inspec-core 4.10.4 → 4.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 431744ec266e2ed0cbde565cc232ee4bb944ff76076d8c10d381c73346796337
-  data.tar.gz: a8a844283829729c5a886a9e324e7fc22b31a986eb25e36c0a01fe7a26fbda78
+  metadata.gz: 873c4c83c46030d3a3adb7093f085650f8400c6bbfc7c87984ebc77305aa660b
+  data.tar.gz: '091ccf8b261dfeafac84a771ec549e46f015dcc9e5da9836982788df40c456c1'
 SHA512:
-  metadata.gz: 3678f2a31c972d7e6e08c3352249ce9bc72b82b7989a1758b70a3bdc41912cc0eb048bd70cc4da0794b929f53aacdfe6227e5defc13aeb3465cc5cc744393a8c
-  data.tar.gz: 5ded1f1c7315194f7ae8a791aea4e21221b524debdc4136fe2e60911b9c050c9e948af0529aca1eff1dcfd1e68a8f3ab17be448b65aab202bf16c789d0e7b4a1
+  metadata.gz: ed9c35b0c96d17f96eea08658b251812ac3f03c4912a1663b9d5de600a5d6637460bf223ca90e9ca84625298b5dce64f999ac8d019c2b615b621247c48e1693a
+  data.tar.gz: fca132a2f7221c41c78bf7379ccf74e4c07cc412d36da10817d99adc15a9c2e5a049f6311a8c6bf323a8c7deffed18462d8fb660b0c9669d5182b477cf3ca585

data/README.md

@@ -327,13 +327,13 @@ Remote Targets
 
 In addition, runtime support is provided for:
 
-| Platform | Versions |
-| -------- | -------- |
-| Debian   | 8, 9     |
-| RHEL     | 6, 7     |
-| Ubuntu   | 12.04+   |
-| Windows  | 7+       |
-| Windows  | 2012+    |
+| Platform | Versions | Arch   |
+| -------- | -------- | ------ |
+| Debian   | 8, 9     | x86_64 |
+| RHEL     | 6, 7     | x86_64 |
+| Ubuntu   | 12.04+   | x86_64 |
+| Windows  | 7+       | x86_64 |
+| Windows  | 2012+    | x86_64 |
 
 ## Documentation
 

data/lib/inspec/resources/command.rb

@@ -1,6 +1,8 @@
 # copyright: 2015, Vulcano Security GmbH
 
 require "inspec/resource"
+require "inspec/resources/platform"
+require "inspec/resources/os"
 
 module Inspec::Resources
   class Cmd < Inspec.resource(1)

data/lib/inspec/resources/dh_params.rb

@@ -1,81 +1,83 @@
 require "openssl"
 require "inspec/utils/file_reader"
 
-class DhParams < Inspec.resource(1)
-  name "dh_params"
-  supports platform: "unix"
-  desc '
-    Use the `dh_params` InSpec audit resource to test Diffie-Hellman (DH)
-    parameters.
-  '
-
-  example <<~EXAMPLE
-    describe dh_params('/path/to/file.dh_pem') do
-      it { should be_dh_params }
-      it { should be_valid }
-      its('generator') { should eq 2 }
-      its('modulus') { should eq '00:91:a0:15:89:e5:bc:38:93:12:02:fc:...' }
-      its('prime_length') { should eq 2048 }
-      its('pem') { should eq '-----BEGIN DH PARAMETERS...' }
-      its('text') { should eq 'PKCS#3 DH Parameters: (2048 bit)...' }
+module Inspec::Resources
+  class DhParams < Inspec.resource(1)
+    name "dh_params"
+    supports platform: "unix"
+    desc '
+      Use the `dh_params` InSpec audit resource to test Diffie-Hellman (DH)
+      parameters.
+    '
+
+    example <<~EXAMPLE
+      describe dh_params('/path/to/file.dh_pem') do
+        it { should be_dh_params }
+        it { should be_valid }
+        its('generator') { should eq 2 }
+        its('modulus') { should eq '00:91:a0:15:89:e5:bc:38:93:12:02:fc:...' }
+        its('prime_length') { should eq 2048 }
+        its('pem') { should eq '-----BEGIN DH PARAMETERS...' }
+        its('text') { should eq 'PKCS#3 DH Parameters: (2048 bit)...' }
+      end
+    EXAMPLE
+
+    include FileReader
+
+    def initialize(filename)
+      @dh_params_path = filename
+      @dh_params = OpenSSL::PKey::DH.new read_file_content(@dh_params_path)
     end
-  EXAMPLE
 
-  include FileReader
-
-  def initialize(filename)
-    @dh_params_path = filename
-    @dh_params = OpenSSL::PKey::DH.new read_file_content(@dh_params_path)
-  end
-
-  # it { should be_dh_params }
-  def dh_params?
-    !@dh_params.nil?
-  end
+    # it { should be_dh_params }
+    def dh_params?
+      !@dh_params.nil?
+    end
 
-  # its('generator') { should eq 2 }
-  def generator
-    return if @dh_params.nil?
+    # its('generator') { should eq 2 }
+    def generator
+      return if @dh_params.nil?
 
-    @dh_params.g.to_i
-  end
+      @dh_params.g.to_i
+    end
 
-  # its('modulus') { should eq '00:91:a0:15:89:e5:bc:38:93:12:02:fc:...' }
-  def modulus
-    return if @dh_params.nil?
+    # its('modulus') { should eq '00:91:a0:15:89:e5:bc:38:93:12:02:fc:...' }
+    def modulus
+      return if @dh_params.nil?
 
-    "00:" + @dh_params.p.to_s(16).downcase.scan(/.{2}/).join(":")
-  end
+      "00:" + @dh_params.p.to_s(16).downcase.scan(/.{2}/).join(":")
+    end
 
-  # its('pem') { should eq '-----BEGIN DH PARAMETERS...' }
-  def pem
-    return if @dh_params.nil?
+    # its('pem') { should eq '-----BEGIN DH PARAMETERS...' }
+    def pem
+      return if @dh_params.nil?
 
-    @dh_params.to_pem
-  end
+      @dh_params.to_pem
+    end
 
-  # its('prime_length') { should be 2048 }
-  def prime_length
-    return if @dh_params.nil?
+    # its('prime_length') { should be 2048 }
+    def prime_length
+      return if @dh_params.nil?
 
-    @dh_params.p.num_bits
-  end
+      @dh_params.p.num_bits
+    end
 
-  # its('text') { should eq 'human-readable-text' }
-  def text
-    return if @dh_params.nil?
+    # its('text') { should eq 'human-readable-text' }
+    def text
+      return if @dh_params.nil?
 
-    @dh_params.to_text
-  end
+      @dh_params.to_text
+    end
 
-  # it { should be_valid }
-  def valid?
-    return if @dh_params.nil?
+    # it { should be_valid }
+    def valid?
+      return if @dh_params.nil?
 
-    @dh_params.params_ok?
-  end
+      @dh_params.params_ok?
+    end
 
-  def to_s
-    "dh_params #{@dh_params_path}"
+    def to_s
+      "dh_params #{@dh_params_path}"
+    end
   end
 end

data/lib/inspec/resources/etc_hosts.rb

@@ -1,62 +1,64 @@
 require "inspec/utils/parser"
 require "inspec/utils/file_reader"
 
-class EtcHosts < Inspec.resource(1)
-  name "etc_hosts"
-  supports platform: "linux"
-  supports platform: "bsd"
-  supports platform: "windows"
-  desc 'Use the etc_hosts InSpec audit resource to find an
-    ip_address and its associated hosts'
-  example <<~EXAMPLE
-    describe etc_hosts.where { ip_address == '127.0.0.1' } do
-      its('ip_address') { should cmp '127.0.0.1' }
-      its('primary_name') { should cmp 'localhost' }
-      its('all_host_names') { should eq [['localhost', 'localhost.localdomain', 'localhost4', 'localhost4.localdomain4']] }
-    end
-  EXAMPLE
+module Inspec::Resources
+  class EtcHosts < Inspec.resource(1)
+    name "etc_hosts"
+    supports platform: "linux"
+    supports platform: "bsd"
+    supports platform: "windows"
+    desc 'Use the etc_hosts InSpec audit resource to find an
+      ip_address and its associated hosts'
+    example <<~EXAMPLE
+      describe etc_hosts.where { ip_address == '127.0.0.1' } do
+        its('ip_address') { should cmp '127.0.0.1' }
+        its('primary_name') { should cmp 'localhost' }
+        its('all_host_names') { should eq [['localhost', 'localhost.localdomain', 'localhost4', 'localhost4.localdomain4']] }
+      end
+    EXAMPLE
 
-  attr_reader :params
+    attr_reader :params
 
-  include CommentParser
-  include FileReader
+    include CommentParser
+    include FileReader
 
-  DEFAULT_UNIX_PATH    = "/etc/hosts".freeze
-  DEFAULT_WINDOWS_PATH = 'C:\windows\system32\drivers\etc\hosts'.freeze
+    DEFAULT_UNIX_PATH    = "/etc/hosts".freeze
+    DEFAULT_WINDOWS_PATH = 'C:\windows\system32\drivers\etc\hosts'.freeze
 
-  def initialize(hosts_path = nil)
-    content = read_file_content(hosts_path || default_hosts_file_path)
+    def initialize(hosts_path = nil)
+      content = read_file_content(hosts_path || default_hosts_file_path)
 
-    @params = parse_conf(content.lines)
-  end
+      @params = parse_conf(content.lines)
+    end
 
-  FilterTable.create
-    .register_column(:ip_address,     field: "ip_address")
-    .register_column(:primary_name,   field: "primary_name")
-    .register_column(:all_host_names, field: "all_host_names")
-    .install_filter_methods_on_resource(self, :params)
+    FilterTable.create
+      .register_column(:ip_address,     field: "ip_address")
+      .register_column(:primary_name,   field: "primary_name")
+      .register_column(:all_host_names, field: "all_host_names")
+      .install_filter_methods_on_resource(self, :params)
 
-  private
+    private
 
-  def default_hosts_file_path
-    inspec.os.windows? ? DEFAULT_WINDOWS_PATH : DEFAULT_UNIX_PATH
-  end
+    def default_hosts_file_path
+      inspec.os.windows? ? DEFAULT_WINDOWS_PATH : DEFAULT_UNIX_PATH
+    end
 
-  def parse_conf(lines)
-    lines.reject(&:empty?).reject(&comment?).map(&parse_data).map(&format_data)
-  end
+    def parse_conf(lines)
+      lines.reject(&:empty?).reject(&comment?).map(&parse_data).map(&format_data)
+    end
 
-  def comment?
-    parse_options = { comment_char: "#", standalone_comments: false }
+    def comment?
+      parse_options = { comment_char: "#", standalone_comments: false }
 
-    ->(data) { parse_comment_line(data, parse_options).first.empty? }
-  end
+      ->(data) { parse_comment_line(data, parse_options).first.empty? }
+    end
 
-  def parse_data
-    ->(data) { [data.split[0], data.split[1], data.split[1..-1]] }
-  end
+    def parse_data
+      ->(data) { [data.split[0], data.split[1], data.split[1..-1]] }
+    end
 
-  def format_data
-    ->(data) { %w{ip_address primary_name all_host_names}.zip(data).to_h }
+    def format_data
+      ->(data) { %w{ip_address primary_name all_host_names}.zip(data).to_h }
+    end
   end
 end

data/lib/inspec/resources/groups.rb

@@ -164,22 +164,40 @@ module Inspec::Resources
   # OSX uses opendirectory for groups, so `/etc/group` may not be fully accurate
   # This uses `dscacheutil` to get the group info instead of `etc_group`
   class DarwinGroup < GroupInfo
+    def runmap(cmd, &blk)
+      hashmap(inspec.command(cmd).stdout.lines, &blk)
+    end
+
+    def hashmap(enum, &blk)
+      enum.map(&blk).to_h
+    end
+
     def groups
-      group_info = inspec.command("dscacheutil -q group").stdout.split("\n\n")
+      group_by_id = runmap("dscl . -list /Groups PrimaryGroupID")  { |l| name, id = l.split; [id.to_i, name] }
+      userss      = runmap("dscl . -list /Users  PrimaryGroupID")  { |l| name, id = l.split; [name, id.to_i] }
+      membership  = runmap("dscl . -list /Groups GroupMembership") { |l| key, *vs = l.split; [key, vs] }
+      membership.default_proc = ->(h, k) { h[k] = [] }
+
+      users_by_group = hashmap(userss.keys.group_by { |k| userss[k] }) { |k, vs| [group_by_id[k], vs] }
+      users_by_group.each do |name, users|
+        membership[name].concat users
+      end
+
+      group_info = inspec.command("dscacheutil -q group").stdout.split("\n\n").uniq
 
-      groups = []
       regex = /^([^:]*?)\s*:\s(.*?)\s*$/
-      group_info.each do |data|
-        groups << inspec.parse_config(data, assignment_regex: regex).params
+      groups = group_info.map do |data|
+        inspec.parse_config(data, assignment_regex: regex).params
       end
 
       # Convert the `dscacheutil` groups to match `inspec.etc_group.entries`
       groups.each { |g| g["gid"] = g["gid"].to_i }
       groups.each do |g|
-        next if g["users"].nil?
-
-        g["members"] = g.delete("users")
-        g["members"].tr!(" ", ",")
+        users = g.delete("users") || ""
+        users = users.split
+        users += Array(users_by_group[g["name"]])
+        g["members"] = users
+        g["members"].sort.join ","
       end
     end
   end

data/lib/inspec/resources/grub_conf.rb

@@ -1,228 +1,230 @@
 require "inspec/utils/simpleconfig"
 require "inspec/utils/file_reader"
 
-class GrubConfig < Inspec.resource(1)
-  name "grub_conf"
-  supports platform: "unix"
-  desc "Use the grub_conf InSpec audit resource to test the boot config of Linux systems that use Grub."
-  example <<~EXAMPLE
-    describe grub_conf('/etc/grub.conf',  'default') do
-      its('kernel') { should include '/vmlinuz-2.6.32-573.7.1.el6.x86_64' }
-      its('initrd') { should include '/initramfs-2.6.32-573.el6.x86_64.img=1' }
-      its('default') { should_not eq '1' }
-      its('timeout') { should eq '5' }
-    end
+module Inspec::Resources
+  class GrubConfig < Inspec.resource(1)
+    name "grub_conf"
+    supports platform: "unix"
+    desc "Use the grub_conf InSpec audit resource to test the boot config of Linux systems that use Grub."
+    example <<~EXAMPLE
+      describe grub_conf('/etc/grub.conf',  'default') do
+        its('kernel') { should include '/vmlinuz-2.6.32-573.7.1.el6.x86_64' }
+        its('initrd') { should include '/initramfs-2.6.32-573.el6.x86_64.img=1' }
+        its('default') { should_not eq '1' }
+        its('timeout') { should eq '5' }
+      end
 
-    also check specific kernels
-    describe grub_conf('/etc/grub.conf',  'CentOS (2.6.32-573.12.1.el6.x86_64)') do
-      its('kernel') { should include 'audit=1' }
-    end
-  EXAMPLE
+      also check specific kernels
+      describe grub_conf('/etc/grub.conf',  'CentOS (2.6.32-573.12.1.el6.x86_64)') do
+        its('kernel') { should include 'audit=1' }
+      end
+    EXAMPLE
 
-  include FileReader
+    include FileReader
 
-  class UnknownGrubConfig < StandardError; end
+    class UnknownGrubConfig < StandardError; end
 
-  def initialize(path = nil, kernel = nil)
-    config_for_platform(path)
-    @content = read_file(@conf_path)
-    @kernel = kernel || "default"
-  rescue UnknownGrubConfig
-    skip_resource "The `grub_config` resource is not supported on your OS yet."
-  end
+    def initialize(path = nil, kernel = nil)
+      config_for_platform(path)
+      @content = read_file(@conf_path)
+      @kernel = kernel || "default"
+    rescue UnknownGrubConfig
+      skip_resource "The `grub_config` resource is not supported on your OS yet."
+    end
 
-  def config_for_platform(path)
-    os = inspec.os
-    if os.redhat? || os[:name] == "fedora"
-      config_for_redhatish(path)
-    elsif os.debian?
-      @conf_path = path || "/boot/grub/grub.cfg"
-      @defaults_path = "/etc/default/grub"
-      @grubenv_path = "/boot/grub2/grubenv"
-      @version = "grub2"
-    elsif os[:name] == "amazon"
-      @conf_path = path || "/etc/grub.conf"
-      @version = "legacy"
-    else
-      raise UnknownGrubConfig
+    def config_for_platform(path)
+      os = inspec.os
+      if os.redhat? || os[:name] == "fedora"
+        config_for_redhatish(path)
+      elsif os.debian?
+        @conf_path = path || "/boot/grub/grub.cfg"
+        @defaults_path = "/etc/default/grub"
+        @grubenv_path = "/boot/grub2/grubenv"
+        @version = "grub2"
+      elsif os[:name] == "amazon"
+        @conf_path = path || "/etc/grub.conf"
+        @version = "legacy"
+      else
+        raise UnknownGrubConfig
+      end
     end
-  end
 
-  def config_for_redhatish(path)
-    if inspec.os[:release].to_f < 7
-      @conf_path = path || "/etc/grub.conf"
-      @version = "legacy"
-    else
-      @conf_path = path || "/boot/grub2/grub.cfg"
-      @defaults_path = "/etc/default/grub"
-      @grubenv_path = "/boot/grub2/grubenv"
-      @version = "grub2"
+    def config_for_redhatish(path)
+      if inspec.os[:release].to_f < 7
+        @conf_path = path || "/etc/grub.conf"
+        @version = "legacy"
+      else
+        @conf_path = path || "/boot/grub2/grub.cfg"
+        @defaults_path = "/etc/default/grub"
+        @grubenv_path = "/boot/grub2/grubenv"
+        @version = "grub2"
+      end
     end
-  end
 
-  def method_missing(name)
-    read_params[name.to_s]
-  end
+    def method_missing(name)
+      read_params[name.to_s]
+    end
 
-  def to_s
-    "Grub Config"
-  end
+    def to_s
+      "Grub Config"
+    end
 
-  private
+    private
 
-  ######################################################################
-  # Grub2 This is used by all supported versions of Ubuntu and Rhel 7+ #
-  ######################################################################
+    ######################################################################
+    # Grub2 This is used by all supported versions of Ubuntu and Rhel 7+ #
+    ######################################################################
 
-  def grub2_parse_kernel_lines(content, conf)
-    menu_entries = extract_menu_entries(content)
+    def grub2_parse_kernel_lines(content, conf)
+      menu_entries = extract_menu_entries(content)
 
-    if @kernel == "default"
-      default_menu_entry(menu_entries, conf["GRUB_DEFAULT"])
-    else
-      menu_entries.find { |entry| entry["name"] == @kernel }
+      if @kernel == "default"
+        default_menu_entry(menu_entries, conf["GRUB_DEFAULT"])
+      else
+        menu_entries.find { |entry| entry["name"] == @kernel }
+      end
     end
-  end
 
-  def extract_menu_entries(content)
-    menu_entries = []
+    def extract_menu_entries(content)
+      menu_entries = []
 
-    lines = content.split("\n")
-    lines.each_with_index do |line, index|
-      next unless line =~ /^menuentry\s+.*/
+      lines = content.split("\n")
+      lines.each_with_index do |line, index|
+        next unless line =~ /^menuentry\s+.*/
 
-      entry = {}
-      entry["insmod"] = []
+        entry = {}
+        entry["insmod"] = []
 
-      # Extract name from menuentry line
-      capture_data = line.match(/(?:^|\s+).*menuentry\s*['|"](.*)['|"]\s*--/)
-      if capture_data.nil? || capture_data.captures[0].nil?
-        raise Inspec::Exceptions::ResourceFailed "Failed to extract menuentry name from #{line}"
-      end
+        # Extract name from menuentry line
+        capture_data = line.match(/(?:^|\s+).*menuentry\s*['|"](.*)['|"]\s*--/)
+        if capture_data.nil? || capture_data.captures[0].nil?
+          raise Inspec::Exceptions::ResourceFailed "Failed to extract menuentry name from #{line}"
+        end
 
-      entry["name"] = capture_data.captures[0]
-
-      # Begin processing from index forward until a `}` line is met
-      lines.drop(index + 1).each do |mline|
-        break if mline =~ /^\s*}\s*$/
-
-        case mline
-        when /(?:^|\s*)initrd.*/
-          entry["initrd"] = mline.split(" ")[1]
-        when /(?:^|\s*)linux.*/
-          entry["kernel"] = mline.split
-        when /(?:^|\s*)set root=.*/
-          entry["root"] = mline.split("=")[1].tr("'", "")
-        when /(?:^|\s*)insmod.*/
-          entry["insmod"] << mline.split(" ")[1]
+        entry["name"] = capture_data.captures[0]
+
+        # Begin processing from index forward until a `}` line is met
+        lines.drop(index + 1).each do |mline|
+          break if mline =~ /^\s*}\s*$/
+
+          case mline
+          when /(?:^|\s*)initrd.*/
+            entry["initrd"] = mline.split(" ")[1]
+          when /(?:^|\s*)linux.*/
+            entry["kernel"] = mline.split
+          when /(?:^|\s*)set root=.*/
+            entry["root"] = mline.split("=")[1].tr("'", "")
+          when /(?:^|\s*)insmod.*/
+            entry["insmod"] << mline.split(" ")[1]
+          end
         end
+
+        menu_entries << entry
       end
 
-      menu_entries << entry
+      menu_entries
     end
 
-    menu_entries
-  end
-
-  def default_menu_entry(menu_entries, default)
-    # If the default entry isn't `saved` then a number is used as an index.
-    # By default this is `0`, which would be the first item in the list.
-    return menu_entries[default.to_i] unless default == "saved"
+    def default_menu_entry(menu_entries, default)
+      # If the default entry isn't `saved` then a number is used as an index.
+      # By default this is `0`, which would be the first item in the list.
+      return menu_entries[default.to_i] unless default == "saved"
 
-    grubenv_contents = inspec.file(@grubenv_path).content
+      grubenv_contents = inspec.file(@grubenv_path).content
 
-    # The location of the grubenv file is not guaranteed. In the case that
-    # the file does not exist this will return the 0th entry. This will also
-    # return the 0th entry if InSpec lacks permission to read the file. Both
-    # of these reflect the default Grub2 behavior.
-    return menu_entries[0] if grubenv_contents.nil?
+      # The location of the grubenv file is not guaranteed. In the case that
+      # the file does not exist this will return the 0th entry. This will also
+      # return the 0th entry if InSpec lacks permission to read the file. Both
+      # of these reflect the default Grub2 behavior.
+      return menu_entries[0] if grubenv_contents.nil?
 
-    default_name = SimpleConfig.new(grubenv_contents).params["saved_entry"]
-    default_entry = menu_entries.select { |k| k["name"] == default_name }[0]
-    return default_entry unless default_entry.nil?
+      default_name = SimpleConfig.new(grubenv_contents).params["saved_entry"]
+      default_entry = menu_entries.select { |k| k["name"] == default_name }[0]
+      return default_entry unless default_entry.nil?
 
-    # It is possible for the saved entry to not be valid . For example, grubenv
-    # not being up to date. If so, the 0th entry is the default.
-    menu_entries[0]
-  end
+      # It is possible for the saved entry to not be valid . For example, grubenv
+      # not being up to date. If so, the 0th entry is the default.
+      menu_entries[0]
+    end
 
-  ###################################################################
-  # Grub1 aka legacy-grub config. Primarily used by Centos/Rhel 6.x #
-  ###################################################################
-
-  def parse_kernel_lines(content, conf)
-    # Find all "title" lines and then parse them into arrays
-    menu_entry = 0
-    lines = content.split("\n")
-    kernel_opts = {}
-    lines.each_with_index do |file_line, index|
-      next unless file_line =~ /^title.*/
-
-      current_kernel = file_line.split(" ", 2)[1]
-      lines.drop(index + 1).each do |kernel_line|
-        if kernel_line =~ /^\s.*/
-          option_type = kernel_line.split(" ")[0]
-          line_options = kernel_line.split(" ").drop(1)
-          if (menu_entry == conf["default"].to_i && @kernel == "default") || current_kernel == @kernel
-            if option_type == "kernel"
-              kernel_opts["kernel"] = line_options
-            else
-              kernel_opts[option_type] = line_options[0]
+    ###################################################################
+    # Grub1 aka legacy-grub config. Primarily used by Centos/Rhel 6.x #
+    ###################################################################
+
+    def parse_kernel_lines(content, conf)
+      # Find all "title" lines and then parse them into arrays
+      menu_entry = 0
+      lines = content.split("\n")
+      kernel_opts = {}
+      lines.each_with_index do |file_line, index|
+        next unless file_line =~ /^title.*/
+
+        current_kernel = file_line.split(" ", 2)[1]
+        lines.drop(index + 1).each do |kernel_line|
+          if kernel_line =~ /^\s.*/
+            option_type = kernel_line.split(" ")[0]
+            line_options = kernel_line.split(" ").drop(1)
+            if (menu_entry == conf["default"].to_i && @kernel == "default") || current_kernel == @kernel
+              if option_type == "kernel"
+                kernel_opts["kernel"] = line_options
+              else
+                kernel_opts[option_type] = line_options[0]
+              end
             end
+          else
+            menu_entry += 1
+            break
           end
-        else
-          menu_entry += 1
-          break
         end
       end
+      kernel_opts
     end
-    kernel_opts
-  end
 
-  def read_file(config_file)
-    read_file_content(config_file)
-  end
+    def read_file(config_file)
+      read_file_content(config_file)
+    end
 
-  def read_params
-    return @params if defined?(@params)
-
-    content = read_file(@conf_path)
-
-    if @version == "legacy"
-      # parse the file
-      conf = SimpleConfig.new(
-        content,
-        multiple_values: true
-      ).params
-      # convert single entry arrays into strings
-      conf.each do |key, value|
-        if value.size == 1
-          conf[key] = conf[key][0].to_s
+    def read_params
+      return @params if defined?(@params)
+
+      content = read_file(@conf_path)
+
+      if @version == "legacy"
+        # parse the file
+        conf = SimpleConfig.new(
+          content,
+          multiple_values: true
+        ).params
+        # convert single entry arrays into strings
+        conf.each do |key, value|
+          if value.size == 1
+            conf[key] = conf[key][0].to_s
+          end
         end
+        kernel_opts = parse_kernel_lines(content, conf)
+        @params = conf.merge(kernel_opts)
       end
-      kernel_opts = parse_kernel_lines(content, conf)
-      @params = conf.merge(kernel_opts)
-    end
 
-    if @version == "grub2"
-      # read defaults
-      defaults = read_file(@defaults_path)
+      if @version == "grub2"
+        # read defaults
+        defaults = read_file(@defaults_path)
 
-      conf = SimpleConfig.new(
-        defaults,
-        multiple_values: true
-      ).params
+        conf = SimpleConfig.new(
+          defaults,
+          multiple_values: true
+        ).params
 
-      # convert single entry arrays into strings
-      conf.each do |key, value|
-        if value.size == 1
-          conf[key] = conf[key][0].to_s
+        # convert single entry arrays into strings
+        conf.each do |key, value|
+          if value.size == 1
+            conf[key] = conf[key][0].to_s
+          end
         end
-      end
 
-      kernel_opts = grub2_parse_kernel_lines(content, conf)
-      @params = conf.merge(kernel_opts)
+        kernel_opts = grub2_parse_kernel_lines(content, conf)
+        @params = conf.merge(kernel_opts)
+      end
+      @params
     end
-    @params
   end
 end

data/lib/inspec/resources/iis_app_pool.rb

@@ -5,125 +5,127 @@ require "inspec/resources/powershell"
 # check for web applications in IIS
 # Note: this is only supported in windows 2012 and later
 
-class IisAppPool < Inspec.resource(1)
-  name "iis_app_pool"
-  desc "Tests IIS application pool configuration on windows."
-  supports platform: "windows"
-  example <<~EXAMPLE
-    describe iis_app_pool('DefaultAppPool') do
-      it { should exist }
-      its('enable32bit') { should cmp 'True' }
-      its('runtime_version') { should eq 'v4.0' }
-      its('pipeline_mode') { should eq 'Integrated' }
-    end
-  EXAMPLE
-
-  def initialize(pool_name)
-    @pool_name = pool_name
-    @pool_path = "IIS:\\AppPools\\#{@pool_name}"
-    @cache = nil
-
-    # verify that this resource is only supported on Windows
-    return skip_resource "The `iis_app_pool` resource is not supported on your OS." unless inspec.os.windows?
-  end
-
-  def pool_name
-    iis_app_pool[:pool_name]
-  end
-
-  def runtime_version
-    iis_app_pool[:version]
-  end
+module Inspec::Resources
+  class IisAppPool < Inspec.resource(1)
+    name "iis_app_pool"
+    desc "Tests IIS application pool configuration on windows."
+    supports platform: "windows"
+    example <<~EXAMPLE
+      describe iis_app_pool('DefaultAppPool') do
+        it { should exist }
+        its('enable32bit') { should cmp 'True' }
+        its('runtime_version') { should eq 'v4.0' }
+        its('pipeline_mode') { should eq 'Integrated' }
+      end
+    EXAMPLE
+
+    def initialize(pool_name)
+      @pool_name = pool_name
+      @pool_path = "IIS:\\AppPools\\#{@pool_name}"
+      @cache = nil
+
+      # verify that this resource is only supported on Windows
+      return skip_resource "The `iis_app_pool` resource is not supported on your OS." unless inspec.os.windows?
+    end
 
-  def enable32bit
-    iis_app_pool[:e32b]
-  end
+    def pool_name
+      iis_app_pool[:pool_name]
+    end
 
-  def pipeline_mode
-    iis_app_pool[:mode]
-  end
+    def runtime_version
+      iis_app_pool[:version]
+    end
 
-  def max_processes
-    iis_app_pool[:processes]
-  end
+    def enable32bit
+      iis_app_pool[:e32b]
+    end
 
-  def timeout
-    iis_app_pool[:timeout]
-  end
+    def pipeline_mode
+      iis_app_pool[:mode]
+    end
 
-  def timeout_days
-    iis_app_pool[:timeout_days]
-  end
+    def max_processes
+      iis_app_pool[:processes]
+    end
 
-  def timeout_hours
-    iis_app_pool[:timeout_hours]
-  end
+    def timeout
+      iis_app_pool[:timeout]
+    end
 
-  def timeout_minutes
-    iis_app_pool[:timeout_minutes]
-  end
+    def timeout_days
+      iis_app_pool[:timeout_days]
+    end
 
-  def timeout_seconds
-    iis_app_pool[:timeout_seconds]
-  end
+    def timeout_hours
+      iis_app_pool[:timeout_hours]
+    end
 
-  def user_identity_type
-    iis_app_pool[:user_identity_type]
-  end
+    def timeout_minutes
+      iis_app_pool[:timeout_minutes]
+    end
 
-  def username
-    iis_app_pool[:username]
-  end
+    def timeout_seconds
+      iis_app_pool[:timeout_seconds]
+    end
 
-  def exists?
-    !iis_app_pool[:pool_name].empty?
-  end
+    def user_identity_type
+      iis_app_pool[:user_identity_type]
+    end
 
-  def to_s
-    "IIS App Pool '#{@pool_name}'"
-  end
+    def username
+      iis_app_pool[:username]
+    end
 
-  private
+    def exists?
+      !iis_app_pool[:pool_name].empty?
+    end
 
-  def iis_app_pool
-    return @cache unless @cache.nil?
+    def to_s
+      "IIS App Pool '#{@pool_name}'"
+    end
 
-    # We use `-Compress` here to avoid a bug in PowerShell
-    # It does not affect validity of the output, only the representation
-    # See: https://github.com/inspec/inspec/pull/3842
-    script = <<~EOH
-      Import-Module WebAdministration
-      If (Test-Path '#{@pool_path}') {
-        Get-Item '#{@pool_path}' | Select-Object * | ConvertTo-Json -Compress
-      } Else {
-        Write-Host '{}'
+    private
+
+    def iis_app_pool
+      return @cache unless @cache.nil?
+
+      # We use `-Compress` here to avoid a bug in PowerShell
+      # It does not affect validity of the output, only the representation
+      # See: https://github.com/inspec/inspec/pull/3842
+      script = <<~EOH
+        Import-Module WebAdministration
+        If (Test-Path '#{@pool_path}') {
+          Get-Item '#{@pool_path}' | Select-Object * | ConvertTo-Json -Compress
+        } Else {
+          Write-Host '{}'
+        }
+      EOH
+      cmd = inspec.powershell(script)
+
+      begin
+        pool = JSON.parse(cmd.stdout)
+      rescue JSON::ParserError => _e
+        raise Inspec::Exceptions::ResourceFailed, "Unable to parse app pool JSON"
+      end
+
+      process_model = pool.fetch("processModel", {})
+      idle_timeout = process_model.fetch("idleTimeout", {})
+
+      # map our values to a hash table
+      @cache = {
+        pool_name: pool["name"],
+        version: pool["managedRuntimeVersion"],
+        e32b: pool["enable32BitAppOnWin64"],
+        mode: pool["managedPipelineMode"],
+        processes: process_model["maxProcesses"],
+        timeout: "#{idle_timeout["Hours"]}:#{idle_timeout["Minutes"]}:#{idle_timeout["Seconds"]}",
+        timeout_days: idle_timeout["Days"],
+        timeout_hours: idle_timeout["Hours"],
+        timeout_minutes: idle_timeout["Minutes"],
+        timeout_seconds: idle_timeout["Seconds"],
+        user_identity_type: process_model["identityType"],
+        username: process_model["userName"],
       }
-    EOH
-    cmd = inspec.powershell(script)
-
-    begin
-      pool = JSON.parse(cmd.stdout)
-    rescue JSON::ParserError => _e
-      raise Inspec::Exceptions::ResourceFailed, "Unable to parse app pool JSON"
-    end
-
-    process_model = pool.fetch("processModel", {})
-    idle_timeout = process_model.fetch("idleTimeout", {})
-
-    # map our values to a hash table
-    @cache = {
-      pool_name: pool["name"],
-      version: pool["managedRuntimeVersion"],
-      e32b: pool["enable32BitAppOnWin64"],
-      mode: pool["managedPipelineMode"],
-      processes: process_model["maxProcesses"],
-      timeout: "#{idle_timeout["Hours"]}:#{idle_timeout["Minutes"]}:#{idle_timeout["Seconds"]}",
-      timeout_days: idle_timeout["Days"],
-      timeout_hours: idle_timeout["Hours"],
-      timeout_minutes: idle_timeout["Minutes"],
-      timeout_seconds: idle_timeout["Seconds"],
-      user_identity_type: process_model["identityType"],
-      username: process_model["userName"],
-    }
+    end
   end
 end

data/lib/inspec/resources/service.rb

@@ -243,6 +243,13 @@ module Inspec::Resources
       info[:startmode]
     end
 
+    # returns the service's user from info
+    def startname
+      return nil if info.nil?
+
+      info[:startname]
+    end
+
     def to_s
       "Service #{@service_name}"
     end
@@ -575,12 +582,13 @@ module Inspec::Resources
     # Also see: https://msdn.microsoft.com/en-us/library/aa384896(v=vs.85).aspx
     # Use the following powershell to determine the start mode
     # PS: Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -eq $name -or $_.DisplayName -eq $name} | Select-Object -Prop
-    # erty Name, StartMode, State, Status | ConvertTo-Json
+    # erty Name, StartMode, State, Status, StartName | ConvertTo-Json
     # {
     #     "Name":  "Dhcp",
     #     "StartMode":  "Auto",
     #     "State":  "Running",
-    #     "Status":  "OK"
+    #     "Status":  "OK",
+    #     "StartName":  "LocalSystem"
     # }
     #
     # Windows Services have the following status code:
@@ -593,7 +601,7 @@ module Inspec::Resources
     # - 6: Pause Pending
     # - 7: Paused
     def info(service_name)
-      cmd = inspec.command("New-Object -Type PSObject | Add-Member -MemberType NoteProperty -Name Service -Value (Get-Service -Name '#{service_name}'| Select-Object -Property Name, DisplayName, Status) -PassThru | Add-Member -MemberType NoteProperty -Name WMI -Value (Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -eq '#{service_name}' -or $_.DisplayName -eq '#{service_name}'} | Select-Object -Property StartMode) -PassThru | ConvertTo-Json")
+      cmd = inspec.command("New-Object -Type PSObject | Add-Member -MemberType NoteProperty -Name Service -Value (Get-Service -Name '#{service_name}'| Select-Object -Property Name, DisplayName, Status) -PassThru | Add-Member -MemberType NoteProperty -Name WMI -Value (Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -eq '#{service_name}' -or $_.DisplayName -eq '#{service_name}'} | Select-Object -Property StartMode, StartName) -PassThru | ConvertTo-Json")
 
       # cannot rely on exit code for now, successful command returns exit code 1
       # return nil if cmd.exit_status != 0
@@ -614,6 +622,7 @@ module Inspec::Resources
         running: service_running?(service),
         enabled: service_enabled?(service),
         startmode: service["WMI"]["StartMode"],
+        startname: service["WMI"]["StartName"],
         type: "windows",
       }
     end

data/lib/inspec/resources/ssl.rb

@@ -6,92 +6,94 @@ require "uri"
 require "parallel"
 
 # Custom resource based on the InSpec resource DSL
-class SSL < Inspec.resource(1)
-  name "ssl"
-  supports platform: "unix"
-  supports platform: "windows"
+module Inspec::Resources
+  class SSL < Inspec.resource(1)
+    name "ssl"
+    supports platform: "unix"
+    supports platform: "windows"
 
-  desc "
-    SSL test resource
-  "
+    desc "
+      SSL test resource
+    "
 
-  example <<~EXAMPLE
-    describe ssl(port: 443) do
-      it { should be_enabled }
-    end
+    example <<~EXAMPLE
+      describe ssl(port: 443) do
+        it { should be_enabled }
+      end
 
-    # protocols: ssl2, ssl3, tls1.0, tls1.1, tls1.2
-    describe ssl(port: 443).protocols('ssl2') do
-      it { should_not be_enabled }
-    end
+      # protocols: ssl2, ssl3, tls1.0, tls1.1, tls1.2
+      describe ssl(port: 443).protocols('ssl2') do
+        it { should_not be_enabled }
+      end
 
-    # any ciphers, filter by name or regex
-    describe ssl(port: 443).ciphers(/rc4/i) do
-      it { should_not be_enabled }
-    end
-  EXAMPLE
+      # any ciphers, filter by name or regex
+      describe ssl(port: 443).ciphers(/rc4/i) do
+        it { should_not be_enabled }
+      end
+    EXAMPLE
 
-  VERSIONS = [
-    "ssl2",
-    "ssl3",
-    "tls1.0",
-    "tls1.1",
-    "tls1.2",
-  ].freeze
+    VERSIONS = [
+      "ssl2",
+      "ssl3",
+      "tls1.0",
+      "tls1.1",
+      "tls1.2",
+    ].freeze
 
-  attr_reader :host, :port, :timeout, :retries
+    attr_reader :host, :port, :timeout, :retries
 
-  def initialize(opts = {})
-    @host = opts[:host]
-    if @host.nil?
-      # Transports like SSH and WinRM will provide a hostname
-      if inspec.backend.respond_to?("hostname")
-        @host = inspec.backend.hostname
-      elsif inspec.backend.class.to_s == "Train::Transports::Local::Connection"
-        @host = "localhost"
+    def initialize(opts = {})
+      @host = opts[:host]
+      if @host.nil?
+        # Transports like SSH and WinRM will provide a hostname
+        if inspec.backend.respond_to?("hostname")
+          @host = inspec.backend.hostname
+        elsif inspec.backend.class.to_s == "Train::Transports::Local::Connection"
+          @host = "localhost"
+        end
       end
+      @port = opts[:port] || 443
+      @timeout = opts[:timeout]
+      @retries = opts[:retries]
     end
-    @port = opts[:port] || 443
-    @timeout = opts[:timeout]
-    @retries = opts[:retries]
-  end
 
-  filter = FilterTable.create
-  filter.register_custom_matcher(:enabled?) do |x|
-    raise "Cannot determine host for SSL test. Please specify it or use a different target." if x.resource.host.nil?
+    filter = FilterTable.create
+    filter.register_custom_matcher(:enabled?) do |x|
+      raise "Cannot determine host for SSL test. Please specify it or use a different target." if x.resource.host.nil?
 
-    x.handshake.values.any? { |i| i["success"] }
-  end
-  filter.register_column(:ciphers, field: "cipher")
-    .register_column(:protocols, field: "protocol")
-    .register_custom_property(:handshake) do |x|
-      groups = x.entries.group_by(&:protocol)
-      res = Parallel.map(groups, in_threads: 8) do |proto, e|
-        [proto, SSLShake.hello(x.resource.host, port: x.resource.port,
-          protocol: proto, ciphers: e.map(&:cipher),
-          timeout: x.resource.timeout, retries: x.resource.retries, servername: x.resource.host)]
-      end
-      Hash[res]
+      x.handshake.values.any? { |i| i["success"] }
     end
-    .install_filter_methods_on_resource(self, :scan_config)
+    filter.register_column(:ciphers, field: "cipher")
+      .register_column(:protocols, field: "protocol")
+      .register_custom_property(:handshake) do |x|
+        groups = x.entries.group_by(&:protocol)
+        res = Parallel.map(groups, in_threads: 8) do |proto, e|
+          [proto, SSLShake.hello(x.resource.host, port: x.resource.port,
+            protocol: proto, ciphers: e.map(&:cipher),
+            timeout: x.resource.timeout, retries: x.resource.retries, servername: x.resource.host)]
+        end
+        Hash[res]
+      end
+      .install_filter_methods_on_resource(self, :scan_config)
 
-  def to_s
-    "SSL/TLS on #{@host}:#{@port}"
-  end
+    def to_s
+      "SSL/TLS on #{@host}:#{@port}"
+    end
 
-  private
+    private
 
-  def scan_config
-    [
-      { "protocol" => "ssl2", "ciphers" => SSLShake::SSLv2::CIPHERS.keys },
-      { "protocol" => "ssl3", "ciphers" => SSLShake::TLS::SSL3_CIPHERS.keys },
-      { "protocol" => "tls1.0", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
-      { "protocol" => "tls1.1", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
-      { "protocol" => "tls1.2", "ciphers" => SSLShake::TLS::TLS_CIPHERS.keys },
-    ].map do |line|
-      line["ciphers"].map do |cipher|
-        { "protocol" => line["protocol"], "cipher" => cipher }
-      end
-    end.flatten
+    def scan_config
+      [
+        { "protocol" => "ssl2", "ciphers" => SSLShake::SSLv2::CIPHERS.keys },
+        { "protocol" => "ssl3", "ciphers" => SSLShake::TLS::SSL3_CIPHERS.keys },
+        { "protocol" => "tls1.0", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
+        { "protocol" => "tls1.1", "ciphers" => SSLShake::TLS::TLS10_CIPHERS.keys },
+        { "protocol" => "tls1.2", "ciphers" => SSLShake::TLS::TLS_CIPHERS.keys },
+      ].map do |line|
+        line["ciphers"].map do |cipher|
+          { "protocol" => line["protocol"], "cipher" => cipher }
+        end
+      end.flatten
+    end
   end
 end

data/lib/inspec/runner.rb

@@ -33,6 +33,7 @@ module Inspec
     extend Forwardable
 
     attr_reader :backend, :rules
+    attr_accessor :target_profiles
 
     def attributes
       Inspec.deprecate(:rename_attributes_to_inputs, "Don't call runner.attributes, call runner.inputs")

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.10.4".freeze
+  VERSION = "4.12.0".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 4.10.4
+  version: 4.12.0
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-08-01 00:00:00.000000000 Z
+date: 2019-08-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train-core
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: license-acceptance
   requirement: !ruby/object:Gem::Requirement