puppet-lint-security-plugins 0.1.6

Files changed (61)
  1. checksums.yaml +7 -0
  2. data/LICENSE +21 -0
  3. data/README.md +90 -0
  4. data/lib/puppet-lint-security-plugins.rb +2 -0
  5. data/lib/puppet-lint/plugins/check_class_or_define_parameter_in_exec.rb +36 -0
  6. data/lib/puppet-lint/plugins/check_security_apache_bad_cipher.rb +28 -0
  7. data/lib/puppet-lint/plugins/check_security_apache_no_ssl_vhost.rb +27 -0
  8. data/lib/puppet-lint/plugins/check_security_apt_no_key.rb +26 -0
  9. data/lib/puppet-lint/plugins/check_security_eval_in_erb.rb +21 -0
  10. data/lib/puppet-lint/plugins/check_security_file_with_setgid_permission.rb +25 -0
  11. data/lib/puppet-lint/plugins/check_security_file_with_setuid_permission.rb +25 -0
  12. data/lib/puppet-lint/plugins/check_security_file_with_world_permissions.rb +25 -0
  13. data/lib/puppet-lint/plugins/check_security_firewall_any_any_allow.rb +26 -0
  14. data/lib/puppet-lint/plugins/check_security_firewall_any_any_deny.rb +27 -0
  15. data/lib/puppet-lint/plugins/check_security_firewall_dns_used.rb +30 -0
  16. data/lib/puppet-lint/plugins/check_security_firewall_puppetmaster_any_deny.rb +33 -0
  17. data/lib/puppet-lint/plugins/check_security_package_pinned_version.rb +25 -0
  18. data/lib/puppet-lint/plugins/check_security_password_in_code.rb +31 -0
  19. data/lib/puppet-lint/plugins/check_security_password_variable_in_exec.rb +22 -0
  20. data/lib/puppet-lint/plugins/check_security_regex_unspecific.rb +23 -0
  21. data/lib/puppet-lint/plugins/check_security_service_mysql_disabled.rb +22 -0
  22. data/lib/puppet-lint/plugins/check_security_service_puppetmaster_disabled.rb +24 -0
  23. data/lib/puppet-lint/plugins/check_security_ssh_root_allowed.rb +26 -0
  24. data/lib/puppet-lint/plugins/check_security_sudo_with_world_nopasswd.rb +23 -0
  25. data/lib/puppet-lint/plugins/check_security_tidy_all_files.rb +20 -0
  26. data/lib/puppet-lint/plugins/check_security_tidy_matches_greedy.rb +27 -0
  27. data/lib/puppet-lint/plugins/check_security_tidy_recurse.rb +21 -0
  28. data/lib/puppet-lint/plugins/check_security_user_with_id_0_created.rb +28 -0
  29. data/lib/puppet-lint/security.rb +280 -0
  30. data/spec/puppet-lint/plugins/check_class_or_define_parameter_in_exec_spec.rb +85 -0
  31. data/spec/puppet-lint/plugins/check_security_apache_bad_cipher_spec.rb +49 -0
  32. data/spec/puppet-lint/plugins/check_security_apache_no_ssl_vhost_spec.rb +40 -0
  33. data/spec/puppet-lint/plugins/check_security_apt_absent_no_key_spec.rb +45 -0
  34. data/spec/puppet-lint/plugins/check_security_apt_no_key_spec.rb +38 -0
  35. data/spec/puppet-lint/plugins/check_security_dir_guid_permissions_spec.rb +49 -0
  36. data/spec/puppet-lint/plugins/check_security_dir_world_permissions_spec.rb +39 -0
  37. data/spec/puppet-lint/plugins/check_security_eval_in_erb_spec.rb +35 -0
  38. data/spec/puppet-lint/plugins/check_security_file_suid_permissions_spec.rb +48 -0
  39. data/spec/puppet-lint/plugins/check_security_file_with_setgid_permission_spec.rb +59 -0
  40. data/spec/puppet-lint/plugins/check_security_file_with_setuid_permission_spec.rb +59 -0
  41. data/spec/puppet-lint/plugins/check_security_file_with_world_permissions_spec.rb +62 -0
  42. data/spec/puppet-lint/plugins/check_security_file_world_and_guid_permissions_spec.rb +43 -0
  43. data/spec/puppet-lint/plugins/check_security_firewall_any_any_allow_spec.rb +36 -0
  44. data/spec/puppet-lint/plugins/check_security_firewall_any_any_deny_spec.rb +124 -0
  45. data/spec/puppet-lint/plugins/check_security_firewall_dns_used_spec.rb +77 -0
  46. data/spec/puppet-lint/plugins/check_security_firewall_puppetmaster_any_deny_spec.rb +60 -0
  47. data/spec/puppet-lint/plugins/check_security_package_pinned_version_spec.rb +43 -0
  48. data/spec/puppet-lint/plugins/check_security_password_in_code_spec.rb +55 -0
  49. data/spec/puppet-lint/plugins/check_security_password_variable_in_exec_spec.rb +45 -0
  50. data/spec/puppet-lint/plugins/check_security_regex_unspecific_spec.rb +40 -0
  51. data/spec/puppet-lint/plugins/check_security_service_mysql_disabled_spec.rb +54 -0
  52. data/spec/puppet-lint/plugins/check_security_service_puppetmaster_disabled_spec.rb +40 -0
  53. data/spec/puppet-lint/plugins/check_security_ssh_root_allowed_spec.rb +60 -0
  54. data/spec/puppet-lint/plugins/check_security_ssh_server_root_allowed_spec.rb +60 -0
  55. data/spec/puppet-lint/plugins/check_security_sudo_with_world_nopasswd_spec.rb +40 -0
  56. data/spec/puppet-lint/plugins/check_security_tidy_all_files_spec.rb +36 -0
  57. data/spec/puppet-lint/plugins/check_security_tidy_matches_greedy_spec.rb +37 -0
  58. data/spec/puppet-lint/plugins/check_security_tidy_recurse_spec.rb +37 -0
  59. data/spec/puppet-lint/plugins/check_security_user_with_id_0_created_spec.rb +47 -0
  60. data/spec/spec_helper.rb +5 -0
  61. metadata +232 -0
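--- a/data/spec/puppet-lint/plugins/check_security_package_pinned_version_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_package_pinned_version_spec.rb
@@ -0,0 +1,43 @@
+require 'spec_helper'
+
+describe 'security_package_pinned_version' do
+  let(:msg) { 'Package version pinned (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having openssh with fixed version' do
+      let(:code) { "
+
+      package { 'openssh':
+        name => $ssh,
+        ensure => '1:6.6p1-2ubuntu2',
+        require => Package['openssl']
+      }
+
+      " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(5).in_column(14)
+      end
+    end
+
+    context 'code having no openssh with fixed version' do
+      let(:code) { "
+
+      package { 'openssh':
+        name => $ssh,
+        ensure => installed,
+        require => Package['openssl']
+      }
+      " }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end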
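Review bot: The negative context only covers `ensure => installed`, so the spec does not pin whether `present`, `latest` or `held` are treated as unpinned, and the positive context only covers a quoted Debian-style version string. An unquoted numeric version (`ensure => 2.0`) is the form most likely to confuse a string-based check and is not exercised either. I would add contexts for `ensure => latest` and `ensure => held` expecting zero problems, and one for an unquoted version expecting a warning. A one-line comment under the `describe` explaining why pinning is reported at all — presumably because a pinned package silently stops receiving security updates — would also make the `(security!)` in `msg` understandable to whoever triages the warning.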
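--- a/data/spec/puppet-lint/plugins/check_security_password_in_code_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_password_in_code_spec.rb
@@ -0,0 +1,55 @@
+require 'spec_helper'
+
+describe 'security_password_in_code' do
+  let(:msg) { 'Possible password in code detected (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having cleartext passwords' do
+      let(:code) { "
+      $db_password='OhBao5ho'
+      $ldap_pw='Ceeghoh5'
+      $application_pwd_db='aiMoi1af'
+
+      " }
+
+      it 'should detect three problems' do
+        expect(problems).to have(3).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg)
+      end
+    end
+
+    context 'code having no cleartext passwords' do
+      let(:code) { "
+      class myclass (
+        $param1_password,
+        $param2_password,
+        $param3_password= '',
+        $param4_password = '',
+      ) {
+        $db_password = hiera('db_password')
+        $ldap_pw=hiera('ldap_pw')
+        $application_pwd_db= hiera('application_pwd_db')
+      }
+
+      class mysql::params
+      {
+
+        $packages = 'mysql-server'
+        $packages_extra = 'maatkit'
+        $service = 'mysql'
+        $password = $mysql::my_password
+
+      }
+
+      " }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end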
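Review bot: The positive context only exercises single-quoted literals assigned to a bare variable, so a non-empty class-parameter default such as `$db_password = 'changeme'` and a resource attribute such as `password => 'OhBao5ho'` are left unpinned; the negative context asserts that `= ''` defaults pass but says nothing about a non-empty default, which is the more realistic way a secret lands in a module. Double-quoted literals (`$ldap_pw = \"Ceeghoh5\"`) are not covered either. The three-problem assertion also checks no line or column, so a regression that reported all three findings on one line would still pass; a `contain_error(msg).on_line(2)` for at least the first assignment would tighten it.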
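--- a/data/spec/puppet-lint/plugins/check_security_password_variable_in_exec_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_password_variable_in_exec_spec.rb
@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+describe 'security_password_variable_in_exec' do
+  let(:msg) { 'Possible password variable in exec used (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having password variables in execs' do
+      let(:code) { "
+      exec {
+        'exec_application':
+          command => \"/usr/bin/application -p ${application_pwd_db}\";
+        'exec_ldap':
+          command => \"/usr/bin/ldapmodify -W${ldap_pw}\";
+        'exec_db':
+          command => \"/usr/bin/mysql -p ${db_password}\";
+      }
+      "}
+
+      it 'should detect three problems' do
+        expect(problems).to have(3).problem
+      end
+
+      it 'should create an error' do
+        expect(problems).to contain_error(msg)
+      end
+    end
+
+    context 'code having no variables in exec' do
+      let(:code) { "
+      exec {
+        'exec_application':
+          command => \"/usr/bin/application -c /etc/app.rc\";
+        'exec_ldap':
+          command => \"/usr/bin/ldapmodify\";
+        'exec_db':
+          command => \"/usr/bin/mysql\";
+      }
+      " }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end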
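Review bot: The negative context contains no variables at all, so the spec never establishes that a non-password interpolation such as `command => \"${bindir}/mysql --defaults-file=/root/.my.cnf\"` is left alone; a check that flags every `${...}` in a command would pass these specs unchanged. I would add that case expecting zero problems. On the positive side only `command` is exercised, while `onlyif`, `unless` and `environment => [\"MYSQL_PWD=${db_password}\"]` expose the secret through the process list or `/proc/<pid>/environ` just as readily; whether the check inspects those attributes is not visible here, so a context for at least `unless` would make the intended scope explicit.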
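--- a/data/spec/puppet-lint/plugins/check_security_regex_unspecific_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_regex_unspecific_spec.rb
@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+describe 'security_regex_unspecific' do
+  let(:msg) { 'Unspecific regex used, maybe too much is matched.' }
+
+  context 'with fix disabled' do
+    context 'code having unspecific regex' do
+      let(:code) { "
+      if $::kernelversion =~ /3.*/ {
+        notice ('Linux Kernel 3 used')
+      }
+      " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(2).in_column(24)
+      end
+    end
+
+    context 'code having specific regex' do
+      let(:code) { "
+      if $::kernelversion =~ /\\A3.*\\z/ {
+        notice ('Linux Kernel 3 used')
+      }
+
+      if $::kernelversion =~ /^3.*$/ {
+        notice ('Linux Kernel 3 used')
+      }
+      " }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end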
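Review bot: The second negative example treats `/^3.*$/` as specific, but Puppet regexes follow Ruby semantics where `^` and `$` anchor lines rather than the whole string, so only the `\\A`/`\\z` form in the first example actually constrains a value containing newlines; `$::kernelversion` is single-line so it is harmless here, but a reader copying the pattern for file content or command output would be misled. Both accepted forms also keep the unescaped `.`, so `/\\A3.*\\z/` still matches a hypothetical `30.x`, which suggests the check is about anchoring only. I would add `# ^/$ are line anchors in Ruby; \\A/\\z anchor the whole string` above the second `if`, and, if the plugin deliberately accepts `^`/`$` for compatibility, say so in a comment under the `describe` so the weaker form is a documented choice rather than an implied recommendation.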
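--- a/data/spec/puppet-lint/plugins/check_security_service_mysql_disabled_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_service_mysql_disabled_spec.rb
@@ -0,0 +1,54 @@
+require 'spec_helper'
+
+describe 'security_service_mysql_disabled' do
+  let(:msg) { 'MySQL service disabled (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having service mysql disabled' do
+      let(:code) { "
+      service {
+        'mysql':
+          ensure => stopped,
+          enable => false,
+          require => Package['mysql'],
+          hasrestart => true;
+        'ntp':
+          ensure => stopped,
+          enable => false,
+          require => Package['ntp'],
+          hasrestart => true;
+      }
+      " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(4).in_column(19)
+      end
+    end
+
+    context 'code having service mysql enabled' do
+      let(:code) { "
+
+      service { 'mysql':
+        ensure => running,
+        enable => true,
+        hasrestart => true,
+      }
+
+      service {[\"cups\",\"cupsrenice\"]:
+        enable => false,
+        ensure => \"stopped\"
+      }
+
+      " }
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end
+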
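Review bot: The quoted form `ensure => \"stopped\"` appears only in the negative context under a different title, so these specs cannot tell whether the check recognises a quoted `stopped` (or `enable => \"false\"`) on the `mysql` service; the positive context uses only the bare `stopped` plus `enable => false` combination. The title `mysql` is also Debian/Ubuntu-specific — RHEL-family hosts use `mysqld` or `mariadb` — and nothing here pins whether those names are covered. I would add a positive context for `service { 'mysql': ensure => \"stopped\" }` and either a `mariadb` context or a comment under the `describe` stating that the check keys on the Debian unit name. The message gives no reason why a stopped MySQL is a security finding; a short rationale comment next to `let(:msg)` would help whoever has to decide whether to suppress it.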
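--- a/data/spec/puppet-lint/plugins/check_security_service_puppetmaster_disabled_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_service_puppetmaster_disabled_spec.rb
@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+describe 'security_service_puppetmaster_disabled' do
+  let(:msg) { 'Puppetmaster service disabled (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having service puppetmaster disabled' do
+      let(:code) { "
+      service { 'puppetmaster':
+        ensure => stopped,
+        enable => false,
+        hasrestart => true,
+      }
+      " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(3).in_column(21)
+      end
+    end
+
+    context 'code having service puppetmaster enabled' do
+      let(:code) { "
+      service { 'puppetmaster':
+        ensure => running,
+        enable => true,
+        hasrestart => true,
+      }
+      " }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end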
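Review bot: Only the legacy `puppetmaster` unit is exercised; Puppet Server ships as `puppetserver`, so a manifest disabling that service is covered by nothing asserted here, and whether the check matches it is not visible in this hunk. Both contexts also set `ensure` and `enable` together, so the spec does not pin whether `enable => false` on its own (still running now, gone after the next boot) is reported. I would add a context for `service { 'puppetserver': ensure => stopped }` with the expected problem count, and one for the `puppetmaster` title with only `enable => false`, so the check's scope is documented by the specs rather than left to the reader.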
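--- a/data/spec/puppet-lint/plugins/check_security_ssh_root_allowed_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_ssh_root_allowed_spec.rb
@@ -0,0 +1,60 @@
+require 'spec_helper'
+
+# saz/ssh
+describe 'security_ssh_root_allowed' do
+  let(:msg) { 'SSH root login allowed (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having ssh root login allowed' do
+      let(:code) { "
+      class { 'ssh':
+        server_options => {
+          'Match User www-data' => {
+            'ChrootDirectory' => '%h',
+            'ForceCommand' => 'internal-sftp',
+            'PasswordAuthentication' => 'yes',
+            'AllowTcpForwarding' => 'no',
+            'X11Forwarding' => 'no',
+          },
+          'PasswordAuthentication' => 'no',
+          'PermitRootLogin' => 'yes',
+          'Port' => [22, 2222],
+        },
+      }
+      " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(12).in_column(33)
+      end
+    end
+
+    context 'code having ssh root login disabled' do
+      let(:code) { "
+      class { 'ssh':
+        server_options => {
+          'Match User www-data' => {
+            'ChrootDirectory' => '%h',
+            'ForceCommand' => 'internal-sftp',
+            'PasswordAuthentication' => 'yes',
+            'AllowTcpForwarding' => 'no',
+            'X11Forwarding' => 'no',
+          },
+          'PasswordAuthentication' => 'no',
+          'PermitRootLogin' => 'no',
+          'Port' => [22, 2222],
+        },
+      }
+
+      " }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end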
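Review bot: Only `'PermitRootLogin' => 'yes'` and `'no'` are pinned; the values `without-password`/`prohibit-password` and `forced-commands-only` still permit key-based root logins and are the ones an operator is most likely to believe are safe, yet the spec leaves the check's verdict on them undefined. sshd parses this option's argument case-insensitively, so `'PermitRootLogin' => 'Yes'` is accepted by the server but could slip past a literal comparison — a context for it would make the intended behaviour explicit. A `server_options` hash with no `PermitRootLogin` key at all is also uncovered; OpenSSH releases before 7.0 default the option to `yes`, so whether absence is reported is worth pinning, or documenting as out of scope in a comment under the `describe`.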
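--- a/data/spec/puppet-lint/plugins/check_security_ssh_server_root_allowed_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_ssh_server_root_allowed_spec.rb
@@ -0,0 +1,60 @@
+require 'spec_helper'
+
+# saz/ssh
+describe 'security_ssh_root_allowed' do
+  let(:msg) { 'SSH root login allowed (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having ssh root login allowed' do
+      let(:code) { "
+      class { 'ssh::server':
+        options => {
+          'Match User www-data' => {
+            'ChrootDirectory' => '%h',
+            'ForceCommand' => 'internal-sftp',
+            'PasswordAuthentication' => 'yes',
+            'AllowTcpForwarding' => 'no',
+            'X11Forwarding' => 'no',
+          },
+          'PasswordAuthentication' => 'no',
+          'PermitRootLogin' => 'yes',
+          'Port' => [22, 2222],
+        },
+      }
+      " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(12).in_column(33)
+      end
+    end
+
+    context 'code having ssh root login disabled' do
+      let(:code) { "
+      class { 'ssh::server':
+        options => {
+          'Match User www-data' => {
+            'ChrootDirectory' => '%h',
+            'ForceCommand' => 'internal-sftp',
+            'PasswordAuthentication' => 'yes',
+            'AllowTcpForwarding' => 'no',
+            'X11Forwarding' => 'no',
+          },
+          'PasswordAuthentication' => 'no',
+          'PermitRootLogin' => 'no',
+          'Port' => [22, 2222],
+        },
+      }
+
+      " }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end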
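Review bot: This file reuses `describe 'security_ssh_root_allowed'` and the identical context strings of the `class { 'ssh': server_options => ... }` spec, so a failure prints the same description for two different manifests and cannot be told apart in the RSpec output; naming the outer context, e.g. `context 'ssh::server with options hash' do`, or adding `# ssh::server variant of check_security_ssh_root_allowed_spec` under the `# saz/ssh` comment would fix that. As in the sibling spec only `'yes'`/`'no'` are asserted, so `'without-password'`, `'prohibit-password'` and a `PermitRootLogin` placed inside the nested `Match` hash are left unpinned; at least one such context would document which of them the check is meant to report.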
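--- a/data/spec/puppet-lint/plugins/check_security_sudo_with_world_nopasswd_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_sudo_with_world_nopasswd_spec.rb
@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+# saz/sudo
+describe 'security_sudo_with_world_nopasswd' do
+  let(:msg) { 'Sudo access with world permissions detected (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having sudo with world permissions' do
+      let(:code) { "
+      sudo::conf { 'admins':
+        priority => 10,
+        content => 'ALL ALL=(ALL) NOPASSWD: ALL',
+      }
+      " }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(4).in_column(15)
+      end
+    end
+
+    context 'code having no sudo with world permissions' do
+      let(:code) { "
+
+      sudo::conf { 'admins':
+        priority => 10,
+        content => '%admins ALL=(ALL) NOPASSWD: ALL',
+      }
+      " }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end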
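Review bot: The negative context still grants unrestricted `NOPASSWD: ALL` to `%admins`, so the spec only shows that a non-`ALL` user field is ignored; it never covers the realistic safe entry (`deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app`) nor spacing variants of the bad one such as `ALL ALL=(ALL:ALL) NOPASSWD:ALL` or tab-separated fields, which sudoers accepts and a whitespace-sensitive match could miss. I would add both as contexts with the expected counts. A `sudo::conf` that uses `source =>` or a template instead of an inline `content` cannot be inspected by a lint pass at all; a comment under the `describe` stating that limitation would stop readers assuming these specs cover it.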