linux-baseline/libraries/suid_check.rb

# author: Christoph Hartmann

class SUIDCheck < Inspec.resource(1)
  name 'suid_check'
  desc 'Use the suid_check resource to verify the current SUID/SGID against a blacklist'
  example "
     describe suid_check(blacklist) do
       its('diff') { should be_empty }
     end
   "

  def initialize(blacklist = nil)
    blacklist = default if blacklist.nil?
    @blacklist = blacklist
  end

  def permissions
    output = inspec.command('find / -perm -4000 -o -perm -2000 -type f ! -path \'/proc/*\' ! -path \'/var/lib/lxd/containers/*\' -print 2>/dev/null | grep -v \'^find:\'')
    output.stdout.split(/\r?\n/)
  end

  def diff
    permissions & @blacklist
  end
end
Fixes #86 by deferring the execution of permissions to profile execution instead of profile initialisation Signed-off-by: Christoph Hartmann <chris@lollyrock.com> 2017-11-19 10:48:07 +00:00			`# author: Christoph Hartmann`

			`class SUIDCheck < Inspec.resource(1)`
			`name 'suid_check'`
			`desc 'Use the suid_check resource to verify the current SUID/SGID against a blacklist'`
			`example "`
			`describe suid_check(blacklist) do`
			`its('diff') { should be_empty }`
			`end`
			`"`

			`def initialize(blacklist = nil)`
			`blacklist = default if blacklist.nil?`
			`@blacklist = blacklist`
			`end`

			`def permissions`
			`output = inspec.command('find / -perm -4000 -o -perm -2000 -type f ! -path \'/proc/\' ! -path \'/var/lib/lxd/containers/\' -print 2>/dev/null \| grep -v \'^find:\'')`
			`output.stdout.split(/\r?\n/)`
			`end`

			`def diff`
			`permissions & @blacklist`
			`end`
			`end`