inspec-core 5.12.2 → 5.18.14

data/lib/inspec/resources/php_config.rb

@@ -0,0 +1,72 @@
+require "inspec/resources/command"
+
+module Inspec::Resources
+  class PhpConfig < Inspec.resource(1)
+    # Resource's internal name.
+    name "php_config"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the php_config InSpec audit resource to test PHP config parameters"
+
+    example <<~EXAMPLE
+      describe php_config("config_param") do
+        its("value") { should eq "some_value" }
+      end
+
+      describe php_config("config_param", { "ini" => "path_to_ini_file" }) do
+        its("value") { should eq "some_value"  }
+      end
+    EXAMPLE
+
+    # Resource initialization.
+    attr_reader :config_param, :config_file_or_path
+    def initialize(config_param, config_file_or_path = {})
+      @config_param = config_param
+      @config_file_or_path = config_file_or_path
+    end
+
+    # Unique resource id
+    def resource_id
+      config_param
+    end
+
+    # Resource appearance in test reports.
+    def to_s
+      "php_config #{resource_id}"
+    end
+
+    # Returns the value evaluated for the initialized config parameter
+    def value
+      php_utility = find_utility_or_error
+
+      # The keys in the hash provided by user can be string or symbols.
+      # Converting the key to symbols to handle scenario when "ini" key is provided as string.
+      config_file_or_path.transform_keys(&:to_sym)
+
+      # Assign the path with -c option for ini file provided by the user if any.
+      php_ini_file = !config_file_or_path.empty? && config_file_or_path.key?(:ini) ? "-c #{config_file_or_path[:ini]}" : ""
+
+      # The below command `get_cfg_var` is used to fetch the value for any config parameter.
+      php_cmd = "#{php_utility} #{php_ini_file} -r 'echo get_cfg_var(\"#{config_param}\");'"
+      config_value_cmd = inspec.command(php_cmd)
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{php_cmd} failed: #{config_value_cmd.stderr}" if config_value_cmd.exit_status.to_i != 0
+
+      config_value = config_value_cmd.stdout.strip
+
+      # Convert value to integer if the config value are digits.
+      config_value.match(/^(\d)+$/) ? config_value.to_i : config_value
+    end
+
+    private
+
+    # Method to check if php is present or not on the system.
+    def find_utility_or_error
+      %w{/usr/sbin/php /sbin/php php}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `php` on your system."
+    end
+  end
+end

data/lib/inspec/resources/pip.rb

@@ -56,6 +56,10 @@ module Inspec::Resources
       info[:version]
     end
 
+    def resource_id
+      @package_name || "pip"
+    end
+
     def to_s
       "Pip Package #{@package_name}"
     end

data/lib/inspec/resources/platform.rb

@@ -93,6 +93,10 @@ module Inspec::Resources
       key.to_s.tr("-", "_").to_sym
     end
 
+    def resource_id
+      @platform.name || "platform"
+    end
+
     def to_s
       "Platform Detection"
     end

data/lib/inspec/resources/postfix_conf.rb

@@ -22,6 +22,10 @@ module Inspec::Resources
       SimpleConfig.new(content).params
     end
 
+    def resource_id
+      "Postfix Conf"
+    end
+
     def to_s
       "Postfix Mail Transfer Agent"
     end

data/lib/inspec/resources/postgres_conf.rb

@@ -64,6 +64,10 @@ module Inspec::Resources
       param
     end
 
+    def resource_id
+      @conf_path || "postgres_conf"
+    end
+
     def to_s
       "PostgreSQL Configuration"
     end

data/lib/inspec/resources/postgres_session.rb

@@ -4,9 +4,9 @@ require "shellwords" unless defined?(Shellwords)
 
 module Inspec::Resources
   class Lines
-    attr_reader :output
+    attr_reader :output, :exit_status
 
-    def initialize(raw, desc)
+    def initialize(raw, desc, exit_status)
       @output = raw
       @desc = desc
     end
@@ -58,12 +58,16 @@ module Inspec::Resources
       if cmd.exit_status != 0 && ( out =~ /could not connect to/ || out =~ /password authentication failed/ ) && out.downcase =~ /error:/
         raise Inspec::Exceptions::ResourceFailed, "PostgreSQL connection error: #{out}"
       elsif cmd.exit_status != 0 && out.downcase =~ /error:/
-        Lines.new(out, "PostgreSQL query with error: #{query}")
+        Lines.new(out, "PostgreSQL query with error: #{query}", cmd.exit_status)
       else
-        Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")
+        Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}", cmd.exit_status)
       end
     end
 
+    def resource_id
+      "postgress_session:User:#{@user}:Host:#{@host}"
+    end
+
     private
 
     def escaped_query(query)

data/lib/inspec/resources/powershell.rb

@@ -49,6 +49,10 @@ module Inspec::Resources
     def to_s
       "Powershell"
     end
+
+    def resource_id
+      "Powershell"
+    end
   end
 
   PowershellScript = Powershell

data/lib/inspec/resources/processes.rb

@@ -43,7 +43,7 @@ module Inspec::Resources
 
       all_cmds = ps_axo
       @list = all_cmds.find_all do |hm|
-        hm[:command] =~ grep
+        hm[:command] =~ grep || hm[:process_name] =~ grep
       end
     end
 
@@ -60,6 +60,17 @@ module Inspec::Resources
       @list
     end
 
+    # Matcher to check if the process is running
+    def running?
+      # A process is considered running if:
+      # unix: it is in running(R) state or either of sleep state(D: Uninterruptible or S: Interruptible)
+      # windows: it is responding i.e. state is True.
+
+      # Other codes like <(high priorty), N(low priority), +(foreground process group) etc. may appear after the state code in unix.
+      # Hence the regex used is /^statecode+/ where statecode is either R, S, or D.
+      states.any? and !!(states[0] =~ /True/ || states[0] =~ /^R+/ || states[0] =~ /^D+/ || states[0] =~ /^S+/)
+    end
+
     filter = FilterTable.create
     filter.register_column(:labels, field: "label")
       .register_column(:pids,     field: "pid")
@@ -73,6 +84,7 @@ module Inspec::Resources
       .register_column(:time,     field: "time")
       .register_column(:users,    field: "user")
       .register_column(:commands, field: "command")
+      .register_column(:process_name, field: "process_name")
       .install_filter_methods_on_resource(self, :filtered_processes)
 
     private
@@ -87,9 +99,9 @@ module Inspec::Resources
       if os.linux?
         command, regex, field_map = ps_configuration_for_linux
       elsif os.windows?
-        command = '$Proc = Get-Process -IncludeUserName | Where-Object {$_.Path -ne $null } | Select-Object PriorityClass,Id,CPU,PM,VirtualMemorySize,NPM,SessionId,Responding,StartTime,TotalProcessorTime,UserName,Path | ConvertTo-Csv -NoTypeInformation;$Proc.Replace("""","").Replace("`r`n","`n")'
+        command = '$Proc = Get-Process -IncludeUserName | Select-Object PriorityClass,Id,CPU,PM,VirtualMemorySize,NPM,SessionId,Responding,StartTime,TotalProcessorTime,UserName,Path,ProcessName | ConvertTo-Csv -NoTypeInformation;$Proc.Replace("""","").Replace("`r`n","`n")'
         # Wanted to use /(?:^|,)([^,]*)/; works on rubular.com not sure why here?
-        regex = /^(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+)$/
+        regex = /^(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*),(.*)$/
         field_map = {
           pid: 2,
           cpu: 3,
@@ -102,6 +114,7 @@ module Inspec::Resources
           time: 10,
           user: 11,
           command: 12,
+          process_name: 13,
         }
       else
         command = "ps axo pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user,command"
@@ -193,7 +206,7 @@ module Inspec::Resources
 
         # build a hash of process data that we'll turn into a struct for FilterTable
         process_data = {}
-        %i{label pid cpu mem vsz rss tty stat start time user command}.each do |param|
+        %i{label pid cpu mem vsz rss tty stat start time user command process_name}.each do |param|
           # not all operating systems support all fields, so skip the field if we don't have it
           process_data[param] = line[field_map[param]] if field_map.key?(param)
         end

data/lib/inspec/resources/rabbitmq_config.rb

@@ -32,6 +32,10 @@ module Inspec::Resources
       "rabbitmq_config #{@conf_path}"
     end
 
+    def resource_id
+      @conf_path
+    end
+
     private
 
     def read_content

data/lib/inspec/resources/registry_key.rb

@@ -140,6 +140,10 @@ module Inspec::Resources
       "Registry Key #{@options[:name]}"
     end
 
+    def resource_id
+      @options[:path]
+    end
+
     private
 
     def prep_prop(property)

data/lib/inspec/resources/security_identifier.rb

@@ -51,6 +51,10 @@ module Inspec::Resources
       "Security Identifier"
     end
 
+    def resource_id
+      @name
+    end
+
     private
 
     def fetch_sids

data/lib/inspec/resources/security_policy.rb

@@ -112,6 +112,10 @@ module Inspec::Resources
       "Security Policy"
     end
 
+    def resource_id
+      "Security Policy"
+    end
+
     private
 
     def read_content

data/lib/inspec/resources/service.rb

@@ -182,7 +182,9 @@ module Inspec::Resources
       when "aix"
         SrcMstr.new(inspec)
       when "amazon"
-        if os[:release] =~ /^20\d\d/
+        # If `initctl` exists on the system, use `Upstart`. Else use `Systemd` since all-new Amazon Linux supports `systemctl`.
+        # This way, it is not dependent on the version of Amazon Linux.
+        if inspec.command("initctl").exist? || inspec.command("/sbin/initctl").exist?
           Upstart.new(inspec, service_ctl)
         else
           Systemd.new(inspec, service_ctl)
@@ -271,6 +273,34 @@ module Inspec::Resources
       info[:startname]
     end
 
+    # matcher equivalent to startmode property; compares start-up mode
+    # supported only on windows.
+    def has_start_mode?(mode)
+      raise Inspec::Exceptions::ResourceSkipped, "The `has_start_mode` matcher is not supported on your OS yet." unless inspec.os.windows?
+
+      mode == startmode
+    end
+
+    # matcher to check if the service is monitored by the given monitoring tool/software
+    def monitored_by?(monitoring_tool)
+      # Currently supported monitoring tools are: monit & god
+      # To add support for new monitoring tools, extend the case statement with additional monitoring tool and
+      # add the definition and logic in a new class (inheriting the base class MonitoringTool: optional)
+      case monitoring_tool
+      when "monit"
+        current_monitoring_tool = Monit.new(inspec, @service_name)
+      when "god"
+        current_monitoring_tool = God.new(inspec, @service_name)
+      else
+        puts "The monitoring tool #{monitoring_tool} is not yet supported by InSpec."
+      end
+      current_monitoring_tool.is_service_monitored?
+    end
+
+    def resource_id
+      @service_name || "Service"
+    end
+
     def to_s
       "Service #{@service_name}"
     end
@@ -893,4 +923,53 @@ module Inspec::Resources
       Runit.new(inspec, service_ctl)
     end
   end
+
+  # Helper class for monitored_by matcher
+  class MonitoringTool
+    attr_reader :inspec, :service_name
+    def initialize(inspec, service_name)
+      @inspec = inspec
+      @service_name ||= service_name
+    end
+
+    def find_utility_or_error(utility_name)
+      [ "/usr/sbin/#{utility_name}" , "/sbin/#{utility_name}" , "/usr/bin/#{utility_name}" , "/bin/#{utility_name}" , "#{utility_name}" ].each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `#{utility_name}`"
+    end
+  end
+
+  class Monit < MonitoringTool
+    def is_service_monitored?
+      utility = find_utility_or_error("monit")
+      utility_cmd = inspec.command("#{utility} summary")
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{utility} summary failed: #{utility_cmd.stderr}" if utility_cmd.exit_status.to_i != 0
+
+      monitoring_info = utility_cmd.stdout.split("\n")
+      monitoring_info.map! { |info| info.strip.squeeze(" ") }
+      is_monitored = false
+      monitoring_info.each do |info|
+        if info =~ /^#{service_name} OK.*/
+          is_monitored = true
+          break
+        end
+      end
+      is_monitored
+    end
+  end
+
+  class God < MonitoringTool
+    def is_service_monitored?
+      utility = find_utility_or_error("god")
+      utility_cmd = inspec.command("#{utility} status #{service_name}")
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{utility} status #{service_name} failed: #{utility_cmd.stderr}" if utility_cmd.exit_status.to_i != 0
+
+      monitoring_info = utility_cmd.stdout.strip
+      monitoring_info =~ /^#{service_name}: up/
+    end
+  end
 end

data/lib/inspec/resources/ssh_config.rb

@@ -57,6 +57,10 @@ module Inspec::Resources
       "SSH Configuration"
     end
 
+    def resource_id
+      @conf_path || "SSH Configuration"
+    end
+
     private
 
     def read_content

data/lib/inspec/resources/sybase_conf.rb

@@ -29,6 +29,10 @@ module Inspec::Resources
       sql_query.row(0).column("Config Value").value
     end
 
+    def resource_id
+      conf_param || "Sybase config settings"
+    end
+
     def to_s
       "Sybase Conf #{conf_param}"
     end

data/lib/inspec/resources/sybase_session.rb

@@ -64,6 +64,10 @@ module Inspec::Resources
       DatabaseHelper::SQLQueryResult.new(isql_cmd, parse_csv_result(isql_cmd.stdout))
     end
 
+    def resource_id
+      @database || "Sybase Session"
+    end
+
     def to_s
       "Sybase Session"
     end

data/lib/inspec/resources/sys_info.rb

@@ -112,6 +112,10 @@ module Inspec::Resources
       end
     end
 
+    def resource_id
+      "sys_info"
+    end
+
     def to_s
       "System Information"
     end

data/lib/inspec/resources/timezone.rb

@@ -52,6 +52,10 @@ module Inspec::Resources
       @output["time_offset"]
     end
 
+    def resource_id
+      "timezone"
+    end
+
     def to_s
       "Time Zone resource"
     end

data/lib/inspec/resources/users.rb

@@ -307,6 +307,10 @@ module Inspec::Resources
       shadow_information[1]
     end
 
+    def resource_id
+      @username || "User"
+    end
+
     def to_s
       "User #{@username}"
     end

data/lib/inspec/resources/vbscript.rb

@@ -51,6 +51,11 @@ module Inspec::Resources
       @result ||= parse_stdout
     end
 
+    # vbscript can be of multiple lines so that can't be used as UUID so using the hardcoded string.
+    def resource_id
+      "Windows VBScript"
+    end
+
     def to_s
       "Windows VBScript"
     end

data/lib/inspec/resources/virtualization.rb

@@ -59,6 +59,10 @@ module Inspec::Resources
       collect_data_linux
     end
 
+    def resource_id
+      @virtualization_data[:system] || "virtualization"
+    end
+
     def to_s
       "Virtualization Detection"
     end

data/lib/inspec/resources/windows_feature.rb

@@ -59,8 +59,12 @@ module Inspec::Resources
       @cache
     end
 
+    def resource_id
+      @feature
+    end
+
     def to_s
-      "Windows Feature '#{@feature}'"
+      @feature || "windows_feature"
     end
 
     private

data/lib/inspec/resources/windows_firewall.rb

@@ -21,6 +21,10 @@ module Inspec::Resources
       @state = JSON.load(cmd.stdout) unless cmd.stdout.empty?
     end
 
+    def resource_id
+      @profile || "windows_firewall"
+    end
+
     def to_s
       "Windows Firewall (Profile #{@profile})"
     end

data/lib/inspec/resources/windows_firewall_rule.rb

@@ -23,6 +23,10 @@ module Inspec::Resources
       @state = JSON.load(cmd.stdout) unless cmd.stdout.empty?
     end
 
+    def resource_id
+      @name || "windows_firewall_rule"
+    end
+
     def to_s
       "Windows Firewall Rule #{@name}"
     end

data/lib/inspec/resources/windows_hotfix.rb

@@ -24,6 +24,10 @@ module Inspec::Resources
       @content = cmd.stdout
     end
 
+    def resource_id
+      @id || "windows_hotfix"
+    end
+
     def to_s
       "Windows Hotfix #{@id}"
     end

data/lib/inspec/resources/windows_task.rb

@@ -105,6 +105,10 @@ module Inspec::Resources
       }
     end
 
+    def resource_id
+      @taskuri || "windows_task"
+    end
+
     def to_s
       "Windows Task '#{@taskuri}'"
     end

data/lib/inspec/resources/wmi.rb

@@ -95,6 +95,10 @@ module Inspec::Resources
       @content
     end
 
+    def resource_id
+      @options[:class] || "WMI"
+    end
+
     def to_s
       "WMI with #{@options}"
     end

data/lib/inspec/resources/x509_certificate.rb

@@ -83,6 +83,11 @@ module Inspec::Resources
       @parsed_subject = Hashie::Mash.new(Hash[@cert.subject.to_a.map { |k, v, _| [k, v] }])
     end
 
+    # This property is equivalent to subject.emailAddress
+    def email
+      subject.emailAddress
+    end
+
     def issuer_dn
       return if @cert.nil?
 
@@ -104,6 +109,8 @@ module Inspec::Resources
       @cert.public_key.n.num_bytes * 8
     end
 
+    alias :keylength :key_length
+
     def validity_in_days
       (not_after - Time.now.utc) / 86400
     end
@@ -138,6 +145,50 @@ module Inspec::Resources
       @extensions
     end
 
+    # check purpose of the certificate
+    def has_purpose?(purpose)
+      # If we have the filepath in our options we use the filepath to fetch the purposes.
+      # Else, we create a temporary file and write the content to that file.
+      # Then, use the temporary file to fetch the purposes.
+      # Todo: Check if this can be optimized or improved.
+
+      if @opts[:filepath]
+        cert_purpose = fetch_purpose(@opts[:filepath])
+      else
+        begin
+          f = File.open("temporary_certificate.pem", "w")
+          f.write(@cert.to_pem)
+          f.rewind
+          cert_purpose = fetch_purpose("temporary_certificate.pem")
+        ensure
+          f.close unless f.nil? || f.closed?
+          File.delete("temporary_certificate.pem") if File.exist? "temporary_certificate.pem"
+        end
+      end
+      cert_purpose =~ /purpose/ ? true : false
+    end
+
+    def fetch_purpose(cert_file_or_path)
+      openssl_utility = check_openssl_or_error
+
+      # The below command is used to view the Certificate purposes
+      # The -in argument expects a certificate file or path to certificate file.
+      cert_purpose_cmd = "#{openssl_utility} x509 -noout -purpose -in #{cert_file_or_path}"
+      cert_purpose = inspec.command(cert_purpose_cmd)
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{cert_purpose_cmd} failed: #{cert_purpose.stderr}" if cert_purpose.exit_status.to_i != 0
+
+      cert_purpose.stdout
+    end
+
+    def subject_alt_names
+      extensions["subjectAltName"]
+    end
+
+    def resource_id
+      @opts[:filepath] || subject.CN || "x509 Certificate"
+    end
+
     def to_s
       cert = @opts[:filepath]
       cert ||= subject.CN
@@ -153,5 +204,13 @@ module Inspec::Resources
         opts
       end
     end
+
+    def check_openssl_or_error
+      %w{/usr/sbin/openssl /usr/bin/openssl /sbin/openssl /bin/openssl openssl}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `openssl` on your system."
+    end
   end
 end