inspec/lib/resources/passwd.rb

# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH
# author: Christoph Hartmann
# author: Dominik Richter

# The file format consists of
# - username
# - password
# - userid
# - groupid
# - user id info
# - home directory
# - command

require 'utils/parser'
require 'utils/filter'

module Inspec::Resources
  class Passwd < Inspec.resource(1)
    name 'passwd'
    desc 'Use the passwd InSpec audit resource to test the contents of /etc/passwd, which contains the following information for users that may log into the system and/or as users that own running processes.'
    example "
      describe passwd do
        its('users') { should_not include 'forbidden_user' }
      end

      describe passwd.uids(0) do
        its('users') { should cmp 'root' }
        its('count') { should eq 1 }
      end

      describe passwd.shells(/nologin/) do
        # find all users with a nologin shell
        its('users') { should_not include 'my_login_user' }
      end
    "

    include PasswdParser

    attr_reader :params
    attr_reader :content
    attr_reader :lines

    def initialize(path = nil, opts = nil)
      opts ||= {}
      @path = path || '/etc/passwd'
      @content = opts[:content] || inspec.file(@path).content
      @lines = @content.to_s.split("\n")
      @params = parse_passwd(@content)
    end

    filter = FilterTable.create
    filter.add_accessor(:where)
          .add_accessor(:entries)
          .add(:users,     field: 'user')
          .add(:passwords, field: 'password')
          .add(:uids,      field: 'uid')
          .add(:gids,      field: 'gid')
          .add(:descs,     field: 'desc')
          .add(:homes,     field: 'home')
          .add(:shells,    field: 'shell')

    filter.add(:count) { |t, _|
      warn '[DEPRECATION] `passwd.count` is deprecated. Please use `passwd.entries.length` instead. It will be removed in the next major version.'
      t.entries.length
    }

    filter.add(:usernames) { |t, x|
      warn '[DEPRECATION] `passwd.usernames` is deprecated. Please use `passwd.users` instead. It will be removed in the next major version.'
      t.users(x)
    }

    filter.add(:username) { |t, x|
      warn '[DEPRECATION] `passwd.username` is deprecated. Please use `passwd.users` instead. It will be removed in the next major version.'
      t.users(x)[0]
    }

    # rebuild the passwd line from raw content
    filter.add(:content) { |t, _|
      t.entries.map do |e|
        [e.user, e.password, e.uid, e.gid, e.desc, e.home, e.shell].join(':')
      end.join("\n")
    }

    def uid(x)
      warn '[DEPRECATION] `passwd.uid(arg)` is deprecated. Please use `passwd.uids(arg)` instead. It will be removed in the next major version.'
      uids(x)
    end

    filter.connect(self, :params)

    def to_s
      '/etc/passwd'
    end
  end
end
update copyright header 2015-07-15 13:15:18 +00:00			`# encoding: utf-8`
			`# copyright: 2015, Vulcano Security GmbH`
add author header 2015-10-06 16:55:44 +00:00			`# author: Christoph Hartmann`
			`# author: Dominik Richter`
add description for passwd file format 2015-07-15 13:15:53 +00:00
			`# The file format consists of`
			`# - username`
			`# - password`
			`# - userid`
			`# - groupid`
			`# - user id info`
			`# - home directory`
			`# - command`

externalize passwd parser 2015-10-04 15:59:13 +00:00			`require 'utils/parser'`
use filtertable with passwd resource 2016-04-26 12:27:21 +00:00			`require 'utils/filter'`
externalize passwd parser 2015-10-04 15:59:13 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`module Inspec::Resources`
use filtertable with passwd resource 2016-04-26 12:27:21 +00:00			`class Passwd < Inspec.resource(1)`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`name 'passwd'`
			`desc 'Use the passwd InSpec audit resource to test the contents of /etc/passwd, which contains the following information for users that may log into the system and/or as users that own running processes.'`
			`example "`
			`describe passwd do`
			`its('users') { should_not include 'forbidden_user' }`
			`end`
add filter to passwd 2016-02-17 11:35:46 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`describe passwd.uids(0) do`
			`its('users') { should cmp 'root' }`
			`its('count') { should eq 1 }`
			`end`
add filter to passwd 2016-02-17 11:35:46 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`describe passwd.shells(/nologin/) do`
			`# find all users with a nologin shell`
			`its('users') { should_not include 'my_login_user' }`
			`end`
			`"`

			`include PasswdParser`

			`attr_reader :params`
			`attr_reader :content`
			`attr_reader :lines`

			`def initialize(path = nil, opts = nil)`
			`opts \|\|= {}`
			`@path = path \|\| '/etc/passwd'`
			`@content = opts[:content] \|\| inspec.file(@path).content`
			`@lines = @content.to_s.split("\n")`
			`@params = parse_passwd(@content)`
add filter to passwd 2016-02-17 11:35:46 +00:00			`end`
migrate passwd and processes Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 19:27:35 +00:00
use filtertable with passwd resource 2016-04-26 12:27:21 +00:00			`filter = FilterTable.create`
			`filter.add_accessor(:where)`
			`.add_accessor(:entries)`
			`.add(:users, field: 'user')`
			`.add(:passwords, field: 'password')`
			`.add(:uids, field: 'uid')`
			`.add(:gids, field: 'gid')`
expose deprecated fields in passwd 2016-04-29 17:10:15 +00:00			`.add(:descs, field: 'desc')`
use filtertable with passwd resource 2016-04-26 12:27:21 +00:00			`.add(:homes, field: 'home')`
			`.add(:shells, field: 'shell')`
add description for passwd file format 2015-07-15 13:15:53 +00:00
expose deprecated fields in passwd 2016-04-29 17:10:15 +00:00			`filter.add(:count) { \|t, _\|`
rename old deprecations that were meant for 1.0 Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2017-04-28 10:08:51 +00:00			warn '[DEPRECATION] `passwd.count` is deprecated. Please use `passwd.entries.length` instead. It will be removed in the next major version.'
expose deprecated fields in passwd 2016-04-29 17:10:15 +00:00			`t.entries.length`
			`}`

			`filter.add(:usernames) { \|t, x\|`
rename old deprecations that were meant for 1.0 Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2017-04-28 10:08:51 +00:00			warn '[DEPRECATION] `passwd.usernames` is deprecated. Please use `passwd.users` instead. It will be removed in the next major version.'
expose deprecated fields in passwd 2016-04-29 17:10:15 +00:00			`t.users(x)`
			`}`
add filter to passwd 2016-02-17 11:35:46 +00:00
expose deprecated fields in passwd 2016-04-29 17:10:15 +00:00			`filter.add(:username) { \|t, x\|`
rename old deprecations that were meant for 1.0 Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2017-04-28 10:08:51 +00:00			warn '[DEPRECATION] `passwd.username` is deprecated. Please use `passwd.users` instead. It will be removed in the next major version.'
expose deprecated fields in passwd 2016-04-29 17:10:15 +00:00			`t.users(x)[0]`
			`}`

			`# rebuild the passwd line from raw content`
			`filter.add(:content) { \|t, _\|`
			`t.entries.map do \|e\|`
			`[e.user, e.password, e.uid, e.gid, e.desc, e.home, e.shell].join(':')`
			`end.join("\n")`
			`}`
add filter to passwd 2016-02-17 11:35:46 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def uid(x)`
rename old deprecations that were meant for 1.0 Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2017-04-28 10:08:51 +00:00			warn '[DEPRECATION] `passwd.uid(arg)` is deprecated. Please use `passwd.uids(arg)` instead. It will be removed in the next major version.'
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`uids(x)`
			`end`
add description for passwd file format 2015-07-15 13:15:53 +00:00
expose deprecated fields in passwd 2016-04-29 17:10:15 +00:00			`filter.connect(self, :params)`
add to_s methods to resources, fixes #98 2015-10-12 11:01:58 +00:00
use filtertable with passwd resource 2016-04-26 12:27:21 +00:00			`def to_s`
			`'/etc/passwd'`
add advanced passwd filters (experimental) 2016-03-30 23:51:43 +00:00			`end`
rewrite passwd resource to extract parser 2015-10-04 15:49:00 +00:00			`end`
refactor types 2015-07-26 10:30:12 +00:00			`end`