inspec 4.3.2 → 4.6.3

data/lib/{resources → inspec/resources}/processes.rb

@@ -1,15 +1,15 @@
-# encoding: utf-8
 # copyright: 2015, Vulcano Security GmbH
 
-require 'utils/filter'
-require 'ostruct'
+require "inspec/utils/filter"
+require "ostruct"
+require "inspec/resources/command"
 
 module Inspec::Resources
   class Processes < Inspec.resource(1)
-    name 'processes'
-    supports platform: 'unix'
-    supports platform: 'windows'
-    desc 'Use the processes InSpec audit resource to test properties for programs that are running on the system.'
+    name "processes"
+    supports platform: "unix"
+    supports platform: "windows"
+    desc "Use the processes InSpec audit resource to test properties for programs that are running on the system."
     example <<~EXAMPLE
       describe processes('mysqld') do
         its('entries.length') { should eq 1 }
@@ -33,10 +33,10 @@ module Inspec::Resources
       if grep.class == String
         # if windows ignore case as we can't make up our minds
         if inspec.os.windows?
-          grep = '(?i)' + grep
+          grep = "(?i)" + grep
         else
-          grep = '(/[^/]*)*' + grep unless grep[0] == '/'
-          grep = '^' + grep + '(\s|$)'
+          grep = "(/[^/]*)*" + grep unless grep[0] == "/"
+          grep = "^" + grep + '(\s|$)'
         end
         grep = Regexp.new(grep)
       end
@@ -56,23 +56,23 @@ module Inspec::Resources
     end
 
     def list
-      Inspec.deprecate(:property_processes_list, 'The processes `list` property is deprecated. Please use `entries` instead.')
+      Inspec.deprecate(:property_processes_list, "The processes `list` property is deprecated. Please use `entries` instead.")
       @list
     end
 
     filter = FilterTable.create
-    filter.register_column(:labels,   field: 'label')
-          .register_column(:pids,     field: 'pid')
-          .register_column(:cpus,     field: 'cpu')
-          .register_column(:mem,      field: 'mem')
-          .register_column(:vsz,      field: 'vsz')
-          .register_column(:rss,      field: 'rss')
-          .register_column(:tty,      field: 'tty')
-          .register_column(:states,   field: 'stat')
-          .register_column(:start,    field: 'start')
-          .register_column(:time,     field: 'time')
-          .register_column(:users,    field: 'user')
-          .register_column(:commands, field: 'command')
+    filter.register_column(:labels,   field: "label")
+          .register_column(:pids,     field: "pid")
+          .register_column(:cpus,     field: "cpu")
+          .register_column(:mem,      field: "mem")
+          .register_column(:vsz,      field: "vsz")
+          .register_column(:rss,      field: "rss")
+          .register_column(:tty,      field: "tty")
+          .register_column(:states,   field: "stat")
+          .register_column(:start,    field: "start")
+          .register_column(:time,     field: "time")
+          .register_column(:users,    field: "user")
+          .register_column(:commands, field: "command")
           .install_filter_methods_on_resource(self, :filtered_processes)
 
     private
@@ -104,7 +104,7 @@ module Inspec::Resources
           command: 12,
         }
       else
-        command = 'ps axo pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user,command'
+        command = "ps axo pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user,command"
         regex = /^\s*([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
         field_map = {
           pid: 1,
@@ -125,7 +125,7 @@ module Inspec::Resources
 
     def ps_configuration_for_linux
       if busybox_ps?
-        command = 'ps -o pid,vsz,rss,tty,stat,time,ruser,args'
+        command = "ps -o pid,vsz,rss,tty,stat,time,ruser,args"
         regex = /^\s*(\d+)\s+(\d+(?:\.\d+)?[gm]?)\s+(\d+(?:\.\d+)?[gm]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$/
         field_map = {
           pid: 1,
@@ -138,7 +138,7 @@ module Inspec::Resources
           command: 8,
         }
       else
-        command = 'ps axo label,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user:32,command'
+        command = "ps axo label,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,user:32,command"
         regex = /^(.+?)\s+(\d+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+([^ ]+)\s+(\w{3} \d{2}|\d{2}:\d{2}:\d{2})\s+([^ ]+)\s+([^ ]+)\s+(.*)$/
         field_map = {
           label: 1,
@@ -160,15 +160,15 @@ module Inspec::Resources
     end
 
     def busybox_ps?
-      @busybox_ps ||= inspec.command('ps --help').stderr.include?('BusyBox')
+      @busybox_ps ||= inspec.command("ps --help").stderr.include?("BusyBox")
     end
 
     def convert_to_kilobytes(param)
       return param.to_i unless param.is_a?(String)
 
-      if param.end_with?('g')
+      if param.end_with?("g")
         (param[0..-2].to_f * 1024 * 1024).to_i
-      elsif param.end_with?('m')
+      elsif param.end_with?("m")
         (param[0..-2].to_f * 1024).to_i
       else
         param.to_i

data/lib/{resources/rabbitmq_conf.rb → inspec/resources/rabbitmq_config.rb}

@@ -1,15 +1,14 @@
-# encoding: utf-8
-
-require 'utils/erlang_parser'
-require 'utils/file_reader'
+require "inspec/utils/erlang_parser"
+require "inspec/utils/file_reader"
 
 module Inspec::Resources
-  class RabbitmqConf < Inspec.resource(1)
-    name 'rabbitmq_config'
-    supports platform: 'unix'
-    desc 'Use the rabbitmq_config InSpec resource to test configuration data '\
-         'for the RabbitMQ service located in /etc/rabbitmq/rabbitmq.config on '\
-         'Linux and UNIX platforms.'
+  class RabbitmqConfig < Inspec.resource(1)
+    name "rabbitmq_conf" # TODO: this is an alias. do we want this?
+    name "rabbitmq_config"
+    supports platform: "unix"
+    desc "Use the rabbitmq_config InSpec resource to test configuration data "\
+         "for the RabbitMQ service located in /etc/rabbitmq/rabbitmq.config on "\
+         "Linux and UNIX platforms."
     example <<~EXAMPLE
       describe rabbitmq_config.params('rabbit', 'ssl_listeners') do
         it { should cmp 5671 }
@@ -19,7 +18,7 @@ module Inspec::Resources
     include FileReader
 
     def initialize(conf_path = nil)
-      @conf_path = conf_path || '/etc/rabbitmq/rabbitmq.config'
+      @conf_path = conf_path || "/etc/rabbitmq/rabbitmq.config"
       @content = read_file_content(@conf_path, allow_empty: true)
     end
 

data/lib/{resources → inspec/resources}/registry_key.rb

@@ -1,11 +1,11 @@
-# encoding: utf-8
 # copyright: 2015, Vulcano Security GmbH
 
-require 'json'
+require "json"
+require "inspec/resources/powershell"
 
 # Three constructor methods are available:
 # 1. resistry_key(path'):
-# describe registry_key('Task Scheduler','HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule') do
+# describe registry_key('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule') do
 #   its('Start') { should eq 2 }
 # end
 #
@@ -47,9 +47,9 @@ require 'json'
 
 module Inspec::Resources
   class RegistryKey < Inspec.resource(1)
-    name 'registry_key'
-    supports platform: 'windows'
-    desc 'Use the registry_key InSpec audit resource to test key values in the Microsoft Windows registry.'
+    name "registry_key"
+    supports platform: "windows"
+    desc "Use the registry_key InSpec audit resource to test key values in the Microsoft Windows registry."
     example <<~EXAMPLE
       describe registry_key('path\to\key') do
         its('name') { should eq 'value' }
@@ -71,7 +71,7 @@ module Inspec::Resources
         @options[:path] = reg_key
       end
 
-      return skip_resource 'The `registry_key` resource is not supported on your OS yet.' if !inspec.os.windows?
+      return skip_resource "The `registry_key` resource is not supported on your OS yet." if !inspec.os.windows?
     end
 
     def exists?
@@ -80,7 +80,7 @@ module Inspec::Resources
 
     def has_value?(value)
       val = registry_key(@options[:path])
-      !val.nil? && registry_property_value(val, '(default)') == value ? true : false
+      !val.nil? && registry_property_value(val, "(default)") == value ? true : false
     end
 
     def has_property?(property_name, property_type = nil)
@@ -140,13 +140,13 @@ module Inspec::Resources
     def registry_property_value(regkey, property)
       return nil if !registry_property_exists(regkey, property)
       # always ensure the key is lower case
-      regkey[prep_prop(property)]['value']
+      regkey[prep_prop(property)]["value"]
     end
 
     def registry_property_type(regkey, property)
       return nil if !registry_property_exists(regkey, property)
       # always ensure the key is lower case
-      regkey[prep_prop(property)]['type']
+      regkey[prep_prop(property)]["type"]
     end
 
     def registry_key(path)
@@ -197,7 +197,7 @@ module Inspec::Resources
       @registry_cache
     end
 
-    def children_keys(path, filter = '')
+    def children_keys(path, filter = "")
       return @children_cache if defined?(@children_cache)
       filter = filter.source if filter.is_a? ::Regexp
       script = <<-EOH
@@ -274,17 +274,17 @@ module Inspec::Resources
 
     def format_key_from_options
       key = @options[:key]
-      return '' unless key
+      return "" unless key
 
       key.start_with?('\\') ? key : "\\#{key}"
     end
   end
 
   class WindowsRegistryKey < RegistryKey
-    name 'windows_registry_key'
+    name "windows_registry_key"
 
     def initialize(name)
-      Inspec.deprecate(:resource_windows_registry_key, 'The `windows_registry_key` resource is deprecated. Please use `registry_key` instead.')
+      Inspec.deprecate(:resource_windows_registry_key, "The `windows_registry_key` resource is deprecated. Please use `registry_key` instead.")
       super(name)
     end
   end

data/lib/inspec/resources/script.rb

@@ -0,0 +1 @@
+require "inspec/resources/powershell"

data/lib/{resources → inspec/resources}/security_identifier.rb

@@ -1,11 +1,12 @@
-# encoding: utf-8
 # frozen_string_literal: true
 
+require "inspec/resources/command"
+
 module Inspec::Resources
   class SecurityIdentifier < Inspec.resource(1)
-    name 'security_identifier'
-    supports platform: 'windows'
-    desc 'Resource that returns a Security Identifier for a given entity name in Windows.'
+    name "security_identifier"
+    supports platform: "windows"
+    desc "Resource that returns a Security Identifier for a given entity name in Windows."
     example <<~EXAMPLE
       describe security_identifier(group: 'Everyone') do
         it { should exist }
@@ -17,7 +18,7 @@ module Inspec::Resources
       supported_opt_keys = [:user, :group, :unspecified]
       raise ArgumentError, "Invalid security_identifier param '#{opts}'. Please pass a hash with these supported keys: #{supported_opt_keys}" unless opts.respond_to?(:keys)
       raise ArgumentError, "Unsupported security_identifier options '#{opts.keys - supported_opt_keys}'. Supported keys: #[supported_opt_keys]" unless (opts.keys - supported_opt_keys).empty?
-      raise ArgumentError, 'Specifying more than one of :user :group or :unspecified for security_identifier is not supported' unless opts.keys && (opts.keys & supported_opt_keys).length == 1
+      raise ArgumentError, "Specifying more than one of :user :group or :unspecified for security_identifier is not supported" unless opts.keys && (opts.keys & supported_opt_keys).length == 1
       if opts[:user]
         @type = :user
         @name = opts[:user]
@@ -30,7 +31,7 @@ module Inspec::Resources
         @type = :unspecified
         @name = opts[:unspecified]
       end
-      raise ArgumentError, 'Specify one of :user :group or :unspecified for security_identifier' unless @name
+      raise ArgumentError, "Specify one of :user :group or :unspecified for security_identifier" unless @name
       @sids = nil
     end
 
@@ -66,19 +67,19 @@ module Inspec::Resources
     end
 
     def wmi_results(type)
-      query = 'wmic '
+      query = "wmic "
       case type
       when :group
-        query += 'group'
+        query += "group"
       when :user
-        query += 'useraccount'
+        query += "useraccount"
       end
       query += " where 'Name=\"#{@name}\"' get Name\",\"SID /format:csv"
       # Example output:
       #     inspec> command("wmic useraccount where 'Name=\"Administrator\"' get Name\",\"SID /format:csv").stdout
       #     => "\r\n\r\nNode,Name,SID\r\n\r\nComputer1,Administrator,S-1-5-21-650485088-1194226989-968533923-500\r\n\r\n"
       # Remove the \r characters, split on \n\n, ignore the CSV header row
-      inspec.command(query).stdout.strip.tr("\r", '').split("\n\n")[1..-1].map { |entry| entry.split(',') }
+      inspec.command(query).stdout.strip.tr("\r", "").split("\n\n")[1..-1].map { |entry| entry.split(",") }
     end
   end
 end

data/lib/{resources → inspec/resources}/security_policy.rb

@@ -1,4 +1,3 @@
-# encoding: utf-8
 #
 # Security Configuration and Analysis
 #
@@ -11,64 +10,66 @@
 # All local GPO parameters can be examined via Registry, but not all security
 # parameters. Therefore we need a combination of Registry and secedit output
 
-require 'hashie'
+require "hashie"
+require "inspec/resources/command"
+require "inspec/utils/simpleconfig"
 
 module Inspec::Resources
   # known and supported MS privilege rights
   # @see https://technet.microsoft.com/en-us/library/dd277311.aspx
   # @see https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx
   MS_PRIVILEGES_RIGHTS = [
-    'SeNetworkLogonRight',
-    'SeBackupPrivilege',
-    'SeChangeNotifyPrivilege',
-    'SeSystemtimePrivilege',
-    'SeCreatePagefilePrivilege',
-    'SeDebugPrivilege',
-    'SeRemoteShutdownPrivilege',
-    'SeAuditPrivilege',
-    'SeIncreaseQuotaPrivilege',
-    'SeIncreaseBasePriorityPrivilege',
-    'SeLoadDriverPrivilege',
-    'SeBatchLogonRight',
-    'SeServiceLogonRight',
-    'SeInteractiveLogonRight',
-    'SeSecurityPrivilege',
-    'SeSystemEnvironmentPrivilege',
-    'SeProfileSingleProcessPrivilege',
-    'SeSystemProfilePrivilege',
-    'SeAssignPrimaryTokenPrivilege',
-    'SeRestorePrivilege',
-    'SeShutdownPrivilege',
-    'SeTakeOwnershipPrivilege',
-    'SeUndockPrivilege',
-    'SeManageVolumePrivilege',
-    'SeRemoteInteractiveLogonRight',
-    'SeImpersonatePrivilege',
-    'SeCreateGlobalPrivilege',
-    'SeIncreaseWorking',
-    'SeTimeZonePrivilege',
-    'SeCreateSymbolicLinkPrivilege',
-    'SeDenyNetworkLogonRight', # Deny access to this computer from the network
-    'SeDenyInteractiveLogonRight', # Deny logon locally
-    'SeDenyBatchLogonRight', # Deny logon as a batch job
-    'SeDenyServiceLogonRight', # Deny logon as a service
-    'SeTcbPrivilege',
-    'SeMachineAccountPrivilege',
-    'SeCreateTokenPrivilege',
-    'SeCreatePermanentPrivilege',
-    'SeEnableDelegationPrivilege',
-    'SeLockMemoryPrivilege',
-    'SeSyncAgentPrivilege',
-    'SeUnsolicitedInputPrivilege',
-    'SeTrustedCredManAccessPrivilege',
-    'SeRelabelPrivilege', # the privilege to change a Windows integrity label (new to Windows Vista)
-    'SeDenyRemoteInteractiveLogonRight', # Deny logon through Terminal Services
+    "SeNetworkLogonRight",
+    "SeBackupPrivilege",
+    "SeChangeNotifyPrivilege",
+    "SeSystemtimePrivilege",
+    "SeCreatePagefilePrivilege",
+    "SeDebugPrivilege",
+    "SeRemoteShutdownPrivilege",
+    "SeAuditPrivilege",
+    "SeIncreaseQuotaPrivilege",
+    "SeIncreaseBasePriorityPrivilege",
+    "SeLoadDriverPrivilege",
+    "SeBatchLogonRight",
+    "SeServiceLogonRight",
+    "SeInteractiveLogonRight",
+    "SeSecurityPrivilege",
+    "SeSystemEnvironmentPrivilege",
+    "SeProfileSingleProcessPrivilege",
+    "SeSystemProfilePrivilege",
+    "SeAssignPrimaryTokenPrivilege",
+    "SeRestorePrivilege",
+    "SeShutdownPrivilege",
+    "SeTakeOwnershipPrivilege",
+    "SeUndockPrivilege",
+    "SeManageVolumePrivilege",
+    "SeRemoteInteractiveLogonRight",
+    "SeImpersonatePrivilege",
+    "SeCreateGlobalPrivilege",
+    "SeIncreaseWorking",
+    "SeTimeZonePrivilege",
+    "SeCreateSymbolicLinkPrivilege",
+    "SeDenyNetworkLogonRight", # Deny access to this computer from the network
+    "SeDenyInteractiveLogonRight", # Deny logon locally
+    "SeDenyBatchLogonRight", # Deny logon as a batch job
+    "SeDenyServiceLogonRight", # Deny logon as a service
+    "SeTcbPrivilege",
+    "SeMachineAccountPrivilege",
+    "SeCreateTokenPrivilege",
+    "SeCreatePermanentPrivilege",
+    "SeEnableDelegationPrivilege",
+    "SeLockMemoryPrivilege",
+    "SeSyncAgentPrivilege",
+    "SeUnsolicitedInputPrivilege",
+    "SeTrustedCredManAccessPrivilege",
+    "SeRelabelPrivilege", # the privilege to change a Windows integrity label (new to Windows Vista)
+    "SeDenyRemoteInteractiveLogonRight", # Deny logon through Terminal Services
   ].freeze
 
   class SecurityPolicy < Inspec.resource(1)
-    name 'security_policy'
-    supports platform: 'windows'
-    desc 'Use the security_policy InSpec audit resource to test security policies on the Microsoft Windows platform.'
+    name "security_policy"
+    supports platform: "windows"
+    desc "Use the security_policy InSpec audit resource to test security policies on the Microsoft Windows platform."
     example <<~EXAMPLE
       describe security_policy do
         its('SeNetworkLogonRight') { should include 'S-1-5-11' }
@@ -107,7 +108,7 @@ module Inspec::Resources
     end
 
     def to_s
-      'Security Policy'
+      "Security Policy"
     end
 
     private
@@ -138,7 +139,7 @@ module Inspec::Resources
 
       conf = SimpleConfig.new(
         @content,
-        assignment_regex: /^\s*(.*)=\s*(\S*)\s*$/,
+        assignment_regex: /^\s*(.*)=\s*(\S*)\s*$/
       )
       @params = convert_hash(conf.params)
     end
@@ -151,14 +152,14 @@ module Inspec::Resources
       # special handling for SID array
       elsif val =~ /[,]{0,1}\*\S/
         if @translate_sid
-          val.split(',').map { |v|
+          val.split(",").map do |v|
             object_name = inspec.command("(New-Object System.Security.Principal.SecurityIdentifier(\"#{v.sub('*S', 'S')}\")).Translate( [System.Security.Principal.NTAccount]).Value").stdout.to_s.strip
-            object_name.empty? || object_name.nil? ? v.sub('*S', 'S') : object_name
-          }
+            object_name.empty? || object_name.nil? ? v.sub("*S", "S") : object_name
+          end
         else
-          val.split(',').map { |v|
-            v.sub('*S', 'S')
-          }
+          val.split(",").map do |v|
+            v.sub("*S", "S")
+          end
         end
       # special handling for string values with "
       elsif !(m = /^\"(.*)\"$/.match(val)).nil?