inspec/lib/resources/passwd.rb

127 lines
3 KiB
Ruby
Raw Normal View History

2015-07-15 13:15:18 +00:00
# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH
2015-10-06 16:55:44 +00:00
# author: Christoph Hartmann
# author: Dominik Richter
2015-07-15 13:15:18 +00:00
# license: All rights reserved
2015-07-15 13:15:53 +00:00
# The file format consists of
# - username
# - password
# - userid
# - groupid
# - user id info
# - home directory
# - command
2015-10-04 15:59:13 +00:00
require 'utils/parser'
2015-10-26 03:04:18 +00:00
class Passwd < Inspec.resource(1)
name 'passwd'
2015-11-27 13:02:38 +00:00
desc 'Use the passwd InSpec audit resource to test the contents of /etc/passwd, which contains the following information for users that may log into the system and/or as users that own running processes.'
example "
2016-02-17 11:35:46 +00:00
describe passwd do
its('users') { should_not include 'forbidden_user' }
2016-02-17 11:35:46 +00:00
end
describe passwd.uids(0) do
its('users') { should eq 'root' }
2015-11-27 13:02:38 +00:00
its('count') { should eq 1 }
end
2016-02-17 11:35:46 +00:00
describe passwd.shells(/nologin/) do
# find all users with a nologin shell
its('users') { should_not include 'my_login_user' }
2016-02-17 11:35:46 +00:00
end
2015-11-27 13:02:38 +00:00
"
2015-07-14 22:47:17 +00:00
2015-12-31 00:01:11 +00:00
include PasswdParser
2015-10-04 15:59:13 +00:00
2015-09-05 17:05:18 +00:00
attr_reader :uid
2016-02-17 11:35:46 +00:00
attr_reader :params
attr_reader :content
attr_reader :lines
2015-07-14 22:47:17 +00:00
2016-02-17 11:35:46 +00:00
def initialize(path = nil, opts = nil)
opts ||= {}
@path = path || '/etc/passwd'
2016-02-17 11:35:46 +00:00
@content = opts[:content] || inspec.file(@path).content
@lines = @content.to_s.split("\n")
@filters = opts[:filters] || ''
@params = parse_passwd(@content)
end
2016-02-17 11:35:46 +00:00
def filter(hm = {})
return self if hm.nil? || hm.empty?
res = @params
filters = ''
hm.each do |attr, condition|
condition = condition.to_s if condition.is_a? Integer
2016-02-17 11:35:46 +00:00
filters += " #{attr} = #{condition.inspect}"
res = res.find_all do |line|
case line[attr.to_s]
when condition
true
else
false
end
end
end
content = res.map { |x| x.values.join(':') }.join("\n")
Passwd.new(@path, content: content, filters: @filters + filters)
2015-07-26 10:30:12 +00:00
end
2015-07-15 13:15:53 +00:00
2015-07-26 10:30:12 +00:00
def usernames
warn '[DEPRECATION] `passwd.usernames` is deprecated. Please use `passwd.users` instead. It will be removed in version 1.0.0.'
2016-02-17 11:35:46 +00:00
users
end
2016-02-18 11:00:34 +00:00
def username
warn '[DEPRECATION] `passwd.user` is deprecated. Please use `passwd.users` instead. It will be removed in version 1.0.0.'
2016-02-18 11:00:34 +00:00
users[0]
2016-02-17 11:35:46 +00:00
end
def uid(x)
warn '[DEPRECATION] `passwd.uid(arg)` is deprecated. Please use `passwd.uids(arg)` instead. It will be removed in version 1.0.0.'
uids(x)
2015-07-26 10:30:12 +00:00
end
2015-07-15 13:15:53 +00:00
def users(name = nil)
name.nil? ? map_data('user') : filter(user: name)
2015-07-26 10:30:12 +00:00
end
2015-07-15 13:15:53 +00:00
def passwords(password = nil)
password.nil? ? map_data('password') : filter(password: password)
2016-02-17 11:35:46 +00:00
end
def uids(uid = nil)
uid.nil? ? map_data('uid') : filter(uid: uid)
2015-07-26 10:30:12 +00:00
end
2015-07-14 22:47:17 +00:00
def gids(gid = nil)
gid.nil? ? map_data('gid') : filter(gid: gid)
2016-02-17 11:35:46 +00:00
end
def homes(home = nil)
home.nil? ? map_data('home') : filter(home: home)
2015-07-26 10:30:12 +00:00
end
2015-07-14 22:47:17 +00:00
def shells(shell = nil)
shell.nil? ? map_data('shell') : filter(shell: shell)
2016-02-17 11:35:46 +00:00
end
def to_s
2016-02-17 11:35:46 +00:00
f = @filters.empty? ? '' : ' with'+@filters
"/etc/passwd#{f}"
end
def count
@params.length
end
private
def map_data(id)
@params.map { |x| x[id] }
end
2015-07-26 10:30:12 +00:00
end