inspec 1.39.1 → 1.40.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +17 -12
- data/docs/resources/firewalld.md.erb +98 -0
- data/lib/inspec/resource.rb +1 -0
- data/lib/inspec/version.rb +1 -1
- data/lib/resources/firewalld.rb +144 -0
- metadata +4 -2
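--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 48bd4f2dd3f7ca6fd9867f3c526a77d33f823cd3
+data.tar.gz: 40b54c1efd38c3b50d88c58ef60652d59d9ae1e6
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 549fab63987e3a8c4601d9166f3c49d8d7db92537a4358f3b83c43342ddacefcf1ba5d598e19b354414f04591f2e4a4eb5b4723358f3cbd74b717fe92659547a
+data.tar.gz: bc5e8c053a1d96b4a24be5fc85b3754a71a4a20d5780be13d282a3d794e27b0f246771b19f443fb53838a3ff8d61236c26cc904b5cffa8a7d208b7e2187471f5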
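--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,24 +1,30 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 1.
-## [v1.
+<!-- latest_release 1.40.0 -->
+## [v1.40.0](https://github.com/chef/inspec/tree/v1.40.0) (2017-09-27)
 
-####
--
+#### New Resources
+- firewalld resource: inspect the status and configuration of firewalld [#2074](https://github.com/chef/inspec/pull/2074) ([dromazmj](https://github.com/dromazmj))
 <!-- latest_release -->
 
-<!-- release_rollup since=1.
-### Changes since 1.
-
-#### Merged Pull Requests
-- Bump train to 0.28 to allow for more net-ssh versions [#2185](https://github.com/chef/inspec/pull/2185) ([adamleff](https://github.com/adamleff)) <!-- 1.39.1 -->
+<!-- release_rollup since=1.39.1 -->
+### Changes since 1.39.1 release
 
 #### New Resources
--
-- windows_hotfix resource: test whether a Windows HotFix is installed [#2178](https://github.com/chef/inspec/pull/2178) ([mattray](https://github.com/mattray)) <!-- 1.38.9 -->
+- firewalld resource: inspect the status and configuration of firewalld [#2074](https://github.com/chef/inspec/pull/2074) ([dromazmj](https://github.com/dromazmj)) <!-- 1.40.0 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v1.39.0](https://github.com/chef/inspec/tree/v1.39.0) (2017-09-25)
+
+#### New Resources
+- windows_hotfix resource: test whether a Windows HotFix is installed [#2178](https://github.com/chef/inspec/pull/2178) ([mattray](https://github.com/mattray))
+- etc_hosts_allow and etc_hosts_deny resources: test the content of the tcpwrappers configuration files [#2073](https://github.com/chef/inspec/pull/2073) ([dromazmj](https://github.com/dromazmj))
+
+#### Merged Pull Requests
+- Bump train to 0.28 to allow for more net-ssh versions [#2185](https://github.com/chef/inspec/pull/2185) ([adamleff](https://github.com/adamleff))
+<!-- latest_stable_release -->
+
 ## [v1.38.8](https://github.com/chef/inspec/tree/v1.38.8) (2017-09-23)
 
 #### New Resources
@@ -41,7 +47,6 @@
 #### Merged Pull Requests
 - Add deprecation warning to auditd_rules resource [#2156](https://github.com/chef/inspec/pull/2156) ([adamleff](https://github.com/adamleff))
 - Bump train to 0.27 [#2180](https://github.com/chef/inspec/pull/2180) ([adamleff](https://github.com/adamleff))
-<!-- latest_stable_release -->
 
 ## [v1.37.6](https://github.com/chef/inspec/tree/v1.37.6) (2017-09-14)
 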
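--- a/data/docs/resources/firewalld.md.erb
+++ b/data/docs/resources/firewalld.md.erb
@@ -0,0 +1,98 @@
+---
+title: About the firewalld Resource
+---
+
+# firewalld
+
+Use the `firewalld` InSpec audit resource to test that firewalld is configured to allow and deny access to specific hosts, services and ports on a system.
+
+A firewalld has a number of zones that can be configured to allow and deny access to specific hosts, services, and ports.
+
+## Syntax
+
+describe firewalld do
+it { should be_running }
+its('default_zone') { should eq 'public' }
+it { should have_service_enabled_in_zone('ssh', 'public') }
+it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }
+end
+
+Use the where clause to test open interfaces, sources, and services in active zones.
+
+describe firewalld.where { zone == 'public' } do
+its('interfaces') { should cmp ['enp0s3', 'eno2'] }
+its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
+its('services') { should cmp ['ssh', 'icmp'] }
+end
+
+## Supported Properties
+
+### interfaces
+
+The `interfaces` property is used in conjunction with the where class to display open interfaces in an active zone.
+
+describe firewalld.where { zone == 'public' } do
+its('interfaces') { should cmp ['enp0s3', 'eno2'] }
+end
+
+### sources
+
+The `sources` property is used in conjunction with the where class to display open sources in an active zone.
+
+describe firewalld.where { zone == 'public' } do
+its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
+end
+
+### services
+
+The `services` property is used in conjunction with the where class to display open services in an active zone.
+
+describe firewalld.where { zone == 'public' } do
+its('services') { should cmp ['ssh', 'icmp'] }
+end
+
+### default_zone
+
+The `default_zone` property displays the default active zone to be used.
+
+its('default_zone') { should eq 'public' }
+
+## Matchers
+
+This InSpec audit resource has the following matchers:
+
+### `be_installed`
+
+The `be_installed` matcher tests if the firewalld service is installed:
+
+it { should be_installed }
+
+### `be_running`
+
+The `be_running` matcher tests if the firewalld service is running:
+
+it { should be_running }
+
+### have_zone
+
+`have_zone` returns true or false if the zone is set on firewalld. It does not mean the zone is active.
+
+it { should have_zone('public') }
+
+### `have_service_enabled_in_zone`
+
+`have_service_enabled_in_zone` returns true or false if the service is allowed in the specified zone.
+
+it { should have_service_enabled_in_zone('ssh', 'public') }
+
+### `have_port_enabled_in_zone`
+
+`have_port_enabled_in_zone` returns true or false if the port is allowed in the specified zone.
+
+it { should have_port_enabled_in_zone('22/tcp', 'public') }
+
+### `have_rule_enabled`
+
+`have_rule_enabled` returns true or false if the rich-rule has been specified in the zone.
+
+it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }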
data/lib/inspec/resource.rb
CHANGED
data/lib/inspec/version.rb
CHANGED
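--- a/data/lib/resources/firewalld.rb
+++ b/data/lib/resources/firewalld.rb
@@ -0,0 +1,144 @@
+# encoding: utf-8
+# author: Matthew
+
+module Inspec::Resources
+class FirewallD < Inspec.resource(1)
+###
+# This recourse assumes that the file sudo vim /etc/polkit-1/rules.d/49-nopasswd_global.rules has been
+# set to allow users in group "wheel" to perform any commands without authentication.
+###
+
+name 'firewalld'
+desc 'Use the firewalld resource to check and see if firewalld is configured to grand or deny access to specific hosts or services'
+example "
+describe firewalld do
+it { should be_running }
+its('default_zone') { should eq 'public' }
+it { should have_service_enabled_in_zone('ssh', 'public') }
+it { should have_rule_enabled('rule family=ipv4 source address=192.168.0.14 accept', 'public') }
+end
+
+describe firewalld.where { zone == 'public' } do
+its('interfaces') { should cmp ['enp0s3', 'eno2'] }
+its('sources') { should cmp ['ssh', 'icmp'] }
+its('services') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
+end
+"
+
+attr_reader :params
+
+filter = FilterTable.create
+filter.add_accessor(:where)
+.add_accessor(:entries)
+.add(:zone, field: 'zone')
+.add(:interfaces, field: 'interfaces')
+.add(:sources, field: 'sources')
+.add(:services, field: 'services')
+
+filter.connect(self, :params)
+
+def initialize
+return skip_resource 'The `etc_hosts_deny` resource is not supported on your OS.' unless inspec.os.linux?
+@params = parse_active_zones(active_zones)
+end
+
+def installed?
+inspec.command('firewall-cmd').exist?
+end
+
+def has_zone?(query_zone)
+return false unless installed?
+result = firewalld_command('--get-zones').split(' ')
+result.include?(query_zone)
+end
+
+def running?
+return false unless installed?
+result = firewalld_command('--state')
+result =~ /^running/ ? true : false
+end
+
+def default_zone
+# return: word associated with the name of the default zone
+# example: 'public'
+firewalld_command('--get-default-zone')
+end
+
+def has_service_enabled_in_zone?(query_service, query_zone = default_zone)
+firewalld_command("--zone=#{query_zone} --query-service=#{query_service}") == 'yes'
+end
+
+def service_ports_enabled_in_zone(query_service, query_zone = default_zone)
+# return: String of ports open
+# example: ['22/tcp', '4722/tcp']
+firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-ports --permanent").split(' ')
+end
+
+def service_protocols_enabled_in_zone(query_service, query_zone = default_zone)
+# return: String of protocoals open
+# example: ['icmp', 'ipv4', 'igmp']
+firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-protocols --permanent").split(' ')
+end
+
+def has_port_enabled_in_zone?(query_port, query_zone = default_zone)
+firewalld_command("--zone=#{query_zone} --query-port=#{query_port}") == 'yes'
+end
+
+def has_rule_enabled?(rule, query_zone = default_zone)
+rule = 'rule ' + rule
+firewalld_command("--zone=#{query_zone} --query-rich-rule=#{rule}") == 'yes'
+end
+
+private
+
+def active_zones
+# return syntax:
+# [default-zone-name]
+# interfaces: [open interfases]
+#
+# example:
+# public
+# interfaces: enp0s3
+firewalld_command('--get-active-zones')
+end
+
+def parse_active_zones(content)
+# Split by every second line, which contains the zone and the interfaces.
+content = content.split(/\n/).each_slice(2).map { |slice| slice.join("\n") }
+content.map do |line|
+parse_line(line)
+end.compact
+end
+
+def parse_line(line)
+zone = line.split("\n")[0]
+{
+'zone' => zone,
+'interfaces' => line.split(':')[1].split(' '),
+'services' => services_bound(zone),
+'sources' => sources_bound(zone),
+}
+end
+
+def sources_bound(query_zone)
+# result: a list containing either an ip address or ip address with a mask, or a ipset or an ipset with the ipset prefix.
+# example: ['192.168.0.4', '192.168.0.0/16', '2111:DB28:ABC:12::', '2111:db89:ab3d:0112::0/64']
+firewalld_command("--zone=#{query_zone} --list-sources").split(' ')
+end
+
+def services_bound(query_zone)
+# result: a list of services bound to a zone.
+# example: ['ssh', 'dhcpv6-client']
+firewalld_command("--zone=#{query_zone} --list-services").split(' ')
+end
+
+def firewalld_command(command)
+command = "firewall-cmd #{command}"
+result = inspec.command(command)
+if result.stderr != ''
+return "Error on command #{command}: #{result.stderr}"
+end
+result.stdout.strip
+end
+end
+end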
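Review bot: `firewalld_command` (lines 135–142 of the new file) interpolates the zone, service, port and rich-rule arguments straight into a command line that runs through a shell on the target, so a rich rule such as `family=ipv4 source address=192.168.0.14 accept` is split by the shell into separate arguments and `has_rule_enabled?` (lines 87–90) cannot match as documented, while any value containing quotes or metacharacters changes the command that actually executes. Escape every interpolated value with `Shellwords.escape` (add `require 'shellwords'` at the top; the resource is already gated to Linux, so POSIX quoting is safe) and treat a non-zero `exit_status` as the failure signal instead of returning an `Error on command …` string, which `default_zone` currently hands back as data and the other matchers then feed into their next command line. Two smaller inconsistencies in the same hunk: the `example` at line 18 passes a rule already prefixed with `rule `, which line 88 turns into `rule rule …`, and the `sources`/`services` expectations at lines 23–24 are swapped relative to the docs and to `parse_line`. The header comment at lines 7–8 documents a blanket passwordless polkit rule for the whole `wheel` group as the expected setup; a compliance profile should not ask for that, so reword it to say the resource expects to run as root (or with a polkit rule scoped to the read-only firewalld query actions), and the skip message at line 41 still names `etc_hosts_deny` rather than `firewalld`.
```ruby
# … unchanged: resource metadata, filter table, initialize and the other matchers (apply Shellwords.escape to their interpolated zone/service/port values the same way) …
def has_rule_enabled?(rule, query_zone = default_zone)
  # Accept the rule with or without the leading "rule " keyword so the docs and the example agree.
  rule = "rule #{rule}" unless rule.start_with?('rule ')
  firewalld_command("--zone=#{Shellwords.escape(query_zone)} --query-rich-rule=#{Shellwords.escape(rule)}") == 'yes'
end

# … unchanged: private parsing helpers …

def firewalld_command(command)
  command = "firewall-cmd #{command}"
  result = inspec.command(command)
  # firewall-cmd reports failure through its exit status; stderr alone may only carry warnings.
  raise "Error on command #{command}: #{result.stderr}" if result.exit_status != 0
  result.stdout.strip
end
```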
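--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.40.0
 platform: ruby
 authors:
 - Dominik Richter
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-09-
+date: 2017-09-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: train
@@ -337,6 +337,7 @@ files:
 - docs/resources/etc_hosts_allow.md.erb
 - docs/resources/etc_hosts_deny.md.erb
 - docs/resources/file.md.erb
+- docs/resources/firewalld.md.erb
 - docs/resources/gem.md.erb
 - docs/resources/group.md.erb
 - docs/resources/grub_conf.md.erb
@@ -583,6 +584,7 @@ files:
 - lib/resources/etc_hosts.rb
 - lib/resources/etc_hosts_allow_deny.rb
 - lib/resources/file.rb
+- lib/resources/firewalld.rb
 - lib/resources/gem.rb
 - lib/resources/groups.rb
 - lib/resources/grub_conf.rb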