inspec 0.14.8 → 0.15.0

data/lib/resources/audit_policy.rb

@@ -24,40 +24,42 @@
 #
 # Further information is available at: https://msdn.microsoft.com/en-us/library/dd973859.aspx
 
-class AuditPolicy < Inspec.resource(1)
-  name 'audit_policy'
-  desc 'Use the audit_policy InSpec audit resource to test auditing policies on the Microsoft Windows platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each auditing category property that is enabled, the auditing level may be set to No Auditing, Not Specified, Success, Success and Failure, or Failure.'
-  example "
-    describe audit_policy do
-      its('parameter') { should eq 'value' }
-    end
-  "
-
-  def method_missing(method)
-    key = method.to_s
-
-    # expected result:
-    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
-    # WIN-MB8NINQ388J,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,
-    result ||= inspec.command("Auditpol /get /subcategory:'#{key}' /r").stdout
-
-    # find line
-    target = nil
-    result.each_line {|s|
-      target = s.strip if s =~ /\b.*#{key}.*\b/
-    }
-
-    # extract value
-    values = nil
-    unless target.nil?
-      # split csv values and return value
-      values = target.split(',')[4]
-    end
+module Inspec::Resources
+  class AuditPolicy < Inspec.resource(1)
+    name 'audit_policy'
+    desc 'Use the audit_policy InSpec audit resource to test auditing policies on the Microsoft Windows platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each auditing category property that is enabled, the auditing level may be set to No Auditing, Not Specified, Success, Success and Failure, or Failure.'
+    example "
+      describe audit_policy do
+        its('parameter') { should eq 'value' }
+      end
+    "
 
-    values
-  end
+    def method_missing(method)
+      key = method.to_s
+
+      # expected result:
+      # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
+      # WIN-MB8NINQ388J,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,
+      result ||= inspec.command("Auditpol /get /subcategory:'#{key}' /r").stdout
+
+      # find line
+      target = nil
+      result.each_line {|s|
+        target = s.strip if s =~ /\b.*#{key}.*\b/
+      }
 
-  def to_s
-    'Audit Policy'
+      # extract value
+      values = nil
+      unless target.nil?
+        # split csv values and return value
+        values = target.split(',')[4]
+      end
+
+      values
+    end
+
+    def to_s
+      'Audit Policy'
+    end
   end
 end

data/lib/resources/auditd_conf.rb

@@ -6,50 +6,52 @@
 
 require 'utils/simpleconfig'
 
-class AuditDaemonConf < Inspec.resource(1)
-  name 'auditd_conf'
-  desc "Use the auditd_conf InSpec audit resource to test the configuration settings for the audit daemon. This file is typically located under /etc/audit/auditd.conf' on UNIX and Linux platforms."
-  example "
-    describe auditd_conf do
-      its('space_left_action') { should eq 'email' }
+module Inspec::Resources
+  class AuditDaemonConf < Inspec.resource(1)
+    name 'auditd_conf'
+    desc "Use the auditd_conf InSpec audit resource to test the configuration settings for the audit daemon. This file is typically located under /etc/audit/auditd.conf' on UNIX and Linux platforms."
+    example "
+      describe auditd_conf do
+        its('space_left_action') { should eq 'email' }
+      end
+    "
+
+    def initialize(path = nil)
+      @conf_path = path || '/etc/audit/auditd.conf'
     end
-  "
 
-  def initialize(path = nil)
-    @conf_path = path || '/etc/audit/auditd.conf'
-  end
-
-  def method_missing(name)
-    read_params[name.to_s]
-  end
-
-  def to_s
-    'Audit Daemon Config'
-  end
-
-  private
-
-  def read_params
-    return @params if defined?(@params)
-
-    # read the file
-    file = inspec.file(@conf_path)
-    if !file.file?
-      skip_resource "Can't find file '#{@conf_path}'"
-      return @params = {}
+    def method_missing(name)
+      read_params[name.to_s]
     end
 
-    content = file.content
-    if content.empty? && file.size > 0
-      skip_resource "Can't read file '#{@conf_path}'"
-      return @params = {}
+    def to_s
+      'Audit Daemon Config'
     end
 
-    # parse the file
-    conf = SimpleConfig.new(
-      content,
-      multiple_values: false,
-    )
-    @params = conf.params
+    private
+
+    def read_params
+      return @params if defined?(@params)
+
+      # read the file
+      file = inspec.file(@conf_path)
+      if !file.file?
+        skip_resource "Can't find file '#{@conf_path}'"
+        return @params = {}
+      end
+
+      content = file.content
+      if content.empty? && file.size > 0
+        skip_resource "Can't read file '#{@conf_path}'"
+        return @params = {}
+      end
+
+      # parse the file
+      conf = SimpleConfig.new(
+        content,
+        multiple_values: false,
+      )
+      @params = conf.params
+    end
   end
 end

data/lib/resources/auditd_rules.rb

@@ -7,197 +7,199 @@
 require 'forwardable'
 require 'utils/filter_array'
 
-class AuditdRulesLegacy
-  def initialize(content)
-    @content = content
-    @opts = {
-      assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
-      multiple_values: true,
-    }
-  end
+module Inspec::Resources
+  class AuditdRulesLegacy
+    def initialize(content)
+      @content = content
+      @opts = {
+        assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
+        multiple_values: true,
+      }
+    end
 
-  def params
-    @params ||= SimpleConfig.new(@content, @opts).params
-  end
+    def params
+      @params ||= SimpleConfig.new(@content, @opts).params
+    end
 
-  def method_missing(name)
-    params[name.to_s]
-  end
+    def method_missing(name)
+      params[name.to_s]
+    end
 
-  def status(name)
-    @status_opts = {
-      assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
-      multiple_values: false,
-    }
-    @status_content ||= inspec.command('/sbin/auditctl -s').stdout.chomp
-    @status_params = SimpleConfig.new(@status_content, @status_opts).params
+    def status(name)
+      @status_opts = {
+        assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
+        multiple_values: false,
+      }
+      @status_content ||= inspec.command('/sbin/auditctl -s').stdout.chomp
+      @status_params = SimpleConfig.new(@status_content, @status_opts).params
 
-    status = @status_params['AUDIT_STATUS']
-    return nil if status.nil?
+      status = @status_params['AUDIT_STATUS']
+      return nil if status.nil?
 
-    items = Hash[status.scan(/([^=]+)=(\w*)\s*/)]
-    items[name]
-  end
+      items = Hash[status.scan(/([^=]+)=(\w*)\s*/)]
+      items[name]
+    end
 
-  def to_s
-    'Audit Daemon Rules (for auditd version < 2.3)'
+    def to_s
+      'Audit Daemon Rules (for auditd version < 2.3)'
+    end
   end
-end
-
-# rubocop:disable Metrics/ClassLength
-class AuditDaemonRules < Inspec.resource(1)
-  extend Forwardable
-  attr_accessor :rules, :lines
 
-  name 'auditd_rules'
-  desc 'Use the auditd_rules InSpec audit resource to test the rules for logging that exist on the system. The audit.rules file is typically located under /etc/audit/ and contains the list of rules that define what is captured in log files.'
-  example "
-    # syntax for auditd < 2.3
-    describe auditd_rules do
-      its('LIST_RULES') {should contain_match(/^exit,always arch=.* key=time-change syscall=adjtimex,settimeofday/) }
-      its('LIST_RULES') {should contain_match(/^exit,always arch=.* key=time-change syscall=stime,settimeofday,adjtimex/) }
-      its('LIST_RULES') {should contain_match(/^exit,always arch=.* key=time-change syscall=clock_settime/)}
-      its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/localtime perm=wa key=time-change/)}
-    end
+  # rubocop:disable Metrics/ClassLength
+  class AuditDaemonRules < Inspec.resource(1)
+    extend Forwardable
+    attr_accessor :rules, :lines
+
+    name 'auditd_rules'
+    desc 'Use the auditd_rules InSpec audit resource to test the rules for logging that exist on the system. The audit.rules file is typically located under /etc/audit/ and contains the list of rules that define what is captured in log files.'
+    example "
+      # syntax for auditd < 2.3
+      describe auditd_rules do
+        its('LIST_RULES') {should contain_match(/^exit,always arch=.* key=time-change syscall=adjtimex,settimeofday/) }
+        its('LIST_RULES') {should contain_match(/^exit,always arch=.* key=time-change syscall=stime,settimeofday,adjtimex/) }
+        its('LIST_RULES') {should contain_match(/^exit,always arch=.* key=time-change syscall=clock_settime/)}
+        its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/localtime perm=wa key=time-change/)}
+      end
 
-    # syntax for auditd >= 2.3
-    describe auditd_rules.syscall('open').action do
-      it { should eq(['always']) }
-    end
+      # syntax for auditd >= 2.3
+      describe auditd_rules.syscall('open').action do
+        it { should eq(['always']) }
+      end
 
-    describe auditd_rules.key('sshd_config') do
-      its(:permissions) { should contain_match(/x/) }
-    end
+      describe auditd_rules.key('sshd_config') do
+        its(:permissions) { should contain_match(/x/) }
+      end
 
-    describe auditd_rules do
-      its(:lines) { should contain_match(%r{-w /etc/ssh/sshd_config/}) }
-    end
-  "
+      describe auditd_rules do
+        its(:lines) { should contain_match(%r{-w /etc/ssh/sshd_config/}) }
+      end
+    "
 
-  def initialize
-    @content = inspec.command('/sbin/auditctl -l').stdout.chomp
+    def initialize
+      @content = inspec.command('/sbin/auditctl -l').stdout.chomp
 
-    if @content =~ /^LIST_RULES:/
-      # do not warn on centos 5
-      unless inspec.os[:family] == 'centos' && inspec.os[:release].to_i == 5
-        warn '[WARN] this version of auditd is outdated. Updating it allows for using more precise matchers.'
+      if @content =~ /^LIST_RULES:/
+        # do not warn on centos 5
+        unless inspec.os[:family] == 'centos' && inspec.os[:release].to_i == 5
+          warn '[WARN] this version of auditd is outdated. Updating it allows for using more precise matchers.'
+        end
+        @legacy = AuditdRulesLegacy.new(@content)
+      else
+        parse_content
       end
-      @legacy = AuditdRulesLegacy.new(@content)
-    else
-      parse_content
     end
-  end
 
-  # non-legacy instances are not asked for `its('LIST_RULES')`
-  # rubocop:disable Style/MethodName
-  def LIST_RULES
-    return @legacy.LIST_RULES if @legacy
-    fail 'Using legacy auditd_rules LIST_RULES interface with non-legacy audit package. Please use the new syntax.'
-  end
+    # non-legacy instances are not asked for `its('LIST_RULES')`
+    # rubocop:disable Style/MethodName
+    def LIST_RULES
+      return @legacy.LIST_RULES if @legacy
+      fail 'Using legacy auditd_rules LIST_RULES interface with non-legacy audit package. Please use the new syntax.'
+    end
 
-  def status(name = nil)
-    return @legacy.status(name) if @legacy
+    def status(name = nil)
+      return @legacy.status(name) if @legacy
 
-    @status_content ||= inspec.command('/sbin/auditctl -s').stdout.chomp
-    @status_params ||= Hash[@status_content.scan(/^([^ ]+) (.*)$/)]
+      @status_content ||= inspec.command('/sbin/auditctl -s').stdout.chomp
+      @status_params ||= Hash[@status_content.scan(/^([^ ]+) (.*)$/)]
 
-    return @status_params[name] if name
-    @status_params
-  end
+      return @status_params[name] if name
+      @status_params
+    end
 
-  def parse_content
-    @rules = {
-      syscalls: [],
-      files: [],
-    }
-    @lines = @content.lines.map(&:chomp)
-
-    lines.each do |line|
-      if is_syscall?(line)
-        syscalls = get_syscalls line
-        action, list = get_action_list line
-        fields, opts = get_fields line
-
-        # create a 'flatter' structure because sanity
-        syscalls.each do |s|
-          @rules[:syscalls] << { syscall: s, list: list, action: action, fields: fields }.merge(opts)
+    def parse_content
+      @rules = {
+        syscalls: [],
+        files: [],
+      }
+      @lines = @content.lines.map(&:chomp)
+
+      lines.each do |line|
+        if is_syscall?(line)
+          syscalls = get_syscalls line
+          action, list = get_action_list line
+          fields, opts = get_fields line
+
+          # create a 'flatter' structure because sanity
+          syscalls.each do |s|
+            @rules[:syscalls] << { syscall: s, list: list, action: action, fields: fields }.merge(opts)
+          end
+        elsif is_file?(line)
+          file = get_file line
+          perms = get_permissions line
+          key = get_key line
+
+          @rules[:files] << { file: file, key: key, permissions: perms }
         end
-      elsif is_file?(line)
-        file = get_file line
-        perms = get_permissions line
-        key = get_key line
-
-        @rules[:files] << { file: file, key: key, permissions: perms }
       end
     end
-  end
 
-  def syscall(name)
-    select_name(:syscall, name)
-  end
+    def syscall(name)
+      select_name(:syscall, name)
+    end
 
-  def file(name)
-    select_name(:file, name)
-  end
+    def file(name)
+      select_name(:file, name)
+    end
 
-  # both files and syscalls have `key` identifiers
-  def key(name)
-    res = rules.values.flatten.find_all { |rule| rule[:key] == name }
-    FilterArray.new(res)
-  end
+    # both files and syscalls have `key` identifiers
+    def key(name)
+      res = rules.values.flatten.find_all { |rule| rule[:key] == name }
+      FilterArray.new(res)
+    end
 
-  def to_s
-    'Audit Daemon Rules'
-  end
+    def to_s
+      'Audit Daemon Rules'
+    end
 
-  private
+    private
 
-  def select_name(key, name)
-    plural = "#{key}s".to_sym
-    res = rules[plural].find_all { |rule| rule[key] == name }
-    FilterArray.new(res)
-  end
+    def select_name(key, name)
+      plural = "#{key}s".to_sym
+      res = rules[plural].find_all { |rule| rule[key] == name }
+      FilterArray.new(res)
+    end
 
-  def is_syscall?(line)
-    line.match(/\ -S /)
-  end
+    def is_syscall?(line)
+      line.match(/\ -S /)
+    end
 
-  def is_file?(line)
-    line.match(/-w /)
-  end
+    def is_file?(line)
+      line.match(/-w /)
+    end
 
-  def get_syscalls(line)
-    line.scan(/-S ([^ ]+) /).flatten.first.split(',')
-  end
+    def get_syscalls(line)
+      line.scan(/-S ([^ ]+) /).flatten.first.split(',')
+    end
 
-  def get_action_list(line)
-    line.scan(/-a ([^,]+),([^ ]+)/).flatten
-  end
+    def get_action_list(line)
+      line.scan(/-a ([^,]+),([^ ]+)/).flatten
+    end
 
-  # NB only in file lines
-  def get_key(line)
-    line.match(/-k ([^ ]+)/)[1]
-  end
+    # NB only in file lines
+    def get_key(line)
+      line.match(/-k ([^ ]+)/)[1]
+    end
 
-  # NOTE there are NO precautions wrt. filenames containing spaces in auditctl
-  # `auditctl -w /foo\ bar` gives the following line: `-w /foo bar -p rwxa`
-  def get_file(line)
-    line.match(/-w (.+) -p/)[1]
-  end
+    # NOTE there are NO precautions wrt. filenames containing spaces in auditctl
+    # `auditctl -w /foo\ bar` gives the following line: `-w /foo bar -p rwxa`
+    def get_file(line)
+      line.match(/-w (.+) -p/)[1]
+    end
 
-  def get_permissions(line)
-    line.match(/-p ([^ ]+)/)[1]
-  end
+    def get_permissions(line)
+      line.match(/-p ([^ ]+)/)[1]
+    end
 
-  def get_fields(line)
-    fields = line.gsub(/-[aS] [^ ]+ /, '').split('-F ').map { |l| l.split(' ') }.flatten
+    def get_fields(line)
+      fields = line.gsub(/-[aS] [^ ]+ /, '').split('-F ').map { |l| l.split(' ') }.flatten
 
-    opts = {}
-    fields.find_all { |x| x.match(/[a-z]+=.*/) }.each do |kv|
-      k, v = kv.split('=')
-      opts[k.to_sym] = v
-    end
+      opts = {}
+      fields.find_all { |x| x.match(/[a-z]+=.*/) }.each do |kv|
+        k, v = kv.split('=')
+        opts[k.to_sym] = v
+      end
 
-    [fields, opts]
+      [fields, opts]
+    end
   end
 end