inspec-core 4.41.20 → 4.46.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 26a893a79810f4d3e7aeb90032bd625636c045c8edc11274dddef456d504d278
-  data.tar.gz: 05c34cf8764889bc585a0175cfd7d7c63ef54a4c45c30d182f599de1b3ef8a56
+  metadata.gz: 1cc013914b6503c547eeb5fbba13ce8398cf039236b82a0422339a8b7d178649
+  data.tar.gz: bb763eb39cb82fa264417d15147769d9d4b3fe1dff34ac40351712a35c6dbcb3
 SHA512:
-  metadata.gz: 6d04b25d7423b4fec6be048b8f131bfc28e90266a631829270930b8aa96a520b220c19a0d8fe463689441f67cb8d567d6163df7f56fcc27786ef72f25508dbfc
-  data.tar.gz: f798eee0dafda728d169d34ac8a73fef9803f3a70b1b1342d395d3954420644cef3fedcc202c1dc30204bdf1b2098741831af0200b1b3758c03511f38874e9ca
+  metadata.gz: 492c4bbde3afe3c8be2d7640bb5e6a04f973a762aa2b541231dc61a3862d2d4d3248a49ff9b149ca66fa07eba83e1cd61260185a61fb073ba6a3cc9b542ac04f
+  data.tar.gz: 89b55b1c8d8da24e1266bf6e19f688d284b88b18ec36c97f3f088c6f0422ac6ae6b0ddcab867bcb174ae789fc8e5bb334ed40cfd49adb26c7c3eb401c3164123

data/etc/deprecations.json

@@ -4,7 +4,7 @@
   "groups": {
     "attrs_value_replaces_default": {
       "action": "warn",
-      "prefix": "The 'default' option for attributes is being replaced by 'value' - please use it instead."
+      "prefix": "The 'default' option for inputs is being replaced by 'value' - please use it instead."
     },
     "attrs_dsl": {
       "action": "ignore",

data/lib/inspec/cli.rb

@@ -93,7 +93,8 @@ class Inspec::InspecCLI < Inspec::BaseCLI
   end
 
   desc "check PATH", "verify all tests at the specified PATH"
-  option :format, type: :string
+  option :format, type: :string,
+    desc: "The output format to use doc (default), json. If valid format is not provided then it will use the default."
   profile_options
   def check(path) # rubocop:disable Metrics/AbcSize,Metrics/MethodLength
     o = config

data/lib/inspec/control_eval_context.rb

@@ -18,6 +18,7 @@ module Inspec
     attr_accessor :skip_file
     attr_accessor :profile_context
     attr_accessor :resources_dsl
+    attr_accessor :conf
 
     def initialize(profile_context, resources_dsl, backend, conf, dependencies, require_loader, skip_only_if_eval)
       @profile_context = profile_context
@@ -189,29 +190,24 @@ module Inspec
       @skip_file = true
     end
 
-    private
-
-    def block_location(block, alternate_caller)
-      if block.nil?
-        alternate_caller[/^(.+:\d+):in .+$/, 1] || "unknown"
-      else
-        path, line = block.source_location
-        "#{File.basename(path)}:#{line}"
+    # Check if the given control exist in the --tags option
+    def tag_exist_in_control_tags?(tag_ids)
+      tag_option_matches_with_list = false
+      if !tag_ids.empty? && !tag_ids.nil? && profile_tag_config_exist?
+        tag_option_matches_with_list = !(tag_ids & @conf["profile"].include_tags_list).empty?
+        unless tag_option_matches_with_list
+          @conf["profile"].include_tags_list.any? do |inclusion|
+            # Try to see if the inclusion is a regex, and if it matches
+            if inclusion.is_a?(Regexp)
+              tag_ids.each do |id|
+                tag_option_matches_with_list = (inclusion =~ id)
+                break if tag_option_matches_with_list
+              end
+            end
+          end
+        end
       end
-    end
-
-    # Returns true if configuration hash is not empty and it contains the list of controls is not empty
-    def profile_config_exist?
-      !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_controls_list.empty?
-    end
-
-    def profile_tag_config_exist?
-      !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_tags_list.empty?
-    end
-
-    # Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included
-    def controls_list_empty?
-      !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty?
+      tag_option_matches_with_list
     end
 
     def tags_list_empty?
@@ -230,24 +226,29 @@ module Inspec
       id_exist_in_list
     end
 
-    # Check if the given control exist in the --tags option
-    def tag_exist_in_control_tags?(tag_ids)
-      tag_option_matches_with_list = false
-      if !tag_ids.empty? && !tag_ids.nil? && profile_tag_config_exist?
-        tag_option_matches_with_list = !(tag_ids & @conf["profile"].include_tags_list).empty?
-        unless tag_option_matches_with_list
-          @conf["profile"].include_tags_list.any? do |inclusion|
-            # Try to see if the inclusion is a regex, and if it matches
-            if inclusion.is_a?(Regexp)
-              tag_ids.each do |id|
-                tag_option_matches_with_list = (inclusion =~ id)
-                break if tag_option_matches_with_list
-              end
-            end
-          end
-        end
+    # Returns true if configuration hash is empty or configuration hash does not have the list of controls that needs to be included
+    def controls_list_empty?
+      !@conf.empty? && @conf.key?("profile") && @conf["profile"].include_controls_list.empty? || @conf.empty?
+    end
+
+    private
+
+    def block_location(block, alternate_caller)
+      if block.nil?
+        alternate_caller[/^(.+:\d+):in .+$/, 1] || "unknown"
+      else
+        path, line = block.source_location
+        "#{File.basename(path)}:#{line}"
       end
-      tag_option_matches_with_list
+    end
+
+    # Returns true if configuration hash is not empty and it contains the list of controls is not empty
+    def profile_config_exist?
+      !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_controls_list.empty?
+    end
+
+    def profile_tag_config_exist?
+      !@conf.empty? && @conf.key?("profile") && !@conf["profile"].include_tags_list.empty?
     end
   end
 end

data/lib/inspec/dsl.rb

@@ -93,23 +93,38 @@ module Inspec::DSL
     context = dep_entry.profile.runner_context
     # if we don't want all the rules, then just make 1 pass to get all rule_IDs
     # that we want to keep from the original
-    filter_included_controls(context, dep_entry.profile, &block) unless opts[:include_all]
+    if !opts[:include_all] || !(opts[:conf]["profile"].include_tags_list.empty?) || !opts[:conf]["profile"].include_controls_list.empty?
+      filter_included_controls(context, dep_entry.profile, opts, &block)
+    end
     # interpret the block and skip/modify as required
     context.load(block) if block_given?
     bind_context.add_subcontext(context)
   end
 
-  def self.filter_included_controls(context, profile, &block)
+  def self.filter_included_controls(context, profile, opts, &block)
     mock = Inspec::Backend.create(Inspec::Config.mock)
     include_ctx = Inspec::ProfileContext.for_profile(profile, mock)
     include_ctx.load(block) if block_given?
+    include_ctx.control_eval_context.conf = opts[:conf]
+    control_eval_ctx = include_ctx.control_eval_context
     # remove all rules that were not registered
     context.all_rules.each do |r|
       id = Inspec::Rule.rule_id(r)
       fid = Inspec::Rule.profile_id(r) + "/" + id
-      unless include_ctx.rules[id] || include_ctx.rules[fid]
+      if !opts[:include_all] && !(include_ctx.rules[id] || include_ctx.rules[fid])
         context.remove_rule(fid)
       end
+
+      unless control_eval_ctx.controls_list_empty?
+        # filter the dependent profile controls which are not in the --controls options list
+        context.remove_rule(fid) unless control_eval_ctx.control_exist_in_controls_list?(id)
+      end
+
+      unless control_eval_ctx.tags_list_empty?
+        # filter included controls using --tags
+        tag_ids = control_eval_ctx.control_tags(r)
+        context.remove_rule(fid) unless control_eval_ctx.tag_exist_in_control_tags?(tag_ids)
+      end
     end
   end
 end

data/lib/inspec/resources/chrony_conf.rb

@@ -0,0 +1,55 @@
+# chrony_conf
+
+require "inspec/utils/simpleconfig"
+require "inspec/utils/file_reader"
+
+module Inspec::Resources
+  class ChronyConf < Inspec.resource(1)
+    name "chrony_conf"
+    supports platform: "unix"
+    desc "Use the chrony_conf InSpec audit resource to test the synchronization settings defined in the chrony.conf file. This file is typically located at /etc/chrony.conf."
+    example <<~EXAMPLE
+      describe chrony_conf do
+        its('server') { should_not cmp nil }
+        its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery' }
+        its('pool') { should include 'pool.ntp.org iburst' }
+        its('driftfile') { should cmp '/var/lib/ntp/drift' }
+        its('allow') { should cmp nil }
+        its('keyfile') { should cmp '/etc/chrony.keys' }
+      end
+    EXAMPLE
+
+    include FileReader
+
+    def initialize(path = nil)
+      @conf_path = path || "/etc/chrony.conf"
+      @content = read_file_content(@conf_path)
+    end
+
+    def method_missing(name)
+      param = read_params[name.to_s]
+      # extract first value if we have only one value in array
+      return param[0] if param.is_a?(Array) && (param.length == 1)
+
+      param
+    end
+
+    def to_s
+      "chrony.conf"
+    end
+
+    private
+
+    def read_params
+      return @params if defined?(@params)
+
+      # parse the file
+      conf = SimpleConfig.new(
+        @content,
+        assignment_regex: /^\s*(\S+)\s+(.*)\s*$/,
+        multiple_values: true
+      )
+      @params = conf.params
+    end
+  end
+end

data/lib/inspec/resources/csv.rb

@@ -11,14 +11,28 @@ module Inspec::Resources
       describe csv('example.csv') do
         its('name') { should eq(['John', 'Alice']) }
       end
+
+      describe csv('example.csv', false).params do
+        its[[0]] { should eq (['name', 'col1', 'col2']) }
+      emd
     EXAMPLE
 
+    def initialize(path, headers = true)
+      @headers = headers
+      super(path)
+    end
+
     # override the parse method from JsonConfig
     # Assuming a header row of name,col1,col2, it will output an array of hashes like so:
     #    [
     #      { 'name' => 'row1', 'col1' => 'value1', 'col2' => 'value2' },
     #      { 'name' => 'row2', 'col1' => 'value3', 'col2' => 'value4' }
     #    ]
+    # When headers is set to false it will return data as array of array
+    #    [
+    #      ['name', col1', 'col2'],
+    #      ['row2', 'value3', 'value4']
+    #    ]
     def parse(content)
       require "csv" unless defined?(CSV)
 
@@ -28,10 +42,14 @@ module Inspec::Resources
       end
 
       # implicit conversion of values
-      csv = CSV.new(content, headers: true, converters: %i{all blank_to_nil})
+      csv = CSV.new(content, headers: @headers, converters: %i{all blank_to_nil})
 
       # convert to hash
-      csv.to_a.map(&:to_hash)
+      if @headers
+        csv.to_a.map(&:to_hash)
+      else
+        csv.to_a
+      end
     rescue => e
       raise Inspec::Exceptions::ResourceFailed, "Unable to parse CSV: #{e.message}"
     end
@@ -42,7 +60,12 @@ module Inspec::Resources
     # #value method from JsonConfig (which uses ObjectTraverser.extract_value)
     # doesn't make sense here.
     def value(key)
-      @params.map { |x| x[key.first.to_s] }.compact
+      if @headers
+        @params.map { |x| x[key.first.to_s] }.compact
+      else
+        # when headers is set to false send the array as it is.
+        @params
+      end
     end
 
     private

data/lib/inspec/resources/ibmdb2_conf.rb

@@ -0,0 +1,57 @@
+module Inspec::Resources
+  class Ibmdb2Conf < Inspec.resource(1)
+    name "ibmdb2_conf"
+
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "Use the ibmdb2_conf InSpec audit resource to test the configuration values of IBM Db2 database."
+    example <<~EXAMPLE
+      describe ibmdb2_conf(db2_executable_file_path: "path_to_db2_binary", db_instance: "db2inst1") do
+        its("output") { should_not be_empty }
+        its("output") { should include("Audit buffer size (4KB) (AUDIT_BUF_SZ) = 0")}
+      end
+    EXAMPLE
+
+    attr_reader :output
+
+    def initialize(opts = {})
+      if inspec.os.platform?("unix")
+        @db2_executable_file_path = opts[:db2_executable_file_path]
+        @db_instance = opts[:db_instance]
+        raise Inspec::Exceptions::ResourceFailed, "Can't connect to IBM DB2 without db2_executable_file_path, db_instance options provided." if @db2_executable_file_path.nil? || @db_instance.nil?
+      end
+      @output = run_command
+    end
+
+    def to_s
+      "IBM Db2 Conf"
+    end
+
+    private
+
+    def run_command
+      # attach to the db2 instance and get the configuration
+      if inspec.os.platform?("unix")
+        cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} get database manager configuration")
+        out = cmd.stdout + "\n" + cmd.stderr
+
+        # check if following specific error is there. Sourcing the db2profile to resolve the error.
+        if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved.  Reason code: "3"/
+          cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} get database manager configuration")
+          out = cmd.stdout + "\n" + cmd.stderr
+        end
+      elsif inspec.os.platform?("windows")
+        # set-item command set the powershell to run the db2 commands.
+        cmd = inspec.command("set-item -path env:DB2CLP -value \"**$$**\"\; db2 get database manager configuration")
+        out = cmd.stdout + "\n" + cmd.stderr
+      end
+
+      if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 server/ || out.downcase =~ /^error:.*/
+        raise Inspec::Exceptions::ResourceFailed, "IBM Db2 query with error: #{out}"
+      else
+        cmd.stdout.gsub(/\n|\r/, ",").split(",").reject { |n| n.nil? || n.empty? }.map { |n| n.strip.gsub!(/\s+/, " ") }
+      end
+    end
+  end
+end

data/lib/inspec/resources/ibmdb2_session.rb

@@ -0,0 +1,69 @@
+module Inspec::Resources
+  class Lines
+    attr_reader :output
+
+    def initialize(raw, desc)
+      @output = raw
+      @desc = desc
+    end
+
+    def to_s
+      @desc
+    end
+  end
+
+  class Ibmdb2Session < Inspec.resource(1)
+    name "ibmdb2_session"
+
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "Use the ibmdb2_session InSpec audit resource to test SQL commands run against a IBM Db2 database."
+    example <<~EXAMPLE
+      describe ibmdb2_session(db2_executable_file_path: "path_to_db2_binary", db_instance: "db2inst1", db_name: "sample").query('list database directory') do
+        its('output') { should_not match(/sample/) }
+      end
+    EXAMPLE
+
+    def initialize(opts = {})
+      @db_name = opts[:db_name]
+      if inspec.os.platform?("unix")
+        @db2_executable_file_path = opts[:db2_executable_file_path]
+        @db_instance = opts[:db_instance]
+        raise Inspec::Exceptions::ResourceFailed, "Can't run IBM DB2 queries without db2_executable_file_path, db_instance, db_name options provided." if @db2_executable_file_path.nil? || @db_instance.nil? || @db_name.nil?
+      elsif inspec.os.platform?("windows")
+        raise Inspec::Exceptions::ResourceFailed, "Can't run IBM DB2 queries without db_name option provided." if @db_name.nil?
+      end
+    end
+
+    def query(q)
+      raise Inspec::Exceptions::ResourceFailed, "#{resource_exception_message}" if resource_failed?
+
+      if inspec.os.platform?("unix")
+        # connect to the db and query on the database
+        cmd = inspec.command("#{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} #{q}\;")
+        out = cmd.stdout + "\n" + cmd.stderr
+
+        # check if following specific error is there. Sourcing the db2profile to resolve the error.
+        if cmd.exit_status != 0 && out =~ /SQL10007N Message "-1390" could not be retrieved.  Reason code: "3"/
+          cmd = inspec.command(". ~/sqllib/db2profile\; #{@db2_executable_file_path} attach to #{@db_instance}\; #{@db2_executable_file_path} connect to #{@db_name}\; #{@db2_executable_file_path} #{q}\;")
+          out = cmd.stdout + "\n" + cmd.stderr
+        end
+      elsif inspec.os.platform?("windows")
+        # set-item command set the powershell to run the db2 commands.
+        cmd = inspec.command("set-item -path env:DB2CLP -value \"**$$**\"\; db2 connect to #{@db_name}\; db2 #{q}\;")
+        out = cmd.stdout + "\n" + cmd.stderr
+      end
+
+      if cmd.exit_status != 0 || out =~ /Can't connect to IBM Db2 / || out.downcase =~ /^error:.*/
+        raise Inspec::Exceptions::ResourceFailed, "IBM Db2 connection error: #{out}"
+      else
+        Lines.new(cmd.stdout.strip, "IBM Db2 Query: #{q}")
+      end
+    end
+
+    def to_s
+      "IBM Db2 Session"
+    end
+  end
+end

data/lib/inspec/resources/mssql_sys_conf.rb

@@ -0,0 +1,48 @@
+require "inspec/resources/mssql_session"
+
+module Inspec::Resources
+  class MssqlSysConf < Inspec.resource(1)
+    name "mssql_sys_conf"
+    supports platform: "windows"
+    supports platform: "debian"
+    supports platform: "redhat"
+    supports platform: "suse"
+
+    desc "Use the mssql_sys_conf InSpec audit resource to test the database system configurations for Mssql DB"
+    example <<~EXAMPLE
+      describe mssql_sys_conf("clr_enabled", user: 'USER', password: 'PASSWORD') do
+        its("value_in_use") { should cmp "0" }
+        its("value_configured") { should cmp "0" }
+      end
+    EXAMPLE
+
+    attr_reader :mssql_session, :sql_query
+
+    def initialize(conf_param_name, opts = {})
+      opts[:username] ||= "SA"
+      @mssql_session = inspec.mssql_session(opts)
+      setting = conf_param_name.to_s.gsub("_", " ").split.map(&:capitalize).join(" ")
+      determine_system_configurations(setting)
+    end
+
+    def value_in_use
+      sql_query.row(0).column("value_in_use").value
+    end
+
+    def value_configured
+      sql_query.row(0).column("value_configured").value
+    end
+
+    def to_s
+      "MsSql DB Configuration"
+    end
+
+    private
+
+    def determine_system_configurations(setting)
+      @sql_query = mssql_session.query("SELECT name, CAST(value as int) as value_configured, CAST(value_in_use as int) as value_in_use FROM sys.configurations WHERE name = '#{setting}'")
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Errors fetching database system configurations for Mssql database: #{e}"
+    end
+  end
+end

data/lib/inspec/resources/opa.rb

@@ -6,12 +6,15 @@ module Inspec::Resources
     supports platform: "unix"
     supports platform: "windows"
 
-    attr_reader :result
     def initialize(content)
       @content = content
       super({ content: @content })
     end
 
+    def result
+      @content == {} || @content["result"].empty? ? nil : @content
+    end
+
     private
 
     def parse(content)

data/lib/inspec/resources/oracle.rb

@@ -0,0 +1,66 @@
+require "inspec/resources/powershell"
+
+module Inspec::Resources
+  class Oracle < Inspec.resource(1)
+    name "oracle"
+    supports platform: "unix"
+    supports platform: "windows"
+
+    desc "The 'oracle' resource is a helper for the 'oracledb_listener_conf'"
+
+    attr_reader :conf_path
+
+    def initialize
+      case inspec.os[:family]
+      when "debian", "redhat", "linux", "suse"
+        determine_conf_dir_and_path_in_linux
+      when "windows"
+        determine_conf_dir_and_path_in_windows
+      end
+    end
+
+    def to_s
+      "OracleDB"
+    end
+
+    private
+
+    def determine_conf_dir_and_path_in_linux
+      oracle_home = inspec.os_env("ORACLE_HOME").content
+
+      if oracle_home.nil? || oracle_home.empty?
+        warn "$ORACLE_HOME env value not set in the system"
+        nil
+      else
+        conf_path = "#{oracle_home}/network/admin/listener.ora"
+        if !inspec.file(conf_path).exist?
+          warn "No oracle listener settings found in $ORACLE_HOME/network/admin directory"
+          nil
+        else
+          @conf_path = conf_path
+        end
+      end
+    rescue => e
+      fail_resource "Errors reading listener settings: #{e}"
+    end
+
+    def determine_conf_dir_and_path_in_windows
+      oracle_home = inspec.os_env("ORACLE_HOME").content
+
+      if oracle_home.nil? || oracle_home.empty?
+        warn "ORACLE_HOME env value not set in the system"
+        nil
+      else
+        conf_path = "#{oracle_home}\\network\\admin\\listener.ora"
+        if !inspec.file(conf_path).exist?
+          warn "No oracle listener settings found in ORACLE_HOME\\network\\admin directory"
+          nil
+        else
+          @conf_path = conf_path
+        end
+      end
+    rescue => e
+      fail_resource "Errors reading listener settings: #{e}"
+    end
+  end
+end

data/lib/inspec/resources/oracledb_conf.rb

@@ -0,0 +1,40 @@
+require "inspec/resources/oracledb_session"
+
+module Inspec::Resources
+  class OracledbConf < Inspec.resource(1)
+    name "oracledb_conf"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the oracledb_conf InSpec audit resource to test the database settings for Oracle DB"
+    example <<~EXAMPLE
+      describe oracledb_conf(user: 'USER', password: 'PASSWORD') do
+        its("audit_sys_operations") { should cmp "true" }
+        its("sql92_security") { should cmp "true" }
+      end
+    EXAMPLE
+
+    attr_reader :oracledb_session
+
+    def initialize(opts = {})
+      @oracledb_session = inspec.oracledb_session(opts)
+    end
+
+    def method_missing(name)
+      setting = name.to_s.upcase
+      determine_database_setting(setting)
+    end
+
+    def to_s
+      "Oracle DB Configuration"
+    end
+
+    private
+
+    def determine_database_setting(setting)
+      sql_query = oracledb_session.query("SELECT UPPER(VALUE) AS UPPER_VALUE FROM V$SYSTEM_PARAMETER WHERE UPPER(NAME) = '#{setting}'")
+      sql_query.row(0).column("UPPER_VALUE").value
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Errors fetching database settings for Oracle database: #{e}"
+    end
+  end
+end

data/lib/inspec/resources/oracledb_listener_conf.rb

@@ -0,0 +1,123 @@
+require "inspec/utils/object_traversal"
+require "inspec/utils/simpleconfig"
+require "inspec/utils/find_files"
+require "inspec/utils/file_reader"
+require "inspec/resources/oracle"
+
+module Inspec::Resources
+  class OracledbListenerConf < Inspec.resource(1)
+    name "oracledb_listener_conf"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the oracledb_listener_conf InSpec audit resource to test the listener settings for Oracle DB"
+    example <<~EXAMPLE
+      describe oracledb_listener_conf do
+        its('DEFAULT_SERVICE_LISTENER') { should eq 'XE' }
+      end
+    EXAMPLE
+
+    include FindFiles
+    include FileReader
+    include ObjectTraverser
+
+    def initialize(conf_path = nil)
+      oracle = nil
+      if conf_path.nil?
+        oracle = inspec.oracle
+        @conf_path = oracle.conf_path
+      else
+        @conf_path = conf_path
+      end
+
+      if oracle && oracle.resource_failed?
+        raise oracle.resource_exception_message
+      elsif @conf_path.nil?
+        return skip_resource "Oracle Listener conf path is not set"
+      end
+
+      @conf_dir = File.expand_path(File.dirname(@conf_path))
+      @files_contents = {}
+      @content = nil
+      @params = nil
+      read_content
+    end
+
+    def content
+      @content ||= read_content
+    end
+
+    def params(*opts)
+      @params || read_content
+      res = @params
+      opts.each do |opt|
+        res = res[opt] unless res.nil?
+      end
+      res
+    end
+
+    def value(key)
+      extract_value(key, @params)
+    end
+
+    def method_missing(*keys)
+      keys.shift if keys.is_a?(Array) && keys[0] == :[]
+      param = value(keys)
+      return nil if param.nil?
+      # extract first value if we have only one value in array
+      return param[0] if param.length == 1
+
+      param
+    end
+
+    def to_s
+      "Oracle Listener Configuration"
+    end
+
+    private
+
+    def read_content
+      @content = ""
+      @params = {}
+
+      to_read = [@conf_path]
+      until to_read.empty?
+        base_dir = File.dirname(to_read[0])
+        raw_conf = read_file(to_read[0])
+        @content += raw_conf
+
+        opts = {
+          assignment_regex: /^\s*([^=]*?)\s*=\s*[']?\s*(.*?)\s*[']?\s*$/,
+        }
+        params = SimpleConfig.new(raw_conf, opts).params
+        @params.merge!(params)
+
+        to_read = to_read.drop(1)
+        # see if there is more config files to include
+
+        to_read += include_files(params, base_dir).find_all do |fp|
+          not @files_contents.key? fp
+        end
+      end
+      @content
+    end
+
+    def include_files(params, base_dir)
+      include_files = Array(params["include"]) || []
+      include_files += Array(params["include_if_exists"]) || []
+      include_files.map! do |f|
+        Pathname.new(f).absolute? ? f : File.join(base_dir, f)
+      end
+
+      dirs = Array(params["include_dir"]) || []
+      dirs.each do |dir|
+        dir = File.join(base_dir, dir) if dir[0] != "/"
+        include_files += find_files(dir, depth: 1, type: "file")
+      end
+      include_files
+    end
+
+    def read_file(path)
+      @files_contents[path] ||= read_file_content(path)
+    end
+  end
+end

data/lib/inspec/resources/postgres_session.rb

@@ -40,11 +40,12 @@ module Inspec::Resources
       end
     EXAMPLE
 
-    def initialize(user, pass, host = nil, port = nil)
+    def initialize(user, pass, host = nil, port = nil, socket_path = nil)
       @user = user || "postgres"
       @pass = pass
       @host = host || "localhost"
       @port = port || 5432
+      @socket_path = socket_path
       raise Inspec::Exceptions::ResourceFailed, "Can't run PostgreSQL SQL checks without authentication." if @user.nil? || @pass.nil?
     end
 
@@ -69,10 +70,20 @@ module Inspec::Resources
 
     def create_psql_cmd(query, db = [])
       dbs = db.map { |x| "#{x}" }.join(" ")
-      if inspec.os.windows?
-        "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
+
+      if @socket_path && !inspec.os.windows?
+        # Socket path and empty host in the connection string establishes socket connection
+        # Socket connection only enabled for non-windows platforms
+        # Windows does not support unix domain sockets
+        "psql -d postgresql://#{@user}:#{@pass}@/#{dbs}?host=#{@socket_path} -A -t -w -c #{escaped_query(query)}"
       else
-        "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
+        # Host in connection string establishes tcp/ip connection
+        if inspec.os.windows?
+          warn "Socket based connection not supported in windows, connecting using host" if @socket_path
+          "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c \"#{query}\""
+        else
+          "psql -d postgresql://#{@user}:#{@pass}@#{@host}:#{@port}/#{dbs} -A -t -w -c #{escaped_query(query)}"
+        end
       end
     end
   end

data/lib/inspec/resources/service.rb

@@ -141,7 +141,7 @@ module Inspec::Resources
         elsif version > 0
           SysV.new(inspec, service_ctl || "/usr/sbin/service")
         end
-      when "redhat", "fedora", "centos", "oracle", "cloudlinux", "scientific"
+      when "redhat", "fedora", "centos", "oracle", "cloudlinux", "scientific", "rocky", "almalinux"
         version = os[:release].to_i
 
         systemd = ((platform != "fedora" && version >= 7) ||

data/lib/inspec/resources/sybase_conf.rb

@@ -0,0 +1,37 @@
+require "inspec/resources/sybase_session"
+
+module Inspec::Resources
+  class SybaseConf < Inspec.resource(1)
+    name "sybase_conf"
+    supports platform: "unix"
+    # supports platform: "windows" # TODO
+    desc "Use the sybase_conf InSpec resource to test Sybase config settings"
+    example <<~EXAMPLE
+      describe sybase_conf("max memory", password: 'password', server: 'SYBASE') do
+        its("run_value") { should cmp 180224 }
+      end
+    EXAMPLE
+
+    attr_reader :conf_param, :sql_query
+    def initialize(conf_param_name, opts = {})
+      @conf_param = conf_param_name
+      opts[:username] ||= "sa"
+      opts[:database] ||= "master"
+      sql_session = inspec.sybase_session(opts)
+      @sql_query = sql_session.query("sp_configure \"#{conf_param}\"")
+    end
+
+    def run_value
+      sql_query.row(0).column("Run Value").value
+    end
+
+    def config_value
+      sql_query.row(0).column("Config Value").value
+    end
+
+    def to_s
+      "Sybase Conf #{conf_param}"
+    end
+
+  end
+end

data/lib/inspec/resources/sybase_session.rb

@@ -0,0 +1,111 @@
+require "inspec/resources/command"
+require "inspec/utils/database_helpers"
+require "hashie/mash"
+require "csv" unless defined?(CSV)
+require "tempfile" unless defined?(Tempfile)
+
+module Inspec::Resources
+  # STABILITY: Experimental
+  # This resource needs further testing and refinement
+  #
+  class SybaseSession < Inspec.resource(1)
+    name "sybase_session"
+    supports platform: "unix"
+    # supports platform: "windows" # TODO
+    desc "Use the sybase_session InSpec resource to test commands against an Sybase database"
+    example <<~EXAMPLE
+      sql = sybase_session(username: 'my_user', password: 'password', server: 'SYBASE', database: 'pubs2')
+      describe sql.query(\"SELECT * FROM authors\").row(0).column('au_lname') do
+        its('value') { should eq 'Smith' }
+      end
+    EXAMPLE
+
+    # TODO: allow to set -I interfaces file
+    # TODO: allow to customize -s column separator
+    attr_reader :bin, :col_sep, :database, :password, :server, :sybase_home, :username
+
+    def initialize(opts = {})
+      @username = opts[:username]
+      @password = opts[:password]
+      @database = opts[:database]
+      @server = opts[:server]
+      @sybase_home = opts[:sybase_home] || "/opt/sap"
+      @bin = opts[:bin] || "isql"
+      @col_sep = "|"
+
+      fail_resource "Can't run Sybase checks without authentication" unless username && password
+      fail_resource "You must provide a server name for the session" unless server
+      fail_resource "You must provide a database name for the session" unless database
+      fail_resource "Cannot find #{bin} CLI tool" unless inspec.command(bin).exist?
+    end
+
+    def query(sql)
+      # We must write the SQl to a temp file on the remote target
+      # try to get a temp path
+      sql_file_path = upload_sql_file(sql)
+
+      # isql reuires that we have a matching locale set, but does not support C.UTF-8. en_US.UTF-8 is the least evil.
+      command = "LANG=en_US.UTF-8 SYBASE=#{sybase_home} #{bin} -s\"#{col_sep}\" -w80000 -S #{server} -U #{username} -D #{database} -P \"#{password}\" < #{sql_file_path}"
+      isql_cmd = inspec.command(command)
+
+      # Check for isql errors
+      res = isql_cmd.exit_status
+      raise Inspec::Exceptions::ResourceFailed.new("isql exited with code #{res} and stderr '#{isql_cmd.stderr}', stdout '#{isql_cmd.stdout}'") unless res == 0
+      # isql is ill-behaved, and returns 0 on error
+      raise Inspec::Exceptions::ResourceFailed.new("isql exited with error '#{isql_cmd.stderr}', stdout '#{isql_cmd.stdout}'") unless isql_cmd.stderr == ""
+      # check stdout for error messages when stderr is empty "Msg 102, Level 15, State 181:\nServer 'SYBASE', Line 1:\nIncorrect syntax near '.'.\n"
+      raise Inspec::Exceptions::ResourceFailed.new("isql exited with error #{isql_cmd.stdout}") if isql_cmd.stdout.match?(/Msg\s\d+,\sLevel\s\d+,\sState\s\d+/)
+
+      # Clean up temporary file
+      rm_cmd = inspec.command("rm #{sql_file_path}")
+      res = rm_cmd.exit_status # TODO: handle
+      raise Inspec::Exceptions::ResourceFailed.new("Unable to delete temproary SQL input file at #{sql_file_path}: #{rm_cmd.stderr}") unless res == 0
+
+      DatabaseHelper::SQLQueryResult.new(isql_cmd, parse_csv_result(isql_cmd.stdout))
+    end
+
+    def to_s
+      "Sybase Session"
+    end
+
+    private
+
+    def parse_csv_result(stdout)
+      output = stdout.gsub(/\r/, "").strip
+      lines = output.lines
+      # Remove second row (all dashes) and last 2 rows (blank and summary lines)
+      trimmed_output = ([lines[0]] << lines.slice(2..-3)).join("")
+      header_converter = Proc.new do |header|
+        # This is here to suppress a warning from Hashie::Mash when it encounters a
+        # header column that ends up with the name "default", which happens when using the
+        # sybase_conf resource. It does mean that aly query whose output field includes the name
+        # Default (exactly) will get renamed to default_value, but that seems unlikely.
+        if header.match?(/^Default\s+$/)
+          "default_value"
+        else
+          header.downcase.strip
+        end
+      end
+      field_converter = ->(field) { field&.strip }
+      CSV.parse(trimmed_output, headers: true, header_converters: header_converter, converters: field_converter, col_sep: col_sep).map { |row| Hashie::Mash.new(row.to_h) }
+    end
+
+    def upload_sql_file(sql)
+      remote_temp_dir = "/tmp"
+      remote_file_path = nil
+      local_temp_file = Tempfile.new(["sybase", ".sql"])
+      begin
+        local_temp_file.write("#{sql}\n")
+        local_temp_file.write("go\n")
+        local_temp_file.flush
+        filename = File.basename(local_temp_file.path)
+        remote_file_path = "#{remote_temp_dir}/#{filename}"
+        inspec.backend.upload([local_temp_file.path], remote_temp_dir)
+      ensure
+        local_temp_file.close
+        local_temp_file.unlink
+      end
+      remote_file_path
+    end
+  end
+end

data/lib/inspec/resources.rb

@@ -58,6 +58,8 @@ require "inspec/resources/groups"
 require "inspec/resources/grub_conf"
 require "inspec/resources/host"
 require "inspec/resources/http"
+require "inspec/resources/ibmdb2_conf"
+require "inspec/resources/ibmdb2_session"
 require "inspec/resources/iis_app"
 require "inspec/resources/iis_app_pool"
 require "inspec/resources/iis_site"
@@ -76,6 +78,7 @@ require "inspec/resources/mongodb_conf"
 require "inspec/resources/mongodb_session"
 require "inspec/resources/mount"
 require "inspec/resources/mssql_session"
+require "inspec/resources/mssql_sys_conf"
 require "inspec/resources/mysql"
 require "inspec/resources/mysql_conf"
 require "inspec/resources/mysql_session"
@@ -84,6 +87,9 @@ require "inspec/resources/nginx_conf"
 require "inspec/resources/npm"
 require "inspec/resources/ntp_conf"
 require "inspec/resources/oneget"
+require "inspec/resources/oracle"
+require "inspec/resources/oracledb_conf"
+require "inspec/resources/oracledb_listener_conf"
 require "inspec/resources/opa_cli"
 require "inspec/resources/opa_api"
 require "inspec/resources/oracledb_session"

data/lib/inspec/run_data/profile.rb

@@ -49,7 +49,6 @@ module Inspec
     end
 
     class Profile
-      # Good candidate for keyword_init, but that is not in 2.4
       Dependency = Struct.new(
         :name, :path, :status, :status_message, :git, :url, :compliance, :supermarket, :branch, :tag, :commit, :version, :relative_path
       ) do
@@ -71,7 +70,6 @@ module Inspec
         end
       end
 
-      # Good candidate for keyword_init, but that is not in 2.4
       Group = Struct.new(
         :title, :controls, :id
       ) do

data/lib/inspec/version.rb

@@ -1,3 +1,3 @@
 module Inspec
-  VERSION = "4.41.20".freeze
+  VERSION = "4.46.13".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec-core
 version: !ruby/object:Gem::Version
-  version: 4.41.20
+  version: 4.46.13
 platform: ruby
 authors:
 - Chef InSpec Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-09-01 00:00:00.000000000 Z
+date: 2021-09-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-telemetry
@@ -506,6 +506,7 @@ files:
 - lib/inspec/resources/bridge.rb
 - lib/inspec/resources/bsd_service.rb
 - lib/inspec/resources/chocolatey_package.rb
+- lib/inspec/resources/chrony_conf.rb
 - lib/inspec/resources/command.rb
 - lib/inspec/resources/cpan.rb
 - lib/inspec/resources/cran.rb
@@ -535,6 +536,8 @@ files:
 - lib/inspec/resources/grub_conf.rb
 - lib/inspec/resources/host.rb
 - lib/inspec/resources/http.rb
+- lib/inspec/resources/ibmdb2_conf.rb
+- lib/inspec/resources/ibmdb2_session.rb
 - lib/inspec/resources/iis_app.rb
 - lib/inspec/resources/iis_app_pool.rb
 - lib/inspec/resources/iis_site.rb
@@ -559,6 +562,7 @@ files:
 - lib/inspec/resources/mongodb_session.rb
 - lib/inspec/resources/mount.rb
 - lib/inspec/resources/mssql_session.rb
+- lib/inspec/resources/mssql_sys_conf.rb
 - lib/inspec/resources/mysql.rb
 - lib/inspec/resources/mysql_conf.rb
 - lib/inspec/resources/mysql_session.rb
@@ -571,6 +575,9 @@ files:
 - lib/inspec/resources/opa.rb
 - lib/inspec/resources/opa_api.rb
 - lib/inspec/resources/opa_cli.rb
+- lib/inspec/resources/oracle.rb
+- lib/inspec/resources/oracledb_conf.rb
+- lib/inspec/resources/oracledb_listener_conf.rb
 - lib/inspec/resources/oracledb_session.rb
 - lib/inspec/resources/os.rb
 - lib/inspec/resources/os_env.rb
@@ -604,6 +611,8 @@ files:
 - lib/inspec/resources/ssh_config.rb
 - lib/inspec/resources/sshd_config.rb
 - lib/inspec/resources/ssl.rb
+- lib/inspec/resources/sybase_conf.rb
+- lib/inspec/resources/sybase_session.rb
 - lib/inspec/resources/sys_info.rb
 - lib/inspec/resources/systemd_service.rb
 - lib/inspec/resources/sysv_service.rb