inspec/lib/resources/passwd.rb

# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH
# author: Christoph Hartmann
# author: Dominik Richter
# license: All rights reserved

# The file format consists of
# - username
# - password
# - userid
# - groupid
# - user id info
# - home directory
# - command

require 'utils/parser'

class Passwd < Inspec.resource(1)
  name 'passwd'
  desc 'Use the passwd InSpec audit resource to test the contents of /etc/passwd, which contains the following information for users that may log into the system and/or as users that own running processes.'
  example "
    describe passwd do
      its('users') { should_not include 'forbidden_user' }
    end

    describe passwd.uids(0) do
      its('users') { should cmp 'root' }
      its('count') { should eq 1 }
    end

    describe passwd.shells(/nologin/) do
      # find all users with a nologin shell
      its('users') { should_not include 'my_login_user' }
    end
  "

  include PasswdParser

  attr_reader :uid
  attr_reader :params
  attr_reader :content
  attr_reader :lines

  def initialize(path = nil, opts = nil)
    opts ||= {}
    @path = path || '/etc/passwd'
    @content = opts[:content] || inspec.file(@path).content
    @lines = @content.to_s.split("\n")
    @filters = opts[:filters] || ''
    @params = parse_passwd(@content)
  end

  def filter(hm = {})
    return self if hm.nil? || hm.empty?
    res = @params
    filters = ''
    hm.each do |attr, condition|
      condition = condition.to_s if condition.is_a? Integer
      filters += " #{attr} = #{condition.inspect}"
      res = res.find_all do |line|
        case line[attr.to_s]
        when condition
          true
        else
          false
        end
      end
    end
    content = res.map { |x| x.values.join(':') }.join("\n")
    Passwd.new(@path, content: content, filters: @filters + filters)
  end

  def usernames
    warn '[DEPRECATION] `passwd.usernames` is deprecated. Please use `passwd.users` instead. It will be removed in version 1.0.0.'
    users
  end

  def username
    warn '[DEPRECATION] `passwd.user` is deprecated. Please use `passwd.users` instead. It will be removed in version 1.0.0.'
    users[0]
  end

  def uid(x)
    warn '[DEPRECATION] `passwd.uid(arg)` is deprecated. Please use `passwd.uids(arg)` instead. It will be removed in version 1.0.0.'
    uids(x)
  end

  def users(name = nil)
    name.nil? ? map_data('user') : filter(user: name)
  end

  def passwords(password = nil)
    password.nil? ? map_data('password') : filter(password: password)
  end

  def uids(uid = nil)
    uid.nil? ? map_data('uid') : filter(uid: uid)
  end

  def gids(gid = nil)
    gid.nil? ? map_data('gid') : filter(gid: gid)
  end

  def homes(home = nil)
    home.nil? ? map_data('home') : filter(home: home)
  end

  def shells(shell = nil)
    shell.nil? ? map_data('shell') : filter(shell: shell)
  end

  def to_s
    f = @filters.empty? ? '' : ' with'+@filters
    "/etc/passwd#{f}"
  end

  def count
    @params.length
  end

  private

  def map_data(id)
    @params.map { |x| x[id] }
  end
end
update copyright header 2015-07-15 13:15:18 +00:00			`# encoding: utf-8`
			`# copyright: 2015, Vulcano Security GmbH`
add author header 2015-10-06 16:55:44 +00:00			`# author: Christoph Hartmann`
			`# author: Dominik Richter`
update copyright header 2015-07-15 13:15:18 +00:00			`# license: All rights reserved`
add description for passwd file format 2015-07-15 13:15:53 +00:00
			`# The file format consists of`
			`# - username`
			`# - password`
			`# - userid`
			`# - groupid`
			`# - user id info`
			`# - home directory`
			`# - command`

externalize passwd parser 2015-10-04 15:59:13 +00:00			`require 'utils/parser'`

rename vulcanosec -> inspec 2015-10-26 03:04:18 +00:00			`class Passwd < Inspec.resource(1)`
migrate passwd and processes Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 19:27:35 +00:00			`name 'passwd'`
add inline documentation 2015-11-27 13:02:38 +00:00			`desc 'Use the passwd InSpec audit resource to test the contents of /etc/passwd, which contains the following information for users that may log into the system and/or as users that own running processes.'`
			`example "`
add filter to passwd 2016-02-17 11:35:46 +00:00			`describe passwd do`
expose all fields + deprecate singular accessors 2016-02-17 16:49:44 +00:00			`its('users') { should_not include 'forbidden_user' }`
add filter to passwd 2016-02-17 11:35:46 +00:00			`end`

expose all fields + deprecate singular accessors 2016-02-17 16:49:44 +00:00			`describe passwd.uids(0) do`
minor typo fix 2016-02-18 20:12:25 +00:00			`its('users') { should cmp 'root' }`
add inline documentation 2015-11-27 13:02:38 +00:00			`its('count') { should eq 1 }`
			`end`
add filter to passwd 2016-02-17 11:35:46 +00:00
expose all fields + deprecate singular accessors 2016-02-17 16:49:44 +00:00			`describe passwd.shells(/nologin/) do`
			`# find all users with a nologin shell`
			`its('users') { should_not include 'my_login_user' }`
add filter to passwd 2016-02-17 11:35:46 +00:00			`end`
add inline documentation 2015-11-27 13:02:38 +00:00			`"`
add passwd support 2015-07-14 22:47:17 +00:00
more fine-grained utils parser 2015-12-31 00:01:11 +00:00			`include PasswdParser`
externalize passwd parser 2015-10-04 15:59:13 +00:00
improve handling on uid data view 2015-09-05 17:05:18 +00:00			`attr_reader :uid`
add filter to passwd 2016-02-17 11:35:46 +00:00			`attr_reader :params`
			`attr_reader :content`
			`attr_reader :lines`
add passwd support 2015-07-14 22:47:17 +00:00
add filter to passwd 2016-02-17 11:35:46 +00:00			`def initialize(path = nil, opts = nil)`
			`opts \|\|= {}`
migrate passwd and processes Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 19:27:35 +00:00			`@path = path \|\| '/etc/passwd'`
add filter to passwd 2016-02-17 11:35:46 +00:00			`@content = opts[:content] \|\| inspec.file(@path).content`
			`@lines = @content.to_s.split("\n")`
			`@filters = opts[:filters] \|\| ''`
			`@params = parse_passwd(@content)`
migrate passwd and processes Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 19:27:35 +00:00			`end`

add filter to passwd 2016-02-17 11:35:46 +00:00			`def filter(hm = {})`
			`return self if hm.nil? \|\| hm.empty?`
			`res = @params`
			`filters = ''`
			`hm.each do \|attr, condition\|`
expose all fields + deprecate singular accessors 2016-02-17 16:49:44 +00:00			`condition = condition.to_s if condition.is_a? Integer`
add filter to passwd 2016-02-17 11:35:46 +00:00			`filters += " #{attr} = #{condition.inspect}"`
			`res = res.find_all do \|line\|`
			`case line[attr.to_s]`
			`when condition`
			`true`
			`else`
			`false`
			`end`
			`end`
			`end`
			`content = res.map { \|x\| x.values.join(':') }.join("\n")`
expose all fields + deprecate singular accessors 2016-02-17 16:49:44 +00:00			`Passwd.new(@path, content: content, filters: @filters + filters)`
refactor types 2015-07-26 10:30:12 +00:00			`end`
add description for passwd file format 2015-07-15 13:15:53 +00:00
refactor types 2015-07-26 10:30:12 +00:00			`def usernames`
expose all fields + deprecate singular accessors 2016-02-17 16:49:44 +00:00			warn '[DEPRECATION] `passwd.usernames` is deprecated. Please use `passwd.users` instead. It will be removed in version 1.0.0.'
add filter to passwd 2016-02-17 11:35:46 +00:00			`users`
			`end`

ensure deprecated methods still work 2016-02-18 11:00:34 +00:00			`def username`
expose all fields + deprecate singular accessors 2016-02-17 16:49:44 +00:00			warn '[DEPRECATION] `passwd.user` is deprecated. Please use `passwd.users` instead. It will be removed in version 1.0.0.'
ensure deprecated methods still work 2016-02-18 11:00:34 +00:00			`users[0]`
add filter to passwd 2016-02-17 11:35:46 +00:00			`end`

expose all fields + deprecate singular accessors 2016-02-17 16:49:44 +00:00			`def uid(x)`
			warn '[DEPRECATION] `passwd.uid(arg)` is deprecated. Please use `passwd.uids(arg)` instead. It will be removed in version 1.0.0.'
			`uids(x)`
refactor types 2015-07-26 10:30:12 +00:00			`end`
add description for passwd file format 2015-07-15 13:15:53 +00:00
expose all fields + deprecate singular accessors 2016-02-17 16:49:44 +00:00			`def users(name = nil)`
			`name.nil? ? map_data('user') : filter(user: name)`
refactor types 2015-07-26 10:30:12 +00:00			`end`
add description for passwd file format 2015-07-15 13:15:53 +00:00
expose all fields + deprecate singular accessors 2016-02-17 16:49:44 +00:00			`def passwords(password = nil)`
			`password.nil? ? map_data('password') : filter(password: password)`
add filter to passwd 2016-02-17 11:35:46 +00:00			`end`

expose all fields + deprecate singular accessors 2016-02-17 16:49:44 +00:00			`def uids(uid = nil)`
			`uid.nil? ? map_data('uid') : filter(uid: uid)`
refactor types 2015-07-26 10:30:12 +00:00			`end`
add passwd support 2015-07-14 22:47:17 +00:00
expose all fields + deprecate singular accessors 2016-02-17 16:49:44 +00:00			`def gids(gid = nil)`
			`gid.nil? ? map_data('gid') : filter(gid: gid)`
add filter to passwd 2016-02-17 11:35:46 +00:00			`end`

expose all fields + deprecate singular accessors 2016-02-17 16:49:44 +00:00			`def homes(home = nil)`
			`home.nil? ? map_data('home') : filter(home: home)`
refactor types 2015-07-26 10:30:12 +00:00			`end`
add passwd support 2015-07-14 22:47:17 +00:00
expose all fields + deprecate singular accessors 2016-02-17 16:49:44 +00:00			`def shells(shell = nil)`
			`shell.nil? ? map_data('shell') : filter(shell: shell)`
add filter to passwd 2016-02-17 11:35:46 +00:00			`end`

add to_s methods to resources, fixes #98 2015-10-12 11:01:58 +00:00			`def to_s`
add filter to passwd 2016-02-17 11:35:46 +00:00			`f = @filters.empty? ? '' : ' with'+@filters`
			`"/etc/passwd#{f}"`
			`end`

			`def count`
			`@params.length`
add to_s methods to resources, fixes #98 2015-10-12 11:01:58 +00:00			`end`

migrate passwd and processes Signed-off-by: Dominik Richter <dominik.richter@gmail.com> 2015-08-28 19:27:35 +00:00			`private`

rewrite passwd resource to extract parser 2015-10-04 15:49:00 +00:00			`def map_data(id)`
expose all fields + deprecate singular accessors 2016-02-17 16:49:44 +00:00			`@params.map { \|x\| x[id] }`
rewrite passwd resource to extract parser 2015-10-04 15:49:00 +00:00			`end`
refactor types 2015-07-26 10:30:12 +00:00			`end`