inspec 1.40.0 → 1.41.0

data/docs/resources/zfs_dataset.md.erb

@@ -6,6 +6,8 @@ title: About the zfs_dataset Resource
 
 Use the `zfs_dataset` InSpec audit resource to test the ZFS datasets on FreeBSD systems.
 
+<br>
+
 ## Syntax
 
 A `zfs_dataset` resource block declares the ZFS dataset properties that should be tested:
@@ -20,32 +22,7 @@ where
 * `MATCHER` is a valid matcher for this resource
 * `'value'` is the value to be tested
 
-
-## Matchers
-
-This InSpec audit resource has the matchers listed below, in addition to dynamically exposing all ZFS dataset properties available (see: `man zfs` for the list of supported properties.)
-
-### be
-
-<%= partial "/shared/matcher_be" %>
-
-### be_mounted
-
-The `be_mounted` matcher tests if the dataset is accessible from the file system:
-
-    it { should be_mounted }
-
-### cmp
-
-<%= partial "/shared/matcher_cmp" %>
-
-### eq
-
-<%= partial "/shared/matcher_eq" %>
-
-### match
-
-<%= partial "/shared/matcher_match" %>
+<br>
 
 ## Examples
 
@@ -61,3 +38,15 @@ The following examples show how to use this InSpec audit resource.
       its('readonly') { should eq  'off' }
       its('setuid') { should eq  'off' }
     end
+
+<br>
+
+## Matchers
+
+This InSpec audit resource has the matchers listed below, in addition to dynamically exposing all ZFS dataset properties available (see: `man zfs` for the list of supported properties). For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+### be_mounted
+
+The `be_mounted` matcher tests if the dataset is accessible from the file system:
+
+    it { should be_mounted }

data/docs/resources/zfs_pool.md.erb

@@ -6,6 +6,8 @@ title: About the zfs_pool Resource
 
 Use the `zfs_pool` InSpec audit resource to test the ZFS pools on FreeBSD systems.
 
+<br>
+
 ## Syntax
 
 A `zfs_pool` resource block declares the ZFS pool properties that should be tested:
@@ -20,26 +22,7 @@ where
 * `MATCHER` is a valid matcher for this resource
 * `'value'` is the value to be tested
 
-
-## Matchers
-
-This InSpec audit resource has the matchers listed below, in addition to dynamically exposing all ZFS pool properties available (see: `man zpool` for the list of supported properties.)
-
-### be
-
-<%= partial "/shared/matcher_be" %>
-
-### cmp
-
-<%= partial "/shared/matcher_cmp" %>
-
-### eq
-
-<%= partial "/shared/matcher_eq" %>
-
-### match
-
-<%= partial "/shared/matcher_match" %>
+<br>
 
 ## Examples
 
@@ -55,3 +38,9 @@ The following examples show how to use this InSpec audit resource.
       its('listsnapshots') { should eq  'off' }
       its('readonly') { should eq  'off' }
     end
+
+<br>
+
+## Matchers
+
+This InSpec audit resource dynamically exposes all ZFS pool properties available (see: `man zpool` for the list of supported properties). For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).

data/lib/inspec/backend.rb

@@ -17,6 +17,14 @@ module Inspec
         Inspec::VERSION
       end
 
+      # Determine whether the connection/transport is a local connection
+      # Useful for resources to modify behavior as necessary, such as using
+      # the Ruby stdlib for a better experience.
+      def local_transport?
+        return false unless defined?(Train::Transports::Local)
+        backend.is_a?(Train::Transports::Local::Connection)
+      end
+
       # Ruby internal for printing a nice name for this class
       def to_s
         'Inspec::Backend::Class'

data/lib/inspec/profile.rb

@@ -93,12 +93,20 @@ module Inspec
       @writable = options[:writable] || false
       @profile_id = options[:id]
       @cache = options[:cache] || Cache.new
-      @backend = options[:backend] || Inspec::Backend.create(options.select { |k, _| k != 'target' })
       @attr_values = options[:attributes]
       @tests_collected = false
       @libraries_loaded = false
       Metadata.finalize(@source_reader.metadata, @profile_id, options)
 
+      # if a backend has already been created, clone it so each profile has its own unique backend object
+      # otherwise, create a new backend object
+      #
+      # This is necessary since we store the RuntimeProfile on the backend object. If a user runs `inspec exec`
+      # with multiple profiles, only the RuntimeProfile for the last-loaded profile will be available if
+      # we share the backend between profiles.
+      #
+      # This will cause issues if a profile attempts to load a file via `inspec.profile.file`
+      @backend = options[:backend].nil? ? Inspec::Backend.create(options) : options[:backend].dup
       @runtime_profile = RuntimeProfile.new(self)
       @backend.profile = @runtime_profile
 

data/lib/inspec/shell.rb

@@ -139,21 +139,21 @@ EOF
       elsif topic == 'matchers'
         print_matchers_help
       elsif !Inspec::Resource.registry[topic].nil?
-        puts <<EOF
-#{mark 'Name:'} #{topic}
-
-#{mark 'Description:'}
-
-#{Inspec::Resource.registry[topic].desc}
-
-#{mark 'Example:'}
-#{print_example(Inspec::Resource.registry[topic].example)}
-
-#{mark 'Web Reference:'}
+        topic_info = Inspec::Resource.registry[topic]
+        info = "#{mark 'Name:'} #{topic}\n\n"
+        unless topic_info.desc.nil?
+          info += "#{mark 'Description:'}\n\n"
+          info += "#{topic_info.desc}\n\n"
+        end
 
-https://www.inspec.io/docs/reference/resources/#{topic}
+        unless topic_info.example.nil?
+          info += "#{mark 'Example:'}\n"
+          info += "#{print_example(topic_info.example)}\n\n"
+        end
 
-EOF
+        info += "#{mark 'Web Reference:'}\n\n"
+        info += "https://www.inspec.io/docs/reference/resources/#{topic}\n\n"
+        puts info
       else
         puts "The resource #{topic} does not exist. For a list of valid resources, type: help resources"
       end

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.40.0'.freeze
+  VERSION = '1.41.0'.freeze
 end

data/lib/matchers/matchers.rb

@@ -316,6 +316,8 @@ RSpec::Matchers.define :cmp do |first_expected|
       return actual.to_i.method(op).call(expected)
     elsif expected.is_a?(Float) && float?(actual)
       return actual.to_f.method(op).call(expected)
+    elsif actual.is_a?(Symbol) && expected.is_a?(String)
+      return actual.to_s.method(op).call(expected)
     elsif octal?(expected) && actual.is_a?(Integer)
       return actual.method(op).call(expected.to_i(8))
     end

data/lib/resources/etc_hosts.rb

@@ -20,7 +20,7 @@ class EtcHosts < Inspec.resource(1)
   include CommentParser
 
   def initialize(hosts_path = nil)
-    return skip_resource 'The `etc_hosts` resource is not supported on your OS.' unless inspec.os.linux? || inspec.os.windows?
+    return skip_resource 'The `etc_hosts` resource is not supported on your OS.' unless inspec.os.bsd? || inspec.os.linux? || inspec.os.windows?
     @conf_path      = hosts_path || default_hosts_file_path
     @content        = nil
     @params         = nil

data/lib/resources/host.rb

@@ -113,7 +113,10 @@ module Inspec::Resources
     end
 
     def to_s
-      "Host #{hostname}"
+      resource_name = "Host #{hostname}"
+      resource_name += " port #{port} proto #{protocol}" if port
+
+      resource_name
     end
 
     private

data/lib/resources/http.rb

@@ -22,51 +22,201 @@ module Inspec::Resources
         its('Content-Length') { should cmp 258 }
         its('Content-Type') { should cmp 'text/html; charset=UTF-8' }
       end
+
+      # properly execute the HTTP call on the scanned machine instead of the
+      # machine executing InSpec. This will be the default behavior in InSpec 2.0.
+      describe http('http://localhost:8080', enable_remote_worker: true) do
+        its('body') { should cmp 'local web server on target machine' }
+      end
     "
 
     def initialize(url, opts = {})
       @url = url
-      @method = opts.fetch(:method, 'GET')
-      @params = opts.fetch(:params, nil)
-      @auth = opts.fetch(:auth, {})
-      @headers = opts.fetch(:headers, {})
-      @data = opts.fetch(:data, nil)
-      @open_timeout = opts.fetch(:open_timeout, 60)
-      @read_timeout = opts.fetch(:read_timeout, 60)
-      @ssl_verify = opts.fetch(:ssl_verify, true)
+      @opts = opts
+
+      if use_remote_worker?
+        return skip_resource 'curl is not available on the target machine' unless inspec.command('curl').exist?
+        @worker = Worker::Remote.new(inspec, http_method, url, opts)
+      else
+        @worker = Worker::Local.new(http_method, url, opts)
+      end
     end
 
     def status
-      response.status
+      @worker.status
+    end
+
+    def headers
+      Hashie::Mash.new(@worker.response_headers)
     end
 
     def body
-      response.body
+      @worker.body
     end
 
-    def headers
-      Hashie::Mash.new(response.headers.to_h)
+    def http_method
+      @opts.fetch(:method, 'GET')
     end
 
     def to_s
-      "http #{@method} on #{@url}"
+      "http #{http_method} on #{@url}"
     end
 
     private
 
-    def response
-      return @response if @response
-      conn = Faraday.new url: @url, headers: @headers, params: @params, ssl: { verify: @ssl_verify }
+    def use_remote_worker?
+      return false if inspec.local_transport?
+      return true if @opts[:enable_remote_worker]
+
+      warn "[DEPRECATION] #{self} will execute locally instead of the target machine. To execute remotely, add `enable_remote_worker: true`."
+      warn '[DEPRECATION] `enable_remote_worker: true` will be the default behavior in InSpec 2.0.'
+      false
+    end
+
+    class Worker
+      class Base
+        attr_reader :http_method, :opts, :url
+
+        def initialize(http_method, url, opts)
+          @http_method = http_method
+          @url = url
+          @opts = opts
+        end
+
+        private
+
+        def params
+          opts.fetch(:params, nil)
+        end
+
+        def username
+          opts.fetch(:auth, {})[:user]
+        end
+
+        def password
+          opts.fetch(:auth, {})[:pass]
+        end
+
+        def request_headers
+          opts.fetch(:headers, {})
+        end
+
+        def request_body
+          opts[:data]
+        end
+
+        def open_timeout
+          opts.fetch(:open_timeout, 60)
+        end
+
+        def read_timeout
+          opts.fetch(:read_timeout, 60)
+        end
+
+        def ssl_verify?
+          opts.fetch(:ssl_verify, true)
+        end
+      end
+
+      class Local < Base
+        def status
+          response.status
+        end
+
+        def body
+          response.body
+        end
+
+        def response_headers
+          response.headers.to_h
+        end
+
+        private
+
+        def response
+          return @response if @response
+          conn = Faraday.new url: url, headers: request_headers, params: params, ssl: { verify: ssl_verify? }
+
+          # set basic authentication
+          conn.basic_auth username, password unless username.nil? || password.nil?
+
+          # set default timeout
+          conn.options.timeout      = read_timeout  # open/read timeout in seconds
+          conn.options.open_timeout = open_timeout  # connection open timeout in seconds
+
+          @response = conn.send(http_method.downcase) do |req|
+            req.body = request_body
+          end
+        end
+      end
+
+      class Remote < Base
+        attr_reader :inspec
+
+        def initialize(inspec, http_method, url, opts)
+          @inspec = inspec
+          super(http_method, url, opts)
+        end
+
+        def status
+          run_curl
+          @status
+        end
+
+        def body
+          run_curl
+          @body
+        end
+
+        def response_headers
+          run_curl
+          @response_headers
+        end
+
+        private
+
+        def run_curl
+          return if @ran_curl
+
+          response = inspec.command(curl_command).stdout
+          @ran_curl = true
+          return if response.nil?
+
+          # strip any carriage returns to normalize output
+          response.delete!("\r")
+
+          # split the prelude (status line and headers) and the body
+          prelude, @body = response.split("\n\n", 2)
+          prelude = prelude.lines
+
+          # grab the status off of the first line of the prelude
+          status_line = prelude.shift
+          @status = status_line.split(' ', 3)[1].to_i
+
+          # parse the rest of the prelude which will be all the HTTP headers
+          @response_headers = {}
+          prelude.each do |line|
+            line.strip!
+            key, value = line.split(':', 2)
+            @response_headers[key] = value.strip
+          end
+        end
+
+        def curl_command
+          cmd = ["curl -i -X #{http_method}"]
+          cmd << "--connect-timeout #{open_timeout}"
+          cmd << "--user \'#{username}:#{password}\'" unless username.nil? || password.nil?
+          cmd << '--insecure' unless ssl_verify?
+          cmd << "--data #{Shellwords.shellescape(request_body)}" unless request_body.nil?
 
-      # set basic authentication
-      conn.basic_auth @auth[:user], @auth[:pass] unless @auth.empty?
+          request_headers.each do |k, v|
+            cmd << "-H '#{k}=#{v}'"
+          end
 
-      # set default timeout
-      conn.options.timeout      = @read_timeout  # open/read timeout in seconds
-      conn.options.open_timeout = @open_timeout  # connection open timeout in seconds
+          cmd << "'#{url}'"
 
-      @response = conn.send(@method.downcase) do |req|
-        req.body = @data
+          cmd.join(' ')
+        end
       end
     end
   end

data/lib/resources/processes.rb

@@ -4,9 +4,10 @@
 # author: Christoph Hartmann
 
 require 'utils/filter'
+require 'ostruct'
 
 module Inspec::Resources
-  class Processes < Inspec.resource(1)
+  class Processes < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
     name 'processes'
     desc 'Use the processes InSpec audit resource to test properties for programs that are running on the system.'
     example "
@@ -15,12 +16,18 @@ module Inspec::Resources
         its('users') { should eq ['mysql'] }
         its('states') { should include 'S' }
       end
+
       describe processes(/.+/).where { label != 'unconfined' && pid < 1000 } do
         its('users') { should cmp [] }
       end
+
+      # work with all processes
+      describe processes do
+        its('entries.length') { should be <= 100 }
+      end
     "
 
-    def initialize(grep)
+    def initialize(grep = /.*/)
       @grep = grep
       # turn into a regexp if it isn't one yet
       if grep.class == String
@@ -80,39 +87,118 @@ module Inspec::Resources
       os = inspec.os
 
       if os.linux?
-        command = 'ps axo label,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user:32,command'
-        regex = /^(.+?)\s+(\d+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(\w{3} \d{2}|\d{2}:\d{2}:\d{2})\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
+        command, regex, field_map = ps_configuration_for_linux
       elsif os.windows?
         command = '$Proc = Get-Process -IncludeUserName | Where-Object {$_.Path -ne $null } | Select-Object PriorityClass,Id,CPU,PM,VirtualMemorySize,NPM,SessionId,Responding,StartTime,TotalProcessorTime,UserName,Path | ConvertTo-Csv -NoTypeInformation;$Proc.Replace("""","").Replace("`r`n","`n")'
         # Wanted to use /(?:^|,)([^,]*)/; works on rubular.com not sure why here?
         regex = /^(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+),(.+)$/
+        field_map = {
+          pid: 2,
+          cpu: 3,
+          mem: 4,
+          vsz: 5,
+          rss: 6,
+          tty: 7,
+          stat: 8,
+          start: 9,
+          time: 10,
+          user: 11,
+          command: 12,
+        }
       else
         command = 'ps axo pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user,command'
         regex = /^\s*([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
+        field_map = {
+          pid: 1,
+          cpu: 2,
+          mem: 3,
+          vsz: 4,
+          rss: 5,
+          tty: 6,
+          stat: 7,
+          start: 8,
+          time: 9,
+          user: 10,
+          command: 11,
+        }
       end
-      build_process_list(command, regex, os)
+      build_process_list(command, regex, field_map)
     end
 
-    Process = Struct.new(:label, :pid,
-                         :cpu, :mem, :vsz,
-                         :rss, :tty, :stat,
-                         :start, :time, :user, :command)
+    def ps_configuration_for_linux
+      if busybox_ps?
+        command = 'ps -o pid,vsz,rss,tty,stat,time,ruser,args'
+        regex = /^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$/
+        field_map = {
+          pid: 1,
+          vsz: 2,
+          rss: 3,
+          tty: 4,
+          stat: 5,
+          time: 6,
+          user: 7,
+          command: 8,
+        }
+      else
+        command = 'ps axo label,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user:32,command'
+        regex = /^(.+?)\s+(\d+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(\w{3} \d{2}|\d{2}:\d{2}:\d{2})\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
+        field_map = {
+          label: 1,
+          pid: 2,
+          cpu: 3,
+          mem: 4,
+          vsz: 5,
+          rss: 6,
+          tty: 7,
+          stat: 8,
+          start: 9,
+          time: 10,
+          user: 11,
+          command: 12,
+        }
+      end
+
+      [command, regex, field_map]
+    end
 
-    def build_process_list(command, regex, os)
+    def busybox_ps?
+      @busybox_ps ||= inspec.command('ps --help').stderr.include?('BusyBox')
+    end
+
+    def build_process_list(command, regex, field_map)
       cmd = inspec.command(command)
       all = cmd.stdout.split("\n")[1..-1]
       return [] if all.nil?
-      lines = all.map do |line|
-        line.match(regex)
+
+      # map all the process lines into match objects, fetch the available fields,
+      # and then build an OpenStruct of the process data for each process
+      all.map do |line|
+        line = line.match(regex)
+
+        # skip this line if we couldn't match the regular expression
+        next if line.nil?
+
+        # skip this entry if there's no command for this line
+        next if line[field_map[:command]].nil?
+
+        # build a hash of process data that we'll turn into a struct for FilterTable
+        process_data = {}
+        [:label, :pid, :cpu, :mem, :vsz, :rss, :tty, :stat, :start, :time, :user, :command].each do |param|
+          # not all operating systems support all fields, so skip the field if we don't have it
+          process_data[param] = line[field_map[param]] if field_map.key?(param)
+        end
+
+        # ensure pid, vsz, and rss are integers for backward compatibility
+        [:pid, :vsz, :rss].each do |int_param|
+          process_data[int_param] = process_data[int_param].to_i if process_data.key?(int_param)
+        end
+
+        # strip any newlines off the command
+        process_data[:command].strip!
+
+        # return an OpenStruct of the process for future use by FilterTable
+        OpenStruct.new(process_data)
       end.compact
-      lines.map do |m|
-        a = m.to_a[1..-1] # grab all matching groups
-        a.unshift(nil) unless os.linux? || os.windows?
-        a[1] = a[1].to_i
-        a[4] = a[4].to_i
-        a[5] = a[5].to_i
-        Process.new(*a)
-      end
     end
   end
 end