inspec 1.39.1 → 1.40.0

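--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 97699693b6d62f4d9e4c0a0bba1976a9336e45f5
-data.tar.gz: e63ab2af1bf3052abcac967c638ebdfb433e4ba3
+metadata.gz: 48bd4f2dd3f7ca6fd9867f3c526a77d33f823cd3
+data.tar.gz: 40b54c1efd38c3b50d88c58ef60652d59d9ae1e6
 SHA512:
-metadata.gz: c002fbc3e01f146eb0626a0848a57cb3d51e50cd10fbec05d39712f887765fd0b48fda1136ad467e84e72ec2d5c99ed64bd5899a64faeee2c801a89d762b1fbb
-data.tar.gz: 7bdcbd01f32a11d195fc2f84c092e6584fd8f0d0632feb981e923d96f8a7f05ccdf0c2100a1d078b5ea778bc76b605f52329e087ef830d710322e2927953f85b
+metadata.gz: 549fab63987e3a8c4601d9166f3c49d8d7db92537a4358f3b83c43342ddacefcf1ba5d598e19b354414f04591f2e4a4eb5b4723358f3cbd74b717fe92659547a
+data.tar.gz: bc5e8c053a1d96b4a24be5fc85b3754a71a4a20d5780be13d282a3d794e27b0f246771b19f443fb53838a3ff8d61236c26cc904b5cffa8a7d208b7e2187471f5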
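--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,24 +1,30 @@
 # Change Log
 <!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
-<!-- latest_release 1.39.1 -->
-## [v1.39.0](https://github.com/chef/inspec/tree/v1.39.0) (2017-09-25)
+<!-- latest_release 1.40.0 -->
+## [v1.40.0](https://github.com/chef/inspec/tree/v1.40.0) (2017-09-27)
 
-#### Merged Pull Requests
-- Bump train to 0.28 to allow for more net-ssh versions [#2185](https://github.com/chef/inspec/pull/2185) ([adamleff](https://github.com/adamleff))
+#### New Resources
+- firewalld resource: inspect the status and configuration of firewalld [#2074](https://github.com/chef/inspec/pull/2074) ([dromazmj](https://github.com/dromazmj))
 <!-- latest_release -->
 
-<!-- release_rollup since=1.38.8 -->
-### Changes since 1.37.6 release
-
-#### Merged Pull Requests
-- Bump train to 0.28 to allow for more net-ssh versions [#2185](https://github.com/chef/inspec/pull/2185) ([adamleff](https://github.com/adamleff)) <!-- 1.39.1 -->
+<!-- release_rollup since=1.39.1 -->
+### Changes since 1.39.1 release
 
 #### New Resources
-- etc_hosts_allow and etc_hosts_deny resources: test the content of the tcpwrappers configuration files [#2073](https://github.com/chef/inspec/pull/2073) ([dromazmj](https://github.com/dromazmj)) <!-- 1.39.0 -->
-- windows_hotfix resource: test whether a Windows HotFix is installed [#2178](https://github.com/chef/inspec/pull/2178) ([mattray](https://github.com/mattray)) <!-- 1.38.9 -->
+- firewalld resource: inspect the status and configuration of firewalld [#2074](https://github.com/chef/inspec/pull/2074) ([dromazmj](https://github.com/dromazmj)) <!-- 1.40.0 -->
 <!-- release_rollup -->
 
 <!-- latest_stable_release -->
+## [v1.39.0](https://github.com/chef/inspec/tree/v1.39.0) (2017-09-25)
+
+#### New Resources
+- windows_hotfix resource: test whether a Windows HotFix is installed [#2178](https://github.com/chef/inspec/pull/2178) ([mattray](https://github.com/mattray))
+- etc_hosts_allow and etc_hosts_deny resources: test the content of the tcpwrappers configuration files [#2073](https://github.com/chef/inspec/pull/2073) ([dromazmj](https://github.com/dromazmj))
+
+#### Merged Pull Requests
+- Bump train to 0.28 to allow for more net-ssh versions [#2185](https://github.com/chef/inspec/pull/2185) ([adamleff](https://github.com/adamleff))
+<!-- latest_stable_release -->
+
 ## [v1.38.8](https://github.com/chef/inspec/tree/v1.38.8) (2017-09-23)
 
 #### New Resources
@@ -41,7 +47,6 @@
 #### Merged Pull Requests
 - Add deprecation warning to auditd_rules resource [#2156](https://github.com/chef/inspec/pull/2156) ([adamleff](https://github.com/adamleff))
 - Bump train to 0.27 [#2180](https://github.com/chef/inspec/pull/2180) ([adamleff](https://github.com/adamleff))
-<!-- latest_stable_release -->
 
 ## [v1.37.6](https://github.com/chef/inspec/tree/v1.37.6) (2017-09-14)
 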
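--- /dev/null
+++ b/docs/resources/firewalld.md.erb
@@ -0,0 +1,98 @@
+---
+title: About the firewalld Resource
+---
+
+# firewalld
+
+Use the `firewalld` InSpec audit resource to test that firewalld is configured to allow and deny access to specific hosts, services and ports on a system.
+
+A firewalld has a number of zones that can be configured to allow and deny access to specific hosts, services, and ports.
+
+## Syntax
+
+describe firewalld do
+it { should be_running }
+its('default_zone') { should eq 'public' }
+it { should have_service_enabled_in_zone('ssh', 'public') }
+it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }
+end
+
+Use the where clause to test open interfaces, sources, and services in active zones.
+
+describe firewalld.where { zone == 'public' } do
+its('interfaces') { should cmp ['enp0s3', 'eno2'] }
+its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
+its('services') { should cmp ['ssh', 'icmp'] }
+end
+
+## Supported Properties
+
+### interfaces
+
+The `interfaces` property is used in conjunction with the where class to display open interfaces in an active zone.
+
+describe firewalld.where { zone == 'public' } do
+its('interfaces') { should cmp ['enp0s3', 'eno2'] }
+end
+
+### sources
+
+The `sources` property is used in conjunction with the where class to display open sources in an active zone.
+
+describe firewalld.where { zone == 'public' } do
+its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
+end
+
+### services
+
+The `services` property is used in conjunction with the where class to display open services in an active zone.
+
+describe firewalld.where { zone == 'public' } do
+its('services') { should cmp ['ssh', 'icmp'] }
+end
+
+### default_zone
+
+The `default_zone` property displays the default active zone to be used.
+
+its('default_zone') { should eq 'public' }
+
+## Matchers
+
+This InSpec audit resource has the following matchers:
+
+### `be_installed`
+
+The `be_installed` matcher tests if the firewalld service is installed:
+
+it { should be_installed }
+
+### `be_running`
+
+The `be_running` matcher tests if the firewalld service is running:
+
+it { should be_running }
+
+### have_zone
+
+`have_zone` returns true or false if the zone is set on firewalld. It does not mean the zone is active.
+
+it { should have_zone('public') }
+
+### `have_service_enabled_in_zone`
+
+`have_service_enabled_in_zone` returns true or false if the service is allowed in the specified zone.
+
+it { should have_service_enabled_in_zone('ssh', 'public') }
+
+### `have_port_enabled_in_zone`
+
+`have_port_enabled_in_zone` returns true or false if the port is allowed in the specified zone.
+
+it { should have_port_enabled_in_zone('22/tcp', 'public') }
+
+### `have_rule_enabled`
+
+`have_rule_enabled` returns true or false if the rich-rule has been specified in the zone.
+
+it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') }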
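--- a/lib/inspec/resource.rb
+++ b/lib/inspec/resource.rb
@@ -95,6 +95,7 @@ require 'resources/etc_group'
 require 'resources/etc_hosts_allow_deny'
 require 'resources/etc_hosts'
 require 'resources/file'
+require 'resources/firewalld'
 require 'resources/gem'
 require 'resources/groups'
 require 'resources/grub_conf'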
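--- a/lib/inspec/version.rb
+++ b/lib/inspec/version.rb
@@ -4,5 +4,5 @@
 # author: Christoph Hartmann
 
 module Inspec
-VERSION = '1.39.1'.freeze
+VERSION = '1.40.0'.freeze
 end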
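--- /dev/null
+++ b/lib/resources/firewalld.rb
@@ -0,0 +1,144 @@
+# encoding: utf-8
+# author: Matthew
+
+module Inspec::Resources
+class FirewallD < Inspec.resource(1)
+###
+# This recourse assumes that the file sudo vim /etc/polkit-1/rules.d/49-nopasswd_global.rules has been
+# set to allow users in group "wheel" to perform any commands without authentication.
+###
+
+name 'firewalld'
+desc 'Use the firewalld resource to check and see if firewalld is configured to grand or deny access to specific hosts or services'
+example "
+describe firewalld do
+it { should be_running }
+its('default_zone') { should eq 'public' }
+it { should have_service_enabled_in_zone('ssh', 'public') }
+it { should have_rule_enabled('rule family=ipv4 source address=192.168.0.14 accept', 'public') }
+end
+
+describe firewalld.where { zone == 'public' } do
+its('interfaces') { should cmp ['enp0s3', 'eno2'] }
+its('sources') { should cmp ['ssh', 'icmp'] }
+its('services') { should cmp ['192.168.1.0/24', '192.168.1.2'] }
+end
+"
+
+attr_reader :params
+
+filter = FilterTable.create
+filter.add_accessor(:where)
+.add_accessor(:entries)
+.add(:zone, field: 'zone')
+.add(:interfaces, field: 'interfaces')
+.add(:sources, field: 'sources')
+.add(:services, field: 'services')
+
+filter.connect(self, :params)
+
+def initialize
+return skip_resource 'The `etc_hosts_deny` resource is not supported on your OS.' unless inspec.os.linux?
+@params = parse_active_zones(active_zones)
+end
+
+def installed?
+inspec.command('firewall-cmd').exist?
+end
+
+def has_zone?(query_zone)
+return false unless installed?
+result = firewalld_command('--get-zones').split(' ')
+result.include?(query_zone)
+end
+
+def running?
+return false unless installed?
+result = firewalld_command('--state')
+result =~ /^running/ ? true : false
+end
+
+def default_zone
+# return: word associated with the name of the default zone
+# example: 'public'
+firewalld_command('--get-default-zone')
+end
+
+def has_service_enabled_in_zone?(query_service, query_zone = default_zone)
+firewalld_command("--zone=#{query_zone} --query-service=#{query_service}") == 'yes'
+end
+
+def service_ports_enabled_in_zone(query_service, query_zone = default_zone)
+# return: String of ports open
+# example: ['22/tcp', '4722/tcp']
+firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-ports --permanent").split(' ')
+end
+
+def service_protocols_enabled_in_zone(query_service, query_zone = default_zone)
+# return: String of protocoals open
+# example: ['icmp', 'ipv4', 'igmp']
+firewalld_command("--zone=#{query_zone} --service=#{query_service} --get-protocols --permanent").split(' ')
+end
+
+def has_port_enabled_in_zone?(query_port, query_zone = default_zone)
+firewalld_command("--zone=#{query_zone} --query-port=#{query_port}") == 'yes'
+end
+
+def has_rule_enabled?(rule, query_zone = default_zone)
+rule = 'rule ' + rule
+firewalld_command("--zone=#{query_zone} --query-rich-rule=#{rule}") == 'yes'
+end
+
+private
+
+def active_zones
+# return syntax:
+# [default-zone-name]
+# interfaces: [open interfases]
+#
+# example:
+# public
+# interfaces: enp0s3
+firewalld_command('--get-active-zones')
+end
+
+def parse_active_zones(content)
+# Split by every second line, which contains the zone and the interfaces.
+content = content.split(/\n/).each_slice(2).map { |slice| slice.join("\n") }
+content.map do |line|
+parse_line(line)
+end.compact
+end
+
+def parse_line(line)
+zone = line.split("\n")[0]
+{
+'zone' => zone,
+'interfaces' => line.split(':')[1].split(' '),
+'services' => services_bound(zone),
+'sources' => sources_bound(zone),
+}
+end
+
+def sources_bound(query_zone)
+# result: a list containing either an ip address or ip address with a mask, or a ipset or an ipset with the ipset prefix.
+# example: ['192.168.0.4', '192.168.0.0/16', '2111:DB28:ABC:12::', '2111:db89:ab3d:0112::0/64']
+firewalld_command("--zone=#{query_zone} --list-sources").split(' ')
+end
+
+def services_bound(query_zone)
+# result: a list of services bound to a zone.
+# example: ['ssh', 'dhcpv6-client']
+firewalld_command("--zone=#{query_zone} --list-services").split(' ')
+end
+
+def firewalld_command(command)
+command = "firewall-cmd #{command}"
+result = inspec.command(command)
+if result.stderr != ''
+return "Error on command #{command}: #{result.stderr}"
+end
+result.stdout.strip
+end
+end
+end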
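Review bot: In `has_rule_enabled?` the rich rule (`rule family=ipv4 source address=… accept`) is interpolated into the command line unquoted, so when the target executes it through a shell `firewall-cmd` receives `--query-rich-rule=rule` and the remaining words as separate arguments; quoting it, `firewalld_command("--zone=#{query_zone} --query-rich-rule='#{rule}'")`, fixes the split, and the zone/service/port values interpolated by the other query methods are likewise unescaped, so a profile value containing shell metacharacters runs as part of the command on the audited host (`Shellwords.escape` on each argument would close that). `firewalld_command` also turns any stderr output into the string `Error on command …` and ignores the exit status, so `default_zone` returns that text as the zone name and `has_zone?`/`sources_bound`/`services_bound` split it into bogus tokens; checking `result.exit_status` and raising or calling `skip_resource` would surface the failure instead of producing misleading entries. `parse_active_zones` pairs output lines with `each_slice(2)` and `parse_line` treats everything after the first `:` as interfaces, but `--get-active-zones` appears to also print a `sources:` line for zones bound by source, which would shift the pairing and mislabel sources as interfaces. The skip message in `initialize` names `etc_hosts_deny` instead of `firewalld`, and the `example` string swaps the `sources`/`services` values and passes `'rule family=…'` even though the method prepends `rule ` itself. Finally, the header comment says the resource relies on a polkit rule letting the wheel group run any action without authentication — that is a host-wide privilege relaxation, so the resource docs should state this prerequisite (or recommend running the scan as root/with sudo instead) rather than leaving it in a code comment.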
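--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inspec
 version: !ruby/object:Gem::Version
-version: 1.39.1
+version: 1.40.0
 platform: ruby
 authors:
 - Dominik Richter
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-09-25 00:00:00.000000000 Z
+date: 2017-09-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: train
@@ -337,6 +337,7 @@ files:
 - docs/resources/etc_hosts_allow.md.erb
 - docs/resources/etc_hosts_deny.md.erb
 - docs/resources/file.md.erb
+- docs/resources/firewalld.md.erb
 - docs/resources/gem.md.erb
 - docs/resources/group.md.erb
 - docs/resources/grub_conf.md.erb
@@ -583,6 +584,7 @@ files:
 - lib/resources/etc_hosts.rb
 - lib/resources/etc_hosts_allow_deny.rb
 - lib/resources/file.rb
+- lib/resources/firewalld.rb
 - lib/resources/gem.rb
 - lib/resources/groups.rb
 - lib/resources/grub_conf.rb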