puppet-lint-security-plugins 0.1.6

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 6cb0769c9bf6c371e0b788b122d9a5dbf82bdc45
+  data.tar.gz: c9cb8bc14ab0cf9fd3950c09f279c44f1b79d8eb
+SHA512:
+  metadata.gz: 6a588232ca68086cb13fab884143efad736e4e130d9f4396a01c508a684ed79d71a300ac2a32f8764e98bb9633a5dffe708220ae4594c55a988f66a1df5da6ce
+  data.tar.gz: 14e4843c56976cc63497573a4eced188be6aad153577aa938f9eae563f369c8ae2e5dd468e0d4ae800fe1e2178186bd40495dd8c5e1102e7eb65258ec236a822

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Florian Freund
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,90 @@
+# Puppet-lint-security-plugins
+
+The goal of this project is to identify security issues in your Puppet code. Some basic checks
+are implemented, please feel free to contribute.
+
+## Installation
+
+    gem install puppet-lint-security-plugins
+
+## Testing your manifests
+
+Just use `puppet-lint`. After installation security checks are enabled by default.
+
+## Implemented tests
+
+At the moment, the following tests have been implemented:
+
+### Puppet Resource Types
+
+ * Must not use `eval` in inline\_templates
+ * Must not use setuid bit in `file` resources when owner equals `root`
+ * Must not use setgid bit in `file` resources when group equals `root`
+ * Must not use mode `777` in `file` resources
+ * Should not pin packages to specific version
+ * Must not store plaintext passwords in the manifest
+ * Must not use password variables in exec
+ * Should use range markers (\A,\z,^,$) in regular expressions
+ * Must not use class or defined\_type parameters in `exec`
+ * Should not use `tidy`with `age` and/or `size` parameter
+ * Should not use `tidy` with `match` equals to `*`
+ * Should not use `tidy` with `recurse` enabled
+ * Must not create non root user with id 0
+ * Should not disable services (example: mysql, puppetmaster)
+
+### puppetlabs-apache module
+
+ * Should not use bad ciphers
+ * Should enable ssl on any vhost
+
+### puppetlabs-apt module
+
+ * Must use an GPG key in repository definition
+
+### puppetlabs-firewall module
+
+ * Must not use firewall allow rules with source and destination equals `any`
+ * Should not use firewall deny rules with source and destination equals `any` (possible deny of service)
+ * Must use ips or subnets in source or destination (no dns)
+ * Should not block puppetmaster port
+
+### saz/ssh module
+
+ * Must not enable `PermitRootLogin`
+
+### saz/sudo module
+
+ * Must not define sudo to anyone with root permissions
+
+## Reporting bugs or incorrect results
+
+If you find a bug in puppet-lint or its results, please create an issue in the
+[repo issues tracker](https://github.com/floek/puppet-lint-security-plugins/issues/).
+
+## Please contribute
+
+Many other usefull checks may be out there, so feel free to fork and add your own.
+
+## License
+
+The MIT License (MIT)
+
+Copyright (c) 2015 Florian Freund
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/lib/puppet-lint-security-plugins.rb

@@ -0,0 +1,2 @@
+require 'puppet-lint'
+require 'puppet-lint/security'

data/lib/puppet-lint/plugins/check_class_or_define_parameter_in_exec.rb

@@ -0,0 +1,36 @@
+require 'puppet-lint-security-plugins'
+
+# Matches class or defined_type parameters used in exec
+PuppetLint.new_check(:security_class_or_define_parameter_in_exec) do
+  def check
+
+    check_resource_index(
+      :resource_type => 'exec',
+      :severity => :error,
+      :message => 'Class or definded_type parameter in exec used (security!)'
+    ) do |rule|
+
+      class_definitions=class_indexes.find_all do |cd|
+        resource_in_class_or_define?(rule,cd) 
+      end
+
+      defined_types=defined_type_indexes.find_all do |dt|
+        resource_in_class_or_define?(rule,dt)
+      end
+
+      parameters=(class_definitions+defined_types).map do |h|
+        h[:param_tokens].map {|t|t.value} unless h[:param_tokens].nil?
+      end.flatten.compact
+
+      exec_tokens=rule[:tokens]
+      command_tokens=get_value_token_for_parameter(exec_tokens,'command')
+      command_tokens.find_all do |token|
+        token.type == :VARIABLE and (
+          parameters.include? token.value or
+          (defined_type_indexes.empty? and class_definitions.empty?)
+        )
+      end
+    end
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_apache_bad_cipher.rb

@@ -0,0 +1,28 @@
+require 'puppet-lint-security-plugins'
+require 'openssl'
+
+# Needed: puppetlabs-apache module (https://forge.puppetlabs.com/puppetlabs/apache)
+# Matches mod_ssl cipher configuration, valid cipher list from https://cipherli.st
+PuppetLint.new_check(:security_apache_bad_cipher) do
+
+  def check
+
+    ssl_context=OpenSSL::SSL::SSLContext.new
+    ssl_context.ciphers='EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
+    good_ciphers=ssl_context.ciphers.flatten
+
+    check_resource_index(
+      :resource_type => 'apache::mod::ssl',
+      :severity => :warning,
+      :message => 'Unsecure ciphers used (security!)'
+    ) do |rule|
+      ssl_ciphers=get_value_token_for_parameter(rule[:tokens],'ssl_cipher')
+      ssl_ciphers.find_all do |token|
+        ssl_context.ciphers=token.value
+        bad_ciphers=ssl_context.ciphers.flatten - good_ciphers
+        not bad_ciphers.empty?
+      end
+    end
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_apache_no_ssl_vhost.rb

@@ -0,0 +1,27 @@
+require 'puppet-lint-security-plugins'
+
+# Needed: puppetlabs-apache module (https://forge.puppetlabs.com/puppetlabs/apache)
+# Matches vhosts without ssl enabled
+PuppetLint.new_check(:security_apache_no_ssl_vhost) do
+
+  def check
+
+    check_resource_index(
+      :resource_type => 'apache::vhost',
+      :severity => :warning,
+      :message => 'Vhost without ssl detected (security!)'
+    ) do |rule|
+
+      ssl=get_value_token_for_parameter(rule[:tokens],'ssl')
+
+      # all ssl enable parameters
+      ssl_enabled=ssl.find_all do |token|
+        ['true','1'].include? token.value
+      end
+
+      rule[:tokens].first if ssl_enabled.empty?
+
+    end
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_apt_no_key.rb

@@ -0,0 +1,26 @@
+require 'puppet-lint-security-plugins'
+
+# Needed: puppetlabs-apt module (https://forge.puppetlabs.com/puppetlabs/apt)
+# Matches apt::source definitions without key parameter
+PuppetLint.new_check(:security_apt_no_key) do
+
+  def check
+
+    check_resource_index(
+      :resource_type => 'apt::source',
+      :severity => :error,
+      :message => 'APT Repository without key detected (security!)'
+    ) do |rule|
+      rule_tokens=rule[:tokens]
+      ensures = get_value_token_for_parameter(rule[:tokens],'ensure')
+      ensures.map! { |e| e.value }
+
+      key_parameters=rule_tokens.find_all do |token|
+        token.type == :NAME and token.value == 'key'
+      end
+
+      rule_tokens.first if key_parameters.empty? and not ensures.include? 'absent'
+    end
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_eval_in_erb.rb

@@ -0,0 +1,21 @@
+require 'puppet-lint-security-plugins'
+
+# Matches inline_template usage with ruby method 'eval'
+PuppetLint.new_check(:security_eval_in_erb) do
+
+  def check
+
+    inline_template_args=get_argument_token_for_function(tokens,'inline_template')
+    result=inline_template_args.find_all do |token|
+      token.value =~/eval\(/
+    end
+
+    bulk_notify(
+      :result => result,
+      :severity => :error,
+      :message => '"eval" ruby function used (security!)'
+
+    )
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_file_with_setgid_permission.rb

@@ -0,0 +1,25 @@
+require 'puppet-lint-security-plugins'
+
+# Matches file resources with setgit mode and group root
+PuppetLint.new_check(:security_file_with_setgid_permission) do
+
+  def check
+
+    check_resource_index(
+      :resource_type => 'file',
+      :severity => :error,
+      :message => 'File or directory definition with setgid to root detected (security!)'
+    ) do |rule|
+
+      modes=get_value_token_for_parameter(rule[:tokens],'mode')
+      groups=get_value_token_for_parameter(rule[:tokens],'group')
+      groups.map! {|t| t.value }
+      modes.find_all do |token|
+        groups.include? 'root' and
+        token.value =~ /\A2\d\d\d\z/ or # Files or directories with setuid
+        token.value =~ /\+S/ # setuid
+      end
+    end
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_file_with_setuid_permission.rb

@@ -0,0 +1,25 @@
+require 'puppet-lint-security-plugins'
+
+# Matches file resources with setuid mode and owner root
+PuppetLint.new_check(:security_file_with_setuid_permission) do
+
+  def check
+
+    check_resource_index(
+      :resource_type => 'file',
+      :severity => :error,
+      :message => 'File or directory definition with setuid to root detected (security!)'
+    ) do |rule|
+
+      modes=get_value_token_for_parameter(rule[:tokens],'mode')
+      owners=get_value_token_for_parameter(rule[:tokens],'owner')
+      owners.map! {|t| t.value}
+      modes.find_all do |token|
+        owners.include? 'root' and
+        token.value =~ /\A1\d\d\d\z/ or # Files or directories with setuid
+        token.value =~ /\+s/ # setuid
+      end
+    end
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_file_with_world_permissions.rb

@@ -0,0 +1,25 @@
+require 'puppet-lint-security-plugins'
+
+# Matches file resources with mode defines world permissions (777)
+PuppetLint.new_check(:security_file_with_world_permissions) do
+
+  def check
+
+    check_resource_index(
+      :resource_type => 'file',
+      :severity => :error,
+      :message => 'File or directory definition with world permissions detected (security!)'
+    ) do |rule|
+
+      modes=get_value_token_for_parameter(rule[:tokens],'mode')
+      modes.find_all do |token|
+        token.value =~ /\A\d?666\z/ or # Files with 666
+        token.value =~ /\A\d?777\z/ or # Files or directories with 777
+        token.value =~ /\A(a|ugo|uog|guo|gou|oug|ogu|)=rwx?\z/ or
+        token.value =~ /\A[ugo]=rwx?,[ugo]=rwx?,[ugo]=rwx?\z/ or
+        token.value =~ /\A(ug|gu)=rwx?,[ugo]=rwx?\z/
+      end
+    end
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_firewall_any_any_allow.rb

@@ -0,0 +1,26 @@
+require 'puppet-lint-security-plugins'
+
+# Needed: puppetlabs-firewall module (https://forge.puppetlabs.com/puppetlabs/firewall)
+# Matches firewall resources with source and destination equals 'any'
+PuppetLint.new_check(:security_firewall_any_any_allow) do
+
+  def check
+
+    check_resource_index(
+      :resource_type => 'firewall',
+      :severity => :error,
+      :message => 'Firewall any/any allow rule detected (security!)'
+    ) do |rule|
+
+      rule_tokens=rule[:tokens]
+      anies=rule_tokens.find_all do |token|
+        (token.type == :NAME or token.type == :SSTRING) and
+          token.value == 'any' and
+          token.prev_code_token.type == :FARROW
+      end
+
+      anies.first if anies.count >= 2
+    end
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_firewall_any_any_deny.rb

@@ -0,0 +1,27 @@
+require 'puppet-lint-security-plugins'
+
+# Needed: puppetlabs-firewall module (https://forge.puppetlabs.com/puppetlabs/firewall)
+# Matches firewall resources with source and destination equals 'drop'
+PuppetLint.new_check(:security_firewall_any_any_deny) do
+
+  def check
+
+    check_resource_index(
+      :resource_type => 'firewall',
+      :severity => :warning,
+      :message => 'Firewall any:all drop rule detected (security!)'
+    ) do |rule|
+
+      protos=get_value_token_for_parameter(rule[:tokens],'proto').map {|t| t.value}
+      protos_bad = ( protos.include? 'all' or protos.empty? )
+
+      sources=get_value_token_for_parameter(rule[:tokens],'source').map {|t| t.value}
+      sources_bad = ( sources.include? '0.0.0.0/0' or sources.include? '::' or sources.empty? )
+
+      actions=get_value_token_for_parameter(rule[:tokens],'action').map {|t| t.value}
+
+      rule[:tokens].first if protos_bad and sources_bad and actions.include? "drop"
+    end
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_firewall_dns_used.rb

@@ -0,0 +1,30 @@
+require 'puppet-lint-security-plugins'
+require 'resolv'
+
+# Needed: puppetlabs-firewall module (https://forge.puppetlabs.com/puppetlabs/firewall)
+# Matches firewall resources without ip or subnet in source or destination
+PuppetLint.new_check(:security_firewall_dns_used) do
+
+  def check
+
+    check_resource_index(
+      :resource_type => 'firewall',
+      :severity => :error,
+      :message => 'DNS in firewall rule used (security!)'
+    ) do |rule|
+
+      source_and_destination=get_value_token_for_parameter(rule[:tokens],'source') +
+        get_value_token_for_parameter(rule[:tokens],'destination')
+
+      source_and_destination.find_all do |token|
+        if [:STRING,:SSTRING].include? token.type
+          host_or_network=token.value.split('/').first
+          host_or_network !~ Resolv::IPv4::Regex and
+            host_or_network !~ Resolv::IPv6::Regex
+        end
+      end
+
+    end
+
+  end
+end

data/lib/puppet-lint/plugins/check_security_firewall_puppetmaster_any_deny.rb

@@ -0,0 +1,33 @@
+require 'puppet-lint-security-plugins'
+
+# Needed: puppetlabs-firewall module (https://forge.puppetlabs.com/puppetlabs/firewall)
+# Matches firewall resources with source and destination equals 'drop'
+PuppetLint.new_check(:security_firewall_puppetmaster_any_deny) do
+
+  def check
+
+    check_resource_index(
+      :resource_type => 'firewall',
+      :severity => :warning,
+      :message => 'Firewall drops puppetmaster port (security!)'
+    ) do |rule|
+
+      parameter='port'
+
+      if value_is_array?(rule[:tokens],parameter)
+        ports=get_array_tokens_for_parameter(rule[:tokens],parameter).map{ |t| t.value}
+      else
+        ports=get_value_token_for_parameter(rule[:tokens],parameter).map {|t| t.value}
+      end
+
+      sources=get_value_token_for_parameter(rule[:tokens],'source').map {|t| t.value}
+      sources_bad = ( sources.include? '0.0.0.0/0' or sources.include? '::' or sources.empty? )
+
+      actions=get_value_token_for_parameter(rule[:tokens],'action').map {|t| t.value}
+      actions.include? "drop"
+
+      rule[:tokens].first if ports.include? '8140' and sources_bad and actions.include? 'drop'
+    end
+
+  end
+end