inspec-core 5.10.5 → 5.17.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d96c590b3ff91ce5db5eaf8ee6ef68721fd17d103f250c8c3106941784f8f336
-  data.tar.gz: 50b56c3506f186b51fcf07df23a59050461132e0c03245bed088961ef0e854fb
+  metadata.gz: b31dbb074483f274162eeea0fde1b234cd19e1c65257e19f7d0bc2f46c375b70
+  data.tar.gz: 31756fedad66edc248e5ae7b1ca5ab08408f6d7d6e6ce6dfb9053d1323c1acac
 SHA512:
-  metadata.gz: 0eeb703b52391323d79b9ff99ce9bdc4b4aac5903fd6e10087b7ae92372b733b7a5779672fb67a3dc7aa6cfb2e3c859ca35ab81a6e49c0331ae623487e6ea241
-  data.tar.gz: 7f076f8c2bef5080a73b6fb8886657137a558bf9c624dd11906c91ef9f555e8c6713af8f62282f9a2fa20e650624fbcd3172fe0e9557f59dd8eb539684192ff1
+  metadata.gz: e765163668a3799ae45fbe2a5ddd219832341c32b01b62422506324a62c44b99ad771f47c662be5abb1198fdd65969e2a038f54c5059841561edda42170f7631
+  data.tar.gz: bbbadea0724f15d1a67c895eab750eea1a660bfc2e65143af703f8b5a88eb9e0c9fde1f9c08356fd9e4b32d202d620902fbad8784618cc01eec866c20f5247c7

data/etc/keys/progress-2022-05-04.pem.pub

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8FWKhVwT5ilFdk5/schY
+J3X6DkDbZPul7MAKYuicmyvrk4VZFqFJYzUo9G+ZvtWCjCMZF3JLDbg0VJ+V3j2b
+A5MRUDMH1MtbQZS8u0AIUAitHsSiMgu4w/EHUSHODoDmbdaHT1xkFe9IxMSM1/AV
+/s5u2uAMuiayo+dGW5i9xf/LMZN1JCeX8Yqw85CpS01gMC2XxoUu5wGLwBwXkdql
++H3SaWRdDTtccgtu0Rxt9dzRtHAPNWKSLl9TScW6Qt/+7bgb3M6+7od/FuPziAS9
+1NGUiKL9vajpafxUJF8863q0l64dAXGWXVFed7/7GFiNVuLxBksPzK8VrkyCS214
+kQIDAQAB
+-----END PUBLIC KEY-----

data/lib/inspec/cli.rb

@@ -95,6 +95,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   desc "check PATH", "verify all tests at the specified PATH"
   option :format, type: :string,
     desc: "The output format to use doc (default), json. If valid format is not provided then it will use the default."
+  option :with_cookstyle, type: :boolean,
+    desc: "Enable or disable cookstyle checks.", default: false
   profile_options
   def check(path) # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
     o = config

data/lib/inspec/dependency_loader.rb

@@ -50,7 +50,11 @@ module Inspec
     end
 
     def gem_version_installed?(name, version)
-      list_installed_gems.any? { |s| s.name == name && Gem::Requirement.new(version.split(",")) =~ s.version }
+      if version.nil?
+        list_installed_gems.any? { |s| s.name == name }
+      else
+        list_installed_gems.any? { |s| s.name == name && Gem::Requirement.new(version.split(",")) =~ s.version }
+      end
     end
 
     private

data/lib/inspec/profile.rb

@@ -105,6 +105,7 @@ module Inspec
       @check_mode = options[:check_mode] || false
       @parent_profile = options[:parent_profile]
       @legacy_profile_path = options[:profiles_path] || false
+      @check_cookstyle = options[:with_cookstyle]
       Metadata.finalize(@source_reader.metadata, @profile_id, options)
 
       # if a backend has already been created, clone it so each profile has its own unique backend object
@@ -409,7 +410,7 @@ module Inspec
           else
             ui = Inspec::UI.new
             gem_dependencies.each { |gem_dependency| ui.list_item("#{gem_dependency[:name]} #{gem_dependency[:version]}") }
-            choice = ui.prompt.select("Would you like to install profile gem dependencies listed above?", %w{Yes No})
+            choice = ui.prompt.select("The above listed gem dependencies are required to run the profile. Would you like to install them ?", %w{Yes No})
             if choice == "Yes"
               Inspec::Config.cached[:auto_install_gems] = true
               load_gem_dependencies
@@ -655,12 +656,13 @@ module Inspec
       end
 
       # Running cookstyle to check for code offenses
-      cookstyle_linting_check.each do |lint_output|
-        data = lint_output.split(":")
-        msg = "#{data[-2]}:#{data[-1]}"
-        offense.call(data[0], data[1], data[2], nil, msg)
+      if @check_cookstyle
+        cookstyle_linting_check.each do |lint_output|
+          data = lint_output.split(":")
+          msg = "#{data[-2]}:#{data[-1]}"
+          offense.call(data[0], data[1], data[2], nil, msg)
+        end
       end
-
       # profile is valid if we could not find any error & offenses
       result[:summary][:valid] = result[:errors].empty? && result[:offenses].empty?
 
@@ -848,7 +850,12 @@ module Inspec
         f = load_rule_filepath(prefix, rule)
         load_rule(rule, f, controls, groups)
       end
-      params[:inputs] = Inspec::InputRegistry.list_inputs_for_profile(@profile_id)
+      if @profile_id.nil?
+        # identifying inputs using profile name
+        params[:inputs] = Inspec::InputRegistry.list_inputs_for_profile(params[:name])
+      else
+        params[:inputs] = Inspec::InputRegistry.list_inputs_for_profile(@profile_id)
+      end
       params
     end
 

data/lib/inspec/resources/default_gateway.rb

@@ -0,0 +1,61 @@
+require "inspec/resources/command"
+require_relative "routing_table"
+
+module Inspec::Resources
+  class Defaultgateway < Routingtable
+    # resource internal name.
+    name "default_gateway"
+
+    # Restrict to only run on the below platforms (if none were given,
+    # all OS's and cloud API's supported)
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "Use the `default_gateway` Chef InSpec audit resource to test the assigned ip address and interface for the default route."
+
+    example <<~EXAMPLE
+      describe default_gateway do
+        its(:ipaddress) { should eq '172.31.80.1' }
+      end
+      describe default_gateway do
+        its("interface") { should eq 'eth0' }
+      end
+    EXAMPLE
+
+    def initialize
+      skip_resource "The `default_gateway` resource is not yet available on your OS." unless inspec.os.unix? || inspec.os.windows?
+      # invoke the routing_table initialize; which populates the @routing_info
+      super()
+    end
+
+    # resource appearance in test reports.
+    def to_s
+      "default_gateway"
+    end
+
+    # fetches the ipaddress assigned to the default gateway
+    # default gateway's destination is either `default` or `0.0.0.0`
+    def ipaddress
+      # @routing_info is the hash populated in routing_table resource
+      # @routing_info contain values as:
+      # {
+      #   destination1: [ [gateway1x, interface1x], [gateway1y, interface1y] ],
+      #   destination2: [gateway2, interface2]
+      # }
+      %w{default 0.0.0.0}.each do |destination|
+        return @routing_info[destination][0][0] if @routing_info.key?(destination)
+      end
+      # raise exception because no destination with value default or 0.0.0.0 is found in the routing table
+      raise Inspec::Exceptions::ResourceFailed, "No routing found as part of default gateway"
+    end
+
+    # fetches the interface assigned to the default gateway
+    def interface
+      %w{default 0.0.0.0}.each do |destination|
+        return @routing_info[destination][0][1] if @routing_info.key?(destination)
+      end
+      # raise exception because no destination with value default or 0.0.0.0 is found in the routing table
+      raise Inspec::Exceptions::ResourceFailed, "No routing found as part of default gateway"
+    end
+  end
+end

data/lib/inspec/resources/docker_container.rb

@@ -43,6 +43,19 @@ module Inspec::Resources
       status.downcase.start_with?("up") if object_info.entries.length == 1
     end
 
+    # has_volume? matcher checks if the volume specified in source path of host is mounted in destination path of docker
+    def has_volume?(destination, source)
+      # volume_info is the hash which contains the low-level information about the container
+      # if Mounts key is not present or is nil; raise exception
+      raise Inspec::Exceptions::ResourceFailed, "Could not find any mounted volumes for your container" unless volume_info.Mounts[0]
+
+      # Iterate through the list of mounted volumes and check if it matches with the given destination and source
+      # is_mounted flag is used to handle to return explict boolean values of true or false
+      is_mounted = false
+      volume_info.Mounts.detect { |mount| is_mounted = mount.Destination == destination && mount.Source == source }
+      is_mounted
+    end
+
     def status
       object_info.status[0] if object_info.entries.length == 1
     end
@@ -87,5 +100,13 @@ module Inspec::Resources
       opts = @opts
       @info = inspec.docker.containers.where { names == opts[:name] || (!id.nil? && !opts[:id].nil? && (id == opts[:id] || id.start_with?(opts[:id]))) }
     end
+
+    # volume_info returns the low-level information obtained on docker inspect [container_name/id]
+    def volume_info
+      return @mount_info if defined?(@mount_info)
+
+      # Check for either docker inspect [container_name] or docker inspect [container_id]
+      @mount_info = inspec.docker.object(@opts[:name] || @opts[:id])
+    end
   end
 end

data/lib/inspec/resources/docker_image.rb

@@ -48,6 +48,25 @@ module Inspec::Resources
       object_info.tags[0] if object_info.entries.size == 1
     end
 
+    # method_missing handles when hash_keys are invoked to check information obtained on docker inspect [image_name]
+    def method_missing(*hash_keys)
+      # User can test the low-level inspect information in three ways:
+      # Way 1: Serverspec style: its(['Config.Cmd']) { should include some_value }
+      #        here, the value for hash_keys recieved is [:[], "Config.Cmd"]
+      # Way 2: InSpec style: its(['Config','Cmd']) { should include some_value }
+      #        here, the value for hash_keys recieved is [:[], "Config", "Cmd"]
+      # Way 3: Mix of both: its(['GraphDriver.Data','MergedDir']) { should include some_value }
+      #        here, the value for hash_keys recieved is [:[], "GraphDriver.Data", "MergedDir"]
+
+      # hash_keys are passed to this method to evaluate the value
+      image_hash_inspection(hash_keys)
+    end
+
+    # inspection property allows to test any of the hash key-value pairs as part of the image_inspect_info
+    def inspection
+      image_inspect_info
+    end
+
     def to_s
       img = @opts[:image] || @opts[:id]
       "Docker Image #{img}"
@@ -80,5 +99,39 @@ module Inspec::Resources
         (repository == opts[:repo] && tag == opts[:tag]) || (!id.nil? && !opts[:id].nil? && (id == opts[:id] || id.start_with?(opts[:id])))
       end
     end
+
+    # image_inspect_info returns the complete inspect hash_values of the image
+    def image_inspect_info
+      return @inspect_info if defined?(@inspect_info)
+
+      @inspect_info = inspec.docker.object(@opts[:image] || (!@opts[:id].nil? && @opts[:id]))
+    end
+
+    # image_hash_inspection formats the input hash_keys and checks if any value exists for such keys in @inspect_info(image_inspect_info)
+    def image_hash_inspection(hash_keys)
+      # The hash_keys recieved are in three formats as mentioned in method_missing
+      # The hash_keys recieved must be in array format [] and the zeroth index must be :[]
+      # Check for the conditions and remove the zeroth element from the hash_keys
+
+      hash_keys.shift if hash_keys.is_a?(Array) && hash_keys[0] == :[]
+
+      # When received hash_keys in Serverspec style or mix of both
+      # The hash_keys are to be splitted at '.' (dot) and flatten it so that it doesn't become array of arrays
+      # After splitting and flattening is done, hash_keys is now an array with individual keys
+      hash_keys = hash_keys.map { |key| key.split(".") }.flatten
+
+      # image_inspect_info returns the complete inspect hash_values of the image
+      # dig() finds the nested value specified by the sequence of the key object by calling dig at each step.
+      # hash_keys is the key object. If one of the key is bad, value will be nil.
+      hash_value = image_inspect_info.dig(*hash_keys)
+
+      # If one of the key is bad, hash_value will be nil, so raise exception which throws it in rescue block
+      # else return hash_value
+      raise Inspec::Exceptions::ResourceFailed if hash_value.nil?
+
+      hash_value
+    rescue
+      raise Inspec::Exceptions::ResourceFailed, "#{hash_keys.join(".")} is not a valid key for your image or has nil value."
+    end
   end
 end

data/lib/inspec/resources/file.rb

@@ -181,6 +181,34 @@ module Inspec::Resources
       inv_mode & file.mode != 0
     end
 
+    def immutable?
+      raise Inspec::Exceptions::ResourceSkipped, "The `be_immutable` matcher is not supported on your OS yet." unless inspec.os.unix?
+
+      if inspec.os.linux?
+        file_info = LinuxImmutableFlagCheck.new(inspec, file)
+      else
+        file_info = UnixImmutableFlagCheck.new(inspec, file)
+      end
+
+      file_info.is_immutable?
+    end
+
+    # parse the json file content and returns the content
+    def content_as_json
+      require "json" unless defined?(JSON)
+      JSON.parse(file.content)
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse the given JSON file: #{e.message}"
+    end
+
+    # parse the yaml file content and returns the content
+    def content_as_yaml
+      require "yaml" unless defined?(YAML)
+      YAML.load(file.content)
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse the given YAML file: #{e.message}"
+    end
+
     def to_s
       if file
         "File #{source_path}"
@@ -373,4 +401,67 @@ module Inspec::Resources
       end
     end
   end
+
+  # Helper class for immutable matcher.
+  class ImmutableFlagCheck
+    attr_reader :inspec, :file_path
+    def initialize(inspec, file)
+      @inspec = inspec
+      @file_path = file.path
+    end
+
+    def find_utility_or_error(utility_name)
+      [
+        "/usr/sbin/#{utility_name}",
+        "/sbin/#{utility_name}",
+        "/usr/bin/#{utility_name}",
+        "/bin/#{utility_name}",
+        "#{utility_name}",
+      ].each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `#{utility_name}`"
+    end
+  end
+
+  class LinuxImmutableFlagCheck < ImmutableFlagCheck
+    def is_immutable?
+      # Check if lsattr is available. In general, all linux system has lsattr & chattr
+      # This logic check is valid for immutable flag set with chattr
+      utility = find_utility_or_error("lsattr")
+      utility_cmd = inspec.command("#{utility} #{file_path}")
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{utility} #{file_path} failed: #{utility_cmd.stderr}" if utility_cmd.exit_status.to_i != 0
+
+      # General output for lsattr file_name is:
+      # ----i---------e----- file_name
+      # The fifth char resembles the immutable flag. Total 20 flags are allowed.
+      lsattr_info = utility_cmd.stdout.strip.squeeze(" ")
+      lsattr_info =~ /^.{4}i.{15} .*/
+    end
+  end
+
+  class UnixImmutableFlagCheck < ImmutableFlagCheck
+    def is_immutable?
+      # Check if chflags is available on the system. Most unix-like system comes with chflags.
+      # This logic check is valid for immutable flag set with chflags
+      find_utility_or_error("chflags")
+
+      # In general ls -lO is used to check immutable flag set by chflags
+      utility_cmd = inspec.command("ls -lO #{file_path}")
+
+      # But on some bsd system (eg: freebsd) ls -lo is used instead of ls -lO
+      utility_cmd = inspec.command("ls -lo #{file_path}") if utility_cmd.exit_status.to_i != 0
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing ls -lo #{file_path} and ls -lO #{file_path} failed: #{utility_cmd.stderr}" if utility_cmd.exit_status.to_i != 0
+
+      # General output for ls -lO file_name is:
+      # -rw-r--r--  1 current_user  1083951318  uchg 0 Apr  6 12:45 file_name
+      # The schg flag and the uchg flag represents the immutable flags
+      # uchg => user immutable flag, schg => system immutable flag.
+      file_info = utility_cmd.stdout.strip.split
+      file_info.include?("uchg") || file_info.include?("schg")
+    end
+  end
 end

data/lib/inspec/resources/groups.rb

@@ -145,6 +145,11 @@ module Inspec::Resources
       true
     end
 
+    # matcher equivalent to gid property.
+    def has_gid?(gid_value)
+      gid_value == gid
+    end
+
     def to_s
       "Group #{@group}"
     end

data/lib/inspec/resources/host.rb

@@ -113,6 +113,16 @@ module Inspec::Resources
       resolve.nil? || resolve.empty? ? nil : resolve
     end
 
+    # returns an array of the ipv4 addresses
+    def ipv4_address
+      ipaddress.select { |ip| ip.match(Resolv::IPv4::Regex) }
+    end
+
+    # returns an array of the ipv6 addresses
+    def ipv6_address
+      ipaddress.select { |ip| ip.match(Resolv::IPv6::Regex) }
+    end
+
     def to_s
       resource_name = "Host #{hostname}"
       resource_name += " port #{port} proto #{protocol}" if port
@@ -296,15 +306,44 @@ module Inspec::Resources
     end
 
     def resolve(hostname)
+      addresses = []
+      # -Type A is the DNS query for IPv4 server Address.
       cmd = inspec.command("Resolve-DnsName –Type A #{hostname} | ConvertTo-Json")
       begin
-        resolv = JSON.parse(cmd.stdout)
+        resolve_ipv4 = JSON.parse(cmd.stdout)
       rescue JSON::ParserError => _e
         return nil
       end
 
-      resolv = [resolv] unless resolv.is_a?(Array)
-      resolv.map { |entry| entry["IPAddress"] }
+      resolve_ipv4 = resolve_ipv4.inject(:merge) if resolve_ipv4.is_a?(Array)
+
+      # Append the ipv4 addresses
+      resolve_ipv4.each_value do |ip|
+        matched = ip.to_s.chomp.match(Resolv::IPv4::Regex)
+        next if matched.nil? || addresses.include?(matched.to_s)
+
+        addresses << matched.to_s
+      end
+
+      # -Type AAAA is the DNS query for IPv6 server Address.
+      cmd = inspec.command("Resolve-DnsName –Type AAAA #{hostname} | ConvertTo-Json")
+      begin
+        resolve_ipv6 = JSON.parse(cmd.stdout)
+      rescue JSON::ParserError => _e
+        return nil
+      end
+
+      resolve_ipv6 = resolve_ipv6.inject(:merge) if resolve_ipv6.is_a?(Array)
+
+      # Append the ipv6 addresses
+      resolve_ipv6.each_value do |ip|
+        matched = ip.to_s.chomp.match(Resolv::IPv6::Regex)
+        next if matched.nil? || addresses.include?(matched.to_s)
+
+        addresses << matched.to_s
+      end
+
+      addresses
     end
   end
 end

data/lib/inspec/resources/linux_audit_system.rb

@@ -0,0 +1,81 @@
+require "inspec/resources/command"
+module Inspec::Resources
+  class LinuxAuditSystem < Inspec.resource(1)
+    # Resource's internal name.
+    name "linux_audit_system"
+
+    # Restrict to only run on the below platforms (if none were given,
+    # all OS's and cloud API's supported)
+    supports platform: "linux"
+
+    desc "Use the `linux_audit_system` Chef InSpec audit resource to test the configuration of linux audit system."
+
+    example <<~EXAMPLE
+      describe linux_audit_system do
+        it { should be_enabled }
+        it { should be_running }
+        its("rules") { should include "-w /etc -p wa" }
+        its("rules") { should include %r{-w /etc -p wa} }
+        its("rules") { should include %r!-w /etc -p wa! }
+      end
+    EXAMPLE
+
+    attr_reader :auditctl_utility
+
+    # Resource initialization.
+    def initialize
+      skip_resource "The `linux_audit_system` resource is not yet available on your OS." unless inspec.os.linux?
+      @auditctl_utility = find_auditctl_or_error
+    end
+
+    # Resource appearance in test reports.
+    def to_s
+      "linux_audit_system"
+    end
+
+    # The be_enabled matcher checks if the auditing is enabled.
+    # The enabled flag 1 indicates that the auditing is enabled.
+    def enabled?
+      auditctl_cmd = inspec.command("#{auditctl_utility} -s | grep enabled")
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -s | grep enabled failed: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0
+
+      # Sample stdout: enabled 1
+      auditctl_enabled_status = auditctl_cmd.stdout.strip.split
+      auditctl_enabled_status[1].to_i == 1
+    end
+
+    # The be_running matcher checks if the audit daemon is running.
+    # A pid of 0 indicates that the audit daemon is not running.
+    def running?
+      auditctl_cmd = inspec.command("#{auditctl_utility} -s | grep pid")
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -s | grep enabled failed: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0
+
+      # Sample stdout: pid 682462
+      auditctl_running_status = auditctl_cmd.stdout.strip.split
+      !auditctl_running_status[1].nil? && auditctl_running_status[1].to_i != 0
+    end
+
+    # The rules property returns the array of audit rules obtained on auditctl -l.
+    # The auditctl -l list all rules, 1 per line.
+    def rules
+      auditctl_cmd = inspec.command("#{auditctl_utility} -l")
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -l: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0
+
+      auditctl_cmd.stdout.strip.split("\n")
+    end
+
+    private
+
+    # Check if auditctl is available on the system.
+    def find_auditctl_or_error
+      %w{/usr/sbin/auditctl /sbin/auditctl auditctl}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `auditctl`. This resource requires `auditctl` utility to be available on the system."
+    end
+  end
+end

data/lib/inspec/resources/mail_alias.rb

@@ -0,0 +1,46 @@
+require "inspec/resources/command"
+module Inspec::Resources
+  class Mailalias < Inspec.resource(1)
+    # resource internal name.
+    name "mail_alias"
+
+    # Restrict to only run on the below platforms (if none were given,
+    # all OS's and cloud API's supported)
+    supports platform: "unix"
+
+    desc "Use the mail_alias InSpec audit resource to test mail alias present in the aliases file"
+
+    example <<~EXAMPLE
+      describe mail_alias("toor") do
+        it { should be_aliased_to "root" }
+      end
+    EXAMPLE
+
+    def initialize(alias_key)
+      skip_resource "The `mail_alias` resource is not yet available on your OS." unless inspec.os.unix?
+      @alias_key = alias_key
+    end
+
+    # resource_id is used in reporting engines to uniquely identify the individual resource.
+    def resource_id
+      "#{@alias_key}"
+    end
+
+    # resource appearance in test reports.
+    def to_s
+      "mail_alias #{resource_id}"
+    end
+
+    # aliased_to matcher checks if the given alias_value is set to the initialized alias_key
+    def aliased_to?(alias_value)
+      # /etc/aliases if the file where the alias and its value(s) are stored
+      cmd = inspec.command("cat /etc/aliases | grep '^#{@alias_key}:'")
+      raise Inspec::Exceptions::ResourceFailed, "#{@alias_key} is not a valid key in the aliases" if cmd.exit_status.to_i != 0
+
+      # in general aliases file contains : separated values like alias_key : alias_value1, alias_value2
+      alias_values_combined = cmd.stdout.split(":").map(&:strip)[1]
+      alias_values_splitted = alias_values_combined.split(",").map(&:strip)
+      alias_values_splitted.include?(alias_value)
+    end
+  end
+end

data/lib/inspec/resources/php_config.rb

@@ -0,0 +1,72 @@
+require "inspec/resources/command"
+
+module Inspec::Resources
+  class PhpConfig < Inspec.resource(1)
+    # Resource's internal name.
+    name "php_config"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the php_config InSpec audit resource to test PHP config parameters"
+
+    example <<~EXAMPLE
+      describe php_config("config_param") do
+        its("value") { should eq "some_value" }
+      end
+
+      describe php_config("config_param", { "ini" => "path_to_ini_file" }) do
+        its("value") { should eq "some_value"  }
+      end
+    EXAMPLE
+
+    # Resource initialization.
+    attr_reader :config_param, :config_file_or_path
+    def initialize(config_param, config_file_or_path = {})
+      @config_param = config_param
+      @config_file_or_path = config_file_or_path
+    end
+
+    # Unique resource id
+    def resource_id
+      config_param
+    end
+
+    # Resource appearance in test reports.
+    def to_s
+      "php_config #{resource_id}"
+    end
+
+    # Returns the value evaluated for the initialized config parameter
+    def value
+      php_utility = find_utility_or_error
+
+      # The keys in the hash provided by user can be string or symbols.
+      # Converting the key to symbols to handle scenario when "ini" key is provided as string.
+      config_file_or_path.transform_keys(&:to_sym)
+
+      # Assign the path with -c option for ini file provided by the user if any.
+      php_ini_file = !config_file_or_path.empty? && config_file_or_path.key?(:ini) ? "-c #{config_file_or_path[:ini]}" : ""
+
+      # The below command `get_cfg_var` is used to fetch the value for any config parameter.
+      php_cmd = "#{php_utility} #{php_ini_file} -r 'echo get_cfg_var(\"#{config_param}\");'"
+      config_value_cmd = inspec.command(php_cmd)
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{php_cmd} failed: #{config_value_cmd.stderr}" if config_value_cmd.exit_status.to_i != 0
+
+      config_value = config_value_cmd.stdout.strip
+
+      # Convert value to integer if the config value are digits.
+      config_value.match(/^(\d)+$/) ? config_value.to_i : config_value
+    end
+
+    private
+
+    # Method to check if php is present or not on the system.
+    def find_utility_or_error
+      %w{/usr/sbin/php /sbin/php php}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `php` on your system."
+    end
+  end
+end

data/lib/inspec/resources/processes.rb

@@ -60,6 +60,17 @@ module Inspec::Resources
       @list
     end
 
+    # Matcher to check if the process is running
+    def running?
+      # A process is considered running if:
+      # unix: it is in running(R) state or either of sleep state(D: Uninterruptible or S: Interruptible)
+      # windows: it is responding i.e. state is True.
+
+      # Other codes like <(high priorty), N(low priority), +(foreground process group) etc. may appear after the state code in unix.
+      # Hence the regex used is /^statecode+/ where statecode is either R, S, or D.
+      states.any? and !!(states[0] =~ /True/ || states[0] =~ /^R+/ || states[0] =~ /^D+/ || states[0] =~ /^S+/)
+    end
+
     filter = FilterTable.create
     filter.register_column(:labels, field: "label")
       .register_column(:pids,     field: "pid")