inspec-core 4.56.17 → 5.10.5

data/lib/inspec/profile.rb

@@ -13,6 +13,8 @@ require "inspec/dependencies/cache"
 require "inspec/dependencies/lockfile"
 require "inspec/dependencies/dependency_set"
 require "inspec/utils/json_profile_summary"
+require "inspec/dependency_loader"
+require "inspec/dependency_installer"
 
 module Inspec
   class Profile
@@ -378,6 +380,66 @@ module Inspec
       @runner_context
     end
 
+    def collect_gem_dependencies(profile_context)
+      gem_dependencies = []
+      all_profiles = []
+      profile_context.dependencies.list.values.each do |requirement|
+        all_profiles << requirement.profile
+      end
+      all_profiles << self
+      all_profiles.each do |profile|
+        gem_dependencies << profile.metadata.gem_dependencies unless profile.metadata.gem_dependencies.empty?
+      end
+      gem_dependencies.flatten.uniq
+    end
+
+    # Loads the required gems specified in the Profile's metadata file from default inspec gems path i.e. ~/.inspec/gems
+    # else installs and loads them.
+    def load_gem_dependencies
+      gem_dependencies = collect_gem_dependencies(load_libraries)
+      gem_dependencies.each do |gem_data|
+        dependency_loader = DependencyLoader.new
+        if dependency_loader.gem_version_installed?(gem_data[:name], gem_data[:version]) ||
+            dependency_loader.gem_installed?(gem_data[:name])
+          load_gem_dependency(gem_data)
+        else
+          if Inspec::Config.cached[:auto_install_gems]
+            install_gem_dependency(gem_data)
+            load_gem_dependency(gem_data)
+          else
+            ui = Inspec::UI.new
+            gem_dependencies.each { |gem_dependency| ui.list_item("#{gem_dependency[:name]} #{gem_dependency[:version]}") }
+            choice = ui.prompt.select("Would you like to install profile gem dependencies listed above?", %w{Yes No})
+            if choice == "Yes"
+              Inspec::Config.cached[:auto_install_gems] = true
+              load_gem_dependencies
+            else
+              ui.error "Unable to resolve above listed profile gem dependencies."
+              Inspec::UI.new.exit(:gem_dependency_load_error)
+            end
+          end
+        end
+      end
+    end
+
+    # Requires gem_data as argument.
+    # gem_dta example: { name: "gem_name", version: "0.0.1"}
+    def load_gem_dependency(gem_data)
+      dependency_loader = DependencyLoader.new(nil, [gem_data])
+      dependency_loader.load
+    rescue Inspec::GemDependencyLoadError => e
+      raise e.message
+    end
+
+    # Requires gem_data as argument.
+    # gem_dta example: { name: "gem_name", version: "0.0.1"}
+    def install_gem_dependency(gem_data)
+      gem_dependency = DependencyInstaller.new(nil, [gem_data])
+      gem_dependency.install
+    rescue Inspec::GemDependencyInstallError => e
+      raise e.message
+    end
+
     def to_s
       "Inspec::Profile<#{name}>"
     end
@@ -774,6 +836,7 @@ module Inspec
     end
 
     def load_checks_params(params)
+      load_gem_dependencies
       load_libraries
       tests = collect_tests
       params[:controls] = controls = {}

data/lib/inspec/reporters/automate.rb

@@ -21,7 +21,7 @@ module Inspec::Reporters
       final_report[:type] = "inspec_report"
 
       final_report[:end_time] = Time.now.utc.strftime("%FT%TZ")
-      final_report[:node_uuid] = report[:platform][:target_id] || @config["node_uuid"] || @config["target_id"]
+      final_report[:node_uuid] = @config["node_uuid"] || report[:platform][:target_id]
       raise Inspec::ReporterError, "Cannot find a UUID for your node. Please specify one via json-config." if final_report[:node_uuid].nil?
 
       final_report[:report_uuid] = @config["report_uuid"] || uuid_from_string(final_report[:end_time] + final_report[:node_uuid])

data/lib/inspec/reporters/cli.rb

@@ -76,7 +76,7 @@ module Inspec::Reporters
       }
       header["Failure Message"] = profile[:status_message] if profile[:status] == "failed"
       header["Target"] = run_data[:platform][:target] unless run_data[:platform][:target].nil?
-      header["Target ID"] = @config["target_id"] unless @config["target_id"].nil?
+      header["Target ID"] = run_data[:platform][:target_id] || ""
 
       pad = header.keys.max_by(&:length).length + 1
       header.each do |title, value|

data/lib/inspec/reporters/json.rb

@@ -29,28 +29,48 @@ module Inspec::Reporters
       {
         name:      run_data[:platform][:name],
         release:   run_data[:platform][:release],
-        target_id: run_data[:platform][:target_id] || @config["target_id"],
+        target_id: run_data[:platform][:target_id] || "",
       }.reject { |_k, v| v.nil? }
     end
 
     def profile_results(control)
       (control[:results] || []).map { |r|
         {
-          status:       r[:status],
-          code_desc:    r[:code_desc],
-          run_time:     r[:run_time],
-          start_time:   r[:start_time],
-          resource:     r[:resource],
-          skip_message: r[:skip_message],
-          message:      r[:message],
-          exception:    r[:exception],
-          backtrace:    r[:backtrace],
-          resource_class: r[:resource_class],
+          status:          r[:status],
+          code_desc:       r[:code_desc],
+          run_time:        r[:run_time],
+          start_time:      r[:start_time],
+          resource:        r[:resource],
+          skip_message:    r[:skip_message],
+          message:         r[:message],
+          exception:       r[:exception],
+          backtrace:       r[:backtrace],
+          resource_class:  r[:resource_class],
           resource_params: r[:resource_params].to_s,
+          resource_id:     extract_resource_id(r),
         }.reject { |_k, v| v.nil? }
       }
     end
 
+    def extract_resource_id(r)
+      # According to the RunData API, this is supposed to be an anonymous
+      # class that represents a resource, with embedded instance methods....
+      resource_obj = r[:resource_title]
+      return resource_obj.resource_id if resource_obj.respond_to?(:resource_id)
+
+      # But sometimes, it isn't, and has been collapsed into the to_s stringification of the resource.
+      if resource_obj.is_a?(String)
+        orig_str = resource_obj
+        # Try to trim off the resource class - eg "File /some/path" => "/some/path"
+        trimmed_str = orig_str.sub(/^#{r[:resource_class]}/i, "").strip
+        trimmed_str.empty? ? orig_str : trimmed_str
+      else
+        # Boo, InSpec is crazy, and we don't know what it possibly could be.
+        # Failsafe for resource_id is empty string.
+        ""
+      end
+    end
+
     def profiles
       run_data[:profiles].map do |p|
         res = {

data/lib/inspec/resource.rb

@@ -34,6 +34,12 @@ module Inspec
       Inspec::Resource.support_registry[key].push(criteria)
     end
 
+    def resource_id(value = nil)
+      @resource_id = value if value
+      @resource_id = ""    if @resource_id.nil?
+      @resource_id
+    end
+
     # TODO: this is pretty terrible and is only here to work around
     # the idea that we've trained resource authors to make initialize
     # methods w/o calling super.

data/lib/inspec/resources/apt.rb

@@ -135,19 +135,25 @@ module Inspec::Resources
 
   class PpaRepository < AptRepository
     name "ppa"
+    desc "Use the ppa InSpec audit resource to verify PPA repositories on the Debian-based linux platforms."
+    example <<~EXAMPLE
+      describe ppa('ubuntu-wine/ppa') do
+        it { should exist }
+        it { should be_enabled }
+      end
+
+      describe ppa('ppa:ubuntu-wine/ppa') do
+        it { should exist }
+        it { should be_enabled }
+      end
+    EXAMPLE
 
     def exists?
-      deprecated
       super()
     end
 
     def enabled?
-      deprecated
       super()
     end
-
-    def deprecated
-      Inspec.deprecate(:resource_ppa, "The `ppa` resource is deprecated. Please use `apt`")
-    end
   end
 end

data/lib/inspec/resources/cgroup.rb

@@ -0,0 +1,101 @@
+require "inspec/resources/command"
+module Inspec::Resources
+  class Cgroup < Inspec.resource(1)
+    name "cgroup"
+    # Restrict to only run on the below platform
+    supports platform: "linux"
+    desc "Use the cgroup InSpec audit resource to test cgroup subsytem's parameters."
+
+    example <<~EXAMPLE
+      describe cgroup("foo") do
+        its("cpuset.cpus") { should eq 0 }
+        its("memory.limit_in_bytes") { should eq 499712 }
+        its("memory.limit_in_bytes") { should be <= 500000 }
+        its("memory.numa_stat") { should match /total=0/ }
+      end
+    EXAMPLE
+
+    # Resource initialization.
+    def initialize(cgroup_name)
+      raise Inspec::Exceptions::ResourceSkipped, "The `cgroup` resource is not supported on your OS yet." unless inspec.os.linux?
+
+      @cgroup_name = cgroup_name
+      @valid_queries, @valid_queries_split = [], []
+      find_valid_queries
+      # Used to track the method calls in an "its" query
+      @cgroup_info_query = []
+    end
+
+    def resource_id
+      @cgroup_name
+    end
+
+    def to_s
+      "cgroup #{resource_id}"
+    end
+
+    def method_missing(param)
+      # Add the latest param we've seen to the list and form the query with all the params we've seen so far.
+      @cgroup_info_query << param.to_s
+      query = @cgroup_info_query.join(".")
+
+      # The ith level param must match with atleast one row's ith column of @valid_queries_split
+      # Else there is no way, we would find any valid query in further iteration, so raise exception.
+      if @valid_queries_split.map { |e| e[@cgroup_info_query.length - 1] }.include?(param.to_s)
+        # If the query form so far is part of @valid_queries, we are good to trigger find_cgroup_info
+        # else go for next level of param
+        if @valid_queries.include?(query)
+          @cgroup_info_query = []
+          find_cgroup_info(query)
+        else
+          self
+        end
+      else
+        @cgroup_info_query = []
+
+        raise Inspec::Exceptions::ResourceFailed, "The query #{query} does not appear to be valid."
+      end
+    end
+
+    private
+
+    # Method to find cgget tool
+    def find_cgget_or_error
+      %w{/usr/sbin/cgget /sbin/cgget cgget}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `cgget`"
+    end
+
+    # find the cgroup info of the query which is given as input by the user
+    def find_cgroup_info(query)
+      bin = find_cgget_or_error
+      cgget_cmd = "#{bin} -n -r #{query} #{@cgroup_name}"
+      cmd = inspec.command(cgget_cmd)
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing cgget failed: #{cmd.stderr}" if cmd.exit_status.to_i != 0
+
+      # For complex returns the user must use match /the_regex/
+      param_value = cmd.stdout.split(":")
+      return nil if param_value.nil? || param_value.empty?
+
+      param_value = param_value[1].strip.split("\t").join
+      param_value.match(/^\d+$/) ? param_value.to_i : param_value
+    end
+
+    # find all the information about all relevant controllers for the current cgroup
+    def find_valid_queries
+      bin = find_cgget_or_error
+      cgget_all_cmd = "#{bin} -n -a #{@cgroup_name}"
+      cmd = inspec.command(cgget_all_cmd)
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing cgget failed: #{cmd.stderr}" if cmd.exit_status.to_i != 0
+
+      queries = cmd.stdout.to_s.gsub(/:.*/, "").gsub(/^\s+.*/, "").split("\n")
+      # store the relevant controller parameters in @valid_queries and the dot splitted paramters into @valid_queries_split
+      @valid_queries = queries.map { |q| q if q.length > 0 }.compact
+      @valid_queries_split = @valid_queries.map { |q| q.split(".") }.compact
+    end
+  end
+end

data/lib/inspec/resources/cron.rb

@@ -0,0 +1,49 @@
+require "inspec/resources/crontab"
+
+module Inspec::Resources
+  class Cron < Crontab
+    name "cron"
+    supports platform: "unix"
+    desc "Use the cron InSpec audit resource to test entires in the crontab file for a given user. This also can be used as alias to crontab resource."
+    example <<~EXAMPLE
+      describe cron do
+         it { should have_entry '* * * * * /usr/local/bin/foo' }
+      end
+
+      describe cron(user: "username") do
+        its(:table) { should match /you can use regexp/ }
+      end
+    EXAMPLE
+
+    def initialize(opts = nil)
+      super
+      @params = read_cron_contents
+    end
+
+    def read_cron_contents
+      result = inspec.command(crontab_cmd)
+      if result.exit_status == 0
+        result.stdout.lines.map { |l| parse_comment_line(l, comment_char: "#", standalone_comments: false)[0].strip }
+      else
+        error = result.stdout + "\n" + result.stderr
+        raise Inspec::Exceptions::ResourceFailed, "Error while executing #{crontab_cmd} command: #{error}"
+      end
+    end
+
+    def table
+      @params.reject(&:empty?).join("\n")
+    end
+
+    def has_entry?(rule)
+      @params.include?(rule)
+    end
+
+    def to_s
+      if is_user_crontab?
+        "cron for user #{@user}"
+      else
+        "cron for current user"
+      end
+    end
+  end
+end

data/lib/inspec/resources/ipfilter.rb

@@ -0,0 +1,59 @@
+require "inspec/resources/command"
+module Inspec::Resources
+  class IpFilter < Inspec.resource(1)
+    name "ipfilter"
+    supports platform: "bsd"
+    supports platform: "solaris"
+    desc "Use the ipfilter InSpec audit resource to test rules that are defined for ipfilter, which maintains the IP rule set"
+    example <<~EXAMPLE
+      describe ipfilter do
+        it { should have_rule("pass in quick on lo0 all") }
+      end
+    EXAMPLE
+
+    def initialize
+      # checks if the instance is either bsd or solaris
+      return if (inspec.os.bsd? && !inspec.os.darwin?) || inspec.os.solaris?
+
+      # ensures, all calls are aborted for non-supported os
+      @ipfilter_cache = []
+      skip_resource "The `ipfilter` resource is not supported on your OS yet."
+    end
+
+    def has_rule?(rule = nil)
+      # checks if the rule is part of the ruleset
+      retrieve_rules.any? { |line| line.casecmp(rule) == 0 }
+    end
+
+    def retrieve_rules
+      # this would be true if the OS family was not bsd/solaris when checked in initliaze
+      return @ipfilter_cache if defined?(@ipfilter_cache)
+
+      # construct ipfstat command to read all rules
+      bin = find_ipfstat_or_error
+      ipfstat_cmd = "#{bin} -io"
+      cmd = inspec.command(ipfstat_cmd)
+
+      # Return empty array when command is not executed successfully
+      # or there is no output since no rules are active
+      return [] if cmd.exit_status.to_i != 0 || cmd.stdout == ""
+
+      # split rules, returns array or rules
+      @ipfilter_cache = cmd.stdout.split("\n").map(&:strip)
+    end
+
+    def to_s
+      "Ipfilter"
+    end
+
+    private
+
+    def find_ipfstat_or_error
+      %w{/usr/sbin/ipfstat /sbin/ipfstat ipfstat}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `ipfstat`"
+    end
+  end
+end

data/lib/inspec/resources/ipnat.rb

@@ -0,0 +1,58 @@
+require "inspec/resources/command"
+module Inspec::Resources
+  class IpNat < Inspec.resource(1)
+    name "ipnat"
+    supports platform: "bsd"
+    supports platform: "solaris"
+    desc "Use the ipnat InSpec audit resource to test rules that are defined for IP NAT"
+    example <<~EXAMPLE
+      describe ipnat do
+        it { should have_rule("map net1 192.168.0.0/24 -> 0/32") }
+      end
+    EXAMPLE
+
+    def initialize
+      # checks if the instance is either bsd or solaris
+      return if (inspec.os.bsd? && !inspec.os.darwin?) || inspec.os.solaris?
+
+      # ensures, all calls are aborted for non-supported os
+      @ipnat_cache = []
+      skip_resource "The `ipnat` resource is not supported on your OS yet."
+    end
+
+    def has_rule?(rule = nil)
+      # checks if the rule is part of the ruleset
+      retrieve_rules.any? { |line| line.casecmp(rule) == 0 }
+    end
+
+    def retrieve_rules
+      # this would be true if the OS family was not bsd/solaris when checked in initliaze
+      return @ipnat_cache if defined?(@ipnat_cache)
+
+      # construct ipnat command to show the list of current IP NAT table entry mappings
+      bin = find_ipnat_or_error
+      ipnat_cmd = "#{bin} -l"
+      cmd = inspec.command(ipnat_cmd)
+
+      # Return empty array when command is not executed successfully
+      return [] if cmd.exit_status.to_i != 0
+
+      # split rules, returns array or rules
+      @ipnat_cache = cmd.stdout.split("\n").map(&:strip)
+    end
+
+    def to_s
+      "Ipnat"
+    end
+
+    private
+
+    def find_ipnat_or_error
+      %w{/usr/sbin/ipnat /sbin/ipnat ipnat}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `ipnat`"
+    end
+  end
+end

data/lib/inspec/resources/lxc.rb

@@ -0,0 +1,57 @@
+require "inspec/resources/command"
+module Inspec::Resources
+  class Lxc < Inspec.resource(1)
+    name "lxc"
+    # Restrict to only run on the below platforms
+    supports platform: "linux"
+    desc "Use the lxc InSpec audit resource to test if container exists and/or is running for linux container"
+    example <<~EXAMPLE
+      describe lxc("ubuntu-container") do
+        it { should exist }
+        it { should be_running }
+      end
+    EXAMPLE
+
+    # Resource initialization.
+    def initialize(container_name)
+      @container_name = container_name
+
+      raise Inspec::Exceptions::ResourceSkipped, "The `lxc` resource is not supported on your OS yet." unless inspec.os.linux?
+    end
+
+    def resource_id
+      @container_name
+    end
+
+    def to_s
+      "lxc #{resource_id}"
+    end
+
+    def exists?
+      lxc_info_cmd.exit_status.to_i == 0
+    end
+
+    def running?
+      container_info = lxc_info_cmd.stdout.split(":").map(&:strip)
+      container_info[0] == "Status" && container_info[1] == "Running"
+    end
+
+    private
+
+    # Method to find lxc
+    def find_lxc_or_error
+      %w{/usr/sbin/lxc /sbin/lxc lxc}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `lxc`"
+    end
+
+    def lxc_info_cmd
+      bin = find_lxc_or_error
+      info_cmd = "info #{@container_name} | grep -i Status"
+      lxc_cmd = format("%s %s", bin, info_cmd).strip
+      inspec.command(lxc_cmd)
+    end
+  end
+end

data/lib/inspec/resources/oracledb_session.rb

@@ -61,9 +61,13 @@ module Inspec::Resources
         raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}"
       else
         begin
-          DatabaseHelper::SQLQueryResult.new(inspec_cmd, parse_csv_result(inspec_cmd.stdout))
-        rescue
-          raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}"
+          unless inspec_cmd.stdout.empty?
+            DatabaseHelper::SQLQueryResult.new(inspec_cmd, parse_csv_result(inspec_cmd.stdout))
+          else
+            inspec_cmd.stdout
+          end
+        rescue Exception => ex
+          raise Inspec::Exceptions::ResourceFailed, "Oracle query with exception: #{ex}"
         end
       end
     end

data/lib/inspec/resources/postgres_session.rb

@@ -55,8 +55,10 @@ module Inspec::Resources
       psql_cmd = create_psql_cmd(query, db)
       cmd = inspec.command(psql_cmd, redact_regex: %r{(:\/\/[a-z]*:).*(@)})
       out = cmd.stdout + "\n" + cmd.stderr
-      if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/
-        raise Inspec::Exceptions::ResourceFailed, "PostgreSQL query with errors: #{out}"
+      if cmd.exit_status != 0 && ( out =~ /could not connect to/ || out =~ /password authentication failed/ ) && out.downcase =~ /error:/
+        raise Inspec::Exceptions::ResourceFailed, "PostgreSQL connection error: #{out}"
+      elsif cmd.exit_status != 0 && out.downcase =~ /error:/
+        Lines.new(out, "PostgreSQL query with error: #{query}")
       else
         Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")
       end

data/lib/inspec/resources/virtualization.rb

@@ -190,7 +190,7 @@ module Inspec::Resources
       true
     end
 
-    # Detect LXC/Docker
+    # Detect LXC/Docker/k8s/podman
     #
     # /proc/self/cgroup will look like this inside a docker container:
     # <index #>:<subsystem>:/lxc/<hexadecimal container id>
@@ -208,7 +208,7 @@ module Inspec::Resources
     #
     # Full notes, https://tickets.opscode.com/browse/OHAI-551
     # Kernel docs, https://www.kernel.org/doc/Documentation/cgroups
-    def detect_lxc_docker
+    def detect_container
       return false unless inspec.file("/proc/self/cgroup").exist?
 
       cgroup_content = inspec.file("/proc/self/cgroup").content
@@ -216,6 +216,12 @@ module Inspec::Resources
           cgroup_content =~ %r{^\d+:[^:]+:/[^/]+/(lxc|docker)-.+$} # rubocop:disable Layout/MultilineOperationIndentation
         @virtualization_data[:system] = $1 # rubocop:disable Style/PerlBackrefs
         @virtualization_data[:role] = "guest"
+      elsif cgroup_content =~ %r{^\d+:[^:]+:/(kubepods)/.+$}
+        @virtualization_data[:system] = $1
+        @virtualization_data[:role] = "guest"
+      elsif /container=podman/.match?(file_read("/proc/1/environ"))
+        @virtualization_data[:system] = "podman"
+        @virtualization_data[:role] = "guest"
       elsif lxc_version_exists? && cgroup_content =~ %r{\d:[^:]+:/$}
         # lxc-version shouldn't be installed by default
         # Even so, it is likely we are on an LXC capable host that is not being used as such
@@ -297,7 +303,7 @@ module Inspec::Resources
       return if detect_docker
       return if detect_virtualbox
       return if detect_lxd
-      return if detect_lxc_docker
+      return if detect_container
       return if detect_linux_vserver
       return if detect_kvm_from_cpuinfo
       return if detect_kvm_from_sys

data/lib/inspec/resources.rb

@@ -8,21 +8,6 @@
 # glob so this remains a sort of manifest for our resources.
 
 require "inspec/resource"
-
-# Detect if we are running the stripped-down inspec-core
-# This relies on AWS being stripped from the inspec-core gem
-inspec_core_only = ENV["NO_AWS"] || !File.exist?(File.join(File.dirname(__FILE__), "..", "resource_support", "aws.rb"))
-
-# Do not attempt to load cloud resources if we are in inspec-core mode
-unless inspec_core_only
-  require "resource_support/aws"
-  require "resources/azure/azure_backend"
-  require "resources/azure/azure_generic_resource"
-  require "resources/azure/azure_resource_group"
-  require "resources/azure/azure_virtual_machine"
-  require "resources/azure/azure_virtual_machine_data_disk"
-end
-
 require "inspec/resources/aide_conf"
 require "inspec/resources/apache"
 require "inspec/resources/apache_conf"
@@ -41,6 +26,7 @@ require "inspec/resources/cassandradb_session"
 require "inspec/resources/cassandradb_conf"
 require "inspec/resources/cassandra"
 require "inspec/resources/crontab"
+require "inspec/resources/cron"
 require "inspec/resources/timezone"
 require "inspec/resources/dh_params"
 require "inspec/resources/directory"
@@ -138,7 +124,8 @@ require "inspec/resources/xinetd_conf"
 require "inspec/resources/yum"
 require "inspec/resources/zfs_dataset"
 require "inspec/resources/zfs_pool"
-
+require "inspec/resources/ipnat"
+require "inspec/resources/ipfilter"
 # file formats, depend on json implementation
 require "inspec/resources/json"
 require "inspec/resources/yaml"