puppet-lint-security-plugins 0.1.6

data/spec/puppet-lint/plugins/check_security_file_with_setuid_permission_spec.rb

@@ -0,0 +1,59 @@
+require 'spec_helper'
+
+describe 'security_file_with_setuid_permission' do
+  let(:msg) { 'File or directory definition with setuid to root detected (security!)'}
+
+  context 'with fix disabled' do
+    context 'code having file with setuid permissions' do
+      let(:code) { "
+
+file { '/bin/bash':
+  mode => '1755',
+  owner => 'root',
+  group => 'root',
+}
+
+" }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(4).in_column(11)
+      end
+    end
+
+    context 'code having no file with setuid permissions' do
+      let(:code) { "
+
+file { '/bin/bash':
+  mode => '0755',
+  owner => 'root',
+  group => 'root',
+}
+
+file {
+  '/etc/icinga/commands.cfg':
+    content => template('icinga/etc_icinga_commands.cfg'),
+    notify  => Exec['icinga'],
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    require => Package['icinga'];
+  '/usr/local/bin/icinga2ticket.rb':
+    content  => template('icinga/usr_local_bin_icinga2ticket.rb'),
+    notify  => Exec['icinga'],
+    owner  => 'nagios',
+    group  => 'nagios',
+    mode   => '0750';
+}
+                   " }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end

data/spec/puppet-lint/plugins/check_security_file_with_world_permissions_spec.rb

@@ -0,0 +1,62 @@
+require 'spec_helper'
+
+describe 'security_file_with_world_permissions' do
+  let(:msg) { 'File or directory definition with world permissions detected (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having file with world permissions' do
+      let(:code) { "
+
+file { '/etc/passwd':
+  ensure => present,
+  mode => '0666',
+  owner => 'root',
+  group => 'root',
+  source => 'puppet:///modules/passwd/etc_passwd',
+}
+
+" }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(5).in_column(11)
+      end
+    end
+
+    context 'code having file with no world permissions' do
+      let(:code) { "
+file { '/etc/passwd':
+  ensure => present,
+  mode => '0644',
+  owner => 'root',
+  group => 'root',
+  source => 'puppet:///modules/passwd/etc_passwd',
+}
+
+file {
+  '/etc/icinga/commands.cfg':
+    content => template('icinga/etc_icinga_commands.cfg'),
+    notify  => Exec['icinga'],
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    require => Package['icinga'];
+  '/usr/local/bin/icinga2ticket.rb':
+    content  => template('icinga/usr_local_bin_icinga2ticket.rb'),
+    notify  => Exec['icinga'],
+    owner  => 'nagios',
+    group  => 'nagios',
+    mode   => '0750';
+}
+                   " }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end

data/spec/puppet-lint/plugins/check_security_file_world_and_guid_permissions_spec.rb

@@ -0,0 +1,43 @@
+require 'spec_helper'
+
+describe 'security_file_with_world_permissions' do
+  let(:msg) { 'File or directory definition with world permissions detected (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having file with world permissions' do
+      let(:code) { "
+
+      file { \"/nfs/${targetpath}/foobar\":
+        group   => 'roots',
+        mode    => 2777,
+        require => Autofs::Mount[$targetpath];
+      }
+
+" }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(5).in_column(20)
+      end
+    end
+
+    context 'code having file with no world permissions' do
+      let(:code) { "
+
+      file { \"/nfs/${targetpath}/foobar\":
+        group   => 'roots',
+        mode    => 0755,
+        require => Autofs::Mount[$targetpath];
+      }
+" }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end

data/spec/puppet-lint/plugins/check_security_firewall_any_any_allow_spec.rb

@@ -0,0 +1,36 @@
+require 'spec_helper'
+
+describe 'security_firewall_any_any_allow' do
+  let(:msg) { 'Firewall any/any allow rule detected (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having any/any allow rule in firewall' do
+      let(:code) { "firewall { 'allow_any':
+    port    => 'any',
+    source  => 'any',
+    proto   => tcp,
+    action  => 'accept',
+      }" }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(2).in_column(16)
+      end
+    end
+
+    context 'code having no any/any allow rule in firewall' do
+      let(:code) { "firewall { 'allow_ssh':
+    port    => [22],
+    proto   => tcp,
+    action  => 'accept',
+      }" }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/check_security_firewall_any_any_deny_spec.rb

@@ -0,0 +1,124 @@
+require 'spec_helper'
+
+describe 'security_firewall_any_any_deny' do
+  let(:msg) { 'Firewall any:all drop rule detected (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having any:all drop rule in firewall with proto and ipv4 source given' do
+      let(:code) { "
+  firewall { '000_deny_any':
+    proto   => 'all',
+    source  => '0.0.0.0/0',
+    action  => 'drop',
+  }
+                   " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(2).in_column(29)
+      end
+    end
+
+    context 'code having any:all drop rule in firewall with proto and ipv6 source given' do
+      let(:code) { "
+  firewall { '000_deny_any':
+    proto   => 'all',
+    source  => '::',
+    action  => 'drop',
+  }
+                   " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(2).in_column(29)
+      end
+    end
+
+     context 'code having drop rule in firewall without proto and source given' do
+      let(:code) { "
+  firewall { '000_deny_any':
+    action  => 'drop',
+  }
+                   " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(2).in_column(29)
+      end
+    end
+
+     context 'code having drop rule in firewall without proto and source "::"' do
+      let(:code) { "
+  firewall { '000_deny_any':
+    source  => '::',
+    action  => 'drop',
+  }
+                   " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(2).in_column(29)
+      end
+    end
+
+     context 'code having drop rule in firewall without proto and source "0.0.0.0/0"' do
+      let(:code) { "
+  firewall { '000_deny_any':
+    source  => '0.0.0.0/0',
+    action  => 'drop',
+  }
+                   " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(2).in_column(29)
+      end
+    end
+
+     context 'code having drop rule in firewall without source and prot "all"' do
+      let(:code) { "
+  firewall { '000_deny_any':
+    proto   => 'all',
+    action  => 'drop',
+  }
+                   " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(2).in_column(29)
+      end
+    end
+
+    context 'code having no any/any deny in firewall' do
+      let(:code) { "
+  firewall { 'deny_ssh':
+    port    => [22],
+    proto   => tcp,
+    action  => 'drop',
+  }
+                   " }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/check_security_firewall_dns_used_spec.rb

@@ -0,0 +1,77 @@
+require 'spec_helper'
+
+ describe 'security_firewall_dns_used' do
+   let(:msg) { 'DNS in firewall rule used (security!)' }
+
+   context 'with fix disabled' do
+     context 'code having DNS hostname in firewall' do
+       let(:code) { "
+
+firewall { 'allow_ssh_from_dns_host':
+    port    => 'ssh',
+    source  => 'server.example.tld',
+    proto   => tcp,
+    action  => 'accept',
+      }
+
+" }
+
+       it 'should detect a single problem' do
+         expect(problems).to have(1).problem
+       end
+
+       it 'should create a error' do
+         expect(problems).to contain_error(msg).on_line(5).in_column(16)
+       end
+     end
+
+     context 'code having no DNS hostname in firewall' do
+       let(:code) { "
+
+  firewall { 'allow_ssh_from_host':
+    port    => 'ssh',
+    source  => '192.168.10.22',
+    proto   => tcp,
+    action  => 'accept',
+      }
+
+  firewall { '100 syslog server relp':
+    proto  => 'tcp',
+    dport  => [\"20514\"],
+    source => \"10.0.0.0/16\",
+    action => \"accept\",
+  }
+
+  firewall {
+    '100 rpc 111/tcp':
+      dport  => '111',
+      proto  => 'tcp',
+      source => $filer,
+      action => 'accept';
+    '101 statd/tcp':
+      dport  => $nfs_statd_port,
+      proto  => 'tcp',
+      source => $filer,
+      action => 'accept';
+    '100 rpc 111/udp':
+      dport  => '111',
+      proto  => 'udp',
+      source => $filer,
+      action => 'accept';
+    '101 statd/udp':
+      dport  => $nfs_statd_port,
+      proto  => 'udp',
+      source => $filer,
+      action => 'accept';
+
+  }
+
+" }
+
+       it 'should not detect any problems' do
+         expect(problems).to have(0).problems
+       end
+     end
+
+   end
+ end

data/spec/puppet-lint/plugins/check_security_firewall_puppetmaster_any_deny_spec.rb

@@ -0,0 +1,60 @@
+require 'spec_helper'
+
+describe 'security_firewall_puppetmaster_any_deny' do
+  let(:msg) { 'Firewall drops puppetmaster port (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having rule droping puppetmaster port as array in firewall' do
+      let(:code) { "
+  firewall { '000_deny_puppetmaster':
+    port    => [8140],
+    proto   => tcp,
+    action  => 'drop',
+  }
+                   " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(2).in_column(38)
+      end
+    end
+
+    context 'code having rule droping puppetmaster port in firewall' do
+      let(:code) { "
+  firewall { '000_deny_puppetmaster':
+    port    => 8140,
+    proto   => tcp,
+    source  => '::',
+    action  => 'drop',
+  }
+                   " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(2).in_column(38)
+      end
+    end
+
+
+    context 'code having no rule droping puppetmaster port in firewall' do
+      let(:code) { "
+  firewall { '000_allow_puppetmaster':
+    port    => [8140],
+    source  => 'any',
+    proto   => tcp,
+    action  => 'accept',
+  }
+                   " }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end