inspec/lib/resources/passwd.rb

# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH

# The file format consists of
# - username
# - password
# - userid
# - groupid
# - user id info
# - home directory
# - command

require 'utils/parser'
require 'utils/filter'
require 'utils/file_reader'

module Inspec::Resources
  class Passwd < Inspec.resource(1)
    name 'passwd'
    supports platform: 'unix'
    desc 'Use the passwd InSpec audit resource to test the contents of /etc/passwd, which contains the following information for users that may log into the system and/or as users that own running processes.'
    example "
      describe passwd do
        its('users') { should_not include 'forbidden_user' }
      end

      describe passwd.uids(0) do
        its('users') { should cmp 'root' }
      end

      describe passwd.shells(/nologin/) do
        # find all users with a nologin shell
        its('users') { should_not include 'my_login_user' }
      end
    "

    include PasswdParser
    include FileReader

    attr_reader :params
    attr_reader :content
    attr_reader :lines

    def initialize(path = nil, opts = nil)
      opts ||= {}
      @path = path || '/etc/passwd'
      @content = opts[:content] || read_file_content(@path, allow_empty: true)
      @lines = @content.to_s.split("\n")
      @params = parse_passwd(@content)
    end

    filter = FilterTable.create
    filter.register_column(:users,     field: 'user')
          .register_column(:passwords, field: 'password')
          .register_column(:uids,      field: 'uid')
          .register_column(:gids,      field: 'gid')
          .register_column(:descs,     field: 'desc')
          .register_column(:homes,     field: 'home')
          .register_column(:shells,    field: 'shell')

    # rebuild the passwd line from raw content
    filter.register_custom_property(:content) { |t, _|
      t.entries.map do |e|
        [e.user, e.password, e.uid, e.gid, e.desc, e.home, e.shell].join(':')
      end.join("\n")
    }

    filter.install_filter_methods_on_resource(self, :params)

    def to_s
      '/etc/passwd'
    end
  end
end
update copyright header 2015-07-15 13:15:18 +00:00			`# encoding: utf-8`
			`# copyright: 2015, Vulcano Security GmbH`
add description for passwd file format 2015-07-15 13:15:53 +00:00
			`# The file format consists of`
			`# - username`
			`# - password`
			`# - userid`
			`# - groupid`
			`# - user id info`
			`# - home directory`
			`# - command`

externalize passwd parser 2015-10-04 15:59:13 +00:00			`require 'utils/parser'`
use filtertable with passwd resource 2016-04-26 12:27:21 +00:00			`require 'utils/filter'`
Unify method in which file content is read across all resources (#2359) * Create file-check functionality into utility file There are the similar issues as PR #2302. Almost resources return false positives when a file does not exist or is not read. * Replace to file-check functionality * Fix dh_params and x509_certificate resources If a file is empty, OpenSSL::PKey::DH and OpenSSL::X509::Certificate have raised an exception and have skipped the inspection. Thus x509_certificate and dh_params resources are not allowed to read a empty file. * to_s of shadow expects filters is not nil * Remove workaround of sshd_config Removes the workaround of sshd_config since Travis CI fails due to a bug of dev-sec/ssh-baseline and the PR #100 will fix it. * Use init block variable in methods Signed-off-by: ERAMOTO Masaya <eramoto.masaya@jp.fujitsu.com> 2018-03-22 12:25:45 +00:00			`require 'utils/file_reader'`
externalize passwd parser 2015-10-04 15:59:13 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`module Inspec::Resources`
use filtertable with passwd resource 2016-04-26 12:27:21 +00:00			`class Passwd < Inspec.resource(1)`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`name 'passwd'`
Add correct `supports platform` to resources. (#2674) * Add correct `supports platform` to resources. Signed-off-by: Miah Johnson <miah@chia-pet.org> * Remove 'os_family' and update platforms to specify what they did. Signed-off-by: Miah Johnson <miah@chia-pet.org> * Add esx and cisco to generic resources. Signed-off-by: Jared Quick <jquick@chef.io> 2018-02-19 14:26:49 +00:00			`supports platform: 'unix'`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`desc 'Use the passwd InSpec audit resource to test the contents of /etc/passwd, which contains the following information for users that may log into the system and/or as users that own running processes.'`
			`example "`
			`describe passwd do`
			`its('users') { should_not include 'forbidden_user' }`
			`end`
add filter to passwd 2016-02-17 11:35:46 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`describe passwd.uids(0) do`
			`its('users') { should cmp 'root' }`
			`end`
add filter to passwd 2016-02-17 11:35:46 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`describe passwd.shells(/nologin/) do`
			`# find all users with a nologin shell`
			`its('users') { should_not include 'my_login_user' }`
			`end`
			`"`

			`include PasswdParser`
Unify method in which file content is read across all resources (#2359) * Create file-check functionality into utility file There are the similar issues as PR #2302. Almost resources return false positives when a file does not exist or is not read. * Replace to file-check functionality * Fix dh_params and x509_certificate resources If a file is empty, OpenSSL::PKey::DH and OpenSSL::X509::Certificate have raised an exception and have skipped the inspection. Thus x509_certificate and dh_params resources are not allowed to read a empty file. * to_s of shadow expects filters is not nil * Remove workaround of sshd_config Removes the workaround of sshd_config since Travis CI fails due to a bug of dev-sec/ssh-baseline and the PR #100 will fix it. * Use init block variable in methods Signed-off-by: ERAMOTO Masaya <eramoto.masaya@jp.fujitsu.com> 2018-03-22 12:25:45 +00:00			`include FileReader`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00
			`attr_reader :params`
			`attr_reader :content`
			`attr_reader :lines`

			`def initialize(path = nil, opts = nil)`
			`opts \|\|= {}`
			`@path = path \|\| '/etc/passwd'`
Unify method in which file content is read across all resources (#2359) * Create file-check functionality into utility file There are the similar issues as PR #2302. Almost resources return false positives when a file does not exist or is not read. * Replace to file-check functionality * Fix dh_params and x509_certificate resources If a file is empty, OpenSSL::PKey::DH and OpenSSL::X509::Certificate have raised an exception and have skipped the inspection. Thus x509_certificate and dh_params resources are not allowed to read a empty file. * to_s of shadow expects filters is not nil * Remove workaround of sshd_config Removes the workaround of sshd_config since Travis CI fails due to a bug of dev-sec/ssh-baseline and the PR #100 will fix it. * Use init block variable in methods Signed-off-by: ERAMOTO Masaya <eramoto.masaya@jp.fujitsu.com> 2018-03-22 12:25:45 +00:00			`@content = opts[:content] \|\| read_file_content(@path, allow_empty: true)`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`@lines = @content.to_s.split("\n")`
			`@params = parse_passwd(@content)`
add filter to passwd 2016-02-17 11:35:46 +00:00			`end`
migrate passwd and processes Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 19:27:35 +00:00
use filtertable with passwd resource 2016-04-26 12:27:21 +00:00			`filter = FilterTable.create`
Update core resources with filtertable API changes (#3117) * Search and replace filtertable methods to use new names, and rely on automatic methods * Remove spurious exists? matchers - see https://relishapp.com/rspec/rspec-expectations/docs/built-in-matchers/exist-matcher * Revert removing exists? - we'll do it on a separate PR * Gah, didn't save before resolving conflict * Add back name column on aws cloudtrail trails Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> 2018-06-26 19:14:21 +00:00			`filter.register_column(:users, field: 'user')`
			`.register_column(:passwords, field: 'password')`
			`.register_column(:uids, field: 'uid')`
			`.register_column(:gids, field: 'gid')`
			`.register_column(:descs, field: 'desc')`
			`.register_column(:homes, field: 'home')`
			`.register_column(:shells, field: 'shell')`
add description for passwd file format 2015-07-15 13:15:53 +00:00
expose deprecated fields in passwd 2016-04-29 17:10:15 +00:00			`# rebuild the passwd line from raw content`
Update core resources with filtertable API changes (#3117) * Search and replace filtertable methods to use new names, and rely on automatic methods * Remove spurious exists? matchers - see https://relishapp.com/rspec/rspec-expectations/docs/built-in-matchers/exist-matcher * Revert removing exists? - we'll do it on a separate PR * Gah, didn't save before resolving conflict * Add back name column on aws cloudtrail trails Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> 2018-06-26 19:14:21 +00:00			`filter.register_custom_property(:content) { \|t, _\|`
expose deprecated fields in passwd 2016-04-29 17:10:15 +00:00			`t.entries.map do \|e\|`
			`[e.user, e.password, e.uid, e.gid, e.desc, e.home, e.shell].join(':')`
			`end.join("\n")`
			`}`
add filter to passwd 2016-02-17 11:35:46 +00:00
Update core resources with filtertable API changes (#3117) * Search and replace filtertable methods to use new names, and rely on automatic methods * Remove spurious exists? matchers - see https://relishapp.com/rspec/rspec-expectations/docs/built-in-matchers/exist-matcher * Revert removing exists? - we'll do it on a separate PR * Gah, didn't save before resolving conflict * Add back name column on aws cloudtrail trails Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> 2018-06-26 19:14:21 +00:00			`filter.install_filter_methods_on_resource(self, :params)`
add to_s methods to resources, fixes #98 2015-10-12 11:01:58 +00:00
use filtertable with passwd resource 2016-04-26 12:27:21 +00:00			`def to_s`
			`'/etc/passwd'`
add advanced passwd filters (experimental) 2016-03-30 23:51:43 +00:00			`end`
rewrite passwd resource to extract parser 2015-10-04 15:49:00 +00:00			`end`
refactor types 2015-07-26 10:30:12 +00:00			`end`