RubyGems - puppet-lint-security-plugins - Versions diffs - 0.1.6 - Mend

puppet-lint-security-plugins 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (61) hide show

data/spec/puppet-lint/plugins/check_security_package_pinned_version_spec.rb ADDED Viewed

@@ -0,0 +1,43 @@
+require 'spec_helper'
+describe 'security_package_pinned_version' do
+  let(:msg) { 'Package version pinned (security!)' }
+  context 'with fix disabled' do
+    context 'code having openssh with fixed version' do
+      let(:code) { "
+package { 'openssh':
+  name    => $ssh,
+  ensure  => '1:6.6p1-2ubuntu2',
+  require => Package['openssl']
+}
+" }
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(5).in_column(14)
+      end
+    end
+    context 'code having no openssh with fixed version' do
+      let(:code) { "
+package { 'openssh':
+  name    => $ssh,
+  ensure  => installed,
+  require => Package['openssl']
+}
+" }
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/check_security_password_in_code_spec.rb ADDED Viewed

@@ -0,0 +1,55 @@
+require 'spec_helper'
+describe 'security_password_in_code' do
+  let(:msg) { 'Possible password in code detected (security!)' }
+  context 'with fix disabled' do
+    context 'code having cleartext passwords' do
+      let(:code) { "
+$db_password='OhBao5ho'
+$ldap_pw='Ceeghoh5'
+$application_pwd_db='aiMoi1af'
+" }
+      it 'should detect three problems' do
+        expect(problems).to have(3).problem
+      end
+      it 'should create a error' do
+        expect(problems).to contain_error(msg)
+      end
+    end
+    context 'code having no cleartext passwords' do
+      let(:code) { "
+class myclass (
+  $param1_password,
+  $param2_password,
+  $param3_password= '',
+  $param4_password = '',
+) {
+  $db_password = hiera('db_password')
+  $ldap_pw=hiera('ldap_pw')
+  $application_pwd_db= hiera('application_pwd_db')
+}
+class mysql::params
+{
+  $packages = 'mysql-server'
+  $packages_extra = 'maatkit'
+  $service = 'mysql'
+  $password = $mysql::my_password
+}
+" }
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/check_security_password_variable_in_exec_spec.rb ADDED Viewed

@@ -0,0 +1,45 @@
+require 'spec_helper'
+describe 'security_password_variable_in_exec' do
+  let(:msg) { 'Possible password variable in exec used (security!)' }
+  context 'with fix disabled' do
+    context 'code having password variables in execs' do
+      let(:code) { "
+exec {
+  'exec_application':
+    command => \"/usr/bin/application -p ${application_pwd_db}\";
+  'exec_ldap':
+    command => \"/usr/bin/ldapmodify -W${ldap_pw}\";
+  'exec_db':
+    command => \"/usr/bin/mysql -p ${db_password}\";
+}
+                   "}
+      it 'should detect three problems' do
+        expect(problems).to have(3).problem
+      end
+      it 'should create an error' do
+        expect(problems).to contain_error(msg)
+      end
+    end
+    context 'code having no variables in exec' do
+      let(:code) { "
+exec {
+  'exec_application':
+    command => \"/usr/bin/application -c /etc/app.rc\";
+  'exec_ldap':
+    command => \"/usr/bin/ldapmodify\";
+  'exec_db':
+    command => \"/usr/bin/mysql\";
+}
+                   " }
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/check_security_regex_unspecific_spec.rb ADDED Viewed

@@ -0,0 +1,40 @@
+require 'spec_helper'
+describe 'security_regex_unspecific' do
+  let(:msg) { 'Unspecific regex used, maybe too much is matched.' }
+  context 'with fix disabled' do
+    context 'code having unspecific regex' do
+      let(:code) { "
+if $::kernelversion =~ /3.*/ {
+  notice ('Linux Kernel 3 used')
+}
+" }
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(2).in_column(24)
+      end
+    end
+    context 'code having specific regex' do
+      let(:code) { "
+if $::kernelversion =~ /\\A3.*\\z/ {
+  notice ('Linux Kernel 3 used')
+}
+if $::kernelversion =~ /^3.*$/ {
+  notice ('Linux Kernel 3 used')
+}
+" }
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/check_security_service_mysql_disabled_spec.rb ADDED Viewed

@@ -0,0 +1,54 @@
+require 'spec_helper'
+describe 'security_service_mysql_disabled' do
+  let(:msg) { 'MySQL service disabled (security!)' }
+  context 'with fix disabled' do
+    context 'code having service mysql disabled' do
+      let(:code) { "
+service {
+  'mysql':
+    ensure     => stopped,
+    enable     => false,
+    require    => Package['mysql'],
+    hasrestart => true;
+  'ntp':
+    ensure     => stopped,
+    enable     => false,
+    require    => Package['ntp'],
+    hasrestart => true;
+}
+" }
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(4).in_column(19)
+      end
+    end
+    context 'code having service mysql enabled' do
+      let(:code) { "
+service { 'mysql':
+   ensure     => running,
+   enable     => true,
+   hasrestart => true,
+}
+service {[\"cups\",\"cupsrenice\"]:
+   enable =>  false,
+   ensure => \"stopped\"
+}
+" }
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/check_security_service_puppetmaster_disabled_spec.rb ADDED Viewed

@@ -0,0 +1,40 @@
+require 'spec_helper'
+describe 'security_service_puppetmaster_disabled' do
+  let(:msg) { 'Puppetmaster service disabled (security!)' }
+  context 'with fix disabled' do
+    context 'code having service puppetmaster disabled' do
+      let(:code) { "
+    service { 'puppetmaster':
+      ensure     => stopped,
+      enable     => false,
+      hasrestart => true,
+    }
+" }
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(3).in_column(21)
+      end
+    end
+    context 'code having service puppetmaster enabled' do
+      let(:code) { "
+    service { 'puppetmaster':
+      ensure     => running,
+      enable     => true,
+      hasrestart => true,
+    }
+" }
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/check_security_ssh_root_allowed_spec.rb ADDED Viewed

@@ -0,0 +1,60 @@
+require 'spec_helper'
+# saz/ssh
+describe 'security_ssh_root_allowed' do
+  let(:msg) { 'SSH root login allowed (security!)' }
+  context 'with fix disabled' do
+    context 'code having ssh root login allowed' do
+      let(:code) { "
+class { 'ssh':
+  server_options => {
+    'Match User www-data' => {
+      'ChrootDirectory' => '%h',
+      'ForceCommand' => 'internal-sftp',
+      'PasswordAuthentication' => 'yes',
+      'AllowTcpForwarding' => 'no',
+      'X11Forwarding' => 'no',
+    },
+    'PasswordAuthentication' => 'no',
+    'PermitRootLogin'        => 'yes',
+    'Port'                   => [22, 2222],
+  },
+}
+" }
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(12).in_column(33)
+      end
+    end
+    context 'code having ssh root login disabled' do
+      let(:code) { "
+class { 'ssh':
+  server_options => {
+    'Match User www-data' => {
+      'ChrootDirectory' => '%h',
+      'ForceCommand' => 'internal-sftp',
+      'PasswordAuthentication' => 'yes',
+      'AllowTcpForwarding' => 'no',
+      'X11Forwarding' => 'no',
+    },
+    'PasswordAuthentication' => 'no',
+    'PermitRootLogin'        => 'no',
+    'Port'                   => [22, 2222],
+  },
+}
+" }
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/check_security_ssh_server_root_allowed_spec.rb ADDED Viewed

@@ -0,0 +1,60 @@
+require 'spec_helper'
+# saz/ssh
+describe 'security_ssh_root_allowed' do
+  let(:msg) { 'SSH root login allowed (security!)' }
+  context 'with fix disabled' do
+    context 'code having ssh root login allowed' do
+      let(:code) { "
+class { 'ssh::server':
+  options => {
+    'Match User www-data' => {
+      'ChrootDirectory' => '%h',
+      'ForceCommand' => 'internal-sftp',
+      'PasswordAuthentication' => 'yes',
+      'AllowTcpForwarding' => 'no',
+      'X11Forwarding' => 'no',
+    },
+    'PasswordAuthentication' => 'no',
+    'PermitRootLogin'        => 'yes',
+    'Port'                   => [22, 2222],
+  },
+}
+" }
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(12).in_column(33)
+      end
+    end
+    context 'code having ssh root login disabled' do
+      let(:code) { "
+class { 'ssh::server':
+  options => {
+    'Match User www-data' => {
+      'ChrootDirectory' => '%h',
+      'ForceCommand' => 'internal-sftp',
+      'PasswordAuthentication' => 'yes',
+      'AllowTcpForwarding' => 'no',
+      'X11Forwarding' => 'no',
+    },
+    'PasswordAuthentication' => 'no',
+    'PermitRootLogin'        => 'no',
+    'Port'                   => [22, 2222],
+  },
+}
+" }
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/check_security_sudo_with_world_nopasswd_spec.rb ADDED Viewed

@@ -0,0 +1,40 @@
+require 'spec_helper'
+# saz/sudo
+describe 'security_sudo_with_world_nopasswd' do
+  let(:msg) { 'Sudo access with world permissions detected (security!)' }
+  context 'with fix disabled' do
+    context 'code having sudo with world permissions' do
+      let(:code) { "
+sudo::conf { 'admins':
+  priority => 10,
+  content  => 'ALL ALL=(ALL) NOPASSWD: ALL',
+}
+" }
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(4).in_column(15)
+      end
+    end
+    context 'code having no sudo with world permissions' do
+      let(:code) { "
+sudo::conf { 'admins':
+  priority => 10,
+  content  => '%admins ALL=(ALL) NOPASSWD: ALL',
+}
+" }
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end