RubyGems - inspec - Versions diffs - 0.9.0 - Mend

inspec 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (247) hide show

checksums.yaml +7 -0
data/.gitignore +8 -0
data/.rubocop.yml +65 -0
data/.travis.yml +23 -0
data/CHANGELOG.md +38 -0
data/Gemfile +33 -0
data/LICENSE +201 -0
data/MAINTAINERS.md +28 -0
data/MAINTAINERS.toml +42 -0
data/README.md +257 -0
data/Rakefile +47 -0
data/bin/inspec +109 -0
data/docs/ctl_inspec.rst +195 -0
data/docs/dsl_inspec.rst +182 -0
data/docs/readme.rst +100 -0
data/docs/resources.rst +4319 -0
data/docs/template.rst +51 -0
data/examples/test-kitchen/.kitchen.yml +20 -0
data/examples/test-kitchen/Berksfile +3 -0
data/examples/test-kitchen/Gemfile +21 -0
data/examples/test-kitchen/README.md +27 -0
data/examples/test-kitchen/metadata.rb +7 -0
data/examples/test-kitchen/recipes/default.rb +6 -0
data/examples/test-kitchen/recipes/nginx.rb +30 -0
data/examples/test-kitchen/test/integration/default/web_spec.rb +28 -0
data/inspec.gemspec +30 -0
data/lib/inspec.rb +20 -0
data/lib/inspec/backend.rb +42 -0
data/lib/inspec/dsl.rb +151 -0
data/lib/inspec/log.rb +34 -0
data/lib/inspec/metadata.rb +79 -0
data/lib/inspec/plugins.rb +9 -0
data/lib/inspec/plugins/resource.rb +62 -0
data/lib/inspec/profile.rb +138 -0
data/lib/inspec/profile_context.rb +170 -0
data/lib/inspec/resource.rb +76 -0
data/lib/inspec/rspec_json_formatter.rb +27 -0
data/lib/inspec/rule.rb +170 -0
data/lib/inspec/runner.rb +154 -0
data/lib/inspec/shell.rb +66 -0
data/lib/inspec/targets.rb +9 -0
data/lib/inspec/targets/core.rb +27 -0
data/lib/inspec/targets/dir.rb +67 -0
data/lib/inspec/targets/file.rb +29 -0
data/lib/inspec/targets/folder.rb +43 -0
data/lib/inspec/targets/tar.rb +34 -0
data/lib/inspec/targets/url.rb +39 -0
data/lib/inspec/targets/zip.rb +47 -0
data/lib/inspec/version.rb +7 -0
data/lib/matchers/matchers.rb +221 -0
data/lib/resources/apache.rb +29 -0
data/lib/resources/apache_conf.rb +113 -0
data/lib/resources/apt.rb +140 -0
data/lib/resources/audit_policy.rb +63 -0
data/lib/resources/auditd_conf.rb +56 -0
data/lib/resources/auditd_rules.rb +53 -0
data/lib/resources/bond.rb +65 -0
data/lib/resources/bridge.rb +114 -0
data/lib/resources/command.rb +57 -0
data/lib/resources/csv.rb +32 -0
data/lib/resources/directory.rb +15 -0
data/lib/resources/etc_group.rb +150 -0
data/lib/resources/file.rb +110 -0
data/lib/resources/gem.rb +46 -0
data/lib/resources/group.rb +132 -0
data/lib/resources/host.rb +143 -0
data/lib/resources/inetd_conf.rb +56 -0
data/lib/resources/interface.rb +127 -0
data/lib/resources/iptables.rb +65 -0
data/lib/resources/json.rb +64 -0
data/lib/resources/kernel_module.rb +40 -0
data/lib/resources/kernel_parameter.rb +55 -0
data/lib/resources/limits_conf.rb +55 -0
data/lib/resources/login_def.rb +60 -0
data/lib/resources/mysql.rb +81 -0
data/lib/resources/mysql_conf.rb +116 -0
data/lib/resources/mysql_session.rb +52 -0
data/lib/resources/npm.rb +44 -0
data/lib/resources/ntp_conf.rb +58 -0
data/lib/resources/oneget.rb +63 -0
data/lib/resources/os.rb +22 -0
data/lib/resources/os_env.rb +34 -0
data/lib/resources/package.rb +169 -0
data/lib/resources/parse_config.rb +75 -0
data/lib/resources/passwd.rb +93 -0
data/lib/resources/pip.rb +75 -0
data/lib/resources/port.rb +296 -0
data/lib/resources/postgres.rb +37 -0
data/lib/resources/postgres_conf.rb +87 -0
data/lib/resources/postgres_session.rb +59 -0
data/lib/resources/processes.rb +57 -0
data/lib/resources/registry_key.rb +54 -0
data/lib/resources/script.rb +34 -0
data/lib/resources/security_policy.rb +73 -0
data/lib/resources/service.rb +379 -0
data/lib/resources/ssh_conf.rb +75 -0
data/lib/resources/user.rb +374 -0
data/lib/resources/windows_feature.rb +77 -0
data/lib/resources/yaml.rb +23 -0
data/lib/resources/yum.rb +154 -0
data/lib/utils/convert.rb +12 -0
data/lib/utils/detect.rb +15 -0
data/lib/utils/find_files.rb +36 -0
data/lib/utils/hash.rb +13 -0
data/lib/utils/modulator.rb +12 -0
data/lib/utils/parser.rb +61 -0
data/lib/utils/simpleconfig.rb +115 -0
data/tasks/maintainers.rb +213 -0
data/test/docker_run.rb +156 -0
data/test/docker_test.rb +51 -0
data/test/helper.rb +200 -0
data/test/integration/.kitchen.yml +42 -0
data/test/integration/Berksfile +4 -0
data/test/integration/cookbooks/os_prepare/metadata.rb +8 -0
data/test/integration/cookbooks/os_prepare/recipes/apt.rb +20 -0
data/test/integration/cookbooks/os_prepare/recipes/default.rb +9 -0
data/test/integration/cookbooks/os_prepare/recipes/file.rb +21 -0
data/test/integration/cookbooks/os_prepare/recipes/package.rb +26 -0
data/test/integration/default/_debug_spec.rb +1 -0
data/test/integration/default/apt_spec.rb +42 -0
data/test/integration/default/file_spec.rb +109 -0
data/test/integration/default/group_spec.rb +32 -0
data/test/integration/default/kernel_module_spec.rb +17 -0
data/test/integration/default/kernel_parameter_spec.rb +56 -0
data/test/integration/default/package_spec.rb +11 -0
data/test/integration/default/service_spec.rb +28 -0
data/test/integration/default/user_spec.rb +44 -0
data/test/resource/command_test.rb +33 -0
data/test/resource/dsl_test.rb +45 -0
data/test/resource/file_test.rb +130 -0
data/test/resource/ssh_config.rb +9 -0
data/test/resource/sshd_config.rb +9 -0
data/test/test-extra.yaml +11 -0
data/test/test.yaml +11 -0
data/test/unit/mock/cmd/Get-NetAdapter +24 -0
data/test/unit/mock/cmd/GetUserAccount +33 -0
data/test/unit/mock/cmd/GetWin32Group +23 -0
data/test/unit/mock/cmd/PATH +1 -0
data/test/unit/mock/cmd/Resolve-DnsName +26 -0
data/test/unit/mock/cmd/Test-NetConnection +4 -0
data/test/unit/mock/cmd/auditctl +7 -0
data/test/unit/mock/cmd/auditpol +2 -0
data/test/unit/mock/cmd/brew-info-jq +1 -0
data/test/unit/mock/cmd/chage-l-root +7 -0
data/test/unit/mock/cmd/dpkg-s-curl +21 -0
data/test/unit/mock/cmd/dscl +5 -0
data/test/unit/mock/cmd/etc-apt +7 -0
data/test/unit/mock/cmd/find-etc-rc-d-name-S +12 -0
data/test/unit/mock/cmd/find-net-interface +9 -0
data/test/unit/mock/cmd/gem-list-local-a-q-rubocop +1 -0
data/test/unit/mock/cmd/get-net-tcpconnection +24 -0
data/test/unit/mock/cmd/get-netadapter-binding-bridge +4 -0
data/test/unit/mock/cmd/get-package-firefox +30 -0
data/test/unit/mock/cmd/get-package-ruby +18 -0
data/test/unit/mock/cmd/get-service-dhcp +10 -0
data/test/unit/mock/cmd/get-windows-feature +7 -0
data/test/unit/mock/cmd/getent-hosts-example.com +1 -0
data/test/unit/mock/cmd/getent-passwd-root +1 -0
data/test/unit/mock/cmd/id-chartmann +1 -0
data/test/unit/mock/cmd/id-root +1 -0
data/test/unit/mock/cmd/initctl-show-config-ssh +3 -0
data/test/unit/mock/cmd/initctl-status-ssh +1 -0
data/test/unit/mock/cmd/iptables-s +6 -0
data/test/unit/mock/cmd/launchctl-list +3 -0
data/test/unit/mock/cmd/ls-1-etc-init.d +2 -0
data/test/unit/mock/cmd/ls-sys-class-net-br +2 -0
data/test/unit/mock/cmd/lsmod +2 -0
data/test/unit/mock/cmd/lsof-np-itcp +4 -0
data/test/unit/mock/cmd/netstat-tulpen +5 -0
data/test/unit/mock/cmd/npm-ls-g--json-bower +9 -0
data/test/unit/mock/cmd/pacman-qi-curl +21 -0
data/test/unit/mock/cmd/ping-example.com +6 -0
data/test/unit/mock/cmd/pip-show-jinja2 +11 -0
data/test/unit/mock/cmd/ps-aux +3 -0
data/test/unit/mock/cmd/pw-usershow-root-7 +1 -0
data/test/unit/mock/cmd/reg_schedule +1 -0
data/test/unit/mock/cmd/rpm-qia-curl +24 -0
data/test/unit/mock/cmd/sbin_sysctl +1 -0
data/test/unit/mock/cmd/secedit-export +7 -0
data/test/unit/mock/cmd/service-e +2 -0
data/test/unit/mock/cmd/service-sendmail-onestatus +3 -0
data/test/unit/mock/cmd/service-sshd-status +1 -0
data/test/unit/mock/cmd/sockstat +5 -0
data/test/unit/mock/cmd/success +0 -0
data/test/unit/mock/cmd/systemctl-show-all-sshd +6 -0
data/test/unit/mock/cmd/win32_product +8 -0
data/test/unit/mock/cmd/yum-repolist-all +52 -0
data/test/unit/mock/files/auditd.conf +4 -0
data/test/unit/mock/files/bond0 +37 -0
data/test/unit/mock/files/etcgroup +3 -0
data/test/unit/mock/files/example.csv +6 -0
data/test/unit/mock/files/inetd.conf +2 -0
data/test/unit/mock/files/kitchen.yml +7 -0
data/test/unit/mock/files/limits.conf +5 -0
data/test/unit/mock/files/login.defs +5 -0
data/test/unit/mock/files/mysql.conf +8 -0
data/test/unit/mock/files/mysql2.conf +2 -0
data/test/unit/mock/files/ntp.conf +5 -0
data/test/unit/mock/files/passwd +2 -0
data/test/unit/mock/files/policyfile.lock.json +12 -0
data/test/unit/mock/files/ssh_config +5 -0
data/test/unit/mock/files/sshd_config +7 -0
data/test/unit/mock/profiles/empty/metadata.rb +0 -0
data/test/unit/mock/profiles/metadata/metadata.rb +1 -0
data/test/unit/profile_context_test.rb +140 -0
data/test/unit/profile_test.rb +49 -0
data/test/unit/resources/apt_test.rb +46 -0
data/test/unit/resources/audit_policy_test.rb +13 -0
data/test/unit/resources/auditd_conf_test.rb +15 -0
data/test/unit/resources/auditd_rules_test.rb +21 -0
data/test/unit/resources/bond_test.rb +24 -0
data/test/unit/resources/bridge_test.rb +56 -0
data/test/unit/resources/csv_test.rb +35 -0
data/test/unit/resources/etc_group_test.rb +37 -0
data/test/unit/resources/gem_test.rb +20 -0
data/test/unit/resources/group_test.rb +96 -0
data/test/unit/resources/host_test.rb +38 -0
data/test/unit/resources/inetd_conf_test.rb +15 -0
data/test/unit/resources/interface_test.rb +54 -0
data/test/unit/resources/iptables_test.rb +30 -0
data/test/unit/resources/json_test.rb +36 -0
data/test/unit/resources/kernel_module_test.rb +23 -0
data/test/unit/resources/kernel_parameter_test.rb +13 -0
data/test/unit/resources/limits_conf_test.rb +14 -0
data/test/unit/resources/login_def_test.rb +16 -0
data/test/unit/resources/mysql_conf_test.rb +14 -0
data/test/unit/resources/npm_test.rb +20 -0
data/test/unit/resources/ntp_conf_test.rb +16 -0
data/test/unit/resources/oneget_test.rb +45 -0
data/test/unit/resources/os_env_test.rb +13 -0
data/test/unit/resources/package_test.rb +51 -0
data/test/unit/resources/passwd_test.rb +24 -0
data/test/unit/resources/pip_test.rb +15 -0
data/test/unit/resources/port_test.rb +46 -0
data/test/unit/resources/processes_test.rb +32 -0
data/test/unit/resources/registry_key_test.rb +19 -0
data/test/unit/resources/script_test.rb +19 -0
data/test/unit/resources/security_policy_test.rb +16 -0
data/test/unit/resources/service_test.rb +116 -0
data/test/unit/resources/ssh_conf_test.rb +33 -0
data/test/unit/resources/user_test.rb +93 -0
data/test/unit/resources/windows_feature.rb +17 -0
data/test/unit/resources/yaml_test.rb +34 -0
data/test/unit/resources/yum_test.rb +68 -0
data/test/unit/simpleconfig_test.rb +80 -0
data/test/unit/utils/content_parser_test.rb +30 -0
metadata +555 -0

data/lib/resources/postgres.rb ADDED Viewed

@@ -0,0 +1,37 @@
+# encoding: utf-8
+# copyright: 2015, Vulcano Security GmbH
+# author: Dominik Richter
+# author: Christoph Hartmann
+# license: All rights reserved
+class Postgres < Inspec.resource(1)
+  name 'postgres'
+  attr_reader :service, :data_dir, :conf_dir, :conf_path
+  def initialize
+    case inspec.os[:family]
+    when 'ubuntu', 'debian'
+      @service = 'postgresql'
+      @data_dir = '/var/lib/postgresql'
+      @version = inspec.command('ls /etc/postgresql/').stdout.chomp
+      @conf_dir = "/etc/postgresql/#{@version}/main"
+      @conf_path = File.join @conf_dir, 'postgresql.conf'
+    when 'arch'
+      @service = 'postgresql'
+      @data_dir = '/var/lib/postgres/data'
+      @conf_dir = '/var/lib/postgres/data'
+      @conf_path = File.join @conf_dir, 'postgresql.conf'
+    else
+      @service = 'postgresql'
+      @data_dir = '/var/lib/postgresql'
+      @conf_dir = '/var/lib/pgsql/data'
+      @conf_path = File.join @conf_dir, 'postgresql.conf'
+    end
+  end
+  def to_s
+    'PostgreSQL'
+  end
+end

data/lib/resources/postgres_conf.rb ADDED Viewed

@@ -0,0 +1,87 @@
+# encoding: utf-8
+# copyright: 2015, Vulcano Security GmbH
+# author: Dominik Richter
+# author: Christoph Hartmann
+# license: All rights reserved
+require 'utils/simpleconfig'
+require 'utils/find_files'
+require 'resources/postgres'
+class PostgresConf < Inspec.resource(1)
+  name 'postgres_conf'
+  include FindFiles
+  def initialize(conf_path = nil)
+    @conf_path = conf_path || inspec.postgres.conf_path
+    @conf_dir = File.expand_path(File.dirname @conf_path)
+    @files_contents = {}
+    @content = nil
+    @params = nil
+    read_content
+  end
+  def content
+    @content ||= read_content
+  end
+  def params(*opts)
+    @params || read_content
+    res = @params
+    opts.each do |opt|
+      res = res[opt] unless res.nil?
+    end
+    res
+  end
+  def read_content
+    @content = ''
+    @params = {}
+    # skip if the main configuration file doesn't exist
+    if !inspec.file(@conf_path).file?
+      return skip_resource "Can't find file \"#{@conf_path}\""
+    end
+    raw_conf = read_file(@conf_path)
+    if raw_conf.empty? && inspec.file(@conf_path).size > 0
+      return skip_resource("Can't read file \"#{@conf_path}\"")
+    end
+    to_read = [@conf_path]
+    until to_read.empty?
+      raw_conf = read_file(to_read[0])
+      @content += raw_conf
+      params = SimpleConfig.new(raw_conf).params
+      @params.merge!(params)
+      to_read = to_read.drop(1)
+      # see if there is more config files to include
+      to_read += include_files(params).find_all do |fp|
+        not @files_contents.key? fp
+      end
+    end
+    @content
+  end
+  def include_files(params)
+    include_files = params['include'] || []
+    include_files += params['include_if_exists'] || []
+    dirs = params['include_dir'] || []
+    dirs.each do |dir|
+      dir = File.join(@conf_dir, dir) if dir[0] != '/'
+      include_files += find_files(dir, depth: 1, type: 'file')
+    end
+    include_files
+  end
+  def read_file(path)
+    @files_contents[path] ||= inspec.file(path).content
+  end
+  def to_s
+    'PostgreSQL Configuration'
+  end
+end

data/lib/resources/postgres_session.rb ADDED Viewed

@@ -0,0 +1,59 @@
+# encoding: utf-8
+# copyright: 2015, Vulcano Security GmbH
+# author: Dominik Richter
+# author: Christoph Hartmann
+# license: All rights reserved
+class Lines
+  def initialize(raw, desc)
+    @raw = raw
+    @desc = desc
+  end
+  def output
+    @raw
+  end
+  def lines
+    @raw.split("\n")
+  end
+  def to_s
+    @desc
+  end
+end
+class PostgresSession < Inspec.resource(1)
+  name 'postgres_session'
+  def initialize(user, pass)
+    @user = user || 'postgres'
+    @pass = pass
+  end
+  def query(query, db = [], &block)
+    dbs = db.map { |x| "-d #{x}" }.join(' ')
+    # TODO: simple escape, must be handled by a library
+    # that does this securely
+    escaped_query = query.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
+    # run the query
+    cmd = inspec.command("PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -c \"#{escaped_query}\"")
+    out = cmd.stdout + "\n" + cmd.stderr
+    if out =~ /could not connect to .*/ or
+       out.downcase =~ /^error/
+      # skip this test if the server can't run the query
+      RSpec.describe(cmd) do
+        it 'is skipped', skip: out do
+        end
+      end
+    else
+      # remove the whole header (i.e. up to the first ^-----+------+------$)
+      # remove the tail
+      lines = cmd.stdout
+              .sub(/(.*\n)+([-]+[+])*[-]+\n/, '')
+              .sub(/\n[^\n]*\n\n$/, '')
+      l = Lines.new(lines.strip, "PostgreSQL query: #{query}")
+      RSpec.__send__('describe', l, &block)
+    end
+  end
+end

data/lib/resources/processes.rb ADDED Viewed

@@ -0,0 +1,57 @@
+# encoding: utf-8
+# copyright: 2015, Vulcano Security GmbH
+# author: Dominik Richter
+# author: Christoph Hartmann
+# license: All rights reserved
+class Processes < Inspec.resource(1)
+  name 'processes'
+  attr_reader :list
+  def initialize(grep)
+    # turn into a regexp if it isn't one yet
+    if grep.class == String
+      grep = '(/[^/]*)*'+grep if grep[0] != '/'
+      grep = Regexp.new('^' + grep + '(\s|$)')
+    end
+    all_cmds = ps_aux
+    @list = all_cmds.find_all do |hm|
+      hm[:command] =~ grep
+    end
+  end
+  def to_s
+    'Processes'
+  end
+  private
+  def ps_aux
+    # get all running processes
+    cmd = inspec.command('ps aux')
+    all = cmd.stdout.split("\n")[1..-1]
+    return [] if all.nil?
+    lines = all.map do |line|
+      # user   32296  0.0  0.0  42592  7972 pts/15   Ss+  Apr06   0:00 zsh
+      line.match(/^([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(.*)$/)
+    end.compact
+    lines.map do |m|
+      {
+        user: m[1],
+        pid: m[2],
+        cpu: m[3],
+        mem: m[4],
+        vsz: m[5],
+        rss: m[6],
+        tty: m[7],
+        stat: m[8],
+        start: m[9],
+        time: m[10],
+        command: m[11],
+      }
+    end
+  end
+end

data/lib/resources/registry_key.rb ADDED Viewed

@@ -0,0 +1,54 @@
+# encoding: utf-8
+# copyright: 2015, Vulcano Security GmbH
+# author: Christoph Hartmann
+# license: All rights reserved
+require 'json'
+# Usage:
+# describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule') do
+#   its('Start') { should eq 2 }
+# end
+class RegistryKey < Inspec.resource(1)
+  name 'registry_key'
+  attr_accessor :reg_key
+  def initialize(name, reg_key = nil)
+    # if we have one parameter, we use it as name
+    reg_key ||= name
+    @name = name
+    @reg_key = reg_key
+  end
+  def registry_value(path, key)
+    cmd = "(Get-Item 'Registry::#{path}').GetValue('#{key}')"
+    command_result ||= inspec.command(cmd)
+    val = { exit_code: command_result.exit_status.to_i, data: command_result.stdout }
+    val
+  end
+  def convert_value(value)
+    val = value.strip
+    val = val.to_i if val.match(/^\d+$/)
+    val
+  end
+  # returns nil, if not existant or value
+  def method_missing(meth)
+    # get data
+    val = registry_value(@reg_key, meth)
+    # verify data
+    if (val[:exit_code] == 0)
+      return convert_value(val[:data])
+    else
+      return nil
+    end
+  end
+  def to_s
+    "Registry Key #{@name}"
+  end
+end

data/lib/resources/script.rb ADDED Viewed

@@ -0,0 +1,34 @@
+# encoding: utf-8
+# copyright: 2015, Vulcano Security GmbH
+# author: Christoph Hartmann
+# author: Dominik Richter
+# license: All rights reserved
+class Script < Cmd
+  name 'script'
+  attr_accessor :command
+  def initialize(script)
+    case inspec.os[:family]
+    when 'windows'
+      # encodes a script as base64 to run as powershell encodedCommand
+      # this comes with performance issues: @see https://gist.github.com/fnichol/7b20596b950e65fb96f9
+      require 'winrm'
+      script = WinRM::PowershellScript.new(script)
+      cmd = "powershell -encodedCommand #{script.encoded}"
+    else
+      return skip_resource 'The `script` resource is not supported on your OS yet.'
+    end
+    @command = cmd
+  end
+  # we cannot determine if a command exists, because that does not work for scripts
+  def exist?
+    nil
+  end
+  def to_s
+    'Script'
+  end
+end

data/lib/resources/security_policy.rb ADDED Viewed

@@ -0,0 +1,73 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+#
+# Security Configuration and Analysis
+#
+# Export local security policy:
+# secedit /export /cfg secpol.cfg
+#
+# @link http://www.microsoft.com/en-us/download/details.aspx?id=25250
+#
+# In Windows, some security options are managed differently that the local GPO
+# All local GPO parameters can be examined via Registry, but not all security
+# parameters. Therefore we need a combination of Registry and secedit output
+class SecurityPolicy < Inspec.resource(1)
+  name 'security_policy'
+  def initialize
+    @loaded = false
+    @policy = nil
+    @exit_status = nil
+  end
+  # load security content
+  def load
+    # export the security policy
+    inspec.command('secedit /export /cfg win_secpol.cfg')
+    # store file content
+    command_result ||= inspec.command('type win_secpol.cfg')
+    # delete temp file
+    inspec.command('del win_secpol.cfg')
+    @exit_status = command_result.exit_status.to_i
+    @policy = command_result.stdout
+    @loaded = true
+    # returns self
+    self
+  end
+  def method_missing(method)
+    # load data if needed
+    if (@loaded == false)
+      load
+    end
+    # find line with key
+    key = Regexp.escape(method.to_s)
+    target = ''
+    @policy.each_line {|s|
+      target = s.strip if s.match(/^\s*#{key}\s*=\s*(.*)\b/)
+    }
+    # extract variable value
+    result = target.match(/[=]{1}\s*(?<value>.*)/)
+    if !result.nil?
+      val = result[:value]
+      val = val.to_i if val.match(/^\d+$/)
+    else
+      # TODO: we may need to return skip or failure if the
+      # requested value is not available
+      val = nil
+    end
+    val
+  end
+  def to_s
+    'Security Policy'
+  end
+end

data/lib/resources/service.rb ADDED Viewed

@@ -0,0 +1,379 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+# author: Dominik Richter
+# license: All rights reserved
+# Usage:
+# describe service('dhcp') do
+#   it { should be_enabled }
+#   it { should be_installed }
+#   it { should be_running }
+# end
+#
+# We detect the init system for each operating system, based on the operating
+# system.
+#
+# Fedora 15 : systemd
+# RedHat 7 : systemd
+# Ubuntu 15.04 : systemd
+# Ubuntu < 15.04 : upstart
+#
+# TODO: extend the logic to detect the running init system, independently of OS
+class Service < Inspec.resource(1)
+  name 'service'
+  def initialize(service_name)
+    @service_name = service_name
+    @service_mgmt = nil
+    @cache = nil
+    select_package_manager
+  end
+  def select_package_manager # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+    family = inspec.os[:family]
+    case family
+    # Ubuntu
+    # @see: https://wiki.ubuntu.com/SystemdForUpstartUsers
+    # Ubuntu 15.04 : Systemd
+    #   Systemd runs with PID 1 as /sbin/init.
+    #   Upstart runs with PID 1 as /sbin/upstart.
+    # Ubuntu < 15.04 : Upstart
+    # Upstart runs with PID 1 as /sbin/init.
+    # Systemd runs with PID 1 as /lib/systemd/systemd.
+    when 'ubuntu'
+      version = inspec.os[:release].to_f
+      if version < 15.04
+        @service_mgmt = Upstart.new(inspec)
+      else
+        @service_mgmt = Systemd.new(inspec)
+      end
+    when 'debian'
+      version = inspec.os[:release].to_i
+      if version > 7
+        @service_mgmt = Systemd.new(inspec)
+      else
+        @service_mgmt = SysV.new(inspec)
+      end
+    when 'redhat', 'fedora', 'centos'
+      version = inspec.os[:release].to_i
+      if (%w{ redhat centos }.include?(family) && version >= 7) || (family == 'fedora' && version >= 15)
+        @service_mgmt = Systemd.new(inspec)
+      else
+        @service_mgmt = SysV.new(inspec)
+      end
+    when 'darwin'
+      @service_mgmt = LaunchCtl.new(inspec)
+    when 'windows'
+      @service_mgmt = WindowsSrv.new(inspec)
+    when 'freebsd'
+      @service_mgmt = BSDInit.new(inspec)
+    when 'arch', 'opensuse'
+      @service_mgmt = Systemd.new(inspec)
+    end
+    return skip_resource 'The `service` resource is not supported on your OS yet.' if @service_mgmt.nil?
+  end
+  def info
+    return @cache if !@cache.nil?
+    return nil if @service_mgmt.nil?
+    @cache = @service_mgmt.info(@service_name)
+  end
+  # verifies the service is enabled
+  def enabled?(_level = nil)
+    return false if info.nil?
+    info[:enabled]
+  end
+  # verifies the service is registered
+  def installed?(_name = nil, _version = nil)
+    return false if info.nil?
+    info[:installed]
+  end
+  # verifies the service is currently running
+  def running?(_under = nil)
+    return false if info.nil?
+    info[:running]
+  end
+  def to_s
+    "Service #{@service_name}"
+  end
+end
+class ServiceManager
+  attr_reader :inspec
+  def initialize(inspec)
+    @inspec = inspec
+  end
+end
+# @see: http://www.freedesktop.org/software/systemd/man/systemctl.html
+# @see: http://www.freedesktop.org/software/systemd/man/systemd-system.conf.html
+class Systemd < ServiceManager
+  def info(service_name)
+    cmd = inspec.command("systemctl show --all #{service_name}")
+    return nil if cmd.exit_status.to_i != 0
+    # parse data
+    params = SimpleConfig.new(
+      cmd.stdout.chomp,
+      assignment_re: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/,
+      multiple_values: false,
+    ).params
+    # LoadState values eg. loaded, not-found
+    params['LoadState'] == 'loaded' ? (installed = true) : (installed = false)
+    # test via 'systemctl is-active service'
+    # SubState values running
+    params['SubState'] == 'running' ? (running = true) : (running = false)
+    # test via systemctl --quiet is-enabled
+    # ActiveState values eg.g inactive, active
+    params['ActiveState'] == 'active' ? (enabled = true) : (enabled = false)
+    {
+      name: params['Id'],
+      description: params['Description'],
+      installed: installed,
+      running: running,
+      enabled: enabled,
+      type: 'systemd',
+    }
+  end
+end
+# @see: http://upstart.ubuntu.com
+class Upstart < ServiceManager
+  def info(service_name)
+    # get the status of upstart service
+    cmd = inspec.command("initctl status #{service_name}")
+    return nil if cmd.exit_status != 0
+    # @see: http://upstart.ubuntu.com/cookbook/#job-states
+    # grep for running to indicate the service is there
+    match_running = /running/.match(cmd.stdout)
+    !match_running.nil? ? (running = true) : (running = false)
+    # check if a service is enabled
+    # http://upstart.ubuntu.com/cookbook/#determine-if-a-job-is-disabled
+    # $ initctl show-config $job | grep -q "^  start on" && echo enabled || echo disabled
+    # Ubuntu 10.04 show-config is not supported
+    # @see http://manpages.ubuntu.com/manpages/maverick/man8/initctl.8.html
+    config = inspec.command("initctl show-config #{service_name}")
+    match_enabled = /^\s*start on/.match(config.stdout)
+    !match_enabled.nil? ? (enabled = true) : (enabled = false)
+    # implement fallback for Ubuntu 10.04
+    if inspec.os[:family] == 'ubuntu' &&
+       inspec.os[:release].to_f >= 10.04 &&
+       inspec.os[:release].to_f < 12.04 &&
+       cmd.exit_status == 0
+      enabled = true
+    end
+    {
+      name: service_name,
+      description: nil,
+      installed: true,
+      running: running,
+      enabled: enabled,
+      type: 'upstart',
+    }
+  end
+end
+class SysV < ServiceManager
+  def info(service_name)
+    # check if service is installed
+    # read all available services via ls /etc/init.d/
+    srvlist = inspec.command('ls -1 /etc/init.d/')
+    return nil if srvlist.exit_status != 0
+    # check if the service is in list
+    service = srvlist.stdout.split("\n").select { |srv| srv == service_name }
+    # abort if we could not find any service
+    return nil if service.empty?
+    # read all enabled services from runlevel
+    # on rhel via: 'chkconfig --list', is not installed by default
+    # bash: for i in `find /etc/rc*.d -name S*`; do basename $i | sed -r 's/^S[0-9]+//'; done | sort | uniq
+    enabled_services_cmd = inspec.command('find /etc/rc*.d -name S*')
+    enabled_services = enabled_services_cmd.stdout.split("\n").select { |line|
+      /(^.*#{service_name}.*)/.match(line)
+    }
+    enabled_services.empty? ? enabled = false : enabled = true
+    # check if service is really running
+    # service throws an exit code if the service is not installed or
+    # not enabled
+    # on debian service is located /usr/sbin/service, on centos it is located here /sbin/service
+    service_cmd = 'service'
+    service_cmd = '/usr/sbin/service' if inspec.os[:family] == 'debian'
+    service_cmd = '/sbin/service' if inspec.os[:family] == 'centos'
+    cmd = inspec.command("#{service_cmd} #{service_name} status")
+    cmd.exit_status == 0 ? (running = true) : (running = false)
+    {
+      name: service_name,
+      description: nil,
+      installed: true,
+      running: running,
+      enabled: enabled,
+      type: 'sysv',
+    }
+  end
+end
+# @see: https://www.freebsd.org/doc/en/articles/linux-users/startup.html
+# @see: https://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5
+class BSDInit < ServiceManager
+  def info(service_name)
+    # check if service is enabled
+    # services are enabled in /etc/rc.conf and /etc/defaults/rc.conf
+    # via #{service_name}_enable="YES"
+    # service SERVICE status returns the following result if not activated:
+    #   Cannot 'status' sshd. Set sshd_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'.
+    # gather all enabled services
+    cmd = inspec.command('service -e')
+    return nil if cmd.exit_status != 0
+    # search for the service
+    srv = /(^.*#{service_name}$)/.match(cmd.stdout)
+    return nil if srv.nil? || srv[0].nil?
+    enabled = true
+    # check if the service is running
+    # if the service is not available or not running, we always get an error code
+    cmd = inspec.command("service #{service_name} onestatus")
+    cmd.exit_status == 0 ? (running = true) : (running = false)
+    {
+      name: service_name,
+      description: nil,
+      installed: true,
+      running: running,
+      enabled: enabled,
+      type: 'bsd-init',
+    }
+  end
+end
+# MacOS / Darwin
+# new launctl on macos 10.10
+class LaunchCtl < ServiceManager
+  def info(service_name)
+    # get the status of upstart service
+    cmd = inspec.command('launchctl list')
+    return nil if cmd.exit_status != 0
+    # search for the service
+    srv = /(^.*#{service_name}.*)/.match(cmd.stdout)
+    return nil if srv.nil? || srv[0].nil?
+    # extract values from service
+    parsed_srv = /^([0-9]+)\s*(\w*)\s*(\S*)/.match(srv[0])
+    !parsed_srv.nil? ? (enabled = true) : (enabled = false)
+    # check if the service is running
+    pid = parsed_srv[0]
+    !pid.nil? ? (running = true) : (running = false)
+    # extract service label
+    srv = parsed_srv[3] || service_name
+    {
+      name: srv,
+      description: nil,
+      installed: true,
+      running: running,
+      enabled: enabled,
+      type: 'darwin',
+    }
+  end
+end
+# Determine the service state from Windows
+# Uses Powershell to retrieve the information
+class WindowsSrv < ServiceManager
+  # Determine service details
+  # PS: Get-Service -Name 'dhcp'| Select-Object -Property Name, DisplayName, Status | ConvertTo-Json
+  # {
+  #     "Name":  "dhcp",
+  #     "DisplayName":  "DHCP Client",
+  #     "Status":  4
+  # }
+  #
+  # Until StartMode is not added to Get-Service, we need to do a workaround
+  # @see: https://connect.microsoft.com/PowerShell/feedback/details/424948/i-would-like-to-see-the-property-starttype-added-to-get-services
+  # Use the following powershell to determine the start mode
+  # PS: Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -eq $name -or $_.DisplayName -eq $name} | Select-Object -Prop
+  # erty Name, StartMode, State, Status | ConvertTo-Json
+  # {
+  #     "Name":  "Dhcp",
+  #     "StartMode":  "Auto",
+  #     "State":  "Running",
+  #     "Status":  "OK"
+  # }
+  #
+  # Windows Services have the following status code:
+  # @see: https://msdn.microsoft.com/en-us/library/windows/desktop/ms685996(v=vs.85).aspx
+  # - 1: Stopped
+  # - 2: Starting
+  # - 3: Stopping
+  # - 4: Running
+  # - 5: Continue Pending
+  # - 6: Pause Pending
+  # - 7: Paused
+  def info(service_name)
+    cmd = inspec.command("New-Object -Type PSObject | Add-Member -MemberType NoteProperty -Name Service -Value (Get-Service -Name #{service_name}| Select-Object -Property Name, DisplayName, Status) -PassThru | Add-Member -MemberType NoteProperty -Name WMI -Value (Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -eq '#{service_name}' -or $_.DisplayName -eq '#{service_name}'} | Select-Object -Property StartMode) -PassThru | ConvertTo-Json")
+    # cannot rely on exit code for now, successful command returns exit code 1
+    # return nil if cmd.exit_status != 0
+    # try to parse json
+    begin
+      service = JSON.parse(cmd.stdout)
+    rescue JSON::ParserError => _e
+      return nil
+    end
+    # check that we got a response
+    return nil if service.nil? || service['Service'].nil?
+    {
+      name: service['Service']['Name'],
+      description: service['Service']['DisplayName'],
+      installed: true,
+      running: service_running?(service),
+      enabled: service_enabled?(service),
+      type: 'windows',
+    }
+  end
+  private
+  # detect if service is enabled
+  def service_enabled?(service)
+    if !service['WMI'].nil? &&
+       !service['WMI']['StartMode'].nil? &&
+       service['WMI']['StartMode'] == 'Auto'
+      true
+    else
+      false
+    end
+  end
+  # detect if service is running
+  def service_running?(service)
+    if !service['Service']['Status'].nil? &&
+       service['Service']['Status'] == 4
+      true
+    else
+      false
+    end
+  end
+end