inspec_tools 2.0.7

data/lib/inspec_tools/pdf.rb

@@ -0,0 +1,125 @@
+require 'digest'
+
+require_relative '../utilities/inspec_util'
+require_relative '../utilities/extract_pdf_text'
+require_relative '../utilities/parser'
+require_relative '../utilities/text_cleaner'
+require_relative '../utilities/cis_to_nist'
+
+# rubocop:disable Metrics/AbcSize
+# rubocop:disable Metrics/PerceivedComplexity
+# rubocop:disable Metrics/CyclomaticComplexity
+
+module InspecTools
+  class PDF
+    def initialize(pdf, profile_name, debug = false)
+      raise ArgumentError if pdf.nil?
+
+      @pdf = pdf
+      @name = profile_name
+      @debug = debug
+    end
+
+    def to_inspec
+      @controls = []
+      @csv_handle = nil
+      @cci_xml = nil
+      @nist_mapping = Utils::CisToNist.get_mapping('cis_to_nist_critical_controls')
+      @pdf_text = ''
+      @clean_text = ''
+      @transformed_data = ''
+      @profile = {}
+      read_pdf
+      @title ||= extract_title
+      clean_pdf_text
+      transform_data
+      insert_json_metadata
+      @profile['controls'] = parse_controls
+      @profile['sha256'] = Digest::SHA256.hexdigest @profile.to_s
+      @profile
+    end
+
+    def to_csv
+      # TODO: to_csv
+    end
+
+    def to_xccdf
+      # TODO: to_xccdf
+    end
+
+    def to_ckl
+      # TODO: to_ckl
+    end
+
+    private
+
+    # converts passed in data into InSpec format
+    def parse_controls
+      controls = []
+      @transformed_data.each do |contr|
+        nist = find_nist(contr[:cis]) unless contr[:cis] == 'No CIS Control'
+        control = {}
+        control['id'] = 'M-' + contr[:title].split(' ')[0]
+        control['title'] = contr[:title]
+        control['desc'] = contr[:descr]
+        control['impact'] = Utils::InspecUtil.get_impact('medium')
+        control['tags'] = {}
+        control['tags']['severity'] = Utils::InspecUtil.get_impact_string(control['impact'])
+        control['tags']['ref'] = contr[:ref] unless contr[:ref].nil?
+        control['tags']['applicability'] = contr[:applicability] unless contr[:applicability].nil?
+        control['tags']['cis_id'] = contr[:title].split(' ')[0] unless contr[:title].nil?
+        control['tags']['cis_control'] = [contr[:cis], @nist_mapping[0][:cis_ver]] unless contr[:cis].nil? # tag cis_control: [5, 6.1] ##6.1 is the version
+        control['tags']['cis_level'] = contr[:level] unless contr[:level].nil?
+        control['tags']['nist'] = nist unless nist.nil? # tag nist: [AC-3, 4]  ##4 is the version
+        control['tags']['check'] = contr[:check] unless contr[:check].nil?
+        control['tags']['fix'] = contr[:fix] unless contr[:fix].nil?
+        control['tags']['Default Value'] = contr[:default] unless contr[:default].nil?
+        controls << control
+      end
+      controls
+    end
+
+    def insert_json_metadata
+      @profile['name'] = @name
+      @profile['title'] = @title
+      @profile['maintainer'] = 'The Authors'
+      @profile['copyright'] = 'The Authors'
+      @profile['copyright_email'] = 'you@example.com'
+      @profile['license'] = 'Apache-2.0'
+      @profile['summary'] = 'An InSpec Compliance Profile'
+      @profile['version'] = '0.1.0'
+      @profile['supports'] = []
+      @profile['attributes'] = []
+      @profile['generator'] = {
+        'name': 'inspec_tools',
+        'version': VERSION
+      }
+    end
+
+    def extract_title
+      @pdf_text.match(/([^\n]*)\n/).captures[0]
+    end
+
+    def read_pdf
+      @pdf_text = Util::ExtractPdfText.new(@pdf).extracted_text
+      write_pdf_text if @debug
+    end
+
+    def clean_pdf_text
+      @clean_text = Util::TextCleaner.new.clean_data(@pdf_text)
+      write_clean_text if @debug
+    end
+
+    def transform_data
+      @transformed_data = Util::PrepareData.new(@clean_text).transformed_data
+    end
+
+    def write_pdf_text
+      File.write('pdf_text', @pdf_text)
+    end
+
+    def write_clean_text
+      File.write('debug_text', @clean_text)
+    end
+  end
+end

data/lib/inspec_tools/plugin.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module InspecToolsPlugin
+  class Plugin < Inspec.plugin(2)
+    # Metadata
+    # Must match entry in plugins.json
+    plugin_name :'inspec-tools_plugin'
+
+    # Activation hooks (CliCommand as an example)
+    cli_command :tools do
+      require_relative 'plugin_cli'
+      InspecPlugins::InspecToolsPlugin::CliCommand
+    end
+  end
+end

data/lib/inspec_tools/plugin_cli.rb

@@ -0,0 +1,275 @@
+require 'yaml'
+require 'json'
+require 'roo'
+require_relative '../utilities/inspec_util'
+require_relative '../utilities/csv_util'
+
+module InspecTools
+  autoload :Help, 'inspec_tools/help'
+  autoload :Command, 'inspec_tools/command'
+  autoload :XCCDF, 'inspec_tools/xccdf'
+  autoload :PDF, 'inspec_tools/pdf'
+  autoload :CSVTool, 'inspec_tools/csv'
+  autoload :CKL, 'inspec_tools/ckl'
+  autoload :Inspec, 'inspec_tools/inspec'
+  autoload :Summary, 'inspec_tools/summary'
+  autoload :Threshold, 'inspec_tools/threshold'
+  autoload :XLSXTool, 'inspec_tools/xlsx_tool'
+end
+
+# rubocop:disable Style/GuardClause
+module InspecPlugins
+  module InspecToolsPlugin
+    class CliCommand < Inspec.plugin(2, :cli_command) # rubocop:disable Metrics/ClassLength
+      POSSIBLE_LOG_LEVELS = %w{debug info warn error fatal}.freeze
+
+      class_option :log_directory, type: :string, aliases: :l, desc: 'Provie log location'
+      class_option :log_level, type: :string, desc: "Set the logging level: #{POSSIBLE_LOG_LEVELS}"
+
+      subcommand_desc 'tools [COMMAND]', 'Runs inspec_tools commands through Inspec'
+
+      desc 'xccdf2inspec', 'xccdf2inspec translates an xccdf file to an inspec profile'
+      long_desc InspecTools::Help.text(:xccdf2inspec)
+      option :xccdf, required: true, aliases: '-x'
+      option :attributes, required: false, aliases: '-a'
+      option :output, required: false, aliases: '-o', default: 'profile'
+      option :format, required: false, aliases: '-f', enum: %w{ruby hash}, default: 'ruby'
+      option :separate_files, required: false, type: :boolean, default: true, aliases: '-s'
+      option :replace_tags, type: :array, required: false, aliases: '-r'
+      option :metadata, required: false, aliases: '-m'
+      def xccdf2inspec
+        xccdf = InspecTools::XCCDF.new(File.read(options[:xccdf]), options[:replace_tags])
+        profile = xccdf.to_inspec
+
+        if !options[:metadata].nil?
+          xccdf.inject_metadata(File.read(options[:metadata]))
+        end
+
+        Utils::InspecUtil.unpack_inspec_json(options[:output], profile, options[:separate_files], options[:format])
+        if !options[:attributes].nil?
+          attributes = xccdf.to_attributes
+          File.write(options[:attributes], YAML.dump(attributes))
+        end
+      end
+
+      desc 'inspec2xccdf', 'inspec2xccdf translates an inspec profile and attributes files to an xccdf file'
+      long_desc InspecTools::Help.text(:inspec2xccdf)
+      option :inspec_json, required: true, aliases: '-j'
+      option :attributes,  required: true, aliases: '-a'
+      option :output, required: true, aliases: '-o'
+      def inspec2xccdf
+        json = File.read(options[:inspec_json])
+        inspec_tool = InspecTools::Inspec.new(json)
+        attr_hsh = YAML.load_file(options[:attributes])
+        xccdf = inspec_tool.to_xccdf(attr_hsh)
+        File.write(options[:output], xccdf)
+      end
+
+      desc 'csv2inspec', 'csv2inspec translates CSV to Inspec controls using a mapping file'
+      long_desc InspecTools::Help.text(:csv2inspec)
+      option :csv, required: true, aliases: '-c'
+      option :mapping, required: true, aliases: '-m'
+      option :verbose, required: false, type: :boolean, aliases: '-V'
+      option :output, required: false, aliases: '-o', default: 'profile'
+      option :format, required: false, aliases: '-f', enum: %w{ruby hash}, default: 'ruby'
+      option :separate_files, required: false, type: :boolean, default: true, aliases: '-s'
+      def csv2inspec
+        csv = CSV.read(options[:csv], encoding: 'ISO8859-1')
+        mapping = YAML.load_file(options[:mapping])
+        profile = InspecTools::CSVTool.new(csv, mapping, options[:csv].split('/')[-1].split('.')[0], options[:verbose]).to_inspec
+        Utils::InspecUtil.unpack_inspec_json(options[:output], profile, options[:separate_files], options[:format])
+      end
+
+      desc 'xlsx2inspec', 'xlsx2inspec translates CIS XLSX to Inspec controls using a mapping file'
+      long_desc InspecTools::Help.text(:xlsx2inspec)
+      option :xlsx, required: true, aliases: '-x'
+      option :mapping, required: true, aliases: '-m'
+      option :control_name_prefix, required: true, aliases: '-p'
+      option :verbose, required: false, type: :boolean, aliases: '-V'
+      option :output, required: false, aliases: '-o', default: 'profile'
+      option :format, required: false, aliases: '-f', enum: %w{ruby hash}, default: 'ruby'
+      option :separate_files, required: false, type: :boolean, default: true, aliases: '-s'
+      def xlsx2inspec
+        xlsx = Roo::Spreadsheet.open(options[:xlsx])
+        mapping = YAML.load_file(options[:mapping])
+        profile = InspecTools::XLSXTool.new(xlsx, mapping, options[:xlsx].split('/')[-1].split('.')[0], options[:verbose]).to_inspec(options[:control_name_prefix])
+        Utils::InspecUtil.unpack_inspec_json(options[:output], profile, options[:separate_files], options[:format])
+      end
+
+      desc 'inspec2csv', 'inspec2csv translates Inspec controls to CSV'
+      long_desc InspecTools::Help.text(:inspec2csv)
+      option :inspec_json, required: true, aliases: '-j'
+      option :output, required: true, aliases: '-o'
+      option :verbose, required: false, type: :boolean, aliases: '-V'
+      def inspec2csv
+        csv = InspecTools::Inspec.new(File.read(options[:inspec_json])).to_csv
+        Utils::CSVUtil.unpack_csv(csv, options[:output])
+      end
+
+      desc 'inspec2ckl', 'inspec2ckl translates an inspec json file to a Checklist file'
+      long_desc InspecTools::Help.text(:inspec2ckl)
+      option :inspec_json, required: true, aliases: '-j'
+      option :output, required: true, aliases: '-o'
+      option :verbose, type: :boolean, aliases: '-V'
+      option :metadata, required: false, aliases: '-m'
+      def inspec2ckl
+        metadata = '{}'
+        if !options[:metadata].nil?
+          metadata = File.read(options[:metadata])
+        end
+        ckl = InspecTools::Inspec.new(File.read(options[:inspec_json]), metadata).to_ckl
+        File.write(options[:output], ckl)
+      end
+
+      desc 'pdf2inspec', 'pdf2inspec translates a PDF Security Control Speficication to Inspec Security Profile'
+      long_desc InspecTools::Help.text(:pdf2inspec)
+      option :pdf, required: true, aliases: '-p'
+      option :output, required: false, aliases: '-o', default: 'profile'
+      option :debug, required: false, aliases: '-d', type: :boolean, default: false
+      option :format, required: false, aliases: '-f', enum: %w{ruby hash}, default: 'ruby'
+      option :separate_files, required: false, type: :boolean, default: true, aliases: '-s'
+      def pdf2inspec
+        pdf = File.open(options[:pdf])
+        profile = InspecTools::PDF.new(pdf, options[:output], options[:debug]).to_inspec
+        Utils::InspecUtil.unpack_inspec_json(options[:output], profile, options[:separate_files], options[:format])
+      end
+
+      desc 'generate_map', 'Generates mapping template from CSV to Inspec Controls'
+      def generate_map
+        template = '
+        # Setting csv_header to true will skip the csv file header
+        skip_csv_header: true
+        width   : 80
+
+
+        control.id: 0
+        control.title: 15
+        control.desc: 16
+        control.tags:
+                severity: 1
+                rid: 8
+                stig_id: 3
+                cci: 2
+                check: 12
+                fix: 10
+        '
+        myfile = File.new('mapping.yml', 'w')
+        myfile.puts template
+        myfile.close
+      end
+
+      desc 'generate_ckl_metadata', 'Generate metadata file that can be passed to inspec2ckl'
+      def generate_ckl_metadata
+        metadata = {}
+
+        metadata['stigid'] = ask('STID ID: ')
+        metadata['role'] = ask('Role: ')
+        metadata['type'] = ask('Type: ')
+        metadata['hostname'] = ask('Hostname: ')
+        metadata['ip'] = ask('IP Address: ')
+        metadata['mac'] = ask('MAC Address: ')
+        metadata['fqdn'] = ask('FQDN: ')
+        metadata['tech_area'] = ask('Tech Area: ')
+        metadata['target_key'] = ask('Target Key: ')
+        metadata['web_or_database'] = ask('Web or Database: ')
+        metadata['web_db_site'] = ask('Web DB Site: ')
+        metadata['web_db_instance'] = ask('Web DB Instance: ')
+
+        metadata.delete_if { |_key, value| value.empty? }
+        File.open('metadata.json', 'w') do |f|
+          f.write(metadata.to_json)
+        end
+      end
+
+      desc 'generate_inspec_metadata', 'Generate mapping file that can be passed to xccdf2inspec'
+      def generate_inspec_metadata
+        metadata = {}
+
+        metadata['maintainer'] = ask('Maintainer: ')
+        metadata['copyright'] = ask('Copyright: ')
+        metadata['copyright_email'] = ask('Copyright Email: ')
+        metadata['license'] = ask('License: ')
+        metadata['version'] = ask('Version: ')
+
+        metadata.delete_if { |_key, value| value.empty? }
+        File.open('metadata.json', 'w') do |f|
+          f.write(metadata.to_json)
+        end
+      end
+
+      desc 'summary', 'summary parses an inspec results json to create a summary json'
+      long_desc InspecTools::Help.text(:summary)
+      option :inspec_json, required: true, aliases: '-j'
+      option :verbose, type: :boolean, aliases: '-V'
+      option :json_full, type: :boolean, required: false, aliases: '-f'
+      option :json_counts, type: :boolean, required: false, aliases: '-k'
+
+      def summary
+        summary = InspecTools::Summary.new(File.read(options[:inspec_json])).to_summary
+
+        unless options.include?('json_full') || options.include?('json_counts')
+          puts "\nOverall compliance: #{summary[:compliance]}%\n\n"
+          summary[:status].keys.each do |category|
+            puts category
+            summary[:status][category].keys.each do |impact|
+              puts "\t#{impact} : #{summary[:status][category][impact]}"
+            end
+          end
+        end
+
+        json_summary = summary.to_json
+        puts json_summary if options[:json_full]
+        puts summary[:status].to_json if options[:json_counts]
+      end
+
+      desc 'compliance', 'compliance parses an inspec results json to check if the compliance level meets a specified threshold'
+      long_desc InspecTools::Help.text(:compliance)
+      option :inspec_json, required: true, aliases: '-j'
+      option :threshold_file, required: false, aliases: '-f'
+      option :threshold_inline, required: false, aliases: '-i'
+      option :verbose, type: :boolean, aliases: '-V'
+
+      def compliance
+        if options[:threshold_file].nil? && options[:threshold_inline].nil?
+          puts 'Please provide threshold as a yaml file or inline yaml'
+          exit(1)
+        end
+        threshold = YAML.load_file(options[:threshold_file]) unless options[:threshold_file].nil?
+        threshold = YAML.safe_load(options[:threshold_inline]) unless options[:threshold_inline].nil?
+        compliance = InspecTools::Summary.new(File.read(options[:inspec_json])).threshold(threshold)
+        compliance ? exit(0) : exit(1)
+      end
+    end
+  end
+end
+
+#=====================================================================#
+#                        Pre-Flight Code
+#=====================================================================#
+help_commands = ['-h', '--help', 'help']
+log_commands = ['-l', '--log-directory']
+version_commands = ['-v', '--version', 'version']
+
+#---------------------------------------------------------------------#
+# Adjustments for non-required version commands
+#---------------------------------------------------------------------#
+unless (version_commands & ARGV).empty?
+  puts InspecTools::VERSION
+  exit 0
+end
+
+#---------------------------------------------------------------------#
+# Adjustments for non-required log-directory
+#---------------------------------------------------------------------#
+ARGV.push("--log-directory=#{Dir.pwd}/logs") if (log_commands & ARGV).empty? && (help_commands & ARGV).empty?
+
+# Push help to front of command so thor recognizes subcommands are called with help
+if help_commands.any? { |cmd| ARGV.include? cmd }
+  help_commands.each do |cmd|
+    if (match = ARGV.delete(cmd))
+      ARGV.unshift match
+    end
+  end
+end
+
+# rubocop:enable Style/GuardClause

data/lib/inspec_tools/summary.rb

@@ -0,0 +1,126 @@
+require 'json'
+require 'yaml'
+require_relative '../utilities/inspec_util'
+
+# rubocop:disable Metrics/AbcSize
+
+# Impact Definitions
+CRITICAL = 0.9
+HIGH = 0.7
+MEDIUM = 0.5
+LOW = 0.3
+
+BUCKETS = %i(failed passed no_impact skipped error).freeze
+TALLYS = %i(total critical high medium low).freeze
+
+THRESHOLD_TEMPLATE = File.expand_path('../data/threshold.yaml', File.dirname(__FILE__))
+
+module InspecTools
+  class Summary
+    def initialize(inspec_json)
+      @json = JSON.parse(inspec_json)
+    end
+
+    def to_summary
+      @data = Utils::InspecUtil.parse_data_for_ckl(@json)
+      @summary = {}
+      @data.keys.each do |control_id|
+        current_control = @data[control_id]
+        current_control[:compliance_status] = Utils::InspecUtil.control_status(current_control, true)
+        current_control[:finding_details] = Utils::InspecUtil.control_finding_details(current_control, current_control[:compliance_status])
+      end
+      compute_summary
+      @summary
+    end
+
+    def threshold(threshold = nil)
+      @summary = to_summary
+      @threshold = Utils::InspecUtil.to_dotted_hash(YAML.load_file(THRESHOLD_TEMPLATE))
+      parse_threshold(Utils::InspecUtil.to_dotted_hash(threshold))
+      threshold_compliance
+    end
+
+    private
+
+    def compute_summary
+      @summary[:buckets] = {}
+      @summary[:buckets][:failed]    = select_by_status(@data, 'Open')
+      @summary[:buckets][:passed]    = select_by_status(@data, 'NotAFinding')
+      @summary[:buckets][:no_impact] = select_by_status(@data, 'Not_Applicable')
+      @summary[:buckets][:skipped]   = select_by_status(@data, 'Not_Reviewed')
+      @summary[:buckets][:error]     = select_by_status(@data, 'Profile_Error')
+
+      @summary[:status] = {}
+      @summary[:status][:failed]    = tally_by_impact(@summary[:buckets][:failed])
+      @summary[:status][:passed]    = tally_by_impact(@summary[:buckets][:passed])
+      @summary[:status][:no_impact] = tally_by_impact(@summary[:buckets][:no_impact])
+      @summary[:status][:skipped]   = tally_by_impact(@summary[:buckets][:skipped])
+      @summary[:status][:error]     = tally_by_impact(@summary[:buckets][:error])
+
+      @summary[:compliance] = compute_compliance
+    end
+
+    def select_by_impact(controls, impact)
+      controls.select { |_key, value| value[:impact].to_f.eql?(impact) }
+    end
+
+    def select_by_status(controls, status)
+      controls.select { |_key, value| value[:compliance_status].eql?(status) }
+    end
+
+    def tally_by_impact(controls)
+      tally = {}
+      tally[:total]    = controls.count
+      tally[:critical] = select_by_impact(controls, CRITICAL).count
+      tally[:high]     = select_by_impact(controls, HIGH).count
+      tally[:medium]   = select_by_impact(controls, MEDIUM).count
+      tally[:low]      = select_by_impact(controls, LOW).count
+      tally
+    end
+
+    def compute_compliance
+      (@summary[:status][:passed][:total]*100.0/
+        (@summary[:status][:passed][:total]+
+         @summary[:status][:failed][:total]+
+         @summary[:status][:skipped][:total]+
+         @summary[:status][:error][:total])).floor
+    end
+
+    def threshold_compliance
+      compliance = true
+      failure = []
+      max = @threshold['compliance.max']
+      min = @threshold['compliance.min']
+      if max != -1 and @summary[:compliance] > max
+        compliance = false
+        failure << "Expected compliance.max:#{max} got:#{@summary[:compliance]}"
+      end
+      if min != -1 and @summary[:compliance] < min
+        compliance = false
+        failure << "Expected compliance.min:#{min} got:#{@summary[:compliance]}"
+      end
+      status = @summary[:status]
+      BUCKETS.each do |bucket|
+        TALLYS.each do |tally|
+          max = @threshold["#{bucket}.#{tally}.max"]
+          min = @threshold["#{bucket}.#{tally}.min"]
+          if max != -1 and status[bucket][tally] > max
+            compliance = false
+            failure << "Expected #{bucket}.#{tally}.max:#{max} got:#{status[bucket][tally]}"
+          end
+          if min != -1 and status[bucket][tally] < min
+            compliance = false
+            failure << "Expected #{bucket}.#{tally}.min:#{min} got:#{status[bucket][tally]}"
+          end
+        end
+      end
+      puts failure.join("\n") unless compliance
+      puts 'Compliance threshold met' if compliance
+      compliance
+    end
+
+    def parse_threshold(new_threshold)
+      @threshold.merge!(new_threshold)
+    end
+  end
+end