inspec-core 4.50.3 → 4.56.19
- checksums.yaml +4 -4
- data/Gemfile +7 -11
- data/inspec-core.gemspec +2 -2
- data/lib/bundles/inspec-supermarket/README.md +21 -2
- data/lib/bundles/inspec-supermarket/cli.rb +20 -3
- data/lib/bundles/inspec-supermarket/target.rb +3 -2
- data/lib/inspec/base_cli.rb +8 -0
- data/lib/inspec/config.rb +5 -1
- data/lib/inspec/dependencies/requirement.rb +2 -1
- data/lib/inspec/formatters/base.rb +8 -6
- data/lib/inspec/library_eval_context.rb +2 -0
- data/lib/inspec/plugin/v1/registry.rb +1 -1
- data/lib/inspec/plugin/v2/plugin_types/streaming_reporter.rb +10 -0
- data/lib/inspec/profile_context.rb +1 -6
- data/lib/inspec/reporters/automate.rb +1 -1
- data/lib/inspec/reporters/json.rb +1 -1
- data/lib/inspec/resources/auditd.rb +5 -4
- data/lib/inspec/resources/bash.rb +2 -0
- data/lib/inspec/resources/file.rb +38 -0
- data/lib/inspec/resources/firewalld.rb +83 -9
- data/lib/inspec/resources/grub_conf.rb +1 -1
- data/lib/inspec/resources/http.rb +31 -2
- data/lib/inspec/resources/ibmdb2_session.rb +2 -2
- data/lib/inspec/resources/iptables.rb +18 -2
- data/lib/inspec/resources/kernel_parameters.rb +58 -0
- data/lib/inspec/resources/mssql_session.rb +11 -3
- data/lib/inspec/resources/oracledb_session.rb +10 -4
- data/lib/inspec/resources/package.rb +74 -1
- data/lib/inspec/resources/packages.rb +21 -0
- data/lib/inspec/resources/postgres_session.rb +4 -2
- data/lib/inspec/resources/registry_key.rb +30 -0
- data/lib/inspec/resources/selinux.rb +6 -1
- data/lib/inspec/resources/service.rb +58 -9
- data/lib/inspec/resources/ssl.rb +7 -0
- data/lib/inspec/resources/timezone.rb +65 -0
- data/lib/inspec/resources.rb +2 -0
- data/lib/inspec/runner_rspec.rb +30 -0
- data/lib/inspec/utils/filter.rb +46 -2
- data/lib/inspec/utils/run_data_filters.rb +1 -1
- data/lib/inspec/version.rb +1 -1
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/api.rb +1 -1
- data/lib/plugins/inspec-compliance/lib/inspec-compliance/cli.rb +4 -3
- metadata +8 -5
@@ -33,6 +33,7 @@ module Inspec::Resources
|
|
33
33
|
def initialize(params = {})
|
34
34
|
@table = params[:table]
|
35
35
|
@chain = params[:chain]
|
36
|
+
@ignore_comments = params[:ignore_comments] || false
|
36
37
|
|
37
38
|
# we're done if we are on linux
|
38
39
|
return if inspec.os.linux?
|
@@ -59,8 +60,13 @@ module Inspec::Resources
|
|
59
60
|
cmd = inspec.command(iptables_cmd)
|
60
61
|
return [] if cmd.exit_status.to_i != 0
|
61
62
|
|
62
|
-
|
63
|
-
|
63
|
+
if @ignore_comments
|
64
|
+
# split rules, returns array or rules without any comment
|
65
|
+
@iptables_cache = remove_comments_from_rules(cmd.stdout.split("\n"))
|
66
|
+
else
|
67
|
+
# split rules, returns array or rules
|
68
|
+
@iptables_cache = cmd.stdout.split("\n").map(&:strip)
|
69
|
+
end
|
64
70
|
end
|
65
71
|
|
66
72
|
def to_s
|
@@ -69,6 +75,16 @@ module Inspec::Resources
|
|
69
75
|
|
70
76
|
private
|
71
77
|
|
78
|
+
def remove_comments_from_rules(rules)
|
79
|
+
rules.each do |rule|
|
80
|
+
next if rule.nil?
|
81
|
+
|
82
|
+
rule.gsub!(/ -m comment --comment "([^"]*)"/, "")
|
83
|
+
rule.strip
|
84
|
+
end
|
85
|
+
rules
|
86
|
+
end
|
87
|
+
|
72
88
|
def find_iptables_or_error
|
73
89
|
%w{/usr/sbin/iptables /sbin/iptables iptables}.each do |cmd|
|
74
90
|
return cmd if inspec.command(cmd).exist?
|
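Review bot: In `remove_comments_from_rules`, the `rule.strip` on the line after the `gsub!` is a non-mutating call whose result is discarded, so the `ignore_comments` path caches unstripped rules while the `else` path in the `@@ -59,8 +60,13 @@` hunk strips them with `map(&:strip)`. The two cache contents therefore differ in leading/trailing whitespace, and a `should include` matcher written against one form will not match the other. Replacing the `each` block with `rules.map { |rule| rule&.gsub(/ -m comment --comment "[^"]*"/, "")&.strip }` strips both paths consistently and stops mutating the caller's strings in place; the unused capture group in the regex can go at the same time.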
@@ -0,0 +1,58 @@
|
|
1
|
+
module Inspec::Resources
|
2
|
+
class KernelParameters < Inspec.resource(1)
|
3
|
+
name "kernel_parameters"
|
4
|
+
supports platform: "unix"
|
5
|
+
desc "Use the kernel_parameters InSpec audit resource to test kernel parameters on Linux platforms."
|
6
|
+
example <<~EXAMPLE
|
7
|
+
describe kernel_parameters.where(parameter: /^net./ ) do
|
8
|
+
its('parameters') { should include 'net.ipv4.conf.all.forwarding' }
|
9
|
+
end
|
10
|
+
|
11
|
+
describe kernel_parameters.where(parameter: "net.ipv4.conf.all.forwarding") do
|
12
|
+
its('values') { should eq [0] }
|
13
|
+
end
|
14
|
+
|
15
|
+
describe kernel_parameters do
|
16
|
+
its('parameters') { should include 'net.ipv4.conf.all.forwarding' }
|
17
|
+
its('values') { should include 0 }
|
18
|
+
end
|
19
|
+
EXAMPLE
|
20
|
+
|
21
|
+
filter = FilterTable.create
|
22
|
+
filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
|
23
|
+
filter.register_column(:parameters, field: "parameter")
|
24
|
+
.register_column(:values, field: "value")
|
25
|
+
filter.install_filter_methods_on_resource(self, :params)
|
26
|
+
|
27
|
+
def initialize
|
28
|
+
# this resource is only supported on Linux
|
29
|
+
return skip_resource "The `kernel_parameters` resource is not supported on your OS." unless inspec.os.linux?
|
30
|
+
end
|
31
|
+
|
32
|
+
def to_s
|
33
|
+
"Kernel Parameters"
|
34
|
+
end
|
35
|
+
|
36
|
+
private
|
37
|
+
|
38
|
+
def params
|
39
|
+
cmd = inspec.command("/sbin/sysctl -a")
|
40
|
+
cmd.exit_status != 0 ? [] : parse_kernel_paramater(cmd.stdout)
|
41
|
+
end
|
42
|
+
|
43
|
+
def parse_kernel_paramater(stdout)
|
44
|
+
result = []
|
45
|
+
stdout.split("\n").each do |out|
|
46
|
+
splitted_output = out.split("=").map(&:strip)
|
47
|
+
result.push(
|
48
|
+
{
|
49
|
+
"parameter" => splitted_output[0],
|
50
|
+
"value" => splitted_output[1].to_i,
|
51
|
+
}
|
52
|
+
)
|
53
|
+
end
|
54
|
+
result
|
55
|
+
end
|
56
|
+
|
57
|
+
end
|
58
|
+
end
|
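Review bot: `parse_kernel_paramater` coerces every value with `to_i`, so a line that does not split cleanly (no `=`, a value containing `=`, or a non-numeric value such as `kernel.hostname` or the space-separated `net.ipv4.tcp_rmem`) silently becomes `0`, and a control asserting `its('values') { should eq [0] }` for a hardening parameter can pass on a parse failure rather than on the real setting. `out.split("=")` also splits values that contain `=` into extra fields that are then dropped. Splitting on the first `=` only, skipping lines without one, and keeping non-numeric values as strings makes a misparse visible instead of reporting a plausible number. The helper name has a typo (`paramater`); since it is private, renaming it is safe but I have left it as-is below.

```ruby
def parse_kernel_paramater(stdout)
  stdout.split("\n").map do |out|
    # split on the first "=" only so values that themselves contain "=" survive intact
    parameter, value = out.split("=", 2).map(&:strip)
    next if parameter.nil? || parameter.empty? || value.nil?

    # keep non-numeric values (hostnames, multi-field settings) instead of coercing them to 0
    { "parameter" => parameter, "value" => Integer(value, exception: false) || value }
  end.compact
end
```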
@@ -76,7 +76,7 @@ module Inspec::Resources
|
|
76
76
|
if cmd.exit_status != 0 || out =~ /Sqlcmd: Error/
|
77
77
|
raise Inspec::Exceptions::ResourceFailed, "Could not execute the sql query #{out}"
|
78
78
|
else
|
79
|
-
DatabaseHelper::SQLQueryResult.new(cmd, parse_csv_result(cmd))
|
79
|
+
DatabaseHelper::SQLQueryResult.new(cmd, parse_csv_result(cmd.stdout))
|
80
80
|
end
|
81
81
|
end
|
82
82
|
|
@@ -94,9 +94,17 @@ module Inspec::Resources
|
|
94
94
|
!query("select getdate()").empty?
|
95
95
|
end
|
96
96
|
|
97
|
-
def parse_csv_result(
|
97
|
+
def parse_csv_result(stdout)
|
98
98
|
require "csv" unless defined?(CSV)
|
99
|
-
|
99
|
+
|
100
|
+
# replaces \n with \r since multiline data in older versions of database returns faulty
|
101
|
+
# formatted multiline data, example name\r\n----\r\nThis is\na multiline field\r\n
|
102
|
+
out = stdout.gsub("\n", "\r")
|
103
|
+
out = out.gsub("\r\r", "\r")
|
104
|
+
|
105
|
+
# row separator used since row delimiters \n (in linux) or \r\n (in windows)
|
106
|
+
# are converted to \r for consistency and handling faulty formatted multiline data
|
107
|
+
table = CSV.parse(out, headers: true, row_sep: "\r")
|
100
108
|
|
101
109
|
# remove first row, since it will be a seperator line
|
102
110
|
table.delete(0)
|
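Review bot: `out.gsub("\r\r", "\r")` on the new line 103 collapses only one pair per match, so input that mixed `\r\n` rows with a blank line (`\r\n\r\n` becomes `\r\r\r\r` after the first substitution) still leaves `\r\r` behind and hands an empty row to `CSV.parse`; `squeeze("\r")` collapses any run in a single pass. I would fold the two substitutions into `out = stdout.gsub("\n", "\r").squeeze("\r")`. Whether an empty row actually breaks consumers depends on how the table is used after `table.delete(0)`, which is outside the hunk, so treat this as defensive rather than a confirmed failure.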
@@ -61,9 +61,13 @@ module Inspec::Resources
|
|
61
61
|
raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}"
|
62
62
|
else
|
63
63
|
begin
|
64
|
-
|
65
|
-
|
66
|
-
|
64
|
+
unless inspec_cmd.stdout.empty?
|
65
|
+
DatabaseHelper::SQLQueryResult.new(inspec_cmd, parse_csv_result(inspec_cmd.stdout))
|
66
|
+
else
|
67
|
+
inspec_cmd.stdout
|
68
|
+
end
|
69
|
+
rescue Exception => ex
|
70
|
+
raise Inspec::Exceptions::ResourceFailed, "Oracle query with exception: #{ex}"
|
67
71
|
end
|
68
72
|
end
|
69
73
|
end
|
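Review bot: `rescue Exception => ex` on the new line 69 catches `Interrupt`, `SystemExit` and `NoMemoryError` as well as ordinary errors, so a Ctrl-C or a controlled shutdown during a slow query is re-raised as `ResourceFailed` with an "Oracle query with exception" message instead of terminating the run. `rescue StandardError => ex` (or a bare `rescue => ex`) keeps the intended wrapping for parse and query failures only. The enclosing method starts before the hunk, so how `inspec_cmd` and `out` are produced is not visible here.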
@@ -118,7 +122,9 @@ module Inspec::Resources
|
|
118
122
|
output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
|
119
123
|
converter = ->(header) { header.downcase }
|
120
124
|
CSV.parse(output, headers: true, header_converters: converter).map do |row|
|
121
|
-
|
125
|
+
next if row.entries.flatten.empty?
|
126
|
+
|
127
|
+
revised_row = row.entries.flatten.map { |entry| entry&.gsub("comma_query_sub", ",") }
|
122
128
|
Hashie::Mash.new([revised_row].to_h)
|
123
129
|
end
|
124
130
|
end
|
@@ -26,6 +26,7 @@ module Inspec::Resources
|
|
26
26
|
@cache = nil
|
27
27
|
# select package manager
|
28
28
|
@pkgman = nil
|
29
|
+
@latest_version = nil
|
29
30
|
|
30
31
|
os = inspec.os
|
31
32
|
if os.debian?
|
@@ -60,6 +61,15 @@ module Inspec::Resources
|
|
60
61
|
info[:installed] == true
|
61
62
|
end
|
62
63
|
|
64
|
+
def latest?(_provider = nil, _version = nil)
|
65
|
+
os = inspec.os
|
66
|
+
if os.solaris? || (%w{hpux aix}.include? os[:family])
|
67
|
+
raise Inspec::Exceptions::ResourceSkipped, "The `be_latest` matcher is not supported on your OS yet."
|
68
|
+
end
|
69
|
+
|
70
|
+
(!info[:only_version_no].nil? && !latest_version.nil?) && (info[:only_version_no] == latest_version)
|
71
|
+
end
|
72
|
+
|
63
73
|
# returns true it the package is held (if the OS supports it)
|
64
74
|
def held?(_provider = nil, _version = nil)
|
65
75
|
info[:held] == true
|
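Review bot: `latest?` compares `info[:only_version_no]` with `latest_version`, but the two sides are not normalized the same way: the rpm hunk (`@@ -181,9 +217,15 @@`) stores `only_version_no: "#{v}"` raw, while `latest_version` always goes through `fetch_version_no`, whose regex `(?:(?:\d+)[.]){2,}(?:\d+)` only matches versions with at least three numeric components. A package at version `1.2` therefore yields `nil` on the latest side and `"1.2"` on the installed side, so `be_latest` reports false even when the package is current; the same regex is applied to `params["Version"]` in the deb and pacman hunks, where a two-component version also becomes `nil`. Relaxing the quantifier to `{1,}` (at the cost of matching more incidental numbers in command output) and passing the rpm `v` through `fetch_version_no` like the other managers would make both sides comparable. Separately, `package_name` is interpolated unescaped into shell pipelines (`pacman -Ss #{package_name} | grep #{package_name}`, `pkg version -v | grep #{package_name}`); if the rest of this file escapes names before handing them to `inspec.command` (not visible here), these new command strings should do the same.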
@@ -82,6 +92,10 @@ module Inspec::Resources
|
|
82
92
|
info[:version]
|
83
93
|
end
|
84
94
|
|
95
|
+
def latest_version
|
96
|
+
@latest_version ||= ( @pkgman.latest_version(@package_name) || info[:latest_version] )
|
97
|
+
end
|
98
|
+
|
85
99
|
def to_s
|
86
100
|
"System Package #{@package_name}"
|
87
101
|
end
|
@@ -107,6 +121,21 @@ module Inspec::Resources
|
|
107
121
|
# combined into a `ResourceSkipped` exception message.
|
108
122
|
[]
|
109
123
|
end
|
124
|
+
|
125
|
+
private
|
126
|
+
|
127
|
+
def fetch_latest_version(cmd_string)
|
128
|
+
cmd = inspec.command(cmd_string)
|
129
|
+
if cmd.exit_status != 0
|
130
|
+
raise Inspec::Exceptions::ResourceFailed, "Failed to fetch latest version. Error: #{cmd.stderr}"
|
131
|
+
else
|
132
|
+
fetch_version_no(cmd.stdout)
|
133
|
+
end
|
134
|
+
end
|
135
|
+
|
136
|
+
def fetch_version_no(output)
|
137
|
+
output.scan(/(?:(?:\d+)[.]){2,}(?:\d+)/).max_by { |s| Gem::Version.new(s) } unless output.nil?
|
138
|
+
end
|
110
139
|
end
|
111
140
|
|
112
141
|
# Debian / Ubuntu
|
@@ -124,14 +153,21 @@ module Inspec::Resources
|
|
124
153
|
# If the package is installed and marked hold, Status is "hold ok installed"
|
125
154
|
# If the package is removed and not purged, Status is "deinstall ok config-files" with exit_status 0
|
126
155
|
# If the package is purged cmd fails with non-zero exit status
|
156
|
+
|
127
157
|
{
|
128
158
|
name: params["Package"],
|
129
159
|
installed: params["Status"].split(" ")[2] == "installed",
|
130
160
|
held: params["Status"].split(" ")[0] == "hold",
|
131
161
|
version: params["Version"],
|
132
162
|
type: "deb",
|
163
|
+
only_version_no: fetch_version_no(params["Version"]),
|
133
164
|
}
|
134
165
|
end
|
166
|
+
|
167
|
+
def latest_version(package_name)
|
168
|
+
cmd_string = "apt list #{package_name} -a"
|
169
|
+
fetch_latest_version(cmd_string)
|
170
|
+
end
|
135
171
|
end
|
136
172
|
|
137
173
|
# RHEL family
|
@@ -181,9 +217,15 @@ module Inspec::Resources
|
|
181
217
|
installed: true,
|
182
218
|
version: "#{v}-#{r}",
|
183
219
|
type: "rpm",
|
220
|
+
only_version_no: "#{v}",
|
184
221
|
}
|
185
222
|
end
|
186
223
|
|
224
|
+
def latest_version(package_name)
|
225
|
+
cmd_string = "yum list #{package_name}"
|
226
|
+
fetch_latest_version(cmd_string)
|
227
|
+
end
|
228
|
+
|
187
229
|
private
|
188
230
|
|
189
231
|
def rpm_command(package_name)
|
@@ -216,11 +258,17 @@ module Inspec::Resources
|
|
216
258
|
installed: true,
|
217
259
|
version: pkg["installed"][0]["version"],
|
218
260
|
type: "brew",
|
261
|
+
latest_version: pkg["versions"]["stable"],
|
262
|
+
only_version_no: pkg["installed"][0]["version"],
|
219
263
|
}
|
220
264
|
rescue JSON::ParserError => e
|
221
265
|
raise Inspec::Exceptions::ResourceFailed,
|
222
266
|
"Failed to parse JSON from `brew` command. Error: #{e}"
|
223
267
|
end
|
268
|
+
|
269
|
+
def latest_version(package_name)
|
270
|
+
nil
|
271
|
+
end
|
224
272
|
end
|
225
273
|
|
226
274
|
# Arch Linux
|
@@ -240,8 +288,14 @@ module Inspec::Resources
|
|
240
288
|
installed: true,
|
241
289
|
version: params["Version"],
|
242
290
|
type: "pacman",
|
291
|
+
only_version_no: fetch_version_no(params["Version"]),
|
243
292
|
}
|
244
293
|
end
|
294
|
+
|
295
|
+
def latest_version(package_name)
|
296
|
+
cmd_string = "pacman -Ss #{package_name} | grep #{package_name} | grep installed"
|
297
|
+
fetch_latest_version(cmd_string)
|
298
|
+
end
|
245
299
|
end
|
246
300
|
|
247
301
|
class HpuxPkg < PkgManagement
|
@@ -267,13 +321,20 @@ module Inspec::Resources
|
|
267
321
|
pkg_info = cmd.stdout.split("\n").delete_if { |e| e =~ /^WARNING/i }
|
268
322
|
pkg = pkg_info[0].split(" - ")[0]
|
269
323
|
|
324
|
+
version = pkg.partition("-")[2]
|
270
325
|
{
|
271
326
|
name: pkg.partition("-")[0],
|
272
327
|
installed: true,
|
273
|
-
version:
|
328
|
+
version: version,
|
274
329
|
type: "pkg",
|
330
|
+
only_version_no: fetch_version_no(version),
|
275
331
|
}
|
276
332
|
end
|
333
|
+
|
334
|
+
def latest_version(package_name)
|
335
|
+
cmd_string = "apk info #{package_name}"
|
336
|
+
fetch_latest_version(cmd_string)
|
337
|
+
end
|
277
338
|
end
|
278
339
|
|
279
340
|
class FreebsdPkg < PkgManagement
|
@@ -292,8 +353,14 @@ module Inspec::Resources
|
|
292
353
|
installed: true,
|
293
354
|
version: params["Version"],
|
294
355
|
type: "pkg",
|
356
|
+
only_version_no: params["Version"],
|
295
357
|
}
|
296
358
|
end
|
359
|
+
|
360
|
+
def latest_version(package_name)
|
361
|
+
cmd_string = "pkg version -v | grep #{package_name}"
|
362
|
+
fetch_latest_version(cmd_string)
|
363
|
+
end
|
297
364
|
end
|
298
365
|
|
299
366
|
# Determines the installed packages on Windows using the Windows package registry entries.
|
@@ -339,8 +406,14 @@ module Inspec::Resources
|
|
339
406
|
installed: true,
|
340
407
|
version: package["DisplayVersion"],
|
341
408
|
type: "windows",
|
409
|
+
only_version_no: package["DisplayVersion"],
|
342
410
|
}
|
343
411
|
end
|
412
|
+
|
413
|
+
def latest_version(package_name)
|
414
|
+
cmd_string = "Get-Package #{package_name} -AllVersions"
|
415
|
+
fetch_latest_version(cmd_string)
|
416
|
+
end
|
344
417
|
end
|
345
418
|
|
346
419
|
# AIX
|
@@ -26,6 +26,8 @@ module Inspec::Resources
|
|
26
26
|
@pkgs = Debs.new(inspec)
|
27
27
|
elsif os.redhat? || %w{suse amazon fedora}.include?(os[:family])
|
28
28
|
@pkgs = Rpms.new(inspec)
|
29
|
+
elsif ["alpine"].include?(os[:name])
|
30
|
+
@pkgs = AlpinePkgs.new(inspec)
|
29
31
|
else
|
30
32
|
return skip_resource "The packages resource is not yet supported on OS #{inspec.os.name}"
|
31
33
|
end
|
@@ -108,4 +110,23 @@ module Inspec::Resources
|
|
108
110
|
end
|
109
111
|
end
|
110
112
|
end
|
113
|
+
|
114
|
+
# RedHat family
|
115
|
+
class AlpinePkgs < PkgsManagement
|
116
|
+
def build_package_list
|
117
|
+
command = "apk list --no-network --installed"
|
118
|
+
cmd = inspec.command(command)
|
119
|
+
all = cmd.stdout.split("\n")
|
120
|
+
return [] if all.nil? || cmd.exit_status.to_i != 0
|
121
|
+
|
122
|
+
all.map do |m|
|
123
|
+
next if m =~ /^WARNING/i
|
124
|
+
|
125
|
+
a = m.split(" ")
|
126
|
+
version = a[0].split("-")[-2]
|
127
|
+
name = a[2].gsub(/[{}^]*/, "")
|
128
|
+
PackageStruct.new("installed", name, version, a[1])
|
129
|
+
end
|
130
|
+
end
|
131
|
+
end
|
111
132
|
end
|
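Review bot: In `AlpinePkgs#build_package_list` the `next` inside `all.map` leaves a `nil` element in the returned list for every `WARNING` line, which the other managers in this file presumably do not produce; ending the block with `end.compact` (or using `filter_map`) keeps the list homogeneous. The comment above the class reads `# RedHat family` but the class is for Alpine, so it should read `# Alpine Linux`. The name is taken from `a[2]` with the braces stripped; in `apk list` output that field is the origin package (e.g. `{musl}` for `musl-utils`), so sub-packages would be reported under their origin's name — worth verifying against real output and, if confirmed, deriving the name from `a[0]` by stripping the `-<version>-r<n>` suffix instead. `version = a[0].split("-")[-2]` also drops the `-rN` release component, which may be intended but is undocumented.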
@@ -55,8 +55,10 @@ module Inspec::Resources
|
|
55
55
|
psql_cmd = create_psql_cmd(query, db)
|
56
56
|
cmd = inspec.command(psql_cmd, redact_regex: %r{(:\/\/[a-z]*:).*(@)})
|
57
57
|
out = cmd.stdout + "\n" + cmd.stderr
|
58
|
-
if cmd.exit_status != 0
|
59
|
-
raise Inspec::Exceptions::ResourceFailed, "PostgreSQL
|
58
|
+
if cmd.exit_status != 0 && ( out =~ /could not connect to/ || out =~ /password authentication failed/ ) && out.downcase =~ /error:/
|
59
|
+
raise Inspec::Exceptions::ResourceFailed, "PostgreSQL connection error: #{out}"
|
60
|
+
elsif cmd.exit_status != 0 && out.downcase =~ /error:/
|
61
|
+
Lines.new(out, "PostgreSQL query with error: #{query}")
|
60
62
|
else
|
61
63
|
Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")
|
62
64
|
end
|
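Review bot: The new condition chain only raises when the output contains `error:`, so a non-zero exit whose message lacks that token (psql not on PATH, a killed or timed-out process, or an older psql that prints `psql: could not connect to server` without an `error:` prefix, as I recall) now falls through to the `else` branch and returns `Lines.new(cmd.stdout.strip, ...)` with empty output as if the query had succeeded — a control written as `should_not match` then passes without ever querying the server. Before this change any non-zero exit raised `ResourceFailed`. Adding a final guard before `else`, `elsif cmd.exit_status != 0` / `raise Inspec::Exceptions::ResourceFailed, "PostgreSQL command failed: #{out}"`, restores fail-closed behaviour while keeping the new connection-error distinction. The `out =~ /.../` tests use no captures and could be `out.match?(/.../)`.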
@@ -105,6 +105,21 @@ module Inspec::Resources
|
|
105
105
|
children_keys(@options[:path], filter)
|
106
106
|
end
|
107
107
|
|
108
|
+
# returns hash containing users / groups and their permission
|
109
|
+
def user_permissions
|
110
|
+
return {} unless exists?
|
111
|
+
|
112
|
+
get_permissions(@options[:path])
|
113
|
+
end
|
114
|
+
|
115
|
+
# returns true if inheritance is enabled for registry key.
|
116
|
+
def inherited?
|
117
|
+
return false unless exists?
|
118
|
+
|
119
|
+
cmd = inspec.command("(Get-Acl -Path 'Registry::#{@options[:path]}').access| Where-Object {$_.IsInherited -eq $true} | measure | % { $_.Count }")
|
120
|
+
cmd.stdout.chomp == "0" ? false : true
|
121
|
+
end
|
122
|
+
|
108
123
|
# returns nil, if not existent or value
|
109
124
|
def method_missing(*keys)
|
110
125
|
# allow the use of array syntax in an `its` block so that users
|
@@ -283,6 +298,21 @@ module Inspec::Resources
|
|
283
298
|
|
284
299
|
key.start_with?("\\") ? key : "\\#{key}"
|
285
300
|
end
|
301
|
+
|
302
|
+
def get_permissions(path)
|
303
|
+
script = <<~EOH
|
304
|
+
$path = '#{path}'
|
305
|
+
$Acl = Get-Acl -Path ('Registry::' + $path)
|
306
|
+
$Result = foreach ($Access in $acl.Access) {
|
307
|
+
[PSCustomObject]@{
|
308
|
+
$Access.IdentityReference = $Access.RegistryRights.ToString()
|
309
|
+
}
|
310
|
+
}
|
311
|
+
$Result | ConvertTo-Json
|
312
|
+
EOH
|
313
|
+
result = inspec.powershell(script)
|
314
|
+
JSON.load(result.stdout).inject(&:merge) unless result.stdout.empty?
|
315
|
+
end
|
286
316
|
end
|
287
317
|
|
288
318
|
class WindowsRegistryKey < RegistryKey
|
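Review bot: `get_permissions` interpolates `path` into a single-quoted PowerShell literal (`$path = '#{path}'`), so a key path containing `'` terminates the literal and the remainder runs as script; doubling single quotes (`path.gsub("'", "''")`) is the PowerShell escape, and `inherited?` in the `@@ -105,6 +105,21 @@` hunk has the same `'Registry::#{@options[:path]}'` pattern. The parse step uses `JSON.load`, whose default options in the json gem versions of this era honour `json_class` additions on input produced by the audited host, where `JSON.parse` is the conventional choice for data; and when the key has a single ACE `ConvertTo-Json` emits a bare object rather than a one-element array (worth confirming), in which case `Hash#inject(&:merge)` iterates key/value pairs and fails. `inherited?` also returns `true` whenever stdout is anything other than `"0"`, including the empty string from a failed command, so a failed command is reported as inheritance enabled and a `should be_inherited` expectation passes spuriously; checking `cmd.exit_status` first would surface that. The rewrite below escapes the path, switches to `JSON.parse` and normalises a single object.

```ruby
def get_permissions(path)
  # double any single quote so the path cannot close the PowerShell string literal
  script = <<~EOH
    $path = '#{path.gsub("'", "''")}'
    # … unchanged: Get-Acl, foreach over $acl.Access, ConvertTo-Json …
  EOH
  result = inspec.powershell(script)
  return if result.stdout.empty?

  # JSON.parse ignores json_class additions; a single ACE arrives as a bare
  # object rather than a one-element array, so normalise before merging
  parsed = JSON.parse(result.stdout)
  parsed = [parsed] if parsed.is_a?(Hash)
  parsed.inject(&:merge)
end
```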
@@ -84,8 +84,13 @@ module Inspec::Resources
|
|
84
84
|
|
85
85
|
def initialize(selinux_path = "/etc/selinux/config")
|
86
86
|
@path = selinux_path
|
87
|
-
|
87
|
+
if inspec.os.redhat? && inspec.os.name == "amazon"
|
88
|
+
lcmd = "/usr/sbin/sestatus"
|
89
|
+
else
|
90
|
+
lcmd = "sestatus"
|
91
|
+
end
|
88
92
|
|
93
|
+
cmd = inspec.command(lcmd)
|
89
94
|
if cmd.exit_status != 0
|
90
95
|
# `sestatus` command not found error message comes in stdout so handling both here
|
91
96
|
out = cmd.stdout + "\n" + cmd.stderr
|
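Review bot: The `if/else` choosing `lcmd` on the new lines 87–91 carries no explanation of why Amazon Linux needs the absolute `/usr/sbin/sestatus` while every other platform relies on `PATH` lookup; a short comment recording the reason (which lookup failed and on which image) would save the next reader from guessing. Stylistically the four-line branch reads better as `lcmd = inspec.os.redhat? && inspec.os.name == "amazon" ? "/usr/sbin/sestatus" : "sestatus"`. `initialize` continues past the end of the hunk.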
@@ -163,7 +163,12 @@ module Inspec::Resources
|
|
163
163
|
when "mac_os_x", "darwin"
|
164
164
|
LaunchCtl.new(inspec, service_ctl)
|
165
165
|
when "freebsd"
|
166
|
-
|
166
|
+
version = os[:release].to_f
|
167
|
+
if version < 10
|
168
|
+
BSDInit.new(inspec, service_ctl)
|
169
|
+
else
|
170
|
+
FreeBSD10Init.new(inspec, service_ctl)
|
171
|
+
end
|
167
172
|
when "arch"
|
168
173
|
Systemd.new(inspec, service_ctl)
|
169
174
|
when "coreos"
|
@@ -186,6 +191,8 @@ module Inspec::Resources
|
|
186
191
|
Svcs.new(inspec)
|
187
192
|
when "yocto"
|
188
193
|
Systemd.new(inspec, service_ctl)
|
194
|
+
when "alpine"
|
195
|
+
SysV.new(inspec, service_ctl)
|
189
196
|
end
|
190
197
|
end
|
191
198
|
|
@@ -478,6 +485,7 @@ module Inspec::Resources
|
|
478
485
|
|
479
486
|
# @see: https://www.freebsd.org/doc/en/articles/linux-users/startup.html
|
480
487
|
# @see: https://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5
|
488
|
+
# @see: https://www.freebsd.org/cgi/man.cgi?query=rc&apropos=0&sektion=8&manpath=FreeBSD+9.3-RELEASE&arch=default&format=html
|
481
489
|
class BSDInit < ServiceManager
|
482
490
|
def initialize(service_name, service_ctl = nil)
|
483
491
|
@service_ctl = service_ctl || "service"
|
@@ -485,17 +493,20 @@ module Inspec::Resources
|
|
485
493
|
end
|
486
494
|
|
487
495
|
def info(service_name)
|
488
|
-
#
|
489
|
-
#
|
490
|
-
#
|
491
|
-
#
|
492
|
-
#
|
493
|
-
#
|
496
|
+
# `service -e` lists all enabled services. Output format:
|
497
|
+
# % service -e
|
498
|
+
# /etc/rc.d/hostid
|
499
|
+
# /etc/rc.d/hostid_save
|
500
|
+
# /etc/rc.d/cleanvar
|
501
|
+
# /etc/rc.d/ip6addrctl
|
502
|
+
# /etc/rc.d/devd
|
503
|
+
|
494
504
|
cmd = inspec.command("#{service_ctl} -e")
|
495
505
|
return nil if cmd.exit_status != 0
|
496
506
|
|
497
507
|
# search for the service
|
498
|
-
|
508
|
+
|
509
|
+
srv = %r{^.*/(#{service_name}$)}.match(cmd.stdout)
|
499
510
|
return nil if srv.nil? || srv[0].nil?
|
500
511
|
|
501
512
|
enabled = true
|
@@ -516,6 +527,37 @@ module Inspec::Resources
|
|
516
527
|
end
|
517
528
|
end
|
518
529
|
|
530
|
+
# @see: https://www.freebsd.org/doc/en/articles/linux-users/startup.html
|
531
|
+
# @see: https://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5
|
532
|
+
# @see: https://www.freebsd.org/cgi/man.cgi?query=rc&apropos=0&sektion=8&manpath=FreeBSD+10.0-RELEASE&arch=default&format=html
|
533
|
+
class FreeBSD10Init < ServiceManager
|
534
|
+
def initialize(service_name, service_ctl = nil)
|
535
|
+
@service_ctl = service_ctl || "service"
|
536
|
+
super
|
537
|
+
end
|
538
|
+
|
539
|
+
def info(service_name)
|
540
|
+
# check if service is enabled
|
541
|
+
cmd = inspec.command("#{service_ctl} #{service_name} enabled")
|
542
|
+
|
543
|
+
enabled = cmd.exit_status == 0
|
544
|
+
|
545
|
+
# check if the service is running
|
546
|
+
# if the service is not available or not running, we always get an error code
|
547
|
+
cmd = inspec.command("#{service_ctl} #{service_name} onestatus")
|
548
|
+
running = cmd.exit_status == 0
|
549
|
+
|
550
|
+
{
|
551
|
+
name: service_name,
|
552
|
+
description: nil,
|
553
|
+
installed: true,
|
554
|
+
running: running,
|
555
|
+
enabled: enabled,
|
556
|
+
type: "bsd-init",
|
557
|
+
}
|
558
|
+
end
|
559
|
+
end
|
560
|
+
|
519
561
|
class Runit < ServiceManager
|
520
562
|
def initialize(service_name, service_ctl = nil)
|
521
563
|
@service_ctl = service_ctl || "sv"
|
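Review bot: `FreeBSD10Init#info` hard-codes `installed: true` even though its own comment on the `onestatus` call says an unavailable service and a stopped one both return an error code, so `service('nonexistent')` on FreeBSD 10+ reports installed/not running rather than not installed, and an `it { should be_installed }` check passes for a service that does not exist; as far as is visible here `service -e` in `BSDInit` only lists enabled services, so a separate existence check (an rc script lookup, or `#{service_ctl} -l` if I recall the flag correctly) is needed before `installed` can reflect reality. The FreeBSD version branch (`os[:release].to_f` compared with 10) is written twice, here in the `@@ -163,7 +163,12 @@` hunk and again in `select_service_mgmt` in the last hunk with the comparison inverted; a small helper would keep the two in step. `os[:release].to_f` also yields `0.0` for a missing release string, silently selecting the pre-10 manager.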
@@ -782,7 +824,14 @@ module Inspec::Resources
|
|
782
824
|
EXAMPLE
|
783
825
|
|
784
826
|
def select_service_mgmt
|
785
|
-
|
827
|
+
os = inspec.os
|
828
|
+
version = os[:release].to_f
|
829
|
+
|
830
|
+
if version >= 10
|
831
|
+
FreeBSD10Init.new(inspec, service_ctl)
|
832
|
+
else
|
833
|
+
BSDInit.new(inspec, service_ctl)
|
834
|
+
end
|
786
835
|
end
|
787
836
|
end
|
788
837
|
|
data/lib/inspec/resources/ssl.rb
CHANGED
@@ -38,6 +38,7 @@ module Inspec::Resources
|
|
38
38
|
"tls1.0",
|
39
39
|
"tls1.1",
|
40
40
|
"tls1.2",
|
41
|
+
"tls1.3",
|
41
42
|
].freeze
|
42
43
|
|
43
44
|
attr_reader :host, :port, :timeout, :retries
|
@@ -72,6 +73,11 @@ module Inspec::Resources
|
|
72
73
|
protocol: proto, ciphers: e.map(&:cipher),
|
73
74
|
timeout: x.resource.timeout, retries: x.resource.retries, servername: x.resource.host)]
|
74
75
|
end
|
76
|
+
|
77
|
+
if !res[0].empty? && res[0][1].key?("error") && res[0][1]["error"].include?("Connection error Errno::ECONNREFUSED")
|
78
|
+
raise "#{res[0][1]["error"]}"
|
79
|
+
end
|
80
|
+
|
75
81
|
Hash[res]
|
76
82
|
end
|
77
83
|
.install_filter_methods_on_resource(self, :scan_config)
|
@@ -89,6 +95,7 @@ module Inspec::Resources
|
|
89
95
|
{ "protocol" => "tls1.0", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
|
90
96
|
{ "protocol" => "tls1.1", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
|
91
97
|
{ "protocol" => "tls1.2", "ciphers" => SSLShake::TLS::TLS_CIPHERS.keys },
|
98
|
+
{ "protocol" => "tls1.3", "ciphers" => SSLShake::TLS::TLS13_CIPHERS.keys },
|
92
99
|
].map do |line|
|
93
100
|
line["ciphers"].map do |cipher|
|
94
101
|
{ "protocol" => line["protocol"], "cipher" => cipher }
|
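Review bot: In the `@@ -72,6 +73,11 @@` hunk, `raise "#{res[0][1]["error"]}"` raises a bare `RuntimeError` with a needlessly interpolated string, whereas the other resources in this release wrap command failures in `Inspec::Exceptions::ResourceFailed`; `raise Inspec::Exceptions::ResourceFailed, res[0][1]["error"]` keeps the error type consistent. The check also inspects only `res[0]`, the first protocol scanned, so a refused connection surfaced on a later protocol is left in the result hash as data rather than raised; if the intent is to abort on any refused connection, look across `res` (e.g. `res.find { |_, r| r.key?("error") && r["error"].include?("Connection error Errno::ECONNREFUSED") }`). `res[0][1]` is also reached without checking that `res` itself is non-empty, which the `!res[0].empty?` guard does not cover.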
@@ -0,0 +1,65 @@
|
|
1
|
+
require "inspec/resources/command"
|
2
|
+
|
3
|
+
module Inspec::Resources
|
4
|
+
class TimeZone < Cmd
|
5
|
+
name "timezone"
|
6
|
+
supports platform: "unix"
|
7
|
+
supports platform: "windows"
|
8
|
+
|
9
|
+
desc "Check for timezone configurations"
|
10
|
+
example <<~EXAMPLE
|
11
|
+
describe timezone do
|
12
|
+
its('identifier') { should eq 'Asia/Kolkata' }
|
13
|
+
its('name') { should eq 'IST' }
|
14
|
+
its('time_offset') { should eq '+0530' }
|
15
|
+
end
|
16
|
+
EXAMPLE
|
17
|
+
|
18
|
+
def initialize
|
19
|
+
@output = {}
|
20
|
+
os = inspec.os
|
21
|
+
cmd = if os.windows?
|
22
|
+
inspec.command("Get-TimeZone")
|
23
|
+
else
|
24
|
+
inspec.command("timedatectl status | grep -i 'Time zone'")
|
25
|
+
end
|
26
|
+
if cmd.exit_status != 0
|
27
|
+
raise Inspec::Exceptions::ResourceFailed, "Time Zone resource with error: #{cmd.stderr}"
|
28
|
+
else
|
29
|
+
if os.windows?
|
30
|
+
splitted_output = cmd.stdout.strip.gsub(/\r/, "").split("\n").select { |out| (out.include? "Id") || (out.include? "DisplayName") || (out.include? "BaseUtcOffset") }
|
31
|
+
@output["identifier"] = split_and_fetch_last(splitted_output[1])
|
32
|
+
@output["name"] = split_and_fetch_last(splitted_output[0])
|
33
|
+
@output["time_offset"] = split_and_fetch_last(splitted_output[2])
|
34
|
+
else
|
35
|
+
splitted_output = cmd.stdout.split(":")[-1]&.strip&.gsub(/[(),^]*/, "")&.split(" ") || []
|
36
|
+
@output["identifier"] = splitted_output[0]
|
37
|
+
@output["name"] = splitted_output[1]
|
38
|
+
@output["time_offset"] = splitted_output[2]
|
39
|
+
end
|
40
|
+
end
|
41
|
+
end
|
42
|
+
|
43
|
+
def identifier
|
44
|
+
@output["identifier"]
|
45
|
+
end
|
46
|
+
|
47
|
+
def name
|
48
|
+
@output["name"]
|
49
|
+
end
|
50
|
+
|
51
|
+
def time_offset
|
52
|
+
@output["time_offset"]
|
53
|
+
end
|
54
|
+
|
55
|
+
def to_s
|
56
|
+
"Time Zone resource"
|
57
|
+
end
|
58
|
+
|
59
|
+
private
|
60
|
+
|
61
|
+
def split_and_fetch_last(string_value)
|
62
|
+
string_value.split(" :")[-1].strip
|
63
|
+
end
|
64
|
+
end
|
65
|
+
end
|
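Review bot: On the Windows path, `split_and_fetch_last(splitted_output[1])` and `[2]` assume `Get-TimeZone` printed at least three matching lines in the order Id, DisplayName, BaseUtcOffset; a localized or truncated output gives `nil` and the resource dies with `NoMethodError` inside `initialize` rather than the `ResourceFailed` the method raises for a non-zero exit. Guarding with `raise Inspec::Exceptions::ResourceFailed, "unexpected Get-TimeZone output: #{cmd.stdout}" if splitted_output.size < 3` keeps failures uniform. The unix branch shells out to `timedatectl`, which exists only on systemd hosts, while `supports platform: "unix"` covers BSDs, macOS and non-systemd Linux; on those the pipeline fails and every `timezone` control errors, so either narrow `supports` or state the systemd requirement in `desc`. The index mapping on Windows (line 0 becomes `name`, line 1 becomes `identifier`) also deserves a comment, since the example's IANA-style identifier does not match what `Get-TimeZone` reports on Windows as far as I know.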
data/lib/inspec/resources.rb
CHANGED
@@ -41,6 +41,7 @@ require "inspec/resources/cassandradb_session"
|
|
41
41
|
require "inspec/resources/cassandradb_conf"
|
42
42
|
require "inspec/resources/cassandra"
|
43
43
|
require "inspec/resources/crontab"
|
44
|
+
require "inspec/resources/timezone"
|
44
45
|
require "inspec/resources/dh_params"
|
45
46
|
require "inspec/resources/directory"
|
46
47
|
require "inspec/resources/docker"
|
@@ -72,6 +73,7 @@ require "inspec/resources/ip6tables"
|
|
72
73
|
require "inspec/resources/iptables"
|
73
74
|
require "inspec/resources/kernel_module"
|
74
75
|
require "inspec/resources/kernel_parameter"
|
76
|
+
require "inspec/resources/kernel_parameters"
|
75
77
|
require "inspec/resources/key_rsa"
|
76
78
|
require "inspec/resources/ksh"
|
77
79
|
require "inspec/resources/limits_conf"
|