Merge pull request #1 from chen-keinan/feat/add-command-eval-pkg
test: update test to fit command-eval
chen-keinan authored Aug 25, 2021
2 parents 6f43bbf + d332cb8 commit 08ac715
Showing 54 changed files with 943 additions and 1,139 deletions.
14 changes: 11 additions & 3 deletions go.mod
Expand Up @@ -5,23 +5,31 @@ go 1.16
require (
github.com/Knetic/govaluate v3.0.0+incompatible
github.com/cheggaaa/pb v1.0.29
github.com/chen-keinan/go-command-eval v0.0.2
github.com/gobuffalo/envy v1.9.0 // indirect
github.com/gobuffalo/logger v1.0.4 // indirect
github.com/gobuffalo/packd v1.0.0 // indirect
github.com/gobuffalo/packr v1.30.1
github.com/gobuffalo/packr/v2 v2.8.1 // indirect
github.com/golang/mock v1.6.0
github.com/gosuri/uitable v0.0.4
github.com/karrick/godirwalk v1.16.1 // indirect
github.com/konsorten/go-windows-terminal-sequences v1.0.3 // indirect
github.com/magiconair/properties v1.8.5
github.com/mitchellh/cli v1.1.2
github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db
github.com/mitchellh/mapstructure v1.4.1
github.com/olekukonko/tablewriter v0.0.5
github.com/rogpeppe/go-internal v1.8.0 // indirect
github.com/sirupsen/logrus v1.8.1 // indirect
github.com/spf13/cobra v1.2.1 // indirect
github.com/stretchr/testify v1.7.0
go.uber.org/fx v1.13.1
go.uber.org/zap v1.17.0
golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97 // indirect
go.uber.org/zap v1.18.1
golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect
golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e // indirect
golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf // indirect
golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b // indirect
golang.org/x/tools v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0
)
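Review bot: `github.com/Knetic/govaluate v3.0.0+incompatible` stays in the require block while `github.com/chen-keinan/go-command-eval v0.0.2` is added; if the new module replaces govaluate as the expression evaluator, run `go mod tidy` so the old one is dropped rather than carrying two evaluators. The new dependency is pinned at a pre-1.0 version (`v0.0.2`) and, judging by the new `// indirect` entries for `logrus` and `cobra` and the 594-line growth in go.sum, brings a noticeable transitive tree with it; a `go mod why` pass on the new indirect modules before merging would confirm each is actually needed.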
599 changes: 594 additions & 5 deletions go.sum

Expand Up @@ -27,7 +27,7 @@ categories:
impact: 'Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition.
Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a default installation a disk-based /tmp will essentially have the whole disk available, as it only creates a single / partition. On the other hand, a RAM-based /tmp as with tmpfs will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily.
/tmp utilizing tmpfs can be resized using the size={size} parameter on the Options line on the tmp.mount file'
eval_expr: "'$0' == 'tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)'; || '$1' == 'tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0'; || '$2' == 'enabled'"
eval_expr: "'${0}' == 'tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)'; || '${1}' == 'tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0'; || '${2}' == 'enabled'"
additional_info: If an entry for /tmp exists in /etc/fstab it will take precedence over entries in the tmp.mount file
references:
- AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/
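Review bot: the `${0}` branch compares the whole `mount` line literally (`'tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)'`), so any extra or reordered mount option makes a compliant host fail; the impact text in this same hunk suggests adding a `size=` option to tmpfs, which would change exactly that line. Checking for the presence of `nosuid`, `nodev` and `noexec` rather than the full string would be more robust, if the evaluator supports substring or pattern matching.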
Expand All @@ -40,5 +40,5 @@ categories:
- df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' 2>/dev/null -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
remediation:
check_type: multi_param
eval_expr: "'$0' == '';"
eval_expr: "'${0}' == '';"
additional_info: Some distributions may not support the --local option to df.
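Review bot: `'${0}' == '';` treats an empty capture as a pass, but the `additional_info` in this hunk notes that `df --local` is unsupported on some distributions; there the pipeline prints nothing and the check passes without having inspected a single directory. Distinguish "command failed" from "no world-writable directories found", for example by also capturing the exit status. The `2>/dev/null` also appears twice in the `find` invocation; one is enough.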
6 changes: 3 additions & 3 deletions internal/benchmark/lxd/v1.0.0/1.3_configure_sudo.yml
Expand Up @@ -19,7 +19,7 @@ categories:
OR
# apt install sudo-ldap'
check_type: multi_param
eval_expr: "'$0' == 'install ok installed'; || '$1' == 'install ok installed';"
eval_expr: "'${0}' == 'install ok installed'; || '${1}' == 'install ok installed';"
additional_info: Use the sudo-ldap package if you need LDAP support for sudoers.
references:
- SUDO(8)
Expand All @@ -33,7 +33,7 @@ categories:
remediation: 'edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo -f and add the following line:
Defaults use_pty'
check_type: multi_param
eval_expr: "'$0' != '';"
eval_expr: "'${0}' != '';"
additional_info: isudo edits the sudoers file in a safe fashion, analogous to vipw(8).
visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks or parse errors.
If the sudoers file is currently being edited you will receive a message to try again later.
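Review bot: the `additional_info` in this hunk carries two typos through the `${0}` rewrite: `isudo` should be `visudo`, and `checks or parse errors` should read `checks for parse errors`.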
Expand All @@ -50,7 +50,7 @@ categories:
Example
Defaults logfile="/var/log/sudo.log"'
check_type: multi_param
eval_expr: "'$0' != '';"
eval_expr: "'${0}' != '';"
additional_info: visudo edits the sudoers file in a safe fashion, analogous to vipw(8).
visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks or parse errors.
If the sudoers file is currently being edited you will receive a message to try again later.
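Review bot: the same `checks or parse errors` typo (`checks for parse errors`) is repeated in this hunk's `additional_info`; since the text is duplicated across the 1.3.x entries, fix it in both places in this PR. Also, `'${0}' != '';` passes on any non-empty capture; if the audit command greps sudoers for the `logfile` keyword, a commented-out `Defaults logfile=` line would satisfy it.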
Expand Up @@ -20,7 +20,7 @@ categories:
Initialize AIDE:
# aideinit'
check_type: multi_param
eval_expr: "'$0' == 'install ok installed';"
eval_expr: "'${0}' == 'install ok installed';"
additional_info: The prelinking feature can interfere with AIDE because it alters binaries to speed up their start up times.
Run prelink -ua to restore the binaries to their prelinked state, thus avoiding false positives from AIDE.
-
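Review bot: the `additional_info` in this hunk says `prelink -ua` restores binaries "to their prelinked state"; `-ua` undoes prelinking, and the prelink entry later in this same commit describes the same command as restoring binaries "to normal". Change the wording to "original (un-prelinked) state" so the two descriptions agree.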
Expand Down Expand Up @@ -61,7 +61,7 @@ categories:
# systemctl enable aidecheck.service
# systemctl --now enable aidecheck.timer'
check_type: multi_param
eval_expr: "('$0' != ''; && '$1' != '';) || ('$2' != ''; && '$3' != ''; && '$4' != 'Unit aidecheck.timer could not be found.';) "
eval_expr: "('${0}' != ''; && '${1}' != '';) || ('${2}' != ''; && '${3}' != ''; && '${4}' != 'Unit aidecheck.timer could not be found.';) "
additional_info: The checking in this recommendation occurs every day at 5am. Alter the frequency and time of the checks in compliance with site policy.
Note that Debian advises using /usr/bin/aide.wrapper rather than calling /usr/bin/aide directly in order to protect the database and prevent conflicts.
references:
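Review bot: the second branch's `'${4}' != 'Unit aidecheck.timer could not be found.'` excludes only one specific `systemctl` error string, so any other failure text (different wording on another distribution, or `systemctl` absent inside a container) is non-empty and passes the check; a positive match on the expected `enabled`/`active` output would be safer. There is also a trailing space inside the quoted expression before the closing `"`.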
Expand Up @@ -16,4 +16,4 @@ categories:
remediation: 'Run the following command to restore binaries to normal: # prelink -ua
Uninstall prelink using the appropriate package manager or manual installation: # apt purge prelink'
check_type: multi_param
eval_expr: "'$0' != 'install ok installed';"
eval_expr: "'${0}' != 'install ok installed';"
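Review bot: `'${0}' != 'install ok installed';` passes for any status other than that exact phrase, including partially installed states such as `install ok half-installed` or `install ok unpacked`, where the prelink binaries may still be on disk; asserting on the explicit not-installed states would be tighter. The same negative pattern is used by the xinetd and openbsd-inetd checks later in this commit.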
Expand Up @@ -15,7 +15,7 @@ categories:
remediation: 'Install Apparmor.
# apt install apparmor'
check_type: multi_param
eval_expr: "'$0' == 'install ok installed';"
eval_expr: "'${0}' == 'install ok installed';"
-
name: '1.6.1.2 Ensure all AppArmor Profiles are in enforce or complain mode (Automated)'
description: AppArmor profiles define what resources applications are able to access.
Expand All @@ -31,7 +31,7 @@ categories:
# aa-complain /etc/apparmor.d/*
Any unconfined processes may need to have a profile created or activated for them and then be restarted.'
check_type: multi_param
eval_expr: "$0 > 0; && $0 == $1; && $2 == 0;"
eval_expr: "${0} > 0; && ${0} == ${1}; && ${2} == 0;"
-
name: '1.6.1.3 Ensure all AppArmor Profiles are enforcing (Automated)'
description: AppArmor profiles define what resources applications are able to access.
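Review bot: `${0} > 0; && ${0} == ${1}; && ${2} == 0;` substitutes the captures unquoted, so an empty capture (AppArmor userspace tools not present) leaves a fragment like ` > 0;` in the expression; confirm that go-command-eval reports that as a failed check rather than as an evaluation error or a pass. Unlike the string checks elsewhere in this PR, this is one of the two places where an empty output is not absorbed by a quoted comparison.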
Expand All @@ -43,4 +43,4 @@ categories:
# aa-enforce /etc/apparmor.d/*
Any unconfined processes may need to have a profile created or activated for them and then be restarted.'
check_type: multi_param
eval_expr: "$0 == 0; && $1 == 0;"
eval_expr: "${0} == 0; && ${1} == 0;"
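Review bot: `${0} == 0; && ${1} == 0;` has no counterpart to the `${0} > 0` guard used in 1.6.1.2 just above, so if `${0}` and `${1}` are the complain-mode and unconfined counts, a host with AppArmor disabled and zero loaded profiles satisfies "all profiles are enforcing". Add a positive check on the number of loaded profiles, mirroring 1.6.1.2.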
12 changes: 6 additions & 6 deletions internal/benchmark/lxd/v1.0.0/1.7_warning_banners.yml
Expand Up @@ -23,7 +23,7 @@ categories:
Run the following command to remove the motd file:
# rm /etc/motd'
check_type: multi_param
eval_expr: "'$0' == '';"
eval_expr: "'${0}' == '';"
-
name: '1.7.1.2 Ensure local login warning banner is configured properly (Automated)'
description: 'The contents of the /etc/issue file are displayed to users prior to login for local terminals.
Expand All @@ -38,7 +38,7 @@ categories:
remove any instances of \m , \r , \s , \v or references to the OS platform
# echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue'
check_type: multi_param
eval_expr: "'$0' == '';"
eval_expr: "'${0}' == '';"
-
name: '1.7.1.3 Ensure remote login warning banner is configured properly (Automated)'
description: 'The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services.
Expand All @@ -53,7 +53,7 @@ categories:
remove any instances of \m , \r , \s , \v or references to the OS platform
# echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue.net'
check_type: multi_param
eval_expr: "'$0' == '';"
eval_expr: "'${0}' == '';"
-
name: '1.7.1.4 Ensure permissions on /etc/motd are configured (Automated)'
description: 'The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users.'
Expand All @@ -64,7 +64,7 @@ categories:
# chown root:root /etc/motd
# chmod u-x,go-wx /etc/motd'
check_type: multi_param
eval_expr: "'$0' == 'Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)';"
eval_expr: "'${0}' == 'Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)';"
-
name: '1.7.1.5 Ensure permissions on /etc/issue are configured (Automated)'
description: 'The contents of the /etc/issue file are displayed to users prior to login for local terminals.'
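Review bot: `'${0}' == 'Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)';` is an exact-string match on `stat` output, so it is whitespace-sensitive and fails for a file that is stricter than 0644 (for example 0600) even though the control only requires the file not be more permissive; 1.7.1.5 and 1.7.1.6 below use the same literal. It also fails when `/etc/motd` has been removed, which is what the 1.7.1.1 remediation in this same file tells the operator to do (`# rm /etc/motd`). Comparing the mode, uid and gid fields individually and treating an absent motd as compliant would avoid both problems.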
Expand All @@ -75,7 +75,7 @@ categories:
# chown root:root /etc/issue
# chmod u-x,go-wx /etc/issue'
check_type: multi_param
eval_expr: "'$0' == 'Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)';"
eval_expr: "'${0}' == 'Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)';"
-
name: '1.7.1.6 Ensure permissions on /etc/issue.net are configured (Automated)'
description: 'The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services.'
Expand All @@ -86,4 +86,4 @@ categories:
# chown root:root /etc/issue.net
# chmod u-x,go-wx /etc/issue.net'
check_type: multi_param
eval_expr: "'$0' == 'Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)';"
eval_expr: "'${0}' == 'Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)';"
2 changes: 1 addition & 1 deletion internal/benchmark/lxd/v1.0.0/1.8_ensure_updates.yml
Expand Up @@ -18,7 +18,7 @@ categories:
OR
# apt dist-upgrade'
check_type: multi_param
eval_expr: "'$0' != 'install ok installed';"
eval_expr: "'${0}' != 'install ok installed';"
additional_info: 'Site policy may mandate a testing period before install onto production systems for available updates.
upgrade: upgrade is used to install the newest versions of all packages currently installed on the system from the sources enumerated in /etc/apt/sources.list.
Packages currently installed with new versions available are retrieved and upgraded;
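Review bot: `'${0}' != 'install ok installed';` asserts that some package is not installed, which does not correspond to a control whose remediation is `apt dist-upgrade`; it reads as copied from the package-removal checks. Confirm what the audit command captures here and, if it is the list of pending upgrades, test that list for emptiness instead.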
4 changes: 2 additions & 2 deletions internal/benchmark/lxd/v1.0.0/2.1_inetd_services.yml
Expand Up @@ -16,7 +16,7 @@ categories:
remediation: 'Run the following commands to remove xinetd:
# apt purge xinetd'
check_type: multi_param
eval_expr: "'$0' != 'install ok installed';"
eval_expr: "'${0}' != 'install ok installed';"
additional_info: Additional methods of disabling a service exist. Consult your distribution documentation for appropriate methods.
-
name: '2.1.2 Ensure openbsd-inetd is not installed (Automated)'
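Review bot: "Run the following commands" in the xinetd remediation introduces a single command (`# apt purge xinetd`); "command" is accurate and matches the openbsd-inetd entry that follows.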
Expand All @@ -27,4 +27,4 @@ categories:
remediation: 'Run the following command to uninstall openbsd-inetd:
apt purge openbsd-inetd'
check_type: multi_param
eval_expr: "'$0' != 'install ok installed';"
eval_expr: "'${0}' != 'install ok installed';"
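Review bot: the remediation line `apt purge openbsd-inetd` lacks the `# ` prompt prefix that the xinetd entry above (`# apt purge xinetd`) and the other benchmark files in this commit use; make it consistent so anything that extracts commands from the remediation text treats both alike.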