mattlqx/linux-baseline.rb

## linux-baseline.rb
include_controls 'linux-baseline' do

  # Dynamic monkeypatch of the suid_check resource
  # must be done this way because resource classes are entirely dynamic
  suid_check = resource_class('linux-baseline', 'suid_check')
  suid_check.send(:define_method, :network_paths) do
    inspec.file('/etc/mtab').content.split("\n").select { |l| %w[nfs nfs4 cifs ceph].include?(l.split[2]) }.map { |m| m.split[1] }
  end

  suid_check.send(:define_method, :exclude_paths) do
    network_paths + %w[/sys /proc /var/lib/lxd/containers]
  end

  suid_check.send(:define_method, :permissions) do
    exclude_opts = exclude_paths.map { |p| "-path #{p} -prune" }.join(' -o ')
    output = inspec.command("find / \\( #{exclude_opts} \\) -o -perm -4000 -perm -2000 -type f -print 2>/dev/null " \
                            "| grep -v '^find:'")
    output.stdout.split(/\r?\n/)
  end
end
	include_controls 'linux-baseline' do

	# Dynamic monkeypatch of the suid_check resource
	# must be done this way because resource classes are entirely dynamic
	suid_check = resource_class('linux-baseline', 'suid_check')
	suid_check.send(:define_method, :network_paths) do
	inspec.file('/etc/mtab').content.split("\n").select { \|l\| %w[nfs nfs4 cifs ceph].include?(l.split[2]) }.map { \|m\| m.split[1] }
	end

	suid_check.send(:define_method, :exclude_paths) do
	network_paths + %w[/sys /proc /var/lib/lxd/containers]
	end

	suid_check.send(:define_method, :permissions) do
	exclude_opts = exclude_paths.map { \|p\| "-path #{p} -prune" }.join(' -o ')
	output = inspec.command("find / \\( #{exclude_opts} \\) -o -perm -4000 -perm -2000 -type f -print 2>/dev/null " \
	"\| grep -v '^find:'")
	output.stdout.split(/\r?\n/)
	end
	end