Merge pull request #5589 from collinmcneese/cmcneese/chrony_conf

adds chrony_conf InSpec resource

docs-chef-io/content/inspec/resources/chrony_conf.md

@@ -0,0 +1,102 @@
++++
+title = "chrony_conf resource"
+draft = false
+gh_repo = "inspec"
+platform = "linux"
+
+[menu]
+  [menu.inspec]
+    title = "chrony_conf"
+    identifier = "inspec/resources/os/chrony_conf.md chrony_conf resource"
+    parent = "inspec/resources/os"
++++
+
+Use the `chrony_conf` Chef InSpec audit resource to test the synchronization settings defined in the `chrony.conf` file. This file is typically located at `/etc/chrony.conf`.
+
+## Availability
+
+### Installation
+
+This resource is distributed along with Chef InSpec itself. You can use it automatically.
+
+<!-- TODO: needs version number -->
+<!-- ### Version
+
+This resource first became available in v of InSpec. -->
+
+## Syntax
+
+An `chrony_conf` resource block declares the synchronization settings that should be tested:
+
+```ruby
+describe chrony_conf('PATH') do
+  its('setting_name') { should eq 'VALUE' }
+end
+```
+
+where:
+
+- `'setting_name'` is a synchronization setting defined in the `chrony.conf` file.
+- `('path')` is the non-default path to the `chrony.conf` file (default path is `/etc/chrony.conf`).
+- `{ should eq 'value' }` is the value that is expected.
+
+## Examples
+
+The following examples show how to use this Chef InSpec audit resource.
+
+This resource matches any service listed in the `chrony.conf` file.
+
+<<<<<<< HEAD
+### Test for clock drift against named servers
+
+```ruby
+describe chrony_conf do
+  its('driftfile') { should cmp '/var/lib/chrony/drift' }
+  its('server') do
+    should cmp [
+      '0.ubuntu.pool.ntp.org',
+      '1.ubuntu.pool.ntp.org',
+      '2.ubuntu.pool.ntp.org'
+      ]
+    end
+end
+```
+
+### Test that an NTP server exists and a specific subnet is specified from which NTP clients are accessible
+
+```ruby
+describe chrony_conf do
+  its('server') { should_not eq nil }
+  its('allow') { should include '192.168.0.0/16'}
+end
+```
+
+=======
+### Test for clock drift against named servers.
+
+```ruby
+describe chrony_conf do
+  its('driftfile') { should cmp '/var/lib/chrony/drift' }
+  its('server') do
+    should cmp [
+      '0.ubuntu.pool.ntp.org',
+      '1.ubuntu.pool.ntp.org',
+      '2.ubuntu.pool.ntp.org'
+      ]
+    end
+end
+```
+
+### Test that an NTP server exists and a specific subnet is specified from which NTP clients are allowed access.
+
+```ruby
+describe chrony_conf do
+  its('server') { should_not eq nil }
+  its('allow') { should include '192.168.0.0/16'}
+end
+```
+
+>>>>>>> daa9d77766c9283c2e0fd84dedc65263f2df2907
+## Matchers
+
+ For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).

lib/inspec/resources/chrony_conf.rb

@@ -0,0 +1,55 @@
+# chrony_conf
+
+require "inspec/utils/simpleconfig"
+require "inspec/utils/file_reader"
+
+module Inspec::Resources
+  class ChronyConf < Inspec.resource(1)
+    name "chrony_conf"
+    supports platform: "unix"
+    desc "Use the chrony_conf InSpec audit resource to test the synchronization settings defined in the chrony.conf file. This file is typically located at /etc/chrony.conf."
+    example <<~EXAMPLE
+      describe chrony_conf do
+        its('server') { should_not cmp nil }
+        its('restrict') { should include '-4 default kod notrap nomodify nopeer noquery' }
+        its('pool') { should include 'pool.ntp.org iburst' }
+        its('driftfile') { should cmp '/var/lib/ntp/drift' }
+        its('allow') { should cmp nil }
+        its('keyfile') { should cmp '/etc/chrony.keys' }
+      end
+    EXAMPLE
+
+    include FileReader
+
+    def initialize(path = nil)
+      @conf_path = path || "/etc/chrony.conf"
+      @content = read_file_content(@conf_path)
+    end
+
+    def method_missing(name)
+      param = read_params[name.to_s]
+      # extract first value if we have only one value in array
+      return param[0] if param.is_a?(Array) && (param.length == 1)
+
+      param
+    end
+
+    def to_s
+      "chrony.conf"
+    end
+
+    private
+
+    def read_params
+      return @params if defined?(@params)
+
+      # parse the file
+      conf = SimpleConfig.new(
+        @content,
+        assignment_regex: /^\s*(\S+)\s+(.*)\s*$/,
+        multiple_values: true
+      )
+      @params = conf.params
+    end
+  end
+end

test/fixtures/files/chrony.conf

@@ -0,0 +1,41 @@
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+pool 0.ubuntu.pool.ntp.org iburst
+pool 1.ubuntu.pool.ntp.org iburst
+server 127.127.1.0
+server 127.127.1.1
+
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Enable hardware timestamping on all interfaces that support it.
+#hwtimestamp *
+
+# Increase the minimum number of selectable sources required to adjust
+# the system clock.
+#minsources 2
+
+# Allow NTP client access from local network.
+#allow 192.168.0.0/16
+
+# Serve time even if not synchronized to a time source.
+#local stratum 10
+
+# Specify file containing keys for NTP authentication.
+keyfile /etc/chrony.keys
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+leapsectz right/UTC
+
+# Specify directory for log files.
+logdir /var/log/chrony
+
+# Select which information is logged.
+#log measurements statistics tracking

test/helpers/mock_loader.rb

@@ -98,6 +98,7 @@ class MockLoader
       "/etc/passwd" => mockfile.call("passwd"),
       "/etc/shadow" => mockfile.call("shadow"),
       "/etc/ntp.conf" => mockfile.call("ntp.conf"),
+      "/etc/chrony.conf" => mockfile.call("chrony.conf"),
       "/etc/login.defs" => mockfile.call("login.defs"),
       "/etc/security/limits.conf" => mockfile.call("limits.conf"),
       "/etc/inetd.conf" => mockfile.call("inetd.conf"),

test/unit/resources/chrony_conf_test.rb

@@ -0,0 +1,18 @@
+require "helper"
+require "inspec/resource"
+require "inspec/resources/chrony_conf"
+
+describe "Inspec::Resources::ChronyConf" do
+  it "verify chrony config parsing" do
+    resource = load_resource("chrony_conf")
+    _(resource.driftfile).must_equal "/var/lib/chrony/drift"
+    _(resource.pool).must_equal [
+      "0.ubuntu.pool.ntp.org iburst",
+      "1.ubuntu.pool.ntp.org iburst",
+    ]
+    _(resource.server).must_equal %w{
+      127.127.1.0 127.127.1.1
+    }
+    assert_nil resource.allow
+  end
+end