mirror of
https://github.com/inspec/inspec
synced 2024-09-21 06:51:56 +00:00
c7e87ca3e3
* Create file-check functionality into utility file There are the similar issues as PR #2302. Almost resources return false positives when a file does not exist or is not read. * Replace to file-check functionality * Fix dh_params and x509_certificate resources If a file is empty, OpenSSL::PKey::DH and OpenSSL::X509::Certificate have raised an exception and have skipped the inspection. Thus x509_certificate and dh_params resources are not allowed to read a empty file. * to_s of shadow expects filters is not nil * Remove workaround of sshd_config Removes the workaround of sshd_config since Travis CI fails due to a bug of dev-sec/ssh-baseline and the PR #100 will fix it. * Use init block variable in methods Signed-off-by: ERAMOTO Masaya <eramoto.masaya@jp.fujitsu.com>
94 lines
2.7 KiB
Ruby
94 lines
2.7 KiB
Ruby
# encoding: utf-8
|
|
# copyright:
|
|
|
|
require 'utils/parser'
|
|
require 'utils/file_reader'
|
|
|
|
module Inspec::Resources
|
|
class EtcFstab < Inspec.resource(1)
|
|
name 'etc_fstab'
|
|
supports platform: 'unix'
|
|
desc 'Use the etc_fstab InSpec audit resource to check the configuration of the etc/fstab file.'
|
|
example "
|
|
nfs_systems = etc_fstab.nfs_file_systems.entries
|
|
nfs_systems.each do |file_system|
|
|
describe file_system do
|
|
its ('mount_options') { should include 'nosuid' }
|
|
its ('mount_options') { should include 'noexec' }
|
|
its ('mount_options') { should include 'sec=krb5:krb5i:krb5p }
|
|
end
|
|
end
|
|
|
|
describe etc_fstab do
|
|
its ('home_mount_options') { should include 'nosuid' }
|
|
end
|
|
"
|
|
|
|
attr_reader :params
|
|
|
|
include CommentParser
|
|
include FileReader
|
|
|
|
def initialize(fstab_path = nil)
|
|
@conf_path = fstab_path || '/etc/fstab'
|
|
@files_contents = {}
|
|
@content = nil
|
|
@params = nil
|
|
read_content
|
|
end
|
|
|
|
filter = FilterTable.create
|
|
filter.add_accessor(:where)
|
|
.add_accessor(:entries)
|
|
.add(:device_name, field: 'device_name')
|
|
.add(:mount_point, field: 'mount_point')
|
|
.add(:file_system_type, field: 'file_system_type')
|
|
.add(:mount_options, field: 'mount_options')
|
|
.add(:dump_options, field: 'dump_options')
|
|
.add(:file_system_options, field: 'file_system_options')
|
|
.add(:configured?) { |x| x.entries.any? }
|
|
|
|
filter.connect(self, :params)
|
|
|
|
def nfs_file_systems
|
|
where { file_system_type.match(/nfs/) }
|
|
end
|
|
|
|
def home_mount_options
|
|
return nil unless where { mount_point == '/home' }.configured?
|
|
where { mount_point == '/home' }.entries[0].mount_options
|
|
end
|
|
|
|
private
|
|
|
|
def read_content
|
|
@content = ''
|
|
@params = {}
|
|
@content = read_file(@conf_path)
|
|
@params = parse_conf(@content)
|
|
end
|
|
|
|
def parse_conf(content)
|
|
content.map do |line|
|
|
data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
|
|
parse_line(data) unless data == ''
|
|
end.compact
|
|
end
|
|
|
|
def parse_line(line)
|
|
attributes = line.split
|
|
{
|
|
'device_name' => attributes[0],
|
|
'mount_point' => attributes[1],
|
|
'file_system_type' => attributes[2],
|
|
'mount_options' => attributes[3].split(','),
|
|
'dump_options' => attributes[4].to_i,
|
|
'file_system_options' => attributes[5].to_i,
|
|
}
|
|
end
|
|
|
|
def read_file(conf_path = @conf_path)
|
|
read_file_content(conf_path).lines
|
|
end
|
|
end
|
|
end
|