Inspec and ruby


#1

Guys,

got some code that runs fine but causes the inspec check to fail - any ideas ?

if os.family == 'redhat'
  sysacc = yaml(content: inspec.profile.file('SystemAccountsLinux.yml')).params
elsif os.family == 'solaris'
  sysacc = yaml(content: inspec.profile.file('SystemAccountsSolaris.yml')).params
end
 
AccountsList = sysacc['Accounts']
puts AccountsList
control 'SEG_15.02.01' do
  title 'SEG_15.02.01 - Ensure system accounts are non-login'
  impact 0.5
  desc 'Ensure system accounts cannot be logged into'
 
  if os.family == 'redhat'
    describe passwd.shells(/nologin/) do
      AccountsList.each do |account|
        its('users') { should include account }
      end
    end
  elsif os.family == 'solaris'
    AccountsList.each do |account|
      describe passwd.users(account) do
        its('shells') { should match [nil] }
      end
    end
  end
end

But

[root@lnx-dockd1 Inspec]# inspec check sgcb
Traceback (most recent call last):
                23: from /usr/local/bundle/bin/inspec:23:in `<main>'
                22: from /usr/local/bundle/bin/inspec:23:in `load'
                21: from /usr/local/bundle/gems/inspec-2.2.10/bin/inspec:12:in `<top (required)>'
                20: from /usr/local/bundle/gems/thor-0.20.0/lib/thor/base.rb:466:in `start'
                19: from /usr/local/bundle/gems/thor-0.20.0/lib/thor.rb:387:in `dispatch'
                18: from /usr/local/bundle/gems/thor-0.20.0/lib/thor/invocation.rb:126:in `invoke_command'
                17: from /usr/local/bundle/gems/thor-0.20.0/lib/thor/command.rb:27:in `run'
                16: from /usr/local/bundle/gems/inspec-2.2.10/lib/inspec/cli.rb:76:in `check'
                15: from /usr/local/bundle/gems/inspec-2.2.10/lib/inspec/profile.rb:297:in `check'
                14: from /usr/local/bundle/gems/inspec-2.2.10/lib/inspec/profile.rb:326:in `controls_count'
                13: from /usr/local/bundle/gems/inspec-2.2.10/lib/inspec/profile.rb:160:in `params'
                12: from /usr/local/bundle/gems/inspec-2.2.10/lib/inspec/profile.rb:466:in `load_params'
                11: from /usr/local/bundle/gems/inspec-2.2.10/lib/inspec/profile.rb:473:in `load_checks_params'
                10: from /usr/local/bundle/gems/inspec-2.2.10/lib/inspec/profile.rb:165:in `collect_tests'
                9: from /usr/local/bundle/gems/inspec-2.2.10/lib/inspec/dependencies/dependency_set.rb:64:in `each'
                8: from /usr/local/bundle/gems/inspec-2.2.10/lib/inspec/dependencies/dependency_set.rb:64:in `each'
                7: from /usr/local/bundle/gems/inspec-2.2.10/lib/inspec/dependencies/dependency_set.rb:65:in `block in each'
                6: from /usr/local/bundle/gems/inspec-2.2.10/lib/inspec/profile.rb:167:in `collect_tests'
                5: from /usr/local/bundle/gems/inspec-2.2.10/lib/inspec/profile.rb:167:in `each'
                4: from /usr/local/bundle/gems/inspec-2.2.10/lib/inspec/profile.rb:170:in `block in collect_tests'
                3: from /usr/local/bundle/gems/inspec-2.2.10/lib/inspec/profile_context.rb:142:in `load_control_file'
                2: from /usr/local/bundle/gems/inspec-2.2.10/lib/inspec/profile_context.rb:158:in `load_with_context'
                1: from /usr/local/bundle/gems/inspec-2.2.10/lib/inspec/profile_context.rb:158:in `instance_eval'
/share/sgcb/SGCBCustom/controls/UserIDAuth.rb:10:in `load_with_context': undefined method `[]' for nil:NilClass (NoMethodError)

#2

Looks like the error specific to your control is on line 10. Your sample code doesn’t seem to match up with this, so I’m assuming that your line 10 is:

AccountsList = sysacc['Accounts']

If that’s the case, then sysacc is nil, so your yaml file was never loaded and assigned to that variable. The conditional block that controls this is explicitly checking for redhat and solaris. Is that the host operating system where you are running the inspec check command? The check command will interpret and run the ruby profile as is on the local system where it’s being invoked. So for example, if I ran check on my mac with this profile, I would see the same error. But if I ran this on a redhat box, assuming I had that SystemAccountsLinux.yml file available, it should yield a different result.