# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH
# author: Christoph Hartmann
# author: Dominik Richter
# license: All rights reserved
# The file format consists of
# - username
# - password
# - userid
# - groupid
# - user id info
# - home directory
# - command
require 'utils/parser'
require 'utils/filter'
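module Inspec::Resources
  # Audit resource for passwd(5)-style files. Each parsed entry exposes the
  # seven colon-separated fields (user, password, uid, gid, desc, home, shell)
  # through the FilterTable accessors declared below.
  class Passwd < Inspec.resource(1)
    name 'passwd'
    desc 'Use the passwd InSpec audit resource to test the contents of /etc/passwd, which contains the following information for users that may log into the system and/or as users that own running processes.'
    example "
      describe passwd do
        its('users') { should_not include 'forbidden_user' }
      end

      describe passwd.uids(0) do
        its('users') { should cmp 'root' }
        its('count') { should eq 1 }
      end

      describe passwd.shells(/nologin/) do
        # find all users with a nologin shell
        its('users') { should_not include 'my_login_user' }
      end
    "

    include PasswdParser

    # params  - entries produced by PasswdParser#parse_passwd (backs the filter table)
    # content - raw text of the audited file, or the injected opts[:content]
    # lines   - content split on "\n" (empty array when content is nil)
    attr_reader :params, :content, :lines

    # @param path [String, nil] file to audit; defaults to /etc/passwd
    # @param opts [Hash, nil] pass :content to audit a string instead of reading
    #   the file from the target (e.g. in unit tests)
    def initialize(path = nil, opts = nil)
      opts ||= {}
      @path = path || '/etc/passwd'
      # Injected content takes precedence over the file read, so the resource
      # can be exercised without touching the target's filesystem.
      @content = opts[:content] || inspec.file(@path).content
      # .to_s keeps @lines an Array when the file is absent/unreadable (nil content).
      @lines = @content.to_s.split("\n")
      # NOTE(review): parse_passwd receives the raw (possibly nil) content —
      # confirm the parser tolerates nil; it is defined in utils/parser.
      @params = parse_passwd(@content)
    end

    # Column accessors: each takes an optional matcher (value or regex) and
    # returns a filtered table; `where` and `entries` come from FilterTable.
    filter = FilterTable.create
    filter.add_accessor(:where)
          .add_accessor(:entries)
          .add(:users, field: 'user')
          # On shadowed systems this column normally holds a placeholder
          # ('x'); an empty value or an actual hash here is what an audit
          # would want to flag.
          .add(:passwords, field: 'password')
          .add(:uids, field: 'uid')
          .add(:gids, field: 'gid')
          .add(:descs, field: 'desc')
          .add(:homes, field: 'home')
          .add(:shells, field: 'shell')

    # Deprecated aliases kept for backward compatibility; each emits a
    # deprecation warning and forwards to the replacement accessor.
    filter.add(:count) { |t, _|
      warn '[DEPRECATION] `passwd.count` is deprecated. Please use `passwd.entries.length` instead. It will be removed in version 1.0.0.'
      t.entries.length
    }
    filter.add(:usernames) { |t, x|
      warn '[DEPRECATION] `passwd.usernames` is deprecated. Please use `passwd.users` instead. It will be removed in version 1.0.0.'
      t.users(x)
    }
    filter.add(:username) { |t, x|
      warn '[DEPRECATION] `passwd.username` is deprecated. Please use `passwd.users` instead. It will be removed in version 1.0.0.'
      # Only the first matching user name is returned (nil when none match).
      t.users(x)[0]
    }

    # Rebuild the passwd text from the (possibly filtered) entries, one
    # colon-joined line per entry, in field order.
    filter.add(:content) { |t, _|
      t.entries.map do |e|
        [e.user, e.password, e.uid, e.gid, e.desc, e.home, e.shell].join(':')
      end.join("\n")
    }

    # @deprecated use #uids
    def uid(x)
      warn '[DEPRECATION] `passwd.uid(arg)` is deprecated. Please use `passwd.uids(arg)` instead. It will be removed in version 1.0.0.'
      uids(x)
    end

    # Expose the accessors above on this resource, backed by @params.
    filter.connect(self, :params)

    # Used in report output. Returns the path actually audited instead of a
    # hard-coded '/etc/passwd', so instances built with a custom path are
    # distinguishable (identical to the old value for the default path).
    def to_s
      @path
    end
  end
end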