inspec 0.9.0

data/lib/resources/gem.rb

@@ -0,0 +1,46 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+# Usage:
+# describe gem('rubocop') do
+#   it { should be_installed }
+# end
+class GemPackage < Inspec.resource(1)
+  name 'gem'
+
+  def initialize(package_name)
+    @package_name = package_name
+  end
+
+  def info
+    return @info if defined?(@info)
+
+    cmd = inspec.command("gem list --local -a -q \^#{@package_name}\$")
+    @info = {
+      installed: cmd.exit_status == 0,
+      type: 'gem',
+    }
+    return @info unless @info[:installed]
+
+    # extract package name and version
+    # parses data like winrm (1.3.4, 1.3.3)
+    params = /^\s*([^\(]*?)\s*\((.*?)\)\s*$/.match(cmd.stdout.chomp)
+    versions = params[2].split(',')
+    @info[:name] = params[1]
+    @info[:version] = versions[0]
+    @info
+  end
+
+  def installed?
+    info[:installed] == true
+  end
+
+  def version
+    info[:version]
+  end
+
+  def to_s
+    "gem package #{@package_name}"
+  end
+end

data/lib/resources/group.rb

@@ -0,0 +1,132 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+# Usage:
+# describe group('root') do
+#   it { should exist }
+#   its('gid') { should eq 0 }
+# end
+#
+# deprecated has matcher
+# describe group('root') do
+#  it { should have_gid 0 }
+# end
+
+class Group < Inspec.resource(1)
+  name 'group'
+
+  def initialize(groupname, domain = nil)
+    @group = groupname.downcase
+    @domain = domain
+    @domain = @domain.downcase unless @domain.nil?
+
+    @cache = nil
+
+    # select group manager
+    @group_provider = nil
+    if inspec.os.unix?
+      @group_provider = UnixGroup.new(inspec)
+    elsif inspec.os.windows?
+      @group_provider = WindowsGroup.new(inspec)
+    else
+      return skip_resource 'The `group` resource is not supported on your OS yet.'
+    end
+  end
+
+  # verifies if a group exists
+  def exists?
+    # ensure that we found one group
+    !group_info.nil? && group_info.size > 0
+  end
+
+  def gid
+    if group_info.nil? || group_info.size == 0
+      return nil
+    elsif group_info.size == 1
+      # the default case should be one group
+      return group_info[0][:gid]
+    else
+      # return array if we got multiple gids
+      return group_info.map { |grp| grp[:gid] }
+    end
+  end
+
+  # implements rspec has matcher, to be compatible with serverspec
+  def has_gid?(compare_gid)
+    gid == compare_gid
+  end
+
+  def local
+    if group_info.nil? || group_info.size == 0
+      return nil
+    elsif group_info.size == 1
+      # the default case should be one group
+      return group_info[0][:local]
+    else
+      # return array if we got multiple gids
+      return group_info.map { |grp| grp[:local] }
+    end
+  end
+
+  def to_s
+    "Group #{@group}"
+  end
+
+  private
+
+  def group_info
+    return @cache if !@cache.nil?
+    @cache = @group_provider.group_info(@group, @domain) if !@group_provider.nil?
+  end
+end
+
+class GroupInfo
+  attr_reader :inspec
+  def initialize(inspec)
+    @inspec = inspec
+  end
+end
+
+# implements generic unix groups via /etc/group
+class UnixGroup < GroupInfo
+  def group_info(group, _domain = nil)
+    inspec.etc_group.where(name: group).entries.map { |grp|
+      {
+        name: grp['name'],
+        gid: grp['gid'],
+      }
+    }
+  end
+end
+
+class WindowsGroup < GroupInfo
+  def group_info(compare_group, compare_domain = nil)
+    cmd = inspec.command('Get-WmiObject Win32_Group | Select-Object -Property Caption, Domain, Name, SID, LocalAccount | ConvertTo-Json')
+
+    # cannot rely on exit code for now, successful command returns exit code 1
+    # return nil if cmd.exit_status != 0, try to parse json
+    begin
+      groups = JSON.parse(cmd.stdout)
+    rescue JSON::ParserError => _e
+      return nil
+    end
+
+    # ensure we have an array of groups
+    groups = [groups] if !groups.is_a?(Array)
+
+    # reduce list
+    groups.each_with_object([]) do |grp, grp_collection|
+      # map object
+      grp_info = {
+        name: grp['Name'],
+        domain: grp['Domain'],
+        caption: grp['Caption'],
+        gid: nil,
+        sid: grp['SID'],
+        local: grp['LocalAccount'],
+      }
+      return grp_collection.push(grp_info) if grp_info[:name].casecmp(compare_group) == 0 && (compare_domain.nil? || grp_info[:domain].casecmp(compare_domain) == 0)
+    end
+  end
+end

data/lib/resources/host.rb

@@ -0,0 +1,143 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+# Usage:
+# describe host('example.com') do
+#   it { should be_resolvable }
+#   it { should be_reachable }
+#   its(:ipaddress) { should include '93.184.216.34' }
+# end
+#
+# To verify a hostname with protocol and port
+# describe host('example.com', port: 53, proto: 'udp') do
+#   it { should be_reachable }
+# end
+#
+# We do not support the following serverspec syntax:
+# describe host('example.com') do
+#   it { should be_reachable.with( :port => 22 ) }
+#   it { should be_reachable.with( :port => 22, :proto => 'tcp' ) }
+#   it { should be_reachable.with( :port => 53, :proto => 'udp' ) }
+#
+#   it { should be_resolvable.by('hosts') }
+#   it { should be_resolvable.by('dns') }
+# end
+
+class Host < Inspec.resource(1)
+  name 'host'
+
+  def initialize(hostname, params = {})
+    @hostname = hostname
+    @port = params[:port]   || nil
+    @proto = params[:proto] || nil
+
+    @host_provider = nil
+    if inspec.os.linux?
+      @host_provider = LinuxHostProvider.new(inspec)
+    elsif inspec.os.windows?
+      @host_provider = WindowsHostProvider.new(inspec)
+    else
+      return skip_resource 'The `host` resource is not supported on your OS yet.'
+    end
+  end
+
+  # if we get the IP adress, the host is resolvable
+  def resolvable?(type = nil)
+    warn "The `host` resource ignores #{type} parameters. Continue to resolve host." if !type.nil?
+    resolve.nil? || resolve.empty? ? false : true
+  end
+
+  def reachable?(port = nil, proto = nil, timeout = nil)
+    fail "Use `host` resource with host('#{@hostname}', port: #{port}, proto: '#{proto}') parameters." if !port.nil? || !proto.nil? || !timeout.nil?
+    ping.nil? ? false : ping
+  end
+
+  # returns all A records of the IP adress, will return an array
+  def ipaddress
+    resolve.nil? || resolve.empty? ? nil : resolve
+  end
+
+  def to_s
+    "Host #{@hostname}"
+  end
+
+  private
+
+  def ping
+    return @ping_cache if defined?(@ping_cache)
+    @ping_cache = @host_provider.ping(@hostname, @port, @proto) if !@host_provider.nil?
+  end
+
+  def resolve
+    return @ip_cache if defined?(@ip_cache)
+    @ip_cache = @host_provider.resolve(@hostname) if !@host_provider.nil?
+  end
+end
+
+class HostProvider
+  attr_reader :inspec
+  def initialize(inspec)
+    @inspec = inspec
+  end
+end
+
+class LinuxHostProvider < HostProvider
+  # ping is difficult to achieve, since we are not sure
+  def ping(hostname, _port = nil, _proto = nil)
+    # fall back to ping, but we can only test ICMP packages with ping
+    # therefore we have to skip the test, if we do not have everything on the node to run the test
+    ping = inspec.command("ping -w 1 -c 1 #{hostname}")
+    ping.exit_status.to_i != 0 ? false : true
+  end
+
+  def resolve(hostname)
+    # TODO: we rely on getent hosts for now, but it prefers to return IPv6, only then IPv4
+    cmd = inspec.command("getent hosts #{hostname}")
+    return nil if cmd.exit_status.to_i != 0
+
+    # extract ip adress
+    resolve = /^\s*(?<ip>\S+)\s+(.*)\s*$/.match(cmd.stdout.chomp)
+    [resolve[1]] if resolve
+  end
+end
+
+# Windows
+# TODO: UDP is not supported yey, we need a custom ps1 script to add udp support
+# @see http://blogs.technet.com/b/josebda/archive/2015/04/18/windows-powershell-equivalents-for-common-networking-commands-ipconfig-ping-nslookup.aspx
+# @see http://blogs.technet.com/b/heyscriptingguy/archive/2014/03/19/creating-a-port-scanner-with-windows-powershell.aspx
+class WindowsHostProvider < HostProvider
+  def ping(hostname, port = nil, proto = nil)
+    # TODO: abort if we cannot run it via udp
+    return nil if proto == 'udp'
+
+    # ICMP: Test-NetConnection www.microsoft.com
+    # TCP and port: Test-NetConnection -ComputerName www.microsoft.com -RemotePort 80
+    request = "Test-NetConnection -ComputerName #{hostname}"
+    request += " -RemotePort #{port}" unless port.nil?
+    request += '| Select-Object -Property ComputerName, RemoteAddress, RemotePort, SourceAddress, PingSucceeded | ConvertTo-Json'
+    p request
+    request += '| Select-Object -Property ComputerName, PingSucceeded | ConvertTo-Json'
+    cmd = inspec.command(request)
+
+    begin
+      ping = JSON.parse(cmd.stdout)
+    rescue JSON::ParserError => _e
+      return nil
+    end
+
+    ping['PingSucceeded']
+  end
+
+  def resolve(hostname)
+    cmd = inspec.command("Resolve-DnsName –Type A #{hostname} | ConvertTo-Json")
+    begin
+      resolv = JSON.parse(cmd.stdout)
+    rescue JSON::ParserError => _e
+      return nil
+    end
+
+    resolv = [resolv] unless resolv.is_a?(Array)
+    resolv.map { |entry| entry['IPAddress'] }
+  end
+end

data/lib/resources/inetd_conf.rb

@@ -0,0 +1,56 @@
+# encoding: utf-8
+# copyright: 2015, Vulcano Security GmbH
+# author: Christoph Hartmann
+# author: Dominik Richter
+# license: All rights reserved
+
+require 'utils/simpleconfig'
+
+# Usage:
+#
+# describe inetd_conf do
+#   its('shell') { should eq nil }
+#   its('login') { should eq nil }
+#   its('exec') { should eq nil }
+# end
+
+class InetdConf < Inspec.resource(1)
+  name 'inetd_conf'
+
+  def initialize(path = nil)
+    @conf_path = path || '/etc/inetd.conf'
+  end
+
+  def method_missing(name)
+    read_params[name.to_s]
+  end
+
+  def read_params
+    return @params if defined?(@params)
+
+    # read the file
+    file = inspec.file(@conf_path)
+    if !file.file?
+      skip_resource "Can't find file \"#{@conf_path}\""
+      return @params = {}
+    end
+
+    content = file.content
+    if content.empty? && file.size > 0
+      skip_resource "Can't read file \"#{@conf_path}\""
+      return @params = {}
+    end
+    # parse the file
+    conf = SimpleConfig.new(
+      content,
+      assignment_re: /^\s*(\S+?)\s+(.*?)\s+(.*?)\s+(.*?)\s+(.*?)\s+(.*?)\s+(.*?)\s*$/,
+      key_vals: 6,
+      multiple_values: false,
+    )
+    @params = conf.params
+  end
+
+  def to_s
+    'inetd.conf'
+  end
+end

data/lib/resources/interface.rb

@@ -0,0 +1,127 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+
+# Usage:
+# describe interface('eth0') do
+#   it { should exist }
+#   it { should be_up }
+#   its(:speed) { should eq 1000 }
+# end
+
+require 'utils/convert'
+
+class NetworkInterface < Inspec.resource(1)
+  name 'interface'
+
+  def initialize(iface)
+    @iface = iface
+
+    @interface_provider = nil
+    if inspec.os.linux?
+      @interface_provider = LinuxInterface.new(inspec)
+    elsif inspec.os.windows?
+      @interface_provider = WindowsInterface.new(inspec)
+    else
+      return skip_resource 'The `interface` resource is not supported on your OS yet.'
+    end
+  end
+
+  def exists?
+    !interface_info.nil? && !interface_info[:name].nil?
+  end
+
+  def up?
+    interface_info.nil? ? false : interface_info[:up]
+  end
+
+  # returns link speed in Mbits/sec
+  def speed
+    interface_info.nil? ? nil : interface_info[:speed]
+  end
+
+  def to_s
+    "Interface #{@iface}"
+  end
+
+  private
+
+  def interface_info
+    return @cache if defined?(@cache)
+    @cache = @interface_provider.interface_info(@iface) if !@interface_provider.nil?
+  end
+end
+
+class InterfaceInfo
+  include Converter
+  attr_reader :inspec
+  def initialize(inspec)
+    @inspec = inspec
+  end
+end
+
+class LinuxInterface < InterfaceInfo
+  def interface_info(iface)
+    # will return "[mtu]\n1500\n[type]\n1"
+    cmd = inspec.command("find /sys/class/net/#{iface}/ -type f -maxdepth 1 -exec sh -c 'echo \"[$(basename {})]\"; cat {} || echo -n' \\;")
+    return nil if cmd.exit_status.to_i != 0
+
+    # parse values, we only recieve values, therefore we threat them as keys
+    params = SimpleConfig.new(cmd.stdout.chomp).params
+
+    # abort if we got an empty result-set
+    return nil if params.empty?
+
+    # parse state
+    state = false
+    if params.key?('operstate')
+      operstate, _value = params['operstate'].first
+      state = operstate == 'up'
+    end
+
+    # parse speed
+    speed = nil
+    if params.key?('speed')
+      speed, _value = params['speed'].first
+      speed = convert_to_i(speed)
+    end
+
+    {
+      name: iface,
+      up: state,
+      speed: speed,
+    }
+  end
+end
+
+class WindowsInterface < InterfaceInfo
+  def interface_info(iface)
+    # gather all network interfaces
+    cmd = inspec.command('Get-NetAdapter | Select-Object -Property Name, InterfaceDescription, Status, State, MacAddress, LinkSpeed, ReceiveLinkSpeed, TransmitLinkSpeed, Virtual | ConvertTo-Json')
+
+    # filter network interface
+    begin
+      net_adapter = JSON.parse(cmd.stdout)
+    rescue JSON::ParserError => _e
+      return nil
+    end
+
+    # ensure we have an array of groups
+    net_adapter = [net_adapter] if !net_adapter.is_a?(Array)
+
+    # select the requested interface
+    adapters = net_adapter.each_with_object([]) do |adapter, adapter_collection|
+      # map object
+      info = {
+        name: adapter['Name'],
+        up: adapter['State'] == 2,
+        speed: adapter['ReceiveLinkSpeed'] / 1000,
+      }
+      adapter_collection.push(info) if info[:name].casecmp(iface) == 0
+    end
+
+    return nil if adapters.size == 0
+    warn "[Possible Error] detected multiple network interfaces with the name #{iface}" if adapters.size > 1
+    adapters[0]
+  end
+end