inspec 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (247) hide show
  1. checksums.yaml +7 -0
  2. data/.gitignore +8 -0
  3. data/.rubocop.yml +65 -0
  4. data/.travis.yml +23 -0
  5. data/CHANGELOG.md +38 -0
  6. data/Gemfile +33 -0
  7. data/LICENSE +201 -0
  8. data/MAINTAINERS.md +28 -0
  9. data/MAINTAINERS.toml +42 -0
  10. data/README.md +257 -0
  11. data/Rakefile +47 -0
  12. data/bin/inspec +109 -0
  13. data/docs/ctl_inspec.rst +195 -0
  14. data/docs/dsl_inspec.rst +182 -0
  15. data/docs/readme.rst +100 -0
  16. data/docs/resources.rst +4319 -0
  17. data/docs/template.rst +51 -0
  18. data/examples/test-kitchen/.kitchen.yml +20 -0
  19. data/examples/test-kitchen/Berksfile +3 -0
  20. data/examples/test-kitchen/Gemfile +21 -0
  21. data/examples/test-kitchen/README.md +27 -0
  22. data/examples/test-kitchen/metadata.rb +7 -0
  23. data/examples/test-kitchen/recipes/default.rb +6 -0
  24. data/examples/test-kitchen/recipes/nginx.rb +30 -0
  25. data/examples/test-kitchen/test/integration/default/web_spec.rb +28 -0
  26. data/inspec.gemspec +30 -0
  27. data/lib/inspec.rb +20 -0
  28. data/lib/inspec/backend.rb +42 -0
  29. data/lib/inspec/dsl.rb +151 -0
  30. data/lib/inspec/log.rb +34 -0
  31. data/lib/inspec/metadata.rb +79 -0
  32. data/lib/inspec/plugins.rb +9 -0
  33. data/lib/inspec/plugins/resource.rb +62 -0
  34. data/lib/inspec/profile.rb +138 -0
  35. data/lib/inspec/profile_context.rb +170 -0
  36. data/lib/inspec/resource.rb +76 -0
  37. data/lib/inspec/rspec_json_formatter.rb +27 -0
  38. data/lib/inspec/rule.rb +170 -0
  39. data/lib/inspec/runner.rb +154 -0
  40. data/lib/inspec/shell.rb +66 -0
  41. data/lib/inspec/targets.rb +9 -0
  42. data/lib/inspec/targets/core.rb +27 -0
  43. data/lib/inspec/targets/dir.rb +67 -0
  44. data/lib/inspec/targets/file.rb +29 -0
  45. data/lib/inspec/targets/folder.rb +43 -0
  46. data/lib/inspec/targets/tar.rb +34 -0
  47. data/lib/inspec/targets/url.rb +39 -0
  48. data/lib/inspec/targets/zip.rb +47 -0
  49. data/lib/inspec/version.rb +7 -0
  50. data/lib/matchers/matchers.rb +221 -0
  51. data/lib/resources/apache.rb +29 -0
  52. data/lib/resources/apache_conf.rb +113 -0
  53. data/lib/resources/apt.rb +140 -0
  54. data/lib/resources/audit_policy.rb +63 -0
  55. data/lib/resources/auditd_conf.rb +56 -0
  56. data/lib/resources/auditd_rules.rb +53 -0
  57. data/lib/resources/bond.rb +65 -0
  58. data/lib/resources/bridge.rb +114 -0
  59. data/lib/resources/command.rb +57 -0
  60. data/lib/resources/csv.rb +32 -0
  61. data/lib/resources/directory.rb +15 -0
  62. data/lib/resources/etc_group.rb +150 -0
  63. data/lib/resources/file.rb +110 -0
  64. data/lib/resources/gem.rb +46 -0
  65. data/lib/resources/group.rb +132 -0
  66. data/lib/resources/host.rb +143 -0
  67. data/lib/resources/inetd_conf.rb +56 -0
  68. data/lib/resources/interface.rb +127 -0
  69. data/lib/resources/iptables.rb +65 -0
  70. data/lib/resources/json.rb +64 -0
  71. data/lib/resources/kernel_module.rb +40 -0
  72. data/lib/resources/kernel_parameter.rb +55 -0
  73. data/lib/resources/limits_conf.rb +55 -0
  74. data/lib/resources/login_def.rb +60 -0
  75. data/lib/resources/mysql.rb +81 -0
  76. data/lib/resources/mysql_conf.rb +116 -0
  77. data/lib/resources/mysql_session.rb +52 -0
  78. data/lib/resources/npm.rb +44 -0
  79. data/lib/resources/ntp_conf.rb +58 -0
  80. data/lib/resources/oneget.rb +63 -0
  81. data/lib/resources/os.rb +22 -0
  82. data/lib/resources/os_env.rb +34 -0
  83. data/lib/resources/package.rb +169 -0
  84. data/lib/resources/parse_config.rb +75 -0
  85. data/lib/resources/passwd.rb +93 -0
  86. data/lib/resources/pip.rb +75 -0
  87. data/lib/resources/port.rb +296 -0
  88. data/lib/resources/postgres.rb +37 -0
  89. data/lib/resources/postgres_conf.rb +87 -0
  90. data/lib/resources/postgres_session.rb +59 -0
  91. data/lib/resources/processes.rb +57 -0
  92. data/lib/resources/registry_key.rb +54 -0
  93. data/lib/resources/script.rb +34 -0
  94. data/lib/resources/security_policy.rb +73 -0
  95. data/lib/resources/service.rb +379 -0
  96. data/lib/resources/ssh_conf.rb +75 -0
  97. data/lib/resources/user.rb +374 -0
  98. data/lib/resources/windows_feature.rb +77 -0
  99. data/lib/resources/yaml.rb +23 -0
  100. data/lib/resources/yum.rb +154 -0
  101. data/lib/utils/convert.rb +12 -0
  102. data/lib/utils/detect.rb +15 -0
  103. data/lib/utils/find_files.rb +36 -0
  104. data/lib/utils/hash.rb +13 -0
  105. data/lib/utils/modulator.rb +12 -0
  106. data/lib/utils/parser.rb +61 -0
  107. data/lib/utils/simpleconfig.rb +115 -0
  108. data/tasks/maintainers.rb +213 -0
  109. data/test/docker_run.rb +156 -0
  110. data/test/docker_test.rb +51 -0
  111. data/test/helper.rb +200 -0
  112. data/test/integration/.kitchen.yml +42 -0
  113. data/test/integration/Berksfile +4 -0
  114. data/test/integration/cookbooks/os_prepare/metadata.rb +8 -0
  115. data/test/integration/cookbooks/os_prepare/recipes/apt.rb +20 -0
  116. data/test/integration/cookbooks/os_prepare/recipes/default.rb +9 -0
  117. data/test/integration/cookbooks/os_prepare/recipes/file.rb +21 -0
  118. data/test/integration/cookbooks/os_prepare/recipes/package.rb +26 -0
  119. data/test/integration/default/_debug_spec.rb +1 -0
  120. data/test/integration/default/apt_spec.rb +42 -0
  121. data/test/integration/default/file_spec.rb +109 -0
  122. data/test/integration/default/group_spec.rb +32 -0
  123. data/test/integration/default/kernel_module_spec.rb +17 -0
  124. data/test/integration/default/kernel_parameter_spec.rb +56 -0
  125. data/test/integration/default/package_spec.rb +11 -0
  126. data/test/integration/default/service_spec.rb +28 -0
  127. data/test/integration/default/user_spec.rb +44 -0
  128. data/test/resource/command_test.rb +33 -0
  129. data/test/resource/dsl_test.rb +45 -0
  130. data/test/resource/file_test.rb +130 -0
  131. data/test/resource/ssh_config.rb +9 -0
  132. data/test/resource/sshd_config.rb +9 -0
  133. data/test/test-extra.yaml +11 -0
  134. data/test/test.yaml +11 -0
  135. data/test/unit/mock/cmd/Get-NetAdapter +24 -0
  136. data/test/unit/mock/cmd/GetUserAccount +33 -0
  137. data/test/unit/mock/cmd/GetWin32Group +23 -0
  138. data/test/unit/mock/cmd/PATH +1 -0
  139. data/test/unit/mock/cmd/Resolve-DnsName +26 -0
  140. data/test/unit/mock/cmd/Test-NetConnection +4 -0
  141. data/test/unit/mock/cmd/auditctl +7 -0
  142. data/test/unit/mock/cmd/auditpol +2 -0
  143. data/test/unit/mock/cmd/brew-info-jq +1 -0
  144. data/test/unit/mock/cmd/chage-l-root +7 -0
  145. data/test/unit/mock/cmd/dpkg-s-curl +21 -0
  146. data/test/unit/mock/cmd/dscl +5 -0
  147. data/test/unit/mock/cmd/etc-apt +7 -0
  148. data/test/unit/mock/cmd/find-etc-rc-d-name-S +12 -0
  149. data/test/unit/mock/cmd/find-net-interface +9 -0
  150. data/test/unit/mock/cmd/gem-list-local-a-q-rubocop +1 -0
  151. data/test/unit/mock/cmd/get-net-tcpconnection +24 -0
  152. data/test/unit/mock/cmd/get-netadapter-binding-bridge +4 -0
  153. data/test/unit/mock/cmd/get-package-firefox +30 -0
  154. data/test/unit/mock/cmd/get-package-ruby +18 -0
  155. data/test/unit/mock/cmd/get-service-dhcp +10 -0
  156. data/test/unit/mock/cmd/get-windows-feature +7 -0
  157. data/test/unit/mock/cmd/getent-hosts-example.com +1 -0
  158. data/test/unit/mock/cmd/getent-passwd-root +1 -0
  159. data/test/unit/mock/cmd/id-chartmann +1 -0
  160. data/test/unit/mock/cmd/id-root +1 -0
  161. data/test/unit/mock/cmd/initctl-show-config-ssh +3 -0
  162. data/test/unit/mock/cmd/initctl-status-ssh +1 -0
  163. data/test/unit/mock/cmd/iptables-s +6 -0
  164. data/test/unit/mock/cmd/launchctl-list +3 -0
  165. data/test/unit/mock/cmd/ls-1-etc-init.d +2 -0
  166. data/test/unit/mock/cmd/ls-sys-class-net-br +2 -0
  167. data/test/unit/mock/cmd/lsmod +2 -0
  168. data/test/unit/mock/cmd/lsof-np-itcp +4 -0
  169. data/test/unit/mock/cmd/netstat-tulpen +5 -0
  170. data/test/unit/mock/cmd/npm-ls-g--json-bower +9 -0
  171. data/test/unit/mock/cmd/pacman-qi-curl +21 -0
  172. data/test/unit/mock/cmd/ping-example.com +6 -0
  173. data/test/unit/mock/cmd/pip-show-jinja2 +11 -0
  174. data/test/unit/mock/cmd/ps-aux +3 -0
  175. data/test/unit/mock/cmd/pw-usershow-root-7 +1 -0
  176. data/test/unit/mock/cmd/reg_schedule +1 -0
  177. data/test/unit/mock/cmd/rpm-qia-curl +24 -0
  178. data/test/unit/mock/cmd/sbin_sysctl +1 -0
  179. data/test/unit/mock/cmd/secedit-export +7 -0
  180. data/test/unit/mock/cmd/service-e +2 -0
  181. data/test/unit/mock/cmd/service-sendmail-onestatus +3 -0
  182. data/test/unit/mock/cmd/service-sshd-status +1 -0
  183. data/test/unit/mock/cmd/sockstat +5 -0
  184. data/test/unit/mock/cmd/success +0 -0
  185. data/test/unit/mock/cmd/systemctl-show-all-sshd +6 -0
  186. data/test/unit/mock/cmd/win32_product +8 -0
  187. data/test/unit/mock/cmd/yum-repolist-all +52 -0
  188. data/test/unit/mock/files/auditd.conf +4 -0
  189. data/test/unit/mock/files/bond0 +37 -0
  190. data/test/unit/mock/files/etcgroup +3 -0
  191. data/test/unit/mock/files/example.csv +6 -0
  192. data/test/unit/mock/files/inetd.conf +2 -0
  193. data/test/unit/mock/files/kitchen.yml +7 -0
  194. data/test/unit/mock/files/limits.conf +5 -0
  195. data/test/unit/mock/files/login.defs +5 -0
  196. data/test/unit/mock/files/mysql.conf +8 -0
  197. data/test/unit/mock/files/mysql2.conf +2 -0
  198. data/test/unit/mock/files/ntp.conf +5 -0
  199. data/test/unit/mock/files/passwd +2 -0
  200. data/test/unit/mock/files/policyfile.lock.json +12 -0
  201. data/test/unit/mock/files/ssh_config +5 -0
  202. data/test/unit/mock/files/sshd_config +7 -0
  203. data/test/unit/mock/profiles/empty/metadata.rb +0 -0
  204. data/test/unit/mock/profiles/metadata/metadata.rb +1 -0
  205. data/test/unit/profile_context_test.rb +140 -0
  206. data/test/unit/profile_test.rb +49 -0
  207. data/test/unit/resources/apt_test.rb +46 -0
  208. data/test/unit/resources/audit_policy_test.rb +13 -0
  209. data/test/unit/resources/auditd_conf_test.rb +15 -0
  210. data/test/unit/resources/auditd_rules_test.rb +21 -0
  211. data/test/unit/resources/bond_test.rb +24 -0
  212. data/test/unit/resources/bridge_test.rb +56 -0
  213. data/test/unit/resources/csv_test.rb +35 -0
  214. data/test/unit/resources/etc_group_test.rb +37 -0
  215. data/test/unit/resources/gem_test.rb +20 -0
  216. data/test/unit/resources/group_test.rb +96 -0
  217. data/test/unit/resources/host_test.rb +38 -0
  218. data/test/unit/resources/inetd_conf_test.rb +15 -0
  219. data/test/unit/resources/interface_test.rb +54 -0
  220. data/test/unit/resources/iptables_test.rb +30 -0
  221. data/test/unit/resources/json_test.rb +36 -0
  222. data/test/unit/resources/kernel_module_test.rb +23 -0
  223. data/test/unit/resources/kernel_parameter_test.rb +13 -0
  224. data/test/unit/resources/limits_conf_test.rb +14 -0
  225. data/test/unit/resources/login_def_test.rb +16 -0
  226. data/test/unit/resources/mysql_conf_test.rb +14 -0
  227. data/test/unit/resources/npm_test.rb +20 -0
  228. data/test/unit/resources/ntp_conf_test.rb +16 -0
  229. data/test/unit/resources/oneget_test.rb +45 -0
  230. data/test/unit/resources/os_env_test.rb +13 -0
  231. data/test/unit/resources/package_test.rb +51 -0
  232. data/test/unit/resources/passwd_test.rb +24 -0
  233. data/test/unit/resources/pip_test.rb +15 -0
  234. data/test/unit/resources/port_test.rb +46 -0
  235. data/test/unit/resources/processes_test.rb +32 -0
  236. data/test/unit/resources/registry_key_test.rb +19 -0
  237. data/test/unit/resources/script_test.rb +19 -0
  238. data/test/unit/resources/security_policy_test.rb +16 -0
  239. data/test/unit/resources/service_test.rb +116 -0
  240. data/test/unit/resources/ssh_conf_test.rb +33 -0
  241. data/test/unit/resources/user_test.rb +93 -0
  242. data/test/unit/resources/windows_feature.rb +17 -0
  243. data/test/unit/resources/yaml_test.rb +34 -0
  244. data/test/unit/resources/yum_test.rb +68 -0
  245. data/test/unit/simpleconfig_test.rb +80 -0
  246. data/test/unit/utils/content_parser_test.rb +30 -0
  247. metadata +555 -0
@@ -0,0 +1,29 @@
1
+ # encoding: utf-8
2
+ # copyright: 2015, Vulcano Security GmbH
3
+ # author: Christoph Hartmann
4
+ # author: Dominik Richter
5
+ # license: All rights reserved
6
+
7
+ class Apache < Inspec.resource(1)
8
+ name 'apache'
9
+
10
+ attr_reader :service, :conf_dir, :conf_path, :user
11
+ def initialize
12
+ case inspec.os[:family]
13
+ when 'ubuntu', 'debian'
14
+ @service = 'apache2'
15
+ @conf_dir = '/etc/apache2/'
16
+ @conf_path = File.join @conf_dir, 'apache2.conf'
17
+ @user = 'www-data'
18
+ else
19
+ @service = 'httpd'
20
+ @conf_dir = '/etc/httpd/'
21
+ @conf_path = File.join @conf_dir, '/conf/httpd.conf'
22
+ @user = 'apache'
23
+ end
24
+ end
25
+
26
+ def to_s
27
+ 'Apache Environment'
28
+ end
29
+ end
@@ -0,0 +1,113 @@
1
+ # encoding: utf-8
2
+ # copyright: 2015, Vulcano Security GmbH
3
+ # author: Dominik Richter
4
+ # author: Christoph Hartmann
5
+ # license: All rights reserved
6
+
7
+ require 'utils/simpleconfig'
8
+ require 'utils/find_files'
9
+
10
+ class ApacheConf < Inspec.resource(1)
11
+ name 'apache_conf'
12
+
13
+ include FindFiles
14
+
15
+ def initialize(conf_path = nil)
16
+ @conf_path = conf_path || inspec.apache.conf_path
17
+ @conf_dir = File.dirname(@conf_path)
18
+ @files_contents = {}
19
+ @content = nil
20
+ @params = nil
21
+ read_content
22
+ end
23
+
24
+ def content
25
+ @content ||= read_content
26
+ end
27
+
28
+ def params(*opts)
29
+ @params || read_content
30
+ res = @params
31
+ opts.each do |opt|
32
+ res = res[opt] unless res.nil?
33
+ end
34
+ res
35
+ end
36
+
37
+ def filter_comments(data)
38
+ content = ''
39
+ data.each_line do |line|
40
+ if !line.match(/^\s*#/)
41
+ content << line
42
+ end
43
+ end
44
+ content
45
+ end
46
+
47
+ def read_content
48
+ @content = ''
49
+ @params = {}
50
+
51
+ # skip if the main configuration file doesn't exist
52
+ file = inspec.file(@conf_path)
53
+ if !file.file?
54
+ return skip_resource "Can't find file \"#{@conf_path}\""
55
+ end
56
+
57
+ raw_conf = file.content
58
+ if raw_conf.empty? && file.size > 0
59
+ return skip_resource("Can't read file \"#{@conf_path}\"")
60
+ end
61
+
62
+ to_read = [@conf_path]
63
+ until to_read.empty?
64
+ raw_conf = read_file(to_read[0])
65
+ @content += raw_conf
66
+
67
+ # parse include file parameters
68
+ params = SimpleConfig.new(
69
+ raw_conf,
70
+ assignment_re: /^\s*(\S+)\s+(.*)\s*$/,
71
+ multiple_values: true,
72
+ ).params
73
+ @params.merge!(params)
74
+
75
+ to_read = to_read.drop(1)
76
+ to_read += include_files(params).find_all do |fp|
77
+ not @files_contents.key? fp
78
+ end
79
+ end
80
+
81
+ # fiter comments
82
+ @content = filter_comments @content
83
+ @content
84
+ end
85
+
86
+ def include_files(params)
87
+ # see if there is more config files to include
88
+ include_files = params['Include'] || []
89
+ include_files_optional = params['IncludeOptional'] || []
90
+
91
+ required = []
92
+ include_files.each do |f|
93
+ id = File.join(@conf_dir, f)
94
+ required.push(find_files(id, depth: 1, type: 'file'))
95
+ end
96
+
97
+ optional = []
98
+ include_files_optional.each do |f|
99
+ id = File.join(@conf_dir, f)
100
+ optional.push(find_files(id, depth: 1, type: 'file'))
101
+ end
102
+
103
+ required.flatten! + optional.flatten!
104
+ end
105
+
106
+ def read_file(path)
107
+ @files_contents[path] ||= inspec.file(path).content
108
+ end
109
+
110
+ def to_s
111
+ "Apache Config #{@conf_path}"
112
+ end
113
+ end
@@ -0,0 +1,140 @@
1
+ # encoding: utf-8
2
+ # author: Christoph Hartmann
3
+ # author: Dominik Richter
4
+
5
+ # Verifies apt and ppa repositories
6
+ #
7
+ # Usage:
8
+ # describe apt('ubuntu-wine/ppa') do
9
+ # it { should exist }
10
+ # it { should be_enabled }
11
+ # end
12
+ #
13
+ # it also understands a ppa url
14
+ # describe apt('ppa:ubuntu-wine/ppa') do
15
+ # it { should exist }
16
+ # it { should be_enabled }
17
+ # end
18
+ #
19
+ # The following ppa formats are supported:
20
+ # - ubuntu-wine/ppa
21
+ # - ppa:ubuntu-wine/ppa
22
+ # - http://ppa.launchpad.net/juju/stable/ubuntu
23
+ #
24
+ # Install a ppa as following:
25
+ # apt-get install python-software-properties
26
+ # apt-get install software-properties-common
27
+ # add-apt-repository ppa:ubuntu-wine/ppa
28
+
29
+ require 'uri'
30
+
31
+ class AptRepository < Inspec.resource(1)
32
+ name 'apt'
33
+
34
+ def initialize(ppa_name)
35
+ @deb_url = nil
36
+ # check if the os is ubuntu or debian
37
+ if inspec.os.debian?
38
+ @deb_url = determine_ppa_url(ppa_name)
39
+ else
40
+ # this resource is only supported on ubuntu and debian
41
+ skip_resource 'The `apt` resource is not supported on your OS yet.'
42
+ end
43
+ end
44
+
45
+ def exists?
46
+ find_repo.count > 0
47
+ end
48
+
49
+ def enabled?
50
+ return false if find_repo.count == 0
51
+ actives = find_repo.map { |repo| repo[:active] }
52
+ actives = actives.uniq
53
+ actives.size == 1 && actives[0] = true
54
+ end
55
+
56
+ def to_s
57
+ "Apt Repository #{@deb_url}"
58
+ end
59
+
60
+ private
61
+
62
+ def find_repo
63
+ read_debs.select { |repo| repo[:url] == @deb_url && repo[:type] == 'deb' }
64
+ end
65
+
66
+ HTTP_URL_RE = /\A#{URI::DEFAULT_PARSER.make_regexp(%w{http https})}\z/
67
+
68
+ # read
69
+ def read_debs
70
+ return @repo_cache if defined?(@repo_cache)
71
+
72
+ # load all lists
73
+ cmd = inspec.command("find /etc/apt/ -name \*.list -exec sh -c 'cat {} || echo -n' \\;")
74
+
75
+ # @see https://help.ubuntu.com/community/Repositories/CommandLine#Explanation_of_the_Repository_Format
76
+ @repo_cache = cmd.stdout.chomp.split("\n").each_with_object([]) do |raw_line, lines|
77
+ active = true
78
+
79
+ # detect if the repo is commented out
80
+ line = raw_line.gsub(/^(#\s*)*/, '')
81
+ active = false if raw_line != line
82
+
83
+ # eg.: deb http://archive.ubuntu.com/ubuntu/ wily main restricted
84
+ parse_repo = /^\s*(\S+)\s+"?([^ "\t\r\n\f]+)"?\s+(\S+)\s+(.*)$/.match(line)
85
+
86
+ # check if we got any result and the second param is an url
87
+ next if parse_repo.nil? || !parse_repo[2] =~ HTTP_URL_RE
88
+
89
+ # map data
90
+ repo = {
91
+ type: parse_repo[1],
92
+ url: parse_repo[2],
93
+ distro: parse_repo[3],
94
+ components: parse_repo[4].chomp.split(' '),
95
+ active: active,
96
+ }
97
+ next unless ['deb', 'deb-src'].include? repo[:type]
98
+
99
+ lines.push(repo)
100
+ end
101
+ end
102
+
103
+ # resolves ppa urls
104
+ # @see http://bazaar.launchpad.net/~ubuntu-core-dev/software-properties/main/view/head:/softwareproperties/ppa.py
105
+ def determine_ppa_url(ppa_url)
106
+ # verify if we have the url already, then just return
107
+ return ppa_url if ppa_url =~ HTTP_URL_RE
108
+ # otherwise start generating the ppa url
109
+
110
+ # special care if the name stats with :
111
+ ppa_url = ppa_url.split(':')[1] if ppa_url.start_with?('ppa:')
112
+
113
+ # parse ppa owner and repo
114
+ ppa_owner, ppa_repo = ppa_url.split('/')
115
+ ppa_repo = 'ppa' if ppa_repo.nil?
116
+
117
+ # construct new ppa url and return it
118
+ format('http://ppa.launchpad.net/%s/%s/ubuntu', ppa_owner, ppa_repo)
119
+ end
120
+ end
121
+
122
+ # for compatability with serverspec
123
+ # this is deprecated syntax and will be removed in future versions
124
+ class PpaRepository < AptRepository
125
+ name 'ppa'
126
+
127
+ def exists?
128
+ deprecated
129
+ super()
130
+ end
131
+
132
+ def enabled?
133
+ deprecated
134
+ super()
135
+ end
136
+
137
+ def deprecated
138
+ warn '[DEPRECATION] `ppa(reponame)` is deprecated. Please use `apt(reponame)` instead.'
139
+ end
140
+ end
@@ -0,0 +1,63 @@
1
+ # encoding: utf-8
2
+ # copyright: 2015, Vulcano Security GmbH
3
+ # author: Christoph Hartmann
4
+ # author: Dominik Richter
5
+ # license: All rights reserved
6
+
7
+ # Advanced Auditing:
8
+ # As soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored.
9
+ # reference: https://technet.microsoft.com/en-us/library/cc753632.aspx
10
+ # use:
11
+ # - list all categories: Auditpol /list /subcategory:* /r
12
+ # - list parameters: Auditpol /get /category:"System" /subcategory:"IPsec Driver"
13
+ # - list specific parameter: Auditpol /get /subcategory:"IPsec Driver"
14
+ #
15
+ # @link: http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
16
+ #
17
+ # Valid values are:
18
+ #
19
+ # - "No Auditing"
20
+ # - "Not Specified"
21
+ # - "Success"
22
+ # - "Success and Failure"
23
+ # - "Failure"
24
+ #
25
+ # Further information is available at: https://msdn.microsoft.com/en-us/library/dd973859.aspx
26
+ #
27
+ # Usage:
28
+ #
29
+ # describe audit_policy do
30
+ # its('Other Account Logon Events') { should_not eq 'No Auditing' }
31
+ # end
32
+
33
+ class AuditPolicy < Inspec.resource(1)
34
+ name 'audit_policy'
35
+
36
+ def method_missing(method)
37
+ key = method.to_s
38
+
39
+ # expected result:
40
+ # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
41
+ # WIN-MB8NINQ388J,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,
42
+ result ||= inspec.command("Auditpol /get /subcategory:'#{key}' /r").stdout
43
+
44
+ # find line
45
+ target = nil
46
+ result.each_line {|s|
47
+ target = s.strip if s.match(/\b.*#{key}.*\b/)
48
+ }
49
+
50
+ # extract value
51
+ values = nil
52
+ unless target.nil?
53
+ # split csv values and return value
54
+ values = target.split(',')[4]
55
+ end
56
+
57
+ values
58
+ end
59
+
60
+ def to_s
61
+ 'Audit Policy'
62
+ end
63
+ end
@@ -0,0 +1,56 @@
1
+ # encoding: utf-8
2
+ # copyright: 2015, Vulcano Security GmbH
3
+ # author: Christoph Hartmann
4
+ # author: Dominik Richter
5
+ # license: All rights reserved
6
+
7
+ require 'utils/simpleconfig'
8
+
9
+ # Usage:
10
+ # describe audit_daemon_conf do
11
+ # its("space_left_action") { should eq "email" }
12
+ # its("action_mail_acct") { should eq "root" }
13
+ # its("admin_space_left_action") { should eq "halt" }
14
+ # end
15
+
16
+ class AuditDaemonConf < Inspec.resource(1)
17
+ name 'auditd_conf'
18
+
19
+ def initialize(path = nil)
20
+ @conf_path = path || '/etc/audit/auditd.conf'
21
+ end
22
+
23
+ def method_missing(name)
24
+ read_params[name.to_s]
25
+ end
26
+
27
+ def to_s
28
+ 'Audit Daemon Config'
29
+ end
30
+
31
+ private
32
+
33
+ def read_params
34
+ return @params if defined?(@params)
35
+
36
+ # read the file
37
+ file = inspec.file(@conf_path)
38
+ if !file.file?
39
+ skip_resource "Can't find file '#{@conf_path}'"
40
+ return @params = {}
41
+ end
42
+
43
+ content = file.content
44
+ if content.empty? && file.size > 0
45
+ skip_resource "Can't read file '#{@conf_path}'"
46
+ return @params = {}
47
+ end
48
+
49
+ # parse the file
50
+ conf = SimpleConfig.new(
51
+ content,
52
+ multiple_values: false,
53
+ )
54
+ @params = conf.params
55
+ end
56
+ end
@@ -0,0 +1,53 @@
1
+ # encoding: utf-8
2
+ # copyright: 2015, Vulcano Security GmbH
3
+ # author: Christoph Hartmann
4
+ # author: Dominik Richter
5
+ # license: All rights reserved
6
+
7
+ # Usage:
8
+ # describe audit_daemon_rules do
9
+ # its("LIST_RULES") {should contain_match(/^exit,always arch=.* key=time-change syscall=adjtimex,settimeofday/) }
10
+ # its("LIST_RULES") {should contain_match(/^exit,always arch=.* key=time-change syscall=stime,settimeofday,adjtimex/) }
11
+ # its("LIST_RULES") {should contain_match(/^exit,always arch=.* key=time-change syscall=clock_settime/)}
12
+ # its("LIST_RULES") {should contain_match(/^exit,always watch=\/etc\/localtime perm=wa key=time-change/)}
13
+ # end
14
+
15
+ class AuditDaemonRules < Inspec.resource(1)
16
+ name 'auditd_rules'
17
+
18
+ def initialize
19
+ @content = inspec.command('/sbin/auditctl -l').stdout.chomp
20
+
21
+ @opts = {
22
+ assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
23
+ multiple_values: true,
24
+ }
25
+ end
26
+
27
+ def params
28
+ @params ||= SimpleConfig.new(@content, @opts).params
29
+ end
30
+
31
+ def method_missing(name)
32
+ params[name.to_s]
33
+ end
34
+
35
+ def status(name)
36
+ @status_opts = {
37
+ assignment_re: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
38
+ multiple_values: false,
39
+ }
40
+ @status_content ||= inspec.command('/sbin/auditctl -s').stdout.chomp
41
+ @status_params = SimpleConfig.new(@status_content, @status_opts).params
42
+
43
+ status = @status_params['AUDIT_STATUS']
44
+ return nil if status.nil?
45
+
46
+ items = Hash[status.scan(/([^=]+)=(\w*)\s*/)]
47
+ items[name]
48
+ end
49
+
50
+ def to_s
51
+ 'Audit Daemon Rules'
52
+ end
53
+ end