inspec-core 4.38.3 → 4.38.9
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile +0 -11
- data/lib/inspec/resources/mssql_session.rb +1 -5
- data/lib/inspec/resources/oracledb_session.rb +16 -6
- data/lib/inspec/resources/postgres.rb +45 -12
- data/lib/inspec/resources/postgres_conf.rb +2 -0
- data/lib/inspec/resources/postgres_hba_conf.rb +2 -1
- data/lib/inspec/resources/postgres_ident_conf.rb +2 -1
- data/lib/inspec/resources/postgres_session.rb +9 -5
- data/lib/inspec/rule.rb +1 -1
- data/lib/inspec/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 17449ad4c9680511a8fc11c6fdb11d9ece550a7942c9e734c95eac0d41913d9f
|
|
4
|
+
data.tar.gz: ae5055ccc9bebd1aed4f22da4ad4dcd1be31e1bd2b5707e7b5fb088c916eda08
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 6cec299ca48d7ca4c3fb9b3eecc79c8687541fbd83fc79e837ed13d2abb4bcb861f747782a68bf90f7e1083443a671079a1368a97e9f552e249e456616a92059
|
|
7
|
+
data.tar.gz: 287e2d79dbc494c83d6f8b8046e0f9c54632c5a13ec75ac69b603bdf9fe9b6a89ff86c9c8f025f7e04372490adb1ffa5a5a7fc10f3ecab1e7fabd70f71f6767d
|
data/Gemfile
CHANGED
|
@@ -20,22 +20,11 @@ end
|
|
|
20
20
|
# but our runtime dep is still 3.9+
|
|
21
21
|
gem "rspec", ">= 3.10"
|
|
22
22
|
|
|
23
|
-
def probably_x86?
|
|
24
|
-
# We don't currently build on ARM windows, so assume x86 there
|
|
25
|
-
return true if RUBY_PLATFORM =~ /windows|mswin|msys|mingw|cygwin/
|
|
26
|
-
|
|
27
|
-
# Otherwise rely on uname -m
|
|
28
|
-
`uname -m`.match?(/^(x86_64|i\d86)/)
|
|
29
|
-
end
|
|
30
|
-
|
|
31
23
|
group :omnibus do
|
|
32
24
|
gem "rb-readline"
|
|
33
25
|
gem "appbundler"
|
|
34
26
|
gem "ed25519" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
|
|
35
27
|
gem "bcrypt_pbkdf" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
|
|
36
|
-
if probably_x86?
|
|
37
|
-
gem "x25519" # ed25519 KEX module, not supported on ARM
|
|
38
|
-
end
|
|
39
28
|
end
|
|
40
29
|
|
|
41
30
|
group :test do
|
|
@@ -42,11 +42,7 @@ module Inspec::Resources
|
|
|
42
42
|
@local_mode = opts[:local_mode]
|
|
43
43
|
unless local_mode?
|
|
44
44
|
@host = opts[:host] || "localhost"
|
|
45
|
-
|
|
46
|
-
@port = opts[:port]
|
|
47
|
-
else
|
|
48
|
-
@port = "1433"
|
|
49
|
-
end
|
|
45
|
+
@port = opts[:port]
|
|
50
46
|
end
|
|
51
47
|
@instance = opts[:instance]
|
|
52
48
|
@db_name = opts[:db_name]
|
|
@@ -38,11 +38,12 @@ module Inspec::Resources
|
|
|
38
38
|
@sqlcl_bin = opts[:sqlcl_bin] || nil
|
|
39
39
|
@sqlplus_bin = opts[:sqlplus_bin] || "sqlplus"
|
|
40
40
|
skip_resource "Option 'as_os_user' not available in Windows" if inspec.os.windows? && su_user
|
|
41
|
-
fail_resource "Can't run Oracle checks without authentication" unless su_user
|
|
42
|
-
fail_resource "You must provide a service name for the session" unless service
|
|
41
|
+
fail_resource "Can't run Oracle checks without authentication" unless su_user || (user || password)
|
|
43
42
|
end
|
|
44
43
|
|
|
45
44
|
def query(sql)
|
|
45
|
+
raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
|
|
46
|
+
|
|
46
47
|
if @sqlcl_bin && inspec.command(@sqlcl_bin).exist?
|
|
47
48
|
@bin = @sqlcl_bin
|
|
48
49
|
format_options = "set sqlformat csv\nSET FEEDBACK OFF"
|
|
@@ -53,8 +54,17 @@ module Inspec::Resources
|
|
|
53
54
|
|
|
54
55
|
command = command_builder(format_options, sql)
|
|
55
56
|
inspec_cmd = inspec.command(command)
|
|
57
|
+
out = inspec_cmd.stdout + "\n" + inspec_cmd.stderr
|
|
56
58
|
|
|
57
|
-
|
|
59
|
+
if inspec_cmd.exit_status != 0 || !inspec_cmd.stderr.empty? || out.downcase =~ /^error.*/
|
|
60
|
+
raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}"
|
|
61
|
+
else
|
|
62
|
+
begin
|
|
63
|
+
DatabaseHelper::SQLQueryResult.new(inspec_cmd, parse_csv_result(inspec_cmd.stdout))
|
|
64
|
+
rescue
|
|
65
|
+
raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}"
|
|
66
|
+
end
|
|
67
|
+
end
|
|
58
68
|
end
|
|
59
69
|
|
|
60
70
|
def to_s
|
|
@@ -77,11 +87,11 @@ module Inspec::Resources
|
|
|
77
87
|
end
|
|
78
88
|
|
|
79
89
|
if @db_role.nil?
|
|
80
|
-
|
|
90
|
+
"#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}"
|
|
81
91
|
elsif @su_user.nil?
|
|
82
|
-
|
|
92
|
+
"#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}"
|
|
83
93
|
else
|
|
84
|
-
|
|
94
|
+
"su - #{@su_user} -c env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"
|
|
85
95
|
end
|
|
86
96
|
end
|
|
87
97
|
|
|
@@ -4,6 +4,8 @@ module Inspec::Resources
|
|
|
4
4
|
class Postgres < Inspec.resource(1)
|
|
5
5
|
name "postgres"
|
|
6
6
|
supports platform: "unix"
|
|
7
|
+
supports platform: "windows"
|
|
8
|
+
|
|
7
9
|
desc "The 'postgres' resource is a helper for the 'postgres_conf', 'postgres_hba_conf', 'postgres_ident_conf' & 'postgres_session' resources. Please use those instead."
|
|
8
10
|
|
|
9
11
|
attr_reader :service, :data_dir, :conf_dir, :conf_path, :version, :cluster
|
|
@@ -43,11 +45,17 @@ module Inspec::Resources
|
|
|
43
45
|
@conf_dir = "/etc/postgresql/#{@version}/#{@cluster}"
|
|
44
46
|
@data_dir = "/var/lib/postgresql/#{@version}/#{@cluster}"
|
|
45
47
|
end
|
|
48
|
+
elsif inspec.os.windows?
|
|
49
|
+
dir = "C:\\Program Files\\PostgreSQL"
|
|
50
|
+
@version = version_from_psql || version_from_dir_windows(dir)
|
|
51
|
+
unless @version.to_s.empty?
|
|
52
|
+
@data_dir = "#{dir}\\#{@version}\\data\\"
|
|
53
|
+
end
|
|
46
54
|
else
|
|
47
55
|
@version = version_from_psql
|
|
48
56
|
if @version.to_s.empty?
|
|
49
57
|
if inspec.directory("/var/lib/pgsql/data").exist?
|
|
50
|
-
warn "Unable to determine PostgreSQL version: psql did not return" \
|
|
58
|
+
Inspec::Log.warn "Unable to determine PostgreSQL version: psql did not return" \
|
|
51
59
|
"a version number and unversioned data directories were found."
|
|
52
60
|
else
|
|
53
61
|
@version = version_from_dir("/var/lib/pgsql")
|
|
@@ -69,13 +77,13 @@ module Inspec::Resources
|
|
|
69
77
|
|
|
70
78
|
def verify_dirs
|
|
71
79
|
unless inspec.directory(@conf_dir).exist?
|
|
72
|
-
warn "Default postgresql configuration directory: #{@conf_dir} does not exist. " \
|
|
80
|
+
Inspec::Log.warn "Default postgresql configuration directory: #{@conf_dir} does not exist. " \
|
|
73
81
|
"Postgresql may not be installed or we've misidentified the configuration " \
|
|
74
82
|
"directory."
|
|
75
83
|
end
|
|
76
84
|
|
|
77
85
|
unless inspec.directory(@data_dir).exist?
|
|
78
|
-
warn "Default postgresql data directory: #{@data_dir} does not exist. " \
|
|
86
|
+
Inspec::Log.warn "Default postgresql data directory: #{@data_dir} does not exist. " \
|
|
79
87
|
"Postgresql may not be installed or we've misidentified the data " \
|
|
80
88
|
"directory."
|
|
81
89
|
end
|
|
@@ -84,7 +92,15 @@ module Inspec::Resources
|
|
|
84
92
|
def version_from_psql
|
|
85
93
|
return unless inspec.command("psql").exist?
|
|
86
94
|
|
|
87
|
-
inspec.command("psql --version
|
|
95
|
+
version = inspec.command("psql --version").stdout.strip.split(" ")[2].split(".")
|
|
96
|
+
|
|
97
|
+
unless version.empty?
|
|
98
|
+
if version.first.to_i >= 10
|
|
99
|
+
version.first
|
|
100
|
+
else
|
|
101
|
+
"#{version[0]}.#{version[1]}"
|
|
102
|
+
end
|
|
103
|
+
end
|
|
88
104
|
end
|
|
89
105
|
|
|
90
106
|
def locate_data_dir_location_by_version(ver = @version)
|
|
@@ -100,7 +116,7 @@ module Inspec::Resources
|
|
|
100
116
|
data_dir_loc = dir_list.detect { |i| inspec.directory(i).exist? }
|
|
101
117
|
|
|
102
118
|
if data_dir_loc.nil?
|
|
103
|
-
warn 'Unable to find the PostgreSQL data_dir in expected location(s), please
|
|
119
|
+
Inspec::Log.warn 'Unable to find the PostgreSQL data_dir in expected location(s), please
|
|
104
120
|
execute "psql -t -A -p <port> -h <host> -c "show hba_file";" as the PostgreSQL
|
|
105
121
|
DBA to find the non-standard data_dir location.'
|
|
106
122
|
end
|
|
@@ -112,15 +128,32 @@ module Inspec::Resources
|
|
|
112
128
|
entries = dirs.lines.count
|
|
113
129
|
case entries
|
|
114
130
|
when 0
|
|
115
|
-
warn "Could not determine version of installed postgresql by inspecting #{dir}"
|
|
131
|
+
Inspec::Log.warn "Could not determine version of installed postgresql by inspecting #{dir}"
|
|
132
|
+
nil
|
|
133
|
+
when 1
|
|
134
|
+
Inspec::Log.warn "Using #{dirs}: #{dir_to_version(dirs)}"
|
|
135
|
+
dir_to_version(dirs)
|
|
136
|
+
else
|
|
137
|
+
Inspec::Log.warn "Multiple versions of postgresql installed or incorrect base dir #{dir}"
|
|
138
|
+
first = dir_to_version(dirs.lines.first)
|
|
139
|
+
Inspec::Log.warn "Using the first version found: #{first}"
|
|
140
|
+
first
|
|
141
|
+
end
|
|
142
|
+
end
|
|
143
|
+
|
|
144
|
+
def version_from_dir_windows(dir)
|
|
145
|
+
dirs = inspec.command("Get-ChildItem -Path \"#{dir}\" -Name").stdout
|
|
146
|
+
entries = dirs.lines.count
|
|
147
|
+
case entries
|
|
148
|
+
when 0
|
|
149
|
+
Inspec::Log.warn "Could not determine version of installed PostgreSQL by inspecting #{dir}"
|
|
116
150
|
nil
|
|
117
151
|
when 1
|
|
118
|
-
warn "Using #{dirs}: #{dir_to_version(dirs)}"
|
|
119
152
|
dir_to_version(dirs)
|
|
120
153
|
else
|
|
121
|
-
warn "Multiple versions of
|
|
154
|
+
Inspec::Log.warn "Multiple versions of PostgreSQL installed or incorrect base dir #{dir}"
|
|
122
155
|
first = dir_to_version(dirs.lines.first)
|
|
123
|
-
warn "Using the first version found: #{first}"
|
|
156
|
+
Inspec::Log.warn "Using the first version found: #{first}"
|
|
124
157
|
first
|
|
125
158
|
end
|
|
126
159
|
end
|
|
@@ -137,13 +170,13 @@ module Inspec::Resources
|
|
|
137
170
|
else
|
|
138
171
|
dirs = inspec.command("ls -d #{dir}/*/").stdout.lines
|
|
139
172
|
if dirs.empty?
|
|
140
|
-
warn "No postgresql clusters configured or incorrect base dir #{dir}"
|
|
173
|
+
Inspec::Log.warn "No postgresql clusters configured or incorrect base dir #{dir}"
|
|
141
174
|
return nil
|
|
142
175
|
end
|
|
143
176
|
first = dirs.first.chomp.split("/").last
|
|
144
177
|
if dirs.count > 1
|
|
145
|
-
warn "Multiple postgresql clusters configured or incorrect base dir #{dir}"
|
|
146
|
-
warn "Using the first directory found: #{first}"
|
|
178
|
+
Inspec::Log.warn "Multiple postgresql clusters configured or incorrect base dir #{dir}"
|
|
179
|
+
Inspec::Log.warn "Using the first directory found: #{first}"
|
|
147
180
|
end
|
|
148
181
|
first
|
|
149
182
|
end
|
|
@@ -5,6 +5,7 @@ module Inspec::Resources
|
|
|
5
5
|
class PostgresHbaConf < Inspec.resource(1)
|
|
6
6
|
name "postgres_hba_conf"
|
|
7
7
|
supports platform: "unix"
|
|
8
|
+
supports platform: "windows"
|
|
8
9
|
desc 'Use the `postgres_hba_conf` InSpec audit resource to test the client
|
|
9
10
|
authentication data defined in the pg_hba.conf file.'
|
|
10
11
|
example <<~EXAMPLE
|
|
@@ -19,7 +20,7 @@ module Inspec::Resources
|
|
|
19
20
|
|
|
20
21
|
# @todo add checks to ensure that we have data in our file
|
|
21
22
|
def initialize(hba_conf_path = nil)
|
|
22
|
-
@conf_file = hba_conf_path || File.
|
|
23
|
+
@conf_file = hba_conf_path || File.join(inspec.postgres.conf_dir, "pg_hba.conf")
|
|
23
24
|
@content = ""
|
|
24
25
|
@params = {}
|
|
25
26
|
read_content
|
|
@@ -5,6 +5,7 @@ module Inspec::Resources
|
|
|
5
5
|
class PostgresIdentConf < Inspec.resource(1)
|
|
6
6
|
name "postgres_ident_conf"
|
|
7
7
|
supports platform: "unix"
|
|
8
|
+
supports platform: "windows"
|
|
8
9
|
desc 'Use the postgres_ident_conf InSpec audit resource to test the client
|
|
9
10
|
authentication data is controlled by a pg_ident.conf file.'
|
|
10
11
|
example <<~EXAMPLE
|
|
@@ -18,7 +19,7 @@ module Inspec::Resources
|
|
|
18
19
|
attr_reader :params, :conf_file
|
|
19
20
|
|
|
20
21
|
def initialize(ident_conf_path = nil)
|
|
21
|
-
@conf_file = ident_conf_path || File.
|
|
22
|
+
@conf_file = ident_conf_path || File.join(inspec.postgres.conf_dir, "pg_ident.conf")
|
|
22
23
|
@content = nil
|
|
23
24
|
@params = nil
|
|
24
25
|
read_content
|
|
@@ -12,7 +12,7 @@ module Inspec::Resources
|
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def lines
|
|
15
|
-
output.split("\n")
|
|
15
|
+
output.split("\n").map(&:strip)
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
def to_s
|
|
@@ -54,7 +54,7 @@ module Inspec::Resources
|
|
|
54
54
|
raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
|
|
55
55
|
|
|
56
56
|
psql_cmd = create_psql_cmd(query, db)
|
|
57
|
-
cmd = inspec.command(psql_cmd, redact_regex:
|
|
57
|
+
cmd = inspec.command(psql_cmd, redact_regex: %r{(:\/\/[a-z]*:).*(@)})
|
|
58
58
|
out = cmd.stdout + "\n" + cmd.stderr
|
|
59
59
|
if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/
|
|
60
60
|
raise Inspec::Exceptions::ResourceFailed, "PostgreSQL query with errors: #{out}"
|
|
@@ -66,7 +66,7 @@ module Inspec::Resources
|
|
|
66
66
|
private
|
|
67
67
|
|
|
68
68
|
def test_connection
|
|
69
|
-
query("select now()")
|
|
69
|
+
query("select now()\;")
|
|
70
70
|
end
|
|
71
71
|
|
|
72
72
|
def escaped_query(query)
|
|
@@ -74,8 +74,12 @@ module Inspec::Resources
|
|
|
74
74
|
end
|
|
75
75
|
|
|
76
76
|
def create_psql_cmd(query, db = [])
|
|
77
|
-
dbs = db.map { |x| "
|
|
78
|
-
|
|
77
|
+
dbs = db.map { |x| "#{x}" }.join(" ")
|
|
78
|
+
if inspec.os.windows?
|
|
79
|
+
"psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
|
|
80
|
+
else
|
|
81
|
+
"psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
|
|
82
|
+
end
|
|
79
83
|
end
|
|
80
84
|
end
|
|
81
85
|
end
|
data/lib/inspec/rule.rb
CHANGED
|
@@ -360,7 +360,7 @@ module Inspec
|
|
|
360
360
|
# A string that does not represent a valid time results in the date 0000-01-01.
|
|
361
361
|
if [Date, Time].include?(expiry.class) || (expiry.is_a?(String) && Time.new(expiry).year != 0)
|
|
362
362
|
expiry = expiry.to_time if expiry.is_a? Date
|
|
363
|
-
expiry = Time.
|
|
363
|
+
expiry = Time.parse(expiry) if expiry.is_a? String
|
|
364
364
|
if expiry < Time.now # If the waiver expired, return - no skip applied
|
|
365
365
|
__waiver_data["message"] = "Waiver expired on #{expiry}, evaluating control normally"
|
|
366
366
|
return
|
data/lib/inspec/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: inspec-core
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.38.
|
|
4
|
+
version: 4.38.9
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Chef InSpec Team
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-07-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: chef-telemetry
|