inspec 0.14.8 → 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (74)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +25 -2
  3. data/bin/inspec +3 -4
  4. data/examples/inheritance/README.md +19 -0
  5. data/examples/inheritance/controls/example.rb +11 -0
  6. data/examples/inheritance/inspec.yml +10 -0
  7. data/lib/bundles/inspec-compliance/cli.rb +1 -4
  8. data/lib/bundles/inspec-supermarket/cli.rb +1 -4
  9. data/lib/inspec/dsl.rb +48 -55
  10. data/lib/inspec/profile.rb +6 -2
  11. data/lib/inspec/profile_context.rb +21 -8
  12. data/lib/inspec/runner.rb +17 -12
  13. data/lib/inspec/runner_rspec.rb +1 -0
  14. data/lib/inspec/version.rb +1 -1
  15. data/lib/resources/apache.rb +20 -18
  16. data/lib/resources/apache_conf.rb +92 -90
  17. data/lib/resources/apt.rb +92 -90
  18. data/lib/resources/audit_policy.rb +35 -33
  19. data/lib/resources/auditd_conf.rb +41 -39
  20. data/lib/resources/auditd_rules.rb +155 -153
  21. data/lib/resources/bond.rb +1 -1
  22. data/lib/resources/bridge.rb +97 -95
  23. data/lib/resources/command.rb +47 -45
  24. data/lib/resources/csv.rb +23 -21
  25. data/lib/resources/directory.rb +1 -1
  26. data/lib/resources/etc_group.rb +116 -114
  27. data/lib/resources/file.rb +1 -1
  28. data/lib/resources/gem.rb +39 -37
  29. data/lib/resources/group.rb +100 -98
  30. data/lib/resources/host.rb +103 -101
  31. data/lib/resources/inetd_conf.rb +42 -40
  32. data/lib/resources/ini.rb +15 -13
  33. data/lib/resources/interface.rb +106 -104
  34. data/lib/resources/iptables.rb +36 -34
  35. data/lib/resources/json.rb +64 -62
  36. data/lib/resources/kernel_module.rb +30 -28
  37. data/lib/resources/kernel_parameter.rb +44 -42
  38. data/lib/resources/limits_conf.rb +41 -39
  39. data/lib/resources/login_def.rb +38 -36
  40. data/lib/resources/mount.rb +43 -41
  41. data/lib/resources/mysql.rb +67 -65
  42. data/lib/resources/mysql_conf.rb +89 -87
  43. data/lib/resources/mysql_session.rb +46 -44
  44. data/lib/resources/npm.rb +35 -33
  45. data/lib/resources/ntp_conf.rb +44 -42
  46. data/lib/resources/oneget.rb +46 -44
  47. data/lib/resources/os.rb +22 -20
  48. data/lib/resources/os_env.rb +47 -45
  49. data/lib/resources/package.rb +213 -211
  50. data/lib/resources/parse_config.rb +59 -57
  51. data/lib/resources/passwd.rb +89 -87
  52. data/lib/resources/pip.rb +60 -58
  53. data/lib/resources/port.rb +352 -350
  54. data/lib/resources/postgres.rb +26 -24
  55. data/lib/resources/postgres_conf.rb +66 -64
  56. data/lib/resources/postgres_session.rb +47 -45
  57. data/lib/resources/processes.rb +56 -54
  58. data/lib/resources/registry_key.rb +150 -148
  59. data/lib/resources/script.rb +30 -28
  60. data/lib/resources/security_policy.rb +56 -54
  61. data/lib/resources/service.rb +638 -636
  62. data/lib/resources/shadow.rb +98 -96
  63. data/lib/resources/ssh_conf.rb +58 -56
  64. data/lib/resources/user.rb +363 -361
  65. data/lib/resources/windows_feature.rb +46 -44
  66. data/lib/resources/xinetd.rb +111 -109
  67. data/lib/resources/yaml.rb +16 -14
  68. data/lib/resources/yum.rb +107 -105
  69. data/lib/utils/base_cli.rb +18 -0
  70. data/test/helper.rb +2 -2
  71. data/test/unit/profile_context_test.rb +1 -1
  72. data/test/unit/resources/file_test.rb +1 -1
  73. data/test/unit/resources/mount_test.rb +1 -1
  74. metadata +5 -2
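--- a/data/lib/resources/mysql.rb
+++ b/data/lib/resources/mysql.rb
@@ -4,78 +4,80 @@
 # author: Christoph Hartmann
 # license: All rights reserved
 
-class Mysql < Inspec.resource(1)
-name 'mysql'
+module Inspec::Resources
+class Mysql < Inspec.resource(1)
+name 'mysql'
 
-attr_reader :package, :service, :conf_dir, :conf_path, :data_dir, :log_dir, :log_path, :log_group, :log_dir_group
-def initialize
-# set OS-dependent filenames and paths
-case inspec.os[:family]
-when 'ubuntu', 'debian'
-init_ubuntu
-when 'redhat', 'fedora'
-init_redhat
-when 'arch'
-init_arch
-else
-# TODO: could not detect
-init_default
+attr_reader :package, :service, :conf_dir, :conf_path, :data_dir, :log_dir, :log_path, :log_group, :log_dir_group
+def initialize
+# set OS-dependent filenames and paths
+case inspec.os[:family]
+when 'ubuntu', 'debian'
+init_ubuntu
+when 'redhat', 'fedora'
+init_redhat
+when 'arch'
+init_arch
+else
+# TODO: could not detect
+init_default
+end
 end
-end
 
-def init_ubuntu
-@package = 'mysql-server'
-@service = 'mysql'
-@conf_path = '/etc/mysql/my.cnf'
-@conf_dir = '/etc/mysql/'
-@data_dir = '/var/lib/mysql/'
-@log_dir = '/var/log/'
-@log_path = '/var/log/mysql.log'
-@log_group = 'adm'
-case os[:release]
-when '14.04'
-@log_dir_group = 'syslog'
-else
-@log_dir_group = 'root'
+def init_ubuntu
+@package = 'mysql-server'
+@service = 'mysql'
+@conf_path = '/etc/mysql/my.cnf'
+@conf_dir = '/etc/mysql/'
+@data_dir = '/var/lib/mysql/'
+@log_dir = '/var/log/'
+@log_path = '/var/log/mysql.log'
+@log_group = 'adm'
+case os[:release]
+when '14.04'
+@log_dir_group = 'syslog'
+else
+@log_dir_group = 'root'
+end
 end
-end
 
-def init_redhat
-@package = 'mysql-server'
-@service = 'mysqld'
-@conf_path = '/etc/my.cnf'
-@conf_dir = '/etc/'
-@data_dir = '/var/lib/mysql/'
-@log_dir = '/var/log/'
-@log_path = '/var/log/mysqld.log'
-@log_group = 'mysql'
-@log_dir_group = 'root'
-end
+def init_redhat
+@package = 'mysql-server'
+@service = 'mysqld'
+@conf_path = '/etc/my.cnf'
+@conf_dir = '/etc/'
+@data_dir = '/var/lib/mysql/'
+@log_dir = '/var/log/'
+@log_path = '/var/log/mysqld.log'
+@log_group = 'mysql'
+@log_dir_group = 'root'
+end
 
-def init_arch
-@package = 'mariadb'
-@service = 'mysql'
-@conf_path = '/etc/mysql/my.cnf'
-@conf_dir = '/etc/mysql/'
-@data_dir = '/var/lib/mysql/'
-@log_dir = '/var/log/'
-@log_path = '/var/log/mysql.log'
-@log_group = 'mysql'
-@log_dir_group = 'root'
-end
+def init_arch
+@package = 'mariadb'
+@service = 'mysql'
+@conf_path = '/etc/mysql/my.cnf'
+@conf_dir = '/etc/mysql/'
+@data_dir = '/var/lib/mysql/'
+@log_dir = '/var/log/'
+@log_path = '/var/log/mysql.log'
+@log_group = 'mysql'
+@log_dir_group = 'root'
+end
 
-def init_default
-@service = 'mysqld'
-@conf_path = '/etc/my.cnf'
-@conf_dir = '/etc/'
-@data_dir = '/var/lib/mysql/'
-@log_dir = '/var/log/'
-@log_path = '/var/log/mysqld.log'
-@log_group = 'mysql'
-@log_dir_group = 'root'
-end
+def init_default
+@service = 'mysqld'
+@conf_path = '/etc/my.cnf'
+@conf_dir = '/etc/'
+@data_dir = '/var/lib/mysql/'
+@log_dir = '/var/log/'
+@log_path = '/var/log/mysqld.log'
+@log_group = 'mysql'
+@log_dir_group = 'root'
+end
 
-def to_s
-'MySQL'
+def to_s
+'MySQL'
+end
 end
 end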
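Review bot: `init_ubuntu` (new line 36) switches on a bare `os[:release]` while `initialize` on line 14 reads `inspec.os[:family]`; unless `os` is a helper the resource base class provides (not visible in this hunk), the Ubuntu/Debian branch raises NameError as soon as it is taken, and even if it is provided the two receivers should agree: `case inspec.os[:release]`. Separately, `init_default` (new lines 68–77) is the only initializer that never assigns `@package`, so `package` returns nil on an undetected platform while every other reader is populated; either assign it explicitly with a comment (`@package = nil # package name unknown for this platform`) or document the nil on the `attr_reader` line so callers do not treat it as a bug. The family list on line 15 also lacks the Ubuntu-derived and RHEL-derived names InSpec reports elsewhere, which is likely why the `else` branch carries its TODO; that is worth a one-line comment rather than a silent fallthrough.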
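--- a/data/lib/resources/mysql_conf.rb
+++ b/data/lib/resources/mysql_conf.rb
@@ -8,115 +8,117 @@ require 'utils/find_files'
 require 'utils/hash'
 require 'resources/mysql'
 
-class MysqlConfEntry
-def initialize(path, params)
-@params = params
-@path = path
-end
+module Inspec::Resources
+class MysqlConfEntry
+def initialize(path, params)
+@params = params
+@path = path
+end
 
-def method_missing(name, *_)
-k = name.to_s
-res = @params[k]
-return true if res.nil? && @params.key?(k)
-@params[k]
-end
+def method_missing(name, *_)
+k = name.to_s
+res = @params[k]
+return true if res.nil? && @params.key?(k)
+@params[k]
+end
 
-def to_s
-"MySQL Config entry [#{@path.join(' ')}]"
+def to_s
+"MySQL Config entry [#{@path.join(' ')}]"
+end
 end
-end
 
-class MysqlConf < Inspec.resource(1)
-name 'mysql_conf'
-desc 'Use the mysql_conf InSpec audit resource to test the contents of the configuration file for MySQL, typically located at /etc/mysql/my.cnf or /etc/my.cnf.'
-example "
-describe mysql_conf('path') do
-its('setting') { should eq 'value' }
-end
-"
+class MysqlConf < Inspec.resource(1)
+name 'mysql_conf'
+desc 'Use the mysql_conf InSpec audit resource to test the contents of the configuration file for MySQL, typically located at /etc/mysql/my.cnf or /etc/my.cnf.'
+example "
+describe mysql_conf('path') do
+its('setting') { should eq 'value' }
+end
+"
 
-include FindFiles
+include FindFiles
 
-def initialize(conf_path = nil)
-@conf_path = conf_path || inspec.mysql.conf_path
-@files_contents = {}
-@content = nil
-@params = nil
-read_content
-end
+def initialize(conf_path = nil)
+@conf_path = conf_path || inspec.mysql.conf_path
+@files_contents = {}
+@content = nil
+@params = nil
+read_content
+end
 
-def content
-@content ||= read_content
-end
+def content
+@content ||= read_content
+end
 
-def params(*opts)
-@params || read_content
-res = @params
-opts.each do |opt|
-res = res[opt] unless res.nil?
+def params(*opts)
+@params || read_content
+res = @params
+opts.each do |opt|
+res = res[opt] unless res.nil?
+end
+MysqlConfEntry.new(opts, res)
 end
-MysqlConfEntry.new(opts, res)
-end
 
-def method_missing(name)
-@params || read_content
-@params[name.to_s]
-end
+def method_missing(name)
+@params || read_content
+@params[name.to_s]
+end
 
-def read_content
-@content = ''
-@params = {}
+def read_content
+@content = ''
+@params = {}
 
-# skip if the main configuration file doesn't exist
-if !inspec.file(@conf_path).file?
-return skip_resource "Can't find file \"#{@conf_path}\""
-end
-raw_conf = read_file(@conf_path)
-if raw_conf.empty? && inspec.file(@conf_path).size > 0
-return skip_resource("Can't read file \"#{@conf_path}\"")
-end
+# skip if the main configuration file doesn't exist
+if !inspec.file(@conf_path).file?
+return skip_resource "Can't find file \"#{@conf_path}\""
+end
+raw_conf = read_file(@conf_path)
+if raw_conf.empty? && inspec.file(@conf_path).size > 0
+return skip_resource("Can't read file \"#{@conf_path}\"")
+end
 
-to_read = [@conf_path]
-until to_read.empty?
-cur_file = to_read[0]
-raw_conf = read_file(cur_file)
-@content += raw_conf
+to_read = [@conf_path]
+until to_read.empty?
+cur_file = to_read[0]
+raw_conf = read_file(cur_file)
+@content += raw_conf
 
-params = SimpleConfig.new(raw_conf).params
-@params = @params.deep_merge(params)
+params = SimpleConfig.new(raw_conf).params
+@params = @params.deep_merge(params)
 
-to_read = to_read.drop(1)
-# see if there is more stuff to include
+to_read = to_read.drop(1)
+# see if there is more stuff to include
 
-dir = File.dirname(cur_file)
-to_read += include_files(dir, raw_conf).find_all do |fp|
-not @files_contents.key? fp
+dir = File.dirname(cur_file)
+to_read += include_files(dir, raw_conf).find_all do |fp|
+not @files_contents.key? fp
+end
 end
+#
+@content
 end
-#
-@content
-end
 
-def include_files(reldir, conf)
-files = conf.scan(/^!include\s+(.*)\s*/).flatten.compact.map { |x| abs_path(reldir, x) }
-dirs = conf.scan(/^!includedir\s+(.*)\s*/).flatten.compact.map { |x| abs_path(reldir, x) }
-dirs.map do |dir|
-# @TODO: non local glob
-files += find_files(dir, depth: 1, type: 'file')
+def include_files(reldir, conf)
+files = conf.scan(/^!include\s+(.*)\s*/).flatten.compact.map { |x| abs_path(reldir, x) }
+dirs = conf.scan(/^!includedir\s+(.*)\s*/).flatten.compact.map { |x| abs_path(reldir, x) }
+dirs.map do |dir|
+# @TODO: non local glob
+files += find_files(dir, depth: 1, type: 'file')
+end
+files
 end
-files
-end
 
-def abs_path(dir, f)
-return f if f.start_with? '/'
-File.join(dir, f)
-end
+def abs_path(dir, f)
+return f if f.start_with? '/'
+File.join(dir, f)
+end
 
-def read_file(path)
-@files_contents[path] ||= inspec.file(path).content
-end
+def read_file(path)
+@files_contents[path] ||= inspec.file(path).content
+end
 
-def to_s
-'MySQL Configuration'
+def to_s
+'MySQL Configuration'
+end
 end
 end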
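Review bot: The `(.*)` capture in both `scan` calls of `include_files` (new lines 102–103) keeps any trailing whitespace or carriage return after the directive's path, because the `\s*` that follows it can match nothing; that whitespace survives `abs_path` and reaches `inspec.file`, which then looks for a file that does not exist, so the included file is silently never merged into `@params`. Stripping the capture, `.map { |x| abs_path(reldir, x.strip) }` on both lines, closes that gap. On line 104 `dirs.map` is used only for its side effect on `files` and its result is discarded; `dirs.each do |dir|` says what the loop is for. Both `method_missing` definitions in this hunk (new lines 18 and 62) have no matching `respond_to_missing?`, so `respond_to?` answers false for every setting the entry actually resolves; adding `def respond_to_missing?(name, include_private = false) = @params.key?(name.to_s) || super` to `MysqlConfEntry` keeps the duck-typed interface honest.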
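--- a/data/lib/resources/mysql_session.rb
+++ b/data/lib/resources/mysql_session.rb
@@ -4,56 +4,58 @@
 # author: Christoph Hartmann
 # license: All rights reserved
 
-class MysqlSession < Inspec.resource(1)
-name 'mysql_session'
-desc 'Use the mysql_session InSpec audit resource to test SQL commands run against a MySQL database.'
-example "
-sql = mysql_session('my_user','password')
-describe sql.query('show databases like \'test\';') do
-its(:stdout) { should_not match(/test/) }
+module Inspec::Resources
+class MysqlSession < Inspec.resource(1)
+name 'mysql_session'
+desc 'Use the mysql_session InSpec audit resource to test SQL commands run against a MySQL database.'
+example "
+sql = mysql_session('my_user','password')
+describe sql.query('show databases like \'test\';') do
+its(:stdout) { should_not match(/test/) }
+end
+"
+
+def initialize(user = nil, pass = nil)
+@user = user
+@pass = pass
+init_fallback if user.nil? or pass.nil?
+skip_resource("Can't run MySQL SQL checks without authentication") if @user.nil? or @pass.nil?
 end
-"
 
-def initialize(user = nil, pass = nil)
-@user = user
-@pass = pass
-init_fallback if user.nil? or pass.nil?
-skip_resource("Can't run MySQL SQL checks without authentication") if @user.nil? or @pass.nil?
-end
-
-def query(q, db = '')
-# TODO: simple escape, must be handled by a library
-# that does this securely
-escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
-
-# run the query
-cmd = inspec.command("mysql -u#{@user} -p#{@pass} #{db} -s -e \"#{escaped_query}\"")
-out = cmd.stdout + "\n" + cmd.stderr
-if out =~ /Can't connect to .* MySQL server/ or
-out.downcase =~ /^error/
-# skip this test if the server can't run the query
-skip_resource("Can't connect to MySQL instance for SQL checks.")
+def query(q, db = '')
+# TODO: simple escape, must be handled by a library
+# that does this securely
+escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
+
+# run the query
+cmd = inspec.command("mysql -u#{@user} -p#{@pass} #{db} -s -e \"#{escaped_query}\"")
+out = cmd.stdout + "\n" + cmd.stderr
+if out =~ /Can't connect to .* MySQL server/ or
+out.downcase =~ /^error/
+# skip this test if the server can't run the query
+skip_resource("Can't connect to MySQL instance for SQL checks.")
+end
+
+# return the raw command output
+cmd
 end
 
-# return the raw command output
-cmd
-end
-
-def to_s
-'MySQL Session'
-end
+def to_s
+'MySQL Session'
+end
 
-private
+private
 
-def init_fallback
-# support debian mysql administration login
-debian = inspec.command('test -f /etc/mysql/debian.cnf && cat /etc/mysql/debian.cnf').stdout
-return if debian.empty?
+def init_fallback
+# support debian mysql administration login
+debian = inspec.command('test -f /etc/mysql/debian.cnf && cat /etc/mysql/debian.cnf').stdout
+return if debian.empty?
 
-user = debian.match(/^\s*user\s*=\s*([^ ]*)\s*$/)
-pass = debian.match(/^\s*password\s*=\s*([^ ]*)\s*$/)
-return if user.nil? or pass.nil?
-@user = user[1]
-@pass = pass[1]
+user = debian.match(/^\s*user\s*=\s*([^ ]*)\s*$/)
+pass = debian.match(/^\s*password\s*=\s*([^ ]*)\s*$/)
+return if user.nil? or pass.nil?
+@user = user[1]
+@pass = pass[1]
+end
 end
 end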
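Review bot: The hand-rolled escape in `query` (new line 28) covers backslash, double quote and `$` but not the backtick, and `@user`, `@pass` and `db` are interpolated into the shell string on line 31 with no escaping at all, so the TODO on lines 26–27 still describes a live quoting defect: any query or credential containing a shell metacharacter either breaks the command or is interpreted by the shell rather than by mysql. The standard library already solves this; `require 'shellwords'` and build the line as `cmd = inspec.command("mysql -u#{Shellwords.escape(@user)} -p#{Shellwords.escape(@pass)} #{db.empty? ? '' : Shellwords.escape(db)} -s -e #{Shellwords.escape(q)}")`, which makes `escaped_query` and the three `gsub` calls unnecessary. Passing the password as `-p#{@pass}` also places it in the target's process list for the lifetime of the mysql client, and the `init_fallback` path (new lines 49–59) feeds the Debian maintenance credentials through that same route; this deserves a comment on the `desc` or the `initialize` docstring so profile authors know the credential is exposed on the host while the check runs. The `or` on lines 21–22, 33 and 56 is a precedence trap in conditions and should be `||`.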