puppet-lint-security-plugins 0.1.6

data/spec/puppet-lint/plugins/check_security_package_pinned_version_spec.rb

@@ -0,0 +1,43 @@
+require 'spec_helper'
+
+describe 'security_package_pinned_version' do
+  let(:msg) { 'Package version pinned (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having openssh with fixed version' do
+      let(:code) { "
+
+package { 'openssh':
+  name    => $ssh,
+  ensure  => '1:6.6p1-2ubuntu2',
+  require => Package['openssl']
+}
+
+" }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(5).in_column(14)
+      end
+    end
+
+    context 'code having no openssh with fixed version' do
+      let(:code) { "
+
+package { 'openssh':
+  name    => $ssh,
+  ensure  => installed,
+  require => Package['openssl']
+}
+" }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end

data/spec/puppet-lint/plugins/check_security_password_in_code_spec.rb

@@ -0,0 +1,55 @@
+require 'spec_helper'
+
+describe 'security_password_in_code' do
+  let(:msg) { 'Possible password in code detected (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having cleartext passwords' do
+      let(:code) { "
+$db_password='OhBao5ho'
+$ldap_pw='Ceeghoh5'
+$application_pwd_db='aiMoi1af'
+
+" }
+
+      it 'should detect three problems' do
+        expect(problems).to have(3).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg)
+      end
+    end
+
+    context 'code having no cleartext passwords' do
+      let(:code) { "
+class myclass (
+  $param1_password,
+  $param2_password,
+  $param3_password= '',
+  $param4_password = '',
+) {
+  $db_password = hiera('db_password')
+  $ldap_pw=hiera('ldap_pw')
+  $application_pwd_db= hiera('application_pwd_db')
+}
+
+class mysql::params
+{
+
+  $packages = 'mysql-server'
+  $packages_extra = 'maatkit'
+  $service = 'mysql'
+  $password = $mysql::my_password
+
+}
+
+" }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end

data/spec/puppet-lint/plugins/check_security_password_variable_in_exec_spec.rb

@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+describe 'security_password_variable_in_exec' do
+  let(:msg) { 'Possible password variable in exec used (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having password variables in execs' do
+      let(:code) { "
+exec {
+  'exec_application':
+    command => \"/usr/bin/application -p ${application_pwd_db}\";
+  'exec_ldap':
+    command => \"/usr/bin/ldapmodify -W${ldap_pw}\";
+  'exec_db':
+    command => \"/usr/bin/mysql -p ${db_password}\";
+}
+                   "}
+
+      it 'should detect three problems' do
+        expect(problems).to have(3).problem
+      end
+
+      it 'should create an error' do
+        expect(problems).to contain_error(msg)
+      end
+    end
+
+    context 'code having no variables in exec' do
+      let(:code) { "
+exec {
+  'exec_application':
+    command => \"/usr/bin/application -c /etc/app.rc\";
+  'exec_ldap':
+    command => \"/usr/bin/ldapmodify\";
+  'exec_db':
+    command => \"/usr/bin/mysql\";
+}
+                   " }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+  end
+end

data/spec/puppet-lint/plugins/check_security_regex_unspecific_spec.rb

@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+describe 'security_regex_unspecific' do
+  let(:msg) { 'Unspecific regex used, maybe too much is matched.' }
+
+  context 'with fix disabled' do
+    context 'code having unspecific regex' do
+      let(:code) { "
+if $::kernelversion =~ /3.*/ {
+  notice ('Linux Kernel 3 used')
+}
+" }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(2).in_column(24)
+      end
+    end
+
+    context 'code having specific regex' do
+      let(:code) { "
+if $::kernelversion =~ /\\A3.*\\z/ {
+  notice ('Linux Kernel 3 used')
+}
+
+if $::kernelversion =~ /^3.*$/ {
+  notice ('Linux Kernel 3 used')
+}
+" }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end

data/spec/puppet-lint/plugins/check_security_service_mysql_disabled_spec.rb

@@ -0,0 +1,54 @@
+require 'spec_helper'
+
+describe 'security_service_mysql_disabled' do
+  let(:msg) { 'MySQL service disabled (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having service mysql disabled' do
+      let(:code) { "
+service {
+  'mysql':
+    ensure     => stopped,
+    enable     => false,
+    require    => Package['mysql'],
+    hasrestart => true;
+  'ntp':
+    ensure     => stopped,
+    enable     => false,
+    require    => Package['ntp'],
+    hasrestart => true;
+}
+" }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(4).in_column(19)
+      end
+    end
+
+    context 'code having service mysql enabled' do
+      let(:code) { "
+
+service { 'mysql':
+   ensure     => running,
+   enable     => true,
+   hasrestart => true,
+}
+
+service {[\"cups\",\"cupsrenice\"]:
+   enable =>  false,
+   ensure => \"stopped\"
+}
+
+" }
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end
+

data/spec/puppet-lint/plugins/check_security_service_puppetmaster_disabled_spec.rb

@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+describe 'security_service_puppetmaster_disabled' do
+  let(:msg) { 'Puppetmaster service disabled (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having service puppetmaster disabled' do
+      let(:code) { "
+    service { 'puppetmaster':
+      ensure     => stopped,
+      enable     => false,
+      hasrestart => true,
+    }
+" }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a warning' do
+        expect(problems).to contain_warning(msg).on_line(3).in_column(21)
+      end
+    end
+
+    context 'code having service puppetmaster enabled' do
+      let(:code) { "
+    service { 'puppetmaster':
+      ensure     => running,
+      enable     => true,
+      hasrestart => true,
+    }
+" }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end

data/spec/puppet-lint/plugins/check_security_ssh_root_allowed_spec.rb

@@ -0,0 +1,60 @@
+require 'spec_helper'
+
+# saz/ssh
+describe 'security_ssh_root_allowed' do
+  let(:msg) { 'SSH root login allowed (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having ssh root login allowed' do
+      let(:code) { "
+class { 'ssh':
+  server_options => {
+    'Match User www-data' => {
+      'ChrootDirectory' => '%h',
+      'ForceCommand' => 'internal-sftp',
+      'PasswordAuthentication' => 'yes',
+      'AllowTcpForwarding' => 'no',
+      'X11Forwarding' => 'no',
+    },
+    'PasswordAuthentication' => 'no',
+    'PermitRootLogin'        => 'yes',
+    'Port'                   => [22, 2222],
+  },
+}
+" }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(12).in_column(33)
+      end
+    end
+
+    context 'code having ssh root login disabled' do
+      let(:code) { "
+class { 'ssh':
+  server_options => {
+    'Match User www-data' => {
+      'ChrootDirectory' => '%h',
+      'ForceCommand' => 'internal-sftp',
+      'PasswordAuthentication' => 'yes',
+      'AllowTcpForwarding' => 'no',
+      'X11Forwarding' => 'no',
+    },
+    'PasswordAuthentication' => 'no',
+    'PermitRootLogin'        => 'no',
+    'Port'                   => [22, 2222],
+  },
+}
+
+" }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end

data/spec/puppet-lint/plugins/check_security_ssh_server_root_allowed_spec.rb

@@ -0,0 +1,60 @@
+require 'spec_helper'
+
+# saz/ssh
+describe 'security_ssh_root_allowed' do
+  let(:msg) { 'SSH root login allowed (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having ssh root login allowed' do
+      let(:code) { "
+class { 'ssh::server':
+  options => {
+    'Match User www-data' => {
+      'ChrootDirectory' => '%h',
+      'ForceCommand' => 'internal-sftp',
+      'PasswordAuthentication' => 'yes',
+      'AllowTcpForwarding' => 'no',
+      'X11Forwarding' => 'no',
+    },
+    'PasswordAuthentication' => 'no',
+    'PermitRootLogin'        => 'yes',
+    'Port'                   => [22, 2222],
+  },
+}
+" }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(12).in_column(33)
+      end
+    end
+
+    context 'code having ssh root login disabled' do
+      let(:code) { "
+class { 'ssh::server':
+  options => {
+    'Match User www-data' => {
+      'ChrootDirectory' => '%h',
+      'ForceCommand' => 'internal-sftp',
+      'PasswordAuthentication' => 'yes',
+      'AllowTcpForwarding' => 'no',
+      'X11Forwarding' => 'no',
+    },
+    'PasswordAuthentication' => 'no',
+    'PermitRootLogin'        => 'no',
+    'Port'                   => [22, 2222],
+  },
+}
+
+" }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end

data/spec/puppet-lint/plugins/check_security_sudo_with_world_nopasswd_spec.rb

@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+# saz/sudo
+describe 'security_sudo_with_world_nopasswd' do
+  let(:msg) { 'Sudo access with world permissions detected (security!)' }
+
+  context 'with fix disabled' do
+    context 'code having sudo with world permissions' do
+      let(:code) { "
+sudo::conf { 'admins':
+  priority => 10,
+  content  => 'ALL ALL=(ALL) NOPASSWD: ALL',
+}
+" }
+
+      it 'should detect a single problem' do
+        expect(problems).to have(1).problem
+      end
+
+      it 'should create a error' do
+        expect(problems).to contain_error(msg).on_line(4).in_column(15)
+      end
+    end
+
+    context 'code having no sudo with world permissions' do
+      let(:code) { "
+
+sudo::conf { 'admins':
+  priority => 10,
+  content  => '%admins ALL=(ALL) NOPASSWD: ALL',
+}
+" }
+
+      it 'should not detect any problems' do
+        expect(problems).to have(0).problems
+      end
+    end
+
+  end
+end