inspec/lib/resources/iptables.rb

# encoding: utf-8

# Usage:
# describe iptables do
#   it { should have_rule('-P INPUT ACCEPT') }
# end
#
# The following serverspec sytax is not implemented:
# describe iptables do
#   it { should have_rule('-P INPUT ACCEPT').with_table('mangle').with_chain('INPUT') }
# end
# Please use the new sytax:
# describe iptables(table:'mangle', chain: 'input') do
#   it { should have_rule('-P INPUT ACCEPT') }
# end
#
# Note: Docker containers normally do not have iptables installed
#
# @see http://ipset.netfilter.org/iptables.man.html
# @see http://ipset.netfilter.org/iptables.man.html
# @see https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
module Inspec::Resources
  class IpTables < Inspec.resource(1)
    name 'iptables'
    supports platform: 'linux'
    desc 'Use the iptables InSpec audit resource to test rules that are defined in iptables, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet.'
    example <<~EXAMPLE
      describe iptables do
        it { should have_rule('-P INPUT ACCEPT') }
      end
    EXAMPLE

    def initialize(params = {})
      @table = params[:table]
      @chain = params[:chain]

      # we're done if we are on linux
      return if inspec.os.linux?

      # ensures, all calls are aborted for non-supported os
      @iptables_cache = []
      skip_resource 'The `iptables` resource is not supported on your OS yet.'
    end

    def has_rule?(rule = nil, _table = nil, _chain = nil)
      # checks if the rule is part of the ruleset
      # for now, we expect an exact match
      retrieve_rules.any? { |line| line.casecmp(rule) == 0 }
    end

    def retrieve_rules
      return @iptables_cache if defined?(@iptables_cache)

      # construct iptables command to read all rules
      bin = find_iptables_or_error
      table_cmd = "-t #{@table}" if @table
      iptables_cmd = format('%s %s -S %s', bin, table_cmd, @chain).strip

      cmd = inspec.command(iptables_cmd)
      return [] if cmd.exit_status.to_i != 0

      # split rules, returns array or rules
      @iptables_cache = cmd.stdout.split("\n").map(&:strip)
    end

    def to_s
      format('Iptables %s %s', @table && "table: #{@table}", @chain && "chain: #{@chain}").strip
    end

    private

    def find_iptables_or_error
      %w{/usr/sbin/iptables /sbin/iptables iptables}.each do |cmd|
        return cmd if inspec.command(cmd).exist?
      end

      raise Inspec::Exceptions::ResourceFailed, 'Could not find `iptables`'
    end
  end
end
simple iptables implementation 2015-10-11 22:21:11 +00:00			`# encoding: utf-8`

			`# Usage:`
			`# describe iptables do`
			`# it { should have_rule('-P INPUT ACCEPT') }`
			`# end`
			`#`
			`# The following serverspec sytax is not implemented:`
			`# describe iptables do`
			`# it { should have_rule('-P INPUT ACCEPT').with_table('mangle').with_chain('INPUT') }`
			`# end`
			`# Please use the new sytax:`
			`# describe iptables(table:'mangle', chain: 'input') do`
			`# it { should have_rule('-P INPUT ACCEPT') }`
			`# end`
			`#`
improve iptables resource 2015-10-12 08:32:46 +00:00			`# Note: Docker containers normally do not have iptables installed`
simple iptables implementation 2015-10-11 22:21:11 +00:00			`#`
			`# @see http://ipset.netfilter.org/iptables.man.html`
			`# @see http://ipset.netfilter.org/iptables.man.html`
			`# @see https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`module Inspec::Resources`
			`class IpTables < Inspec.resource(1)`
			`name 'iptables'`
Add correct `supports platform` to resources. (#2674) * Add correct `supports platform` to resources. Signed-off-by: Miah Johnson <miah@chia-pet.org> * Remove 'os_family' and update platforms to specify what they did. Signed-off-by: Miah Johnson <miah@chia-pet.org> * Add esx and cisco to generic resources. Signed-off-by: Jared Quick <jquick@chef.io> 2018-02-19 14:26:49 +00:00			`supports platform: 'linux'`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`desc 'Use the iptables InSpec audit resource to test rules that are defined in iptables, which maintains tables of IP packet filtering rules. There may be more than one table. Each table contains one (or more) chains (both built-in and custom). A chain is a list of rules that match packets. When the rule matches, the rule defines what target to assign to the packet.'`
Fixes resource examples The opening and closing mechanic varied between all the various resources. This changes them all to use a HEREDOC with a tilde to remove leading whitespace. This removes the need for the special method to trim the `#print_example` method from shell. Signed-off-by: Franklin Webber <franklin.webber@gmail.com> 2019-03-19 14:17:32 +00:00			`example <<~EXAMPLE`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`describe iptables do`
			`it { should have_rule('-P INPUT ACCEPT') }`
			`end`
Fixes resource examples The opening and closing mechanic varied between all the various resources. This changes them all to use a HEREDOC with a tilde to remove leading whitespace. This removes the need for the special method to trim the `#print_example` method from shell. Signed-off-by: Franklin Webber <franklin.webber@gmail.com> 2019-03-19 14:17:32 +00:00			`EXAMPLE`
simple iptables implementation 2015-10-11 22:21:11 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def initialize(params = {})`
			`@table = params[:table]`
			`@chain = params[:chain]`
improve iptables resource 2015-10-12 08:32:46 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`# we're done if we are on linux`
			`return if inspec.os.linux?`
improve iptables resource 2015-10-12 08:32:46 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`# ensures, all calls are aborted for non-supported os`
			`@iptables_cache = []`
			skip_resource 'The `iptables` resource is not supported on your OS yet.'
			`end`
simple iptables implementation 2015-10-11 22:21:11 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def has_rule?(rule = nil, _table = nil, _chain = nil)`
			`# checks if the rule is part of the ruleset`
			`# for now, we expect an exact match`
			`retrieve_rules.any? { \|line\| line.casecmp(rule) == 0 }`
			`end`
simple iptables implementation 2015-10-11 22:21:11 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def retrieve_rules`
			`return @iptables_cache if defined?(@iptables_cache)`
simple iptables implementation 2015-10-11 22:21:11 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`# construct iptables command to read all rules`
iptables resource: Add support for other bin paths (#2783) * iptables resource: Add support for other bin paths * Use `%w{}` instead of `[]` Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> 2018-03-06 13:56:15 +00:00			`bin = find_iptables_or_error`
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`table_cmd = "-t #{@table}" if @table`
iptables resource: Add support for other bin paths (#2783) * iptables resource: Add support for other bin paths * Use `%w{}` instead of `[]` Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> 2018-03-06 13:56:15 +00:00			`iptables_cmd = format('%s %s -S %s', bin, table_cmd, @chain).strip`
iptables: some simplifications 2016-02-09 16:27:43 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`cmd = inspec.command(iptables_cmd)`
			`return [] if cmd.exit_status.to_i != 0`
simple iptables implementation 2015-10-11 22:21:11 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`# split rules, returns array or rules`
			`@iptables_cache = cmd.stdout.split("\n").map(&:strip)`
			`end`
simple iptables implementation 2015-10-11 22:21:11 +00:00
Placing all resources in the Inspec::Resources namespace Many of the resources are named as a top-level class with a fairly generic class name, such as "OS". This causes an issue specifically with kitchen-google which depends on a gem which depends on the "os" gem which itself defines an OS class with a different superclass. This prevents users from using TK, Google Compute, and Inspec without this fix. Some mocked commands had their digest changed as well due to the new indentation, specifically in the User and RegistryKey classes. I strongly recommend viewing this diff with `git diff --ignore-space-change` to see the real changes. :) 2016-03-08 18:06:55 +00:00			`def to_s`
			`format('Iptables %s %s', @table && "table: #{@table}", @chain && "chain: #{@chain}").strip`
			`end`
iptables resource: Add support for other bin paths (#2783) * iptables resource: Add support for other bin paths * Use `%w{}` instead of `[]` Signed-off-by: Jerry Aldrich <jerryaldrichiii@gmail.com> 2018-03-06 13:56:15 +00:00
			`private`

			`def find_iptables_or_error`
			`%w{/usr/sbin/iptables /sbin/iptables iptables}.each do \|cmd\|`
			`return cmd if inspec.command(cmd).exist?`
			`end`

			raise Inspec::Exceptions::ResourceFailed, 'Could not find `iptables`'
			`end`
simple iptables implementation 2015-10-11 22:21:11 +00:00			`end`
			`end`