inspec-core 5.7.9 → 5.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4c3af1b1fd71ded2286e8aa90c46c74dd20f7fb31c525e56ae03e52952c26b0f
-  data.tar.gz: 507db51585f790cc26af852626b3bb52f8a35f36870ee563902234f1c2664a2a
+  metadata.gz: 3cb92e0f21964ecac43d5d9f208e7a2b07a57c2daa0fef4aad06515f933b9072
+  data.tar.gz: 6c4d5f59ed6dde73193198f4ad32c801515cec12d9c04924765d1ac7ee4bd5bc
 SHA512:
-  metadata.gz: 00447ba26c980417a501be959fb8ca85268db4e600417c11a912181da2c75c41169d419f1177fac484a12c1c405cae3aab5912ec9cab24f9a9e4adf355d40faa
-  data.tar.gz: f007b4bc1998187a7313f34f8739145f5e511500e2c9ca280b7163495a6909646be25fed9b4307a27f370e5e36b94b36b558c9e8d5c67079dc6cf24fb93029ea
+  metadata.gz: 8397f679eea47dead2cb1952026b74c800adf7ea650120597b714c3ccdef1c7e0eeb6af387458a31c028173a6bc332b07de103d4d545dbd37257573b77c6e0b1
+  data.tar.gz: 96d8ac046aa00ec95fc173e81c28999d744ed823af7a4a6401e9d1776817e303e451e7c8d46450d2c39c02e6ef4ff4c82d1c425683e82299effa2f3384f9f93e

data/etc/deprecations.json

@@ -83,11 +83,6 @@
       "suffix": "This resource was removed in InSpec 4.0.",
       "comment": "Needed for ServerSpec compatibility"
     },
-    "resource_ppa": {
-      "action": "exit",
-      "suffix": "This resource was removed in InSpec 4.0.",
-      "comment": "Needed for ServerSpec compatibility"
-    },
     "resource_script": {
       "action": "exit",
       "suffix": "This resource will be removed in InSpec 4.0"

data/lib/inspec/cli.rb

@@ -95,6 +95,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   desc "check PATH", "verify all tests at the specified PATH"
   option :format, type: :string,
     desc: "The output format to use doc (default), json. If valid format is not provided then it will use the default."
+  option :with_cookstyle, type: :boolean,
+    desc: "Enable or disable cookstyle checks.", default: false
   profile_options
   def check(path) # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
     o = config

data/lib/inspec/plugin/v2/installer.rb

@@ -149,12 +149,19 @@ module Inspec::Plugin::V2
 
       gem_info = {}
       matched_tuples.each do |tuple|
-        gem_info[tuple.first.name] ||= []
-        gem_info[tuple.first.name] << tuple.first.version.to_s
+        gem_info[tuple.first.name] ||= {}
+        gem_info[tuple.first.name]["versions"] ||= []
+        gem_info[tuple.first.name]["versions"] << tuple.first.version.to_s
+        gem_info[tuple.first.name]["description"] ||= fetch_plugin_specs(fetcher, tuple.first.name)&.summary
       end
       gem_info
     end
 
+    def fetch_plugin_specs(fetcher, gem_name)
+      plugin_dependency = Gem::Dependency.new(gem_name)
+      fetcher.spec_for_dependency(plugin_dependency).flatten.first
+    end
+
     # Testing API.  Performs a hard reset on the installer and registry, and reloads the loader.
     # Not for public use.
     # TODO: bad timing coupling in tests

data/lib/inspec/plugin/v2/loader.rb

@@ -259,10 +259,15 @@ module Inspec::Plugin::V2
         status.entry_point = File.join(plugin_dir, "lib", status.name.to_s + ".rb")
         status.installation_type = :core
         status.loaded = false
+        status.description = fetch_gemspec(File.join(plugin_dir, status.name.to_s + ".gemspec"))&.summary
         registry[status.name.to_sym] = status
       end
     end
 
+    def fetch_gemspec(spec_file)
+      Gem::Specification.load(spec_file)
+    end
+
     def read_conf_file_into_registry
       conf_file.each do |plugin_entry|
         status = Inspec::Plugin::V2::Status.new
@@ -273,6 +278,7 @@ module Inspec::Plugin::V2
         when :user_gem
           status.entry_point = status.name.to_s
           status.version = plugin_entry[:version]
+          status.description = fetch_plugin_specs(status.name.to_s)&.summary
         when :path
           status.entry_point = plugin_entry[:installation_path]
         end
@@ -281,6 +287,12 @@ module Inspec::Plugin::V2
       end
     end
 
+    def fetch_plugin_specs(plugin_name)
+      fetcher = Gem::SpecFetcher.fetcher
+      plugin_dependency = Gem::Dependency.new(plugin_name)
+      fetcher.spec_for_dependency(plugin_dependency).flatten.first
+    end
+
     def fixup_train_plugin_status(status)
       status.api_generation = :'train-1'
       if status.installation_type == :user_gem
@@ -327,6 +339,7 @@ module Inspec::Plugin::V2
         status.version = plugin_spec.version.to_s
         status.loaded = false
         status.installation_type = :system_gem
+        status.description = plugin_spec.summary
 
         if train_plugin_name?(status[:name])
           # Train plugins are not true InSpec plugins; we need to decorate them a

data/lib/inspec/plugin/v2/status.rb

@@ -14,7 +14,8 @@ module Inspec::Plugin::V2
     :loaded,                  # true, false False could mean not attempted or failed
     :load_exception,          # Exception class if it failed to load
     :name,                    # String name
-    :version # three-digit version.  Core / bundled plugins use InSpec version here.
+    :version,                 # three-digit version.  Core / bundled plugins use InSpec version here.
+    :description              # Description of plugin.
   ) do
     def initialize(*)
       super

data/lib/inspec/profile.rb

@@ -105,6 +105,7 @@ module Inspec
       @check_mode = options[:check_mode] || false
       @parent_profile = options[:parent_profile]
       @legacy_profile_path = options[:profiles_path] || false
+      @check_cookstyle = options[:with_cookstyle]
       Metadata.finalize(@source_reader.metadata, @profile_id, options)
 
       # if a backend has already been created, clone it so each profile has its own unique backend object
@@ -655,12 +656,13 @@ module Inspec
       end
 
       # Running cookstyle to check for code offenses
-      cookstyle_linting_check.each do |lint_output|
-        data = lint_output.split(":")
-        msg = "#{data[-2]}:#{data[-1]}"
-        offense.call(data[0], data[1], data[2], nil, msg)
+      if @check_cookstyle
+        cookstyle_linting_check.each do |lint_output|
+          data = lint_output.split(":")
+          msg = "#{data[-2]}:#{data[-1]}"
+          offense.call(data[0], data[1], data[2], nil, msg)
+        end
       end
-
       # profile is valid if we could not find any error & offenses
       result[:summary][:valid] = result[:errors].empty? && result[:offenses].empty?
 

data/lib/inspec/resources/apt.rb

@@ -135,19 +135,25 @@ module Inspec::Resources
 
   class PpaRepository < AptRepository
     name "ppa"
+    desc "Use the ppa InSpec audit resource to verify PPA repositories on the Debian-based linux platforms."
+    example <<~EXAMPLE
+      describe ppa('ubuntu-wine/ppa') do
+        it { should exist }
+        it { should be_enabled }
+      end
+
+      describe ppa('ppa:ubuntu-wine/ppa') do
+        it { should exist }
+        it { should be_enabled }
+      end
+    EXAMPLE
 
     def exists?
-      deprecated
       super()
     end
 
     def enabled?
-      deprecated
       super()
     end
-
-    def deprecated
-      Inspec.deprecate(:resource_ppa, "The `ppa` resource is deprecated. Please use `apt`")
-    end
   end
 end

data/lib/inspec/resources/cgroup.rb

@@ -0,0 +1,101 @@
+require "inspec/resources/command"
+module Inspec::Resources
+  class Cgroup < Inspec.resource(1)
+    name "cgroup"
+    # Restrict to only run on the below platform
+    supports platform: "linux"
+    desc "Use the cgroup InSpec audit resource to test cgroup subsytem's parameters."
+
+    example <<~EXAMPLE
+      describe cgroup("foo") do
+        its("cpuset.cpus") { should eq 0 }
+        its("memory.limit_in_bytes") { should eq 499712 }
+        its("memory.limit_in_bytes") { should be <= 500000 }
+        its("memory.numa_stat") { should match /total=0/ }
+      end
+    EXAMPLE
+
+    # Resource initialization.
+    def initialize(cgroup_name)
+      raise Inspec::Exceptions::ResourceSkipped, "The `cgroup` resource is not supported on your OS yet." unless inspec.os.linux?
+
+      @cgroup_name = cgroup_name
+      @valid_queries, @valid_queries_split = [], []
+      find_valid_queries
+      # Used to track the method calls in an "its" query
+      @cgroup_info_query = []
+    end
+
+    def resource_id
+      @cgroup_name
+    end
+
+    def to_s
+      "cgroup #{resource_id}"
+    end
+
+    def method_missing(param)
+      # Add the latest param we've seen to the list and form the query with all the params we've seen so far.
+      @cgroup_info_query << param.to_s
+      query = @cgroup_info_query.join(".")
+
+      # The ith level param must match with atleast one row's ith column of @valid_queries_split
+      # Else there is no way, we would find any valid query in further iteration, so raise exception.
+      if @valid_queries_split.map { |e| e[@cgroup_info_query.length - 1] }.include?(param.to_s)
+        # If the query form so far is part of @valid_queries, we are good to trigger find_cgroup_info
+        # else go for next level of param
+        if @valid_queries.include?(query)
+          @cgroup_info_query = []
+          find_cgroup_info(query)
+        else
+          self
+        end
+      else
+        @cgroup_info_query = []
+
+        raise Inspec::Exceptions::ResourceFailed, "The query #{query} does not appear to be valid."
+      end
+    end
+
+    private
+
+    # Method to find cgget tool
+    def find_cgget_or_error
+      %w{/usr/sbin/cgget /sbin/cgget cgget}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `cgget`"
+    end
+
+    # find the cgroup info of the query which is given as input by the user
+    def find_cgroup_info(query)
+      bin = find_cgget_or_error
+      cgget_cmd = "#{bin} -n -r #{query} #{@cgroup_name}"
+      cmd = inspec.command(cgget_cmd)
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing cgget failed: #{cmd.stderr}" if cmd.exit_status.to_i != 0
+
+      # For complex returns the user must use match /the_regex/
+      param_value = cmd.stdout.split(":")
+      return nil if param_value.nil? || param_value.empty?
+
+      param_value = param_value[1].strip.split("\t").join
+      param_value.match(/^\d+$/) ? param_value.to_i : param_value
+    end
+
+    # find all the information about all relevant controllers for the current cgroup
+    def find_valid_queries
+      bin = find_cgget_or_error
+      cgget_all_cmd = "#{bin} -n -a #{@cgroup_name}"
+      cmd = inspec.command(cgget_all_cmd)
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing cgget failed: #{cmd.stderr}" if cmd.exit_status.to_i != 0
+
+      queries = cmd.stdout.to_s.gsub(/:.*/, "").gsub(/^\s+.*/, "").split("\n")
+      # store the relevant controller parameters in @valid_queries and the dot splitted paramters into @valid_queries_split
+      @valid_queries = queries.map { |q| q if q.length > 0 }.compact
+      @valid_queries_split = @valid_queries.map { |q| q.split(".") }.compact
+    end
+  end
+end

data/lib/inspec/resources/default_gateway.rb

@@ -0,0 +1,61 @@
+require "inspec/resources/command"
+require_relative "routing_table"
+
+module Inspec::Resources
+  class Defaultgateway < Routingtable
+    # resource internal name.
+    name "default_gateway"
+
+    # Restrict to only run on the below platforms (if none were given,
+    # all OS's and cloud API's supported)
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "Use the `default_gateway` Chef InSpec audit resource to test the assigned ip address and interface for the default route."
+
+    example <<~EXAMPLE
+      describe default_gateway do
+        its(:ipaddress) { should eq '172.31.80.1' }
+      end
+      describe default_gateway do
+        its("interface") { should eq 'eth0' }
+      end
+    EXAMPLE
+
+    def initialize
+      skip_resource "The `default_gateway` resource is not yet available on your OS." unless inspec.os.unix? || inspec.os.windows?
+      # invoke the routing_table initialize; which populates the @routing_info
+      super()
+    end
+
+    # resource appearance in test reports.
+    def to_s
+      "default_gateway"
+    end
+
+    # fetches the ipaddress assigned to the default gateway
+    # default gateway's destination is either `default` or `0.0.0.0`
+    def ipaddress
+      # @routing_info is the hash populated in routing_table resource
+      # @routing_info contain values as:
+      # {
+      #   destination1: [ [gateway1x, interface1x], [gateway1y, interface1y] ],
+      #   destination2: [gateway2, interface2]
+      # }
+      %w{default 0.0.0.0}.each do |destination|
+        return @routing_info[destination][0][0] if @routing_info.key?(destination)
+      end
+      # raise exception because no destination with value default or 0.0.0.0 is found in the routing table
+      raise Inspec::Exceptions::ResourceFailed, "No routing found as part of default gateway"
+    end
+
+    # fetches the interface assigned to the default gateway
+    def interface
+      %w{default 0.0.0.0}.each do |destination|
+        return @routing_info[destination][0][1] if @routing_info.key?(destination)
+      end
+      # raise exception because no destination with value default or 0.0.0.0 is found in the routing table
+      raise Inspec::Exceptions::ResourceFailed, "No routing found as part of default gateway"
+    end
+  end
+end

data/lib/inspec/resources/docker_container.rb

@@ -43,6 +43,19 @@ module Inspec::Resources
       status.downcase.start_with?("up") if object_info.entries.length == 1
     end
 
+    # has_volume? matcher checks if the volume specified in source path of host is mounted in destination path of docker
+    def has_volume?(destination, source)
+      # volume_info is the hash which contains the low-level information about the container
+      # if Mounts key is not present or is nil; raise exception
+      raise Inspec::Exceptions::ResourceFailed, "Could not find any mounted volumes for your container" unless volume_info.Mounts[0]
+
+      # Iterate through the list of mounted volumes and check if it matches with the given destination and source
+      # is_mounted flag is used to handle to return explict boolean values of true or false
+      is_mounted = false
+      volume_info.Mounts.detect { |mount| is_mounted = mount.Destination == destination && mount.Source == source }
+      is_mounted
+    end
+
     def status
       object_info.status[0] if object_info.entries.length == 1
     end
@@ -87,5 +100,13 @@ module Inspec::Resources
       opts = @opts
       @info = inspec.docker.containers.where { names == opts[:name] || (!id.nil? && !opts[:id].nil? && (id == opts[:id] || id.start_with?(opts[:id]))) }
     end
+
+    # volume_info returns the low-level information obtained on docker inspect [container_name/id]
+    def volume_info
+      return @mount_info if defined?(@mount_info)
+
+      # Check for either docker inspect [container_name] or docker inspect [container_id]
+      @mount_info = inspec.docker.object(@opts[:name] || @opts[:id])
+    end
   end
 end

data/lib/inspec/resources/docker_image.rb

@@ -48,6 +48,25 @@ module Inspec::Resources
       object_info.tags[0] if object_info.entries.size == 1
     end
 
+    # method_missing handles when hash_keys are invoked to check information obtained on docker inspect [image_name]
+    def method_missing(*hash_keys)
+      # User can test the low-level inspect information in three ways:
+      # Way 1: Serverspec style: its(['Config.Cmd']) { should include some_value }
+      #        here, the value for hash_keys recieved is [:[], "Config.Cmd"]
+      # Way 2: InSpec style: its(['Config','Cmd']) { should include some_value }
+      #        here, the value for hash_keys recieved is [:[], "Config", "Cmd"]
+      # Way 3: Mix of both: its(['GraphDriver.Data','MergedDir']) { should include some_value }
+      #        here, the value for hash_keys recieved is [:[], "GraphDriver.Data", "MergedDir"]
+
+      # hash_keys are passed to this method to evaluate the value
+      image_hash_inspection(hash_keys)
+    end
+
+    # inspection property allows to test any of the hash key-value pairs as part of the image_inspect_info
+    def inspection
+      image_inspect_info
+    end
+
     def to_s
       img = @opts[:image] || @opts[:id]
       "Docker Image #{img}"
@@ -80,5 +99,39 @@ module Inspec::Resources
         (repository == opts[:repo] && tag == opts[:tag]) || (!id.nil? && !opts[:id].nil? && (id == opts[:id] || id.start_with?(opts[:id])))
       end
     end
+
+    # image_inspect_info returns the complete inspect hash_values of the image
+    def image_inspect_info
+      return @inspect_info if defined?(@inspect_info)
+
+      @inspect_info = inspec.docker.object(@opts[:image] || (!@opts[:id].nil? && @opts[:id]))
+    end
+
+    # image_hash_inspection formats the input hash_keys and checks if any value exists for such keys in @inspect_info(image_inspect_info)
+    def image_hash_inspection(hash_keys)
+      # The hash_keys recieved are in three formats as mentioned in method_missing
+      # The hash_keys recieved must be in array format [] and the zeroth index must be :[]
+      # Check for the conditions and remove the zeroth element from the hash_keys
+
+      hash_keys.shift if hash_keys.is_a?(Array) && hash_keys[0] == :[]
+
+      # When received hash_keys in Serverspec style or mix of both
+      # The hash_keys are to be splitted at '.' (dot) and flatten it so that it doesn't become array of arrays
+      # After splitting and flattening is done, hash_keys is now an array with individual keys
+      hash_keys = hash_keys.map { |key| key.split(".") }.flatten
+
+      # image_inspect_info returns the complete inspect hash_values of the image
+      # dig() finds the nested value specified by the sequence of the key object by calling dig at each step.
+      # hash_keys is the key object. If one of the key is bad, value will be nil.
+      hash_value = image_inspect_info.dig(*hash_keys)
+
+      # If one of the key is bad, hash_value will be nil, so raise exception which throws it in rescue block
+      # else return hash_value
+      raise Inspec::Exceptions::ResourceFailed if hash_value.nil?
+
+      hash_value
+    rescue
+      raise Inspec::Exceptions::ResourceFailed, "#{hash_keys.join(".")} is not a valid key for your image or has nil value."
+    end
   end
 end

data/lib/inspec/resources/file.rb

@@ -181,6 +181,34 @@ module Inspec::Resources
       inv_mode & file.mode != 0
     end
 
+    def immutable?
+      raise Inspec::Exceptions::ResourceSkipped, "The `be_immutable` matcher is not supported on your OS yet." unless inspec.os.unix?
+
+      if inspec.os.linux?
+        file_info = LinuxImmutableFlagCheck.new(inspec, file)
+      else
+        file_info = UnixImmutableFlagCheck.new(inspec, file)
+      end
+
+      file_info.is_immutable?
+    end
+
+    # parse the json file content and returns the content
+    def content_as_json
+      require "json" unless defined?(JSON)
+      JSON.parse(file.content)
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse the given JSON file: #{e.message}"
+    end
+
+    # parse the yaml file content and returns the content
+    def content_as_yaml
+      require "yaml" unless defined?(YAML)
+      YAML.load(file.content)
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse the given YAML file: #{e.message}"
+    end
+
     def to_s
       if file
         "File #{source_path}"
@@ -373,4 +401,67 @@ module Inspec::Resources
       end
     end
   end
+
+  # Helper class for immutable matcher.
+  class ImmutableFlagCheck
+    attr_reader :inspec, :file_path
+    def initialize(inspec, file)
+      @inspec = inspec
+      @file_path = file.path
+    end
+
+    def find_utility_or_error(utility_name)
+      [
+        "/usr/sbin/#{utility_name}",
+        "/sbin/#{utility_name}",
+        "/usr/bin/#{utility_name}",
+        "/bin/#{utility_name}",
+        "#{utility_name}",
+      ].each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `#{utility_name}`"
+    end
+  end
+
+  class LinuxImmutableFlagCheck < ImmutableFlagCheck
+    def is_immutable?
+      # Check if lsattr is available. In general, all linux system has lsattr & chattr
+      # This logic check is valid for immutable flag set with chattr
+      utility = find_utility_or_error("lsattr")
+      utility_cmd = inspec.command("#{utility} #{file_path}")
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{utility} #{file_path} failed: #{utility_cmd.stderr}" if utility_cmd.exit_status.to_i != 0
+
+      # General output for lsattr file_name is:
+      # ----i---------e----- file_name
+      # The fifth char resembles the immutable flag. Total 20 flags are allowed.
+      lsattr_info = utility_cmd.stdout.strip.squeeze(" ")
+      lsattr_info =~ /^.{4}i.{15} .*/
+    end
+  end
+
+  class UnixImmutableFlagCheck < ImmutableFlagCheck
+    def is_immutable?
+      # Check if chflags is available on the system. Most unix-like system comes with chflags.
+      # This logic check is valid for immutable flag set with chflags
+      find_utility_or_error("chflags")
+
+      # In general ls -lO is used to check immutable flag set by chflags
+      utility_cmd = inspec.command("ls -lO #{file_path}")
+
+      # But on some bsd system (eg: freebsd) ls -lo is used instead of ls -lO
+      utility_cmd = inspec.command("ls -lo #{file_path}") if utility_cmd.exit_status.to_i != 0
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing ls -lo #{file_path} and ls -lO #{file_path} failed: #{utility_cmd.stderr}" if utility_cmd.exit_status.to_i != 0
+
+      # General output for ls -lO file_name is:
+      # -rw-r--r--  1 current_user  1083951318  uchg 0 Apr  6 12:45 file_name
+      # The schg flag and the uchg flag represents the immutable flags
+      # uchg => user immutable flag, schg => system immutable flag.
+      file_info = utility_cmd.stdout.strip.split
+      file_info.include?("uchg") || file_info.include?("schg")
+    end
+  end
 end

data/lib/inspec/resources/groups.rb

@@ -145,6 +145,11 @@ module Inspec::Resources
       true
     end
 
+    # matcher equivalent to gid property.
+    def has_gid?(gid_value)
+      gid_value == gid
+    end
+
     def to_s
       "Group #{@group}"
     end

data/lib/inspec/resources/linux_audit_system.rb

@@ -0,0 +1,81 @@
+require "inspec/resources/command"
+module Inspec::Resources
+  class LinuxAuditSystem < Inspec.resource(1)
+    # Resource's internal name.
+    name "linux_audit_system"
+
+    # Restrict to only run on the below platforms (if none were given,
+    # all OS's and cloud API's supported)
+    supports platform: "linux"
+
+    desc "Use the `linux_audit_system` Chef InSpec audit resource to test the configuration of linux audit system."
+
+    example <<~EXAMPLE
+      describe linux_audit_system do
+        it { should be_enabled }
+        it { should be_running }
+        its("rules") { should include "-w /etc -p wa" }
+        its("rules") { should include %r{-w /etc -p wa} }
+        its("rules") { should include %r!-w /etc -p wa! }
+      end
+    EXAMPLE
+
+    attr_reader :auditctl_utility
+
+    # Resource initialization.
+    def initialize
+      skip_resource "The `linux_audit_system` resource is not yet available on your OS." unless inspec.os.linux?
+      @auditctl_utility = find_auditctl_or_error
+    end
+
+    # Resource appearance in test reports.
+    def to_s
+      "linux_audit_system"
+    end
+
+    # The be_enabled matcher checks if the auditing is enabled.
+    # The enabled flag 1 indicates that the auditing is enabled.
+    def enabled?
+      auditctl_cmd = inspec.command("#{auditctl_utility} -s | grep enabled")
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -s | grep enabled failed: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0
+
+      # Sample stdout: enabled 1
+      auditctl_enabled_status = auditctl_cmd.stdout.strip.split
+      auditctl_enabled_status[1].to_i == 1
+    end
+
+    # The be_running matcher checks if the audit daemon is running.
+    # A pid of 0 indicates that the audit daemon is not running.
+    def running?
+      auditctl_cmd = inspec.command("#{auditctl_utility} -s | grep pid")
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -s | grep enabled failed: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0
+
+      # Sample stdout: pid 682462
+      auditctl_running_status = auditctl_cmd.stdout.strip.split
+      !auditctl_running_status[1].nil? && auditctl_running_status[1].to_i != 0
+    end
+
+    # The rules property returns the array of audit rules obtained on auditctl -l.
+    # The auditctl -l list all rules, 1 per line.
+    def rules
+      auditctl_cmd = inspec.command("#{auditctl_utility} -l")
+
+      raise Inspec::Exceptions::ResourceFailed, "Executing #{auditctl_utility} -l: #{auditctl_cmd.stderr}" if auditctl_cmd.exit_status.to_i != 0
+
+      auditctl_cmd.stdout.strip.split("\n")
+    end
+
+    private
+
+    # Check if auditctl is available on the system.
+    def find_auditctl_or_error
+      %w{/usr/sbin/auditctl /sbin/auditctl auditctl}.each do |cmd|
+        return cmd if inspec.command(cmd).exist?
+      end
+
+      raise Inspec::Exceptions::ResourceFailed, "Could not find `auditctl`. This resource requires `auditctl` utility to be available on the system."
+    end
+  end
+end