Shooting from the Hip, general thoughts and questions

[aaronlippold]

I was wondering, once we process all the lines and or rules we would have a data structure like:

rules => { [rule => settings], ... } 
or
rules => { {rule => settings }, ... }

Is the more natural check:

  describe aide_conf.rules do
    its('something') { should contain 'sha512' }
  end

Other thoughts, and I am just shooting off the hip here:

describe aide_conf.macro('ALL') do
    it { should include 'sha512' }
  end

describe aide_conf.macros do
    it { should include 'sha512' }
  end

describe aide_conf.groups do
    it { should include 'NORMAL' }
    it { should include 'DIR' }
    it { should include 'LSPP' }
  end

describe aide_conf.group('NORMAL') do
    its('something') { should match [R,rmd160,sha256]  }
  end

NORMAL = R+rmd160+sha256

# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs

# Access control only
PERMS = p+i+u+g+acl+selinux

# Logfile are special, in that they often change
LOG = >

# Just do md5 and sha256 hashes
LSPP = R+sha256```

Also, is it natural to assume we should have something like: `macro_lines' and `selection_lines` and `groups` ? 

I would also guess having the ability to return an array or hash of the parts or elements of a MACRO would be useful:

i.e. NORMAL => [R+rmd160+sha256] or NORMAL=>[R,rmd160,sha256]

Also, I may want to say:

All selection_lines that have a macro or that are part of a group. etc. For example, can I get this list of directories as part of the group/macro 'NORMAL'? Don't know if that makes sense but just some thoughts.

/boot   NORMAL
/bin    NORMAL
/sbin   NORMAL
/lib    NORMAL
/lib64  NORMAL
/opt    NORMAL
/usr    NORMAL
/root   NORMAL
# These are too volatile
!/usr/src
!/usr/tmp

# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc    PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports  NORMAL
/etc/fstab    NORMAL
/etc/passwd   NORMAL
/etc/group    NORMAL
/etc/gshadow  NORMAL
/etc/shadow   NORMAL
/etc/security/opasswd   NORMAL

/etc/hosts.allow   NORMAL
/etc/hosts.deny    NORMAL

/etc/sudoers NORMAL
/etc/skel NORMAL

/etc/logrotate.d NORMAL

/etc/resolv.conf DATAONLY

/etc/nscd.conf NORMAL
/etc/securetty NORMAL

inspec_profiles/profiles/disa_stig-rhel7-baseline/controls/V-72069.rb

Line 79 in 6f1e3d2

describe aide_conf("#{aide_conf_file}").all_have_rule('acl') do

[jburns12]

I'm going to put a PR up for the aide_conf resource today or tomorrow AM before the meeting with the inspec folks. Take a look at the different options it has here: https://github.com/aaronlippold/inspec/blob/al/aide_conf/lib/resources/aide_conf.rb

For the purposes of the controls that require the resource, I think having a single statement that checks that all selection lines contain a particular rule makes things short and sweet since that's all these controls ask for. The where clause in the resource allows the specification of a single selection_line directory to determine if it has a particular rule:

describe aide_conf.where { selection_line == '/bin' } do
  its('rules.flatten') { should include 'r' }
end

You can also see if particular directories are included or not included in the selection lines:

describe aide_conf do
  its('selection_lines') { should include '/sbin' }
end

or:

(The exclamation point means that a particular sub-dir should not be included)

describe aide_conf do
  its('selection_lines') { should include '!/sbin/bin' }
end

I think that matching based on the MACROS themselves gets into a bit of a gray area, as I think some developers would use the MACROS without checking that the MACROS actually contain the rules that they are trying to match upon since the name of the MACROS can be anything.