inspec-core 4.38.3 → 4.38.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile +0 -11
- data/lib/inspec/resources/mssql_session.rb +1 -5
- data/lib/inspec/resources/oracledb_session.rb +16 -6
- data/lib/inspec/resources/postgres.rb +45 -12
- data/lib/inspec/resources/postgres_conf.rb +2 -0
- data/lib/inspec/resources/postgres_hba_conf.rb +2 -1
- data/lib/inspec/resources/postgres_ident_conf.rb +2 -1
- data/lib/inspec/resources/postgres_session.rb +9 -5
- data/lib/inspec/rule.rb +1 -1
- data/lib/inspec/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 17449ad4c9680511a8fc11c6fdb11d9ece550a7942c9e734c95eac0d41913d9f
|
|
4
|
+
data.tar.gz: ae5055ccc9bebd1aed4f22da4ad4dcd1be31e1bd2b5707e7b5fb088c916eda08
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 6cec299ca48d7ca4c3fb9b3eecc79c8687541fbd83fc79e837ed13d2abb4bcb861f747782a68bf90f7e1083443a671079a1368a97e9f552e249e456616a92059
|
|
7
|
+
data.tar.gz: 287e2d79dbc494c83d6f8b8046e0f9c54632c5a13ec75ac69b603bdf9fe9b6a89ff86c9c8f025f7e04372490adb1ffa5a5a7fc10f3ecab1e7fabd70f71f6767d
|
data/Gemfile
CHANGED
|
@@ -20,22 +20,11 @@ end
|
|
|
20
20
|
# but our runtime dep is still 3.9+
|
|
21
21
|
gem "rspec", ">= 3.10"
|
|
22
22
|
|
|
23
|
-
def probably_x86?
|
|
24
|
-
# We don't currently build on ARM windows, so assume x86 there
|
|
25
|
-
return true if RUBY_PLATFORM =~ /windows|mswin|msys|mingw|cygwin/
|
|
26
|
-
|
|
27
|
-
# Otherwise rely on uname -m
|
|
28
|
-
`uname -m`.match?(/^(x86_64|i\d86)/)
|
|
29
|
-
end
|
|
30
|
-
|
|
31
23
|
group :omnibus do
|
|
32
24
|
gem "rb-readline"
|
|
33
25
|
gem "appbundler"
|
|
34
26
|
gem "ed25519" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
|
|
35
27
|
gem "bcrypt_pbkdf" # ed25519 ssh key support done here as its a native gem we can't put in the gemspec
|
|
36
|
-
if probably_x86?
|
|
37
|
-
gem "x25519" # ed25519 KEX module, not supported on ARM
|
|
38
|
-
end
|
|
39
28
|
end
|
|
40
29
|
|
|
41
30
|
group :test do
|
|
@@ -42,11 +42,7 @@ module Inspec::Resources
|
|
|
42
42
|
@local_mode = opts[:local_mode]
|
|
43
43
|
unless local_mode?
|
|
44
44
|
@host = opts[:host] || "localhost"
|
|
45
|
-
|
|
46
|
-
@port = opts[:port]
|
|
47
|
-
else
|
|
48
|
-
@port = "1433"
|
|
49
|
-
end
|
|
45
|
+
@port = opts[:port]
|
|
50
46
|
end
|
|
51
47
|
@instance = opts[:instance]
|
|
52
48
|
@db_name = opts[:db_name]
|
|
@@ -38,11 +38,12 @@ module Inspec::Resources
|
|
|
38
38
|
@sqlcl_bin = opts[:sqlcl_bin] || nil
|
|
39
39
|
@sqlplus_bin = opts[:sqlplus_bin] || "sqlplus"
|
|
40
40
|
skip_resource "Option 'as_os_user' not available in Windows" if inspec.os.windows? && su_user
|
|
41
|
-
fail_resource "Can't run Oracle checks without authentication" unless su_user
|
|
42
|
-
fail_resource "You must provide a service name for the session" unless service
|
|
41
|
+
fail_resource "Can't run Oracle checks without authentication" unless su_user || (user || password)
|
|
43
42
|
end
|
|
44
43
|
|
|
45
44
|
def query(sql)
|
|
45
|
+
raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
|
|
46
|
+
|
|
46
47
|
if @sqlcl_bin && inspec.command(@sqlcl_bin).exist?
|
|
47
48
|
@bin = @sqlcl_bin
|
|
48
49
|
format_options = "set sqlformat csv\nSET FEEDBACK OFF"
|
|
@@ -53,8 +54,17 @@ module Inspec::Resources
|
|
|
53
54
|
|
|
54
55
|
command = command_builder(format_options, sql)
|
|
55
56
|
inspec_cmd = inspec.command(command)
|
|
57
|
+
out = inspec_cmd.stdout + "\n" + inspec_cmd.stderr
|
|
56
58
|
|
|
57
|
-
|
|
59
|
+
if inspec_cmd.exit_status != 0 || !inspec_cmd.stderr.empty? || out.downcase =~ /^error.*/
|
|
60
|
+
raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}"
|
|
61
|
+
else
|
|
62
|
+
begin
|
|
63
|
+
DatabaseHelper::SQLQueryResult.new(inspec_cmd, parse_csv_result(inspec_cmd.stdout))
|
|
64
|
+
rescue
|
|
65
|
+
raise Inspec::Exceptions::ResourceFailed, "Oracle query with errors: #{out}"
|
|
66
|
+
end
|
|
67
|
+
end
|
|
58
68
|
end
|
|
59
69
|
|
|
60
70
|
def to_s
|
|
@@ -77,11 +87,11 @@ module Inspec::Resources
|
|
|
77
87
|
end
|
|
78
88
|
|
|
79
89
|
if @db_role.nil?
|
|
80
|
-
|
|
90
|
+
"#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service}#{sql_postfix}"
|
|
81
91
|
elsif @su_user.nil?
|
|
82
|
-
|
|
92
|
+
"#{sql_prefix}#{bin} #{user}/#{password}@#{host}:#{port}/#{@service} as #{@db_role}#{sql_postfix}"
|
|
83
93
|
else
|
|
84
|
-
|
|
94
|
+
"su - #{@su_user} -c env ORACLE_SID=#{@service} #{@bin} / as #{@db_role}#{sql_postfix}"
|
|
85
95
|
end
|
|
86
96
|
end
|
|
87
97
|
|
|
@@ -4,6 +4,8 @@ module Inspec::Resources
|
|
|
4
4
|
class Postgres < Inspec.resource(1)
|
|
5
5
|
name "postgres"
|
|
6
6
|
supports platform: "unix"
|
|
7
|
+
supports platform: "windows"
|
|
8
|
+
|
|
7
9
|
desc "The 'postgres' resource is a helper for the 'postgres_conf', 'postgres_hba_conf', 'postgres_ident_conf' & 'postgres_session' resources. Please use those instead."
|
|
8
10
|
|
|
9
11
|
attr_reader :service, :data_dir, :conf_dir, :conf_path, :version, :cluster
|
|
@@ -43,11 +45,17 @@ module Inspec::Resources
|
|
|
43
45
|
@conf_dir = "/etc/postgresql/#{@version}/#{@cluster}"
|
|
44
46
|
@data_dir = "/var/lib/postgresql/#{@version}/#{@cluster}"
|
|
45
47
|
end
|
|
48
|
+
elsif inspec.os.windows?
|
|
49
|
+
dir = "C:\\Program Files\\PostgreSQL"
|
|
50
|
+
@version = version_from_psql || version_from_dir_windows(dir)
|
|
51
|
+
unless @version.to_s.empty?
|
|
52
|
+
@data_dir = "#{dir}\\#{@version}\\data\\"
|
|
53
|
+
end
|
|
46
54
|
else
|
|
47
55
|
@version = version_from_psql
|
|
48
56
|
if @version.to_s.empty?
|
|
49
57
|
if inspec.directory("/var/lib/pgsql/data").exist?
|
|
50
|
-
warn "Unable to determine PostgreSQL version: psql did not return" \
|
|
58
|
+
Inspec::Log.warn "Unable to determine PostgreSQL version: psql did not return" \
|
|
51
59
|
"a version number and unversioned data directories were found."
|
|
52
60
|
else
|
|
53
61
|
@version = version_from_dir("/var/lib/pgsql")
|
|
@@ -69,13 +77,13 @@ module Inspec::Resources
|
|
|
69
77
|
|
|
70
78
|
def verify_dirs
|
|
71
79
|
unless inspec.directory(@conf_dir).exist?
|
|
72
|
-
warn "Default postgresql configuration directory: #{@conf_dir} does not exist. " \
|
|
80
|
+
Inspec::Log.warn "Default postgresql configuration directory: #{@conf_dir} does not exist. " \
|
|
73
81
|
"Postgresql may not be installed or we've misidentified the configuration " \
|
|
74
82
|
"directory."
|
|
75
83
|
end
|
|
76
84
|
|
|
77
85
|
unless inspec.directory(@data_dir).exist?
|
|
78
|
-
warn "Default postgresql data directory: #{@data_dir} does not exist. " \
|
|
86
|
+
Inspec::Log.warn "Default postgresql data directory: #{@data_dir} does not exist. " \
|
|
79
87
|
"Postgresql may not be installed or we've misidentified the data " \
|
|
80
88
|
"directory."
|
|
81
89
|
end
|
|
@@ -84,7 +92,15 @@ module Inspec::Resources
|
|
|
84
92
|
def version_from_psql
|
|
85
93
|
return unless inspec.command("psql").exist?
|
|
86
94
|
|
|
87
|
-
inspec.command("psql --version
|
|
95
|
+
version = inspec.command("psql --version").stdout.strip.split(" ")[2].split(".")
|
|
96
|
+
|
|
97
|
+
unless version.empty?
|
|
98
|
+
if version.first.to_i >= 10
|
|
99
|
+
version.first
|
|
100
|
+
else
|
|
101
|
+
"#{version[0]}.#{version[1]}"
|
|
102
|
+
end
|
|
103
|
+
end
|
|
88
104
|
end
|
|
89
105
|
|
|
90
106
|
def locate_data_dir_location_by_version(ver = @version)
|
|
@@ -100,7 +116,7 @@ module Inspec::Resources
|
|
|
100
116
|
data_dir_loc = dir_list.detect { |i| inspec.directory(i).exist? }
|
|
101
117
|
|
|
102
118
|
if data_dir_loc.nil?
|
|
103
|
-
warn 'Unable to find the PostgreSQL data_dir in expected location(s), please
|
|
119
|
+
Inspec::Log.warn 'Unable to find the PostgreSQL data_dir in expected location(s), please
|
|
104
120
|
execute "psql -t -A -p <port> -h <host> -c "show hba_file";" as the PostgreSQL
|
|
105
121
|
DBA to find the non-standard data_dir location.'
|
|
106
122
|
end
|
|
@@ -112,15 +128,32 @@ module Inspec::Resources
|
|
|
112
128
|
entries = dirs.lines.count
|
|
113
129
|
case entries
|
|
114
130
|
when 0
|
|
115
|
-
warn "Could not determine version of installed postgresql by inspecting #{dir}"
|
|
131
|
+
Inspec::Log.warn "Could not determine version of installed postgresql by inspecting #{dir}"
|
|
132
|
+
nil
|
|
133
|
+
when 1
|
|
134
|
+
Inspec::Log.warn "Using #{dirs}: #{dir_to_version(dirs)}"
|
|
135
|
+
dir_to_version(dirs)
|
|
136
|
+
else
|
|
137
|
+
Inspec::Log.warn "Multiple versions of postgresql installed or incorrect base dir #{dir}"
|
|
138
|
+
first = dir_to_version(dirs.lines.first)
|
|
139
|
+
Inspec::Log.warn "Using the first version found: #{first}"
|
|
140
|
+
first
|
|
141
|
+
end
|
|
142
|
+
end
|
|
143
|
+
|
|
144
|
+
def version_from_dir_windows(dir)
|
|
145
|
+
dirs = inspec.command("Get-ChildItem -Path \"#{dir}\" -Name").stdout
|
|
146
|
+
entries = dirs.lines.count
|
|
147
|
+
case entries
|
|
148
|
+
when 0
|
|
149
|
+
Inspec::Log.warn "Could not determine version of installed PostgreSQL by inspecting #{dir}"
|
|
116
150
|
nil
|
|
117
151
|
when 1
|
|
118
|
-
warn "Using #{dirs}: #{dir_to_version(dirs)}"
|
|
119
152
|
dir_to_version(dirs)
|
|
120
153
|
else
|
|
121
|
-
warn "Multiple versions of
|
|
154
|
+
Inspec::Log.warn "Multiple versions of PostgreSQL installed or incorrect base dir #{dir}"
|
|
122
155
|
first = dir_to_version(dirs.lines.first)
|
|
123
|
-
warn "Using the first version found: #{first}"
|
|
156
|
+
Inspec::Log.warn "Using the first version found: #{first}"
|
|
124
157
|
first
|
|
125
158
|
end
|
|
126
159
|
end
|
|
@@ -137,13 +170,13 @@ module Inspec::Resources
|
|
|
137
170
|
else
|
|
138
171
|
dirs = inspec.command("ls -d #{dir}/*/").stdout.lines
|
|
139
172
|
if dirs.empty?
|
|
140
|
-
warn "No postgresql clusters configured or incorrect base dir #{dir}"
|
|
173
|
+
Inspec::Log.warn "No postgresql clusters configured or incorrect base dir #{dir}"
|
|
141
174
|
return nil
|
|
142
175
|
end
|
|
143
176
|
first = dirs.first.chomp.split("/").last
|
|
144
177
|
if dirs.count > 1
|
|
145
|
-
warn "Multiple postgresql clusters configured or incorrect base dir #{dir}"
|
|
146
|
-
warn "Using the first directory found: #{first}"
|
|
178
|
+
Inspec::Log.warn "Multiple postgresql clusters configured or incorrect base dir #{dir}"
|
|
179
|
+
Inspec::Log.warn "Using the first directory found: #{first}"
|
|
147
180
|
end
|
|
148
181
|
first
|
|
149
182
|
end
|
|
@@ -5,6 +5,7 @@ module Inspec::Resources
|
|
|
5
5
|
class PostgresHbaConf < Inspec.resource(1)
|
|
6
6
|
name "postgres_hba_conf"
|
|
7
7
|
supports platform: "unix"
|
|
8
|
+
supports platform: "windows"
|
|
8
9
|
desc 'Use the `postgres_hba_conf` InSpec audit resource to test the client
|
|
9
10
|
authentication data defined in the pg_hba.conf file.'
|
|
10
11
|
example <<~EXAMPLE
|
|
@@ -19,7 +20,7 @@ module Inspec::Resources
|
|
|
19
20
|
|
|
20
21
|
# @todo add checks to ensure that we have data in our file
|
|
21
22
|
def initialize(hba_conf_path = nil)
|
|
22
|
-
@conf_file = hba_conf_path || File.
|
|
23
|
+
@conf_file = hba_conf_path || File.join(inspec.postgres.conf_dir, "pg_hba.conf")
|
|
23
24
|
@content = ""
|
|
24
25
|
@params = {}
|
|
25
26
|
read_content
|
|
@@ -5,6 +5,7 @@ module Inspec::Resources
|
|
|
5
5
|
class PostgresIdentConf < Inspec.resource(1)
|
|
6
6
|
name "postgres_ident_conf"
|
|
7
7
|
supports platform: "unix"
|
|
8
|
+
supports platform: "windows"
|
|
8
9
|
desc 'Use the postgres_ident_conf InSpec audit resource to test the client
|
|
9
10
|
authentication data is controlled by a pg_ident.conf file.'
|
|
10
11
|
example <<~EXAMPLE
|
|
@@ -18,7 +19,7 @@ module Inspec::Resources
|
|
|
18
19
|
attr_reader :params, :conf_file
|
|
19
20
|
|
|
20
21
|
def initialize(ident_conf_path = nil)
|
|
21
|
-
@conf_file = ident_conf_path || File.
|
|
22
|
+
@conf_file = ident_conf_path || File.join(inspec.postgres.conf_dir, "pg_ident.conf")
|
|
22
23
|
@content = nil
|
|
23
24
|
@params = nil
|
|
24
25
|
read_content
|
|
@@ -12,7 +12,7 @@ module Inspec::Resources
|
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def lines
|
|
15
|
-
output.split("\n")
|
|
15
|
+
output.split("\n").map(&:strip)
|
|
16
16
|
end
|
|
17
17
|
|
|
18
18
|
def to_s
|
|
@@ -54,7 +54,7 @@ module Inspec::Resources
|
|
|
54
54
|
raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
|
|
55
55
|
|
|
56
56
|
psql_cmd = create_psql_cmd(query, db)
|
|
57
|
-
cmd = inspec.command(psql_cmd, redact_regex:
|
|
57
|
+
cmd = inspec.command(psql_cmd, redact_regex: %r{(:\/\/[a-z]*:).*(@)})
|
|
58
58
|
out = cmd.stdout + "\n" + cmd.stderr
|
|
59
59
|
if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/
|
|
60
60
|
raise Inspec::Exceptions::ResourceFailed, "PostgreSQL query with errors: #{out}"
|
|
@@ -66,7 +66,7 @@ module Inspec::Resources
|
|
|
66
66
|
private
|
|
67
67
|
|
|
68
68
|
def test_connection
|
|
69
|
-
query("select now()")
|
|
69
|
+
query("select now()\;")
|
|
70
70
|
end
|
|
71
71
|
|
|
72
72
|
def escaped_query(query)
|
|
@@ -74,8 +74,12 @@ module Inspec::Resources
|
|
|
74
74
|
end
|
|
75
75
|
|
|
76
76
|
def create_psql_cmd(query, db = [])
|
|
77
|
-
dbs = db.map { |x| "
|
|
78
|
-
|
|
77
|
+
dbs = db.map { |x| "#{x}" }.join(" ")
|
|
78
|
+
if inspec.os.windows?
|
|
79
|
+
"psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
|
|
80
|
+
else
|
|
81
|
+
"psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
|
|
82
|
+
end
|
|
79
83
|
end
|
|
80
84
|
end
|
|
81
85
|
end
|
data/lib/inspec/rule.rb
CHANGED
|
@@ -360,7 +360,7 @@ module Inspec
|
|
|
360
360
|
# A string that does not represent a valid time results in the date 0000-01-01.
|
|
361
361
|
if [Date, Time].include?(expiry.class) || (expiry.is_a?(String) && Time.new(expiry).year != 0)
|
|
362
362
|
expiry = expiry.to_time if expiry.is_a? Date
|
|
363
|
-
expiry = Time.
|
|
363
|
+
expiry = Time.parse(expiry) if expiry.is_a? String
|
|
364
364
|
if expiry < Time.now # If the waiver expired, return - no skip applied
|
|
365
365
|
__waiver_data["message"] = "Waiver expired on #{expiry}, evaluating control normally"
|
|
366
366
|
return
|
data/lib/inspec/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: inspec-core
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.38.
|
|
4
|
+
version: 4.38.9
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Chef InSpec Team
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-07-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: chef-telemetry
|