inspec 1.39.1 → 1.40.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 97699693b6d62f4d9e4c0a0bba1976a9336e45f5
-  data.tar.gz: e63ab2af1bf3052abcac967c638ebdfb433e4ba3
+  metadata.gz: 48bd4f2dd3f7ca6fd9867f3c526a77d33f823cd3
+  data.tar.gz: 40b54c1efd38c3b50d88c58ef60652d59d9ae1e6
 SHA512:
-  metadata.gz: c002fbc3e01f146eb0626a0848a57cb3d51e50cd10fbec05d39712f887765fd0b48fda1136ad467e84e72ec2d5c99ed64bd5899a64faeee2c801a89d762b1fbb
-  data.tar.gz: 7bdcbd01f32a11d195fc2f84c092e6584fd8f0d0632feb981e923d96f8a7f05ccdf0c2100a1d078b5ea778bc76b605f52329e087ef830d710322e2927953f85b
+  metadata.gz: 549fab63987e3a8c4601d9166f3c49d8d7db92537a4358f3b83c43342ddacefcf1ba5d598e19b354414f04591f2e4a4eb5b4723358f3cbd74b717fe92659547a
+  data.tar.gz: bc5e8c053a1d96b4a24be5fc85b3754a71a4a20d5780be13d282a3d794e27b0f246771b19f443fb53838a3ff8d61236c26cc904b5cffa8a7d208b7e2187471f5

data/CHANGELOG.md

@@ -1,24 +1,30 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 1.39.1 -->
-## [v1.39.0](https://github.com/chef/inspec/tree/v1.39.0) (2017-09-25)
+<!-- latest_release 1.40.0 -->
+## [v1.40.0](https://github.com/chef/inspec/tree/v1.40.0) (2017-09-27)
 
-#### Merged Pull Requests
-- Bump train to 0.28 to allow for more net-ssh versions [#2185](https://github.com/chef/inspec/pull/2185) ([adamleff](https://github.com/adamleff))
+#### New Resources
+- firewalld resource: inspect the status and configuration of firewalld [#2074](https://github.com/chef/inspec/pull/2074) ([dromazmj](https://github.com/dromazmj))
 <!-- latest_release -->
 
-<!-- release_rollup since=1.38.8 -->
-### Changes since 1.37.6 release
-
-#### Merged Pull Requests
-- Bump train to 0.28 to allow for more net-ssh versions [#2185](https://github.com/chef/inspec/pull/2185) ([adamleff](https://github.com/adamleff)) <!-- 1.39.1 -->
+<!-- release_rollup since=1.39.1 -->
+### Changes since 1.39.1 release
 
 #### New Resources
-- etc_hosts_allow and etc_hosts_deny resources: test the content of the tcpwrappers configuration files [#2073](https://github.com/chef/inspec/pull/2073) ([dromazmj](https://github.com/dromazmj)) <!-- 1.39.0 -->
-- windows_hotfix resource: test whether a Windows HotFix is installed [#2178](https://github.com/chef/inspec/pull/2178) ([mattray](https://github.com/mattray)) <!-- 1.38.9 -->
+- firewalld resource: inspect the status and configuration of firewalld [#2074](https://github.com/chef/inspec/pull/2074) ([dromazmj](https://github.com/dromazmj)) <!-- 1.40.0 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v1.39.0](https://github.com/chef/inspec/tree/v1.39.0) (2017-09-25)
+
+#### New Resources
+- windows_hotfix resource: test whether a Windows HotFix is installed [#2178](https://github.com/chef/inspec/pull/2178) ([mattray](https://github.com/mattray))
+- etc_hosts_allow and etc_hosts_deny resources: test the content of the tcpwrappers configuration files [#2073](https://github.com/chef/inspec/pull/2073) ([dromazmj](https://github.com/dromazmj))
+
+#### Merged Pull Requests
+- Bump train to 0.28 to allow for more net-ssh versions [#2185](https://github.com/chef/inspec/pull/2185) ([adamleff](https://github.com/adamleff))
+<!-- latest_stable_release -->
+
 ## [v1.38.8](https://github.com/chef/inspec/tree/v1.38.8) (2017-09-23)
 
 #### New Resources
@@ -41,7 +47,6 @@
 #### Merged Pull Requests
 - Add deprecation warning to auditd_rules resource [#2156](https://github.com/chef/inspec/pull/2156) ([adamleff](https://github.com/adamleff))
 - Bump train to 0.27 [#2180](https://github.com/chef/inspec/pull/2180) ([adamleff](https://github.com/adamleff))
-<!-- latest_stable_release -->
 
 ## [v1.37.6](https://github.com/chef/inspec/tree/v1.37.6) (2017-09-14)
 

data/docs/resources/firewalld.md.erb

@@ -0,0 +1,98 @@
+---
+title: About the firewalld Resource
+---
+
+# firewalld
+
+Use the `firewalld` InSpec audit resource to test that firewalld is configured to allow and deny access to specific hosts, services and ports on a system.
+
+A firewalld has a number of zones that can be configured to allow and deny access to specific hosts, services, and ports.
+
+## Syntax
+
+    describe firewalld do
+      it { should be_running }
+      its('default_zone') { should eq 'public' }
+      it { should have_service_enabled_in_zone('ssh', 'public') }
+      it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }
+    end
+
+Use the where clause to test open interfaces, sources, and services in active zones.
+
+    describe firewalld.where { zone == 'public' } do
+      its('interfaces') { should cmp ['enp0s3', 'eno2'] }
+      its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
+      its('services') { should cmp ['ssh', 'icmp'] }
+    end
+
+## Supported Properties
+
+### interfaces
+
+The `interfaces` property is used in conjunction with the where class to display open interfaces in an active zone.
+
+    describe firewalld.where { zone == 'public' } do
+      its('interfaces') { should cmp ['enp0s3', 'eno2'] }
+    end
+
+### sources
+
+The `sources` property is used in conjunction with the where class to display open sources in an active zone.
+
+    describe firewalld.where { zone == 'public' } do
+      its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
+    end
+
+### services
+
+The `services` property is used in conjunction with the where class to display open services in an active zone.
+
+    describe firewalld.where { zone == 'public' } do
+      its('services') { should cmp ['ssh', 'icmp'] }
+    end
+
+### default_zone
+
+The `default_zone` property displays the default active zone to be used.
+
+    its('default_zone') { should eq 'public' }
+
+## Matchers
+
+This InSpec audit resource has the following matchers:
+
+### `be_installed`
+
+The `be_installed` matcher tests if the firewalld service is installed:
+
+    it { should be_installed }
+
+### `be_running`
+
+The `be_running` matcher tests if the firewalld service is running:
+
+    it { should be_running }
+
+### have_zone
+
+`have_zone` returns true or false if the zone is set on firewalld. It does not mean the zone is active.
+
+    it { should have_zone('public') }
+
+### `have_service_enabled_in_zone`
+
+`have_service_enabled_in_zone` returns true or false if the service is allowed in the specified zone.
+
+    it { should have_service_enabled_in_zone('ssh', 'public') }
+
+### `have_port_enabled_in_zone`
+
+`have_port_enabled_in_zone` returns true or false if the port is allowed in the specified zone.
+
+    it { should have_port_enabled_in_zone('22/tcp', 'public') }
+
+### `have_rule_enabled`
+
+`have_rule_enabled` returns true or false if the rich-rule has been specified in the zone.
+
+    it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }

data/lib/inspec/resource.rb

@@ -95,6 +95,7 @@ require 'resources/etc_group'
 require 'resources/etc_hosts_allow_deny'
 require 'resources/etc_hosts'
 require 'resources/file'
+require 'resources/firewalld'
 require 'resources/gem'
 require 'resources/groups'
 require 'resources/grub_conf'

data/lib/inspec/version.rb

@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-  VERSION = '1.39.1'.freeze
+  VERSION = '1.40.0'.freeze
 end

data/lib/resources/firewalld.rb

@@ -0,0 +1,144 @@
+# encoding: utf-8
+# author: Matthew
+
+module Inspec::Resources
+  class FirewallD < Inspec.resource(1)
+    ###
+    #  This recourse assumes that the file sudo vim /etc/polkit-1/rules.d/49-nopasswd_global.rules has been
+    #  set to allow users in group "wheel" to perform any commands without authentication.
+    ###
+
+    name 'firewalld'
+    desc 'Use the firewalld resource to check and see if firewalld is configured to grand or deny access to specific hosts or services'
+    example "
+      describe firewalld do
+        it { should be_running }
+        its('default_zone') { should eq 'public' }
+        it { should have_service_enabled_in_zone('ssh', 'public') }
+        it { should have_rule_enabled('rule family=ipv4 source address=192.168.0.14 accept', 'public') }
+      end
+
+      describe firewalld.where { zone == 'public' } do
+        its('interfaces') { should cmp ['enp0s3', 'eno2'] }
+        its('sources') { should cmp ['ssh', 'icmp'] }
+        its('services') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
+      end
+    "
+
+    attr_reader :params
+
+    filter = FilterTable.create
+    filter.add_accessor(:where)
+          .add_accessor(:entries)
+          .add(:zone,       field: 'zone')
+          .add(:interfaces, field: 'interfaces')
+          .add(:sources,    field: 'sources')
+          .add(:services,   field: 'services')
+
+    filter.connect(self, :params)
+
+    def initialize
+      return skip_resource 'The `etc_hosts_deny` resource is not supported on your OS.' unless inspec.os.linux?
+      @params = parse_active_zones(active_zones)
+    end
+
+    def installed?
+      inspec.command('firewall-cmd').exist?
+    end
+
+    def has_zone?(query_zone)
+      return false unless installed?
+      result = firewalld_command('--get-zones').split(' ')
+      result.include?(query_zone)
+    end
+
+    def running?
+      return false unless installed?
+      result = firewalld_command('--state')
+      result =~ /^running/ ? true : false
+    end
+
+    def default_zone
+      # return: word associated with the name of the default zone
+      # example: 'public'
+      firewalld_command('--get-default-zone')
+    end
+
+    def has_service_enabled_in_zone?(query_service, query_zone = default_zone)
+      firewalld_command("--zone=#{query_zone} --query-service=#{query_service}") == 'yes'
+    end
+
+    def service_ports_enabled_in_zone(query_service, query_zone = default_zone)
+      # return: String of ports open
+      # example: ['22/tcp', '4722/tcp']
+      firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-ports --permanent").split(' ')
+    end
+
+    def service_protocols_enabled_in_zone(query_service, query_zone = default_zone)
+      # return: String of protocoals open
+      # example: ['icmp', 'ipv4', 'igmp']
+      firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-protocols --permanent").split(' ')
+    end
+
+    def has_port_enabled_in_zone?(query_port, query_zone = default_zone)
+      firewalld_command("--zone=#{query_zone} --query-port=#{query_port}") == 'yes'
+    end
+
+    def has_rule_enabled?(rule, query_zone = default_zone)
+      rule = 'rule ' + rule
+      firewalld_command("--zone=#{query_zone} --query-rich-rule=#{rule}") == 'yes'
+    end
+
+    private
+
+    def active_zones
+      # return syntax:
+      #   [default-zone-name]
+      #       interfaces: [open interfases]
+      #
+      # example:
+      #   public
+      #       interfaces: enp0s3
+      firewalld_command('--get-active-zones')
+    end
+
+    def parse_active_zones(content)
+      # Split by every second line, which contains the zone and the interfaces.
+      content = content.split(/\n/).each_slice(2).map { |slice| slice.join("\n") }
+      content.map do |line|
+        parse_line(line)
+      end.compact
+    end
+
+    def parse_line(line)
+      zone = line.split("\n")[0]
+      {
+        'zone' => zone,
+        'interfaces' => line.split(':')[1].split(' '),
+        'services' =>   services_bound(zone),
+        'sources' =>    sources_bound(zone),
+      }
+    end
+
+    def sources_bound(query_zone)
+      # result: a list containing either an ip address or ip address with a mask, or a ipset or an ipset with the ipset prefix.
+      # example: ['192.168.0.4', '192.168.0.0/16', '2111:DB28:ABC:12::', '2111:db89:ab3d:0112::0/64']
+      firewalld_command("--zone=#{query_zone} --list-sources").split(' ')
+    end
+
+    def services_bound(query_zone)
+      # result: a list of services bound to a zone.
+      # example: ['ssh', 'dhcpv6-client']
+      firewalld_command("--zone=#{query_zone} --list-services").split(' ')
+    end
+
+    def firewalld_command(command)
+      command = "firewall-cmd #{command}"
+      result = inspec.command(command)
+      if result.stderr != ''
+        return "Error on command #{command}: #{result.stderr}"
+      end
+      result.stdout.strip
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-  version: 1.39.1
+  version: 1.40.0
 platform: ruby
 authors:
 - Dominik Richter
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-09-25 00:00:00.000000000 Z
+date: 2017-09-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: train
@@ -337,6 +337,7 @@ files:
 - docs/resources/etc_hosts_allow.md.erb
 - docs/resources/etc_hosts_deny.md.erb
 - docs/resources/file.md.erb
+- docs/resources/firewalld.md.erb
 - docs/resources/gem.md.erb
 - docs/resources/group.md.erb
 - docs/resources/grub_conf.md.erb
@@ -583,6 +584,7 @@ files:
 - lib/resources/etc_hosts.rb
 - lib/resources/etc_hosts_allow_deny.rb
 - lib/resources/file.rb
+- lib/resources/firewalld.rb
 - lib/resources/gem.rb
 - lib/resources/groups.rb
 - lib/resources/grub_conf.rb