puppet-lint-security-plugins 0.1.6

Files changed (61) hide show
  1. checksums.yaml +7 -0
  2. data/LICENSE +21 -0
  3. data/README.md +90 -0
  4. data/lib/puppet-lint-security-plugins.rb +2 -0
  5. data/lib/puppet-lint/plugins/check_class_or_define_parameter_in_exec.rb +36 -0
  6. data/lib/puppet-lint/plugins/check_security_apache_bad_cipher.rb +28 -0
  7. data/lib/puppet-lint/plugins/check_security_apache_no_ssl_vhost.rb +27 -0
  8. data/lib/puppet-lint/plugins/check_security_apt_no_key.rb +26 -0
  9. data/lib/puppet-lint/plugins/check_security_eval_in_erb.rb +21 -0
  10. data/lib/puppet-lint/plugins/check_security_file_with_setgid_permission.rb +25 -0
  11. data/lib/puppet-lint/plugins/check_security_file_with_setuid_permission.rb +25 -0
  12. data/lib/puppet-lint/plugins/check_security_file_with_world_permissions.rb +25 -0
  13. data/lib/puppet-lint/plugins/check_security_firewall_any_any_allow.rb +26 -0
  14. data/lib/puppet-lint/plugins/check_security_firewall_any_any_deny.rb +27 -0
  15. data/lib/puppet-lint/plugins/check_security_firewall_dns_used.rb +30 -0
  16. data/lib/puppet-lint/plugins/check_security_firewall_puppetmaster_any_deny.rb +33 -0
  17. data/lib/puppet-lint/plugins/check_security_package_pinned_version.rb +25 -0
  18. data/lib/puppet-lint/plugins/check_security_password_in_code.rb +31 -0
  19. data/lib/puppet-lint/plugins/check_security_password_variable_in_exec.rb +22 -0
  20. data/lib/puppet-lint/plugins/check_security_regex_unspecific.rb +23 -0
  21. data/lib/puppet-lint/plugins/check_security_service_mysql_disabled.rb +22 -0
  22. data/lib/puppet-lint/plugins/check_security_service_puppetmaster_disabled.rb +24 -0
  23. data/lib/puppet-lint/plugins/check_security_ssh_root_allowed.rb +26 -0
  24. data/lib/puppet-lint/plugins/check_security_sudo_with_world_nopasswd.rb +23 -0
  25. data/lib/puppet-lint/plugins/check_security_tidy_all_files.rb +20 -0
  26. data/lib/puppet-lint/plugins/check_security_tidy_matches_greedy.rb +27 -0
  27. data/lib/puppet-lint/plugins/check_security_tidy_recurse.rb +21 -0
  28. data/lib/puppet-lint/plugins/check_security_user_with_id_0_created.rb +28 -0
  29. data/lib/puppet-lint/security.rb +280 -0
  30. data/spec/puppet-lint/plugins/check_class_or_define_parameter_in_exec_spec.rb +85 -0
  31. data/spec/puppet-lint/plugins/check_security_apache_bad_cipher_spec.rb +49 -0
  32. data/spec/puppet-lint/plugins/check_security_apache_no_ssl_vhost_spec.rb +40 -0
  33. data/spec/puppet-lint/plugins/check_security_apt_absent_no_key_spec.rb +45 -0
  34. data/spec/puppet-lint/plugins/check_security_apt_no_key_spec.rb +38 -0
  35. data/spec/puppet-lint/plugins/check_security_dir_guid_permissions_spec.rb +49 -0
  36. data/spec/puppet-lint/plugins/check_security_dir_world_permissions_spec.rb +39 -0
  37. data/spec/puppet-lint/plugins/check_security_eval_in_erb_spec.rb +35 -0
  38. data/spec/puppet-lint/plugins/check_security_file_suid_permissions_spec.rb +48 -0
  39. data/spec/puppet-lint/plugins/check_security_file_with_setgid_permission_spec.rb +59 -0
  40. data/spec/puppet-lint/plugins/check_security_file_with_setuid_permission_spec.rb +59 -0
  41. data/spec/puppet-lint/plugins/check_security_file_with_world_permissions_spec.rb +62 -0
  42. data/spec/puppet-lint/plugins/check_security_file_world_and_guid_permissions_spec.rb +43 -0
  43. data/spec/puppet-lint/plugins/check_security_firewall_any_any_allow_spec.rb +36 -0
  44. data/spec/puppet-lint/plugins/check_security_firewall_any_any_deny_spec.rb +124 -0
  45. data/spec/puppet-lint/plugins/check_security_firewall_dns_used_spec.rb +77 -0
  46. data/spec/puppet-lint/plugins/check_security_firewall_puppetmaster_any_deny_spec.rb +60 -0
  47. data/spec/puppet-lint/plugins/check_security_package_pinned_version_spec.rb +43 -0
  48. data/spec/puppet-lint/plugins/check_security_password_in_code_spec.rb +55 -0
  49. data/spec/puppet-lint/plugins/check_security_password_variable_in_exec_spec.rb +45 -0
  50. data/spec/puppet-lint/plugins/check_security_regex_unspecific_spec.rb +40 -0
  51. data/spec/puppet-lint/plugins/check_security_service_mysql_disabled_spec.rb +54 -0
  52. data/spec/puppet-lint/plugins/check_security_service_puppetmaster_disabled_spec.rb +40 -0
  53. data/spec/puppet-lint/plugins/check_security_ssh_root_allowed_spec.rb +60 -0
  54. data/spec/puppet-lint/plugins/check_security_ssh_server_root_allowed_spec.rb +60 -0
  55. data/spec/puppet-lint/plugins/check_security_sudo_with_world_nopasswd_spec.rb +40 -0
  56. data/spec/puppet-lint/plugins/check_security_tidy_all_files_spec.rb +36 -0
  57. data/spec/puppet-lint/plugins/check_security_tidy_matches_greedy_spec.rb +37 -0
  58. data/spec/puppet-lint/plugins/check_security_tidy_recurse_spec.rb +37 -0
  59. data/spec/puppet-lint/plugins/check_security_user_with_id_0_created_spec.rb +47 -0
  60. data/spec/spec_helper.rb +5 -0
  61. metadata +232 -0
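--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: 6cb0769c9bf6c371e0b788b122d9a5dbf82bdc45
+data.tar.gz: c9cb8bc14ab0cf9fd3950c09f279c44f1b79d8eb
+SHA512:
+metadata.gz: 6a588232ca68086cb13fab884143efad736e4e130d9f4396a01c508a684ed79d71a300ac2a32f8764e98bb9633a5dffe708220ae4594c55a988f66a1df5da6ce
+data.tar.gz: 14e4843c56976cc63497573a4eced188be6aad153577aa938f9eae563f369c8ae2e5dd468e0d4ae800fe1e2178186bd40495dd8c5e1102e7eb65258ec236a822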
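--- a/data/LICENSE
+++ b/data/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Florian Freund
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.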
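--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,90 @@
+# Puppet-lint-security-plugins
+
+The goal of this project is to identify security issues in your Puppet code. Some basic checks
+are implemented, please feel free to contribute.
+
+## Installation
+
+gem install puppet-lint-security-plugins
+
+## Testing your manifests
+
+Just use `puppet-lint`. After installation security checks are enabled by default.
+
+## Implemented tests
+
+At the moment, the following tests have been implemented:
+
+### Puppet Resource Types
+
+* Must not use `eval` in inline\_templates
+* Must not use setuid bit in `file` resources when owner equals `root`
+* Must not use setgid bit in `file` resources when group equals `root`
+* Must not use mode `777` in `file` resources
+* Should not pin packages to specific version
+* Must not store plaintext passwords in the manifest
+* Must not use password variables in exec
+* Should use range markers (\A,\z,^,$) in regular expressions
+* Must not use class or defined\_type parameters in `exec`
+* Should not use `tidy`with `age` and/or `size` parameter
+* Should not use `tidy` with `match` equals to `*`
+* Should not use `tidy` with `recurse` enabled
+* Must not create non root user with id 0
+* Should not disable services (example: mysql, puppetmaster)
+
+### puppetlabs-apache module
+
+* Should not use bad ciphers
+* Should enable ssl on any vhost
+
+### puppetlabs-apt module
+
+* Must use an GPG key in repository definition
+
+### puppetlabs-firewall module
+
+* Must not use firewall allow rules with source and destination equals `any`
+* Should not use firewall deny rules with source and destination equals `any` (possible deny of service)
+* Must use ips or subnets in source or destination (no dns)
+* Should not block puppetmaster port
+
+### saz/ssh module
+
+* Must not enable `PermitRootLogin`
+
+### saz/sudo module
+
+* Must not define sudo to anyone with root permissions
+
+## Reporting bugs or incorrect results
+
+If you find a bug in puppet-lint or its results, please create an issue in the
+[repo issues tracker](https://github.com/floek/puppet-lint-security-plugins/issues/).
+
+## Please contribute
+
+Many other usefull checks may be out there, so feel free to fork and add your own.
+
+## License
+
+The MIT License (MIT)
+
+Copyright (c) 2015 Florian Freund
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.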
@@ -0,0 +1,2 @@
1
+ require 'puppet-lint'
2
+ require 'puppet-lint/security'
@@ -0,0 +1,36 @@
1
+ require 'puppet-lint-security-plugins'
2
+
3
+ # Matches class or defined_type parameters used in exec
4
+ PuppetLint.new_check(:security_class_or_define_parameter_in_exec) do
5
+ def check
6
+
7
+ check_resource_index(
8
+ :resource_type => 'exec',
9
+ :severity => :error,
10
+ :message => 'Class or definded_type parameter in exec used (security!)'
11
+ ) do |rule|
12
+
13
+ class_definitions=class_indexes.find_all do |cd|
14
+ resource_in_class_or_define?(rule,cd)
15
+ end
16
+
17
+ defined_types=defined_type_indexes.find_all do |dt|
18
+ resource_in_class_or_define?(rule,dt)
19
+ end
20
+
21
+ parameters=(class_definitions+defined_types).map do |h|
22
+ h[:param_tokens].map {|t|t.value} unless h[:param_tokens].nil?
23
+ end.flatten.compact
24
+
25
+ exec_tokens=rule[:tokens]
26
+ command_tokens=get_value_token_for_parameter(exec_tokens,'command')
27
+ command_tokens.find_all do |token|
28
+ token.type == :VARIABLE and (
29
+ parameters.include? token.value or
30
+ (defined_type_indexes.empty? and class_definitions.empty?)
31
+ )
32
+ end
33
+ end
34
+
35
+ end
36
+ end
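Review bot: The fallback `(defined_type_indexes.empty? and class_definitions.empty?)` mixes the unfiltered `defined_type_indexes` with the filtered `class_definitions`, so a manifest that declares any defined type anywhere switches off the "exec outside any scope" fallback for every exec, while the class side only counts classes that actually enclose the exec; `defined_types.empty?` looks like the intended operand. The message `'Class or definded_type parameter in exec used (security!)'` has a typo, `defined_type`. Only the `command` value is inspected, but `onlyif` and `unless` are also passed to the shell, so a parameter interpolated there carries the same injection risk and could be looked up with the same `get_value_token_for_parameter` call. Inside the block, `and`/`or` are used for boolean logic where `&&`/`||` are the precedence-safe idiom.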
@@ -0,0 +1,28 @@
1
+ require 'puppet-lint-security-plugins'
2
+ require 'openssl'
3
+
4
+ # Needed: puppetlabs-apache module (https://forge.puppetlabs.com/puppetlabs/apache)
5
+ # Matches mod_ssl cipher configuration, valid cipher list from https://cipherli.st
6
+ PuppetLint.new_check(:security_apache_bad_cipher) do
7
+
8
+ def check
9
+
10
+ ssl_context=OpenSSL::SSL::SSLContext.new
11
+ ssl_context.ciphers='EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
12
+ good_ciphers=ssl_context.ciphers.flatten
13
+
14
+ check_resource_index(
15
+ :resource_type => 'apache::mod::ssl',
16
+ :severity => :warning,
17
+ :message => 'Unsecure ciphers used (security!)'
18
+ ) do |rule|
19
+ ssl_ciphers=get_value_token_for_parameter(rule[:tokens],'ssl_cipher')
20
+ ssl_ciphers.find_all do |token|
21
+ ssl_context.ciphers=token.value
22
+ bad_ciphers=ssl_context.ciphers.flatten - good_ciphers
23
+ not bad_ciphers.empty?
24
+ end
25
+ end
26
+
27
+ end
28
+ end
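Review bot: `ssl_context.ciphers=token.value` raises `OpenSSL::SSL::SSLError` when the manifest value matches no cipher in the local OpenSSL build (including when the value token is a variable reference rather than a cipher string), so one unparseable `ssl_cipher` aborts the whole lint run instead of being reported; rescuing inside the block and treating it as bad, `rescue OpenSSL::SSL::SSLError; true`, keeps the check on the reporting path. The allowlist contains `HIGH` and the 3DES suites `DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA` and `EDH-RSA-DES-CBC3-SHA`, so anything the running OpenSSL classes as HIGH passes and the verdict changes between machines with different OpenSSL versions; comparing against an explicit list of suite names rather than an expanded `HIGH` would make results reproducible. Several names in the literal (`AES128-GCM-SHA384`, the `*-SHA128` entries) are not OpenSSL suite names and are silently dropped by the expansion, which is harmless but deserves a comment so nobody tidies the list by hand. `'Unsecure ciphers used'` should read `Insecure`.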
@@ -0,0 +1,27 @@
1
+ require 'puppet-lint-security-plugins'
2
+
3
+ # Needed: puppetlabs-apache module (https://forge.puppetlabs.com/puppetlabs/apache)
4
+ # Matches vhosts without ssl enabled
5
+ PuppetLint.new_check(:security_apache_no_ssl_vhost) do
6
+
7
+ def check
8
+
9
+ check_resource_index(
10
+ :resource_type => 'apache::vhost',
11
+ :severity => :warning,
12
+ :message => 'Vhost without ssl detected (security!)'
13
+ ) do |rule|
14
+
15
+ ssl=get_value_token_for_parameter(rule[:tokens],'ssl')
16
+
17
+ # all ssl enable parameters
18
+ ssl_enabled=ssl.find_all do |token|
19
+ ['true','1'].include? token.value
20
+ end
21
+
22
+ rule[:tokens].first if ssl_enabled.empty?
23
+
24
+ end
25
+
26
+ end
27
+ end
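Review bot: Only the literal values `true` and `1` count as SSL enabled, so a vhost written as `ssl => $ssl` (a :VARIABLE token) is reported as having no SSL, which is probably a false positive; skipping the resource when any `ssl` value token is a variable would be safer than flagging it. The block only needs existence, so the two-step `ssl_enabled=ssl.find_all … ; rule[:tokens].first if ssl_enabled.empty?` reads more directly as `rule[:tokens].first if ssl.none? { |t| %w[true 1].include?(t.value) }`. The stray blank lines inside `check` and the `find_all` alias (prefer `select`) are style nits.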
@@ -0,0 +1,26 @@
1
+ require 'puppet-lint-security-plugins'
2
+
3
+ # Needed: puppetlabs-apt module (https://forge.puppetlabs.com/puppetlabs/apt)
4
+ # Matches apt::source definitions without key parameter
5
+ PuppetLint.new_check(:security_apt_no_key) do
6
+
7
+ def check
8
+
9
+ check_resource_index(
10
+ :resource_type => 'apt::source',
11
+ :severity => :error,
12
+ :message => 'APT Repository without key detected (security!)'
13
+ ) do |rule|
14
+ rule_tokens=rule[:tokens]
15
+ ensures = get_value_token_for_parameter(rule[:tokens],'ensure')
16
+ ensures.map! { |e| e.value }
17
+
18
+ key_parameters=rule_tokens.find_all do |token|
19
+ token.type == :NAME and token.value == 'key'
20
+ end
21
+
22
+ rule_tokens.first if key_parameters.empty? and not ensures.include? 'absent'
23
+ end
24
+
25
+ end
26
+ end
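Review bot: Presence of a `key` parameter is taken as proof the repository is signed, but `key => undef` or `key => ''` passes the check while still producing an unauthenticated source; checking that `get_value_token_for_parameter(rule_tokens,'key')` yields a non-empty value other than `undef` would close that gap. The NAME match `token.type == :NAME and token.value == 'key'` also fires on any bareword `key` inside the resource body, not only on the top-level parameter, so the helper already used for `ensure` is the more precise lookup. `ensures` is fetched from `rule[:tokens]` one line after `rule_tokens` was assigned for exactly that purpose; use `rule_tokens` in both places.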
@@ -0,0 +1,21 @@
1
+ require 'puppet-lint-security-plugins'
2
+
3
+ # Matches inline_template usage with ruby method 'eval'
4
+ PuppetLint.new_check(:security_eval_in_erb) do
5
+
6
+ def check
7
+
8
+ inline_template_args=get_argument_token_for_function(tokens,'inline_template')
9
+ result=inline_template_args.find_all do |token|
10
+ token.value =~/eval\(/
11
+ end
12
+
13
+ bulk_notify(
14
+ :result => result,
15
+ :severity => :error,
16
+ :message => '"eval" ruby function used (security!)'
17
+
18
+ )
19
+
20
+ end
21
+ end
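Review bot: The pattern `/eval\(/` only catches a parenthesised call, so `eval 'code'`, `eval "#{x}"` and `eval code` (parentheses are optional in Ruby) slip through; `/\beval\b/` catches the unparenthesised forms as well. The header comment should also say that only the arguments of `inline_template` are scanned, not `template()` files on disk, so readers do not assume ERB files are covered. The trailing blank line inside the `bulk_notify(` argument list is a style nit, and `select` is the preferred name over the `find_all` alias.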
@@ -0,0 +1,25 @@
1
+ require 'puppet-lint-security-plugins'
2
+
3
+ # Matches file resources with setgit mode and group root
4
+ PuppetLint.new_check(:security_file_with_setgid_permission) do
5
+
6
+ def check
7
+
8
+ check_resource_index(
9
+ :resource_type => 'file',
10
+ :severity => :error,
11
+ :message => 'File or directory definition with setgid to root detected (security!)'
12
+ ) do |rule|
13
+
14
+ modes=get_value_token_for_parameter(rule[:tokens],'mode')
15
+ groups=get_value_token_for_parameter(rule[:tokens],'group')
16
+ groups.map! {|t| t.value }
17
+ modes.find_all do |token|
18
+ groups.include? 'root' and
19
+ token.value =~ /\A2\d\d\d\z/ or # Files or directories with setuid
20
+ token.value =~ /\+S/ # setuid
21
+ end
22
+ end
23
+
24
+ end
25
+ end
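Review bot: With `and`/`or` at equal precedence the block's condition parses as `(groups.include?('root') and mode =~ /\A2\d\d\d\z/) or mode =~ /\+S/`, so the `+S` branch fires for every group, contradicting the message `'… setgid to root …'`; if the group condition is meant to gate both forms, write `groups.include?('root') && (token.value =~ /\A[2367]\d{3}\z/ || token.value =~ /g\+s/)`. The numeric pattern `\A2\d\d\d\z` accepts only a leading 2, so modes that set setgid together with the sticky or setuid bit (`3xxx`, `6xxx`, `7xxx`) are missed; any leading digit with the 2 bit set (`[2367]`) covers them. The symbolic form of setgid is usually written `g+s`, which `/\+S/` does not match, and the two inline comments say `setuid` in the setgid check; the header comment also has `setgit` for `setgid`.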
@@ -0,0 +1,25 @@
1
+ require 'puppet-lint-security-plugins'
2
+
3
+ # Matches file resources with setuid mode and owner root
4
+ PuppetLint.new_check(:security_file_with_setuid_permission) do
5
+
6
+ def check
7
+
8
+ check_resource_index(
9
+ :resource_type => 'file',
10
+ :severity => :error,
11
+ :message => 'File or directory definition with setuid to root detected (security!)'
12
+ ) do |rule|
13
+
14
+ modes=get_value_token_for_parameter(rule[:tokens],'mode')
15
+ owners=get_value_token_for_parameter(rule[:tokens],'owner')
16
+ owners.map! {|t| t.value}
17
+ modes.find_all do |token|
18
+ owners.include? 'root' and
19
+ token.value =~ /\A1\d\d\d\z/ or # Files or directories with setuid
20
+ token.value =~ /\+s/ # setuid
21
+ end
22
+ end
23
+
24
+ end
25
+ end
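Review bot: The numeric pattern `\A1\d\d\d\z` tests the sticky bit (octal 1000), not setuid, which is octal 4000, so `mode => '4755'` with `owner => 'root'` — the case this check exists for — is never reported, while a sticky directory such as `1777` is; the pattern should be `\A[4567]\d{3}\z` (leading digit with the 4 bit set). As in the setgid check, `and`/`or` at equal precedence makes `/\+s/` match independently of the owner, so the owner condition should be parenthesised around both alternatives: `owners.include?('root') && (token.value =~ /\A[4567]\d{3}\z/ || token.value =~ /u\+s/)`. `/\+s/` also matches `g+s`, which is setgid rather than setuid.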
@@ -0,0 +1,25 @@
1
+ require 'puppet-lint-security-plugins'
2
+
3
+ # Matches file resources with mode defines world permissions (777)
4
+ PuppetLint.new_check(:security_file_with_world_permissions) do
5
+
6
+ def check
7
+
8
+ check_resource_index(
9
+ :resource_type => 'file',
10
+ :severity => :error,
11
+ :message => 'File or directory definition with world permissions detected (security!)'
12
+ ) do |rule|
13
+
14
+ modes=get_value_token_for_parameter(rule[:tokens],'mode')
15
+ modes.find_all do |token|
16
+ token.value =~ /\A\d?666\z/ or # Files with 666
17
+ token.value =~ /\A\d?777\z/ or # Files or directories with 777
18
+ token.value =~ /\A(a|ugo|uog|guo|gou|oug|ogu|)=rwx?\z/ or
19
+ token.value =~ /\A[ugo]=rwx?,[ugo]=rwx?,[ugo]=rwx?\z/ or
20
+ token.value =~ /\A(ug|gu)=rwx?,[ugo]=rwx?\z/
21
+ end
22
+ end
23
+
24
+ end
25
+ end
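Review bot: The numeric patterns accept only the exact values `666` and `777`, so other world-writable modes such as `757`, `776` or `0662` — any mode whose last digit has the write bit (2, 3, 6, 7) — are not reported; `\A\d?\d\d[2367]\z` expresses the property the message describes. The symbolic forms `o+w`, `o=rwx` and `a+w` are likewise unmatched, the empty alternative in `(a|ugo|…|)=rwx?` makes a bare `=rw` match, and the triple `[ugo]=rwx?,[ugo]=rwx?,[ugo]=rwx?` does not require the three scopes to be distinct (`u=rw,u=rw,u=rw` matches). Whether the check means "world-writable" or literally `777` should be stated in the header comment, since the message says `world permissions` while the comment says `777`.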
@@ -0,0 +1,26 @@
1
+ require 'puppet-lint-security-plugins'
2
+
3
+ # Needed: puppetlabs-firewall module (https://forge.puppetlabs.com/puppetlabs/firewall)
4
+ # Matches firewall resources with source and destination equals 'any'
5
+ PuppetLint.new_check(:security_firewall_any_any_allow) do
6
+
7
+ def check
8
+
9
+ check_resource_index(
10
+ :resource_type => 'firewall',
11
+ :severity => :error,
12
+ :message => 'Firewall any/any allow rule detected (security!)'
13
+ ) do |rule|
14
+
15
+ rule_tokens=rule[:tokens]
16
+ anies=rule_tokens.find_all do |token|
17
+ (token.type == :NAME or token.type == :SSTRING) and
18
+ token.value == 'any' and
19
+ token.prev_code_token.type == :FARROW
20
+ end
21
+
22
+ anies.first if anies.count >= 2
23
+ end
24
+
25
+ end
26
+ end
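Review bot: The check looks for two parameter values equal to the literal string `any`, but the sibling deny checks in this same commit (`security_firewall_any_any_deny`, `security_firewall_puppetmaster_any_deny`) model "any" as an absent `source` or `0.0.0.0/0`, which is, as far as I know, also how puppetlabs-firewall expresses it; an `action => 'accept'` rule with no `source`/`destination` — the dangerous case — therefore never contains an `any` token and is not reported. Reusing the same `sources_bad`-style test for both `source` and `destination` here would make the allow and deny checks consistent. `anies.count >= 2` also does not look at which parameters carried the value or whether `action` is `accept`, so two unrelated `any` values on a drop rule are reported as an allow rule. `(token.type == :NAME or token.type == :SSTRING)` reads better as `%i[NAME SSTRING].include?(token.type)`.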
@@ -0,0 +1,27 @@
1
+ require 'puppet-lint-security-plugins'
2
+
3
+ # Needed: puppetlabs-firewall module (https://forge.puppetlabs.com/puppetlabs/firewall)
4
+ # Matches firewall resources with source and destination equals 'drop'
5
+ PuppetLint.new_check(:security_firewall_any_any_deny) do
6
+
7
+ def check
8
+
9
+ check_resource_index(
10
+ :resource_type => 'firewall',
11
+ :severity => :warning,
12
+ :message => 'Firewall any:all drop rule detected (security!)'
13
+ ) do |rule|
14
+
15
+ protos=get_value_token_for_parameter(rule[:tokens],'proto').map {|t| t.value}
16
+ protos_bad = ( protos.include? 'all' or protos.empty? )
17
+
18
+ sources=get_value_token_for_parameter(rule[:tokens],'source').map {|t| t.value}
19
+ sources_bad = ( sources.include? '0.0.0.0/0' or sources.include? '::' or sources.empty? )
20
+
21
+ actions=get_value_token_for_parameter(rule[:tokens],'action').map {|t| t.value}
22
+
23
+ rule[:tokens].first if protos_bad and sources_bad and actions.include? "drop"
24
+ end
25
+
26
+ end
27
+ end
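Review bot: `sources.include? '::'` tests for the single IPv6 address `::`, while the IPv6 "any" network is `::/0`; the same literal is repeated in `security_firewall_puppetmaster_any_deny`, so both probably want `'::/0'`. Only `source` is examined although the message says `any:all`, so a rule with an open `source` but a specific `destination` is still reported, and `action => 'reject'` is a deny that `actions.include? "drop"` does not catch. The header comment `source and destination equals 'drop'` is copied from the allow check and should describe the drop rule. The `( … )` around the boolean assignments and `"drop"` beside single-quoted strings elsewhere are style nits.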
@@ -0,0 +1,30 @@
1
+ require 'puppet-lint-security-plugins'
2
+ require 'resolv'
3
+
4
+ # Needed: puppetlabs-firewall module (https://forge.puppetlabs.com/puppetlabs/firewall)
5
+ # Matches firewall resources without ip or subnet in source or destination
6
+ PuppetLint.new_check(:security_firewall_dns_used) do
7
+
8
+ def check
9
+
10
+ check_resource_index(
11
+ :resource_type => 'firewall',
12
+ :severity => :error,
13
+ :message => 'DNS in firewall rule used (security!)'
14
+ ) do |rule|
15
+
16
+ source_and_destination=get_value_token_for_parameter(rule[:tokens],'source') +
17
+ get_value_token_for_parameter(rule[:tokens],'destination')
18
+
19
+ source_and_destination.find_all do |token|
20
+ if [:STRING,:SSTRING].include? token.type
21
+ host_or_network=token.value.split('/').first
22
+ host_or_network !~ Resolv::IPv4::Regex and
23
+ host_or_network !~ Resolv::IPv6::Regex
24
+ end
25
+ end
26
+
27
+ end
28
+
29
+ end
30
+ end
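Review bot: `host_or_network=token.value.split('/').first` is applied to the raw value, so a negated address in the form puppetlabs-firewall documents (`source => '! 10.0.0.0/8'`) keeps its `! ` prefix, fails both `Resolv` regexes and is reported as a DNS name; stripping the negation first, `token.value.sub(/\A!\s*/, '').split('/').first`, avoids that false positive if negation is in scope for this check. Interpolated strings (`"${ip}/32"`) are not :STRING/:SSTRING tokens and are silently skipped, which is reasonable but worth a comment next to the `if`. The `if` without `else` returns nil for other token types, which `find_all` treats as not matched; `select` with an explicit `next false unless …` guard makes that intent visible.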
@@ -0,0 +1,33 @@
1
+ require 'puppet-lint-security-plugins'
2
+
3
+ # Needed: puppetlabs-firewall module (https://forge.puppetlabs.com/puppetlabs/firewall)
4
+ # Matches firewall resources with source and destination equals 'drop'
5
+ PuppetLint.new_check(:security_firewall_puppetmaster_any_deny) do
6
+
7
+ def check
8
+
9
+ check_resource_index(
10
+ :resource_type => 'firewall',
11
+ :severity => :warning,
12
+ :message => 'Firewall drops puppetmaster port (security!)'
13
+ ) do |rule|
14
+
15
+ parameter='port'
16
+
17
+ if value_is_array?(rule[:tokens],parameter)
18
+ ports=get_array_tokens_for_parameter(rule[:tokens],parameter).map{ |t| t.value}
19
+ else
20
+ ports=get_value_token_for_parameter(rule[:tokens],parameter).map {|t| t.value}
21
+ end
22
+
23
+ sources=get_value_token_for_parameter(rule[:tokens],'source').map {|t| t.value}
24
+ sources_bad = ( sources.include? '0.0.0.0/0' or sources.include? '::' or sources.empty? )
25
+
26
+ actions=get_value_token_for_parameter(rule[:tokens],'action').map {|t| t.value}
27
+ actions.include? "drop"
28
+
29
+ rule[:tokens].first if ports.include? '8140' and sources_bad and actions.include? 'drop'
30
+ end
31
+
32
+ end
33
+ end
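Review bot: The statement `actions.include? "drop"` on its own line discards its result and is repeated in the condition two lines below; delete the stray line. Only the `port` parameter is inspected, but rules for the puppetmaster are commonly written with `dport => 8140`, so `dport` should be looked up the same way (including the array form), and a port range such as `'8000-9000'` is not recognised by `ports.include? '8140'`. The header comment `source and destination equals 'drop'` is copied from the other firewall checks and should describe blocking port 8140. As in the deny check, `'::'` should probably be `'::/0'`, and `action => 'reject'` is not caught.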