Remove deprecations for InSpec 2.0 (#2506)

* Add `release-2.0` target branch to AppVeyor/Travis (#2510)

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* simpleconfig: Remove deprecated config keys

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* cli (exec): Remove `--cache` command line argument

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* platform: Remove lowercase os name protection

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* matcher: Remove `contain_legacy_plus` matcher

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* matcher: Remove `contain_match` matcher

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* matcher: Remove `with_version` matcher

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* matcher: Remove `belong_to_group` matcher

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* matcher: Remove `belong_to_primary_group` matcher

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* matcher: Remove `contain` matcher

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* passwd: Remove deprecated properties

This removes:
  - `passwd.count`
  - `passwd.username`
  - `passwd.usernames`
  - `passwd.uid`

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* auditd_rules: Remove in favor of `auditd` resource

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* cli: Remove `login_automate` command

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>

* Remove `resource_skipped` message method

Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com>
This commit is contained in:
Jerry Aldrich 2018-02-08 10:05:21 +00:00 committed by Christoph Hartmann
parent b40876715f
commit 84817366a1
20 changed files with 7 additions and 675 deletions

View file

@ -1,116 +0,0 @@
---
title: About the auditd_rules Resource
---
# auditd_rules
Use the `auditd_rules` InSpec audit resource to test the rules for logging that exist on the system. The `audit.rules` file is typically located under `/etc/audit/` and contains the list of rules that define what is captured in log files. This resource uses `auditctl` to query the run-time `auditd` rules setup, which may be different from `audit.rules`.
<br>
## Syntax
An `auditd_rules` resource block declares one (or more) rules to be tested, and then what that rule should do. The syntax depends on the version of `audit`:
For `audit` >= 2.3:
describe auditd_rules do
its('lines') { should contain_match(rule) }
end
For `audit` < 2.3:
describe audit_daemon_rules do
its("LIST_RULES") {
rule
}
end
For example:
describe auditd_rules do
its('LIST_RULES') { should eq [
'exit,always syscall=rmdir,unlink',
'exit,always auid=1001 (0x3e9) syscall=open',
'exit,always watch=/etc/group perm=wa',
'exit,always watch=/etc/passwd perm=wa',
'exit,always watch=/etc/shadow perm=wa',
'exit,always watch=/etc/sudoers perm=wa',
'exit,always watch=/etc/secret_directory perm=r',
] }
end
or test that individual rules are defined:
describe auditd_rules do
its('LIST_RULES') {
should contain_match(/^exit,always watch=\/etc\/group perm=wa key=identity/)
}
its('LIST_RULES') {
should contain_match(/^exit,always watch=\/etc\/passwd perm=wa key=identity/)
}
its('LIST_RULES') {
should contain_match(/^exit,always watch=\/etc\/gshadow perm=wa key=identity/)
}
its('LIST_RULES') {
should contain_match(/^exit,always watch=\/etc\/shadow perm=wa key=identity/)
}
its('LIST_RULES') {
should contain_match(/^exit,always watch=\/etc\/security\/opasswd perm=wa key=identity/)
}
end
where each test must declare one (or more) rules to be tested.
<br>
## Examples
The following examples show how to use this InSpec audit resource.
### Test if a rule contains a matching element that is identified by a regular expression
For `audit` >= 2.3:
describe auditd_rules do
its('lines') { should contain_match(%r{-w /etc/ssh/sshd_config/}) }
end
For `audit` < 2.3:
describe audit_daemon_rules do
its("LIST_RULES") {
should contain_match(/^exit,always arch=.*\
key=time-change\
syscall=adjtimex,settimeofday/)
}
end
### Query the audit daemon status
describe auditd_rules.status('backlog') do
it { should cmp 0 }
end
### Query properties of rules targeting specific syscalls or files
describe auditd_rules.syscall('open').action do
it { should eq(['always']) }
end
describe auditd_rules.key('sshd_config') do
its('permissions') { should contain_match(/x/) }
end
Filters may be chained. For example:
describe auditd_rules.syscall('open').action('always').list do
it { should eq(['exit']) }
end
<br>
## Matchers
For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).
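Review bot: deleting this page leaves the `status`, `syscall`, `key` and `file` queries (the "Query the audit daemon status" and "Query properties of rules" sections) without a documented replacement, and none of the commit's seven added lines points readers to the `auditd` resource that the commit message names as the successor. Suggest a short upgrade note mapping each removed query to its `auditd` equivalent, so that profiles checking watches on `/etc/passwd`, `/etc/shadow` and `/etc/sudoers` are ported rather than dropped.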

View file

@ -46,38 +46,6 @@ module Compliance
Compliance::API.login(options)
end
desc "login_automate https://SERVER --insecure --user='USER' --ent='ENTERPRISE' --usertoken='TOKEN'", 'Log in to a Chef Automate SERVER (DEPRECATED: Please use `login`)'
long_desc <<-LONGDESC
This commmand is deprecated and will be removed, please use `--login`.
`login_automate` allows you to use InSpec with Chef Automate.
You need to a token for communication. More information about token retrieval
is available at:
https://docs.chef.io/api_automate.html#authentication-methods
https://docs.chef.io/api_compliance.html#obtaining-an-api-token
LONGDESC
option :insecure, aliases: :k, type: :boolean,
desc: 'Explicitly allows InSpec to perform "insecure" SSL connections and transfers'
option :user, type: :string, required: true,
desc: 'Username'
option :usertoken, type: :string, required: false,
desc: 'Access token (DEPRECATED: Please use `--token`)'
option :token, type: :string, required: false,
desc: 'Access token'
option :dctoken, type: :string, required: false,
desc: 'Data Collector token'
option :ent, type: :string, required: true,
desc: 'Enterprise for Chef Automate reporting'
def login_automate(server)
warn '[DEPRECATION] `inspec compliance login_automate` is deprecated. Please use `inspec compliance login`'
options['server'] = server
options['token'] = options['usertoken'] if options['usertoken']
Compliance::API.login(options)
end
desc 'profiles', 'list all available profiles in Chef Compliance'
option :owner, type: :string, required: false,
desc: 'owner whose profiles to list'
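Review bot: removing `login_automate` also removes the only visible mapping from `--usertoken` to `options['token']` (the `options['token'] = options['usertoken'] if options['usertoken']` line), so existing scripts need both a different subcommand and a different flag. The removed help text says to use `--login` while the runtime warning says `inspec compliance login`; the release notes should give the exact replacement invocation, including `--token`, so that automation does not fail at login and skip its scan.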

View file

@ -63,8 +63,6 @@ module Inspec
desc: 'Use colors in output.'
option :attrs, type: :array,
desc: 'Load attributes file (experimental)'
option :cache, type: :string,
desc: '[DEPRECATED] Please use --vendor-cache - this will be removed in InSpec 2.0'
option :vendor_cache, type: :string,
desc: 'Use the given path for caching dependencies. (default: ~/.inspec/cache)'
option :create_lockfile, type: :boolean,
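Review bot: with `option :cache` gone, it is worth confirming that `inspec exec --cache PATH` now fails with an unknown-option error rather than being accepted and ignored. If it is ignored, dependencies fall back to the default `~/.inspec/cache` named in the `--vendor-cache` description without any message. A functional test asserting a non-zero exit for `--cache` would pin this down.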

View file

@ -156,13 +156,6 @@ class Inspec::InspecCLI < Inspec::BaseCLI
o = opts(:exec).dup
configure_logger(o)
# check for deprecated --cache
# TODO: REMOVE for inspec 2.0
if o.key?('cache')
o[:vendor_cache] = o[:cache]
o[:logger].warn '[DEPRECATED] The use of `--cache` is being deprecated in InSpec 2.0. Please use `--vendor-cache` instead.'
end
# run tests
run_tests(targets, o)
rescue StandardError => e

View file

@ -43,8 +43,8 @@ module Inspec
Inspec::Resource.registry
end
def __register(name, obj) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
cl = Class.new(obj) do # rubocop:disable Metrics/BlockLength
def __register(name, obj) # rubocop:disable Metrics/MethodLength
cl = Class.new(obj) do
attr_reader :resource_exception_message
def initialize(backend, name, *args)
@ -94,13 +94,6 @@ module Inspec
@resource_skipped
end
def resource_skipped
warn('[DEPRECATION] Use `resource_exception_message` for the resource skipped message. This method will be removed in InSpec 2.0.')
# Returning `nil` here to match previous behavior
return nil if @resource_skipped == false
@resource_exception_message
end
def fail_resource(message)
@resource_failed = true
@resource_exception_message = message
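Review bot: the removed `resource_skipped` method returned `nil` or `@resource_exception_message`, and custom resources outside this repository that still call it will now raise `NoMethodError` at the call site. Suggest a changelog entry naming `resource_exception_message` as the replacement, as the removed warning did.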

View file

@ -86,7 +86,6 @@ require 'resources/apt'
require 'resources/audit_policy'
require 'resources/auditd'
require 'resources/auditd_conf'
require 'resources/auditd_rules'
require 'resources/bash'
require 'resources/bond'
require 'resources/bridge'

View file

@ -66,25 +66,6 @@ RSpec::Matchers.define :be_executable do
end
end
# matcher to check /etc/passwd, /etc/shadow and /etc/group
RSpec::Matchers.define :contain_legacy_plus do
match do |file|
warn '[DEPRECATION] `contain_legacy_plus` is deprecated and will be removed in the next major version. Please use `describe file(\'/etc/passwd\') do its(\'content\') { should_not match /^\+:/ } end`'
file.content =~ /^\+:/
end
end
# verifies that no entry in an array contains a value
RSpec::Matchers.define :contain_match do |regex|
match do |arr|
warn '[DEPRECATION] `contain_match` is deprecated and will be removed in the next major version. See https://github.com/chef/inspec/issues/738 for more details'
arr.inject { |result, i|
result = i.match(regex)
result || i.match(/$/)
}
end
end
RSpec::Matchers.define :contain_duplicates do
match do |arr|
dup = arr.select { |element| arr.count(element) > 1 }
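Review bot: the removed `contain_match` body ends each iteration with `result || i.match(/$/)`, and `/$/` matches every string, so the matcher was truthy for any non-empty array of strings and controls written with it could not fail. Removing it is right, but its warning only linked to issue 738 and gave no replacement syntax, so the upgrade notes should say how to rewrite these checks and that results may change from passing to failing once they are rewritten.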
@ -105,11 +86,6 @@ RSpec::Matchers.define :be_installed do
chain :by do
raise "[UNSUPPORTED] Please use the new resources 'gem', 'npm' or 'pip'."
end
chain :with_version do |version|
warn "[DEPRECATION] `with_version` is deprecated. Please use `its('version') { should eq '1.4.1' }` instead."
@version = version
end
end
# for services
@ -143,32 +119,6 @@ RSpec::Matchers.define :be_running do
end
end
# user resource matcher for serverspec compatibility
# Deprecated: You should not use this matcher anymore
RSpec::Matchers.define :belong_to_group do |compare_group|
match do |user|
warn "[DEPRECATION] `belong_to_group` is deprecated. Please use `its('groups') { should include('root') }` instead."
user.groups.include?(compare_group)
end
failure_message do |group|
"expected that the user belongs to group `#{group}`"
end
end
# user resource matcher for serverspec compatibility
# Deprecated: You should not use this matcher anymore
RSpec::Matchers.define :belong_to_primary_group do |compare_group|
match do |user|
warn "[DEPRECATION] `belong_to_primary_group` is deprecated. Please use `its('group') { should eq 'root' }` instead."
user.group == compare_group
end
failure_message do |group|
"expected that the user belongs to primary group `#{group}`"
end
end
# matcher to check if host is reachable
RSpec::Matchers.define :be_reachable do
match do |host|
@ -214,14 +164,6 @@ RSpec::Matchers.define :have_rule do |rule|
end
end
# deprecated
RSpec::Matchers.define :contain do |rule|
match do |resource|
warn "[DEPRECATION] `contain` matcher. Please use the following syntax `its('content') { should include('value') }`."
expect(resource).to include(rule)
end
end
# `be_in` matcher
# You can use it in the following cases:
# - check if an item or array is included in a given array

View file

@ -1,205 +0,0 @@
# encoding: utf-8
# copyright: 2015, Vulcano Security GmbH
# author: Christoph Hartmann
# author: Dominik Richter
require 'forwardable'
require 'utils/filter_array'
module Inspec::Resources
class AuditdRulesLegacy
def initialize(content)
@content = content
@opts = {
assignment_regex: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
multiple_values: true,
}
end
def params
@params ||= SimpleConfig.new(@content, @opts).params
end
def method_missing(name)
params[name.to_s]
end
def status(name)
@status_opts = {
assignment_regex: /^\s*([^:]*?)\s*:\s*(.*?)\s*$/,
multiple_values: false,
}
@status_content ||= inspec.command('/sbin/auditctl -s').stdout.chomp
@status_params = SimpleConfig.new(@status_content, @status_opts).params
status = @status_params['AUDIT_STATUS']
return nil if status.nil?
items = Hash[status.scan(/([^=]+)=(\w*)\s*/)]
items[name]
end
def to_s
'Audit Daemon Rules (for auditd version < 2.3)'
end
end
class AuditDaemonRules < Inspec.resource(1)
extend Forwardable
attr_accessor :rules, :lines
name 'auditd_rules'
desc 'Use the auditd_rules InSpec audit resource to test the rules for logging that exist on the system. The audit.rules file is typically located under /etc/audit/ and contains the list of rules that define what is captured in log files.'
example "
# syntax for auditd < 2.3
describe auditd_rules do
its('LIST_RULES') {should contain_match(/^exit,always arch=.* key=time-change syscall=adjtimex,settimeofday/) }
its('LIST_RULES') {should contain_match(/^exit,always arch=.* key=time-change syscall=stime,settimeofday,adjtimex/) }
its('LIST_RULES') {should contain_match(/^exit,always arch=.* key=time-change syscall=clock_settime/)}
its('LIST_RULES') {should contain_match(/^exit,always watch=\/etc\/localtime perm=wa key=time-change/)}
end
# syntax for auditd >= 2.3
describe auditd_rules.syscall('open').action do
it { should eq(['always']) }
end
describe auditd_rules.key('sshd_config') do
its('permissions') { should contain_match(/x/) }
end
describe auditd_rules do
its('lines') { should contain_match(%r{-w /etc/ssh/sshd_config/}) }
end
"
def initialize
@content = inspec.command('/sbin/auditctl -l').stdout.chomp
if @content =~ /^LIST_RULES:/
# do not warn on centos 5
unless inspec.os[:name] == 'centos' && inspec.os[:release].to_i == 5
warn '[WARN] this version of auditd is outdated. Updating it allows for using more precise matchers.'
end
@legacy = AuditdRulesLegacy.new(@content)
else
parse_content
@legacy = nil
end
warn '[DEPRECATION] The `auditd_rules` resource is deprecated and will be removed in InSpec 2.0. Use the `auditd` resource instead.'
end
# non-legacy instances are not asked for `its('LIST_RULES')`
# rubocop:disable Style/MethodName
def LIST_RULES
return @legacy.LIST_RULES if @legacy
raise 'Using legacy auditd_rules LIST_RULES interface with non-legacy audit package. Please use the new syntax.'
end
def status(name = nil)
return @legacy.status(name) if @legacy
@status_content ||= inspec.command('/sbin/auditctl -s').stdout.chomp
@status_params ||= Hash[@status_content.scan(/^([^ ]+) (.*)$/)]
return @status_params[name] if name
@status_params
end
def parse_content
@rules = {
syscalls: [],
files: [],
}
@lines = @content.lines.map(&:chomp)
lines.each do |line|
if is_syscall?(line)
syscalls = get_syscalls line
action, list = get_action_list line
fields, opts = get_fields line
# create a 'flatter' structure because sanity
syscalls.each do |s|
@rules[:syscalls] << { syscall: s, list: list, action: action, fields: fields }.merge(opts)
end
elsif is_file?(line)
file = get_file line
perms = get_permissions line
key = get_key line
@rules[:files] << { file: file, key: key, permissions: perms }
end
end
end
def syscall(name)
select_name(:syscall, name)
end
def file(name)
select_name(:file, name)
end
# both files and syscalls have `key` identifiers
def key(name)
res = rules.values.flatten.find_all { |rule| rule[:key] == name }
FilterArray.new(res)
end
def to_s
'Audit Daemon Rules'
end
private
def select_name(key, name)
plural = "#{key}s".to_sym
res = rules[plural].find_all { |rule| rule[key] == name }
FilterArray.new(res)
end
def is_syscall?(line)
line.match(/\ -S /)
end
def is_file?(line)
line.match(/-w /)
end
def get_syscalls(line)
line.scan(/-S ([^ ]+) /).flatten.first.split(',')
end
def get_action_list(line)
line.scan(/-a ([^,]+),([^ ]+)/).flatten
end
# NB only in file lines
def get_key(line)
line.match(/-k ([^ ]+)/)[1] if line.include?('-k ')
end
# NOTE there are NO precautions wrt. filenames containing spaces in auditctl
# `auditctl -w /foo\ bar` gives the following line: `-w /foo bar -p rwxa`
def get_file(line)
line.match(/-w (.+) -p/)[1]
end
def get_permissions(line)
line.match(/-p ([^ ]+)/)[1]
end
def get_fields(line)
fields = line.gsub(/-[aS] [^ ]+ /, '').split('-F ').map { |l| l.split(' ') }.flatten
opts = {}
fields.find_all { |x| x.match(/[a-z]+=.*/) }.each do |kv|
k, v = kv.split('=')
opts[k.to_sym] = v
end
[fields, opts]
end
end
end

View file

@ -26,7 +26,6 @@ module Inspec::Resources
describe passwd.uids(0) do
its('users') { should cmp 'root' }
its('count') { should eq 1 }
end
describe passwd.shells(/nologin/) do
@ -60,21 +59,6 @@ module Inspec::Resources
.add(:homes, field: 'home')
.add(:shells, field: 'shell')
filter.add(:count) { |t, _|
warn '[DEPRECATION] `passwd.count` is deprecated. Please use `passwd.entries.length` instead. It will be removed in the next major version.'
t.entries.length
}
filter.add(:usernames) { |t, x|
warn '[DEPRECATION] `passwd.usernames` is deprecated. Please use `passwd.users` instead. It will be removed in the next major version.'
t.users(x)
}
filter.add(:username) { |t, x|
warn '[DEPRECATION] `passwd.username` is deprecated. Please use `passwd.users` instead. It will be removed in the next major version.'
t.users(x)[0]
}
# rebuild the passwd line from raw content
filter.add(:content) { |t, _|
t.entries.map do |e|
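Review bot: the removed `username` filter returned `t.users(x)[0]`, a single string, while its deprecation text pointed to `passwd.users`, which the specs in this commit show returning an array (`must_equal ['root']`). A control that compared `username` with `eq 'root'` needs `cmp` or an array on the right-hand side after migration; the upgrade notes should say so, since a literal rename turns a passing check into a failing one.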
@ -82,11 +66,6 @@ module Inspec::Resources
end.join("\n")
}
def uid(x)
warn '[DEPRECATION] `passwd.uid(arg)` is deprecated. Please use `passwd.uids(arg)` instead. It will be removed in the next major version.'
uids(x)
end
filter.connect(self, :params)
def to_s

View file

@ -25,22 +25,8 @@ module Inspec::Resources
end
end
# This is a string override for platform.name.
# TODO: removed in inspec 2.0
class NameCleaned < String
def ==(other)
if other =~ /[A-Z ]/
cleaned = other.downcase.tr(' ', '_')
Inspec::Log.warn "[DEPRECATED] Platform names will become lowercase in InSpec 2.0. Please match on '#{cleaned}' instead of '#{other}'"
super(cleaned)
else
super(other)
end
end
end
def name
NameCleaned.new(@platform.name)
@platform.name
end
def [](key)
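Review bot: with `NameCleaned` removed, `name` returns the raw `@platform.name`, so a comparison against a mixed-case or spaced name changes from true with a warning to false with no message. Where that comparison guards a control, the control stops running instead of failing. Suggest calling this out in the release notes and adding a spec that such a comparison is now false, since the removed `NamedCleaned` specs are not replaced.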

View file

@ -54,18 +54,6 @@ class SimpleConfig
end
def parse_params_line(line, opts)
# Deprecation handling
if opts.key?(:assignment_re)
warn '[DEPRECATION] `:assignment_re` is deprecated in favor of `:assignment_regex` '\
'and will be removed in the next major version. See: https://github.com/chef/inspec/issues/1709'
opts[:assignment_regex] = opts[:assignment_re]
end
if opts.key?(:key_vals)
warn '[DEPRECATION] `:key_vals` is deprecated in favor of `:key_values` '\
'and will be removed in the next major version. See: https://github.com/chef/inspec/issues/1709'
opts[:key_values] = opts[:key_vals]
end
# now line contains what we are interested in parsing
# check if it is an assignment
m = opts[:assignment_regex].match(line)
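Review bot: after this removal `parse_params_line` reads `opts[:assignment_regex]` directly, so a caller still passing `:assignment_re` or `:key_vals` is ignored without a message; whether `:assignment_regex` then falls back to a default or is `nil` at `.match(line)` is not visible in this hunk. Suggest rejecting unknown option keys in `SimpleConfig`, or at least adding a spec that covers the old keys, so a config file is not parsed with the wrong pattern unnoticed.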

View file

@ -1,32 +0,0 @@
# encoding: utf-8
# based on operating system we select the available service
return unless os[:family] == 'centos'
describe auditd_rules.syscall('open') do
its('action') { should eq(['always']) }
end
describe auditd_rules.syscall('open').action do
it { should eq(['always']) }
end
describe auditd_rules.key('sshd_config') do
its('permissions') { should contain_match(/x/) }
end
describe auditd_rules.file('/etc/ssh/sshd_config').permissions do
it { should eq(['rwxa']) }
end
describe auditd_rules do
its('lines') { should contain_match(%r{-w /etc/ssh/sshd_config/}) }
end
describe auditd_rules.syscall('open').action('always').list do
it { should eq(['exit']) }
end
describe auditd_rules.status('backlog') do
it { should cmp 0 }
end

View file

@ -25,7 +25,7 @@ if os.linux?
it { should cmp 'x' }
end
describe passwd.usernames do
describe passwd.users do
it { should include 'root' }
it { should_not cmp 'root' }
end

View file

@ -117,7 +117,6 @@ if os.unix?
its('content') { should eq 'hello world' }
its('content') { should match('world') }
its('content') { should contain('hello') }
its('content') { should include('hello') }
its('size') { should eq 11 }
its('md5sum') { should eq '5eb63bbbe01eeed093cb22bb8f5acdc3' }

View file

@ -111,12 +111,5 @@ describe 'resource exception' do
it 'does not affect regular FilterTable usage' do
checks[12][0][1][0].another_filter.must_equal ['example']
end
end
describe 'when using deprecated `resource_skip` method' do
it 'warns the user' do
_, err = capture_io { checks[0][0][1][0].resource_skipped }
err.must_match(/DEPRECATION/)
end
end
end

View file

@ -1,106 +0,0 @@
# encoding: utf-8
# author: Christoph Hartmann
# author: Dominik Richter
require 'helper'
require 'inspec/resource'
describe 'Inspec::Resources::AuditDaemonRules' do
it 'auditd_rules interface' do
resource = MockLoader.new(:centos7).load_resource('auditd_rules')
_(resource.send('lines')).must_equal [
'-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -F key=access',
'-a always,exit -F arch=b32 -S open,openat -F exit=-EPERM -F key=access',
'-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 f24!=0 -F key=perm_mod',
'-a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged',
'-a always,exit -S all -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged',
'-w /etc/ssh/sshd_config -p rwxa -k CFG_sshd_config',
'-w /etc/sudoers -p wa',
'-w /etc/private-keys -p x',
]
end
it 'auditd_rules syscall interface' do
resource = MockLoader.new(:centos7).load_resource('auditd_rules')
_(resource.send('syscall', 'open').send('rules')).must_equal [
{:syscall=>"open", :list=>"exit", :action=>"always", :fields=>["arch=b64", "exit=-EACCES", "key=access"], :arch=>"b64", :exit=>"-EACCES", :key=>"access"},
{:syscall=>"open", :list=>"exit", :action=>"always", :fields=>["arch=b32", "exit=-EPERM", "key=access"], :arch=>"b32", :exit=>"-EPERM", :key=>"access"}
]
end
it 'auditd_rules syscall query chaining' do
resource = MockLoader.new(:centos7).load_resource('auditd_rules')
_(resource.send('syscall', 'open').field('key', 'access').send('rules')).must_equal [
{:syscall=>"open", :list=>"exit", :action=>"always", :fields=>["arch=b64", "exit=-EACCES", "key=access"], :arch=>"b64", :exit=>"-EACCES", :key=>"access"},
{:syscall=>"open", :list=>"exit", :action=>"always", :fields=>["arch=b32", "exit=-EPERM", "key=access"], :arch=>"b32", :exit=>"-EPERM", :key=>"access"}
]
end
it 'auditd_rules syscall query chaining with short syntax' do
resource = MockLoader.new(:centos7).load_resource('auditd_rules')
_(resource.send('syscall', 'open').key('access').list('exit').send('rules')).must_equal [
{:syscall=>"open", :list=>"exit", :action=>"always", :fields=>["arch=b64", "exit=-EACCES", "key=access"], :arch=>"b64", :exit=>"-EACCES", :key=>"access"},
{:syscall=>"open", :list=>"exit", :action=>"always", :fields=>["arch=b32", "exit=-EPERM", "key=access"], :arch=>"b32", :exit=>"-EPERM", :key=>"access"}
]
end
it 'check auditd_rules syscall query chaining empty results' do
resource = MockLoader.new(:centos7).load_resource('auditd_rules')
_(resource.send('syscall', 'open').field('key', 'access').field('foo', 'bar').send('rules')).must_equal []
end
it 'check auditd_rules file interface' do
resource = MockLoader.new(:centos7).load_resource('auditd_rules')
_(resource.send('file', '/etc/ssh/sshd_config').send('rules')).must_equal [
{ file: '/etc/ssh/sshd_config', key: 'CFG_sshd_config', permissions: 'rwxa'},
]
end
it 'check auditd_rules key interface' do
resource = MockLoader.new(:centos7).load_resource('auditd_rules')
_(resource.send('key', 'CFG_sshd_config').send('rules')).must_equal [
{ file: '/etc/ssh/sshd_config', key: 'CFG_sshd_config', permissions: 'rwxa'},
]
end
it 'check auditd_rules file interface with no keys' do
resource = MockLoader.new(:centos7).load_resource('auditd_rules')
_(resource.send('file', '/etc/private-keys').send('rules')).must_equal [
{ file: '/etc/private-keys', key: nil, permissions: 'x'},
]
end
it 'check auditd_rules status interface' do
resource = MockLoader.new(:centos7).load_resource('auditd_rules')
_(resource.send('status')).must_equal({
'enabled' => '1',
'flag' => '2',
'pid' => '547',
'rate_limit' => '0',
'backlog_limit' => '8192',
'lost' => '0',
'backlog' => '0',
'loginuid_immutable' => '0 unlocked',
})
end
it 'check auditd_rules status interface querying a key' do
resource = MockLoader.new(:centos7).load_resource('auditd_rules')
_(resource.send('status', 'enabled')).must_equal('1')
end
# TODO(sr) figure out how to feed resource the legacy auditctl mock cmd output
# it 'check legacy audit policy parsing' do
# resource = MockLoader.new(:undefined).load_resource('auditd_rules')
# _(resource.send('LIST_RULES')).must_equal [
# 'exit,always syscall=rmdir,unlink',
# 'exit,always auid=1001 (0x3e9) syscall=open',
# 'exit,always watch=/etc/group perm=wa',
# 'exit,always watch=/etc/passwd perm=wa',
# 'exit,always watch=/etc/shadow perm=wa',
# 'exit,always watch=/etc/sudoers perm=wa',
# 'exit,always watch=/etc/secret_directory perm=r',
# ]
# end
end

View file

@ -72,7 +72,7 @@ describe 'Inspec::Resources::Package' do
_(resource.info).must_equal pkg
end
it 'can add to `resource_skipped` when `--rpmdb` path does not exist' do
it 'can set `resource_skipped` when `--rpmdb` path does not exist' do
resource = MockLoader.new(:centos7).load_resource(
'package',
'curl',

View file

@ -47,7 +47,7 @@ describe 'Inspec::Resources::Passwd' do
it 'retrieves singular elements instead of arrays when filter has only one entry' do
_(child.users).must_equal ['root']
_(child.count).must_equal 1
_(child.entries.length).must_equal 1
end
end
@ -55,7 +55,7 @@ describe 'Inspec::Resources::Passwd' do
let(:child) { passwd.users(/^www/) }
it 'filters by user via name (regex)' do
_(child.users).must_equal ['www-data']
_(child.count).must_equal 1
_(child.entries.length).must_equal 1
end
it 'prints a nice to_s string' do
@ -63,20 +63,6 @@ describe 'Inspec::Resources::Passwd' do
end
end
describe 'deprecated calls' do
it 'retrieves a username via uid' do
_(passwd.uid(0).username).must_equal 'root'
end
it 'retrieves a usercount via uid' do
_(passwd.uid(0).count).must_equal 1
end
it 'retrieves usernames' do
_(passwd.usernames).must_equal ['root', 'www-data']
end
end
describe 'where clause' do
it 'retrieves username via uids < x' do
_(passwd.where { uid.to_i < 33 }.entries.length).must_equal 1

View file

@ -6,25 +6,6 @@ require 'inspec/resource'
describe 'Inspec::Resources::Platform' do
let(:resource) { resource = MockLoader.new(:ubuntu1504).load_resource('platform') }
describe 'NamedCleaned' do
let(:cleaner) { Inspec::Resources::PlatformResource::NameCleaned }
it 'verify name cleaned with uppercase' do
name = cleaner.new('upper_case_with_spaces')
_(name == 'Upper Case with Spaces').must_equal true
end
it 'verify name cleaned with uppercase fail' do
name = cleaner.new('upper_case_with_spaces')
_(name == 'Upper Case withFAIL Spaces').must_equal false
end
it 'verify name cleaned with lowercase' do
name = cleaner.new('lower_case_with_underscore')
_(name == 'lower_case_with_underscore').must_equal true
end
end
it 'verify platform parsing on Ubuntu' do
_(resource.name).must_equal 'ubuntu'
_(resource.family).must_equal 'debian'

View file

@ -90,13 +90,6 @@ describe 'SimpleConfig Default Parser' do
cur.params.must_equal({'key' => 'val'})
end
it 'supports :assignment_re for specifying the assignment with a deprecation warning' do
assert_output(nil, /DEPRECATION/) do
cur = SimpleConfig.new("key:::val", assignment_re: /^(.*):::(.*)$/)
cur.params.must_equal({'key' => 'val'})
end
end
it 'only reads the first assignment match group by default' do
cur = SimpleConfig.new("1:2:3", assignment_regex: /^(.*):(.*):(.*)$/)
cur.params.must_equal({'1' => '2'})
@ -111,11 +104,4 @@ describe 'SimpleConfig Default Parser' do
cur = SimpleConfig.new("1:2:3", assignment_regex: /^(.*):(.*):(.*)$/, key_values: 4)
cur.params.must_equal({'1' => ['2', '3', nil, nil]})
end
it 'supports :key_vals for specifying the assignment with a deprecation warning' do
assert_output(nil, /DEPRECATION/) do
cur = SimpleConfig.new("1:2:3", assignment_regex: /^(.*):(.*):(.*)$/, key_vals: 2)
cur.params.must_equal({'1' => ['2', '3']})
end
end
end