inspec-core 5.12.2 → 5.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b7242aa89bb64084dbeb75587b128af25c4967be0bc06ec8e9d8f386e821d36a
-  data.tar.gz: 876166ebb7e7ae59bb39fe1b9fd4523f45cdb6c22702f08e0074dad4662bf5bf
+  metadata.gz: 3cb92e0f21964ecac43d5d9f208e7a2b07a57c2daa0fef4aad06515f933b9072
+  data.tar.gz: 6c4d5f59ed6dde73193198f4ad32c801515cec12d9c04924765d1ac7ee4bd5bc
 SHA512:
-  metadata.gz: 155d7f957519b8358c1e8d92373f50b8839cb7f31ca3f32af953a556a2753f768b69b9a78dc7fa2b228ed30e2a26a5b33a393dbe472c501fcc1bda0b54a353f8
-  data.tar.gz: af8ec2a17788ba7add5c58c07c0e842b31e8a7a92f6afd38ca0e794c2d297dde6464e8dd9cf8d8a07374042a2437ec41685226be098004a4396160432d68a14f
+  metadata.gz: 8397f679eea47dead2cb1952026b74c800adf7ea650120597b714c3ccdef1c7e0eeb6af387458a31c028173a6bc332b07de103d4d545dbd37257573b77c6e0b1
+  data.tar.gz: 96d8ac046aa00ec95fc173e81c28999d744ed823af7a4a6401e9d1776817e303e451e7c8d46450d2c39c02e6ef4ff4c82d1c425683e82299effa2f3384f9f93e

data/lib/inspec/cli.rb

@@ -95,6 +95,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   desc "check PATH", "verify all tests at the specified PATH"
   option :format, type: :string,
     desc: "The output format to use doc (default), json. If valid format is not provided then it will use the default."
+  option :with_cookstyle, type: :boolean,
+    desc: "Enable or disable cookstyle checks.", default: false
   profile_options
   def check(path) # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
     o = config

data/lib/inspec/profile.rb

@@ -105,6 +105,7 @@ module Inspec
       @check_mode = options[:check_mode] || false
       @parent_profile = options[:parent_profile]
       @legacy_profile_path = options[:profiles_path] || false
+      @check_cookstyle = options[:with_cookstyle]
       Metadata.finalize(@source_reader.metadata, @profile_id, options)
 
       # if a backend has already been created, clone it so each profile has its own unique backend object
@@ -655,12 +656,13 @@ module Inspec
       end
 
       # Running cookstyle to check for code offenses
-      cookstyle_linting_check.each do |lint_output|
-        data = lint_output.split(":")
-        msg = "#{data[-2]}:#{data[-1]}"
-        offense.call(data[0], data[1], data[2], nil, msg)
+      if @check_cookstyle
+        cookstyle_linting_check.each do |lint_output|
+          data = lint_output.split(":")
+          msg = "#{data[-2]}:#{data[-1]}"
+          offense.call(data[0], data[1], data[2], nil, msg)
+        end
       end
-
       # profile is valid if we could not find any error & offenses
       result[:summary][:valid] = result[:errors].empty? && result[:offenses].empty?
 

data/lib/inspec/resources/default_gateway.rb

@@ -0,0 +1,61 @@
+require "inspec/resources/command"
+require_relative "routing_table"
+
+module Inspec::Resources
+  class Defaultgateway < Routingtable
+    # resource internal name.
+    name "default_gateway"
+
+    # Restrict to only run on the below platforms (if none were given,
+    # all OS's and cloud API's supported)
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "Use the `default_gateway` Chef InSpec audit resource to test the assigned ip address and interface for the default route."
+
+    example <<~EXAMPLE
+      describe default_gateway do
+        its(:ipaddress) { should eq '172.31.80.1' }
+      end
+      describe default_gateway do
+        its("interface") { should eq 'eth0' }
+      end
+    EXAMPLE
+
+    def initialize
+      skip_resource "The `default_gateway` resource is not yet available on your OS." unless inspec.os.unix? || inspec.os.windows?
+      # invoke the routing_table initialize; which populates the @routing_info
+      super()
+    end
+
+    # resource appearance in test reports.
+    def to_s
+      "default_gateway"
+    end
+
+    # fetches the ipaddress assigned to the default gateway
+    # default gateway's destination is either `default` or `0.0.0.0`
+    def ipaddress
+      # @routing_info is the hash populated in routing_table resource
+      # @routing_info contain values as:
+      # {
+      #   destination1: [ [gateway1x, interface1x], [gateway1y, interface1y] ],
+      #   destination2: [gateway2, interface2]
+      # }
+      %w{default 0.0.0.0}.each do |destination|
+        return @routing_info[destination][0][0] if @routing_info.key?(destination)
+      end
+      # raise exception because no destination with value default or 0.0.0.0 is found in the routing table
+      raise Inspec::Exceptions::ResourceFailed, "No routing found as part of default gateway"
+    end
+
+    # fetches the interface assigned to the default gateway
+    def interface
+      %w{default 0.0.0.0}.each do |destination|
+        return @routing_info[destination][0][1] if @routing_info.key?(destination)
+      end
+      # raise exception because no destination with value default or 0.0.0.0 is found in the routing table
+      raise Inspec::Exceptions::ResourceFailed, "No routing found as part of default gateway"
+    end
+  end
+end

data/lib/inspec/resources/file.rb

@@ -181,6 +181,34 @@ module Inspec::Resources
       inv_mode & file.mode != 0
     end
 
+    def immutable?
+      raise Inspec::Exceptions::ResourceSkipped, "The `be_immutable` matcher is not supported on your OS yet." unless inspec.os.unix?
+
+      if inspec.os.linux?
+        file_info = LinuxImmutableFlagCheck.new(inspec, file)
+      else
+        file_info = UnixImmutableFlagCheck.new(inspec, file)
+      end
+
+      file_info.is_immutable?
+    end
+
+    # parse the json file content and returns the content
+    def content_as_json
+      require "json" unless defined?(JSON)
+      JSON.parse(file.content)
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse the given JSON file: #{e.message}"
+    end
+
+    # parse the yaml file content and returns the content
+    def content_as_yaml
+      require "yaml" unless defined?(YAML)
+      YAML.load(file.content)
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse the given YAML file: #{e.message}"
+    end
+
     def to_s
       if file
         "File #{source_path}"
@@ -373,4 +401,67 @@ module Inspec::Resources
       end
     end
   end
+
+  # Helper class for immutable matcher.
+  class ImmutableFlagCheck
+    attr_reader :inspec, :file_path
+    def initialize(inspec, file)
+      @inspec = inspec
+      @file_path = file.path
+    end
+
+    def find_utility_or_error(utility_name)
+      [
+        "/usr/sbin/#{utility_name}",
+        "/sbin/#{utility_name}",
+        "/usr/bin/#{utility_name}",
+        "/bin/#{utility_name}",
+        "#{utility_name}",
+      ].each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `#{utility_name}`"
+    end
+  end
+
+  class LinuxImmutableFlagCheck < ImmutableFlagCheck
+    def is_immutable?
+      # Check if lsattr is available. In general, all linux system has lsattr & chattr
+      # This logic check is valid for immutable flag set with chattr
+      utility = find_utility_or_error("lsattr")
+      utility_cmd = inspec.command("#{utility} #{file_path}")
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{utility} #{file_path} failed: #{utility_cmd.stderr}" if utility_cmd.exit_status.to_i != 0
+
+      # General output for lsattr file_name is:
+      # ----i---------e----- file_name
+      # The fifth char resembles the immutable flag. Total 20 flags are allowed.
+      lsattr_info = utility_cmd.stdout.strip.squeeze(" ")
+      lsattr_info =~ /^.{4}i.{15} .*/
+    end
+  end
+
+  class UnixImmutableFlagCheck < ImmutableFlagCheck
+    def is_immutable?
+      # Check if chflags is available on the system. Most unix-like system comes with chflags.
+      # This logic check is valid for immutable flag set with chflags
+      find_utility_or_error("chflags")
+
+      # In general ls -lO is used to check immutable flag set by chflags
+      utility_cmd = inspec.command("ls -lO #{file_path}")
+
+      # But on some bsd system (eg: freebsd) ls -lo is used instead of ls -lO
+      utility_cmd = inspec.command("ls -lo #{file_path}") if utility_cmd.exit_status.to_i != 0
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing ls -lo #{file_path} and ls -lO #{file_path} failed: #{utility_cmd.stderr}" if utility_cmd.exit_status.to_i != 0
+
+      # General output for ls -lO file_name is:
+      # -rw-r--r--  1 current_user  1083951318  uchg 0 Apr  6 12:45 file_name
+      # The schg flag and the uchg flag represents the immutable flags
+      # uchg => user immutable flag, schg => system immutable flag.
+      file_info = utility_cmd.stdout.strip.split
+      file_info.include?("uchg") || file_info.include?("schg")
+    end
+  end
 end

data/lib/inspec/resources/groups.rb

@@ -145,6 +145,11 @@ module Inspec::Resources
       true
     end
 
+    # matcher equivalent to gid property.
+    def has_gid?(gid_value)
+      gid_value == gid
+    end
+
     def to_s
       "Group #{@group}"
     end

data/lib/inspec/resources/linux_audit_system.rb

@@ -0,0 +1,81 @@
+require "inspec/resources/command"
+module Inspec::Resources
+  class LinuxAuditSystem < Inspec.resource(1)
+    # Resource's internal name.
+    name "linux_audit_system"
+
+    # Restrict to only run on the below platforms (if none were given,
+    # all OS's and cloud API's supported)
+    supports platform: "linux"
+
+    desc "Use the `linux_audit_system` Chef InSpec audit resource to test the configuration of linux audit system."
+
+    example <<~EXAMPLE
+      describe linux_audit_system do
+        it { should be_enabled }
+        it { should be_running }
+        its("rules") { should include "-w /etc -p wa" }
+        its("rules") { should include %r{-w /etc -p wa} }
+        its("rules") { should include %r!-w /etc -p wa! }
+      end
+    EXAMPLE
+
+    attr_reader :auditctl_utility
+
+    # Resource initialization.
+    def initialize
+      skip_resource "The `linux_audit_system` resource is not yet available on your OS." unless inspec.os.linux?
+      @auditctl_utility = find_auditctl_or_error
+    end
+
+    # Resource appearance in test reports.
+    def to_s
+      "linux_audit_system"
+    end
+
+    # The be_enabled matcher checks if the auditing is enabled.
+    # The enabled flag 1 indicates that the auditing is enabled.
+    def enabled?
+      auditctl_cmd = inspec.command("#{auditctl_utility} -s | grep enabled")
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -s | grep enabled failed: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0
+
+      # Sample stdout: enabled 1
+      auditctl_enabled_status = auditctl_cmd.stdout.strip.split
+      auditctl_enabled_status[1].to_i == 1
+    end
+
+    # The be_running matcher checks if the audit daemon is running.
+    # A pid of 0 indicates that the audit daemon is not running.
+    def running?
+      auditctl_cmd = inspec.command("#{auditctl_utility} -s | grep pid")
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -s | grep enabled failed: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0
+
+      # Sample stdout: pid 682462
+      auditctl_running_status = auditctl_cmd.stdout.strip.split
+      !auditctl_running_status[1].nil? && auditctl_running_status[1].to_i != 0
+    end
+
+    # The rules property returns the array of audit rules obtained on auditctl -l.
+    # The auditctl -l list all rules, 1 per line.
+    def rules
+      auditctl_cmd = inspec.command("#{auditctl_utility} -l")
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -l: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0
+
+      auditctl_cmd.stdout.strip.split("\n")
+    end
+
+    private
+
+    # Check if auditctl is available on the system.
+    def find_auditctl_or_error
+      %w{/usr/sbin/auditctl /sbin/auditctl auditctl}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `auditctl`. This resource requires `auditctl` utility to be available on the system."
+    end
+  end
+end

data/lib/inspec/resources/service.rb

@@ -271,6 +271,30 @@ module Inspec::Resources
       info[:startname]
     end
 
+    # matcher equivalent to startmode property; compares start-up mode
+    # supported only on windows.
+    def has_start_mode?(mode)
+      raise Inspec::Exceptions::ResourceSkipped, "The `has_start_mode` matcher is not supported on your OS yet." unless inspec.os.windows?
+
+      mode == startmode
+    end
+
+    # matcher to check if the service is monitored by the given monitoring tool/software
+    def monitored_by?(monitoring_tool)
+      # Currently supported monitoring tools are: monit & god
+      # To add support for new monitoring tools, extend the case statement with additional monitoring tool and
+      # add the definition and logic in a new class (inheriting the base class MonitoringTool: optional)
+      case monitoring_tool
+      when "monit"
+        current_monitoring_tool = Monit.new(inspec, @service_name)
+      when "god"
+        current_monitoring_tool = God.new(inspec, @service_name)
+      else
+        puts "The monitoring tool #{monitoring_tool} is not yet supported by InSpec."
+      end
+      current_monitoring_tool.is_service_monitored?
+    end
+
     def to_s
       "Service #{@service_name}"
     end
@@ -893,4 +917,53 @@ module Inspec::Resources
       Runit.new(inspec, service_ctl)
     end
   end
+
+  # Helper class for monitored_by matcher
+  class MonitoringTool
+    attr_reader :inspec, :service_name
+    def initialize(inspec, service_name)
+      @inspec = inspec
+      @service_name ||= service_name
+    end
+
+    def find_utility_or_error(utility_name)
+      [ "/usr/sbin/#{utility_name}" , "/sbin/#{utility_name}" , "/usr/bin/#{utility_name}" , "/bin/#{utility_name}" , "#{utility_name}" ].each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `#{utility_name}`"
+    end
+  end
+
+  class Monit < MonitoringTool
+    def is_service_monitored?
+      utility = find_utility_or_error("monit")
+      utility_cmd = inspec.command("#{utility} summary")
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{utility} summary failed: #{utility_cmd.stderr}" if utility_cmd.exit_status.to_i != 0
+
+      monitoring_info = utility_cmd.stdout.split("\n")
+      monitoring_info.map! { |info| info.strip.squeeze(" ") }
+      is_monitored = false
+      monitoring_info.each do |info|
+        if info =~ /^#{service_name} OK.*/
+          is_monitored = true
+          break
+        end
+      end
+      is_monitored
+    end
+  end
+
+  class God < MonitoringTool
+    def is_service_monitored?
+      utility = find_utility_or_error("god")
+      utility_cmd = inspec.command("#{utility} status #{service_name}")
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{utility} status #{service_name} failed: #{utility_cmd.stderr}" if utility_cmd.exit_status.to_i != 0
+
+      monitoring_info = utility_cmd.stdout.strip
+      monitoring_info =~ /^#{service_name}: up/
+    end
+  end
 end

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "5.12.2".freeze
+  VERSION = "5.14.0".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 5.12.2
+  version: 5.14.0
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-04-08 00:00:00.000000000 Z
+date: 2022-04-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -520,6 +520,7 @@ files:
 - lib/inspec/resources/cron.rb
 - lib/inspec/resources/crontab.rb
 - lib/inspec/resources/csv.rb
+- lib/inspec/resources/default_gateway.rb
 - lib/inspec/resources/dh_params.rb
 - lib/inspec/resources/directory.rb
 - lib/inspec/resources/docker.rb
@@ -566,6 +567,7 @@ files:
 - lib/inspec/resources/ksh.rb
 - lib/inspec/resources/launchd_service.rb
 - lib/inspec/resources/limits_conf.rb
+- lib/inspec/resources/linux_audit_system.rb
 - lib/inspec/resources/linux_kernel_parameter.rb
 - lib/inspec/resources/login_defs.rb
 - lib/inspec/resources/lxc.rb