
+        # split rules, returns array or rules without any comment
+        @iptables_cache = remove_comments_from_rules(cmd.stdout.split("\n"))
+      else
+        # split rules, returns array or rules
+        @iptables_cache = cmd.stdout.split("\n").map(&:strip)
+      end
     end
 
     def to_s
@@ -69,6 +75,16 @@ module Inspec::Resources
 
     private
 
+    def remove_comments_from_rules(rules)
+      rules.each do |rule|
+        next if rule.nil?
+
+        rule.gsub!(/ -m comment --comment "([^"]*)"/, "")
+        rule.strip
+      end
+      rules
+    end
+
     def find_iptables_or_error
       %w{/usr/sbin/iptables /sbin/iptables iptables}.each do |cmd|
         return cmd if inspec.command(cmd).exist?

data/lib/inspec/resources/kernel_parameters.rb

@@ -0,0 +1,58 @@
+module Inspec::Resources
+  class KernelParameters < Inspec.resource(1)
+    name "kernel_parameters"
+    supports platform: "unix"
+    desc "Use the kernel_parameters InSpec audit resource to test kernel parameters on Linux platforms."
+    example <<~EXAMPLE
+      describe kernel_parameters.where(parameter: /^net./ ) do
+        its('parameters') { should include 'net.ipv4.conf.all.forwarding' }
+      end
+
+      describe kernel_parameters.where(parameter: "net.ipv4.conf.all.forwarding") do
+        its('values') { should eq [0] }
+      end
+
+      describe kernel_parameters do
+        its('parameters') { should include 'net.ipv4.conf.all.forwarding' }
+        its('values') { should include 0 }
+      end
+    EXAMPLE
+
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    filter.register_column(:parameters, field: "parameter")
+      .register_column(:values, field: "value")
+    filter.install_filter_methods_on_resource(self, :params)
+
+    def initialize
+      # this resource is only supported on Linux
+      return skip_resource "The `kernel_parameters` resource is not supported on your OS." unless inspec.os.linux?
+    end
+
+    def to_s
+      "Kernel Parameters"
+    end
+
+    private
+
+    def params
+      cmd = inspec.command("/sbin/sysctl -a")
+      cmd.exit_status != 0 ? [] : parse_kernel_paramater(cmd.stdout)
+    end
+
+    def parse_kernel_paramater(stdout)
+      result = []
+      stdout.split("\n").each do |out|
+        splitted_output = out.split("=").map(&:strip)
+        result.push(
+          {
+            "parameter" => splitted_output[0],
+            "value" => splitted_output[1].to_i,
+          }
+        )
+      end
+      result
+    end
+
+  end
+end

data/lib/inspec/resources/mssql_session.rb

@@ -76,7 +76,7 @@ module Inspec::Resources
       if cmd.exit_status != 0 || out =~ /Sqlcmd: Error/
         raise Inspec::Exceptions::ResourceFailed, "Could not execute the sql query #{out}"
       else
-        DatabaseHelper::SQLQueryResult.new(cmd, parse_csv_result(cmd))
+        DatabaseHelper::SQLQueryResult.new(cmd, parse_csv_result(cmd.stdout))
       end
     end
 
@@ -94,9 +94,17 @@ module Inspec::Resources
       !query("select getdate()").empty?
     end
 
-    def parse_csv_result(cmd)
+    def parse_csv_result(stdout)
       require "csv" unless defined?(CSV)
-      table = CSV.parse(cmd.stdout, headers: true)
+
+      # replaces \n with \r since multiline data in older versions of database returns faulty
+      # formatted multiline data, example name\r\n----\r\nThis is\na multiline field\r\n
+      out = stdout.gsub("\n", "\r")
+      out = out.gsub("\r\r", "\r")
+
+      # row separator used since row delimiters \n (in linux) or \r\n (in windows)
+      # are converted to \r for consistency and handling faulty formatted multiline data
+      table = CSV.parse(out, headers: true, row_sep: "\r")
 
       # remove first row, since it will be a seperator line
       table.delete(0)

data/lib/inspec/resources/oracledb_session.rb

@@ -61,9 +61,13 @@ module Inspec::Resources
         raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}"
       else
         begin
-          DatabaseHelper::SQLQueryResult.new(inspec_cmd, parse_csv_result(inspec_cmd.stdout))
-        rescue
-          raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}"
+          unless inspec_cmd.stdout.empty?
+            DatabaseHelper::SQLQueryResult.new(inspec_cmd, parse_csv_result(inspec_cmd.stdout))
+          else
+            inspec_cmd.stdout
+          end
+        rescue Exception => ex
+          raise Inspec::Exceptions::ResourceFailed, "Oracle query with exception: #{ex}"
         end
       end
     end
@@ -118,7 +122,9 @@ module Inspec::Resources
       output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
       converter = ->(header) { header.downcase }
       CSV.parse(output, headers: true, header_converters: converter).map do |row|
-        revised_row = row.entries.flatten.map { |entry| entry.gsub("comma_query_sub", ",") }
+        next if row.entries.flatten.empty?
+
+        revised_row = row.entries.flatten.map { |entry| entry&.gsub("comma_query_sub", ",") }
         Hashie::Mash.new([revised_row].to_h)
       end
     end

data/lib/inspec/resources/package.rb

@@ -26,6 +26,7 @@ module Inspec::Resources
       @cache = nil
       # select package manager
       @pkgman = nil
+      @latest_version = nil
 
       os = inspec.os
       if os.debian?
@@ -60,6 +61,15 @@ module Inspec::Resources
       info[:installed] == true
     end
 
+    def latest?(_provider = nil, _version = nil)
+      os = inspec.os
+      if os.solaris? || (%w{hpux aix}.include? os[:family])
+        raise Inspec::Exceptions::ResourceSkipped, "The `be_latest` matcher is not supported on your OS yet."
+      end
+
+      (!info[:only_version_no].nil? && !latest_version.nil?) && (info[:only_version_no] == latest_version)
+    end
+
     # returns true it the package is held (if the OS supports it)
     def held?(_provider = nil, _version = nil)
       info[:held] == true
@@ -82,6 +92,10 @@ module Inspec::Resources
       info[:version]
     end
 
+    def latest_version
+      @latest_version ||= ( @pkgman.latest_version(@package_name) || info[:latest_version] )
+    end
+
     def to_s
       "System Package #{@package_name}"
     end
@@ -107,6 +121,21 @@ module Inspec::Resources
       # combined into a `ResourceSkipped` exception message.
       []
     end
+
+    private
+
+    def fetch_latest_version(cmd_string)
+      cmd = inspec.command(cmd_string)
+      if cmd.exit_status != 0
+        raise Inspec::Exceptions::ResourceFailed, "Failed to fetch latest version. Error: #{cmd.stderr}"
+      else
+        fetch_version_no(cmd.stdout)
+      end
+    end
+
+    def fetch_version_no(output)
+      output.scan(/(?:(?:\d+)[.]){2,}(?:\d+)/).max_by { |s| Gem::Version.new(s) } unless output.nil?
+    end
   end
 
   # Debian / Ubuntu
@@ -124,14 +153,21 @@ module Inspec::Resources
       # If the package is installed and marked hold, Status is "hold ok installed"
       # If the package is removed and not purged, Status is "deinstall ok config-files" with exit_status 0
       # If the package is purged cmd fails with non-zero exit status
+
       {
         name: params["Package"],
         installed: params["Status"].split(" ")[2] == "installed",
         held: params["Status"].split(" ")[0] == "hold",
         version: params["Version"],
         type: "deb",
+        only_version_no: fetch_version_no(params["Version"]),
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "apt list #{package_name} -a"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   # RHEL family
@@ -181,9 +217,15 @@ module Inspec::Resources
         installed: true,
         version: "#{v}-#{r}",
         type: "rpm",
+        only_version_no: "#{v}",
       }
     end
 
+    def latest_version(package_name)
+      cmd_string = "yum list #{package_name}"
+      fetch_latest_version(cmd_string)
+    end
+
     private
 
     def rpm_command(package_name)
@@ -216,11 +258,17 @@ module Inspec::Resources
         installed: true,
         version: pkg["installed"][0]["version"],
         type: "brew",
+        latest_version: pkg["versions"]["stable"],
+        only_version_no: pkg["installed"][0]["version"],
       }
     rescue JSON::ParserError => e
       raise Inspec::Exceptions::ResourceFailed,
             "Failed to parse JSON from `brew` command. Error: #{e}"
     end
+
+    def latest_version(package_name)
+      nil
+    end
   end
 
   # Arch Linux
@@ -240,8 +288,14 @@ module Inspec::Resources
         installed: true,
         version: params["Version"],
         type: "pacman",
+        only_version_no: fetch_version_no(params["Version"]),
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "pacman -Ss #{package_name} | grep #{package_name} | grep installed"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   class HpuxPkg < PkgManagement
@@ -267,13 +321,20 @@ module Inspec::Resources
       pkg_info = cmd.stdout.split("\n").delete_if { |e| e =~ /^WARNING/i }
       pkg = pkg_info[0].split(" - ")[0]
 
+      version = pkg.partition("-")[2]
       {
         name: pkg.partition("-")[0],
         installed: true,
-        version: pkg.partition("-")[2],
+        version: version,
         type: "pkg",
+        only_version_no: fetch_version_no(version),
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "apk info #{package_name}"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   class FreebsdPkg < PkgManagement
@@ -292,8 +353,14 @@ module Inspec::Resources
         installed: true,
         version: params["Version"],
         type: "pkg",
+        only_version_no: params["Version"],
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "pkg version -v | grep #{package_name}"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   # Determines the installed packages on Windows using the Windows package registry entries.
@@ -339,8 +406,14 @@ module Inspec::Resources
         installed: true,
         version: package["DisplayVersion"],
         type: "windows",
+        only_version_no: package["DisplayVersion"],
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "Get-Package #{package_name} -AllVersions"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   # AIX

data/lib/inspec/resources/packages.rb

@@ -26,6 +26,8 @@ module Inspec::Resources
         @pkgs = Debs.new(inspec)
       elsif os.redhat? || %w{suse amazon fedora}.include?(os[:family])
         @pkgs = Rpms.new(inspec)
+      elsif ["alpine"].include?(os[:name])
+        @pkgs = AlpinePkgs.new(inspec)
       else
         return skip_resource "The packages resource is not yet supported on OS #{inspec.os.name}"
       end
@@ -108,4 +110,23 @@ module Inspec::Resources
       end
     end
   end
+
+  # RedHat family
+  class AlpinePkgs < PkgsManagement
+    def build_package_list
+      command = "apk list --no-network --installed"
+      cmd = inspec.command(command)
+      all = cmd.stdout.split("\n")
+      return [] if all.nil? || cmd.exit_status.to_i != 0
+
+      all.map do |m|
+        next if m =~ /^WARNING/i
+
+        a = m.split(" ")
+        version = a[0].split("-")[-2]
+        name = a[2].gsub(/[{}^]*/, "")
+        PackageStruct.new("installed", name, version, a[1])
+      end
+    end
+  end
 end

data/lib/inspec/resources/postgres_session.rb

@@ -55,8 +55,10 @@ module Inspec::Resources
       psql_cmd = create_psql_cmd(query, db)
       cmd = inspec.command(psql_cmd, redact_regex: %r{(:\/\/[a-z]*:).*(@)})
       out = cmd.stdout + "\n" + cmd.stderr
-      if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/
-        raise Inspec::Exceptions::ResourceFailed, "PostgreSQL query with errors: #{out}"
+      if cmd.exit_status != 0 && ( out =~ /could not connect to/ || out =~ /password authentication failed/ ) && out.downcase =~ /error:/
+        raise Inspec::Exceptions::ResourceFailed, "PostgreSQL connection error: #{out}"
+      elsif cmd.exit_status != 0 && out.downcase =~ /error:/
+        Lines.new(out, "PostgreSQL query with error: #{query}")
       else
         Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")
       end

data/lib/inspec/resources/registry_key.rb

@@ -105,6 +105,21 @@ module Inspec::Resources
       children_keys(@options[:path], filter)
     end
 
+    # returns hash containing users / groups and their permission
+    def user_permissions
+      return {} unless exists?
+
+      get_permissions(@options[:path])
+    end
+
+    # returns true if inheritance is enabled for registry key.
+    def inherited?
+      return false unless exists?
+
+      cmd = inspec.command("(Get-Acl -Path 'Registry::#{@options[:path]}').access| Where-Object {$_.IsInherited -eq $true} | measure | % { $_.Count }")
+      cmd.stdout.chomp == "0" ? false : true
+    end
+
     # returns nil, if not existent or value
     def method_missing(*keys)
       # allow the use of array syntax in an `its` block so that users
@@ -283,6 +298,21 @@ module Inspec::Resources
 
       key.start_with?("\\") ? key : "\\#{key}"
     end
+
+    def get_permissions(path)
+      script = <<~EOH
+      $path = '#{path}'
+      $Acl = Get-Acl -Path ('Registry::' + $path)
+      $Result = foreach ($Access in $acl.Access) {
+        [PSCustomObject]@{
+          $Access.IdentityReference = $Access.RegistryRights.ToString()
+        }
+      }
+      $Result | ConvertTo-Json
+      EOH
+      result = inspec.powershell(script)
+      JSON.load(result.stdout).inject(&:merge) unless result.stdout.empty?
+    end
   end
 
   class WindowsRegistryKey < RegistryKey

data/lib/inspec/resources/selinux.rb

@@ -84,8 +84,13 @@ module Inspec::Resources
 
     def initialize(selinux_path = "/etc/selinux/config")
       @path = selinux_path
-      cmd = inspec.command("sestatus")
+      if inspec.os.redhat? && inspec.os.name == "amazon"
+        lcmd = "/usr/sbin/sestatus"
+      else
+        lcmd = "sestatus"
+      end
 
+      cmd = inspec.command(lcmd)
       if cmd.exit_status != 0
         # `sestatus` command not found error message comes in stdout so handling both here
         out = cmd.stdout + "\n" + cmd.stderr

data/lib/inspec/resources/service.rb

@@ -163,7 +163,12 @@ module Inspec::Resources
       when "mac_os_x", "darwin"
         LaunchCtl.new(inspec, service_ctl)
       when "freebsd"
-        BSDInit.new(inspec, service_ctl)
+        version = os[:release].to_f
+        if version < 10
+          BSDInit.new(inspec, service_ctl)
+        else
+          FreeBSD10Init.new(inspec, service_ctl)
+        end
       when "arch"
         Systemd.new(inspec, service_ctl)
       when "coreos"
@@ -186,6 +191,8 @@ module Inspec::Resources
         Svcs.new(inspec)
       when "yocto"
         Systemd.new(inspec, service_ctl)
+      when "alpine"
+        SysV.new(inspec, service_ctl)
       end
     end
 
@@ -478,6 +485,7 @@ module Inspec::Resources
 
   # @see: https://www.freebsd.org/doc/en/articles/linux-users/startup.html
   # @see: https://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5
+  # @see: https://www.freebsd.org/cgi/man.cgi?query=rc&apropos=0&sektion=8&manpath=FreeBSD+9.3-RELEASE&arch=default&format=html
   class BSDInit < ServiceManager
     def initialize(service_name, service_ctl = nil)
       @service_ctl = service_ctl || "service"
@@ -485,17 +493,20 @@ module Inspec::Resources
     end
 
     def info(service_name)
-      # check if service is enabled
-      # services are enabled in /etc/rc.conf and /etc/defaults/rc.conf
-      # via #{service_name}_enable="YES"
-      # service SERVICE status returns the following result if not activated:
-      #   Cannot 'status' sshd. Set sshd_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'.
-      # gather all enabled services
+      # `service -e` lists all enabled services. Output format:
+      # % service -e
+      # /etc/rc.d/hostid
+      # /etc/rc.d/hostid_save
+      # /etc/rc.d/cleanvar
+      # /etc/rc.d/ip6addrctl
+      # /etc/rc.d/devd
+
       cmd = inspec.command("#{service_ctl} -e")
       return nil if cmd.exit_status != 0
 
       # search for the service
-      srv = /(^.*#{service_name}$)/.match(cmd.stdout)
+
+      srv = %r{^.*/(#{service_name}$)}.match(cmd.stdout)
       return nil if srv.nil? || srv[0].nil?
 
       enabled = true
@@ -516,6 +527,37 @@ module Inspec::Resources
     end
   end
 
+  # @see: https://www.freebsd.org/doc/en/articles/linux-users/startup.html
+  # @see: https://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5
+  # @see: https://www.freebsd.org/cgi/man.cgi?query=rc&apropos=0&sektion=8&manpath=FreeBSD+10.0-RELEASE&arch=default&format=html
+  class FreeBSD10Init < ServiceManager
+    def initialize(service_name, service_ctl = nil)
+      @service_ctl = service_ctl || "service"
+      super
+    end
+
+    def info(service_name)
+      # check if service is enabled
+      cmd = inspec.command("#{service_ctl} #{service_name} enabled")
+
+      enabled = cmd.exit_status == 0
+
+      # check if the service is running
+      # if the service is not available or not running, we always get an error code
+      cmd = inspec.command("#{service_ctl} #{service_name} onestatus")
+      running = cmd.exit_status == 0
+
+      {
+        name: service_name,
+        description: nil,
+        installed: true,
+        running: running,
+        enabled: enabled,
+        type: "bsd-init",
+      }
+    end
+  end
+
   class Runit < ServiceManager
     def initialize(service_name, service_ctl = nil)
       @service_ctl = service_ctl || "sv"
@@ -782,7 +824,14 @@ module Inspec::Resources
     EXAMPLE
 
     def select_service_mgmt
-      BSDInit.new(inspec, service_ctl)
+      os = inspec.os
+      version = os[:release].to_f
+
+      if version >= 10
+        FreeBSD10Init.new(inspec, service_ctl)
+      else
+        BSDInit.new(inspec, service_ctl)
+      end
     end
   end
 

data/lib/inspec/resources/ssl.rb

@@ -38,6 +38,7 @@ module Inspec::Resources
       "tls1.0",
       "tls1.1",
       "tls1.2",
+      "tls1.3",
     ].freeze
 
     attr_reader :host, :port, :timeout, :retries
@@ -72,6 +73,11 @@ module Inspec::Resources
             protocol: proto, ciphers: e.map(&:cipher),
             timeout: x.resource.timeout, retries: x.resource.retries, servername: x.resource.host)]
         end
+
+        if !res[0].empty? && res[0][1].key?("error") && res[0][1]["error"].include?("Connection error Errno::ECONNREFUSED")
+          raise "#{res[0][1]["error"]}"
+        end
+
         Hash[res]
       end
       .install_filter_methods_on_resource(self, :scan_config)
@@ -89,6 +95,7 @@ module Inspec::Resources
         { "protocol" => "tls1.0", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
         { "protocol" => "tls1.1", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
         { "protocol" => "tls1.2", "ciphers" => SSLShake::TLS::TLS_CIPHERS.keys },
+        { "protocol" => "tls1.3", "ciphers" => SSLShake::TLS::TLS13_CIPHERS.keys },
       ].map do |line|
         line["ciphers"].map do |cipher|
           { "protocol" => line["protocol"], "cipher" => cipher }

data/lib/inspec/resources/timezone.rb

@@ -0,0 +1,65 @@
+require "inspec/resources/command"
+
+module Inspec::Resources
+  class TimeZone < Cmd
+    name "timezone"
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "Check for timezone configurations"
+    example <<~EXAMPLE
+      describe timezone do
+        its('identifier') { should eq 'Asia/Kolkata' }
+        its('name') { should eq 'IST' }
+        its('time_offset') { should eq '+0530' }
+      end
+    EXAMPLE
+
+    def initialize
+      @output = {}
+      os = inspec.os
+      cmd = if os.windows?
+              inspec.command("Get-TimeZone")
+            else
+              inspec.command("timedatectl status | grep -i 'Time zone'")
+            end
+      if cmd.exit_status != 0
+        raise Inspec::Exceptions::ResourceFailed, "Time Zone resource with error: #{cmd.stderr}"
+      else
+        if os.windows?
+          splitted_output = cmd.stdout.strip.gsub(/\r/, "").split("\n").select { |out| (out.include? "Id") || (out.include? "DisplayName") || (out.include? "BaseUtcOffset") }
+          @output["identifier"]  = split_and_fetch_last(splitted_output[1])
+          @output["name"]        = split_and_fetch_last(splitted_output[0])
+          @output["time_offset"] = split_and_fetch_last(splitted_output[2])
+        else
+          splitted_output = cmd.stdout.split(":")[-1]&.strip&.gsub(/[(),^]*/, "")&.split(" ") || []
+          @output["identifier"]  = splitted_output[0]
+          @output["name"]        = splitted_output[1]
+          @output["time_offset"] = splitted_output[2]
+        end
+      end
+    end
+
+    def identifier
+      @output["identifier"]
+    end
+
+    def name
+      @output["name"]
+    end
+
+    def time_offset
+      @output["time_offset"]
+    end
+
+    def to_s
+      "Time Zone resource"
+    end
+
+    private
+
+    def split_and_fetch_last(string_value)
+      string_value.split(" :")[-1].strip
+    end
+  end
+end

data/lib/inspec/resources.rb

@@ -41,6 +41,7 @@ require "inspec/resources/cassandradb_session"
 require "inspec/resources/cassandradb_conf"
 require "inspec/resources/cassandra"
 require "inspec/resources/crontab"
+require "inspec/resources/timezone"
 require "inspec/resources/dh_params"
 require "inspec/resources/directory"
 require "inspec/resources/docker"
@@ -72,6 +73,7 @@ require "inspec/resources/ip6tables"
 require "inspec/resources/iptables"
 require "inspec/resources/kernel_module"
 require "inspec/resources/kernel_parameter"
+require "inspec/resources/kernel_parameters"
 require "inspec/resources/key_rsa"
 require "inspec/resources/ksh"
 require "inspec/resources/limits_conf"