inspec 1.29.0 → 1.30.0

data/lib/inspec/profile.rb

@@ -1,5 +1,5 @@
 # encoding: utf-8
-# Copyright 2015 Dominik Richter. All rights reserved.
+# Copyright 2015 Dominik Richter
 # author: Dominik Richter
 # author: Christoph Hartmann
 

data/lib/inspec/resource.rb

@@ -1,6 +1,5 @@
 # encoding: utf-8
 # copyright: 2015, Vulcano Security GmbH
-# license: All rights reserved
 # author: Dominik Richter
 # author: Christoph Hartmann
 require 'inspec/plugins'
@@ -112,6 +111,7 @@ require 'resources/mssql_session'
 require 'resources/mysql'
 require 'resources/mysql_conf'
 require 'resources/mysql_session'
+require 'resources/nginx_conf'
 require 'resources/npm'
 require 'resources/ntp_conf'
 require 'resources/oneget'

data/lib/inspec/rule.rb

@@ -1,6 +1,5 @@
 # encoding: utf-8
 # copyright: 2015, Dominik Richter
-# license: All rights reserved
 # author: Dominik Richter
 # author: Christoph Hartmann
 

data/lib/inspec/runner.rb

@@ -1,6 +1,5 @@
 # encoding: utf-8
 # copyright: 2015, Dominik Richter
-# license: All rights reserved
 # author: Dominik Richter
 # author: Christoph Hartmann
 

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.29.0'.freeze
+  VERSION = '1.30.0'.freeze
 end

data/lib/matchers/matchers.rb

@@ -2,7 +2,6 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Dominik Richter
 # author: Christoph Hartmann
-# license: All rights reserved
 
 RSpec::Matchers.define :be_readable do
   match do |file|

data/lib/resources/apache.rb

@@ -2,7 +2,6 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Christoph Hartmann
 # author: Dominik Richter
-# license: All rights reserved
 
 module Inspec::Resources
   class Apache < Inspec.resource(1)

data/lib/resources/apache_conf.rb

@@ -2,7 +2,6 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Dominik Richter
 # author: Christoph Hartmann
-# license: All rights reserved
 
 require 'utils/simpleconfig'
 require 'utils/find_files'

data/lib/resources/audit_policy.rb

@@ -2,7 +2,6 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Christoph Hartmann
 # author: Dominik Richter
-# license: All rights reserved
 
 # Advanced Auditing:
 # As soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored.

data/lib/resources/auditd_conf.rb

@@ -2,7 +2,6 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Christoph Hartmann
 # author: Dominik Richter
-# license: All rights reserved
 
 require 'utils/simpleconfig'
 

data/lib/resources/auditd_rules.rb

@@ -2,7 +2,6 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Christoph Hartmann
 # author: Dominik Richter
-# license: All rights reserved
 
 require 'forwardable'
 require 'utils/filter_array'

data/lib/resources/command.rb

@@ -2,7 +2,6 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Dominik Richter
 # author: Christoph Hartmann
-# license: All rights reserved
 
 module Inspec::Resources
   class Cmd < Inspec.resource(1)

data/lib/resources/directory.rb

@@ -13,9 +13,13 @@ module Inspec::Resources
         it { should be_directory }
       end
     "
-  end
 
-  def to_s
-    "Directory #{@path}"
+    def exist?
+      file.exist? && file.directory?
+    end
+
+    def to_s
+      "Directory #{source_path}"
+    end
   end
 end

data/lib/resources/docker.rb

@@ -107,7 +107,9 @@ module Inspec::Resources
 
     def version
       return @version if defined?(@version)
-      data = JSON.parse(inspec.command('docker version --format \'{{ json . }}\'').stdout)
+      data = {}
+      cmd = inspec.command('docker version --format \'{{ json . }}\'')
+      data = JSON.parse(cmd.stdout) if cmd.exit_status == 0
       @version = Hashie::Mash.new(data)
     rescue JSON::ParserError => _e
       return Hashie::Mash.new({})
@@ -115,7 +117,10 @@ module Inspec::Resources
 
     def info
       return @info if defined?(@info)
-      data = JSON.parse(inspec.command('docker info --format \'{{ json . }}\'').stdout)
+      data = {}
+      # docke info format is only supported for Docker 17.03+
+      cmd = inspec.command('docker info --format \'{{ json . }}\'')
+      data = JSON.parse(cmd.stdout) if cmd.exit_status == 0
       @info = Hashie::Mash.new(data)
     rescue JSON::ParserError => _e
       return Hashie::Mash.new({})
@@ -138,7 +143,19 @@ module Inspec::Resources
     private
 
     def parse_containers
-      raw_containers = inspec.command('docker ps -a --no-trunc --format \'{{ json . }}\'').stdout
+      # @see https://github.com/moby/moby/issues/20625, works for docker 1.13+
+      # raw_containers = inspec.command('docker ps -a --no-trunc --format \'{{ json . }}\'').stdout
+      # therefore we stick with older approach
+      labels = %w{Command CreatedAt ID Image Labels  Mounts Names Ports RunningFor Size Status}
+
+      # Networks LocalVolumes work with 1.13+ only
+      if !version.empty? && Gem::Version.new(version['Client']['Version']) >= Gem::Version.new('1.13')
+        labels.push('Networks')
+        labels.push('LocalVolumes')
+      end
+      # build command
+      format = labels.map { |label| "\"#{label}\": {{json .#{label}}}" }
+      raw_containers = inspec.command("docker ps -a --no-trunc --format '{#{format.join(', ')}}'").stdout
       ps = []
       # since docker is not outputting valid json, we need to parse each row
       raw_containers.each_line { |entry|
@@ -147,6 +164,9 @@ module Inspec::Resources
         j = j.map { |k, v|
           [k.downcase, v]
         }.to_h
+
+        # ensure all keys are there
+        j = ensure_container_keys(j)
         ps.push(j)
       }
       ps
@@ -155,6 +175,13 @@ module Inspec::Resources
       []
     end
 
+    def ensure_container_keys(entry)
+      %w{Command CreatedAt ID Image Labels  Mounts Names Ports RunningFor Size Status Networks LocalVolumes}.each { |key|
+        entry[key.downcase] = nil if !entry.key?(key.downcase)
+      }
+      entry
+    end
+
     def parse_images
       # docker does not support the `json .` function here, therefore we need to emulate that behavior.
       raw_images = inspec.command('docker images -a --no-trunc --format \'{ "id": {{json .ID}}, "repository": {{json .Repository}}, "tag": {{json .Tag}}, "size": {{json .Size}}, "digest": {{json .Digest}}, "createdat": {{json .CreatedAt}}, "createdsize": {{json .CreatedSince}} }\'').stdout

data/lib/resources/etc_group.rb

@@ -2,7 +2,6 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Christoph Hartmann
 # author: Dominik Richter
-# license: All rights reserved
 
 # The file format consists of
 # - group name

data/lib/resources/file.rb

@@ -2,7 +2,6 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Dominik Richter
 # author: Christoph Hartmann
-# license: All rights reserved
 
 require 'shellwords'
 

data/lib/resources/grub_conf.rb

@@ -1,6 +1,5 @@
 # encoding: utf-8
 # author: Thomas Cate
-# license: All rights reserved
 
 require 'utils/simpleconfig'
 

data/lib/resources/inetd_conf.rb

@@ -2,7 +2,6 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Christoph Hartmann
 # author: Dominik Richter
-# license: All rights reserved
 
 require 'utils/simpleconfig'
 

data/lib/resources/kernel_module.rb

@@ -1,7 +1,6 @@
 # encoding: utf-8
 # author: Christoph Hartmann
 # author: Dominik Richter
-# license: All rights reserved
 
 module Inspec::Resources
   class KernelModule < Inspec.resource(1)

data/lib/resources/kernel_parameter.rb

@@ -1,6 +1,5 @@
 # encoding: utf-8
 # author: Christoph Hartmann
-# license: All rights reserved
 
 module Inspec::Resources
   class KernelParameter < Inspec.resource(1)

data/lib/resources/limits_conf.rb

@@ -2,7 +2,6 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Christoph Hartmann
 # author: Dominik Richter
-# license: All rights reserved
 
 require 'utils/simpleconfig'
 

data/lib/resources/login_def.rb

@@ -2,7 +2,6 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Christoph Hartmann
 # author: Dominik Richter
-# license: All rights reserved
 
 require 'utils/simpleconfig'
 

data/lib/resources/mssql_session.rb

@@ -1,54 +1,102 @@
 # encoding: utf-8
+# author: Nolan Davidson
 # author: Christoph Hartmann
 # author: Dominik Richter
 
+require 'hashie/mash'
+require 'utils/database_helpers'
+
 module Inspec::Resources
+  # STABILITY: Experimental
+  # This resource needs further testing and refinement
+  #
+  # This requires the `sqlcmd` tool available on platform
+  # @see https://docs.microsoft.com/en-us/sql/relational-databases/scripting/sqlcmd-use-the-utility
+  # @see https://docs.microsoft.com/en-us/sql/linux/sql-server-linux-connect-and-query-sqlcmd
   class MssqlSession < Inspec.resource(1)
     name 'mssql_session'
     desc 'Use the mssql_session InSpec audit resource to test SQL commands run against a MS Sql Server database.'
     example "
       # Using SQL authentication
       sql = mssql_session(user: 'myuser', pass: 'mypassword')
-      describe sql.query('select * from sys.databases where name like \'*test*\') do
-        its('stdout') { should_not match(/test/) }
+      describe sql.query('SELECT * FROM table').row(0).column('columnname') do
+        its('value') { should cmp == 1 }
       end
 
       # Passing no credentials to mssql_session forces it to use Windows authentication
       sql_windows_auth = mssql_session
-      describe sql_window_auth.query('select * from sys.databases where name like \'*test*\') do
-        its('stdout') { should_not match(/test/) }
+      describe sql.query(\"SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') as \\\"login_mode\\\";\").row(0).column('login_mode') do
+        its('value') { should_not be_empty }
+        its('value') { should cmp == 1 }
       end
     "
 
-    attr_reader :user, :pass, :host
-
+    attr_reader :user, :password, :host
     def initialize(opts = {})
       @user = opts[:user]
-      @pass = opts[:pass]
+      @password = opts[:password] || opts[:pass]
+      if opts[:pass]
+        warn '[DEPRECATED] use `password` option to supply password instead of `pass`'
+      end
       @host = opts[:host] || 'localhost'
       @instance = opts[:instance]
+
+      # check if sqlcmd is available
+      return skip_resource('sqlcmd is missing') if !inspec.command('sqlcmd').exist?
+      # check that database is reachable
+      return skip_resource("Can't connect to the MS SQL Server.") if !test_connection
     end
 
     def query(q)
-      escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$').gsub(/\@/, '`@')
-      cmd_string = "sqlcmd -Q \"#{escaped_query}\""
-      cmd_string += " -U #{@user} -P #{@pass}" unless @user.nil? or @pass.nil?
+      escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
+      # surpress 'x rows affected' in SQLCMD with 'set nocount on;'
+      cmd_string = "sqlcmd -Q \"set nocount on; #{escaped_query}\" -W -w 1024 -s ','"
+      cmd_string += " -U #{@user} -P '#{@password}'" unless @user.nil? || @password.nil?
       if @instance.nil?
         cmd_string += " -S #{@host}"
       else
         cmd_string += " -S #{@host}\\#{@instance}"
       end
-      puts cmd_string
       cmd = inspec.command(cmd_string)
       out = cmd.stdout + "\n" + cmd.stderr
-      if out =~ /Sqlcmd: Error/
-        skip_resource("Can't connect to the MS SQL Server.")
+      if cmd.exit_status != 0 || out =~ /Sqlcmd: Error/
+        # TODO: we need to throw an exception here
+        # change once https://github.com/chef/inspec/issues/1205 is in
+        warn "Could not execute the sql query #{out}"
+        DatabaseHelper::SQLQueryResult.new(cmd, Hashie::Mash.new({}))
+      else
+        DatabaseHelper::SQLQueryResult.new(cmd, parse_csv_result(cmd))
       end
-      cmd
     end
 
     def to_s
       'MSSQL session'
     end
+
+    private
+
+    def test_connection
+      !query('select getdate()').empty?
+    end
+
+    def parse_csv_result(cmd)
+      require 'csv'
+      table = CSV.parse(cmd.stdout, { headers: true })
+
+      # remove first row, since it will be a seperator line
+      table.delete(0)
+
+      # convert to hash
+      headers = table.headers
+
+      results = table.map { |row|
+        res = {}
+        headers.each { |header|
+          res[header.downcase] = row[header]
+        }
+        Hashie::Mash.new(res)
+      }
+      results
+    end
   end
 end

data/lib/resources/mysql.rb

@@ -2,7 +2,6 @@
 # copyright: 2015, Vulcano Security GmbH
 # author: Dominik Richter
 # author: Christoph Hartmann
-# license: All rights reserved
 
 module Inspec::Resources
   class Mysql < Inspec.resource(1)

data/lib/resources/mysql_conf.rb

@@ -1,7 +1,6 @@
 # encoding: utf-8
 # copyright: 2015, Vulcano Security GmbH
 # author: Dominik Richter
-# license: All rights reserved
 
 require 'utils/simpleconfig'
 require 'utils/find_files'

data/lib/resources/mysql_session.rb

@@ -3,7 +3,6 @@
 # author: Dominik Richter
 # author: Christoph Hartmann
 # author: Aaron Lippold
-# license: All rights reserved
 
 module Inspec::Resources
   class MysqlSession < Inspec.resource(1)
@@ -16,10 +15,12 @@ module Inspec::Resources
       end
     "
 
-    def initialize(user = nil, pass = nil, host = 'localhost')
+    def initialize(user = nil, pass = nil, host = 'localhost', port = nil, socket = nil)
       @user = user
       @pass = pass
       @host = host
+      @port = port
+      @socket = socket
       init_fallback if user.nil? or pass.nil?
       skip_resource("Can't run MySQL SQL checks without authentication") if @user.nil? or @pass.nil?
     end
@@ -30,12 +31,20 @@ module Inspec::Resources
       escaped_query = q.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
 
       # run the query
-      cmd = inspec.command("mysql -u#{@user} -p#{@pass} -h #{@host} #{db} -s -e \"#{escaped_query}\"")
+      command = "mysql -u#{@user} -p#{@pass}"
+      if !@socket.nil?
+        command += " -S #{@socket}"
+      else
+        command += " -h #{@host}"
+      end
+      command += " --port #{@port}" unless @port.nil?
+      command += " #{db} -s -S #{@socket} -e \"#{escaped_query}\""
+
+      cmd = inspec.command(command)
       out = cmd.stdout + "\n" + cmd.stderr
-      if out =~ /Can't connect to .* MySQL server/ or
-         out.downcase =~ /^error/
+      if out =~ /Can't connect to .* MySQL server/ || out.downcase =~ /^error/
         # skip this test if the server can't run the query
-        skip_resource("Can't connect to MySQL instance for SQL checks.")
+        warn("Can't connect to MySQL instance for SQL checks.")
       end
 
       # return the raw command output