puppet-lint-security-plugins 0.1.6

data/spec/puppet-lint/plugins/check_class_or_define_parameter_in_exec_spec.rb

@@ -0,0 +1,85 @@
+require 'spec_helper'
+
+describe 'security_class_or_define_parameter_in_exec' do
+  let(:msg) { 'Class or definded_type parameter in exec used (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having variables in execs' do
+      let(:code) { "
+class test ($command_var){
+  exec { 'exec_echo_name':
+    command => \"${command_var}\";
+  }
+}
+                   "}
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(4).in_column(18)
+      end
+    end
+
+    context 'code having variable only in exec' do
+      let(:code) { "
+class test ($command_var){
+  exec { 'exec_echo_name':
+    command => $command_var;
+  }
+}
+                   "}
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(4).in_column(16)
+      end
+    end
+
+
+    context 'code having four variables in execs' do
+      let(:code) { "exec { 'exec_echo_name': command => \"/bin/echo ${name} jonoin ${name} hiohoi ${name} ihoiphoi${name}\"; }" }
+      it 'should detect a single problem' do
+        expect(problems).to have(4).problem
+      end
+
+    end
+
+    context 'code having no variables in exec' do
+      let(:code) { "
+class test {
+
+  exec { 'exec_command': command => \"${command_var}\"; }
+
+  exec { 'exec_echo_name': command => \"/bin/echo hello\"; }
+
+  exec { 'killall_puppet_user':
+    command => \"/usr/bin/killall -9 -u puppet\",
+    onlyif  => \"/usr/bin/pgrep -u puppet >/dev/null 2>&1\",
+  }
+
+  exec { 'del_puppet_user':
+    command => '/usr/sbin/deluser --system -q puppet && /bin/sed -i \"/puppet/d\" /var/lib/dpkg/statoverride',
+    onlyif  => \"/bin/grep '^puppet:' /etc/passwd\",
+    require => Exec['killall_puppet_user'],
+    before  => Class['http'],
+  }
+
+  # Notwendig, damit die ca_crl erzeugt wird. Sonst startet der Apache nicht
+  exec { \"/usr/bin/puppet cert list\":
+    creates => [\"/var/lib/puppet/ssl/ca/ca_crl.pem\"],
+    require => Package[\"puppetmaster\"],
+  }
+}
+" }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/check_security_apache_bad_cipher_spec.rb

@@ -0,0 +1,49 @@
+require 'spec_helper'
+
+describe 'security_apache_bad_cipher' do
+  let(:msg) { 'Unsecure ciphers used (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having unsecure ciphers' do
+      let(:code) { "
+
+class { 'apache::mod::ssl':
+  ssl_compression        => false,
+  ssl_options            => [ 'StdEnvVars' ],
+  ssl_cipher             => 'HIGH:MEDIUM:!aNULL:!MD5',
+  ssl_protocol           => [ 'all', '-SSLv2', '-SSLv3' ],
+  ssl_pass_phrase_dialog => 'builtin',
+  ssl_random_seed_bytes  => '512',
+}
+
+" }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(6).in_column(29)
+      end
+    end
+
+    context 'code having no unsecure ciphers' do
+      let(:code) { "
+# from https://cipherli.st/
+class { 'apache::mod::ssl':
+  ssl_compression        => false,
+  ssl_options            => [ 'StdEnvVars' ],
+  ssl_cipher             => 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4',
+  ssl_protocol           => [ 'all', '-SSLv2', '-SSLv3' ],
+  ssl_pass_phrase_dialog => 'builtin',
+  ssl_random_seed_bytes  => '512',
+}
+" }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end

data/spec/puppet-lint/plugins/check_security_apache_no_ssl_vhost_spec.rb

@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+describe 'security_apache_no_ssl_vhost' do
+  let(:msg) { 'Vhost without ssl detected (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having vhost wihtout ssl' do
+      let(:code) { "
+apache::vhost { 'fourth.example.com':
+  docroot  => '/var/www/fourth',
+}
+" }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(2).in_column(38)
+      end
+    end
+
+    context 'code having vhost with ssl' do
+      let(:code) { "
+apache::vhost { 'fourth.example.com':
+  port     => '443',
+  docroot  => '/var/www/fourth',
+  ssl      => true,
+  ssl_cert => '/etc/ssl/fourth.example.com.cert',
+  ssl_key  => '/etc/ssl/fourth.example.com.key',
+}
+" }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end

data/spec/puppet-lint/plugins/check_security_apt_absent_no_key_spec.rb

@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+describe 'security_apt_no_key' do
+  let(:msg) { 'APT Repository without key detected (security!)' }
+
+  context 'with fix disabled' do
+
+
+    context 'code having no key parameter in apt' do
+      let(:code) { "
+
+apt::source {
+  'apt.postgresql.org':
+    ensure => absent;
+  'puppetlabs':
+    location => 'http://apt.puppetlabs.com',
+    repos    => 'main',
+}
+
+      " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(6).in_column(16)
+      end
+    end
+
+
+
+    context 'code deleting apt repo' do
+      let(:code) { "
+    apt::source { 'apt.postgresql.org':
+      ensure => absent,
+    }
+" }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/check_security_apt_no_key_spec.rb

@@ -0,0 +1,38 @@
+require 'spec_helper'
+
+describe 'security_apt_no_key' do
+  let(:msg) { 'APT Repository without key detected (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having no key parameter in apt' do
+      let(:code) { "apt::source { 'puppetlabs':
+  location => 'http://apt.puppetlabs.com',
+  repos    => 'main',
+}
+      " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(1).in_column(28)
+      end
+    end
+
+    context 'code having key parameter in apt' do
+      let(:code) { "apt::source { 'puppetlabs':
+  location => 'http://apt.puppetlabs.com',
+  repos    => 'main',
+  key      => {
+    'id'     => '47B320EB4C7C375AA9DAE1A01054B7A24BD6EC30',
+    'server' => 'pgp.mit.edu',
+  },
+}," }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/check_security_dir_guid_permissions_spec.rb

@@ -0,0 +1,49 @@
+require 'spec_helper'
+
+describe 'security_file_with_setgid_permission' do
+
+  let(:msg) { 'File or directory definition with setgid to root detected (security!)'}
+
+  context 'with fix disabled' do
+
+    context 'code having directory with setgid permissions' do
+      let(:code) { "
+
+file { '/usr/local/bin':
+  ensure => present,
+  mode => '2755',
+  owner => 'root',
+  group => 'root',
+  source => 'puppet:///modules/myscript/usr_local_bin_myscript',
+}
+
+                   " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_error(msg).on_line(5).in_column(11)
+      end
+    end
+
+    context 'code having no directory with setgid permissions' do
+      let(:code) { "
+
+file { '/usr/local/bin':
+  ensure => present,
+  mode => '755',
+  owner => 'root',
+  group => 'root',
+  source => 'puppet:///modules/myscript/usr_local_bin_myscript',
+}
+                   " }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end

data/spec/puppet-lint/plugins/check_security_dir_world_permissions_spec.rb

@@ -0,0 +1,39 @@
+require 'spec_helper'
+
+describe 'security_file_with_world_permissions' do
+  let(:msg) { 'File or directory definition with world permissions detected (security!)' }
+
+  context 'with fix disabled' do
+
+    context 'code having directory with world permissions' do
+      let(:code) { "file { '/var/log':
+  ensure => directory,
+  mode => '0777',
+  owner => 'root',
+  group => 'root',
+}" }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(3).in_column(11)
+      end
+    end
+
+    context 'code having no directory with world permissions' do
+      let(:code) { "file { '/var/log':
+  ensure => directory,
+  mode => '0755',
+  owner => 'root',
+  group => 'root',
+}" }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end

data/spec/puppet-lint/plugins/check_security_eval_in_erb_spec.rb

@@ -0,0 +1,35 @@
+require 'spec_helper'
+
+describe 'security_eval_in_erb' do
+  let(:msg) { '"eval" ruby function used (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having eval in inline_template' do
+      let(:code) { "
+$test='p Dir.entries(\"/etc\")'
+$variable = inline_template('<% eval(@test) %>')
+notice($variable)
+" }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(3).in_column(29)
+      end
+    end
+
+    context 'code having no eval in inline_template' do
+      let(:code) { "
+$variable = inline_template('<%= Dir.entries(\"/etc\") %>')
+notice($variable)
+" }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end

data/spec/puppet-lint/plugins/check_security_file_suid_permissions_spec.rb

@@ -0,0 +1,48 @@
+require 'spec_helper'
+
+describe 'security_file_with_setuid_permission' do
+  let(:msg) { 'File or directory definition with setuid to root detected (security!)'}
+
+  context 'with fix disabled' do
+
+    context 'code having file with suid permissions' do
+      let(:code) { "
+
+file { '/usr/local/bin/myscript':
+  ensure => present,
+  mode => '1755',
+  owner => 'root',
+  group => 'root',
+  source => 'puppet:///modules/myscript/usr_local_bin_myscript',
+}
+
+                   " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_error(msg).on_line(5).in_column(11)
+      end
+    end
+
+    context 'code having no file with suid permissions' do
+      let(:code) { "
+
+file { '/usr/local/bin/myscript':
+  ensure => present,
+  mode => '755',
+  owner => 'root',
+  group => 'root',
+  source => 'puppet:///modules/myscript/usr_local_bin_myscript',
+}
+                   " }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end

data/spec/puppet-lint/plugins/check_security_file_with_setgid_permission_spec.rb

@@ -0,0 +1,59 @@
+require 'spec_helper'
+
+describe 'security_file_with_setgid_permission' do
+  let(:msg) { 'File or directory definition with setgid to root detected (security!)'}
+
+  context 'with fix disabled' do
+    context 'code having file with setgid permissions' do
+      let(:code) { "
+
+file { '/bin/bash':
+  mode => '2755',
+  owner => 'root',
+  group => 'root',
+}
+
+" }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(4).in_column(11)
+      end
+    end
+
+    context 'code having no file with setgid permissions' do
+      let(:code) { "
+
+file { '/bin/bash':
+  mode => '0755',
+  owner => 'root',
+  group => 'root',
+}
+
+file {
+  '/etc/icinga/commands.cfg':
+    content => template('icinga/etc_icinga_commands.cfg'),
+    notify  => Exec['icinga'],
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    require => Package['icinga'];
+  '/usr/local/bin/icinga2ticket.rb':
+    content  => template('icinga/usr_local_bin_icinga2ticket.rb'),
+    notify  => Exec['icinga'],
+    owner  => 'nagios',
+    group  => 'nagios',
+    mode   => '0750';
+}
+                   " }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end