inspec 1.30.0 → 1.31.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 745f9c48fb9d28298944aef579f3d8d24255acf5
4
- data.tar.gz: 0e69074ae2ba59b6fd09c6f09ddb784a97fd4fee
3
+ metadata.gz: 0f63e2bc3c79b42602da904d3a7d1c270eb82281
4
+ data.tar.gz: 0f288778eab441b7325fb7f4401c15a24cca1abb
5
5
  SHA512:
6
- metadata.gz: '043509ac03b2be5d7025476cbe33ffff43cf8cc6b5176b4f2519317ef8c3190302b3edc2d870a218c10192699b927b4e6027806fdd3ff677bdcbbf51d605d051'
7
- data.tar.gz: '009d85fe8d9e0f0e778286b229e1ef4ad70ee18e023bfd638143cf2a68db068272fc862bc17161151842e3e0fd7b16cb516c0b9079a73f13ad327baf1e171aa9'
6
+ metadata.gz: 036eaca5d11a52c0218416510139b133547811ceecfc8ac19659cbec50951a61d8eb7bfda9a3280b3e3944c7bfd0b295d8691124ed6984372968330d8af8db0f
7
+ data.tar.gz: fc6b35830b818319d4a13ec75015b16e9dca38f048d52ed2f1c1d034b7a87a16d08a1deea09010cbc153f82de8ba24dc4ce4c2d1b777676f26affc69d79da7c0
data/CHANGELOG.md CHANGED
@@ -1,5 +1,20 @@
1
1
  # Change Log
2
2
 
3
+ ## [v1.31.0](https://github.com/chef/inspec/tree/v1.31.0) (2017-07-06)
4
+ [Full Changelog](https://github.com/chef/inspec/compare/v1.30.0...v1.31.0)
5
+
6
+ **Implemented enhancements:**
7
+
8
+ - Add support for ncat in host resource for CoreOS [\#1993](https://github.com/chef/inspec/pull/1993) ([adamleff](https://github.com/adamleff))
9
+ - New postgres\_hba\_conf resource [\#1964](https://github.com/chef/inspec/pull/1964) ([aaronlippold](https://github.com/aaronlippold))
10
+ - New postgres\_ident\_conf resource [\#1963](https://github.com/chef/inspec/pull/1963) ([aaronlippold](https://github.com/aaronlippold))
11
+
12
+ **Fixed bugs:**
13
+
14
+ - Fix formatter when two profiles have the same name [\#1991](https://github.com/chef/inspec/pull/1991) ([adamleff](https://github.com/adamleff))
15
+ - Fix host resolution on Darwin, use dig wherever possible [\#1986](https://github.com/chef/inspec/pull/1986) ([adamleff](https://github.com/adamleff))
16
+ - updated postgres\_session resource properly escape queries [\#1939](https://github.com/chef/inspec/pull/1939) ([aaronlippold](https://github.com/aaronlippold))
17
+
3
18
  ## [v1.30.0](https://github.com/chef/inspec/tree/v1.30.0) (2017-06-29)
4
19
  [Full Changelog](https://github.com/chef/inspec/compare/v1.29.0...v1.30.0)
5
20
 
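Review bot: the v1.31.0 entry omits changes this release actually ships. The gem's file list (metadata hunks below) drops docs/resources.md, examples/inheritance/inspec.lock, examples/meta-profile/inspec.lock and the three vendored tarballs under examples/meta-profile/vendor/, and README.md changes the stated Windows PowerShell requirement; none of that is listed under any of the three headings. The "updated postgres_session resource properly escape queries" line also undersells a security-relevant fix: the query used to be placed inside a double-quoted shell command with hand-rolled `gsub` escaping and is now passed through `Shellwords.escape`, so a profile that builds queries from untrusted input was exposed to shell injection before this release; say so, since users decide whether to upgrade from this file.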
data/README.md CHANGED
@@ -284,7 +284,7 @@ Gentoo Linux | | x86_64
284
284
  Arch Linux | | x86_64
285
285
  HP-UX | 11.31 | ia64
286
286
 
287
- *For Windows 2008 and 2008 R2 an updated Powershell (Windows Management Framework 5.0) is required.*
287
+ *For Windows, PowerShell 3.0 or above is required.*
288
288
 
289
289
  In addition, runtime support is provided for:
290
290
 
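Review bot: the replacement sentence "For Windows, PowerShell 3.0 or above is required." drops the only hint the old text gave about which platforms ship without a new enough PowerShell (Windows 2008 and 2008 R2, which the removed line said need a Windows Management Framework upgrade). The platform table above this line still lists operating systems rather than PowerShell versions, so keep a clause telling readers of those rows that an upgrade step is involved, even if the exact WMF version is no longer pinned.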
@@ -14,6 +14,8 @@ A `host` resource block declares a host name, and then (depending on what is to
14
14
 
15
15
  describe host('example.com', port: 80, protocol: 'tcp') do
16
16
  it { should be_reachable }
17
+ it { should be_resolvable }
18
+ its('ipaddress') { should include '12.34.56.78' }
17
19
  end
18
20
 
19
21
  where
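Review bot: the new line `its('ipaddress') { should include '12.34.56.78' }` puts a live, publicly routable address into the documentation; use a documentation address (one from 192.0.2.0/24) or the private 192.168.1.1 that the existing example further down this file already uses, so nobody copies a real host into a profile. Also, this hunk adds `be_resolvable` and `ipaddress` to the syntax example while the "where" list that follows explains only the parameters, and its `be_reachable` bullet is removed in the next hunk; either add a bullet per matcher used in the example or end the list with a pointer to the Matchers section.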
@@ -22,7 +24,6 @@ where
22
24
  * `'example.com'` is the host name
23
25
  * `port:` is the port number
24
26
  * `protocol: 'name'` is the Internet protocol: TCP (`protocol: 'tcp'`), UDP (`protocol: 'udp'` or ICMP (`protocol: 'icmp'`))
25
- * `be_reachable` is a valid matcher for this resource
26
27
 
27
28
 
28
29
  ## Matchers
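Review bot: removing the `be_reachable` bullet is fine only if the Matchers section below documents `be_reachable`, `be_resolvable` and `ipaddress`, because the syntax example above now uses all three and the list no longer names any of them. While touching this list, fix the unbalanced parentheses in the protocol bullet: "TCP (`protocol: 'tcp'`), UDP (`protocol: 'udp'` or ICMP (`protocol: 'icmp'`))" should read "TCP (`protocol: 'tcp'`), UDP (`protocol: 'udp'`) or ICMP (`protocol: 'icmp'`)".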
@@ -83,3 +84,11 @@ The following examples show how to use this InSpec audit resource.
83
84
  it { should be_resolvable }
84
85
  its('ipaddress') { should include '192.168.1.1' }
85
86
  end
87
+
88
+ ### Review the connection setup and socket contents when checking reachability
89
+
90
+ describe host('example.com', port: 12345, protocol: 'tcp') do
91
+ it { should be_reachable }
92
+ its('connection') { should_not match /connection refused/ }
93
+ its('socket') { should match /STATUS_OK/ }
94
+ end
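Review bot: `its('connection') { should_not match /connection refused/ }` and `its('socket') { should match /STATUS_OK/ }` assert on the free-form text of the connectivity command, and this same release makes the Linux provider fall back from `nc` to `ncat` (see `tcp_check_command` in lib/resources/host.rb), whose messages differ from nc's; a profile written against one tool's wording gives a false pass or fail against the other. The regex is also case-sensitive, and the refusal message that comes from the C library is "Connection refused" with a capital C, so `/connection refused/` is unlikely to match either tool's output; at minimum use `/connection refused/i`. Better: keep the example to `be_reachable`, present `connection` and `socket` as debugging output rather than assertion targets, and document what they contain per platform in the properties/matchers part of this page, where they currently do not appear.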
@@ -4,20 +4,33 @@ title: About the kernel_module Resource
4
4
 
5
5
  # kernel_module
6
6
 
7
- Use the `kernel_module` InSpec audit resource to test kernel modules on Linux platforms. These parameters are located under `/lib/modules`. Any submodule may be tested using this resource.
7
+ Use the `kernel_module` InSpec audit resource to test kernel modules on Linux
8
+ platforms. These parameters are located under `/lib/modules`. Any submodule may
9
+ be tested using this resource.
10
+
11
+ The `kernel_module` resource can also verify if a kernel module is `blacklisted`
12
+ or if a module is disabled via a fake install using the `bin_true` or `bin_false`
13
+ method.
8
14
 
9
15
  ## Syntax
10
16
 
11
- A `kernel_module` resource block declares a module name, and then tests if that module is a loadable kernel module:
17
+ A `kernel_module` resource block declares a module name, and then tests if that
18
+ module is a loadable kernel module, if it is enabled, disabled or if it is
19
+ blacklisted:
12
20
 
13
21
  describe kernel_module('module_name') do
14
22
  it { should be_loaded }
23
+ it { should_not be_disabled }
24
+ it { should_not be_blacklisted }
25
+ end
15
26
  end
16
27
 
17
28
  where
18
29
 
19
30
  * `'module_name'` must specify a kernel module, such as `'bridge'`
20
31
  * `{ should be_loaded }` tests if the module is a loadable kernel module
32
+ * `{ should be_blacklisted }` tests if the module is blacklisted or if the module is disabled via a fake install using /bin/false or /bin/true
33
+ * `{ should be_disabled }` tests if the module is disabled via a fake install using /bin/false or /bin/true
21
34
 
22
35
  ## Matchers
23
36
 
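Review bot: the syntax block now closes twice: the added `+ end` after `it { should_not be_blacklisted }` is followed by the existing context `end`, so the example as rendered is not valid Ruby; drop one of them. The description "disabled via a fake install using the `bin_true` or `bin_false` method" is also misleading, since there is no such method: what the resource inspects (per the matching code in lib/resources/kernel_module.rb in this diff) is an `install <module> /bin/true` or `/bin/false` line in `modprobe --showconfig` output. Say that in both the intro paragraph and the two new bullets, and note that because `be_blacklisted` also returns true for a module disabled that way, `should_not be_blacklisted` already implies `should_not be_disabled`.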
@@ -59,9 +72,50 @@ The `version` matcher tests if the named module version is on the system:
59
72
 
60
73
  The following examples show how to use this InSpec audit resource.
61
74
 
62
- ### Test if a module is loaded
75
+ ### Test a modules 'version'
63
76
 
64
77
  describe kernel_module('bridge') do
65
78
  it { should be_loaded }
66
79
  its(:version) { should cmp >= '2.2.2' }
67
80
  end
81
+
82
+ ### Test if a module is loaded, not disabled and not blacklisted
83
+
84
+ describe kernel_module('video') do
85
+ it { should be_loaded }
86
+ it { should_not be_disabled }
87
+ it { should_not be_blacklisted }
88
+ end
89
+
90
+ ### Check if a module is blacklisted
91
+
92
+ describe kernel_module('floppy') do
93
+ it { should be_blacklisted }
94
+ end
95
+
96
+ ### Ensure a module is *not* blacklisted and it is loaded
97
+
98
+ describe kernel_module('video') do
99
+ it { should_not be_blacklisted }
100
+ it { should be_loaded }
101
+ end
102
+
103
+ ### Ensure a module is disabled via 'bin_false'
104
+
105
+ describe kernel_module('sstfb') do
106
+ it { should_not be_loaded }
107
+ it { should be_disabled }
108
+ end
109
+
110
+ ### Ensure a module is 'blacklisted'/'disabled' via 'bin_true'
111
+
112
+ describe kernel_module('nvidiafb') do
113
+ it { should_not be_loaded }
114
+ it { should be_blacklisted }
115
+ end
116
+
117
+ ### Ensure a module is not loaded
118
+
119
+ describe kernel_module('dhcp') do
120
+ it { should_not be_loaded }
121
+ end
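Review bot: the headings "Ensure a module is disabled via 'bin_false'" and "Ensure a module is 'blacklisted'/'disabled' via 'bin_true'" promise a distinction the matchers cannot make: `be_disabled` matches an `install` line pointing at either /bin/true or /bin/false, and `be_blacklisted` matches a `blacklist` line or either install variant, so the `sstfb` and `nvidiafb` examples exercise the same checks under different names. Retitle them ("Ensure a module is disabled via a fake install", "Ensure a module is blacklisted or disabled") or keep one. "Test a modules 'version'" needs an apostrophe (module's), and "Test if a module is loaded, not disabled and not blacklisted" duplicates "Ensure a module is *not* blacklisted and it is loaded" except for one line; one of the two can go.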
@@ -0,0 +1,104 @@
1
+ ---
2
+ title: About the postgres_hba_conf Resource
3
+ ---
4
+
5
+ # postgres_hba_conf
6
+
7
+ Use the `postgres_hba_conf` InSpec audit resource to test the client authentication data defined in the pg_hba.conf file.
8
+ ## Syntax
9
+
10
+ An `postgres_hba_conf` InSpec audit resource block declares client authentication data that should be tested:
11
+
12
+ describe postgres_hba_conf.where { type == 'local' } do
13
+ its('auth_method') { should eq ['peer'] }
14
+ end
15
+
16
+ where
17
+
18
+ * `'attribute'` is a attribute in the pg hba configuration file
19
+ * `'filter_value'` is the value that is to be filtered for
20
+ * `'value'` is the value that is to be matched expected
21
+
22
+ ## Matchers
23
+
24
+ This InSpec audit resource matches any service that is listed in the HBA configuration file:
25
+
26
+ its('auth_method') { should_not cmp 'peer' }
27
+
28
+ or:
29
+
30
+ its('auth_method') { should cmp 'peer' }
31
+
32
+ For example:
33
+
34
+ describe postgres_hba_conf.where { type == 'type' } do
35
+ its('auth_method') { should cmp 'value' }
36
+ its('user') { should cmp 'value' }
37
+ end
38
+
39
+ ### be
40
+
41
+ <%= partial "/shared/matcher_be" %>
42
+
43
+ ### cmp
44
+
45
+ <%= partial "/shared/matcher_cmp" %>
46
+
47
+ ### eq
48
+
49
+ <%= partial "/shared/matcher_eq" %>
50
+
51
+ ### include
52
+
53
+ <%= partial "/shared/matcher_include" %>
54
+
55
+ ### match
56
+
57
+ <%= partial "/shared/matcher_match" %>
58
+
59
+
60
+ ## Supported Properties
61
+
62
+ 'address', 'auth_method', 'auth_params', 'conf_dir' , 'conf_file' , 'database', 'params' ,'type', 'user'
63
+
64
+ ## Property Examples and Return Types
65
+
66
+ ### address([String])
67
+
68
+ `address` returns a an array of strings that matches the where condition of the filter table
69
+
70
+ describe postgres_hba_conf.where { type == 'local' } do
71
+ its('address') { should cmp 'value' }
72
+ end
73
+
74
+ ### auth_method([String])
75
+
76
+ `auth_method` returns a an array of strings that matches the where condition of the filter table
77
+
78
+ describe postgres_hba_conf.where { type == 'local' } do
79
+ its('auth_method') { should cmp 'value' }
80
+ end
81
+
82
+ ### database([String])
83
+
84
+ `database` returns a an array of strings that matches the where condition of the filter table
85
+
86
+ describe postgres_hba_conf.where { type == 'local' } do
87
+ its('database') { should cmp 'value' }
88
+ end
89
+
90
+ ### type([String])
91
+
92
+ `type` returns a an array of strings that matches the where condition of the filter table
93
+
94
+ describe postgres_hba_conf.where { database == 'acme_test_db' } do
95
+ its('type') { should cmp 'value' }
96
+ end
97
+
98
+ ### user([String])
99
+
100
+ `user` returns a an array of strings that matches the where condition of the filter table
101
+
102
+ describe postgres_hba_conf.where { database == 'acme_test_db' } do
103
+ its('user') { should cmp 'value' }
104
+ end
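Review bot: the Supported Properties line lists `conf_dir`, but the resource added in this diff exposes only `conf_file` and `params` as attr_readers plus the six FilterTable fields (`type`, `database`, `user`, `address`, `auth_method`, `auth_params`); drop `conf_dir`. The `address` example filters on `type == 'local'`, yet `read_content` blanks `address` for local rows (it moves the fourth column into `auth_method` and sets `address` to `''`), so that example can only ever see an empty string; filter on a `host` type instead. The "where" bullets (`'attribute'`, `'filter_value'`, `'value'`) describe placeholders the syntax example above does not use; either make the example generic (`where { attribute == 'filter_value' }`, `its('attribute') { should eq ['value'] }`) or write the bullets for `type`, `'local'` and `auth_method`. Wording: "An `postgres_hba_conf`" should be "A", "matches any service that is listed" should be "matches any entry listed" (pg_hba.conf holds authentication rules, not services), "returns a an array" appears five times, and a blank line is missing before "## Syntax". Since the point of this resource is auditing authentication rules, one example showing the typical negative check would help, e.g. `.where { auth_method == '<forbidden method>' }` with `its('entries') { should be_empty }`.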
@@ -0,0 +1,87 @@
1
+ ---
2
+ title: About the postgres_ident_conf Resource
3
+ ---
4
+
5
+ # postgres_ident_conf
6
+
7
+ Use the `postgres_ident_conf` InSpec audit resource to test the client authentication data defined in the pg_hba.conf file.
8
+ ## Syntax
9
+
10
+ An `postgres_ident_conf` InSpec audit resource block declares client authentication data that should be tested:
11
+
12
+ describe postgres_ident_conf.where { pg_username == 'filter_value' } do
13
+ its('attribute') { should eq ['value'] }
14
+ end
15
+
16
+ where
17
+
18
+ * `'attribute'` is a attribute in the pg ident configuration file
19
+ * `'filter_value'` is the value that is to be filtered for
20
+ * `'value'` is the value that is to be matched expected
21
+
22
+ ## Matchers
23
+
24
+ This InSpec audit resource matches any service that is listed in the pg ident configuration file:
25
+
26
+ its('pg_username') { should_not eq ['peer'] }
27
+
28
+ or:
29
+
30
+ its('map_name') { should eq ['value'] }
31
+
32
+ For example:
33
+
34
+ describe postgres_ident_conf.where { pg_username == 'name' } do
35
+ its('system_username') { should eq ['value'] }
36
+ its('map_name') { should eq ['value'] }
37
+ end
38
+
39
+ ### be
40
+
41
+ <%= partial "/shared/matcher_be" %>
42
+
43
+ ### cmp
44
+
45
+ <%= partial "/shared/matcher_cmp" %>
46
+
47
+ ### eq
48
+
49
+ <%= partial "/shared/matcher_eq" %>
50
+
51
+ ### include
52
+
53
+ <%= partial "/shared/matcher_include" %>
54
+
55
+ ### match
56
+
57
+ <%= partial "/shared/matcher_match" %>
58
+
59
+
60
+ ## Supported Properties
61
+
62
+ 'conf_file', 'map_name', 'params', 'pg_username', 'system_username'
63
+
64
+ ## Property Examples and Return Types
65
+
66
+ ### map_name([String])
67
+
68
+ `address` returns a an array of strings that matches the where condition of the filter table
69
+
70
+ describe pg_hba_conf.where { pg_username == 'name' } do
71
+ its('map_name') { should eq ['value'] }
72
+ end
73
+ ### pg_username([String])
74
+
75
+ `pg_username` returns a an array of strings that matches the where condition of the filter table
76
+
77
+ describe pg_hba_conf.where { pg_username == 'name' } do
78
+ its('pg_username') { should eq ['value'] }
79
+ end
80
+
81
+ ### system_username([String])
82
+
83
+ `system_username` returns a an array of strings that matches the where condition of the filter table
84
+
85
+ describe pg_hba_conf.where { pg_username == 'name' } do
86
+ its('system_username') { should eq ['value'] }
87
+ end
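Review bot: the three property examples call `pg_hba_conf.where { ... }`, which is not a resource name anywhere in this diff (the resource registers as `postgres_ident_conf`), so they fail as written. The intro likewise says the resource tests "data defined in the pg_hba.conf file" when it reads pg_ident.conf, and the `map_name` section opens with "`address` returns"; all three are copy-paste leftovers from the postgres_hba_conf page. The Matchers example `its('pg_username') { should_not eq ['peer'] }` compares a username against an authentication method name; use a username. Same wording fixes as on the hba page: "An `postgres_ident_conf`" should be "A", "matches any service" should be "matches any entry", "returns a an array" should be "returns an array", and add the missing blank line between the `map_name` example's `end` and `### pg_username`.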
@@ -122,6 +122,8 @@ require 'resources/package'
122
122
  require 'resources/packages'
123
123
  require 'resources/parse_config'
124
124
  require 'resources/passwd'
125
+ require 'resources/postgres_hba_conf'
126
+ require 'resources/postgres_ident_conf'
125
127
  require 'resources/pip'
126
128
  require 'resources/port'
127
129
  require 'resources/postgres'
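Review bot: the two new `require` lines are inserted between `resources/passwd` and `resources/pip`, breaking the alphabetical order of this list. They belong after `require 'resources/postgres'` (and `postgres_conf`), which is also the file both new resources `require` themselves at the top of lib/resources/postgres_hba_conf.rb and postgres_ident_conf.rb, so moving them keeps load order obvious as well.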
@@ -243,7 +243,16 @@ class InspecRspecJson < InspecRspecMiniJson # rubocop:disable Metrics/ClassLengt
243
243
  # this example, leading to Ruby exceptions.
244
244
  return false if profile_name.nil? || example_profile_id.nil?
245
245
 
246
- profile_name == example_profile_id
246
+ # The correct profile is one where the name of the profile, and the profile
247
+ # name in the example match. Additionally, the list of controls in the
248
+ # profile must contain the example in question (which we match by ID).
249
+ #
250
+ # While the profile name match is usually good enough, we must also match by
251
+ # the control ID in the case where an InSpec runner has multiple profiles of
252
+ # the same name (i.e. when Test Kitchen is running concurrently using a
253
+ # single test suite that uses the Flat source reader, in which case InSpec
254
+ # creates a fake profile with a name like "tests from /path/to/tests")
255
+ profile_name == example_profile_id && profile[:controls].any? { |control| control[:id] == example[:id] }
247
256
  end
248
257
 
249
258
  def move_example_into_control(example, control)
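Review bot: `profile[:controls].any? { ... }` raises NoMethodError when `profile[:controls]` is nil, and the guard two lines up checks only `profile_name` and `example_profile_id`; use `Array(profile[:controls]).any? { |control| control[:id] == example[:id] }` or extend the guard. The fix also still cannot tell apart two same-named profiles that contain the same control ID, which is exactly what the Test Kitchen case in the comment produces whenever one test suite runs twice, so the example can still be attached to the wrong "tests from /path/to/tests" profile; either say so in the comment or key additionally on something unique to the profile, such as its path.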
@@ -4,5 +4,5 @@
4
4
  # author: Christoph Hartmann
5
5
 
6
6
  module Inspec
7
- VERSION = '1.30.0'.freeze
7
+ VERSION = '1.31.0'.freeze
8
8
  end
@@ -24,6 +24,8 @@
24
24
  # it { should be_resolvable.by('dns') }
25
25
  # end
26
26
 
27
+ require 'resolv'
28
+
27
29
  module Inspec::Resources
28
30
  class Host < Inspec.resource(1)
29
31
  name 'host'
@@ -31,6 +33,8 @@ module Inspec::Resources
31
33
  example "
32
34
  describe host('example.com') do
33
35
  it { should be_reachable }
36
+ it { should be_resolvable }
37
+ its('ipaddress') { should include '12.34.56.78' }
34
38
  end
35
39
 
36
40
  describe host('example.com', port: '80', protocol: 'tcp') do
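Review bot: the added `its('ipaddress') { should include '12.34.56.78' }` uses a live public address in the example string that `inspec shell` shows to users; pick a documentation address. The `port:` argument is also given as the string `'80'` here and as the integer `80` in docs/resources/host.md.erb; make the two examples agree.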
@@ -140,7 +144,39 @@ module Inspec::Resources
140
144
  end
141
145
  end
142
146
 
143
- class DarwinHostProvider < HostProvider
147
+ class UnixHostProvider < HostProvider
148
+ def resolve_with_dig(hostname)
149
+ addresses = []
150
+
151
+ # look for IPv6 addresses
152
+ cmd = inspec.command("dig +short AAAA #{hostname}")
153
+ cmd.stdout.lines.each do |line|
154
+ matched = line.chomp.match(Resolv::IPv6::Regex)
155
+ addresses << matched.to_s unless matched.nil?
156
+ end
157
+
158
+ # look for IPv4 addresses
159
+ cmd = inspec.command("dig +short A #{hostname}")
160
+ cmd.stdout.lines.each do |line|
161
+ matched = line.chomp.match(Resolv::IPv4::Regex)
162
+ addresses << matched.to_s unless matched.nil?
163
+ end
164
+
165
+ addresses.empty? ? nil : addresses
166
+ end
167
+
168
+ def resolve_with_getent(hostname)
169
+ # TODO: we rely on getent hosts for now, but it prefers to return IPv6, only then IPv4
170
+ cmd = inspec.command("getent hosts #{hostname}")
171
+ return nil if cmd.exit_status.to_i != 0
172
+
173
+ # extract ip adress
174
+ resolve = /^\s*(?<ip>\S+)\s+(.*)\s*$/.match(cmd.stdout.chomp)
175
+ [resolve[1]] if resolve
176
+ end
177
+ end
178
+
179
+ class DarwinHostProvider < UnixHostProvider
144
180
  def missing_requirements(protocol)
145
181
  missing = []
146
182
 
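Review bot: `hostname` is interpolated unquoted into three shell commands (`dig +short AAAA #{hostname}`, `dig +short A #{hostname}`, `getent hosts #{hostname}`), so a hostname taken from a profile attribute or other untrusted input can inject shell commands on the target. This same release adds `require 'shellwords'` and `Shellwords.escape` to postgres_session for exactly this reason; apply it here too (`Shellwords.escape(hostname)`). Two smaller points: `resolve_with_dig` never checks `cmd.exit_status`, so a DNS timeout or missing nameserver is reported as "not resolvable" rather than as a tooling failure, and `resolve_with_getent` still returns only the first matched line (the TODO about IPv6 preference is carried over), so a host with both AAAA and A records resolves to one address under getent but to all of them under dig; the two paths should return the same shape. Typo in the comment: "ip adress".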
@@ -166,24 +202,16 @@ module Inspec::Resources
166
202
  end
167
203
 
168
204
  def resolve(hostname)
169
- # Resolve IPv6 address first, if that fails try IPv4 to match Linux behaivor
170
- cmd = inspec.command("host -t AAAA #{hostname}")
171
- if cmd.exit_status.to_i != 0
172
- cmd = inspec.command("host -t A #{hostname}")
173
- end
174
- return nil if cmd.exit_status.to_i != 0
175
-
176
- resolve = /^.* has IPv\d address\s+(?<ip>\S+)\s*$/.match(cmd.stdout.chomp)
177
- [resolve[1]] if resolve
205
+ resolve_with_dig(hostname)
178
206
  end
179
207
  end
180
208
 
181
- class LinuxHostProvider < HostProvider
209
+ class LinuxHostProvider < UnixHostProvider
182
210
  def missing_requirements(protocol)
183
211
  missing = []
184
212
 
185
- if protocol == 'tcp'
186
- missing << 'netcat must be installed' unless inspec.command('nc').exist?
213
+ if protocol == 'tcp' && (!inspec.command('nc').exist? || !inspec.command('ncat').exist?)
214
+ missing << 'netcat must be installed'
187
215
  end
188
216
 
189
217
  missing
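Review bot: the new condition `protocol == 'tcp' && (!inspec.command('nc').exist? || !inspec.command('ncat').exist?)` reports "netcat must be installed" whenever either tool is absent, i.e. it now requires both `nc` and `ncat`, which defeats the ncat fallback this release is adding (a host with only ncat, the CoreOS case named in the changelog, still gets flagged). The intended test is that neither exists: `!inspec.command('nc').exist? && !inspec.command('ncat').exist?`. The message could also read "nc or ncat must be installed".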
@@ -191,7 +219,7 @@ module Inspec::Resources
191
219
 
192
220
  def ping(hostname, port, protocol)
193
221
  if protocol == 'tcp'
194
- resp = inspec.command("echo | nc -v -w 1 #{hostname} #{port}")
222
+ resp = inspec.command(tcp_check_command(hostname, port))
195
223
  else
196
224
  # fall back to ping, but we can only test ICMP packages with ping
197
225
  resp = inspec.command("ping -w 1 -c 1 #{hostname}")
@@ -204,14 +232,20 @@ module Inspec::Resources
204
232
  }
205
233
  end
206
234
 
207
- def resolve(hostname)
208
- # TODO: we rely on getent hosts for now, but it prefers to return IPv6, only then IPv4
209
- cmd = inspec.command("getent hosts #{hostname}")
210
- return nil if cmd.exit_status.to_i != 0
235
+ def tcp_check_command(hostname, port)
236
+ if inspec.command('nc').exist?
237
+ base_cmd = 'nc'
238
+ elsif inspec.command('ncat').exist?
239
+ base_cmd = 'ncat'
240
+ else
241
+ return
242
+ end
211
243
 
212
- # extract ip adress
213
- resolve = /^\s*(?<ip>\S+)\s+(.*)\s*$/.match(cmd.stdout.chomp)
214
- [resolve[1]] if resolve
244
+ "echo | #{base_cmd} -v -w 1 #{hostname} #{port}"
245
+ end
246
+
247
+ def resolve(hostname)
248
+ inspec.command('dig').exist? ? resolve_with_dig(hostname) : resolve_with_getent(hostname)
215
249
  end
216
250
  end
217
251
 
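Review bot: the Linux `resolve` now prefers `dig` whenever it is installed, and `dig` queries DNS directly without consulting /etc/hosts or nsswitch, whereas the previous `getent hosts` path did; a name that resolves only through /etc/hosts will therefore pass `be_resolvable` on a host without dig and fail on one with it. Either keep `getent` as the primary resolver and use `dig` only as the fallback, or document that resolution is DNS-only when dig is present. `tcp_check_command` also falls through with a bare `return` (nil) when neither nc nor ncat is present, and `ping` passes that straight to `inspec.command`; guard against nil there rather than relying on `missing_requirements` having run first. `hostname` and `port` are interpolated unescaped into the command string here as well.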
@@ -1,20 +1,44 @@
1
1
  # encoding: utf-8
2
2
  # author: Christoph Hartmann
3
3
  # author: Dominik Richter
4
+ # author: Aaron Lippold
5
+ # author: Adam Leff
4
6
 
5
7
  module Inspec::Resources
6
8
  class KernelModule < Inspec.resource(1)
7
9
  name 'kernel_module'
8
- desc 'Use the kernel_module InSpec audit resource to test kernel modules on Linux platforms. These parameters are located under /lib/modules. Any submodule may be tested using this resource.'
10
+ desc 'Use the kernel_module InSpec audit resource to test kernel modules on
11
+ Linux platforms. These parameters are located under /lib/modules. Any submodule
12
+ may be tested using this resource.
13
+
14
+ The `kernel_module` resource can also verify if a kernel module is `blacklisted`
15
+ or if a module is disabled via a fake install using the `bin_true` or `bin_false`
16
+ method.'
17
+
9
18
  example "
10
- describe kernel_module('bridge') do
11
- it { should be_loaded }
12
- end
19
+
20
+ describe kernel_module('video') do
21
+ it { should be_loaded }
22
+ it { should_not be_disabled }
23
+ it { should_not be_blacklisted }
24
+ end
25
+
26
+ describe kernel_module('sstfb') do
27
+ it { should_not be_loaded }
28
+ it { should be_disabled }
29
+ end
30
+
31
+ describe kernel_module('floppy') do
32
+ it { should be_blacklisted }
33
+ end
34
+
35
+ describe kernel_module('dhcp') do
36
+ it { should_not be_loaded }
37
+ end
13
38
  "
14
39
 
15
40
  def initialize(modulename = nil)
16
41
  @module = modulename
17
-
18
42
  # this resource is only supported on Linux
19
43
  return skip_resource 'The `kernel_parameter` resource is not supported on your OS.' if !inspec.os.linux?
20
44
  end
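Review bot: the skip message in the initializer still names the wrong resource: `skip_resource 'The `kernel_parameter` resource is not supported on your OS.'` sits in `KernelModule#initialize`, and since this hunk already edits the method (it removes the blank line above the comment), change it to `kernel_module`. In the `desc` string, "disabled via a fake install using the `bin_true` or `bin_false` method" should describe what is actually inspected: an `install <module> /bin/true` (or `/bin/false`) line in `modprobe --showconfig` output.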
@@ -36,19 +60,51 @@ module Inspec::Resources
36
60
  !found.nil?
37
61
  end
38
62
 
63
+ def disabled?
64
+ !modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/(true|false)}).nil?
65
+ end
66
+
67
+ def blacklisted?
68
+ !modprobe_output.match(/^blacklist\s+#{@module}/).nil? || disabled_via_bin_true? || disabled_via_bin_false?
69
+ end
70
+
39
71
  def version
72
+ cmd = inspec.command("#{modinfo_cmd_for_os} -F version #{@module}")
73
+ cmd.exit_status.zero? ? cmd.stdout.delete("\n") : nil
74
+ end
75
+
76
+ def to_s
77
+ "Kernel Module #{@module}"
78
+ end
79
+
80
+ private
81
+
82
+ def modprobe_output
83
+ @modprobe_output ||= inspec.command("#{modprobe_cmd_for_os} --showconfig").stdout
84
+ end
85
+
86
+ def modinfo_cmd_for_os
40
87
  if inspec.os.redhat? || inspec.os.name == 'fedora'
41
- modinfo_cmd = "/sbin/modinfo -F version #{@module}"
88
+ '/sbin/modinfo'
42
89
  else
43
- modinfo_cmd = "modinfo -F version #{@module}"
90
+ 'modinfo'
44
91
  end
92
+ end
45
93
 
46
- cmd = inspec.command(modinfo_cmd)
47
- cmd.exit_status.zero? ? cmd.stdout.delete("\n") : nil
94
+ def modprobe_cmd_for_os
95
+ if inspec.os.redhat? || inspec.os.name == 'fedora'
96
+ '/sbin/modprobe'
97
+ else
98
+ 'modprobe'
99
+ end
48
100
  end
49
101
 
50
- def to_s
51
- "Kernel Module #{@module}"
102
+ def disabled_via_bin_true?
103
+ !modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/true}).nil?
104
+ end
105
+
106
+ def disabled_via_bin_false?
107
+ !modprobe_output.match(%r{^install\s+#{@module}\s+/(s?)bin/false}).nil?
52
108
  end
53
109
  end
54
110
  end
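Review bot: `blacklisted?` uses `/^blacklist\s+#{@module}/` with nothing after the module name, so it matches any line whose module name merely starts with `@module` (`blacklist usb_storage` makes `kernel_module('usb')` report blacklisted); anchor it with `(\s|$)`, which the `install` regexes get for free from their trailing `\s+`. `@module` is also interpolated into all four regexes without `Regexp.escape`, so a name containing `.` or `+` widens the match. `blacklisted?` re-implements `disabled?` by OR-ing `disabled_via_bin_true?` and `disabled_via_bin_false?`, which are that method's single regex split in two; `!modprobe_output.match(/^blacklist\s+#{Regexp.escape(@module)}(\s|$)/).nil? || disabled?` keeps one source of truth and lets the two private helpers go. Finally, `modprobe_output` memoises `stdout` without looking at `exit_status`, so a failing modprobe is cached as an empty string and every matcher then quietly answers false; check the status before caching.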
@@ -0,0 +1,101 @@
1
+ # encoding: utf-8
2
+ # author: Rony Xavier,rx294@nyu.edu
3
+ # author: Aaron Lippold, lippold@gmail.com
4
+
5
+ require 'resources/postgres'
6
+
7
+ module Inspec::Resources
8
+ class PostgresHbaConf < Inspec.resource(1)
9
+ name 'postgres_hba_conf'
10
+ desc 'Use the `postgres_hba_conf` InSpec audit resource to test the client
11
+ authentication data defined in the pg_hba.conf file.'
12
+ example "
13
+ describe postgres_hba_conf.where { type == 'local' } do
14
+ its('auth_method') { should eq ['peer'] }
15
+ end
16
+ "
17
+
18
+ attr_reader :conf_file, :params
19
+
20
+ # @todo add checks to ensure that we have data in our file
21
+ def initialize(hba_conf_path = nil)
22
+ return skip_resource 'The `postgres_hba_conf` resource is not supported on your OS.' unless inspec.os.linux?
23
+ @conf_file = hba_conf_path || File.expand_path('pg_hba.conf', inspec.postgres.conf_dir)
24
+ @content = ''
25
+ @params = {}
26
+ read_content
27
+ end
28
+
29
+ filter = FilterTable.create
30
+ filter.add_accessor(:where)
31
+ .add_accessor(:entries)
32
+ .add(:type, field: 'type')
33
+ .add(:database, field: 'database')
34
+ .add(:user, field: 'user')
35
+ .add(:address, field: 'address')
36
+ .add(:auth_method, field: 'auth_method')
37
+ .add(:auth_params, field: 'auth_params')
38
+
39
+ filter.connect(self, :params)
40
+
41
+ def to_s
42
+ "Postgres Hba Config #{@conf_file}"
43
+ end
44
+
45
+ private
46
+
47
+ def clean_conf_file(conf_file = @conf_file)
48
+ data = inspec.file(conf_file).content.to_s.lines
49
+ content = []
50
+ data.each do |line|
51
+ line.chomp!
52
+ content << line unless line.match(/^\s*#/) || line.empty?
53
+ end
54
+ content
55
+ end
56
+
57
+ def read_content(config_file = @conf_file)
58
+ file = inspec.file(config_file)
59
+
60
+ if !file.file?
61
+ return skip_resource "Can't find file \"#{@conf_file}\""
62
+ end
63
+
64
+ raw_conf = file.content
65
+
66
+ if raw_conf.empty? && !file.empty?
67
+ return skip_resource("Can't read the contents of \"#{@conf_file}\"")
68
+ end
69
+
70
+ # @todo use SimpleConfig here if we can
71
+ # ^\s*(\S+)\s+(\S+)\s+(\S+)\s(?:(\d*.\d*.\d*.\d*\/\d*)|(::\/\d+))\s+(\S+)\s*(.*)?\s*$
72
+
73
+ @content = clean_conf_file(@conf_file)
74
+ @params = parse_conf(@content)
75
+ @params.each do |line|
76
+ if line['type'] == 'local'
77
+ line['auth_method'] = line['address']
78
+ line['address'] = ''
79
+ end
80
+ end
81
+ end
82
+
83
+ def parse_conf(content)
84
+ content.map do |line|
85
+ parse_line(line)
86
+ end.compact
87
+ end
88
+
89
+ def parse_line(line)
90
+ x = line.split(/\s+/)
91
+ {
92
+ 'type' => x[0],
93
+ 'database' => x[1],
94
+ 'user' => x[2],
95
+ 'address' => x[3],
96
+ 'auth_method' => x[4],
97
+ 'auth_params' => ('' if x.length == 4) || x[5..-1].join(' '),
98
+ }
99
+ end
100
+ end
101
+ end
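Review bot: `local` rows lose their authentication options. `parse_line` always treats the fourth column as `address`, so `local all all peer map=foo` parses as `auth_method => 'map=foo'`, `auth_params => ''`; `read_content` then copies `address` into `auth_method` and blanks `address`, and `map=foo` is gone. Parse by type inside `parse_line` instead: for `local`, `auth_method = x[3]` and `auth_params = x[4..-1].join(' ')`; for the `host*` types keep the current columns. Related: `x[5..-1]` is nil for a line with fewer than four fields, so a malformed line raises NoMethodError on `join`; `parse_conf`'s `.compact` is a no-op because `parse_line` never returns nil, and could instead be made useful by returning nil for such rows. Minor: the commented-out regex above `@content = clean_conf_file(@conf_file)` documents nothing and should go, `@params = {}` should be `[]` since `parse_conf` returns an array and FilterTable iterates it, and the two `skip_resource` returns in `read_content` are ignored by `initialize`.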
@@ -0,0 +1,79 @@
1
+ # encoding: utf-8
2
+ # author: Rony Xavier, rx294@nyu.edu
3
+ # author: Aaron Lippold, lippold@gmail.com
4
+
5
+ require 'resources/postgres'
6
+
7
+ module Inspec::Resources
8
+ class PostgresIdentConf < Inspec.resource(1)
9
+ name 'postgres_ident_conf'
10
+ desc 'Use the postgres_ident_conf InSpec audit resource to test the client
11
+ authentication data is controlled by a pg_ident.conf file.'
12
+ example "
13
+ describe postgres_ident_conf.where { pg_username == 'acme_user' } do
14
+ its('map_name') { should eq ['ssl-test'] }
15
+ end
16
+ "
17
+
18
+ attr_reader :params, :conf_file
19
+
20
+ def initialize(ident_conf_path = nil)
21
+ return skip_resource 'The `postgres_ident_conf` resource is not supported on your OS.' unless inspec.os.linux?
22
+ @conf_file = ident_conf_path || File.expand_path('pg_ident.conf', inspec.postgres.conf_dir)
23
+ @content = nil
24
+ @params = nil
25
+ read_content
26
+ return skip_resource '`pg_ident_conf` is not yet supported on your OS' if inspec.os.windows?
27
+ end
28
+
29
+ filter = FilterTable.create
30
+ filter.add_accessor(:where)
31
+ .add_accessor(:entries)
32
+ .add(:map_name, field: 'map_name')
33
+ .add(:system_username, field: 'system_username')
34
+ .add(:pg_username, field: 'pg_username')
35
+
36
+ filter.connect(self, :params)
37
+
38
+ def to_s
39
+ "PostgreSQL Ident Config #{@conf_file}"
40
+ end
41
+
42
+ private
43
+
44
+ def filter_comments(data)
45
+ content = []
46
+ data.each do |line|
47
+ line.chomp!
48
+ content << line unless line.match(/^\s*#/) || line.empty?
49
+ end
50
+ content
51
+ end
52
+
53
+ def read_content
54
+ @content = ''
55
+ @params = {}
56
+ @content = filter_comments(read_file(@conf_file))
57
+ @params = parse_conf(@content)
58
+ end
59
+
60
+ def parse_conf(content)
61
+ content.map do |line|
62
+ parse_line(line)
63
+ end.compact
64
+ end
65
+
66
+ def parse_line(line)
67
+ x = line.split(/\s+/)
68
+ {
69
+ 'map_name' => x[0],
70
+ 'system_username' => x[1],
71
+ 'pg_username' => x[2],
72
+ }
73
+ end
74
+
75
+ def read_file(conf_file = @conf_file)
76
+ inspec.file(conf_file).content.lines
77
+ end
78
+ end
79
+ end
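Review bot: `read_file` calls `inspec.file(conf_file).content.lines`, and `content` is nil when the file is missing or unreadable, so a host without pg_ident.conf raises NoMethodError from `initialize` instead of skipping; mirror the `file.file?` and empty-content checks that postgres_hba_conf.rb in this same diff performs before parsing. The line `return skip_resource '`pg_ident_conf` is not yet supported on your OS' if inspec.os.windows?` after `read_content` is unreachable (the method has already returned unless `inspec.os.linux?`) and names the resource wrongly; delete it. `@content = nil` and `@params = nil` in `initialize` are immediately overwritten by `read_content`, and `.compact` in `parse_conf` is a no-op as `parse_line` never returns nil. The `desc` reads "to test the client authentication data is controlled by a pg_ident.conf file"; "to test the user name maps defined in the pg_ident.conf file" says what the file actually holds.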
@@ -4,6 +4,8 @@
4
4
  # author: Christoph Hartmann
5
5
  # author: Aaron Lippold
6
6
 
7
+ require 'shellwords'
8
+
7
9
  module Inspec::Resources
8
10
  class Lines
9
11
  attr_reader :output
@@ -35,7 +37,7 @@ module Inspec::Resources
35
37
  # db: databse == db_user running the sql query
36
38
 
37
39
  describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
38
- its('output') { should eq('') }
40
+ its('output') { should eq '' }
39
41
  end
40
42
  "
41
43
 
@@ -46,21 +48,25 @@ module Inspec::Resources
46
48
  end
47
49
 
48
50
  def query(query, db = [])
49
- dbs = db.map { |x| "-d #{x}" }.join(' ')
50
- # TODO: simple escape, must be handled by a library
51
- # that does this securely
52
- escaped_query = query.gsub(/\\/, '\\\\').gsub(/"/, '\\"').gsub(/\$/, '\\$')
53
- # run the query
54
- cmd = inspec.command("PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -A -t -c \"#{escaped_query}\"")
51
+ psql_cmd = create_psql_cmd(query, db)
52
+ cmd = inspec.command(psql_cmd)
55
53
  out = cmd.stdout + "\n" + cmd.stderr
56
- if cmd.exit_status != 0 or
57
- out =~ /could not connect to .*/ or
58
- out.downcase =~ /^error/
59
- # skip this test if the server can't run the query
54
+ if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/
60
55
  skip_resource "Can't read run query #{query.inspect} on postgres_session: #{out}"
61
56
  else
62
57
  Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")
63
58
  end
64
59
  end
60
+
61
+ private
62
+
63
+ def escaped_query(query)
64
+ Shellwords.escape(query)
65
+ end
66
+
67
+ def create_psql_cmd(query, db = [])
68
+ dbs = db.map { |x| "-d #{x}" }.join(' ')
69
+ "PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -A -t -c #{escaped_query(query)}"
70
+ end
65
71
  end
66
72
  end
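Review bot: escaping the query with `Shellwords.escape` fixes the query string but leaves `@pass`, `@user`, `@host` and each `db` entry interpolated raw in `create_psql_cmd`: `PGPASSWORD='#{@pass}'` breaks out of its single quotes on a password containing `'`, and the other three are not quoted at all, so shell metacharacters in any of them still reach the shell. Escape all of them the same way, e.g. `PGPASSWORD=#{Shellwords.escape(@pass)} psql -U #{Shellwords.escape(@user)} -h #{Shellwords.escape(@host)}` and `db.map { |x| "-d #{Shellwords.escape(x)}" }`. Separately, passing the password as a command-line environment assignment exposes it in the process list of every local user for the duration of the query; a `.pgpass` file, or passing the environment through the command API if the transport supports it, would avoid that. The tightened check `/^error:.*/` is fine, though the `.*` adds nothing. Typo in the context line: "Can't read run query".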
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: inspec
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.30.0
4
+ version: 1.31.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dominik Richter
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-06-29 00:00:00.000000000 Z
11
+ date: 2017-07-06 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: train
@@ -319,7 +319,6 @@ files:
319
319
  - docs/migration.md
320
320
  - docs/plugin_kitchen_inspec.md
321
321
  - docs/profiles.md
322
- - docs/resources.md
323
322
  - docs/resources/apache_conf.md.erb
324
323
  - docs/resources/apt.md.erb
325
324
  - docs/resources/audit_policy.md.erb
@@ -375,6 +374,8 @@ files:
375
374
  - docs/resources/pip.md.erb
376
375
  - docs/resources/port.md.erb
377
376
  - docs/resources/postgres_conf.md.erb
377
+ - docs/resources/postgres_hba_conf.md.erb
378
+ - docs/resources/postgres_ident_conf.md.erb
378
379
  - docs/resources/postgres_session.md.erb
379
380
  - docs/resources/powershell.md.erb
380
381
  - docs/resources/processes.md.erb
@@ -413,7 +414,6 @@ files:
413
414
  - examples/README.md
414
415
  - examples/inheritance/README.md
415
416
  - examples/inheritance/controls/example.rb
416
- - examples/inheritance/inspec.lock
417
417
  - examples/inheritance/inspec.yml
418
418
  - examples/kitchen-ansible/.kitchen.yml
419
419
  - examples/kitchen-ansible/Gemfile
@@ -439,11 +439,7 @@ files:
439
439
  - examples/kitchen-puppet/test/integration/default/web_spec.rb
440
440
  - examples/meta-profile/README.md
441
441
  - examples/meta-profile/controls/example.rb
442
- - examples/meta-profile/inspec.lock
443
442
  - examples/meta-profile/inspec.yml
444
- - examples/meta-profile/vendor/0e6d170415e120af5f1dda113f96f7e0d156e49f82706ac41d13da00599f9b25.tar.gz
445
- - examples/meta-profile/vendor/403580959915ea24bc176b9ebdc555aeda5e2c957604b48d5f32b43554423582.tar.gz
446
- - examples/meta-profile/vendor/d08d3cc35debff04e708147cdd07739876c5d1c8357afb5e58adfaad92dd650f.tar.gz
447
443
  - examples/profile-attribute.yml
448
444
  - examples/profile-attribute/README.md
449
445
  - examples/profile-attribute/controls/example.rb
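Review bot: dropping the two `inspec.lock` files and the three content-addressed tarballs under `examples/meta-profile/vendor/` from the gem is the right call (vendored archives do not belong in a published gem), but it also un-pins the meta-profile example's dependencies, which the lock file fixed to the hashes in those file names; the example will now fetch whatever the upstream profiles currently are. Note that in the CHANGELOG, which currently does not mention these removals at all.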
@@ -612,6 +608,8 @@ files:
612
608
  - lib/resources/port.rb
613
609
  - lib/resources/postgres.rb
614
610
  - lib/resources/postgres_conf.rb
611
+ - lib/resources/postgres_hba_conf.rb
612
+ - lib/resources/postgres_ident_conf.rb
615
613
  - lib/resources/postgres_session.rb
616
614
  - lib/resources/powershell.rb
617
615
  - lib/resources/processes.rb
data/docs/resources.md DELETED
@@ -1,91 +0,0 @@
1
- ---
2
- title: InSpec Resources Reference
3
- ---
4
-
5
- # InSpec Resources Reference
6
-
7
- The following InSpec audit resources are available:
8
-
9
- * [apache\_conf](resources/apache_conf.html)
10
- * [apt](resources/apt.html)
11
- * [audit\_policy](resources/audit_policy.html)
12
- * [auditd\_conf](resources/auditd_conf.html)
13
- * [auditd\_rules](resources/auditd_rules.html)
14
- * [bash](resources/bash.html)
15
- * [bond](resources/bond.html)
16
- * [bridge](resources/bridge.html)
17
- * [bsd\_service](resources/bsd_service.html)
18
- * [command](resources/command.html)
19
- * [crontab](resources/crontab.html)
20
- * [csv](resources/csv.html)
21
- * [directory](resources/directory.html)
22
- * [docker](resources/docker.html)
23
- * [docker\_container](resources/docker_container.html)
24
- * [docker\_image](resources/docker_image.html)
25
- * [etc\_group](resources/etc_group.html)
26
- * [etc\_passwd](resources/etc_passwd.html)
27
- * [etc\_shadow](resources/etc_shadow.html)
28
- * [file](resources/file.html)
29
- * [gem](resources/gem.html)
30
- * [group](resources/group.html)
31
- * [grub\_conf](resources/grub_conf.html)
32
- * [host](resources/host.html)
33
- * [http](resources/http.html)
34
- * [iis\_app](resources/iis_app.html)
35
- * [iis\_site](resources/iis_site.html)
36
- * [inetd\_conf](resources/inetd_conf.html)
37
- * [ini](resources/ini.html)
38
- * [interface](resources/interface.html)
39
- * [iptables](resources/iptables.html)
40
- * [json](resources/json.html)
41
- * [kernel\_module](resources/kernel_module.html)
42
- * [kernel\_parameter](resources/kernel_parameter.html)
43
- * [key\_rsa](resources/key_rsa.html)
44
- * [launchd\_service](resources/launchd_service.html)
45
- * [limits\_conf](resources/limits_conf.html)
46
- * [login\_def](resources/login_def.html)
47
- * [mount](resources/mount.html)
48
- * [mssql\_session](resources/mssql_session.html)
49
- * [mysql\_conf](resources/mysql_conf.html)
50
- * [mysql\_session](resources/mysql_session.html)
51
- * [npm](resources/npm.html)
52
- * [ntp\_conf](resources/ntp_conf.html)
53
- * [oneget](resources/oneget.html)
54
- * [oracledb\_session](resources/oracledb_session.html)
55
- * [os](resources/os.html)
56
- * [os\_env](resources/os_env.html)
57
- * [package](resources/package.html)
58
- * [parse\_config](resources/parse_config.html)
59
- * [parse\_config_file](resources/parse_config_file.html)
60
- * [pip](resources/pip.html)
61
- * [port](resources/port.html)
62
- * [postgres\_conf](resources/postgres_conf.html)
63
- * [postgres\_session](resources/postgres_session.html)
64
- * [powershell](resources/powershell.html)
65
- * [processes](resources/processes.html)
66
- * [rabbitmq\_config](resources/rabbitmq_config.html)
67
- * [registry\_key](resources/registry_key.html)
68
- * [runit\_service](resources/runit_service.html)
69
- * [security\_policy](resources/security_policy.html)
70
- * [service](resources/service.html)
71
- * [ssh\_config](resources/ssh_config.html)
72
- * [sshd\_config](resources/sshd_config.html)
73
- * [ssl](resources/ssl.html)
74
- * [sys\_info](resources/sys_info.html)
75
- * [systemd\_service](resources/systemd_service.html)
76
- * [sysv\_service](resources/sysv_service.html)
77
- * [upstart\_service](resources/upstart_service.html)
78
- * [user](resources/user.html)
79
- * [users](resources/users.html)
80
- * [vbscript](resources/vbscript.html)
81
- * [virtualization](resources/virtualization.html)
82
- * [windows\_feature](resources/windows_feature.html)
83
- * [windows\_task](resources/windows_task.html)
84
- * [wmi](resources/wmi.html)
85
- * [x509\_certificate](resources/x509_certificate.html)
86
- * [xinetd\_conf](resources/xinetd_conf.html)
87
- * [yaml](resources/yaml.html)
88
- * [yum](resources/yum.html)
89
- * [zfs\_dataset](resources/zfs_dataset.html)
90
- * [zfs\_pool](resources/zfs_pool.html)
91
-
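Review bot: This deletes the whole data/docs/resources.md index without a replacement appearing in the diff, and the deleted list also never gained entries for the postgres_hba_conf and postgres_ident_conf resources added in the files hunk above; if the index is now generated from the per-resource pages, confirm the generator picks up both new postgres resources, and note the removal of the packaged reference in the changelog so users relying on `data/docs` in the installed gem are not surprised. Minor: the deleted list had one inconsistent entry, `parse\_config_file` with an unescaped second underscore, so if the list is regenerated anywhere it should escape both underscores or neither.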
@@ -1,11 +0,0 @@
1
- ---
2
- lockfile_version: 1
3
- depends:
4
- - name: profile
5
- resolved_source:
6
- path: "/Users/aleff/projects/inspec/examples/profile"
7
- version_constraints: ">= 0"
8
- - name: profile-attribute
9
- resolved_source:
10
- path: "/Users/aleff/projects/inspec/examples/profile-attribute"
11
- version_constraints: ">= 0"
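Review bot: The deleted lockfile resolves `profile` and `profile-attribute` to absolute paths under /Users/aleff/projects/inspec/examples/, which only resolve on one developer's workstation, so any consumer of the example would have failed dependency resolution; deleting it is correct, but the same thing will happen again the first time someone runs the example locally unless `inspec.lock` under examples/ is listed in .gitignore and excluded from the gem's file list.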
@@ -1,18 +0,0 @@
1
- ---
2
- lockfile_version: 1
3
- depends:
4
- - name: dev-sec/ssh-baseline
5
- resolved_source:
6
- url: https://github.com/dev-sec/ssh-baseline/archive/master.tar.gz
7
- sha256: 403580959915ea24bc176b9ebdc555aeda5e2c957604b48d5f32b43554423582
8
- version_constraints: ">= 0"
9
- - name: ssl-baseline
10
- resolved_source:
11
- url: https://github.com/dev-sec/ssl-baseline/archive/master.tar.gz
12
- sha256: 0e6d170415e120af5f1dda113f96f7e0d156e49f82706ac41d13da00599f9b25
13
- version_constraints: ">= 0"
14
- - name: windows-patch-benchmark
15
- resolved_source:
16
- url: https://github.com/chris-rock/windows-patch-benchmark/archive/master.tar.gz
17
- sha256: d08d3cc35debff04e708147cdd07739876c5d1c8357afb5e58adfaad92dd650f
18
- version_constraints: ">= 0"
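Review bot: These pins combine a moving `archive/master.tar.gz` URL with a fixed sha256, so the hash goes stale as soon as upstream master changes and dependency fetching fails integrity verification, which is why removing the lock fixes the example; the trade-off is that examples/meta-profile now resolves dev-sec/ssh-baseline, ssl-baseline and windows-patch-benchmark to whatever master is at run time with no integrity pin at all. If reproducibility of the example matters, point the `depends` sources in examples/meta-profile/inspec.yml at a tagged release or a specific commit archive instead of master, so a regenerated lock's sha256 stays valid.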