lint rubocop offences

* Disables Lint/AmbiguousRegexpLiteral

  Inspec Style Guide suggests avoiding in matchers
  - https://docs.chef.io/inspec/style/#avoid-unnecessary-parentheses-in-matchers

  Examples in the documentation
  - https://docs.chef.io/inspec/matchers/#match
  - https://docs.chef.io/inspec/dsl_inspec/#test-if-mysql-passwords-are-in-env
  - https://docs.chef.io/inspec/dsl_inspec/#interactive-debugging-with-pry

* Other whitespace fixes

on-behalf-of: @Logicworks <dmiguel@logicworks.net>
Co-authored-by: amlodzianowski <adrianmlodzianowski@gmail.com>
Co-authored-by: gagarin-dev <37323962+gagarin-dev@users.noreply.github.com>
Signed-off-by: Deric Miguel <dmiguel@logicworks.net>
Signed-off-by: Dan Rosenbloom <drosenbloom@logicworks.net>
Signed-off-by: amlodzianowski <amlodzianowski@logicworks.net>
Signed-off-by: gagarin-dev <ygagarin@logicworks.net>

Author: 3 people

.rubocop.yml

@@ -3,6 +3,8 @@ Documentation:
   Enabled: false
 Layout/ParameterAlignment:
   Enabled: true
+Lint/AmbiguousRegexpLiteral:
+  Enabled: false
 HashSyntax:
   Enabled: true
 LineLength:

controls/1_1_filesystem_configuration.rb

@@ -373,9 +373,10 @@
   describe mount('/dev/shm') do
     its('options') { should include 'noexec' }
   end
-  only_if('/dev/shm is mounted') {
+
+  only_if('/dev/shm is mounted') do
     mount('/dev/shm').mounted?
-  }
+  end
 end
 
 control 'cis-dil-benchmark-1.1.18' do

controls/3_2_network_parameters_host_and_router.rb

@@ -163,4 +163,4 @@
       its(:value) { should eq 0 }
     end
   end
-end
+end

controls/3_3_tcp_wrappers.rb

@@ -116,7 +116,7 @@
     it { should exist }
     it { should be_file }
 
-    its('owner') { should cmp'root' }
+    its('owner') { should cmp 'root' }
     its('group') { should cmp 'root' }
 
     its('mode') { should cmp '0644' }

controls/3_5_firewall_configuration.rb

@@ -153,28 +153,27 @@
   describe.one do
     rules.each do |rule|
       describe rule do
-        it { should match(/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/) }
+        it { should match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/ }
       end
     end
   end
 
   describe.one do
     rules.each do |rule|
       describe rule do
-        it { should match(/(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/) }
+        it { should match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/ }
       end
     end
   end
 
   describe.one do
     rules.each do |rule|
       describe rule do
-        it { should match(/(?=.*-A INPUT)(?=.*-s 127\.0\.0\.0\/8)(?=.*-j DROP)/) }
+        it { should match %r{(?=.*-A INPUT)(?=.*-s 127\.0\.0\.0/8)(?=.*-j DROP)} }
       end
     end
   end
 
-
 end
 
 control 'cis-dil-benchmark-3.5.2.3' do
@@ -191,15 +190,15 @@
     describe.one do
       rules.each do |rule|
         describe rule do
-          it { should match(/(?=.*-A OUTPUT)(?=.*-p #{proto})(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/) }
+          it { should match /(?=.*-A OUTPUT)(?=.*-p #{proto})(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/ }
         end
       end
     end
 
     describe.one do
       rules.each do |rule|
         describe rule do
-          it { should match(/(?=.*-A INPUT)(?=.*-p #{proto})(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/) }
+          it { should match /(?=.*-A INPUT)(?=.*-p #{proto})(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/ }
         end
       end
     end
@@ -233,4 +232,4 @@
   describe package('iptables') do
     it { should be_installed }
   end
-end
+end

controls/4_2_configure_logging.rb

@@ -101,20 +101,18 @@
     end
   end
 
-  
   # Check the new RainerScript format in addtion to the 'legacy' rsyslog syntax
   # which is documented as 'obsolete'
   # ref: https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfile.html#filecreatemode
   new_rsyslog_conf = command('grep -orE \'FileCreateMode="[0-7]{4}"\' /etc/rsyslog.*').stdout
-  new_rsyslog_conf.each_line do | result |
+  new_rsyslog_conf.each_line do |result|
     filename = result.split(':')[0]
     describe file(filename) do
       its('content') { should match(/FileCreateMode="0[0-6][0-4]0"/) }
     end
   end
 end
 
-
 control 'cis-dil-benchmark-4.2.1.5' do
   title 'Ensure rsyslog is configured to send logs to a remote log host'
   desc  '

controls/5_1_configure_cron.rb

@@ -21,7 +21,7 @@
   title 'Ensure cron daemon is enabled'
   desc  '
     The cron daemon is used to execute batch jobs on the system.
-  
+
     Rationale:
 
     While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include
@@ -47,9 +47,9 @@
   desc  '
     The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root
     is the user and group owner of the file and that only the owner can access the file.
-    
+
     Rationale:
-    
+
     This file contains information on what system jobs are run by cron. Write access to these files could provide
     unprivileged users with the ability to elevate their privileges. Read access to these files could provide user
     with the ability to gain insight on system jobs that run on the system and could provide them a way to gain
@@ -80,9 +80,9 @@
     directory cannot be manipulated by the crontab command, but are instead edited by system administrators
     using a text editor. The commands below restrict read/write and search access to user and group root,
     preventing regular users from accessing this directory.
-    
+
     Rationale:
-    
+
     Granting write access to this directory for non-privileged users could provide them the means
     for gaining unauthorized elevated privileges. Granting read access to this directory could give
     an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
@@ -112,9 +112,9 @@
     The files in this directory cannot be manipulated by the crontab command, but are instead edited
     by system administrators using a text editor. The commands below restrict read/write and search
     access to user and group root, preventing regular users from accessing this directory.
-    
+
     Rationale:
-    
+
     Granting write access to this directory for non-privileged users could provide them the means for gaining
     unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user
     insight in how to gain elevated privileges or circumvent auditing controls.
@@ -144,9 +144,9 @@
     in this directory cannot be manipulated by the crontab command, but are instead edited by system
     administrators using a text editor. The commands below restrict read/write and search access to user
     and group root, preventing regular users from accessing this directory.
-    
+
     Rationale:
-    
+
     Granting write access to this directory for non-privileged users could provide them the means for gaining
     unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user
     insight in how to gain elevated privileges or circumvent auditing controls.
@@ -176,9 +176,9 @@
     in this directory cannot be manipulated by the crontab command, but are instead edited by system
     administrators using a text editor. The commands below restrict read/write and search access to user and
     group root, preventing regular users from accessing this directory.
-    
+
     Rationale:
-    
+
     Granting write access to this directory for non-privileged users could provide them the means for gaining
     unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user
     insight in how to gain elevated privileges or circumvent auditing controls.
@@ -209,9 +209,9 @@
     The files in this directory cannot be manipulated by the crontab command, but are instead edited by system
     administrators using a text editor. The commands below restrict read/write and search access to user and group
     root, preventing regular users from accessing this directory.
-    
+
     Rationale:
-    
+
     Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized
     elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain
     elevated privileges or circumvent auditing controls.
@@ -240,14 +240,14 @@
     Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services.
     If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked.
     Any user not specifically defined in those files is allowed to use at and cron. By removing the files,
-    only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. 
-    
+    only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron.
+
     Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user.
     The cron.allow file only controls administrative access to the crontab command for scheduling and modifying
     cron jobs.
-    
+
     Rationale:
-    
+
     On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file
     to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list.
     In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.

controls/5_2_ssh_server_configuration.rb

@@ -184,7 +184,7 @@
 control 'cis-dil-benchmark-5.2.8' do
   title 'Ensure SSH IgnoreRhosts is enabled (Scored)'
   desc  '
-    The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or 
+    The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or
     HostbasedAuthentication.
 
     Rationale: Setting this parameter forces users to enter a password when authenticating with ssh.
@@ -297,7 +297,7 @@
     its('Ciphers') { should_not be_nil }
   end
 
-  WEAK_CIPHERS = [
+  weak_ciphers = [
     '3des-cbc',
     'aes128-cbc',
     'aes192-cbc',
@@ -312,7 +312,7 @@
 
   if sshd_config.Ciphers
     describe sshd_config.Ciphers.split(',').each do
-      it { should_not be_in WEAK_CIPHERS }
+      it { should_not be_in weak_ciphers }
     end
   end
 end
@@ -336,7 +336,7 @@
     its('MACs') { should_not be_nil }
   end
 
-  ALLOWED_MACS = [
+  allowed_macs = [
     'hmac-sha2-512-etm@openssh.com',
     'hmac-sha2-256-etm@openssh.com',
     'hmac-sha2-512',
@@ -346,7 +346,7 @@
   if sshd_config.MACs
     sshd_config.MACs.split(',').each do |m|
       describe m do
-        it { should be_in ALLOWED_MACS }
+        it { should be_in allowed_macs }
       end
     end
   end
@@ -369,7 +369,7 @@
     its('KexAlgorithms') { should_not be_nil }
   end
 
-  ALLOWED_KEX_ALGORITHMS = [
+  allowed_kex_algorithms = [
     'curve25519-sha256',
     'curve25519-sha256@libssh.org',
     'ecdh-sha2-nistp256',
@@ -384,7 +384,7 @@
   if sshd_config.KexAlgorithms
     sshd_config.KexAlgorithms.split(',').each do |m|
       describe m do
-        it { should be_in ALLOWED_KEX_ALGORITHMS }
+        it { should be_in allowed_kex_algorithms }
       end
     end
   end

controls/5_3_configure_pam.rb

@@ -33,17 +33,17 @@
     * ucredit=-1 - provide at least one uppercase character
     * ocredit=-1 - provide at least one special character
     * lcredit=-1 - provide at least one lowercase character
-    
+
     The pam_pwquality.so module functions similarly but the minlen, dcredit,
     ucredit , ocredit , and lcredit parameters are stored in the
     /etc/security/pwquality.conf file. The settings shown above are one possible
     policy. Alter these values to conform to your own organization`s password
     policies.
-    
+
     Rationale: Strong passwords protect systems from being hacked through brute
     force methods.
   '
-  
+
   impact 1.0
 
   tag cis: 'distribution-independent-linux:5.3.1'
@@ -102,11 +102,11 @@
     users. Check the documentation for each secondary program for instructions
     on how to configure them to work with PAM.
     Set the lockout number to the policy in effect at your site.
-    
+
     Rationale: Locking out user IDs after n unsuccessful consecutive login
     attempts mitigates brute force password attacks against your systems.
   '
-  
+
   impact 0.0
 
   tag cis: 'distribution-independent-linux:5.3.2'
@@ -122,12 +122,12 @@
   desc  '
     The /etc/security/opasswd file stores the users` old passwords and can be
     checked to ensure that users are not recycling recent passwords.
-    
+
     Rationale: Forcing users not to reuse their past 5 passwords make it less
     likely that an attacker will be able to guess the password. Note that these
     change only apply to accounts configured on the local system.
   '
-  
+
   impact 0.0
 
   tag cis: 'distribution-independent-linux:5.3.3'
@@ -152,13 +152,13 @@
     The commands below change password encryption from md5 to sha512 (a much
     stronger hashing algorithm). All existing accounts will need to perform
     a password change to upgrade the stored hashes to the new algorithm.
-    
+
     Rationale: The SHA-512 algorithm provides much stronger hashing than MD5,
     thus providing additional protection to the system by increasing the level
     of effort for an attacker to successfully determine passwords. Note that
     these change only apply to accounts configured on the local system.
   '
-  
+
   impact 0.0
 
   tag cis: 'distribution-independent-linux:5.3.4'

controls/5_4_user_accounts_and_environments.rb

@@ -25,7 +25,7 @@
 passwd_files = ['/etc/passwd']
 passwd_files << '/usr/share/baselayout/passwd' if file('/etc/nsswitch.conf').content =~ /^passwd:\s+(\S+\s+)*usrfiles/
 
-shell_config_files = %w(bash.bashrc profile bashrc).map {|f| "/etc/#{f}"}.select {|f| file(f).file?}
+shell_config_files = %w(bash.bashrc profile bashrc).map { |f| "/etc/#{f}" }.select { |f| file(f).file? }
 
 control 'cis-dil-benchmark-5.4.1.1' do
   title 'Ensure password expiration is 365 days or less'
@@ -189,11 +189,6 @@
   shell_config_files.each do |f|
     describe file(f) do
       its('content') { should_not match(/^\s*umask [0-7](0[1-7]|[1-7][1-6])\s*(?:#.*)?$/) }
-    end
-  end
-
-  shell_config_files.each do |f|
-    describe file(f) do
       its('content') { should match(/^\s*umask [0-7][2367]7\s*(?:#.*)?$/) }
     end
   end