2015-04-09 20:01:23 +00:00
|
|
|
# encoding: utf-8
|
2015-07-15 13:15:18 +00:00
|
|
|
# copyright: 2015, Vulcano Security GmbH
|
2015-04-09 20:01:23 +00:00
|
|
|
|
2017-07-03 06:10:27 +00:00
|
|
|
require 'shellwords'
|
|
|
|
|
2016-03-08 18:06:55 +00:00
|
|
|
module Inspec::Resources
|
|
|
|
class Lines
|
|
|
|
attr_reader :output
|
2015-12-08 11:32:23 +00:00
|
|
|
|
2016-03-08 18:06:55 +00:00
|
|
|
def initialize(raw, desc)
|
|
|
|
@output = raw
|
|
|
|
@desc = desc
|
|
|
|
end
|
2015-04-09 20:01:23 +00:00
|
|
|
|
2016-03-08 18:06:55 +00:00
|
|
|
def lines
|
|
|
|
output.split("\n")
|
|
|
|
end
|
2015-04-09 20:01:23 +00:00
|
|
|
|
2016-03-08 18:06:55 +00:00
|
|
|
def to_s
|
|
|
|
@desc
|
|
|
|
end
|
2015-04-09 20:01:23 +00:00
|
|
|
end
|
|
|
|
|
2016-03-08 18:06:55 +00:00
|
|
|
class PostgresSession < Inspec.resource(1)
|
|
|
|
name 'postgres_session'
|
2018-02-19 14:26:49 +00:00
|
|
|
supports platform: 'unix'
|
|
|
|
supports platform: 'windows'
|
2016-03-08 18:06:55 +00:00
|
|
|
desc 'Use the postgres_session InSpec audit resource to test SQL commands run against a PostgreSQL database.'
|
|
|
|
example "
|
2017-04-25 23:33:10 +00:00
|
|
|
sql = postgres_session('username', 'password', 'host')
|
|
|
|
query('sql_query', ['database_name'])` contains the query and (optional) database to execute
|
|
|
|
|
|
|
|
# default values:
|
|
|
|
# username: 'postgres'
|
|
|
|
# host: 'localhost'
|
|
|
|
# db: databse == db_user running the sql query
|
2015-11-27 13:02:38 +00:00
|
|
|
|
2016-03-08 18:06:55 +00:00
|
|
|
describe sql.query('SELECT * FROM pg_shadow WHERE passwd IS NULL;') do
|
2017-07-03 06:10:27 +00:00
|
|
|
its('output') { should eq '' }
|
2016-03-08 18:06:55 +00:00
|
|
|
end
|
|
|
|
"
|
2015-10-26 15:47:45 +00:00
|
|
|
|
2017-04-25 23:33:10 +00:00
|
|
|
def initialize(user, pass, host = nil)
|
2016-03-08 18:06:55 +00:00
|
|
|
@user = user || 'postgres'
|
|
|
|
@pass = pass
|
2017-04-25 23:33:10 +00:00
|
|
|
@host = host || 'localhost'
|
2016-03-08 18:06:55 +00:00
|
|
|
end
|
2015-04-09 20:01:23 +00:00
|
|
|
|
2016-03-08 18:06:55 +00:00
|
|
|
def query(query, db = [])
|
2017-07-03 06:10:27 +00:00
|
|
|
psql_cmd = create_psql_cmd(query, db)
|
|
|
|
cmd = inspec.command(psql_cmd)
|
2016-03-08 18:06:55 +00:00
|
|
|
out = cmd.stdout + "\n" + cmd.stderr
|
2017-07-03 06:10:27 +00:00
|
|
|
if cmd.exit_status != 0 || out =~ /could not connect to .*/ || out.downcase =~ /^error:.*/
|
2017-09-23 07:27:05 +00:00
|
|
|
Lines.new(out, "PostgreSQL query with errors: #{query}")
|
2016-03-08 18:06:55 +00:00
|
|
|
else
|
2017-04-25 23:33:10 +00:00
|
|
|
Lines.new(cmd.stdout.strip, "PostgreSQL query: #{query}")
|
2016-03-08 18:06:55 +00:00
|
|
|
end
|
2015-04-09 20:01:23 +00:00
|
|
|
end
|
2017-07-03 06:10:27 +00:00
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
def escaped_query(query)
|
|
|
|
Shellwords.escape(query)
|
|
|
|
end
|
|
|
|
|
|
|
|
def create_psql_cmd(query, db = [])
|
|
|
|
dbs = db.map { |x| "-d #{x}" }.join(' ')
|
|
|
|
"PGPASSWORD='#{@pass}' psql -U #{@user} #{dbs} -h #{@host} -A -t -c #{escaped_query(query)}"
|
|
|
|
end
|
2015-04-09 20:01:23 +00:00
|
|
|
end
|
|
|
|
end
|