# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH
# author: Christoph Hartmann
# author: Dominik Richter
# license: All rights reserved
# The file format consists of colon-separated fields, in this order:
# - username
# - password
# - userid
# - groupid
# - user id info (description)
# - home directory
# - command (login shell)
require 'utils/parser'
require 'utils/filter'
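module Inspec::Resources
  # Audit resource for /etc/passwd, or for a passwd-formatted file at a
  # caller-supplied path. The raw content is read from the audited target
  # (or injected through opts[:content]), parsed by PasswdParser#parse_passwd,
  # and exposed through a FilterTable so that chained queries such as
  # `passwd.uids(0).users` or `passwd.shells(/nologin/).users` work.
  class Passwd < Inspec.resource(1)
    name 'passwd'
    desc 'Use the passwd InSpec audit resource to test the contents of /etc/passwd, which contains the following information for users that may log into the system and/or as users that own running processes.'
    example "
      describe passwd do
        its('users') { should_not include 'forbidden_user' }
      end

      describe passwd.uids(0) do
        its('users') { should cmp 'root' }
        its('count') { should eq 1 }
      end

      describe passwd.shells(/nologin/) do
        # find all users with a nologin shell
        its('users') { should_not include 'my_login_user' }
      end
    "

    include PasswdParser

    # Parsed entries as returned by PasswdParser#parse_passwd (row shape is
    # defined there, not here; the filter fields below name its columns).
    attr_reader :params
    # Raw file content exactly as obtained from the target or from opts[:content].
    attr_reader :content
    # Raw content split on newlines (nil content yields an empty array).
    attr_reader :lines

    # @param path [String, nil] file to audit; defaults to /etc/passwd
    # @param opts [Hash, nil] `:content` supplies the file body directly and
    #   skips reading the file from the target (useful for tests)
    def initialize(path = nil, opts = nil)
      opts ||= {}
      @path = path || '/etc/passwd'
      # Injected content takes precedence so no I/O against the target is needed.
      @content = opts[:content] || inspec.file(@path).content
      # to_s guards against nil content (e.g. the file is missing on the target).
      @lines = @content.to_s.split("\n")
      @params = parse_passwd(@content)
    end

    # One accessor per passwd column; each one filters the parsed rows and
    # returns a new table, so calls can be chained.
    filter = FilterTable.create
    filter.add_accessor(:where)
          .add_accessor(:entries)
          .add(:users,     field: 'user')
          .add(:passwords, field: 'password')
          .add(:uids,      field: 'uid')
          .add(:gids,      field: 'gid')
          .add(:descs,     field: 'desc')
          .add(:homes,     field: 'home')
          .add(:shells,    field: 'shell')

    # Deprecated accessors, kept for backward compatibility until 1.0.0.
    # Each one warns and delegates to its replacement.
    filter.add(:count) do |t, _|
      warn '[DEPRECATION] `passwd.count` is deprecated. Please use `passwd.entries.length` instead. It will be removed in version 1.0.0.'
      t.entries.length
    end

    filter.add(:usernames) do |t, x|
      warn '[DEPRECATION] `passwd.usernames` is deprecated. Please use `passwd.users` instead. It will be removed in version 1.0.0.'
      t.users(x)
    end

    filter.add(:username) do |t, x|
      warn '[DEPRECATION] `passwd.username` is deprecated. Please use `passwd.users` instead. It will be removed in version 1.0.0.'
      t.users(x)[0]
    end

    # Rebuild passwd-formatted lines from the (possibly already filtered)
    # entries, joining the seven columns with ':' in file order.
    filter.add(:content) do |t, _|
      t.entries.map do |e|
        [e.user, e.password, e.uid, e.gid, e.desc, e.home, e.shell].join(':')
      end.join("\n")
    end

    # @deprecated use {#uids} instead
    # @param x [Object] uid to filter on, passed through to #uids
    def uid(x)
      warn '[DEPRECATION] `passwd.uid(arg)` is deprecated. Please use `passwd.uids(arg)` instead. It will be removed in version 1.0.0.'
      uids(x)
    end

    filter.connect(self, :params)

    # Description used in test output. Reports the path actually audited, so
    # a resource created with a custom path is not mislabelled as /etc/passwd
    # (for the default path this is still '/etc/passwd').
    def to_s
      @path
    end
  end
end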