fix syntax issues

.rubocop.yml

@@ -1,4 +1,5 @@
 AllCops:
+  NewCops: enable
   Exclude:
   - "libraries/**/*"
 
@@ -56,3 +57,109 @@ Style/FormatStringToken:
 
 Style/FrozenStringLiteralComment:
   Enabled: false
+
+# The following cops were added to RuboCop, but are not configured. Please set Enabled to either `true` or `false` in your `.rubocop.yml` file.
+# Please also note that you can opt-in to new cops by default by adding this to your config:
+# For more information: https://docs.rubocop.org/rubocop/versioning.html
+Gemspec/DateAssignment: # new in 1.10
+  Enabled: true
+Gemspec/RequireMFA: # new in 1.23
+  Enabled: true
+Layout/LineEndStringConcatenationIndentation: # new in 1.18
+  Enabled: true
+Layout/SpaceBeforeBrackets: # new in 1.7
+  Enabled: true
+Lint/AmbiguousAssignment: # new in 1.7
+  Enabled: true
+Lint/AmbiguousOperatorPrecedence: # new in 1.21
+  Enabled: true
+Lint/AmbiguousRange: # new in 1.19
+  Enabled: true
+Lint/DeprecatedConstants: # new in 1.8
+  Enabled: true
+Lint/DuplicateBranch: # new in 1.3
+  Enabled: true
+Lint/DuplicateRegexpCharacterClassElement: # new in 1.1
+  Enabled: true
+Lint/EmptyBlock: # new in 1.1
+  Enabled: true
+Lint/EmptyClass: # new in 1.3
+  Enabled: true
+Lint/EmptyInPattern: # new in 1.16
+  Enabled: true
+Lint/IncompatibleIoSelectWithFiberScheduler: # new in 1.21
+  Enabled: true
+Lint/LambdaWithoutLiteralBlock: # new in 1.8
+  Enabled: true
+Lint/NoReturnInBeginEndBlocks: # new in 1.2
+  Enabled: true
+Lint/NumberedParameterAssignment: # new in 1.9
+  Enabled: true
+Lint/OrAssignmentToConstant: # new in 1.9
+  Enabled: true
+Lint/RedundantDirGlobSort: # new in 1.8
+  Enabled: true
+Lint/RequireRelativeSelfPath: # new in 1.22
+  Enabled: true
+Lint/SymbolConversion: # new in 1.9
+  Enabled: true
+Lint/ToEnumArguments: # new in 1.1
+  Enabled: true
+Lint/TripleQuotes: # new in 1.9
+  Enabled: true
+Lint/UnexpectedBlockArity: # new in 1.5
+  Enabled: true
+Lint/UnmodifiedReduceAccumulator: # new in 1.1
+  Enabled: true
+Lint/UselessRuby2Keywords: # new in 1.23
+  Enabled: true
+Naming/BlockForwarding: # new in 1.24
+  Enabled: true
+Security/IoMethods: # new in 1.22
+  Enabled: true
+Style/ArgumentsForwarding: # new in 1.1
+  Enabled: true
+Style/CollectionCompact: # new in 1.2
+  Enabled: true
+Style/DocumentDynamicEvalDefinition: # new in 1.1
+  Enabled: true
+Style/EndlessMethod: # new in 1.8
+  Enabled: true
+Style/FileRead: # new in 1.24
+  Enabled: true
+Style/FileWrite: # new in 1.24
+  Enabled: true
+Style/HashConversion: # new in 1.10
+  Enabled: true
+Style/HashExcept: # new in 1.7
+  Enabled: true
+Style/IfWithBooleanLiteralBranches: # new in 1.9
+  Enabled: true
+Style/InPatternThen: # new in 1.16
+  Enabled: true
+Style/MapToHash: # new in 1.24
+  Enabled: true
+Style/MultilineInPatternThen: # new in 1.16
+  Enabled: true
+Style/NegatedIfElseCondition: # new in 1.2
+  Enabled: true
+Style/NilLambda: # new in 1.3
+  Enabled: true
+Style/NumberedParameters: # new in 1.22
+  Enabled: true
+Style/NumberedParametersLimit: # new in 1.22
+  Enabled: true
+Style/OpenStructUse: # new in 1.23
+  Enabled: true
+Style/QuotedSymbols: # new in 1.16
+  Enabled: true
+Style/RedundantArgument: # new in 1.4
+  Enabled: true
+Style/RedundantSelfAssignmentBranch: # new in 1.19
+  Enabled: true
+Style/SelectByRegexp: # new in 1.22
+  Enabled: true
+Style/StringChars: # new in 1.12
+  Enabled: true
+Style/SwapValues: # new in 1.1
+  Enabled: true

controls/SV-257787.rb

@@ -44,18 +44,18 @@
     !virtualization.system.eql?('docker')
   end
 
-  grubfile = file(input('grub_conf_path'))
-  grub_userfile = file(input('grub_user_conf_path'))
+  grubfile = input('grub_conf_path')
+  grub_userfile = input('grub_user_conf_path')
 
-  describe grubfile do
+  describe file(grubfile) do
     it { should exist }
   end
 
-  describe grub_userfile do
+  describe file(grub_userfile) do
     it { should exist }
   end
 
-  if grubfile.exist? && grub_userfile.exist?
+  if file(grubfile).exist? && file(grub_userfile).exist?
     password_set = file(grubfile).content.lines.select { |line| line.match(/password_pbkdf2\s+\w+\s+\$\{\w+\}/) }
 
     describe 'The GRUB bootloader superuser password' do
@@ -64,7 +64,7 @@
       end
 
       grub_envar = password_set.first.match(/\$\{(?<grub_pw_envar>\w+)\}/).captures.first
-      password_encrypted = file(grub_userfile).content.match(/#{grub_envar}=grub.pbkdf2/)
+      password_encrypted = file(grub_userfile).content.match?(/#{grub_envar}=grub.pbkdf2/)
       it "should be encrypted in the user config file (\'#{grub_userfile}\')" do
         expect(password_encrypted).to eq(true), "GRUB password environment variable not set to an encrypted value in \'#{grub_userfile}\'"
       end

controls/SV-257790.rb

@@ -29,7 +29,7 @@
     !virtualization.system.eql?('docker')
   }
 
-  grubfile = file(input('grub_conf_path'))
+  grubfile = input('grub_conf_path')
 
   describe file(grubfile) do
     it { should exist }

controls/SV-257791.rb

@@ -29,7 +29,7 @@
     !virtualization.system.eql?('docker')
   }
 
-  grubfile = file(input('grub_conf_path'))
+  grubfile = input('grub_conf_path')
 
   describe file(grubfile) do
     it { should exist }

controls/SV-257860.rb

@@ -29,18 +29,15 @@
     !virtualization.system.eql?('docker')
   }
 
-  directory = '/boot'
-  parameter = 'nodev'
-
   if file('/sys/firmware/efi').exist?
     impact 0.0
     describe 'System running UEFI' do
       skip 'The System is running UEFI, this control is Not Applicable.'
     end
   else
-    describe mount(directory) do
+    describe mount('/boot') do
       it { should be_mounted }
-      its('options') { should include parameter }
+      its('options') { should include 'nodev' }
     end
   end
 end

controls/SV-257935.rb

@@ -37,12 +37,12 @@
 
   alternate_firewall_tool = input('alternate_firewall_tool')
 
-  if alternate_firewall_tool != ''
-    describe package(alternate_firewall_tool) do
+  if alternate_firewall_tool == ''
+    describe package('firewalld') do
       it { should be_installed }
     end
   else
-    describe package('firewalld') do
+    describe package(alternate_firewall_tool) do
       it { should be_installed }
     end
   end

controls/SV-257937.rb

@@ -64,7 +64,7 @@
     its('zone') { should_not be_empty }
   end
 
-  failing_zones = firewalld.zone.reject { |fz| firewalld.zone(fz).target == 'DROP' }
+  failing_zones = firewalld.zone.select { |fz| firewalld.zone(fz).target == 'DROP' }
 
   describe 'All firewall zones' do
     it 'should be configured to drop all incoming network packets unless explicitly accepted' do

controls/SV-257953.rb

@@ -33,7 +33,7 @@
   tag nist: ['AU-5 a']
   tag 'host', 'container'
 
-  options = { "assignment_regex": /^(\S+):\s*(\S+)/ }
+  options = { assignment_regex: /^(\S+):\s*(\S+)/ }
 
   describe parse_config_file('/etc/aliases', options) do
     its('postmaster') { should cmp 'root' }

controls/SV-257967.rb

@@ -43,7 +43,7 @@
     !virtualization.system.eql?('docker')
   }
 
-  parameter = 'net.ipv4.icmp_ignore_bogus_error_response'
+  parameter = 'net.ipv4.icmp_ignore_bogus_error_responses'
   value = 1
   regexp = /^\s*#{parameter}\s*=\s*#{value}\s*$/
 

controls/SV-257989.rb

@@ -39,8 +39,8 @@
 
   approved_ciphers = input('approved_openssh_server_conf')['ciphers']
 
-  options = { 'assignment_regex': /^(\S+)\s+(\S+)$/ }
-  opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h
+  options = { assignment_regex: /^(\S+)\s+(\S+)$/ }
+  opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/openssh.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h
 
   actual_ciphers = opensshserver_conf['ciphers'].join(',')
 

controls/SV-257990.rb

@@ -39,8 +39,8 @@
 
   approved_macs = input('approved_openssh_server_conf')['macs']
 
-  options = { 'assignment_regex': /^(\S+)\s+(\S+)$/ }
-  opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h
+  options = { assignment_regex: /^(\S+)\s+(\S+)$/ }
+  opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/openssh.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h
 
   actual_macs = opensshserver_conf['macs'].join(',')
 

controls/SV-257991.rb

@@ -41,8 +41,8 @@
 
   approved_macs = input('approved_openssh_server_conf')['macs']
 
-  options = { 'assignment_regex': /^(\S+)\s+(\S+)$/ }
-  opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/opensshserver.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h
+  options = { assignment_regex: /^(\S+)\s+(\S+)$/ }
+  opensshserver_conf = parse_config_file('/etc/crypto-policies/back-ends/openssh.config', options).params.map { |k, v| [k.downcase, v.split(',')] }.to_h
 
   actual_macs = opensshserver_conf['macs'].join(',')
 

controls/SV-258022.rb

@@ -52,14 +52,14 @@
     !virtualization.system.eql?('docker')
   }
 
-  if !package('gnome-desktop3').installed?
+  if package('gnome-desktop3').installed?
+    describe command('grep -i lock-enabled /etc/dconf/db/local.d/locks/*') do
+      its('stdout.split') { should include '/org/gnome/desktop/screensaver/lock-enabled' }
+    end
+  else
     impact 0.0
     describe 'The GNOME desktop is not installed, this control is Not Applicable.' do
       skip 'The GNOME desktop is not installed, this control is Not Applicable.'
     end
-  else
-    describe command('grep -i lock-enabled /etc/dconf/db/local.d/locks/*') do
-      its('stdout.split') { should include '/org/gnome/desktop/screensaver/lock-enabled' }
-    end
   end
 end

controls/SV-258038.rb

@@ -39,16 +39,16 @@
 
   peripherals_package = input('peripherals_package')
 
-  if peripherals_package != 'usbguard'
+  if peripherals_package == 'usbguard'
+    describe command('usbguard list-rules') do
+      its('stdout') { should_not be_empty }
+      its('exit_status') { should eq 0 }
+    end
+  else
     describe 'Non-standard package' do
       it 'is handling peripherals' do
         expect(peripherals_package).to exist
       end
     end
-  else
-    describe command('usbguard list-rules') do
-      its('stdout') { should_not be_empty }
-      its('exit_status') { should eq 0 }
-    end
   end
 end

controls/SV-258089.rb

@@ -38,14 +38,14 @@
     !virtualization.system.eql?('docker')
   }
 
-  if !input('use_fapolicyd')
+  if input('use_fapolicyd')
+    describe package('fapolicyd') do
+      it { should be_installed }
+    end
+  else
     impact 0.0
     describe 'The organization is not using the Fapolicyd service to manage firewall servies, this control is Not Applicable' do
       skip 'The organization is not using the Fapolicyd service to manage firewall servies, this control is Not Applicable'
     end
-  else
-    describe package('fapolicyd') do
-      it { should be_installed }
-    end
   end
 end

controls/SV-258100.rb

@@ -36,7 +36,7 @@
   expected_line = 'password sufficient pam_unix.so sha512'
   pam_auth_files = input('pam_auth_files')
 
-  describe pam(pam_auth_files['password-auth']) do
+  describe pam(pam_auth_files['system-auth']) do
     its('lines') { should match_pam_rule(expected_line).any_with_integer_arg('rounds', '>=', input('password_hash_rounds')) }
   end
 end

controls/SV-258101.rb

@@ -35,12 +35,13 @@
   tag 'host'
   tag 'container'
 
-  # TODO: use this pattern on the rest of the pwquality.conf settings (current implementation for the other ones dont account for multiple conmf files)
+  # TODO: use this pattern on the rest of the pwquality.conf settings (current implementation for the other ones dont account for multiple conf files)
 
   setting = 'enforce_for_root'
 
-  setting_check = command("grep #{setting} /etc/security/pwquality.conf /etc/security/pwquality.conf/*.conf").stdout.strip.match(/^:+#{setting}$/)
-
+  # NOTE: -s to supress if no files
+  # Note: -h to just have occurances and ignore filename
+  setting_check = command("grep -sh #{setting} /etc/security/pwquality.conf /etc/security/pwquality.conf/*").stdout.strip.match(/^#{setting}$/)
   describe 'The root account' do
     it 'should enforce password complexity rules' do
       expect(setting_check).to_not be_nil, "'#{setting}' not found (or commented out) in conf file(s)"

controls/SV-258116.rb

@@ -29,7 +29,7 @@
   tag nist: ['IA-5 (1) (c)']
   tag 'host', 'container'
 
-  describe parse_config_file('/etc/libuser.conf') do
-    its('crypt_style') { should cmp 'sha512' }
+  describe file('/etc/libuser.conf') do
+    its('content') { should match(/^crypt_style\s*=\s*sha512/) }
   end
 end

controls/SV-258136.rb

@@ -35,7 +35,7 @@
 
   if file_integrity_tool == 'aide'
     describe parse_config_file('/etc/aide.conf') do
-      its('ALL') { should match(/sha512/) }
+      its('All') { should match(/sha512/) }
     end
   else
     describe 'Manual Review' do

controls/SV-258140.rb

@@ -29,13 +29,13 @@
     !virtualization.system.eql?('docker')
   }
 
-  if input('alternative_logging_method') != ''
-    describe 'manual check' do
-      skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.'
-    end
-  else
+  if input('alternative_logging_method') == ''
     describe package('rsyslog') do
       it { should be_installed }
     end
+  else
+    describe 'manual check' do
+      skip 'Manual check required. Ask the administrator to indicate how logging is done for this system.'
+    end
   end
 end