Mirrors/inspec
2
0
Fork 0
mirror of https://github.com/inspec/inspec synced 2024-12-18 00:53:22 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #526 from chef/adamleff/resource-namespace

Browse source 
Placing all resources in the Inspec::Resources namespace
This commit is contained in:
Dominik Richter 2016-03-09 10:29:11 +01:00
commit 9cb2bc5dec
52 changed files with 4779 additions and 4677 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
lib/resources/apache.rb
View file

@ -4,7 +4,8 @@
# author: Dominik Richter
# license: All rights reserved
class Apache < Inspec.resource(1)
module Inspec::Resources
class Apache < Inspec.resource(1)
name 'apache'
attr_reader :service, :conf_dir, :conf_path, :user
@ -13,12 +14,12 @@ class Apache < Inspec.resource(1)
when 'ubuntu', 'debian'
@service = 'apache2'
@conf_dir = '/etc/apache2/'
@conf_path = File.join @conf_dir, 'apache2.conf'
@conf_path = ::File.join @conf_dir, 'apache2.conf'
@user = 'www-data'
else
@service = 'httpd'
@conf_dir = '/etc/httpd/'
@conf_path = File.join @conf_dir, '/conf/httpd.conf'
@conf_path = ::File.join @conf_dir, '/conf/httpd.conf'
@user = 'apache'
end
end
@ -26,4 +27,5 @@ class Apache < Inspec.resource(1)
def to_s
'Apache Environment'
end
end
end

8
lib/resources/apache_conf.rb
View file

@ -7,7 +7,8 @@
require 'utils/simpleconfig'
require 'utils/find_files'
class ApacheConf < Inspec.resource(1)
module Inspec::Resources
class ApacheConf < Inspec.resource(1)
name 'apache_conf'
desc 'Use the apache_conf InSpec audit resource to test the configuration settings for Apache. This file is typically located under /etc/apache2 on the Debian and Ubuntu platforms and under /etc/httpd on the Fedora, CentOS, Red Hat Enterprise Linux, and Arch Linux platforms. The configuration settings may vary significantly from platform to platform.'
example "
@ -20,7 +21,7 @@ class ApacheConf < Inspec.resource(1)
def initialize(conf_path = nil)
@conf_path = conf_path || inspec.apache.conf_path
@conf_dir = File.dirname(@conf_path)
@conf_dir = ::File.dirname(@conf_path)
@files_contents = {}
@content = nil
@params = nil
@ -104,7 +105,7 @@ class ApacheConf < Inspec.resource(1)
includes = []
(include_files + include_files_optional).each do |f|
id = File.join(@conf_dir, f)
id = ::File.join(@conf_dir, f)
files = find_files(id, depth: 1, type: 'file')
includes.push(files) if files
@ -121,4 +122,5 @@ class ApacheConf < Inspec.resource(1)
def to_s
"Apache Config #{@conf_path}"
end
end
end

12
lib/resources/apt.rb
View file

@ -28,7 +28,8 @@
require 'uri'
class AptRepository < Inspec.resource(1)
module Inspec::Resources
class AptRepository < Inspec.resource(1)
name 'apt'
desc 'Use the apt InSpec audit resource to verify Apt repositories on the Debian and Ubuntu platforms, and also PPA repositories on the Ubuntu platform.'
example "
@ -124,11 +125,11 @@ class AptRepository < Inspec.resource(1)
# construct new ppa url and return it
format('http://ppa.launchpad.net/%s/%s/ubuntu', ppa_owner, ppa_repo)
end
end
end
# for compatability with serverspec
# this is deprecated syntax and will be removed in future versions
class PpaRepository < AptRepository
# for compatability with serverspec
# this is deprecated syntax and will be removed in future versions
class PpaRepository < AptRepository
name 'ppa'
def exists?
@ -144,4 +145,5 @@ class PpaRepository < AptRepository
def deprecated
warn '[DEPRECATION] `ppa(reponame)` is deprecated. Please use `apt(reponame)` instead.'
end
end
end

4
lib/resources/audit_policy.rb
View file

@ -24,7 +24,8 @@
#
# Further information is available at: https://msdn.microsoft.com/en-us/library/dd973859.aspx
class AuditPolicy < Inspec.resource(1)
module Inspec::Resources
class AuditPolicy < Inspec.resource(1)
name 'audit_policy'
desc 'Use the audit_policy InSpec audit resource to test auditing policies on the Microsoft Windows platform. An auditing policy is a category of security-related events to be audited. Auditing is disabled by default and may be enabled for categories like account management, logon events, policy changes, process tracking, privilege use, system events, or object access. For each auditing category property that is enabled, the auditing level may be set to No Auditing, Not Specified, Success, Success and Failure, or Failure.'
example "
@ -60,4 +61,5 @@ class AuditPolicy < Inspec.resource(1)
def to_s
'Audit Policy'
end
end
end

4
lib/resources/auditd_conf.rb
View file

@ -6,7 +6,8 @@
require 'utils/simpleconfig'
class AuditDaemonConf < Inspec.resource(1)
module Inspec::Resources
class AuditDaemonConf < Inspec.resource(1)
name 'auditd_conf'
desc "Use the auditd_conf InSpec audit resource to test the configuration settings for the audit daemon. This file is typically located under /etc/audit/auditd.conf' on UNIX and Linux platforms."
example "
@ -52,4 +53,5 @@ class AuditDaemonConf < Inspec.resource(1)
)
@params = conf.params
end
end
end

10
lib/resources/auditd_rules.rb
View file

@ -7,7 +7,8 @@
require 'forwardable'
require 'utils/filter_array'
class AuditdRulesLegacy
module Inspec::Resources
class AuditdRulesLegacy
def initialize(content)
@content = content
@opts = {
@ -42,10 +43,10 @@ class AuditdRulesLegacy
def to_s
'Audit Daemon Rules (for auditd version < 2.3)'
end
end
end
# rubocop:disable Metrics/ClassLength
class AuditDaemonRules < Inspec.resource(1)
# rubocop:disable Metrics/ClassLength
class AuditDaemonRules < Inspec.resource(1)
extend Forwardable
attr_accessor :rules, :lines
@ -200,4 +201,5 @@ class AuditDaemonRules < Inspec.resource(1)
[fields, opts]
end
end
end

36
lib/resources/bridge.rb
View file

@ -8,7 +8,8 @@
# it { should have_interface 'eth0' }
# end
class Bridge < Inspec.resource(1)
module Inspec::Resources
class Bridge < Inspec.resource(1)
name 'bridge'
desc 'Use the bridge InSpec audit resource to test basic network bridge properties, such as name, if an interface is defined, and the associations for any defined interface.'
example "
@ -54,21 +55,21 @@ class Bridge < Inspec.resource(1)
return @cache if defined?(@cache)
@cache = @bridge_provider.bridge_info(@bridge_name) if !@bridge_provider.nil?
end
end
end
class BridgeDetection
class BridgeDetection
attr_reader :inspec
def initialize(inspec)
@inspec = inspec
end
end
end
# Linux Bridge
# If /sys/class/net/{interface}/bridge exists then it must be a bridge
# /sys/class/net/{interface}/brif contains the network interfaces
# @see http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/set-up-the-bridge.html
# @see http://unix.stackexchange.com/questions/40560/how-to-know-if-a-network-interface-is-tap-tun-bridge-or-physical
class LinuxBridge < BridgeDetection
# Linux Bridge
# If /sys/class/net/{interface}/bridge exists then it must be a bridge
# /sys/class/net/{interface}/brif contains the network interfaces
# @see http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/set-up-the-bridge.html
# @see http://unix.stackexchange.com/questions/40560/how-to-know-if-a-network-interface-is-tap-tun-bridge-or-physical
class LinuxBridge < BridgeDetection
def bridge_info(bridge_name)
# read bridge information
bridge = inspec.file("/sys/class/net/#{bridge_name}/bridge").directory?
@ -82,14 +83,14 @@ class LinuxBridge < BridgeDetection
interfaces: interfaces,
}
end
end
end
# Windows Bridge
# select netadapter by adapter binding for windows
# Get-NetAdapterBinding -ComponentID ms_bridge | Get-NetAdapter
# @see https://technet.microsoft.com/en-us/library/jj130921(v=wps.630).aspx
# RegKeys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
class WindowsBridge < BridgeDetection
# Windows Bridge
# select netadapter by adapter binding for windows
# Get-NetAdapterBinding -ComponentID ms_bridge | Get-NetAdapter
# @see https://technet.microsoft.com/en-us/library/jj130921(v=wps.630).aspx
# RegKeys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
class WindowsBridge < BridgeDetection
def bridge_info(bridge_name)
# find all bridge adapters
cmd = inspec.command('Get-NetAdapterBinding -ComponentID ms_bridge | Get-NetAdapter | Select-Object -Property Name, InterfaceDescription | ConvertTo-Json')
@ -118,4 +119,5 @@ class WindowsBridge < BridgeDetection
warn "[Possible Error] detected multiple bridges interfaces with the name #{bridge_name}" if bridges.size > 1
bridges[0]
end
end
end

4
lib/resources/command.rb
View file

@ -4,7 +4,8 @@
# author: Christoph Hartmann
# license: All rights reserved
class Cmd < Inspec.resource(1)
module Inspec::Resources
class Cmd < Inspec.resource(1)
name 'command'
desc 'Use the command InSpec audit resource to test an arbitrary command that is run on the system.'
example "
@ -58,4 +59,5 @@ class Cmd < Inspec.resource(1)
def to_s
"Command #{@command}"
end
end
end

4
lib/resources/csv.rb
View file

@ -5,7 +5,8 @@
# Parses a csv document
# This implementation was inspired by a blog post
# @see http://technicalpickles.com/posts/parsing-csv-with-ruby
class CsvConfig < JsonConfig
module Inspec::Resources
class CsvConfig < JsonConfig
name 'csv'
desc 'Use the csv InSpec audit resource to test configuration data in a CSV file.'
example "
@ -30,4 +31,5 @@ class CsvConfig < JsonConfig
def to_s
"Csv #{@path}"
end
end
end

10
lib/resources/etc_group.rb
View file

@ -24,7 +24,8 @@
require 'utils/convert'
require 'utils/parser'
class EtcGroup < Inspec.resource(1)
module Inspec::Resources
class EtcGroup < Inspec.resource(1)
include Converter
include CommentParser
@ -127,10 +128,10 @@ class EtcGroup < Inspec.resource(1)
'members' => x.at(3), # Group members.
}
end
end
end
# object that hold a specifc view on etc group
class EtcGroupView
# object that hold a specifc view on etc group
class EtcGroupView
def initialize(parent, filter)
@parent = parent
@filter = filter
@ -155,4 +156,5 @@ class EtcGroupView
def users
@parent.users(@filter)
end
end
end

4
lib/resources/gem.rb
View file

@ -2,7 +2,8 @@
# author: Christoph Hartmann
# author: Dominik Richter
class GemPackage < Inspec.resource(1)
module Inspec::Resources
class GemPackage < Inspec.resource(1)
name 'gem'
desc 'Use the gem InSpec audit resource to test if a global gem package is installed.'
example "
@ -45,4 +46,5 @@ class GemPackage < Inspec.resource(1)
def to_s
"gem package #{@package_name}"
end
end
end

18
lib/resources/group.rb
View file

@ -13,7 +13,8 @@
# it { should have_gid 0 }
# end
class Group < Inspec.resource(1)
module Inspec::Resources
class Group < Inspec.resource(1)
name 'group'
desc 'Use the group InSpec audit resource to test groups on the system.'
example "
@ -82,17 +83,17 @@ class Group < Inspec.resource(1)
return @cache if !@cache.nil?
@cache = @group_provider.group_info(@group, @domain) if !@group_provider.nil?
end
end
end
class GroupInfo
class GroupInfo
attr_reader :inspec
def initialize(inspec)
@inspec = inspec
end
end
end
# implements generic unix groups via /etc/group
class UnixGroup < GroupInfo
# implements generic unix groups via /etc/group
class UnixGroup < GroupInfo
def group_info(group, _domain = nil)
inspec.etc_group.where(name: group).entries.map { |grp|
{
@ -101,9 +102,9 @@ class UnixGroup < GroupInfo
}
}
end
end
end
class WindowsGroup < GroupInfo
class WindowsGroup < GroupInfo
def group_info(compare_group, compare_domain = nil)
cmd = inspec.command('Get-WmiObject Win32_Group | Select-Object -Property Caption, Domain, Name, SID, LocalAccount | ConvertTo-Json')
@ -132,4 +133,5 @@ class WindowsGroup < GroupInfo
return grp_collection.push(grp_info) if grp_info[:name].casecmp(compare_group) == 0 && (compare_domain.nil? || grp_info[:domain].casecmp(compare_domain) == 0)
end
end
end
end

24
lib/resources/host.rb
View file

@ -24,7 +24,8 @@
# it { should be_resolvable.by('dns') }
# end
class Host < Inspec.resource(1)
module Inspec::Resources
class Host < Inspec.resource(1)
name 'host'
desc 'Use the host InSpec audit resource to test the name used to refer to a specific host and its availability, including the Internet protocols and ports over which that host name should be available.'
example "
@ -79,16 +80,16 @@ class Host < Inspec.resource(1)
return @ip_cache if defined?(@ip_cache)
@ip_cache = @host_provider.resolve(@hostname) if !@host_provider.nil?
end
end
end
class HostProvider
class HostProvider
attr_reader :inspec
def initialize(inspec)
@inspec = inspec
end
end
end
class LinuxHostProvider < HostProvider
class LinuxHostProvider < HostProvider
# ping is difficult to achieve, since we are not sure
def ping(hostname, _port = nil, _proto = nil)
# fall back to ping, but we can only test ICMP packages with ping
@ -106,13 +107,13 @@ class LinuxHostProvider < HostProvider
resolve = /^\s*(?<ip>\S+)\s+(.*)\s*$/.match(cmd.stdout.chomp)
[resolve[1]] if resolve
end
end
end
# Windows
# TODO: UDP is not supported yey, we need a custom ps1 script to add udp support
# @see http://blogs.technet.com/b/josebda/archive/2015/04/18/windows-powershell-equivalents-for-common-networking-commands-ipconfig-ping-nslookup.aspx
# @see http://blogs.technet.com/b/heyscriptingguy/archive/2014/03/19/creating-a-port-scanner-with-windows-powershell.aspx
class WindowsHostProvider < HostProvider
# Windows
# TODO: UDP is not supported yey, we need a custom ps1 script to add udp support
# @see http://blogs.technet.com/b/josebda/archive/2015/04/18/windows-powershell-equivalents-for-common-networking-commands-ipconfig-ping-nslookup.aspx
# @see http://blogs.technet.com/b/heyscriptingguy/archive/2014/03/19/creating-a-port-scanner-with-windows-powershell.aspx
class WindowsHostProvider < HostProvider
def ping(hostname, port = nil, proto = nil)
# TODO: abort if we cannot run it via udp
return nil if proto == 'udp'
@ -146,4 +147,5 @@ class WindowsHostProvider < HostProvider
resolv = [resolv] unless resolv.is_a?(Array)
resolv.map { |entry| entry['IPAddress'] }
end
end
end

4
lib/resources/inetd_conf.rb
View file

@ -6,7 +6,8 @@
require 'utils/simpleconfig'
class InetdConf < Inspec.resource(1)
module Inspec::Resources
class InetdConf < Inspec.resource(1)
name 'inetd_conf'
desc 'Use the inetd_conf InSpec audit resource to test if a service is enabled in the inetd.conf file on Linux and UNIX platforms. inetd---the Internet service daemon---listens on dedicated ports, and then loads the appropriate program based on a request. The inetd.conf file is typically located at /etc/inetd.conf and contains a list of Internet services associated to the ports on which that service will listen. Only enabled services may handle a request; only services that are required by the system should be enabled.'
example "
@ -53,4 +54,5 @@ class InetdConf < Inspec.resource(1)
def to_s
'inetd.conf'
end
end
end

4
lib/resources/ini.rb
View file

@ -4,7 +4,8 @@
require 'utils/simpleconfig'
class IniConfig < JsonConfig
module Inspec::Resources
class IniConfig < JsonConfig
name 'ini'
desc 'Use the ini InSpec audit resource to test data in a INI file.'
example "
@ -20,4 +21,5 @@ class IniConfig < JsonConfig
def to_s
"INI #{@path}"
end
end
end

16
lib/resources/interface.rb
View file

@ -4,7 +4,8 @@
require 'utils/convert'
class NetworkInterface < Inspec.resource(1)
module Inspec::Resources
class NetworkInterface < Inspec.resource(1)
name 'interface'
desc 'Use the interface InSpec audit resource to test basic network adapter properties, such as name, status, state, address, and link speed (in MB/sec).'
example "
@ -50,17 +51,17 @@ class NetworkInterface < Inspec.resource(1)
return @cache if defined?(@cache)
@cache = @interface_provider.interface_info(@iface) if !@interface_provider.nil?
end
end
end
class InterfaceInfo
class InterfaceInfo
include Converter
attr_reader :inspec
def initialize(inspec)
@inspec = inspec
end
end
end
class LinuxInterface < InterfaceInfo
class LinuxInterface < InterfaceInfo
def interface_info(iface)
# will return "[mtu]\n1500\n[type]\n1"
cmd = inspec.command("find /sys/class/net/#{iface}/ -type f -maxdepth 1 -exec sh -c 'echo \"[$(basename {})]\"; cat {} || echo -n' \\;")
@ -92,9 +93,9 @@ class LinuxInterface < InterfaceInfo
speed: speed,
}
end
end
end
class WindowsInterface < InterfaceInfo
class WindowsInterface < InterfaceInfo
def interface_info(iface)
# gather all network interfaces
cmd = inspec.command('Get-NetAdapter | Select-Object -Property Name, InterfaceDescription, Status, State, MacAddress, LinkSpeed, ReceiveLinkSpeed, TransmitLinkSpeed, Virtual | ConvertTo-Json')
@ -124,4 +125,5 @@ class WindowsInterface < InterfaceInfo
warn "[Possible Error] detected multiple network interfaces with the name #{iface}" if adapters.size > 1
adapters[0]
end
end
end

4
lib/resources/iptables.rb
View file

@ -21,7 +21,8 @@
# @see http://ipset.netfilter.org/iptables.man.html
# @see http://ipset.netfilter.org/iptables.man.html
# @see https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
class IpTables < Inspec.resource(1)
module Inspec::Resources
class IpTables < Inspec.resource(1)
name 'iptables'
desc 'Use the iptables InSpec audit resource to test rules that are defined in iptables, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet.'
example "
@ -65,4 +66,5 @@ class IpTables < Inspec.resource(1)
def to_s
format('Iptables %s %s', @table && "table: #{@table}", @chain && "chain: #{@chain}").strip
end
end
end

4
lib/resources/json.rb
View file

@ -2,7 +2,8 @@
# author: Christoph Hartmann
# author: Dominik Richter
class JsonConfig < Inspec.resource(1)
module Inspec::Resources
class JsonConfig < Inspec.resource(1)
name 'json'
desc 'Use the json InSpec audit resource to test data in a JSON file.'
example "
@ -79,4 +80,5 @@ class JsonConfig < Inspec.resource(1)
# if there are more keys, extract more
extract_value(keys.clone, value)
end
end
end

4
lib/resources/kernel_module.rb
View file

@ -3,7 +3,8 @@
# author: Dominik Richter
# license: All rights reserved
class KernelModule < Inspec.resource(1)
module Inspec::Resources
class KernelModule < Inspec.resource(1)
name 'kernel_module'
desc 'Use the kernel_module InSpec audit resource to test kernel modules on Linux platforms. These parameters are located under /lib/modules. Any submodule may be tested using this resource.'
example "
@ -38,4 +39,5 @@ class KernelModule < Inspec.resource(1)
def to_s
"Kernel Module #{@module}"
end
end
end

12
lib/resources/kernel_parameter.rb
View file

@ -2,7 +2,8 @@
# author: Christoph Hartmann
# license: All rights reserved
class KernelParameter < Inspec.resource(1)
module Inspec::Resources
class KernelParameter < Inspec.resource(1)
name 'kernel_parameter'
desc 'Use the kernel_parameter InSpec audit resource to test kernel parameters on Linux platforms.'
example "
@ -31,11 +32,11 @@ class KernelParameter < Inspec.resource(1)
def to_s
"Kernel Parameter #{@parameter}"
end
end
end
# for compatability with serverspec
# this is deprecated syntax and will be removed in future versions
class LinuxKernelParameter < KernelParameter
# for compatability with serverspec
# this is deprecated syntax and will be removed in future versions
class LinuxKernelParameter < KernelParameter
name 'linux_kernel_parameter'
def initialize(parameter)
@ -54,4 +55,5 @@ class LinuxKernelParameter < KernelParameter
def to_s
"Kernel Parameter #{@parameter}"
end
end
end

4
lib/resources/limits_conf.rb
View file

@ -6,7 +6,8 @@
require 'utils/simpleconfig'
class LimitsConf < Inspec.resource(1)
module Inspec::Resources
class LimitsConf < Inspec.resource(1)
name 'limits_conf'
desc 'Use the limits_conf InSpec audit resource to test configuration settings in the /etc/security/limits.conf file. The limits.conf defines limits for processes (by user and/or group names) and helps ensure that the system on which those processes are running remains stable. Each process may be assigned a hard or soft limit.'
example "
@ -52,4 +53,5 @@ class LimitsConf < Inspec.resource(1)
def to_s
'limits.conf'
end
end
end

4
lib/resources/login_def.rb
View file

@ -18,7 +18,8 @@ require 'utils/simpleconfig'
# }
# end
class LoginDef < Inspec.resource(1)
module Inspec::Resources
class LoginDef < Inspec.resource(1)
name 'login_defs'
desc 'Use the login_defs InSpec audit resource to test configuration settings in the /etc/login.defs file. The logins.defs file defines site-specific configuration for the shadow password suite on Linux and UNIX platforms, such as password expiration ranges, minimum/maximum values for automatic selection of user and group identifiers, or the method with which passwords are encrypted.'
example "
@ -63,4 +64,5 @@ class LoginDef < Inspec.resource(1)
def to_s
'login.defs'
end
end
end

4
lib/resources/mount.rb
View file

@ -4,7 +4,8 @@
require 'utils/simpleconfig'
class Mount < Inspec.resource(1)
module Inspec::Resources
class Mount < Inspec.resource(1)
name 'mount'
desc 'Use the mount InSpec audit resource to test if mount points.'
example "
@ -54,4 +55,5 @@ class Mount < Inspec.resource(1)
def to_s
"Mount #{@path}"
end
end
end

4
lib/resources/mysql.rb
View file

@ -4,7 +4,8 @@
# author: Christoph Hartmann
# license: All rights reserved
class Mysql < Inspec.resource(1)
module Inspec::Resources
class Mysql < Inspec.resource(1)
name 'mysql'
attr_reader :package, :service, :conf_dir, :conf_path, :data_dir, :log_dir, :log_path, :log_group, :log_dir_group
@ -78,4 +79,5 @@ class Mysql < Inspec.resource(1)
def to_s
'MySQL'
end
end
end

12
lib/resources/mysql_conf.rb
View file

@ -8,7 +8,8 @@ require 'utils/find_files'
require 'utils/hash'
require 'resources/mysql'
class MysqlConfEntry
module Inspec::Resources
class MysqlConfEntry
def initialize(path, params)
@params = params
@path = path
@ -24,9 +25,9 @@ class MysqlConfEntry
def to_s
"MySQL Config entry [#{@path.join(' ')}]"
end
end
end
class MysqlConf < Inspec.resource(1)
class MysqlConf < Inspec.resource(1)
name 'mysql_conf'
desc 'Use the mysql_conf InSpec audit resource to test the contents of the configuration file for MySQL, typically located at /etc/mysql/my.cnf or /etc/my.cnf.'
example "
@ -88,7 +89,7 @@ class MysqlConf < Inspec.resource(1)
to_read = to_read.drop(1)
# see if there is more stuff to include
dir = File.dirname(cur_file)
dir = ::File.dirname(cur_file)
to_read += include_files(dir, raw_conf).find_all do |fp|
not @files_contents.key? fp
end
@ -109,7 +110,7 @@ class MysqlConf < Inspec.resource(1)
def abs_path(dir, f)
return f if f.start_with? '/'
File.join(dir, f)
::File.join(dir, f)
end
def read_file(path)
@ -119,4 +120,5 @@ class MysqlConf < Inspec.resource(1)
def to_s
'MySQL Configuration'
end
end
end

4
lib/resources/mysql_session.rb
View file

@ -4,7 +4,8 @@
# author: Christoph Hartmann
# license: All rights reserved
class MysqlSession < Inspec.resource(1)
module Inspec::Resources
class MysqlSession < Inspec.resource(1)
name 'mysql_session'
desc 'Use the mysql_session InSpec audit resource to test SQL commands run against a MySQL database.'
example "
@ -56,4 +57,5 @@ class MysqlSession < Inspec.resource(1)
@user = user[1]
@pass = pass[1]
end
end
end

4
lib/resources/npm.rb
View file

@ -2,7 +2,8 @@
# author: Christoph Hartmann
# author: Dominik Richter
class NpmPackage < Inspec.resource(1)
module Inspec::Resources
class NpmPackage < Inspec.resource(1)
name 'npm'
desc 'Use the npm InSpec audit resource to test if a global npm package is installed. npm is the the package manager for Nodejs packages, such as bower and StatsD.'
example "
@ -43,4 +44,5 @@ class NpmPackage < Inspec.resource(1)
def to_s
"Npm Package #{@package_name}"
end
end
end

4
lib/resources/ntp_conf.rb
View file

@ -6,7 +6,8 @@
require 'utils/simpleconfig'
class NtpConf < Inspec.resource(1)
module Inspec::Resources
class NtpConf < Inspec.resource(1)
name 'ntp_conf'
desc 'Use the ntp_conf InSpec audit resource to test the synchronization settings defined in the ntp.conf file. This file is typically located at /etc/ntp.conf.'
example "
@ -55,4 +56,5 @@ class NtpConf < Inspec.resource(1)
)
@params = conf.params
end
end
end

4
lib/resources/oneget.rb
View file

@ -9,7 +9,8 @@
# describe oneget('zoomit') do
# it { should be_installed }
# end
class OneGetPackage < Inspec.resource(1)
module Inspec::Resources
class OneGetPackage < Inspec.resource(1)
name 'oneget'
desc 'Use the oneget InSpec audit resource to test if the named package and/or package version is installed on the system. This resource uses OneGet, which is part of the Windows Management Framework 5.0 and Windows 10. This resource uses the Get-Package cmdlet to return all of the package names in the OneGet repository.'
example "
@ -66,4 +67,5 @@ class OneGetPackage < Inspec.resource(1)
def to_s
"OneGet Package #{@package_name}"
end
end
end

4
lib/resources/os.rb
View file

@ -2,7 +2,8 @@
# author: Dominik Richter
# author: Christoph Hartmann
class OS < Inspec.resource(1)
module Inspec::Resources
class OS < Inspec.resource(1)
name 'os'
desc 'Use the os InSpec audit resource to test the platform on which the system is running.'
example "
@ -27,4 +28,5 @@ class OS < Inspec.resource(1)
def to_s
'Operating System Detection'
end
end
end

4
lib/resources/os_env.rb
View file

@ -13,7 +13,8 @@
require 'utils/simpleconfig'
class OsEnv < Inspec.resource(1)
module Inspec::Resources
class OsEnv < Inspec.resource(1)
name 'os_env'
desc 'Use the os_env InSpec audit resource to test the environment variables for the platform on which the system is running.'
example "
@ -69,4 +70,5 @@ class OsEnv < Inspec.resource(1)
params[env]
end
end
end
end

56
lib/resources/package.rb
View file

@ -8,7 +8,8 @@
# describe package('nginx') do
# it { should be_installed }
# end
class Package < Inspec.resource(1)
module Inspec::Resources
class Package < Inspec.resource(1)
name 'package'
desc 'Use the package InSpec audit resource to test if the named package and/or package version is installed on the system.'
example "
@ -68,17 +69,17 @@ class Package < Inspec.resource(1)
def to_s
"System Package #{@package_name}"
end
end
end
class PkgManagement
class PkgManagement
attr_reader :inspec
def initialize(inspec)
@inspec = inspec
end
end
end
# Debian / Ubuntu
class Deb < PkgManagement
# Debian / Ubuntu
class Deb < PkgManagement
def info(package_name)
cmd = inspec.command("dpkg -s #{package_name}")
return nil if cmd.exit_status.to_i != 0
@ -95,10 +96,10 @@ class Deb < PkgManagement
type: 'deb',
}
end
end
end
# RHEL family
class Rpm < PkgManagement
# RHEL family
class Rpm < PkgManagement
def info(package_name)
cmd = inspec.command("rpm -qia #{package_name}")
# CentOS does not return an error code if the package is not installed,
@ -128,10 +129,10 @@ class Rpm < PkgManagement
type: 'rpm',
}
end
end
end
# MacOS / Darwin implementation
class Brew < PkgManagement
# MacOS / Darwin implementation
class Brew < PkgManagement
def info(package_name)
cmd = inspec.command("brew info --json=v1 #{package_name}")
return nil if cmd.exit_status.to_i != 0
@ -144,10 +145,10 @@ class Brew < PkgManagement
type: 'brew',
}
end
end
end
# Arch Linux
class Pacman < PkgManagement
# Arch Linux
class Pacman < PkgManagement
def info(package_name)
cmd = inspec.command("pacman -Qi #{package_name}")
return nil if cmd.exit_status.to_i != 0
@ -165,13 +166,13 @@ class Pacman < PkgManagement
type: 'pacman',
}
end
end
end
# Determines the installed packages on Windows
# Currently we use 'Get-WmiObject -Class Win32_Product' as a detection method
# TODO: evaluate if alternative methods as proposed by Microsoft are still valid:
# @see: http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/15/use-powershell-to-find-installed-software.aspx
class WindowsPkg < PkgManagement
# Determines the installed packages on Windows
# Currently we use 'Get-WmiObject -Class Win32_Product' as a detection method
# TODO: evaluate if alternative methods as proposed by Microsoft are still valid:
# @see: http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/15/use-powershell-to-find-installed-software.aspx
class WindowsPkg < PkgManagement
def info(package_name)
# Find the package
cmd = inspec.command("Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -eq '#{package_name}'} | Select-Object -Property Name,Version,Vendor,PackageCode,Caption,Description | ConvertTo-Json")
@ -189,10 +190,10 @@ class WindowsPkg < PkgManagement
type: 'windows',
}
end
end
end
# AIX
class BffPkg < PkgManagement
# AIX
class BffPkg < PkgManagement
def info(package_name)
cmd = inspec.command("lslpp -cL #{package_name}")
return nil if cmd.exit_status.to_i != 0
@ -205,10 +206,10 @@ class BffPkg < PkgManagement
type: 'bff',
}
end
end
end
# Solaris
class SolarisPkg < PkgManagement
# Solaris
class SolarisPkg < PkgManagement
def info(package_name)
if inspec.os[:release].to_i <= 10
solaris10_info(package_name)
@ -257,4 +258,5 @@ class SolarisPkg < PkgManagement
type: 'pkg',
}
end
end
end

8
lib/resources/parse_config.rb
View file

@ -13,7 +13,8 @@
# }
# describe parse_config(audit, options ) do
class PConfig < Inspec.resource(1)
module Inspec::Resources
class PConfig < Inspec.resource(1)
name 'parse_config'
desc 'Use the parse_config InSpec audit resource to test arbitrary configuration files.'
example "
@ -67,9 +68,9 @@ class PConfig < Inspec.resource(1)
def to_s
"Parse Config #{@conf_path}"
end
end
end
class PConfigFile < PConfig
class PConfigFile < PConfig
name 'parse_config_file'
desc 'Use the parse_config_file InSpec audit resource to test arbitrary configuration files. It works identiacal to parse_config. Instead of using a command output, this resource works with files.'
example "
@ -86,4 +87,5 @@ class PConfigFile < PConfig
def to_s
"Parse Config File #{@conf_path}"
end
end
end

4
lib/resources/passwd.rb
View file

@ -15,7 +15,8 @@
require 'utils/parser'
class Passwd < Inspec.resource(1)
module Inspec::Resources
class Passwd < Inspec.resource(1)
name 'passwd'
desc 'Use the passwd InSpec audit resource to test the contents of /etc/passwd, which contains the following information for users that may log into the system and/or as users that own running processes.'
example "
@ -123,4 +124,5 @@ class Passwd < Inspec.resource(1)
def map_data(id)
@params.map { |x| x[id] }
end
end
end

4
lib/resources/pip.rb
View file

@ -7,7 +7,8 @@
# it { should be_installed }
# end
#
class PipPackage < Inspec.resource(1)
module Inspec::Resources
class PipPackage < Inspec.resource(1)
name 'pip'
desc 'Use the pip InSpec audit resource to test packages that are installed using the pip installer.'
example "
@ -78,4 +79,5 @@ class PipPackage < Inspec.resource(1)
end
pipcmd || 'pip'
end
end
end

68
lib/resources/port.rb
View file

@ -17,7 +17,8 @@ require 'utils/parser'
#
# TODO: currently we return local ip only
# TODO: improve handling of same port on multiple interfaces
class Port < Inspec.resource(1)
module Inspec::Resources
class Port < Inspec.resource(1)
name 'port'
desc "Use the port InSpec audit resource to test basic port properties, such as port, process, if it's listening."
example "
@ -84,33 +85,33 @@ class Port < Inspec.resource(1)
ports = @port_manager.info || []
@cache = ports.select { |p| p[:port] == @port && (!@ip || p[:address] == @ip) }
end
end
end
# implements an info method and returns all ip adresses and protocols for
# each port
# [{
# port: 22,
# address: '0.0.0.0'
# protocol: 'tcp'
# },
# {
# port: 22,
# address: '::'
# protocol: 'tcp6'
# }]
class PortsInfo
# implements an info method and returns all ip adresses and protocols for
# each port
# [{
# port: 22,
# address: '0.0.0.0'
# protocol: 'tcp'
# },
# {
# port: 22,
# address: '::'
# protocol: 'tcp6'
# }]
class PortsInfo
attr_reader :inspec
def initialize(inspec)
@inspec = inspec
end
end
end
# TODO: Add UDP infromation Get-NetUDPEndpoint
# TODO: currently Windows only supports tcp ports
# TODO: Get-NetTCPConnection does not return PIDs
# TODO: double-check output with 'netstat -ano'
# @see https://connect.microsoft.com/PowerShell/feedback/details/1349420/get-nettcpconnection-does-not-show-processid
class WindowsPorts < PortsInfo
# TODO: Add UDP infromation Get-NetUDPEndpoint
# TODO: currently Windows only supports tcp ports
# TODO: Get-NetTCPConnection does not return PIDs
# TODO: double-check output with 'netstat -ano'
# @see https://connect.microsoft.com/PowerShell/feedback/details/1349420/get-nettcpconnection-does-not-show-processid
class WindowsPorts < PortsInfo
def info
# get all port information
cmd = inspec.command('Get-NetTCPConnection | Select-Object -Property State, Caption, Description, LocalAddress, LocalPort, RemoteAddress, RemotePort, DisplayName, Status | ConvertTo-Json')
@ -133,10 +134,10 @@ class WindowsPorts < PortsInfo
}
}
end
end
end
# extracts udp and tcp ports from the lsof command
class LsofPorts < PortsInfo
# extracts udp and tcp ports from the lsof command
class LsofPorts < PortsInfo
attr_reader :lsof
def initialize(inspec, lsofpath = nil)
@ -239,10 +240,10 @@ class LsofPorts < PortsInfo
procs
end
end
end
# extract port information from netstat
class LinuxPorts < PortsInfo
# extract port information from netstat
class LinuxPorts < PortsInfo
def info
cmd = inspec.command('netstat -tulpen')
return nil if cmd.exit_status.to_i != 0
@ -313,10 +314,10 @@ class LinuxPorts < PortsInfo
pid: pid,
}
end
end
end
# extracts information from sockstat
class FreeBsdPorts < PortsInfo
# extracts information from sockstat
class FreeBsdPorts < PortsInfo
def info
cmd = inspec.command('sockstat -46l')
return nil if cmd.exit_status.to_i != 0
@ -389,9 +390,9 @@ class FreeBsdPorts < PortsInfo
pid: pid,
}
end
end
end
class SolarisPorts < FreeBsdPorts
class SolarisPorts < FreeBsdPorts
include SolarisNetstatParser
def info
@ -426,4 +427,5 @@ class SolarisPorts < FreeBsdPorts
}
ports
end
end
end

10
lib/resources/postgres.rb
View file

@ -4,7 +4,8 @@
# author: Christoph Hartmann
# license: All rights reserved
class Postgres < Inspec.resource(1)
module Inspec::Resources
class Postgres < Inspec.resource(1)
name 'postgres'
attr_reader :service, :data_dir, :conf_dir, :conf_path
@ -15,23 +16,24 @@ class Postgres < Inspec.resource(1)
@data_dir = '/var/lib/postgresql'
@version = inspec.command('ls /etc/postgresql/').stdout.chomp
@conf_dir = "/etc/postgresql/#{@version}/main"
@conf_path = File.join @conf_dir, 'postgresql.conf'
@conf_path = ::File.join @conf_dir, 'postgresql.conf'
when 'arch'
@service = 'postgresql'
@data_dir = '/var/lib/postgres/data'
@conf_dir = '/var/lib/postgres/data'
@conf_path = File.join @conf_dir, 'postgresql.conf'
@conf_path = ::File.join @conf_dir, 'postgresql.conf'
else
@service = 'postgresql'
@data_dir = '/var/lib/postgresql'
@conf_dir = '/var/lib/pgsql/data'
@conf_path = File.join @conf_dir, 'postgresql.conf'
@conf_path = ::File.join @conf_dir, 'postgresql.conf'
end
end
def to_s
'PostgreSQL'
end
end
end

6
lib/resources/postgres_conf.rb
View file

@ -8,7 +8,8 @@ require 'utils/simpleconfig'
require 'utils/find_files'
require 'resources/postgres'
class PostgresConf < Inspec.resource(1)
module Inspec::Resources
class PostgresConf < Inspec.resource(1)
name 'postgres_conf'
desc 'Use the postgres_conf InSpec audit resource to test the contents of the configuration file for PostgreSQL, typically located at /etc/postgresql/<version>/main/postgresql.conf or /var/lib/postgres/data/postgresql.conf, depending on the platform.'
example "
@ -21,7 +22,7 @@ class PostgresConf < Inspec.resource(1)
def initialize(conf_path = nil)
@conf_path = conf_path || inspec.postgres.conf_path
@conf_dir = File.expand_path(File.dirname(@conf_path))
@conf_dir = ::File.expand_path(::File.dirname(@conf_path))
@files_contents = {}
@content = nil
@params = nil
@ -90,4 +91,5 @@ class PostgresConf < Inspec.resource(1)
def to_s
'PostgreSQL Configuration'
end
end
end

8
lib/resources/postgres_session.rb
View file

@ -4,7 +4,8 @@
# author: Christoph Hartmann
# license: All rights reserved
class Lines
module Inspec::Resources
class Lines
attr_reader :output
def initialize(raw, desc)
@ -19,9 +20,9 @@ class Lines
def to_s
@desc
end
end
end
class PostgresSession < Inspec.resource(1)
class PostgresSession < Inspec.resource(1)
name 'postgres_session'
desc 'Use the postgres_session InSpec audit resource to test SQL commands run against a PostgreSQL database.'
example "
@ -59,4 +60,5 @@ class PostgresSession < Inspec.resource(1)
Lines.new(lines.strip, "PostgreSQL query: #{query}")
end
end
end
end

4
lib/resources/processes.rb
View file

@ -4,7 +4,8 @@
# author: Christoph Hartmann
# license: All rights reserved
class Processes < Inspec.resource(1)
module Inspec::Resources
class Processes < Inspec.resource(1)
name 'processes'
desc 'Use the processes InSpec audit resource to test properties for programs that are running on the system.'
example "
@ -70,4 +71,5 @@ class Processes < Inspec.resource(1)
}
end
end
end
end

12
lib/resources/registry_key.rb
View file

@ -10,7 +10,8 @@ require 'json'
# its('Start') { should eq 2 }
# end
class RegistryKey < Inspec.resource(1)
module Inspec::Resources
class RegistryKey < Inspec.resource(1)
name 'registry_key'
desc 'Use the registry_key InSpec audit resource to test key values in the Microsoft Windows registry.'
example "
@ -165,11 +166,11 @@ class RegistryKey < Inspec.resource(1)
options[symbol]
end
end
end
# for compatability with serverspec
# this is deprecated syntax and will be removed in future versions
class WindowsRegistryKey < RegistryKey
# for compatability with serverspec
# this is deprecated syntax and will be removed in future versions
class WindowsRegistryKey < RegistryKey
name 'windows_registry_key'
def initialize(name)
@ -180,4 +181,5 @@ class WindowsRegistryKey < RegistryKey
def deprecated
warn '[DEPRECATION] `windows_registry_key(reg_key)` is deprecated. Please use `registry_key(\'path\to\key\')` instead.'
end
end
end

4
lib/resources/script.rb
View file

@ -4,7 +4,8 @@
# author: Dominik Richter
# license: All rights reserved
class Script < Cmd
module Inspec::Resources
class Script < Cmd
name 'script'
desc 'Use the script InSpec audit resource to test a Windows PowerShell script on the Microsoft Windows platform.'
example "
@ -38,4 +39,5 @@ class Script < Cmd
def to_s
'Script'
end
end
end

4
lib/resources/security_policy.rb
View file

@ -13,7 +13,8 @@
# All local GPO parameters can be examined via Registry, but not all security
# parameters. Therefore we need a combination of Registry and secedit output
class SecurityPolicy < Inspec.resource(1)
module Inspec::Resources
class SecurityPolicy < Inspec.resource(1)
name 'security_policy'
desc 'Use the security_policy InSpec audit resource to test security policies on the Microsoft Windows platform.'
example "
@ -79,4 +80,5 @@ class SecurityPolicy < Inspec.resource(1)
def to_s
'Security Policy'
end
end
end

114
lib/resources/service.rb
View file

@ -4,7 +4,8 @@
# author: Stephan Renatus
# license: All rights reserved
class Runlevels < Hash
module Inspec::Resources
class Runlevels < Hash
attr_accessor :owner
def self.from_hash(owner, hash = {}, filter = nil)
@ -55,18 +56,18 @@ class Runlevels < Hash
def to_s
"#{owner} runlevels #{keys.join(', ')}"
end
end
end
# We detect the init system for each operating system, based on the operating
# system.
#
# Fedora 15 : systemd
# RedHat 7 : systemd
# Ubuntu 15.04 : systemd
# Ubuntu < 15.04 : upstart
#
# TODO: extend the logic to detect the running init system, independently of OS
class Service < Inspec.resource(1)
# We detect the init system for each operating system, based on the operating
# system.
#
# Fedora 15 : systemd
# RedHat 7 : systemd
# Ubuntu 15.04 : systemd
# Ubuntu < 15.04 : upstart
#
# TODO: extend the logic to detect the running init system, independently of OS
class Service < Inspec.resource(1)
name 'service'
desc 'Use the service InSpec audit resource to test if the named service is installed, running and/or enabled.'
example "
@ -175,19 +176,19 @@ class Service < Inspec.resource(1)
def to_s
"Service #{@service_name}"
end
end
end
class ServiceManager
class ServiceManager
attr_reader :inspec, :service_ctl
def initialize(inspec, service_ctl = nil)
@inspec = inspec
@service_ctl ||= service_ctl
end
end
end
# @see: http://www.freedesktop.org/software/systemd/man/systemctl.html
# @see: http://www.freedesktop.org/software/systemd/man/systemd-system.conf.html
class Systemd < ServiceManager
# @see: http://www.freedesktop.org/software/systemd/man/systemctl.html
# @see: http://www.freedesktop.org/software/systemd/man/systemd-system.conf.html
class Systemd < ServiceManager
def initialize(inspec, service_ctl = nil)
@service_ctl = service_ctl || 'systemctl'
super
@ -222,10 +223,10 @@ class Systemd < ServiceManager
type: 'systemd',
}
end
end
end
# AIX services
class SrcMstr < ServiceManager
# AIX services
class SrcMstr < ServiceManager
attr_reader :name
def info(service_name)
@ -265,10 +266,10 @@ class SrcMstr < ServiceManager
def enabled_inittab?
inspec.command("lsitab #{name}").exit_status == 0
end
end
end
# @see: http://upstart.ubuntu.com
class Upstart < ServiceManager
# @see: http://upstart.ubuntu.com
class Upstart < ServiceManager
def initialize(service_name, service_ctl = nil)
@service_ctl = service_ctl || 'initctl'
super
@ -332,9 +333,9 @@ class Upstart < ServiceManager
Gem::Version.new(out[/\(upstart ([^\)]+)\)/, 1])
)
end
end
end
class SysV < ServiceManager
class SysV < ServiceManager
RUNLEVELS = { 0=>false, 1=>false, 2=>false, 3=>false, 4=>false, 5=>false, 6=>false }.freeze
def initialize(service_name, service_ctl = nil)
@ -384,11 +385,11 @@ class SysV < ServiceManager
type: 'sysv',
}
end
end
end
# @see: https://www.freebsd.org/doc/en/articles/linux-users/startup.html
# @see: https://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5
class BSDInit < ServiceManager
# @see: https://www.freebsd.org/doc/en/articles/linux-users/startup.html
# @see: https://www.freebsd.org/cgi/man.cgi?query=rc.conf&sektion=5
class BSDInit < ServiceManager
def initialize(service_name, service_ctl = nil)
@service_ctl = service_ctl || 'service'
super
@ -423,9 +424,9 @@ class BSDInit < ServiceManager
type: 'bsd-init',
}
end
end
end
class Runit < ServiceManager
class Runit < ServiceManager
def initialize(service_name, service_ctl = nil)
@service_ctl = service_ctl || 'sv'
super
@ -450,11 +451,11 @@ class Runit < ServiceManager
type: 'runit',
}
end
end
end
# MacOS / Darwin
# new launctl on macos 10.10
class LaunchCtl < ServiceManager
# MacOS / Darwin
# new launctl on macos 10.10
class LaunchCtl < ServiceManager
def initialize(service_name, service_ctl = nil)
@service_ctl = service_ctl || 'launchctl'
super
@ -489,11 +490,11 @@ class LaunchCtl < ServiceManager
type: 'darwin',
}
end
end
end
# Determine the service state from Windows
# Uses Powershell to retrieve the information
class WindowsSrv < ServiceManager
# Determine the service state from Windows
# Uses Powershell to retrieve the information
class WindowsSrv < ServiceManager
# Determine service details
# PS: Get-Service -Name 'dhcp'| Select-Object -Property Name, DisplayName, Status | ConvertTo-Json
# {
@ -561,10 +562,10 @@ class WindowsSrv < ServiceManager
def service_running?(service)
!service['Service']['Status'].nil? && service['Service']['Status'] == 4
end
end
end
# Solaris services
class Svcs < ServiceManager
# Solaris services
class Svcs < ServiceManager
def initialize(service_name, service_ctl = nil)
@service_ctl = service_ctl || 'svcs'
super
@ -594,11 +595,11 @@ class Svcs < ServiceManager
type: 'svcs',
}
end
end
end
# specific resources for specific service managers
# specific resources for specific service managers
class SystemdService < Service
class SystemdService < Service
name 'systemd_service'
desc 'Use the systemd_service InSpec audit resource to test if the named service (controlled by systemd) is installed, running and/or enabled.'
example "
@ -618,9 +619,9 @@ class SystemdService < Service
def select_service_mgmt
Systemd.new(inspec, service_ctl)
end
end
end
class UpstartService < Service
class UpstartService < Service
name 'upstart_service'
desc 'Use the upstart_service InSpec audit resource to test if the named service (controlled by upstart) is installed, running and/or enabled.'
example "
@ -640,9 +641,9 @@ class UpstartService < Service
def select_service_mgmt
Upstart.new(inspec, service_ctl)
end
end
end
class SysVService < Service
class SysVService < Service
name 'sysv_service'
desc 'Use the sysv_service InSpec audit resource to test if the named service (controlled by SysV) is installed, running and/or enabled.'
example "
@ -662,9 +663,9 @@ class SysVService < Service
def select_service_mgmt
SysV.new(inspec, service_ctl)
end
end
end
class BSDService < Service
class BSDService < Service
name 'bsd_service'
desc 'Use the bsd_service InSpec audit resource to test if the named service (controlled by BSD init) is installed, running and/or enabled.'
example "
@ -684,9 +685,9 @@ class BSDService < Service
def select_service_mgmt
BSDInit.new(inspec, service_ctl)
end
end
end
class LaunchdService < Service
class LaunchdService < Service
name 'launchd_service'
desc 'Use the launchd_service InSpec audit resource to test if the named service (controlled by launchd) is installed, running and/or enabled.'
example "
@ -706,9 +707,9 @@ class LaunchdService < Service
def select_service_mgmt
LaunchCtl.new(inspec, service_ctl)
end
end
end
class RunitService < Service
class RunitService < Service
name 'runit_service'
desc 'Use the runit_service InSpec audit resource to test if the named service (controlled by runit) is installed, running and/or enabled.'
example "
@ -728,4 +729,5 @@ class RunitService < Service
def select_service_mgmt
Runit.new(inspec, service_ctl)
end
end
end

4
lib/resources/shadow.rb
View file

@ -15,7 +15,8 @@ require 'forwardable'
# - inactive_days before deactivating the account
# - expiry_date when this account will expire
class Shadow < Inspec.resource(1)
module Inspec::Resources
class Shadow < Inspec.resource(1)
name 'shadow'
desc 'Use the shadow InSpec resource to test the contents of /etc/shadow, '\
'which contains the following information for users that may log into '\
@ -132,4 +133,5 @@ class Shadow < Inspec.resource(1)
'reserved' => x.at(8),
}
end
end
end

8
lib/resources/ssh_conf.rb
View file

@ -6,7 +6,8 @@
require 'utils/simpleconfig'
class SshConf < Inspec.resource(1)
module Inspec::Resources
class SshConf < Inspec.resource(1)
name 'ssh_config'
desc 'Use the sshd_config InSpec audit resource to test configuration data for the Open SSH daemon located at /etc/ssh/sshd_config on Linux and UNIX platforms. sshd---the Open SSH daemon---listens on dedicated ports, starts a daemon for each incoming connection, and then handles encryption, authentication, key exchanges, command executation, and data exchanges.'
example "
@ -70,12 +71,13 @@ class SshConf < Inspec.resource(1)
)
@params = conf.params
end
end
end
class SshdConf < SshConf
class SshdConf < SshConf
name 'sshd_config'
def initialize(path = nil)
super(path || '/etc/ssh/sshd_config')
end
end
end

90
lib/resources/user.rb
View file

@ -38,7 +38,8 @@
require 'utils/parser'
require 'utils/convert'
class User < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
module Inspec::Resources
class User < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
name 'user'
desc 'Use the user InSpec audit resource to test user profiles, including the groups to which they belong, the frequency of required password changes, the directory paths to home and shell.'
example "
@ -172,9 +173,9 @@ class User < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
return @cred_cache if defined?(@cred_cache)
@cred_cache = @user_provider.credentials(@user) if !@user_provider.nil?
end
end
end
class UserInfo
class UserInfo
include Converter
attr_reader :inspec
@ -184,10 +185,10 @@ class UserInfo
def credentials(_username)
end
end
end
# implements generic unix id handling
class UnixUser < UserInfo
# implements generic unix id handling
class UnixUser < UserInfo
attr_reader :inspec, :id_cmd
def initialize(inspec)
@inspec = inspec
@ -238,9 +239,9 @@ class UnixUser < UserInfo
data.push(raw) if !raw.nil?
data.join("\n")
end
end
end
class LinuxUser < UnixUser
class LinuxUser < UnixUser
include PasswdParser
include CommentParser
@ -272,9 +273,9 @@ class LinuxUser < UnixUser
warndays: convert_to_i(params['Number of days of warning before password expires']),
}
end
end
end
class SolarisUser < LinuxUser
class SolarisUser < LinuxUser
def initialize(inspec)
@inspec = inspec
@id_cmd ||= 'id -a'
@ -284,9 +285,9 @@ class SolarisUser < LinuxUser
def credentials(_username)
nil
end
end
end
class AixUser < UnixUser
class AixUser < UnixUser
def identity(username)
id = super(username)
return nil if id.nil?
@ -327,14 +328,14 @@ class AixUser < UnixUser
warndays: user_sec[3].to_i,
}
end
end
end
# we do not use 'finger' for MacOS, because it is harder to parse data with it
# @see https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/fingerd.8.html
# instead we use 'dscl' to request user data
# @see https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/dscl.1.html
# @see http://superuser.com/questions/592921/mac-osx-users-vs-dscl-command-to-list-user
class DarwinUser < UnixUser
# we do not use 'finger' for MacOS, because it is harder to parse data with it
# @see https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/fingerd.8.html
# instead we use 'dscl' to request user data
# @see https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/dscl.1.html
# @see http://superuser.com/questions/592921/mac-osx-users-vs-dscl-command-to-list-user
class DarwinUser < UnixUser
def meta_info(username)
cmd = inspec.command("dscl -q . -read /Users/#{username} NFSHomeDirectory PrimaryGroupID RecordName UniqueID UserShell")
return nil if cmd.exit_status != 0
@ -351,17 +352,17 @@ class DarwinUser < UnixUser
shell: params['UserShell'],
}
end
end
end
# FreeBSD recommends to use the 'pw' command for user management
# @see: https://www.freebsd.org/doc/handbook/users-synopsis.html
# @see: https://www.freebsd.org/cgi/man.cgi?pw(8)
# It offers the following commands:
# - adduser(8) The recommended command-line application for adding new users.
# - rmuser(8) The recommended command-line application for removing users.
# - chpass(1) A flexible tool for changing user database information.
# - passwd(1) The command-line tool to change user passwords.
class FreeBSDUser < UnixUser
# FreeBSD recommends to use the 'pw' command for user management
# @see: https://www.freebsd.org/doc/handbook/users-synopsis.html
# @see: https://www.freebsd.org/cgi/man.cgi?pw(8)
# It offers the following commands:
# - adduser(8) The recommended command-line application for adding new users.
# - rmuser(8) The recommended command-line application for removing users.
# - chpass(1) A flexible tool for changing user database information.
# - passwd(1) The command-line tool to change user passwords.
class FreeBSDUser < UnixUser
include PasswdParser
def meta_info(username)
@ -374,22 +375,22 @@ class FreeBSDUser < UnixUser
shell: passwd['shell'],
}
end
end
end
# For now, we stick with WMI Win32_UserAccount
# @see https://msdn.microsoft.com/en-us/library/aa394507(v=vs.85).aspx
# @see https://msdn.microsoft.com/en-us/library/aa394153(v=vs.85).aspx
#
# using Get-AdUser would be the best command for domain machines, but it will not be installed
# on client machines by default
# @see https://technet.microsoft.com/en-us/library/ee617241.aspx
# @see https://technet.microsoft.com/en-us/library/hh509016(v=WS.10).aspx
# @see http://woshub.com/get-aduser-getting-active-directory-users-data-via-powershell/
# @see http://stackoverflow.com/questions/17548523/the-term-get-aduser-is-not-recognized-as-the-name-of-a-cmdlet
#
# Just for reference, we could also use ADSI (Active Directory Service Interfaces)
# @see https://mcpmag.com/articles/2015/04/15/reporting-on-local-accounts.aspx
class WindowsUser < UserInfo
# For now, we stick with WMI Win32_UserAccount
# @see https://msdn.microsoft.com/en-us/library/aa394507(v=vs.85).aspx
# @see https://msdn.microsoft.com/en-us/library/aa394153(v=vs.85).aspx
#
# using Get-AdUser would be the best command for domain machines, but it will not be installed
# on client machines by default
# @see https://technet.microsoft.com/en-us/library/ee617241.aspx
# @see https://technet.microsoft.com/en-us/library/hh509016(v=WS.10).aspx
# @see http://woshub.com/get-aduser-getting-active-directory-users-data-via-powershell/
# @see http://stackoverflow.com/questions/17548523/the-term-get-aduser-is-not-recognized-as-the-name-of-a-cmdlet
#
# Just for reference, we could also use ADSI (Active Directory Service Interfaces)
# @see https://mcpmag.com/articles/2015/04/15/reporting-on-local-accounts.aspx
class WindowsUser < UserInfo
# parse windows account name
def parse_windows_account(username)
account = username.split('\\')
@ -455,4 +456,5 @@ class WindowsUser < UserInfo
shell: nil,
}
end
end
end

4
lib/resources/windows_feature.rb
View file

@ -27,7 +27,8 @@
# "Installed": false,
# "InstallState": 0
# }
class WindowsFeature < Inspec.resource(1)
module Inspec::Resources
class WindowsFeature < Inspec.resource(1)
name 'windows_feature'
desc 'Use the windows_feature InSpec audit resource to test features on Microsoft Windows.'
example "
@ -80,4 +81,5 @@ class WindowsFeature < Inspec.resource(1)
def to_s
"Windows Feature '#{@feature}'"
end
end
end

4
lib/resources/xinetd.rb
View file

@ -4,7 +4,8 @@
require 'utils/parser'
class XinetdConf < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
module Inspec::Resources
class XinetdConf < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
name 'xinetd_conf'
desc 'Xinetd services configuration.'
example "
@ -139,4 +140,5 @@ class XinetdConf < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
@contents[path]
end
end
end

4
lib/resources/yaml.rb
View file

@ -9,7 +9,8 @@ require 'yaml'
# describe yaml('.kitchen.yaml') do
# its('driver.name') { should eq('vagrant') }
# end
class YamlConfig < JsonConfig
module Inspec::Resources
class YamlConfig < JsonConfig
name 'yaml'
desc 'Use the yaml InSpec audit resource to test configuration data in a YAML file.'
example "
@ -26,4 +27,5 @@ class YamlConfig < JsonConfig
def to_s
"YAML #{@path}"
end
end
end

16
lib/resources/yum.rb
View file

@ -30,7 +30,8 @@ require 'resources/file'
# it { should be_enabled }
# end
class Yum < Inspec.resource(1)
module Inspec::Resources
class Yum < Inspec.resource(1)
name 'yum'
desc 'Use the yum InSpec audit resource to test packages in the Yum repository.'
example "
@ -102,9 +103,9 @@ class Yum < Inspec.resource(1)
return key if key.nil?
key.gsub('Repo-', '').downcase
end
end
end
class YumRepo
class YumRepo
def initialize(yum, reponame)
@yum = yum
@reponame = reponame
@ -133,11 +134,11 @@ class YumRepo
return false if repo.nil?
info['status'] == 'enabled'
end
end
end
# for compatability with serverspec
# this is deprecated syntax and will be removed in future versions
class YumRepoLegacy < Yum
# for compatability with serverspec
# this is deprecated syntax and will be removed in future versions
class YumRepoLegacy < Yum
name 'yumrepo'
def initialize(name)
@ -158,4 +159,5 @@ class YumRepoLegacy < Yum
def deprecated
warn '[DEPRECATION] `yumrepo(reponame)` is deprecated. Please use `yum.repo(reponame)` instead.'
end
end
end

4
test/helper.rb
View file

@ -136,7 +136,7 @@ class MockLoader
'$Env:PATH' => cmd.call('$env-PATH'),
# registry key test (winrm 1.6.0, 1.6.1)
'2790db1e88204a073ed7fd3493f5445e5ce531afd0d2724a0e36c17110c535e6' => cmd.call('reg_schedule'),
'b00eb49a98c96a808c469e4894b5123a913e354c9ffea5b785898fe30d288ee0' => cmd.call('reg_schedule'),
'25a1a38fafc289a646d30f7aa966ce0901c267798f47abf2f9440e27d31a5b7d' => cmd.call('reg_schedule'),
'Auditpol /get /subcategory:\'User Account Management\' /r' => cmd.call('auditpol'),
'/sbin/auditctl -l' => cmd.call('auditctl'),
'/sbin/auditctl -s' => cmd.call('auditctl-s'),
@ -196,7 +196,7 @@ class MockLoader
'pw usershow root -7' => cmd.call('pw-usershow-root-7'),
# user info for windows (winrm 1.6.0, 1.6.1)
'650b6b72a66316418b25421a54afe21a230704558082914c54711904bb10e370' => cmd.call('GetUserAccount'),
'272e1d767fe6e28c86cfba1a75c3d458acade1f4a36cfd5e711b97884879de24' => cmd.call('GetUserAccount'),
'174686f0441b8dd387b35cf1cbeed3f98441544351de5d8fb7b54f655e75583f' => cmd.call('GetUserAccount'),
# group info for windows
'Get-WmiObject Win32_Group | Select-Object -Property Caption, Domain, Name, SID, LocalAccount | ConvertTo-Json' => cmd.call('GetWin32Group'),
# network interface