inspec reports static systemd services as enabled #6907

Open
mschmitt opened this issue Dec 8, 2023 · 0 comments

mschmitt commented Dec 8, 2023

Steps to reproduce

Identify any static service, for example one that is started by a timer: systemctl list-units --type=timer

This example shall use apt-daily.service.

apt-daily.service is a static service:

$ systemctl status apt-daily.service
○ apt-daily.service - Daily apt download activities
     Loaded: loaded (/lib/systemd/system/apt-daily.service; static)
     Active: inactive (dead)
TriggeredBy: ● apt-daily.timer
       Docs: man:apt(8)

The unit does not contain an Install section:

$ systemctl cat apt-daily.service
# /lib/systemd/system/apt-daily.service
[Unit]
Description=Daily apt download activities
Documentation=man:apt(8)
ConditionACPower=true
After=network.target network-online.target systemd-networkd.service NetworkManager.service connman.service

[Service]
Type=oneshot
ExecStartPre=-/usr/lib/apt/apt-helper wait-online
ExecStart=/usr/lib/apt/apt.systemd.daily update

As the unit does not contain an Install section, it can not be enabled:

$ sudo systemctl enable apt-daily.service
The unit files have no installation config (WantedBy=, RequiredBy=, Also=,
Alias= settings in the [Install] section, and DefaultInstance= for template
units). This means they are not meant to be enabled using systemctl.
 
Possible reasons for having this kind of units are:
• A unit may be statically enabled by being symlinked from another unit's
  .wants/ or .requires/ directory.
• A unit's purpose may be to act as a helper for some other unit which has
  a requirement dependency on it.
• A unit may be started when needed via activation (socket, path, timer,
  D-Bus, udev, scripted systemctl call, ...).
• In case of template units, the unit is meant to be enabled with some
  instance name specified.

Now let's use inspec to test the unit. We want it to NOT be enabled:

$ cat demo.rb
control 'demo' do
  service_name = 'apt-daily.service'
  describe service(service_name) do
    it { should_not be_enabled }
  end
end

$ inspec exec demo.rb

Profile:   tests from demo.rb (tests from demo.rb)
Version:   (not specified)
Target:    local://
Target ID: 72956cf0-a832-5101-bfc5-4fb32d972065

  ×  demo: Service apt-daily.service
     ×  Service apt-daily.service is expected not to be enabled
     expected Service apt-daily.service not to be enabled


Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 1 failure, 0 skipped

In lib/inspec/resources/service.rb, inspec invokes systemctl is-enabled apt-daily.service to test if the service is enabled:

    result = inspec.command("#{service_ctl} is-enabled #{service_name} --quiet")
    return true if result.exit_status == 0

Exit code 0 from systemctl is-enabled does not, however, mean that the service is enabled:

$ systemctl is-enabled apt-daily.service
static
$ echo $?
0

Compared to services that are actually disabled or enabled:

$ systemctl is-enabled ssh.service
disabled
$ echo $?
1
$ systemctl is-enabled NetworkManager.service
enabled
$ echo $?
0

This behaviour is documented in the table of exit codes for systemctl is-enabled:

Environment

$ inspec version
6.6.0
$ cat /etc/os-release 
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

Possible Solution

A possible fix would be to check output from the command above for the string "enabled".
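To show the difference between the two checks side by side, the following Ruby snippet is an added example, not code from the issue reporter or from the InSpec project. It models command results as a small Struct with the same `stdout` / `exit_status` fields the issue's `inspec.command` result exposes, and it classifies the first word of `systemctl is-enabled` output. The list of "exit 0 but not enabled" states (`static`, `indirect`, `alias`, `linked`, `generated`, `transient`) is taken from the systemctl(1) man page as an assumption; the sample results are constructed to mirror the transcripts above, and `masked-example.service` is a made-up unit name.

```ruby
# Added example (not InSpec code): distinguish "enabled" from other
# `systemctl is-enabled` states instead of trusting the exit status alone.

# Minimal stand-in for the command result object InSpec passes around.
CmdResult = Struct.new(:stdout, :exit_status)

# Output words that mean the unit's [Install] hooks are actually installed.
ENABLED_STATES = %w[enabled enabled-runtime].freeze

# Words for which systemctl is-enabled still exits 0 although the unit is not
# enabled in the sense a compliance check cares about (assumption: systemctl(1)).
ZERO_EXIT_BUT_NOT_ENABLED = %w[static indirect alias linked linked-runtime
                               generated transient].freeze

# The state word itself (first line of stdout), handy for failure messages.
def enablement_state(result)
  result.stdout.to_s.lines.first.to_s.strip
end

# Check as currently implemented: exit status 0 means "enabled".
def enabled_by_exit_status?(result)
  result.exit_status == 0
end

# Proposed check: look at what systemctl actually printed.
def enabled_by_output?(result)
  ENABLED_STATES.include?(enablement_state(result))
end

# Explain a zero exit that is not an enablement, for audit output.
def zero_exit_reason(result)
  state = enablement_state(result)
  return nil unless result.exit_status == 0 && ZERO_EXIT_BUT_NOT_ENABLED.include?(state)

  "#{state}: unit has no installed [Install] hooks but is activatable/referenced"
end

# Constructed sample results mirroring the issue transcripts (plus one masked unit).
SAMPLES = {
  "apt-daily.service"      => CmdResult.new("static\n", 0),
  "ssh.service"            => CmdResult.new("disabled\n", 1),
  "NetworkManager.service" => CmdResult.new("enabled\n", 0),
  "masked-example.service" => CmdResult.new("masked\n", 1) # hypothetical unit
}.freeze

# Run both checks over every sample and record what each one concludes.
def compare_checks(samples = SAMPLES)
  samples.transform_values do |r|
    {
      state: enablement_state(r),
      exit_status_says_enabled: enabled_by_exit_status?(r),
      output_says_enabled: enabled_by_output?(r),
      note: zero_exit_reason(r)
    }
  end
end

# Units on which the two checks disagree: exactly the false positives.
def disagreements(samples = SAMPLES)
  compare_checks(samples)
    .select { |_, v| v[:exit_status_says_enabled] != v[:output_says_enabled] }
    .keys
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each do |unit, v|
    printf("%-24s %-9s exit_status=>%-5s output=>%-5s %s\n",
           unit, v[:state], v[:exit_status_says_enabled],
           v[:output_says_enabled], v[:note] || "")
  end
  puts "false positives: #{disagreements.join(', ')}"
end
```

Running the file lists each sample with both verdicts and reports `apt-daily.service` as the only unit where the exit-status check and the output check disagree; `masked` and `disabled` are rejected by both, and `enabled` is accepted by both, so the change narrows the matcher without breaking the ordinary cases.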
