puppet-lint-security-plugins 0.1.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/LICENSE +21 -0
- data/README.md +90 -0
- data/lib/puppet-lint-security-plugins.rb +2 -0
- data/lib/puppet-lint/plugins/check_class_or_define_parameter_in_exec.rb +36 -0
- data/lib/puppet-lint/plugins/check_security_apache_bad_cipher.rb +28 -0
- data/lib/puppet-lint/plugins/check_security_apache_no_ssl_vhost.rb +27 -0
- data/lib/puppet-lint/plugins/check_security_apt_no_key.rb +26 -0
- data/lib/puppet-lint/plugins/check_security_eval_in_erb.rb +21 -0
- data/lib/puppet-lint/plugins/check_security_file_with_setgid_permission.rb +25 -0
- data/lib/puppet-lint/plugins/check_security_file_with_setuid_permission.rb +25 -0
- data/lib/puppet-lint/plugins/check_security_file_with_world_permissions.rb +25 -0
- data/lib/puppet-lint/plugins/check_security_firewall_any_any_allow.rb +26 -0
- data/lib/puppet-lint/plugins/check_security_firewall_any_any_deny.rb +27 -0
- data/lib/puppet-lint/plugins/check_security_firewall_dns_used.rb +30 -0
- data/lib/puppet-lint/plugins/check_security_firewall_puppetmaster_any_deny.rb +33 -0
- data/lib/puppet-lint/plugins/check_security_package_pinned_version.rb +25 -0
- data/lib/puppet-lint/plugins/check_security_password_in_code.rb +31 -0
- data/lib/puppet-lint/plugins/check_security_password_variable_in_exec.rb +22 -0
- data/lib/puppet-lint/plugins/check_security_regex_unspecific.rb +23 -0
- data/lib/puppet-lint/plugins/check_security_service_mysql_disabled.rb +22 -0
- data/lib/puppet-lint/plugins/check_security_service_puppetmaster_disabled.rb +24 -0
- data/lib/puppet-lint/plugins/check_security_ssh_root_allowed.rb +26 -0
- data/lib/puppet-lint/plugins/check_security_sudo_with_world_nopasswd.rb +23 -0
- data/lib/puppet-lint/plugins/check_security_tidy_all_files.rb +20 -0
- data/lib/puppet-lint/plugins/check_security_tidy_matches_greedy.rb +27 -0
- data/lib/puppet-lint/plugins/check_security_tidy_recurse.rb +21 -0
- data/lib/puppet-lint/plugins/check_security_user_with_id_0_created.rb +28 -0
- data/lib/puppet-lint/security.rb +280 -0
- data/spec/puppet-lint/plugins/check_class_or_define_parameter_in_exec_spec.rb +85 -0
- data/spec/puppet-lint/plugins/check_security_apache_bad_cipher_spec.rb +49 -0
- data/spec/puppet-lint/plugins/check_security_apache_no_ssl_vhost_spec.rb +40 -0
- data/spec/puppet-lint/plugins/check_security_apt_absent_no_key_spec.rb +45 -0
- data/spec/puppet-lint/plugins/check_security_apt_no_key_spec.rb +38 -0
- data/spec/puppet-lint/plugins/check_security_dir_guid_permissions_spec.rb +49 -0
- data/spec/puppet-lint/plugins/check_security_dir_world_permissions_spec.rb +39 -0
- data/spec/puppet-lint/plugins/check_security_eval_in_erb_spec.rb +35 -0
- data/spec/puppet-lint/plugins/check_security_file_suid_permissions_spec.rb +48 -0
- data/spec/puppet-lint/plugins/check_security_file_with_setgid_permission_spec.rb +59 -0
- data/spec/puppet-lint/plugins/check_security_file_with_setuid_permission_spec.rb +59 -0
- data/spec/puppet-lint/plugins/check_security_file_with_world_permissions_spec.rb +62 -0
- data/spec/puppet-lint/plugins/check_security_file_world_and_guid_permissions_spec.rb +43 -0
- data/spec/puppet-lint/plugins/check_security_firewall_any_any_allow_spec.rb +36 -0
- data/spec/puppet-lint/plugins/check_security_firewall_any_any_deny_spec.rb +124 -0
- data/spec/puppet-lint/plugins/check_security_firewall_dns_used_spec.rb +77 -0
- data/spec/puppet-lint/plugins/check_security_firewall_puppetmaster_any_deny_spec.rb +60 -0
- data/spec/puppet-lint/plugins/check_security_package_pinned_version_spec.rb +43 -0
- data/spec/puppet-lint/plugins/check_security_password_in_code_spec.rb +55 -0
- data/spec/puppet-lint/plugins/check_security_password_variable_in_exec_spec.rb +45 -0
- data/spec/puppet-lint/plugins/check_security_regex_unspecific_spec.rb +40 -0
- data/spec/puppet-lint/plugins/check_security_service_mysql_disabled_spec.rb +54 -0
- data/spec/puppet-lint/plugins/check_security_service_puppetmaster_disabled_spec.rb +40 -0
- data/spec/puppet-lint/plugins/check_security_ssh_root_allowed_spec.rb +60 -0
- data/spec/puppet-lint/plugins/check_security_ssh_server_root_allowed_spec.rb +60 -0
- data/spec/puppet-lint/plugins/check_security_sudo_with_world_nopasswd_spec.rb +40 -0
- data/spec/puppet-lint/plugins/check_security_tidy_all_files_spec.rb +36 -0
- data/spec/puppet-lint/plugins/check_security_tidy_matches_greedy_spec.rb +37 -0
- data/spec/puppet-lint/plugins/check_security_tidy_recurse_spec.rb +37 -0
- data/spec/puppet-lint/plugins/check_security_user_with_id_0_created_spec.rb +47 -0
- data/spec/spec_helper.rb +5 -0
- metadata +232 -0
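--- a/data/spec/puppet-lint/plugins/check_security_package_pinned_version_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_package_pinned_version_spec.rb
@@ -0,0 +1,43 @@
+require 'spec_helper'
+
+describe 'security_package_pinned_version' do
+let(:msg) { 'Package version pinned (security!)' }
+
+context 'with fix disabled' do
+context 'code having openssh with fixed version' do
+let(:code) { "
+
+package { 'openssh':
+name => $ssh,
+ensure => '1:6.6p1-2ubuntu2',
+require => Package['openssl']
+}
+
+" }
+
+it 'should detect a single problem' do
+expect(problems).to have(1).problem
+end
+
+it 'should create a warning' do
+expect(problems).to contain_warning(msg).on_line(5).in_column(14)
+end
+end
+
+context 'code having no openssh with fixed version' do
+let(:code) { "
+
+package { 'openssh':
+name => $ssh,
+ensure => installed,
+require => Package['openssl']
+}
+
+" }
+
+it 'should not detect any problems' do
+expect(problems).to have(0).problems
+end
+end
+
+end
+end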
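Review bot: The negative context (line 32, `ensure => installed`) is the only unpinned form exercised, so the spec does not say whether `ensure => present` or `ensure => latest` also pass without a warning, although they are the other common non-pinned values. A second negative context with `ensure => latest,` asserting `have(0).problems` would pin that. The positive case also deserves a one-line comment recording why pinning is reported at all, since the message text alone does not say; something like `# a fixed version keeps the host on that release and silently skips later security updates` would do, assuming that is the rationale the README gives.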
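--- a/data/spec/puppet-lint/plugins/check_security_password_in_code_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_password_in_code_spec.rb
@@ -0,0 +1,55 @@
+require 'spec_helper'
+
+describe 'security_password_in_code' do
+let(:msg) { 'Possible password in code detected (security!)' }
+
+context 'with fix disabled' do
+context 'code having cleartext passwords' do
+let(:code) { "
+$db_password='OhBao5ho'
+$ldap_pw='Ceeghoh5'
+$application_pwd_db='aiMoi1af'
+
+" }
+
+it 'should detect three problems' do
+expect(problems).to have(3).problem
+end
+
+it 'should create a error' do
+expect(problems).to contain_error(msg)
+end
+end
+
+context 'code having no cleartext passwords' do
+let(:code) { "
+class myclass (
+$param1_password,
+$param2_password,
+$param3_password= '',
+$param4_password = '',
+) {
+$db_password = hiera('db_password')
+$ldap_pw=hiera('ldap_pw')
+$application_pwd_db= hiera('application_pwd_db')
+}
+
+class mysql::params
+{
+
+$packages = 'mysql-server'
+$packages_extra = 'maatkit'
+$service = 'mysql'
+$password = $mysql::my_password
+
+}
+
+" }
+
+it 'should not detect any problems' do
+expect(problems).to have(0).problems
+end
+end
+
+end
+end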
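Review bot: The positive assertion on line 20, `expect(problems).to contain_error(msg)`, checks only that some error carries the message, not where it points; with three flagged assignments on snippet lines 2–4, a plugin reporting them at the wrong line or column would still pass, whereas the other specs in this release chain `.on_line(...).in_column(...)`. Pinning at least one position, e.g. `expect(problems).to contain_error(msg).on_line(2)`, makes the location contract explicit. The negative context is valuable because it asserts that empty defaults (`$param3_password= ''`, `$param4_password = ''`) and variable references (`$password = $mysql::my_password`) are not reported, but nothing says so to a reader; a comment such as `# empty defaults, hiera lookups and variable references must not count as literal passwords` above line 25 would. The description on line 19 reads `'should create a error'` where the sibling spec says `'should create an error'`.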
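--- a/data/spec/puppet-lint/plugins/check_security_password_variable_in_exec_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_password_variable_in_exec_spec.rb
@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+describe 'security_password_variable_in_exec' do
+let(:msg) { 'Possible password variable in exec used (security!)' }
+
+context 'with fix disabled' do
+context 'code having password variables in execs' do
+let(:code) { "
+exec {
+'exec_application':
+command => \"/usr/bin/application -p ${application_pwd_db}\";
+'exec_ldap':
+command => \"/usr/bin/ldapmodify -W${ldap_pw}\";
+'exec_db':
+command => \"/usr/bin/mysql -p ${db_password}\";
+}
+"}
+
+it 'should detect three problems' do
+expect(problems).to have(3).problem
+end
+
+it 'should create an error' do
+expect(problems).to contain_error(msg)
+end
+end
+
+context 'code having no variables in exec' do
+let(:code) { "
+exec {
+'exec_application':
+command => \"/usr/bin/application -c /etc/app.rc\";
+'exec_ldap':
+command => \"/usr/bin/ldapmodify\";
+'exec_db':
+command => \"/usr/bin/mysql\";
+}
+" }
+
+it 'should not detect any problems' do
+expect(problems).to have(0).problems
+end
+end
+end
+end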
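Review bot: The negative context starting on line 28 contains commands with no interpolation at all, so nothing shows that a non-password variable in a command is left alone; as written, a plugin that flags every `${...}` inside an exec command would pass both contexts. A third context with something like `command => \"/usr/bin/application -c ${config_file}\";` expecting `have(0).problems` would pin the intended scope to password-like names. As in the password_in_code spec, line 24 asserts `contain_error(msg)` without `.on_line`, so the three reported positions are never checked; chaining `.on_line(3)` on the first would be enough. The positive snippet also only covers `${var}` interpolation inside double quotes, leaving a bare `$db_password` concatenated into the command unexercised.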
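--- a/data/spec/puppet-lint/plugins/check_security_regex_unspecific_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_regex_unspecific_spec.rb
@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+describe 'security_regex_unspecific' do
+let(:msg) { 'Unspecific regex used, maybe too much is matched.' }
+
+context 'with fix disabled' do
+context 'code having unspecific regex' do
+let(:code) { "
+if $::kernelversion =~ /3.*/ {
+notice ('Linux Kernel 3 used')
+}
+" }
+
+it 'should detect a single problem' do
+expect(problems).to have(1).problem
+end
+
+it 'should create a warning' do
+expect(problems).to contain_warning(msg).on_line(2).in_column(24)
+end
+end
+
+context 'code having specific regex' do
+let(:code) { "
+if $::kernelversion =~ /\\A3.*\\z/ {
+notice ('Linux Kernel 3 used')
+}
+
+if $::kernelversion =~ /^3.*$/ {
+notice ('Linux Kernel 3 used')
+}
+" }
+
+it 'should not detect any problems' do
+expect(problems).to have(0).problems
+end
+end
+
+end
+end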
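Review bot: The 'specific regex' context accepts both `/\A3.*\z/` (line 25) and `/^3.*$/` (line 29) as not worth a warning, but in Ruby-flavoured regexes `^` and `$` anchor at line boundaries rather than string boundaries, so the spec deliberately encodes a weaker notion of "specific" than the `\A`/`\z` form; that choice should be recorded, e.g. `# ^ and $ are accepted as anchors even though they only bind to line boundaries` above line 29. Only `/3.*/` is exercised as unspecific, so the spec cannot tell a reader whether a bare `/3/` (no anchor, no wildcard) is meant to warn, i.e. whether the criterion is "missing anchors" or "trailing .*"; one context for `/3/` with an explicit expectation would document it either way. The warning message text 'Unspecific regex used, maybe too much is matched.' is the only spec message in this release ending with a full stop rather than the `(security!)` suffix the others use.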
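--- a/data/spec/puppet-lint/plugins/check_security_service_mysql_disabled_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_service_mysql_disabled_spec.rb
@@ -0,0 +1,54 @@
+require 'spec_helper'
+
+describe 'security_service_mysql_disabled' do
+let(:msg) { 'MySQL service disabled (security!)' }
+
+context 'with fix disabled' do
+context 'code having service mysql disabled' do
+let(:code) { "
+service {
+'mysql':
+ensure => stopped,
+enable => false,
+require => Package['mysql'],
+hasrestart => true;
+'ntp':
+ensure => stopped,
+enable => false,
+require => Package['ntp'],
+hasrestart => true;
+}
+" }
+
+it 'should detect a single problem' do
+expect(problems).to have(1).problem
+end
+
+it 'should create a warning' do
+expect(problems).to contain_warning(msg).on_line(4).in_column(19)
+end
+end
+
+context 'code having service mysql enabled' do
+let(:code) { "
+
+service { 'mysql':
+ensure => running,
+enable => true,
+hasrestart => true,
+}
+
+service {[\"cups\",\"cupsrenice\"]:
+enable => false,
+ensure => \"stopped\"
+}
+
+" }
+it 'should not detect any problems' do
+expect(problems).to have(0).problems
+end
+end
+
+end
+end
+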
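Review bot: The positive case on lines 9–20 sets both `ensure => stopped` and `enable => false` on the mysql service and the negative case flips both, so the spec never says whether `enable => false` with `ensure => running` (or the reverse) should warn; the puppetmaster spec that follows has the same gap. One context per mixed combination would pin which attribute the check keys on. The array-titled resource on line 41, `service {[\"cups\",\"cupsrenice\"]:`, is a useful regression case for title handling and warrants a comment such as `# array titles and quoted ensure values must not trip the check`. The stopped `'ntp'` service on line 15 likewise shows that only the mysql title is matched, which a one-line comment could make explicit.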
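--- a/data/spec/puppet-lint/plugins/check_security_service_puppetmaster_disabled_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_service_puppetmaster_disabled_spec.rb
@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+describe 'security_service_puppetmaster_disabled' do
+let(:msg) { 'Puppetmaster service disabled (security!)' }
+
+context 'with fix disabled' do
+context 'code having service puppetmaster disabled' do
+let(:code) { "
+service { 'puppetmaster':
+ensure => stopped,
+enable => false,
+hasrestart => true,
+}
+" }
+
+it 'should detect a single problem' do
+expect(problems).to have(1).problem
+end
+
+it 'should create a warning' do
+expect(problems).to contain_warning(msg).on_line(3).in_column(21)
+end
+end
+
+context 'code having service puppetmaster enabled' do
+let(:code) { "
+service { 'puppetmaster':
+ensure => running,
+enable => true,
+hasrestart => true,
+}
+" }
+
+it 'should not detect any problems' do
+expect(problems).to have(0).problems
+end
+end
+
+end
+end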
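--- a/data/spec/puppet-lint/plugins/check_security_ssh_root_allowed_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_ssh_root_allowed_spec.rb
@@ -0,0 +1,60 @@
+require 'spec_helper'
+
+# saz/ssh
+describe 'security_ssh_root_allowed' do
+let(:msg) { 'SSH root login allowed (security!)' }
+
+context 'with fix disabled' do
+context 'code having ssh root login allowed' do
+let(:code) { "
+class { 'ssh':
+server_options => {
+'Match User www-data' => {
+'ChrootDirectory' => '%h',
+'ForceCommand' => 'internal-sftp',
+'PasswordAuthentication' => 'yes',
+'AllowTcpForwarding' => 'no',
+'X11Forwarding' => 'no',
+},
+'PasswordAuthentication' => 'no',
+'PermitRootLogin' => 'yes',
+'Port' => [22, 2222],
+},
+}
+" }
+
+it 'should detect a single problem' do
+expect(problems).to have(1).problem
+end
+
+it 'should create a error' do
+expect(problems).to contain_error(msg).on_line(12).in_column(33)
+end
+end
+
+context 'code having ssh root login disabled' do
+let(:code) { "
+class { 'ssh':
+server_options => {
+'Match User www-data' => {
+'ChrootDirectory' => '%h',
+'ForceCommand' => 'internal-sftp',
+'PasswordAuthentication' => 'yes',
+'AllowTcpForwarding' => 'no',
+'X11Forwarding' => 'no',
+},
+'PasswordAuthentication' => 'no',
+'PermitRootLogin' => 'no',
+'Port' => [22, 2222],
+},
+}
+
+" }
+
+it 'should not detect any problems' do
+expect(problems).to have(0).problems
+end
+end
+
+end
+end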
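Review bot: `'PermitRootLogin' => 'yes'` (line 20) and `'no'` (line 47) are the only values exercised, while sshd also accepts `without-password`, `prohibit-password` and `forced-commands-only`, so the spec leaves open whether those count as "root login allowed" and a reader cannot tell which way the check goes. A context with `'PermitRootLogin' => 'without-password',` and an explicit expectation would settle it either way. The nested `'Match User www-data'` hash on line 12 never carries a `PermitRootLogin` key, so an override inside a Match block is likewise uncovered, and the sibling ssh::server spec that follows shares both gaps. The `# saz/ssh` comment on line 3 would be more useful as `# fixtures follow the saz/ssh module's server_options hash layout`.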
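--- a/data/spec/puppet-lint/plugins/check_security_ssh_server_root_allowed_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_ssh_server_root_allowed_spec.rb
@@ -0,0 +1,60 @@
+require 'spec_helper'
+
+# saz/ssh
+describe 'security_ssh_root_allowed' do
+let(:msg) { 'SSH root login allowed (security!)' }
+
+context 'with fix disabled' do
+context 'code having ssh root login allowed' do
+let(:code) { "
+class { 'ssh::server':
+options => {
+'Match User www-data' => {
+'ChrootDirectory' => '%h',
+'ForceCommand' => 'internal-sftp',
+'PasswordAuthentication' => 'yes',
+'AllowTcpForwarding' => 'no',
+'X11Forwarding' => 'no',
+},
+'PasswordAuthentication' => 'no',
+'PermitRootLogin' => 'yes',
+'Port' => [22, 2222],
+},
+}
+" }
+
+it 'should detect a single problem' do
+expect(problems).to have(1).problem
+end
+
+it 'should create a error' do
+expect(problems).to contain_error(msg).on_line(12).in_column(33)
+end
+end
+
+context 'code having ssh root login disabled' do
+let(:code) { "
+class { 'ssh::server':
+options => {
+'Match User www-data' => {
+'ChrootDirectory' => '%h',
+'ForceCommand' => 'internal-sftp',
+'PasswordAuthentication' => 'yes',
+'AllowTcpForwarding' => 'no',
+'X11Forwarding' => 'no',
+},
+'PasswordAuthentication' => 'no',
+'PermitRootLogin' => 'no',
+'Port' => [22, 2222],
+},
+}
+
+" }
+
+it 'should not detect any problems' do
+expect(problems).to have(0).problems
+end
+end
+
+end
+end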
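Review bot: This file is a copy of the ssh spec with `class { 'ssh::server':` and `options => {` substituted on lines 10–11 and 37–38, but it keeps the same `describe 'security_ssh_root_allowed'` and the same context strings, so a failure prints an identical description for either file and can only be told apart by path. If the spec helper follows the puppet-lint convention of enabling the check named by the outer describe, that string must stay, but the contexts can still be renamed, e.g. `context 'code having ssh::server root login allowed' do`. A comment on line 3 such as `# saz/ssh, ssh::server class form (options hash instead of server_options)` would record why two near-identical specs exist for the single check_security_ssh_root_allowed plugin listed in this release.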
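--- a/data/spec/puppet-lint/plugins/check_security_sudo_with_world_nopasswd_spec.rb
+++ b/data/spec/puppet-lint/plugins/check_security_sudo_with_world_nopasswd_spec.rb
@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+# saz/sudo
+describe 'security_sudo_with_world_nopasswd' do
+let(:msg) { 'Sudo access with world permissions detected (security!)' }
+
+context 'with fix disabled' do
+context 'code having sudo with world permissions' do
+let(:code) { "
+sudo::conf { 'admins':
+priority => 10,
+content => 'ALL ALL=(ALL) NOPASSWD: ALL',
+}
+" }
+
+it 'should detect a single problem' do
+expect(problems).to have(1).problem
+end
+
+it 'should create a error' do
+expect(problems).to contain_error(msg).on_line(4).in_column(15)
+end
+end
+
+context 'code having no sudo with world permissions' do
+let(:code) { "
+
+sudo::conf { 'admins':
+priority => 10,
+content => '%admins ALL=(ALL) NOPASSWD: ALL',
+}
+" }
+
+it 'should not detect any problems' do
+expect(problems).to have(0).problems
+end
+end
+
+end
+end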
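Review bot: The flagged sudoers line on line 12, `'ALL ALL=(ALL) NOPASSWD: ALL'`, is the only positive form and is written with single spaces, while the negative case on line 30 changes nothing but the user field to `%admins`; the spec therefore does not show whether the same rule written with tabs or as `NOPASSWD:ALL` is still detected, nor whether `ALL ALL=(ALL) ALL` (any user, password still required) is in scope of a message that speaks of "world permissions". A context for each spelling would make the matching contract explicit instead of leaving it to the reader of the plugin. It is also worth a comment above line 10 that only an inline `content` string can be inspected by a manifest-level lint check, e.g. `# only inline content is checked; sudoers rules delivered via source or template are not visible here`.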