inspec-core 5.14.0 → 5.17.4

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3cb92e0f21964ecac43d5d9f208e7a2b07a57c2daa0fef4aad06515f933b9072
4
- data.tar.gz: 6c4d5f59ed6dde73193198f4ad32c801515cec12d9c04924765d1ac7ee4bd5bc
3
+ metadata.gz: b31dbb074483f274162eeea0fde1b234cd19e1c65257e19f7d0bc2f46c375b70
4
+ data.tar.gz: 31756fedad66edc248e5ae7b1ca5ab08408f6d7d6e6ce6dfb9053d1323c1acac
5
5
  SHA512:
6
- metadata.gz: 8397f679eea47dead2cb1952026b74c800adf7ea650120597b714c3ccdef1c7e0eeb6af387458a31c028173a6bc332b07de103d4d545dbd37257573b77c6e0b1
7
- data.tar.gz: 96d8ac046aa00ec95fc173e81c28999d744ed823af7a4a6401e9d1776817e303e451e7c8d46450d2c39c02e6ef4ff4c82d1c425683e82299effa2f3384f9f93e
6
+ metadata.gz: e765163668a3799ae45fbe2a5ddd219832341c32b01b62422506324a62c44b99ad771f47c662be5abb1198fdd65969e2a038f54c5059841561edda42170f7631
7
+ data.tar.gz: bbbadea0724f15d1a67c895eab750eea1a660bfc2e65143af703f8b5a88eb9e0c9fde1f9c08356fd9e4b32d202d620902fbad8784618cc01eec866c20f5247c7
@@ -0,0 +1,9 @@
1
+ -----BEGIN PUBLIC KEY-----
2
+ MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8FWKhVwT5ilFdk5/schY
3
+ J3X6DkDbZPul7MAKYuicmyvrk4VZFqFJYzUo9G+ZvtWCjCMZF3JLDbg0VJ+V3j2b
4
+ A5MRUDMH1MtbQZS8u0AIUAitHsSiMgu4w/EHUSHODoDmbdaHT1xkFe9IxMSM1/AV
5
+ /s5u2uAMuiayo+dGW5i9xf/LMZN1JCeX8Yqw85CpS01gMC2XxoUu5wGLwBwXkdql
6
+ +H3SaWRdDTtccgtu0Rxt9dzRtHAPNWKSLl9TScW6Qt/+7bgb3M6+7od/FuPziAS9
7
+ 1NGUiKL9vajpafxUJF8863q0l64dAXGWXVFed7/7GFiNVuLxBksPzK8VrkyCS214
8
+ kQIDAQAB
9
+ -----END PUBLIC KEY-----
@@ -50,7 +50,11 @@ module Inspec
50
50
  end
51
51
 
52
52
  def gem_version_installed?(name, version)
53
- list_installed_gems.any? { |s| s.name == name && Gem::Requirement.new(version.split(",")) =~ s.version }
53
+ if version.nil?
54
+ list_installed_gems.any? { |s| s.name == name }
55
+ else
56
+ list_installed_gems.any? { |s| s.name == name && Gem::Requirement.new(version.split(",")) =~ s.version }
57
+ end
54
58
  end
55
59
 
56
60
  private
@@ -410,7 +410,7 @@ module Inspec
410
410
  else
411
411
  ui = Inspec::UI.new
412
412
  gem_dependencies.each { |gem_dependency| ui.list_item("#{gem_dependency[:name]} #{gem_dependency[:version]}") }
413
- choice = ui.prompt.select("Would you like to install profile gem dependencies listed above?", %w{Yes No})
413
+ choice = ui.prompt.select("The above listed gem dependencies are required to run the profile. Would you like to install them ?", %w{Yes No})
414
414
  if choice == "Yes"
415
415
  Inspec::Config.cached[:auto_install_gems] = true
416
416
  load_gem_dependencies
@@ -850,7 +850,12 @@ module Inspec
850
850
  f = load_rule_filepath(prefix, rule)
851
851
  load_rule(rule, f, controls, groups)
852
852
  end
853
- params[:inputs] = Inspec::InputRegistry.list_inputs_for_profile(@profile_id)
853
+ if @profile_id.nil?
854
+ # identifying inputs using profile name
855
+ params[:inputs] = Inspec::InputRegistry.list_inputs_for_profile(params[:name])
856
+ else
857
+ params[:inputs] = Inspec::InputRegistry.list_inputs_for_profile(@profile_id)
858
+ end
854
859
  params
855
860
  end
856
861
 
@@ -113,6 +113,16 @@ module Inspec::Resources
113
113
  resolve.nil? || resolve.empty? ? nil : resolve
114
114
  end
115
115
 
116
+ # returns an array of the ipv4 addresses
117
+ def ipv4_address
118
+ ipaddress.select { |ip| ip.match(Resolv::IPv4::Regex) }
119
+ end
120
+
121
+ # returns an array of the ipv6 addresses
122
+ def ipv6_address
123
+ ipaddress.select { |ip| ip.match(Resolv::IPv6::Regex) }
124
+ end
125
+
116
126
  def to_s
117
127
  resource_name = "Host #{hostname}"
118
128
  resource_name += " port #{port} proto #{protocol}" if port
@@ -296,15 +306,44 @@ module Inspec::Resources
296
306
  end
297
307
 
298
308
  def resolve(hostname)
309
+ addresses = []
310
+ # -Type A is the DNS query for IPv4 server Address.
299
311
  cmd = inspec.command("Resolve-DnsName –Type A #{hostname} | ConvertTo-Json")
300
312
  begin
301
- resolv = JSON.parse(cmd.stdout)
313
+ resolve_ipv4 = JSON.parse(cmd.stdout)
302
314
  rescue JSON::ParserError => _e
303
315
  return nil
304
316
  end
305
317
 
306
- resolv = [resolv] unless resolv.is_a?(Array)
307
- resolv.map { |entry| entry["IPAddress"] }
318
+ resolve_ipv4 = resolve_ipv4.inject(:merge) if resolve_ipv4.is_a?(Array)
319
+
320
+ # Append the ipv4 addresses
321
+ resolve_ipv4.each_value do |ip|
322
+ matched = ip.to_s.chomp.match(Resolv::IPv4::Regex)
323
+ next if matched.nil? || addresses.include?(matched.to_s)
324
+
325
+ addresses << matched.to_s
326
+ end
327
+
328
+ # -Type AAAA is the DNS query for IPv6 server Address.
329
+ cmd = inspec.command("Resolve-DnsName –Type AAAA #{hostname} | ConvertTo-Json")
330
+ begin
331
+ resolve_ipv6 = JSON.parse(cmd.stdout)
332
+ rescue JSON::ParserError => _e
333
+ return nil
334
+ end
335
+
336
+ resolve_ipv6 = resolve_ipv6.inject(:merge) if resolve_ipv6.is_a?(Array)
337
+
338
+ # Append the ipv6 addresses
339
+ resolve_ipv6.each_value do |ip|
340
+ matched = ip.to_s.chomp.match(Resolv::IPv6::Regex)
341
+ next if matched.nil? || addresses.include?(matched.to_s)
342
+
343
+ addresses << matched.to_s
344
+ end
345
+
346
+ addresses
308
347
  end
309
348
  end
310
349
  end
@@ -0,0 +1,72 @@
1
+ require "inspec/resources/command"
2
+
3
+ module Inspec::Resources
4
+ class PhpConfig < Inspec.resource(1)
5
+ # Resource's internal name.
6
+ name "php_config"
7
+ supports platform: "unix"
8
+ supports platform: "windows"
9
+ desc "Use the php_config InSpec audit resource to test PHP config parameters"
10
+
11
+ example <<~EXAMPLE
12
+ describe php_config("config_param") do
13
+ its("value") { should eq "some_value" }
14
+ end
15
+
16
+ describe php_config("config_param", { "ini" => "path_to_ini_file" }) do
17
+ its("value") { should eq "some_value" }
18
+ end
19
+ EXAMPLE
20
+
21
+ # Resource initialization.
22
+ attr_reader :config_param, :config_file_or_path
23
+ def initialize(config_param, config_file_or_path = {})
24
+ @config_param = config_param
25
+ @config_file_or_path = config_file_or_path
26
+ end
27
+
28
+ # Unique resource id
29
+ def resource_id
30
+ config_param
31
+ end
32
+
33
+ # Resource appearance in test reports.
34
+ def to_s
35
+ "php_config #{resource_id}"
36
+ end
37
+
38
+ # Returns the value evaluated for the initialized config parameter
39
+ def value
40
+ php_utility = find_utility_or_error
41
+
42
+ # The keys in the hash provided by user can be string or symbols.
43
+ # Converting the key to symbols to handle scenario when "ini" key is provided as string.
44
+ config_file_or_path.transform_keys(&:to_sym)
45
+
46
+ # Assign the path with -c option for ini file provided by the user if any.
47
+ php_ini_file = !config_file_or_path.empty? && config_file_or_path.key?(:ini) ? "-c #{config_file_or_path[:ini]}" : ""
48
+
49
+ # The below command `get_cfg_var` is used to fetch the value for any config parameter.
50
+ php_cmd = "#{php_utility} #{php_ini_file} -r 'echo get_cfg_var(\"#{config_param}\");'"
51
+ config_value_cmd = inspec.command(php_cmd)
52
+
53
+ raise Inspec::Exceptions::ResourceFailed, "Executing #{php_cmd} failed: #{config_value_cmd.stderr}" if config_value_cmd.exit_status.to_i != 0
54
+
55
+ config_value = config_value_cmd.stdout.strip
56
+
57
+ # Convert value to integer if the config value are digits.
58
+ config_value.match(/^(\d)+$/) ? config_value.to_i : config_value
59
+ end
60
+
61
+ private
62
+
63
+ # Method to check if php is present or not on the system.
64
+ def find_utility_or_error
65
+ %w{/usr/sbin/php /sbin/php php}.each do |cmd|
66
+ return cmd if inspec.command(cmd).exist?
67
+ end
68
+
69
+ raise Inspec::Exceptions::ResourceFailed, "Could not find `php` on your system."
70
+ end
71
+ end
72
+ end
@@ -60,6 +60,17 @@ module Inspec::Resources
60
60
  @list
61
61
  end
62
62
 
63
+ # Matcher to check if the process is running
64
+ def running?
65
+ # A process is considered running if:
66
+ # unix: it is in running(R) state or either of sleep state(D: Uninterruptible or S: Interruptible)
67
+ # windows: it is responding i.e. state is True.
68
+
69
+ # Other codes like <(high priorty), N(low priority), +(foreground process group) etc. may appear after the state code in unix.
70
+ # Hence the regex used is /^statecode+/ where statecode is either R, S, or D.
71
+ states.any? and !!(states[0] =~ /True/ || states[0] =~ /^R+/ || states[0] =~ /^D+/ || states[0] =~ /^S+/)
72
+ end
73
+
63
74
  filter = FilterTable.create
64
75
  filter.register_column(:labels, field: "label")
65
76
  .register_column(:pids, field: "pid")
@@ -182,7 +182,9 @@ module Inspec::Resources
182
182
  when "aix"
183
183
  SrcMstr.new(inspec)
184
184
  when "amazon"
185
- if os[:release] =~ /^20\d\d/
185
+ # If `initctl` exists on the system, use `Upstart`. Else use `Systemd` since all-new Amazon Linux supports `systemctl`.
186
+ # This way, it is not dependent on the version of Amazon Linux.
187
+ if inspec.command("initctl").exist? || inspec.command("/sbin/initctl").exist?
186
188
  Upstart.new(inspec, service_ctl)
187
189
  else
188
190
  Systemd.new(inspec, service_ctl)
@@ -0,0 +1,93 @@
1
+ require "inspec/resources/file"
2
+
3
+ module Inspec::Resources
4
+ class X509PrivateKey < Inspec.resource(1)
5
+ # Resource internal name.
6
+ name "x509_private_key"
7
+
8
+ # Restrict to only run on the below platforms (if none were given,
9
+ # all OS's and cloud API's supported)
10
+ supports platform: "unix"
11
+ supports platform: "windows"
12
+
13
+ desc "Use the x509_private_key InSpec audit resource to test the x509 private key"
14
+
15
+ example <<~EXAMPLE
16
+ # With passphrase
17
+ describe x509_private_key("/home/openssl_activity/alice_private.pem", "password@123") do
18
+ it { should be_valid }
19
+ it { should be_encrypted }
20
+ it { should have_matching_certificate("/home/openssl_activity/alice_certificate.crt") }
21
+ end
22
+
23
+ # Without passphrase
24
+ describe x509_private_key("/home/openssl_activity/bob_private.pem") do
25
+ it { should be_valid }
26
+ it { should_not be_encrypted }
27
+ it { should have_matching_certificate("/home/openssl_activity/bob_certificate.crt") }
28
+ end
29
+ EXAMPLE
30
+
31
+ # Resource initialization.
32
+ attr_reader :secret_key_path, :passphrase, :openssl_utility
33
+
34
+ def initialize(secret_key_path, passphrase = nil)
35
+ @openssl_utility = check_openssl_or_error
36
+ @secret_key_path = secret_key_path
37
+ @passphrase = passphrase
38
+ end
39
+
40
+ # Resource appearance in test reports.
41
+ def to_s
42
+ "x509_private_key"
43
+ end
44
+
45
+ # Matcher to check if the given key is valid.
46
+ def valid?
47
+ # Below is the command to check if the key is valid.
48
+ openssl_key_validity_cmd = "#{openssl_utility} rsa -in #{secret_key_path} -check -noout"
49
+
50
+ # Additionally, if key is password protected, passphrase needs to be given with -passin argument
51
+ openssl_key_validity_cmd.concat(" -passin pass:#{passphrase}") if passphrase
52
+
53
+ openssl_key_validity = inspec.command(openssl_key_validity_cmd)
54
+ openssl_key_validity.exit_status.to_i == 0
55
+ end
56
+
57
+ # Matcher to check if the given key is encrypted.
58
+ def encrypted?
59
+ raise Inspec::Exceptions::ResourceFailed, "The given secret key #{secret_key_path} does not exist." unless inspec.file(secret_key_path).exist?
60
+
61
+ # All encrypted keys have the header of Proc-Type: 4,ENCRYPTED
62
+ key_file = inspec.file(secret_key_path)
63
+ key_file.content =~ /Proc-Type: 4,ENCRYPTED/
64
+ end
65
+
66
+ # Matcher to verify if the private key maatches the certificate
67
+ def has_matching_certificate?(cert_file_or_path)
68
+ cert_hash_cmd = "openssl x509 -noout -modulus -in #{cert_file_or_path} | openssl md5"
69
+ cert_hash = inspec.command(cert_hash_cmd)
70
+
71
+ raise Inspec::Exceptions::ResourceFailed, "Executing #{cert_hash_cmd} failed: #{cert_hash.stderr}" if cert_hash.exit_status.to_i != 0
72
+
73
+ key_hash_cmd = "openssl rsa -noout -modulus -in #{secret_key_path}"
74
+ passphrase ? key_hash_cmd.concat(" -passin pass:#{passphrase} | openssl md5") : key_hash_cmd.concat(" | openssl md5")
75
+ key_hash = inspec.command(key_hash_cmd)
76
+
77
+ raise Inspec::Exceptions::ResourceFailed, "Executing #{key_hash_cmd} failed: #{key_hash.stderr}" if key_hash.exit_status.to_i != 0
78
+
79
+ cert_hash.stdout == key_hash.stdout
80
+ end
81
+
82
+ private
83
+
84
+ # This resource requires openssl to be available on the system
85
+ def check_openssl_or_error
86
+ %w{/usr/sbin/openssl /usr/bin/openssl /sbin/openssl /bin/openssl openssl}.each do |cmd|
87
+ return cmd if inspec.command(cmd).exist?
88
+ end
89
+
90
+ raise Inspec::Exceptions::ResourceFailed, "Could not find `openssl` on your system."
91
+ end
92
+ end
93
+ end
@@ -0,0 +1,48 @@
1
+ require "inspec/resources/zfs_pool"
2
+
3
+ module Inspec::Resources
4
+ class Zfs < ZfsPool
5
+ # resource's internal name.
6
+ name "zfs"
7
+
8
+ # Restrict to only run on the below platforms
9
+ supports platform: "unix"
10
+
11
+ desc "Use the zfs InSpec audit resource to test if the named ZFS Pool is present and/or has certain properties."
12
+
13
+ example <<~EXAMPLE
14
+ describe zfs("new-pool") do
15
+ it { should exist }
16
+ it { should have_property({ "failmode" => "wait", "capacity" => "0" }) }
17
+ end
18
+ EXAMPLE
19
+
20
+ # Resource initialization is done in the parent class i.e. ZfsPool
21
+
22
+ # Unique identity for the resource.
23
+ def resource_id
24
+ # @zfs_pool is the zfs pool name assigned during initialization in the parent class i.e. ZfsPool
25
+ @zfs_pool
26
+ end
27
+
28
+ # Resource appearance in test reports.
29
+ def to_s
30
+ "zfs #{resource_id}"
31
+ end
32
+
33
+ # The below matcher checks if the given properties are valid properties of the zfs pool.
34
+ def has_property?(properties_hash)
35
+ raise Inspec::Exceptions::ResourceSkipped, "Provide a valid key-value pair of the zfs properties." if properties_hash.empty?
36
+
37
+ # Transform all the key & values provided by user to string,
38
+ # since hash keys can be symbols or strings & values can be integers or strings.
39
+ # @params is a hash populated in the parent class with the properties(key-value) of the current zfs pool.
40
+ # and the key-value in @params are of string type.
41
+ properties_hash.transform_keys(&:to_s)
42
+ properties_hash.transform_values(&:to_s)
43
+
44
+ # check if the given properties is a subset of @params
45
+ properties_hash <= @params
46
+ end
47
+ end
48
+ end
@@ -1,3 +1,3 @@
1
1
  module Inspec
2
- VERSION = "5.14.0".freeze
2
+ VERSION = "5.17.4".freeze
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: inspec-core
3
3
  version: !ruby/object:Gem::Version
4
- version: 5.14.0
4
+ version: 5.17.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Chef InSpec Team
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-04-20 00:00:00.000000000 Z
11
+ date: 2022-05-24 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: chef-telemetry
@@ -392,6 +392,7 @@ files:
392
392
  - Gemfile
393
393
  - LICENSE
394
394
  - etc/deprecations.json
395
+ - etc/keys/progress-2022-05-04.pem.pub
395
396
  - etc/plugin_filters.json
396
397
  - inspec-core.gemspec
397
398
  - lib/bundles/README.md
@@ -601,6 +602,7 @@ files:
601
602
  - lib/inspec/resources/parse_config.rb
602
603
  - lib/inspec/resources/parse_config_file.rb
603
604
  - lib/inspec/resources/passwd.rb
605
+ - lib/inspec/resources/php_config.rb
604
606
  - lib/inspec/resources/pip.rb
605
607
  - lib/inspec/resources/platform.rb
606
608
  - lib/inspec/resources/port.rb
@@ -647,10 +649,12 @@ files:
647
649
  - lib/inspec/resources/windows_task.rb
648
650
  - lib/inspec/resources/wmi.rb
649
651
  - lib/inspec/resources/x509_certificate.rb
652
+ - lib/inspec/resources/x509_private_key.rb
650
653
  - lib/inspec/resources/xinetd_conf.rb
651
654
  - lib/inspec/resources/xml.rb
652
655
  - lib/inspec/resources/yaml.rb
653
656
  - lib/inspec/resources/yum.rb
657
+ - lib/inspec/resources/zfs.rb
654
658
  - lib/inspec/resources/zfs_dataset.rb
655
659
  - lib/inspec/resources/zfs_pool.rb
656
660
  - lib/inspec/rspec_extensions.rb