inspec-core 4.50.3 → 5.7.9

data/lib/inspec/resources/http.rb

@@ -121,6 +121,10 @@ module Inspec::Resources
         def max_redirects
           opts.fetch(:max_redirects, nil)
         end
+
+        def proxy
+          opts.fetch(:proxy, nil)
+        end
       end
 
       class Local < Base
@@ -141,12 +145,18 @@ module Inspec::Resources
         def response
           return @response if @response
 
+          Faraday.ignore_env_proxy = true if proxy == "disable"
+
           conn = Faraday.new(url: url, headers: request_headers, params: params, ssl: { verify: ssl_verify? }) do |builder|
             builder.request :url_encoded
             builder.use FaradayMiddleware::FollowRedirects, limit: max_redirects unless max_redirects.nil?
             builder.adapter Faraday.default_adapter
           end
 
+          unless proxy == "disable" || proxy.nil?
+            conn.proxy = proxy
+          end
+
           # set basic authentication
           conn.basic_auth username, password unless username.nil? || password.nil?
 
@@ -252,6 +262,14 @@ module Inspec::Resources
               cmd << "-X #{http_method}"
             end
 
+            cmd << "--noproxy '*'" if proxy == "disable"
+            unless proxy == "disable" || proxy.nil?
+              if proxy.is_a?(Hash)
+                cmd << "--proxy #{proxy[:uri]} --proxy-user #{proxy[:user]}:#{proxy[:password]}"
+              else
+                cmd << "--proxy #{proxy}"
+              end
+            end
             cmd << "--connect-timeout #{open_timeout}"
             cmd << "--max-time #{open_timeout + read_timeout}"
             cmd << "--user \'#{username}:#{password}\'" unless username.nil? || password.nil?
@@ -292,6 +310,17 @@ module Inspec::Resources
           else
             cmd << "'#{url}?#{params.map { |e| e.join("=") }.join("&")}'"
           end
+
+          proxy_script = ""
+          unless proxy == "disable" || proxy.nil?
+            cmd << "-Proxy #{proxy[:uri]}"
+            cmd << "-ProxyCredential $proxyCreds"
+            proxy_script = <<-EOH
+              $secPasswd = ConvertTo-SecureString "#{proxy[:password]}" -AsPlainText -Force
+              $proxyCreds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{proxy[:user]}",$secPasswd
+            EOH
+          end
+
           command = cmd.join(" ")
           body = "\'#{request_body}\'"
           script = <<-EOH
@@ -302,10 +331,10 @@ module Inspec::Resources
             foreach ($property in $Body.PSObject.Properties) {
               $HashTable[$property.Name] = $property.Value
             }
-            $response = #{command} -Body $HashTable
+            $response = #{command} -Body $HashTable -UseBasicParsing
             $response | Select-Object -Property * | ConvertTo-json # We use `Select-Object -Property * ` to get around an odd PowerShell error
           EOH
-          script.strip
+          proxy_script.strip + "\n" + script.strip
         end
       end
     end

data/lib/inspec/resources/ibmdb2_session.rb

@@ -46,12 +46,12 @@ module Inspec::Resources
 
         # check if following specific error is there. Sourcing the db2profile to resolve the error.
         if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved.  Reason code: "3"/
-          cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} #{q}\;")
+          cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} \"#{q}\"\;")
           out = cmd.stdout + "\n" + cmd.stderr
         end
       elsif inspec.os.platform?("windows")
         # set-item command set the powershell to run the db2 commands.
-        cmd = inspec.command("set-item -path env:DB2CLP -value \"**$$**\"\; db2 connect to #{@db_name}\; db2 #{q}\;")
+        cmd = inspec.command("set-item -path env:DB2CLP -value \"**$$**\"\; db2 connect to #{@db_name}\; db2 \"#{q}\"\;")
         out = cmd.stdout + "\n" + cmd.stderr
       end
 

data/lib/inspec/resources/ipfilter.rb

@@ -0,0 +1,59 @@
+require "inspec/resources/command"
+module Inspec::Resources
+  class IpFilter < Inspec.resource(1)
+    name "ipfilter"
+    supports platform: "bsd"
+    supports platform: "solaris"
+    desc "Use the ipfilter InSpec audit resource to test rules that are defined for ipfilter, which maintains the IP rule set"
+    example <<~EXAMPLE
+      describe ipfilter do
+        it { should have_rule("pass in quick on lo0 all") }
+      end
+    EXAMPLE
+
+    def initialize
+      # checks if the instance is either bsd or solaris
+      return if (inspec.os.bsd? && !inspec.os.darwin?) || inspec.os.solaris?
+
+      # ensures, all calls are aborted for non-supported os
+      @ipfilter_cache = []
+      skip_resource "The `ipfilter` resource is not supported on your OS yet."
+    end
+
+    def has_rule?(rule = nil)
+      # checks if the rule is part of the ruleset
+      retrieve_rules.any? { |line| line.casecmp(rule) == 0 }
+    end
+
+    def retrieve_rules
+      # this would be true if the OS family was not bsd/solaris when checked in initliaze
+      return @ipfilter_cache if defined?(@ipfilter_cache)
+
+      # construct ipfstat command to read all rules
+      bin = find_ipfstat_or_error
+      ipfstat_cmd = "#{bin} -io"
+      cmd = inspec.command(ipfstat_cmd)
+
+      # Return empty array when command is not executed successfully
+      # or there is no output since no rules are active
+      return [] if cmd.exit_status.to_i != 0 || cmd.stdout == ""
+
+      # split rules, returns array or rules
+      @ipfilter_cache = cmd.stdout.split("\n").map(&:strip)
+    end
+
+    def to_s
+      "Ipfilter"
+    end
+
+    private
+
+    def find_ipfstat_or_error
+      %w{/usr/sbin/ipfstat /sbin/ipfstat ipfstat}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `ipfstat`"
+    end
+  end
+end

data/lib/inspec/resources/ipnat.rb

@@ -0,0 +1,58 @@
+require "inspec/resources/command"
+module Inspec::Resources
+  class IpNat < Inspec.resource(1)
+    name "ipnat"
+    supports platform: "bsd"
+    supports platform: "solaris"
+    desc "Use the ipnat InSpec audit resource to test rules that are defined for IP NAT"
+    example <<~EXAMPLE
+      describe ipnat do
+        it { should have_rule("map net1 192.168.0.0/24 -> 0/32") }
+      end
+    EXAMPLE
+
+    def initialize
+      # checks if the instance is either bsd or solaris
+      return if (inspec.os.bsd? && !inspec.os.darwin?) || inspec.os.solaris?
+
+      # ensures, all calls are aborted for non-supported os
+      @ipnat_cache = []
+      skip_resource "The `ipnat` resource is not supported on your OS yet."
+    end
+
+    def has_rule?(rule = nil)
+      # checks if the rule is part of the ruleset
+      retrieve_rules.any? { |line| line.casecmp(rule) == 0 }
+    end
+
+    def retrieve_rules
+      # this would be true if the OS family was not bsd/solaris when checked in initliaze
+      return @ipnat_cache if defined?(@ipnat_cache)
+
+      # construct ipnat command to show the list of current IP NAT table entry mappings
+      bin = find_ipnat_or_error
+      ipnat_cmd = "#{bin} -l"
+      cmd = inspec.command(ipnat_cmd)
+
+      # Return empty array when command is not executed successfully
+      return [] if cmd.exit_status.to_i != 0
+
+      # split rules, returns array or rules
+      @ipnat_cache = cmd.stdout.split("\n").map(&:strip)
+    end
+
+    def to_s
+      "Ipnat"
+    end
+
+    private
+
+    def find_ipnat_or_error
+      %w{/usr/sbin/ipnat /sbin/ipnat ipnat}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `ipnat`"
+    end
+  end
+end

data/lib/inspec/resources/iptables.rb

@@ -33,6 +33,7 @@ module Inspec::Resources
     def initialize(params = {})
       @table = params[:table]
       @chain = params[:chain]
+      @ignore_comments = params[:ignore_comments] || false
 
       # we're done if we are on linux
       return if inspec.os.linux?
@@ -59,8 +60,13 @@ module Inspec::Resources
       cmd = inspec.command(iptables_cmd)
       return [] if cmd.exit_status.to_i != 0
 
-      # split rules, returns array or rules
-      @iptables_cache = cmd.stdout.split("\n").map(&:strip)
+      if @ignore_comments
+        # split rules, returns array or rules without any comment
+        @iptables_cache = remove_comments_from_rules(cmd.stdout.split("\n"))
+      else
+        # split rules, returns array or rules
+        @iptables_cache = cmd.stdout.split("\n").map(&:strip)
+      end
     end
 
     def to_s
@@ -69,6 +75,16 @@ module Inspec::Resources
 
     private
 
+    def remove_comments_from_rules(rules)
+      rules.each do |rule|
+        next if rule.nil?
+
+        rule.gsub!(/ -m comment --comment "([^"]*)"/, "")
+        rule.strip
+      end
+      rules
+    end
+
     def find_iptables_or_error
       %w{/usr/sbin/iptables /sbin/iptables iptables}.each do |cmd|
         return cmd if inspec.command(cmd).exist?

data/lib/inspec/resources/kernel_parameters.rb

@@ -0,0 +1,58 @@
+module Inspec::Resources
+  class KernelParameters < Inspec.resource(1)
+    name "kernel_parameters"
+    supports platform: "unix"
+    desc "Use the kernel_parameters InSpec audit resource to test kernel parameters on Linux platforms."
+    example <<~EXAMPLE
+      describe kernel_parameters.where(parameter: /^net./ ) do
+        its('parameters') { should include 'net.ipv4.conf.all.forwarding' }
+      end
+
+      describe kernel_parameters.where(parameter: "net.ipv4.conf.all.forwarding") do
+        its('values') { should eq [0] }
+      end
+
+      describe kernel_parameters do
+        its('parameters') { should include 'net.ipv4.conf.all.forwarding' }
+        its('values') { should include 0 }
+      end
+    EXAMPLE
+
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    filter.register_column(:parameters, field: "parameter")
+      .register_column(:values, field: "value")
+    filter.install_filter_methods_on_resource(self, :params)
+
+    def initialize
+      # this resource is only supported on Linux
+      return skip_resource "The `kernel_parameters` resource is not supported on your OS." unless inspec.os.linux?
+    end
+
+    def to_s
+      "Kernel Parameters"
+    end
+
+    private
+
+    def params
+      cmd = inspec.command("/sbin/sysctl -a")
+      cmd.exit_status != 0 ? [] : parse_kernel_paramater(cmd.stdout)
+    end
+
+    def parse_kernel_paramater(stdout)
+      result = []
+      stdout.split("\n").each do |out|
+        splitted_output = out.split("=").map(&:strip)
+        result.push(
+          {
+            "parameter" => splitted_output[0],
+            "value" => splitted_output[1].to_i,
+          }
+        )
+      end
+      result
+    end
+
+  end
+end

data/lib/inspec/resources/mssql_session.rb

@@ -76,7 +76,7 @@ module Inspec::Resources
       if cmd.exit_status != 0 || out =~ /Sqlcmd: Error/
         raise Inspec::Exceptions::ResourceFailed, "Could not execute the sql query #{out}"
       else
-        DatabaseHelper::SQLQueryResult.new(cmd, parse_csv_result(cmd))
+        DatabaseHelper::SQLQueryResult.new(cmd, parse_csv_result(cmd.stdout))
       end
     end
 
@@ -94,9 +94,17 @@ module Inspec::Resources
       !query("select getdate()").empty?
     end
 
-    def parse_csv_result(cmd)
+    def parse_csv_result(stdout)
       require "csv" unless defined?(CSV)
-      table = CSV.parse(cmd.stdout, headers: true)
+
+      # replaces \n with \r since multiline data in older versions of database returns faulty
+      # formatted multiline data, example name\r\n----\r\nThis is\na multiline field\r\n
+      out = stdout.gsub("\n", "\r")
+      out = out.gsub("\r\r", "\r")
+
+      # row separator used since row delimiters \n (in linux) or \r\n (in windows)
+      # are converted to \r for consistency and handling faulty formatted multiline data
+      table = CSV.parse(out, headers: true, row_sep: "\r")
 
       # remove first row, since it will be a seperator line
       table.delete(0)

data/lib/inspec/resources/oracledb_session.rb

@@ -118,7 +118,9 @@ module Inspec::Resources
       output = output.sub(/\r/, "").strip.gsub(",", "comma_query_sub")
       converter = ->(header) { header.downcase }
       CSV.parse(output, headers: true, header_converters: converter).map do |row|
-        revised_row = row.entries.flatten.map { |entry| entry.gsub("comma_query_sub", ",") }
+        next if row.entries.flatten.empty?
+
+        revised_row = row.entries.flatten.map { |entry| entry&.gsub("comma_query_sub", ",") }
         Hashie::Mash.new([revised_row].to_h)
       end
     end

data/lib/inspec/resources/package.rb

@@ -26,6 +26,7 @@ module Inspec::Resources
       @cache = nil
       # select package manager
       @pkgman = nil
+      @latest_version = nil
 
       os = inspec.os
       if os.debian?
@@ -60,6 +61,15 @@ module Inspec::Resources
       info[:installed] == true
     end
 
+    def latest?(_provider = nil, _version = nil)
+      os = inspec.os
+      if os.solaris? || (%w{hpux aix}.include? os[:family])
+        raise Inspec::Exceptions::ResourceSkipped, "The `be_latest` matcher is not supported on your OS yet."
+      end
+
+      (!info[:only_version_no].nil? && !latest_version.nil?) && (info[:only_version_no] == latest_version)
+    end
+
     # returns true it the package is held (if the OS supports it)
     def held?(_provider = nil, _version = nil)
       info[:held] == true
@@ -82,6 +92,10 @@ module Inspec::Resources
       info[:version]
     end
 
+    def latest_version
+      @latest_version ||= ( @pkgman.latest_version(@package_name) || info[:latest_version] )
+    end
+
     def to_s
       "System Package #{@package_name}"
     end
@@ -107,6 +121,21 @@ module Inspec::Resources
       # combined into a `ResourceSkipped` exception message.
       []
     end
+
+    private
+
+    def fetch_latest_version(cmd_string)
+      cmd = inspec.command(cmd_string)
+      if cmd.exit_status != 0
+        raise Inspec::Exceptions::ResourceFailed, "Failed to fetch latest version. Error: #{cmd.stderr}"
+      else
+        fetch_version_no(cmd.stdout)
+      end
+    end
+
+    def fetch_version_no(output)
+      output.scan(/(?:(?:\d+)[.]){2,}(?:\d+)/).max_by { |s| Gem::Version.new(s) } unless output.nil?
+    end
   end
 
   # Debian / Ubuntu
@@ -124,14 +153,21 @@ module Inspec::Resources
       # If the package is installed and marked hold, Status is "hold ok installed"
       # If the package is removed and not purged, Status is "deinstall ok config-files" with exit_status 0
       # If the package is purged cmd fails with non-zero exit status
+
       {
         name: params["Package"],
         installed: params["Status"].split(" ")[2] == "installed",
         held: params["Status"].split(" ")[0] == "hold",
         version: params["Version"],
         type: "deb",
+        only_version_no: fetch_version_no(params["Version"]),
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "apt list #{package_name} -a"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   # RHEL family
@@ -181,9 +217,15 @@ module Inspec::Resources
         installed: true,
         version: "#{v}-#{r}",
         type: "rpm",
+        only_version_no: "#{v}",
       }
     end
 
+    def latest_version(package_name)
+      cmd_string = "yum list #{package_name}"
+      fetch_latest_version(cmd_string)
+    end
+
     private
 
     def rpm_command(package_name)
@@ -216,11 +258,17 @@ module Inspec::Resources
         installed: true,
         version: pkg["installed"][0]["version"],
         type: "brew",
+        latest_version: pkg["versions"]["stable"],
+        only_version_no: pkg["installed"][0]["version"],
       }
     rescue JSON::ParserError => e
       raise Inspec::Exceptions::ResourceFailed,
             "Failed to parse JSON from `brew` command. Error: #{e}"
     end
+
+    def latest_version(package_name)
+      nil
+    end
   end
 
   # Arch Linux
@@ -240,8 +288,14 @@ module Inspec::Resources
         installed: true,
         version: params["Version"],
         type: "pacman",
+        only_version_no: fetch_version_no(params["Version"]),
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "pacman -Ss #{package_name} | grep #{package_name} | grep installed"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   class HpuxPkg < PkgManagement
@@ -267,13 +321,20 @@ module Inspec::Resources
       pkg_info = cmd.stdout.split("\n").delete_if { |e| e =~ /^WARNING/i }
       pkg = pkg_info[0].split(" - ")[0]
 
+      version = pkg.partition("-")[2]
       {
         name: pkg.partition("-")[0],
         installed: true,
-        version: pkg.partition("-")[2],
+        version: version,
         type: "pkg",
+        only_version_no: fetch_version_no(version),
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "apk info #{package_name}"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   class FreebsdPkg < PkgManagement
@@ -292,8 +353,14 @@ module Inspec::Resources
         installed: true,
         version: params["Version"],
         type: "pkg",
+        only_version_no: params["Version"],
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "pkg version -v | grep #{package_name}"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   # Determines the installed packages on Windows using the Windows package registry entries.
@@ -339,8 +406,14 @@ module Inspec::Resources
         installed: true,
         version: package["DisplayVersion"],
         type: "windows",
+        only_version_no: package["DisplayVersion"],
       }
     end
+
+    def latest_version(package_name)
+      cmd_string = "Get-Package #{package_name} -AllVersions"
+      fetch_latest_version(cmd_string)
+    end
   end
 
   # AIX

data/lib/inspec/resources/packages.rb

@@ -26,6 +26,8 @@ module Inspec::Resources
         @pkgs = Debs.new(inspec)
       elsif os.redhat? || %w{suse amazon fedora}.include?(os[:family])
         @pkgs = Rpms.new(inspec)
+      elsif ["alpine"].include?(os[:name])
+        @pkgs = AlpinePkgs.new(inspec)
       else
         return skip_resource "The packages resource is not yet supported on OS #{inspec.os.name}"
       end
@@ -108,4 +110,23 @@ module Inspec::Resources
       end
     end
   end
+
+  # RedHat family
+  class AlpinePkgs < PkgsManagement
+    def build_package_list
+      command = "apk list --no-network --installed"
+      cmd = inspec.command(command)
+      all = cmd.stdout.split("\n")
+      return [] if all.nil? || cmd.exit_status.to_i != 0
+
+      all.map do |m|
+        next if m =~ /^WARNING/i
+
+        a = m.split(" ")
+        version = a[0].split("-")[-2]
+        name = a[2].gsub(/[{}^]*/, "")
+        PackageStruct.new("installed", name, version, a[1])
+      end
+    end
+  end
 end

data/lib/inspec/resources/registry_key.rb

@@ -105,6 +105,21 @@ module Inspec::Resources
       children_keys(@options[:path], filter)
     end
 
+    # returns hash containing users / groups and their permission
+    def user_permissions
+      return {} unless exists?
+
+      get_permissions(@options[:path])
+    end
+
+    # returns true if inheritance is enabled for registry key.
+    def inherited?
+      return false unless exists?
+
+      cmd = inspec.command("(Get-Acl -Path 'Registry::#{@options[:path]}').access| Where-Object {$_.IsInherited -eq $true} | measure | % { $_.Count }")
+      cmd.stdout.chomp == "0" ? false : true
+    end
+
     # returns nil, if not existent or value
     def method_missing(*keys)
       # allow the use of array syntax in an `its` block so that users
@@ -283,6 +298,21 @@ module Inspec::Resources
 
       key.start_with?("\\") ? key : "\\#{key}"
     end
+
+    def get_permissions(path)
+      script = <<~EOH
+      $path = '#{path}'
+      $Acl = Get-Acl -Path ('Registry::' + $path)
+      $Result = foreach ($Access in $acl.Access) {
+        [PSCustomObject]@{
+          $Access.IdentityReference = $Access.RegistryRights.ToString()
+        }
+      }
+      $Result | ConvertTo-Json
+      EOH
+      result = inspec.powershell(script)
+      JSON.load(result.stdout).inject(&:merge) unless result.stdout.empty?
+    end
   end
 
   class WindowsRegistryKey < RegistryKey

data/lib/inspec/resources/selinux.rb

@@ -84,8 +84,13 @@ module Inspec::Resources
 
     def initialize(selinux_path = "/etc/selinux/config")
       @path = selinux_path
-      cmd = inspec.command("sestatus")
+      if inspec.os.redhat? && inspec.os.name == "amazon"
+        lcmd = "/usr/sbin/sestatus"
+      else
+        lcmd = "sestatus"
+      end
 
+      cmd = inspec.command(lcmd)
       if cmd.exit_status != 0
         # `sestatus` command not found error message comes in stdout so handling both here
         out = cmd.stdout + "\n" + cmd.stderr