inspec-core 5.12.2 → 5.18.14
- checksums.yaml +4 -4
- data/Gemfile +1 -1
- data/etc/deprecations.json +4 -0
- data/etc/keys/progress-2022-05-04.pem.pub +9 -0
- data/inspec-core.gemspec +1 -1
- data/lib/inspec/base_cli.rb +5 -0
- data/lib/inspec/cli.rb +64 -9
- data/lib/inspec/dependencies/dependency_set.rb +6 -2
- data/lib/inspec/dependency_loader.rb +5 -1
- data/lib/inspec/dsl.rb +18 -5
- data/lib/inspec/errors.rb +2 -0
- data/lib/inspec/exceptions.rb +2 -0
- data/lib/inspec/fetcher/url.rb +1 -1
- data/lib/inspec/file_provider.rb +36 -0
- data/lib/inspec/iaf_file.rb +127 -0
- data/lib/inspec/profile.rb +31 -14
- data/lib/inspec/resources/aide_conf.rb +4 -0
- data/lib/inspec/resources/apache.rb +4 -0
- data/lib/inspec/resources/apache_conf.rb +4 -0
- data/lib/inspec/resources/apt.rb +6 -1
- data/lib/inspec/resources/audit_policy.rb +5 -0
- data/lib/inspec/resources/auditd_conf.rb +4 -0
- data/lib/inspec/resources/bash.rb +4 -0
- data/lib/inspec/resources/bond.rb +4 -0
- data/lib/inspec/resources/bridge.rb +4 -0
- data/lib/inspec/resources/cassandradb_conf.rb +5 -0
- data/lib/inspec/resources/cassandradb_session.rb +8 -3
- data/lib/inspec/resources/chocolatey_package.rb +4 -0
- data/lib/inspec/resources/chrony_conf.rb +4 -0
- data/lib/inspec/resources/command.rb +5 -0
- data/lib/inspec/resources/cpan.rb +4 -0
- data/lib/inspec/resources/cran.rb +4 -0
- data/lib/inspec/resources/cron.rb +5 -0
- data/lib/inspec/resources/csv.rb +6 -1
- data/lib/inspec/resources/default_gateway.rb +61 -0
- data/lib/inspec/resources/dh_params.rb +4 -0
- data/lib/inspec/resources/docker_container.rb +4 -0
- data/lib/inspec/resources/docker_image.rb +4 -0
- data/lib/inspec/resources/docker_plugin.rb +4 -0
- data/lib/inspec/resources/docker_service.rb +4 -0
- data/lib/inspec/resources/etc_group.rb +4 -0
- data/lib/inspec/resources/etc_hosts_allow_deny.rb +5 -0
- data/lib/inspec/resources/file.rb +97 -1
- data/lib/inspec/resources/filesystem.rb +4 -0
- data/lib/inspec/resources/gem.rb +4 -0
- data/lib/inspec/resources/groups.rb +9 -0
- data/lib/inspec/resources/grub_conf.rb +4 -0
- data/lib/inspec/resources/host.rb +46 -3
- data/lib/inspec/resources/http.rb +4 -0
- data/lib/inspec/resources/ibmdb2_conf.rb +8 -0
- data/lib/inspec/resources/ibmdb2_session.rb +12 -3
- data/lib/inspec/resources/iis_app.rb +4 -0
- data/lib/inspec/resources/iis_app_pool.rb +4 -0
- data/lib/inspec/resources/iis_site.rb +4 -0
- data/lib/inspec/resources/inetd_conf.rb +4 -0
- data/lib/inspec/resources/interface.rb +4 -0
- data/lib/inspec/resources/ip6tables.rb +4 -0
- data/lib/inspec/resources/ipfilter.rb +4 -0
- data/lib/inspec/resources/ipnat.rb +4 -0
- data/lib/inspec/resources/iptables.rb +4 -0
- data/lib/inspec/resources/json.rb +4 -0
- data/lib/inspec/resources/kernel_module.rb +4 -0
- data/lib/inspec/resources/kernel_parameter.rb +4 -0
- data/lib/inspec/resources/key_rsa.rb +4 -0
- data/lib/inspec/resources/ksh.rb +4 -0
- data/lib/inspec/resources/limits_conf.rb +4 -0
- data/lib/inspec/resources/linux_audit_system.rb +81 -0
- data/lib/inspec/resources/login_defs.rb +4 -0
- data/lib/inspec/resources/mongodb.rb +4 -0
- data/lib/inspec/resources/mongodb_conf.rb +5 -0
- data/lib/inspec/resources/mongodb_session.rb +6 -1
- data/lib/inspec/resources/mount.rb +4 -0
- data/lib/inspec/resources/mssql_session.rb +4 -0
- data/lib/inspec/resources/mssql_sys_conf.rb +7 -0
- data/lib/inspec/resources/mysql_conf.rb +4 -0
- data/lib/inspec/resources/mysql_session.rb +8 -1
- data/lib/inspec/resources/nginx.rb +6 -1
- data/lib/inspec/resources/nginx_conf.rb +4 -0
- data/lib/inspec/resources/noop.rb +4 -0
- data/lib/inspec/resources/npm.rb +4 -0
- data/lib/inspec/resources/ntp_conf.rb +4 -0
- data/lib/inspec/resources/oneget.rb +4 -0
- data/lib/inspec/resources/opa_api.rb +10 -0
- data/lib/inspec/resources/opa_cli.rb +14 -0
- data/lib/inspec/resources/oracledb_conf.rb +5 -0
- data/lib/inspec/resources/oracledb_listener_conf.rb +4 -0
- data/lib/inspec/resources/oracledb_session.rb +10 -0
- data/lib/inspec/resources/os.rb +4 -0
- data/lib/inspec/resources/os_env.rb +4 -0
- data/lib/inspec/resources/package.rb +4 -0
- data/lib/inspec/resources/parse_config.rb +10 -1
- data/lib/inspec/resources/php_config.rb +72 -0
- data/lib/inspec/resources/pip.rb +4 -0
- data/lib/inspec/resources/platform.rb +4 -0
- data/lib/inspec/resources/postfix_conf.rb +4 -0
- data/lib/inspec/resources/postgres_conf.rb +4 -0
- data/lib/inspec/resources/postgres_session.rb +8 -4
- data/lib/inspec/resources/powershell.rb +4 -0
- data/lib/inspec/resources/processes.rb +17 -4
- data/lib/inspec/resources/rabbitmq_config.rb +4 -0
- data/lib/inspec/resources/registry_key.rb +4 -0
- data/lib/inspec/resources/security_identifier.rb +4 -0
- data/lib/inspec/resources/security_policy.rb +4 -0
- data/lib/inspec/resources/service.rb +80 -1
- data/lib/inspec/resources/ssh_config.rb +4 -0
- data/lib/inspec/resources/sybase_conf.rb +4 -0
- data/lib/inspec/resources/sybase_session.rb +4 -0
- data/lib/inspec/resources/sys_info.rb +4 -0
- data/lib/inspec/resources/timezone.rb +4 -0
- data/lib/inspec/resources/users.rb +4 -0
- data/lib/inspec/resources/vbscript.rb +5 -0
- data/lib/inspec/resources/virtualization.rb +4 -0
- data/lib/inspec/resources/windows_feature.rb +5 -1
- data/lib/inspec/resources/windows_firewall.rb +4 -0
- data/lib/inspec/resources/windows_firewall_rule.rb +4 -0
- data/lib/inspec/resources/windows_hotfix.rb +4 -0
- data/lib/inspec/resources/windows_task.rb +4 -0
- data/lib/inspec/resources/wmi.rb +4 -0
- data/lib/inspec/resources/x509_certificate.rb +59 -0
- data/lib/inspec/resources/x509_private_key.rb +93 -0
- data/lib/inspec/resources/yum.rb +4 -0
- data/lib/inspec/resources/zfs.rb +48 -0
- data/lib/inspec/resources/zfs_dataset.rb +4 -0
- data/lib/inspec/resources/zfs_pool.rb +4 -0
- data/lib/inspec/rule.rb +1 -1
- data/lib/inspec/secrets/yaml.rb +7 -1
- data/lib/inspec/ui.rb +1 -0
- data/lib/inspec/utils/yaml_profile_summary.rb +34 -0
- data/lib/inspec/version.rb +1 -1
- data/lib/plugins/inspec-reporter-html2/templates/body.html.erb +4 -4
- data/lib/plugins/inspec-reporter-html2/templates/control.html.erb +1 -1
- data/lib/plugins/inspec-reporter-html2/templates/profile.html.erb +1 -1
- data/lib/plugins/{inspec-artifact/inspec-artifact.gemspec → inspec-sign/inspec-sign.gemspec} +2 -2
- data/lib/plugins/inspec-sign/lib/inspec-sign/base.rb +161 -0
- data/lib/plugins/{inspec-artifact/lib/inspec-artifact → inspec-sign/lib/inspec-sign}/cli.rb +14 -23
- data/lib/plugins/inspec-sign/lib/inspec-sign.rb +12 -0
- data/lib/source_readers/inspec.rb +8 -2
- metadata +16 -8
- data/lib/plugins/inspec-artifact/lib/inspec-artifact/base.rb +0 -187
- data/lib/plugins/inspec-artifact/lib/inspec-artifact.rb +0 -12
@@ -62,6 +62,10 @@ module Inspec::Resources
|
|
62
62
|
@ip6tables_cache = cmd.stdout.split("\n").map(&:strip)
|
63
63
|
end
|
64
64
|
|
65
|
+
def resource_id
|
66
|
+
format("Ip6tables %s %s", @table && "table: #{@table}", @chain && "chain: #{@chain}").strip
|
67
|
+
end
|
68
|
+
|
65
69
|
def to_s
|
66
70
|
format("Ip6tables %s %s", @table && "table: #{@table}", @chain && "chain: #{@chain}").strip
|
67
71
|
end
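Review bot: The new `resource_id` repeats the `format("Ip6tables %s %s", ...)` expression of `to_s` verbatim, and the iptables hunk below does the same; if the two are meant to stay identical, one should delegate so the table/chain wording cannot drift: `def resource_id` / `to_s` / `end`. If instead the id is meant to stay stable while `to_s` presentation may change, a one-line comment saying so would stop the next reader from "deduplicating" it. Functionally nothing is wrong: the id is built only from the resource's own @table and @chain options.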
|
@@ -69,6 +69,10 @@ module Inspec::Resources
|
|
69
69
|
end
|
70
70
|
end
|
71
71
|
|
72
|
+
def resource_id
|
73
|
+
format("Iptables %s %s", @table && "table: #{@table}", @chain && "chain: #{@chain}").strip
|
74
|
+
end
|
75
|
+
|
72
76
|
def to_s
|
73
77
|
format("Iptables %s %s", @table && "table: #{@table}", @chain && "chain: #{@chain}").strip
|
74
78
|
end
|
data/lib/inspec/resources/ksh.rb
CHANGED
@@ -0,0 +1,81 @@
|
|
1
|
+
require "inspec/resources/command"
|
2
|
+
module Inspec::Resources
|
3
|
+
class LinuxAuditSystem < Inspec.resource(1)
|
4
|
+
# Resource's internal name.
|
5
|
+
name "linux_audit_system"
|
6
|
+
|
7
|
+
# Restrict to only run on the below platforms (if none were given,
|
8
|
+
# all OS's and cloud API's supported)
|
9
|
+
supports platform: "linux"
|
10
|
+
|
11
|
+
desc "Use the `linux_audit_system` Chef InSpec audit resource to test the configuration of linux audit system."
|
12
|
+
|
13
|
+
example <<~EXAMPLE
|
14
|
+
describe linux_audit_system do
|
15
|
+
it { should be_enabled }
|
16
|
+
it { should be_running }
|
17
|
+
its("rules") { should include "-w /etc -p wa" }
|
18
|
+
its("rules") { should include %r{-w /etc -p wa} }
|
19
|
+
its("rules") { should include %r!-w /etc -p wa! }
|
20
|
+
end
|
21
|
+
EXAMPLE
|
22
|
+
|
23
|
+
attr_reader :auditctl_utility
|
24
|
+
|
25
|
+
# Resource initialization.
|
26
|
+
def initialize
|
27
|
+
skip_resource "The `linux_audit_system` resource is not yet available on your OS." unless inspec.os.linux?
|
28
|
+
@auditctl_utility = find_auditctl_or_error
|
29
|
+
end
|
30
|
+
|
31
|
+
# Resource appearance in test reports.
|
32
|
+
def to_s
|
33
|
+
"linux_audit_system"
|
34
|
+
end
|
35
|
+
|
36
|
+
# The be_enabled matcher checks if the auditing is enabled.
|
37
|
+
# The enabled flag 1 indicates that the auditing is enabled.
|
38
|
+
def enabled?
|
39
|
+
auditctl_cmd = inspec.command("#{auditctl_utility} -s | grep enabled")
|
40
|
+
|
41
|
+
raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -s | grep enabled failed: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0
|
42
|
+
|
43
|
+
# Sample stdout: enabled 1
|
44
|
+
auditctl_enabled_status = auditctl_cmd.stdout.strip.split
|
45
|
+
auditctl_enabled_status[1].to_i == 1
|
46
|
+
end
|
47
|
+
|
48
|
+
# The be_running matcher checks if the audit daemon is running.
|
49
|
+
# A pid of 0 indicates that the audit daemon is not running.
|
50
|
+
def running?
|
51
|
+
auditctl_cmd = inspec.command("#{auditctl_utility} -s | grep pid")
|
52
|
+
|
53
|
+
raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -s | grep enabled failed: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0
|
54
|
+
|
55
|
+
# Sample stdout: pid 682462
|
56
|
+
auditctl_running_status = auditctl_cmd.stdout.strip.split
|
57
|
+
!auditctl_running_status[1].nil? && auditctl_running_status[1].to_i != 0
|
58
|
+
end
|
59
|
+
|
60
|
+
# The rules property returns the array of audit rules obtained on auditctl -l.
|
61
|
+
# The auditctl -l list all rules, 1 per line.
|
62
|
+
def rules
|
63
|
+
auditctl_cmd = inspec.command("#{auditctl_utility} -l")
|
64
|
+
|
65
|
+
raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -l: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0
|
66
|
+
|
67
|
+
auditctl_cmd.stdout.strip.split("\n")
|
68
|
+
end
|
69
|
+
|
70
|
+
private
|
71
|
+
|
72
|
+
# Check if auditctl is available on the system.
|
73
|
+
def find_auditctl_or_error
|
74
|
+
%w{/usr/sbin/auditctl /sbin/auditctl auditctl}.each do |cmd|
|
75
|
+
return cmd if inspec.command(cmd).exist?
|
76
|
+
end
|
77
|
+
|
78
|
+
raise Inspec::Exceptions::ResourceFailed, "Could not find `auditctl`. This resource requires `auditctl` utility to be available on the system."
|
79
|
+
end
|
80
|
+
end
|
81
|
+
end
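Review bot: The failure message in `running?` names the wrong pipeline: the command is `auditctl -s | grep pid`, but the raise reports `grep enabled`, which sends anyone debugging a failure to the wrong predicate; change it to `raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -s | grep pid failed: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0` (the message in `rules` is also missing the word `failed`). Both predicates inherit grep's exit code, so when `auditctl -s` prints no matching line grep exits 1 and the matcher raises ResourceFailed instead of returning false; running plain `#{auditctl_utility} -s` once and extracting values in Ruby (`stdout[/^enabled\s+(\d+)/, 1]`) removes that dependency. `enabled?` also treats only the value 1 as enabled; if the kernel reports 2 (enabled and locked, as auditctl does for a locked configuration) the predicate returns false, which is worth confirming against the intended semantics. The shell pipeline itself is safe from injection because `auditctl_utility` comes only from the fixed list in `find_auditctl_or_error`.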
|
@@ -4,9 +4,10 @@ module Inspec::Resources
|
|
4
4
|
class Lines
|
5
5
|
attr_reader :params
|
6
6
|
|
7
|
-
def initialize(raw, desc)
|
7
|
+
def initialize(raw, desc, exit_status = nil)
|
8
8
|
@params = raw
|
9
9
|
@desc = desc
|
10
|
+
@exit_status = exit_status
|
10
11
|
end
|
11
12
|
|
12
13
|
def to_s
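Review bot: `Lines#initialize` now stores `@exit_status`, but `attr_reader :params` at the top of the hunk is not extended, so unless a reader is added outside this hunk the value is unreachable from callers and the new parameter is dead state; add `attr_reader :params, :exit_status`. The optional positional default keeps existing `Lines.new(raw, desc)` call sites working. The rest of the class (`to_s` onward) lies outside the hunk.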
|
@@ -62,6 +63,10 @@ module Inspec::Resources
|
|
62
63
|
raise Inspec::Exceptions::ResourceFailed, "Can't run MongoDB command Error: #{e.message}"
|
63
64
|
end
|
64
65
|
|
66
|
+
def resource_id
|
67
|
+
"mongodb_session:User:#{@user}:Host:#{@host}:Database:#{@database}"
|
68
|
+
end
|
69
|
+
|
65
70
|
private
|
66
71
|
|
67
72
|
def create_session
|
@@ -19,6 +19,8 @@ module Inspec::Resources
|
|
19
19
|
attr_reader :mssql_session, :sql_query
|
20
20
|
|
21
21
|
def initialize(conf_param_name, opts = {})
|
22
|
+
@conf_param_name = conf_param_name
|
23
|
+
@opts = opts
|
22
24
|
opts[:username] ||= "SA"
|
23
25
|
@mssql_session = inspec.mssql_session(opts)
|
24
26
|
setting = conf_param_name.to_s.gsub("_", " ").split.map(&:capitalize).join(" ")
|
@@ -37,6 +39,11 @@ module Inspec::Resources
|
|
37
39
|
"MsSql DB Configuration"
|
38
40
|
end
|
39
41
|
|
42
|
+
def resource_id
|
43
|
+
username = @opts[:username] || "SA"
|
44
|
+
"#{@conf_param_name}-#{username}"
|
45
|
+
end
|
46
|
+
|
40
47
|
private
|
41
48
|
|
42
49
|
def determine_system_configurations(setting)
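Review bot: `@opts = opts` in the first hunk keeps the whole session options hash on the configuration resource, although `resource_id` reads only the username; if that hash carries the `mssql_session` password, as the surrounding `opts` usage suggests, the credential now lives in a second long-lived object for no benefit. Keep just the field needed, `@username = opts[:username]` placed after the `opts[:username] ||= "SA"` line, and return `"#{@conf_param_name}-#{@username}"` from `resource_id`. The `|| "SA"` fallback in `resource_id` is already redundant, because `||=` mutated the same hash object that `@opts` references. The same full-`opts` storage appears in the oracledb_conf hunk further down.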
|
@@ -43,6 +43,7 @@ module Inspec::Resources
|
|
43
43
|
@host = host
|
44
44
|
@port = port
|
45
45
|
@socket = socket
|
46
|
+
@db = nil
|
46
47
|
init_fallback if user.nil? || pass.nil?
|
47
48
|
raise Inspec::Exceptions::ResourceFailed, "Can't run MySQL SQL checks without authentication." if @user.nil? || @pass.nil?
|
48
49
|
|
@@ -52,7 +53,9 @@ module Inspec::Resources
|
|
52
53
|
def query(q, db = "")
|
53
54
|
raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
|
54
55
|
|
55
|
-
|
56
|
+
@db = db
|
57
|
+
mysql_cmd = create_mysql_cmd(q, @db)
|
58
|
+
|
56
59
|
cmd = if !@pass.nil?
|
57
60
|
inspec.command(mysql_cmd, redact_regex: /(mysql -u\w+ -p).+(\s-(h|S).*)/)
|
58
61
|
else
|
@@ -66,6 +69,10 @@ module Inspec::Resources
|
|
66
69
|
end
|
67
70
|
end
|
68
71
|
|
72
|
+
def resource_id
|
73
|
+
"mysql_session:User:#{@user}:Host:#{@host}:Database:#{@db}"
|
74
|
+
end
|
75
|
+
|
69
76
|
def to_s
|
70
77
|
"MySQL Session"
|
71
78
|
end
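Review bot: `resource_id` reads `@db`, which `query` in the previous hunk overwrites on every call, so the identifier of one resource instance changes with the last database queried and reads `mysql_session:User:...:Database:` with an empty tail until the first query runs; identifiers should be stable for the lifetime of the resource. If a database belongs in the id, derive it from constructor input rather than from the mutable `@db`, or drop the segment: `"mysql_session:User:#{@user}:Host:#{@host}"`. The `@db = nil` line added in the first hunk exists only to serve this reader and can go with it.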
|
@@ -18,12 +18,13 @@ module Inspec::Resources
|
|
18
18
|
its('modules') { should include 'my_module' }
|
19
19
|
end
|
20
20
|
EXAMPLE
|
21
|
-
attr_reader :params, :bin_dir
|
21
|
+
attr_reader :params, :bin_dir, :nginx_path
|
22
22
|
|
23
23
|
def initialize(nginx_path = "/usr/sbin/nginx")
|
24
24
|
return skip_resource "The `nginx` resource is not yet available on your OS." if inspec.os.windows?
|
25
25
|
return skip_resource "The `nginx` binary not found in the path provided." unless inspec.command(nginx_path).exist?
|
26
26
|
|
27
|
+
@nginx_path = nginx_path
|
27
28
|
cmd = inspec.command("#{nginx_path} -V 2>&1")
|
28
29
|
if cmd.exit_status != 0
|
29
30
|
return skip_resource "Error using the command nginx -V"
|
@@ -59,6 +60,10 @@ module Inspec::Resources
|
|
59
60
|
@data.scan(/--with-(\S+)_module/).flatten
|
60
61
|
end
|
61
62
|
|
63
|
+
def resource_id
|
64
|
+
nginx_path || "nginx"
|
65
|
+
end
|
66
|
+
|
62
67
|
def to_s
|
63
68
|
"Nginx Environment"
|
64
69
|
end
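Review bot: `@nginx_path = nginx_path` is assigned after the two `return skip_resource` guards in `initialize`, so a skipped instance (Windows, or binary not found) reports `resource_id` as the fallback `"nginx"` rather than the path it was asked to inspect, which hides which path was probed from the skip report. Moving the assignment to the first line of `initialize`, before the guards, keeps the id meaningful in both cases; the `|| "nginx"` fallback then only covers an explicit nil argument. Both hunks are in the same file and the second ends at `to_s`.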
|
data/lib/inspec/resources/npm.rb
CHANGED
@@ -6,6 +6,12 @@ module Inspec::Resources
|
|
6
6
|
supports platform: "unix"
|
7
7
|
supports platform: "windows"
|
8
8
|
|
9
|
+
example <<~EXAMPLE
|
10
|
+
describe opa_api(url: "localhost:8181/v1/data/example/violation", data: "input.json") do
|
11
|
+
its(["result"]) { should eq 'value' }
|
12
|
+
end
|
13
|
+
EXAMPLE
|
14
|
+
|
9
15
|
def initialize(opts = {})
|
10
16
|
@url = opts[:url] || nil
|
11
17
|
@data = opts[:data] || nil
|
@@ -18,6 +24,10 @@ module Inspec::Resources
|
|
18
24
|
@content["result"]
|
19
25
|
end
|
20
26
|
|
27
|
+
def resource_id
|
28
|
+
@url || "opa_api"
|
29
|
+
end
|
30
|
+
|
21
31
|
def to_s
|
22
32
|
"OPA api"
|
23
33
|
end
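Review bot: The new example uses single-quoted `'value'` while the rest of this file and the matching opa_cli example use double quotes; `its(["result"]) { should eq "value" }` keeps the style consistent. Separately, `resource_id` returns `@url` verbatim, so whatever the caller passes, including any userinfo or query string embedded in the URL, is copied into report identifiers; if that is not intended, reduce it to host and path before using it as the id.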
|
@@ -6,6 +6,12 @@ module Inspec::Resources
|
|
6
6
|
supports platform: "unix"
|
7
7
|
supports platform: "windows"
|
8
8
|
|
9
|
+
example <<~EXAMPLE
|
10
|
+
describe opa_cli(policy: "example.rego", data: "input.json", query: "data.example.allow") do
|
11
|
+
its(["result"]) { should eq "value" }
|
12
|
+
end
|
13
|
+
EXAMPLE
|
14
|
+
|
9
15
|
def initialize(opts = {})
|
10
16
|
@opa_executable_path = opts[:opa_executable_path] || "opa" # if this path is not provided then we will assume that it's been set in the ENV PATH
|
11
17
|
@policy = opts[:policy] || nil
|
@@ -22,6 +28,14 @@ module Inspec::Resources
|
|
22
28
|
@content["result"][0]["expressions"][0]["value"] if @content["result"][0]["expressions"][0]["text"].include?("allow")
|
23
29
|
end
|
24
30
|
|
31
|
+
def resource_id
|
32
|
+
if @policy.nil? && @query.nil?
|
33
|
+
"opa_cli"
|
34
|
+
else
|
35
|
+
"#{@policy}:#{@query}"
|
36
|
+
end
|
37
|
+
end
|
38
|
+
|
25
39
|
def to_s
|
26
40
|
"OPA cli"
|
27
41
|
end
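Review bot: `resource_id` only falls back to `"opa_cli"` when both `@policy` and `@query` are nil; with exactly one of them set it yields a malformed id such as `:data.example.allow` or `example.rego:`. Joining the present parts handles all three cases: `id = [@policy, @query].compact.join(":")` / `id.empty? ? "opa_cli" : id`.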
|
@@ -17,6 +17,7 @@ module Inspec::Resources
|
|
17
17
|
|
18
18
|
def initialize(opts = {})
|
19
19
|
@oracledb_session = inspec.oracledb_session(opts)
|
20
|
+
@opts = opts
|
20
21
|
end
|
21
22
|
|
22
23
|
def method_missing(name)
|
@@ -28,6 +29,10 @@ module Inspec::Resources
|
|
28
29
|
"Oracle DB Configuration"
|
29
30
|
end
|
30
31
|
|
32
|
+
def resource_id
|
33
|
+
@opts[:user] || ""
|
34
|
+
end
|
35
|
+
|
31
36
|
private
|
32
37
|
|
33
38
|
def determine_database_setting(setting)
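Review bot: `resource_id` falls back to `""` when no `:user` option is given, producing an empty identifier, whereas the sibling resources in this release fall back to the resource name (`"opa_api"`, `"parse_config"`); use `@opts[:user] || "oracledb_conf"`. Storing the whole `opts` hash in the first hunk just to read one key has the drawback already noted for mssql_sys_conf: `@user = opts[:user]` is all that is needed, and it avoids keeping session credentials on this object if `opts` carries them.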
|
data/lib/inspec/resources/os.rb
CHANGED
@@ -68,6 +68,10 @@ module Inspec::Resources
|
|
68
68
|
end
|
69
69
|
end
|
70
70
|
|
71
|
+
def resource_id
|
72
|
+
@content || "parse_config"
|
73
|
+
end
|
74
|
+
|
71
75
|
def to_s
|
72
76
|
"Parse Config #{@conf_path}"
|
73
77
|
end
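Review bot: `resource_id` returns `@content`, which is assigned outside this hunk and, judging by the resource's name, is presumably the raw configuration text handed to `parse_config`; if so, the identifier becomes the entire configuration body, resource ids flow into reporters, and every report would carry a copy of the parsed config including any secrets it contains, while the id would also differ between hosts whose files differ trivially. A short, content-independent id is safer: the fixed `"parse_config"` string, or a digest if uniqueness is wanted, `Digest::SHA256.hexdigest(@content)` with `require "digest"`. The `ParseConfigFile` hunk below is fine because it uses the path.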
|
@@ -104,8 +108,13 @@ module Inspec::Resources
|
|
104
108
|
EXAMPLE
|
105
109
|
|
106
110
|
def initialize(path, opts = nil)
|
111
|
+
@path = path
|
107
112
|
super(nil, opts)
|
108
|
-
parse_file(path)
|
113
|
+
parse_file(@path)
|
114
|
+
end
|
115
|
+
|
116
|
+
def resource_id
|
117
|
+
@path || "parse_config_file"
|
109
118
|
end
|
110
119
|
|
111
120
|
def to_s
|