Merge pull request #5458 from inspec/vasundhara/add_selinux_resource

Add selinux resource with basic feature support
2024-09-20 14:31:58 +00:00 · 2021-04-21 19:30:46 -04:00 · 2021-04-21 19:30:46 -04:00 · 8f4e69abec
commit 8f4e69abec
parent 8773dfaedd 6f06669561
7 changed files with 207 additions and 0 deletions
--- a/docs-chef-io/content/inspec/resources/selinux.md
+++ b/docs-chef-io/content/inspec/resources/selinux.md
@ -0,0 +1,81 @@
+++
+title = "selinux resource"
+draft = false
+gh_repo = "inspec"
+platform = "linux"
+
+[menu]
+  [menu.inspec]
+    title = "selinux"
+    identifier = "inspec/resources/os/selinux.md selinux resource"
+    parent = "inspec/resources/os"
+++
+
+Use the `selinux` Chef InSpec audit resource to test the state and mode of SELinux policy.
+
+The `selinux` resource extracts and exposes data reported by the `sestatus` command.
+
+## Availability
+
+### Installation
+
+This resource is distributed along with Chef InSpec itself. You can use it automatically.
+
+### Version
+
+## Syntax
+
+The `selinux` Chef InSpec resource block tests the state and mode of SELinux policy.
+
+    describe selinux do
+      it { should be_installed }
+      it { should_not be_disabled }
+      it { should be_enforcing }
+      it { should_not be_permissive }
+    end
+
+## Examples
+
+The following examples show how to use this Chef InSpec selinux resource.
+
+### Test if SELinux is installed and enabled
+
+describe selinux do
+  it { should be_installed }
+  it { should_not be_disabled }
+end
+
+### Test if SELinux is enabled and running in enforcing mode
+
+describe selinux do
+  it { should_not be_disabled }
+  it { should be_enforcing }
+end
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).
+
+### be_installed
+
+The `be_installed` matcher tests if the SELinux is installed on the system:
+
+    it { should be_installed }
+
+### be_disabled
+
+The `be_disabled` matcher tests if the SELinux is disabled on the system:
+
+    it { should be_disabled }
+
+### be_enforcing
+
+The `be_enforcing` matcher tests if the SELinux mode is set to enforcing:
+
+    it { should be_enforcing }
+
+### be_permissive
+
+The `be_permissive` matcher tests if the SELinux mode is set to permissive:
+
+    it { should be_permissive }
--- a/lib/inspec/resources.rb
+++ b/lib/inspec/resources.rb
@ -103,6 +103,7 @@ require "inspec/resources/rabbitmq_config"
 require "inspec/resources/registry_key"
 require "inspec/resources/security_identifier"
 require "inspec/resources/security_policy"
+require "inspec/resources/selinux"
 require "inspec/resources/service"
 require "inspec/resources/shadow"
 require "inspec/resources/ssh_config"
--- a/lib/inspec/resources/selinux.rb
+++ b/lib/inspec/resources/selinux.rb
@ -0,0 +1,53 @@
+require "inspec/resources/command"
+
+module Inspec::Resources
+  class Selinux < Inspec.resource(1)
+    name "selinux"
+    supports platform: "linux"
+
+    desc "Use selinux Inspec resource to test state/mode of the selinux policy."
+
+    example <<~EXAMPLE
+      describe selinux do
+        it { should be_installed }
+        it { should be_disabled }
+        it { should be_permissive }
+        it { should be_enforcing }
+      end
+    EXAMPLE
+
+    def initialize(selinux_path = "/etc/selinux/config")
+      @path = selinux_path
+      cmd = inspec.command("sestatus")
+
+      if cmd.exit_status != 0
+        # `sestatus` command not found error message comes in stdout so handling both here
+        out = cmd.stdout + "\n" + cmd.stderr
+        return skip_resource "Skipping resource: #{out}"
+      end
+
+      result = cmd.stdout.delete(" ").gsub(/\n/, ",").gsub(/\r/, "").downcase
+      @data = Hash[result.scan(/([^:]+):([^,]+)[,$]/)]
+    end
+
+    def installed?
+      inspec.file(@path).exist?
+    end
+
+    def disabled?
+      @data["selinuxstatus"] == "disabled"
+    end
+
+    def enforcing?
+      @data["currentmode"] == "enforcing"
+    end
+
+    def permissive?
+      @data["currentmode"] == "permissive"
+    end
+
+    def to_s
+      "SELinux"
+    end
+  end
+end
--- a/test/fixtures/cmd/sestatus
+++ b/test/fixtures/cmd/sestatus
@ -0,0 +1,9 @@
+SELinux status:                 enabled
+SELinuxfs mount:                /sys/fs/selinux
+SELinux root directory:         /etc/selinux
+Loaded policy name:             targeted
+Current mode:                   enforcing
+Mode from config file:          enforcing
+Policy MLS status:              enabled
+Policy deny_unknown status:     allowed
+Max kernel policy version:      31
--- a/test/fixtures/files/selinux_conf
+++ b/test/fixtures/files/selinux_conf
@ -0,0 +1,11 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#     enforcing - SELinux security policy is enforced.
+#     permissive - SELinux prints warnings instead of enforcing.
+#     disabled - No SELinux policy is loaded.
+SELINUX=enforcing
+# SELINUXTYPE= can take one of three values:
+#     targeted - Targeted processes are protected,
+#     minimum - Modification of targeted policy. Only selected processes are protected.
+#     mls - Multi Level Security protection.
+SELINUXTYPE=targeted
--- a/test/helpers/mock_loader.rb
+++ b/test/helpers/mock_loader.rb
@ -171,6 +171,7 @@ class MockLoader
      "/etc/cron.d/crondotd" => mockfile.call("crondotd"),
      "/etc/postfix/main.cf" => mockfile.call("main.cf"),
      "/etc/postfix/other.cf" => mockfile.call("other.cf"),
+      "/etc/selinux/selinux_conf" => mockfile.call("selinux_conf"),
    }

    # create all mock commands
@ -556,8 +557,15 @@ class MockLoader

      # filesystem command
      "2e7e0d4546342cee799748ec7e2b1c87ca00afbe590fa422a7c27371eefa88f0" => cmd.call("get-wmiobject-filesystem"),
+      "sestatus" => cmd.call("sestatus"),
    }

+    if @platform && (@platform[:name] == "windows" || @platform[:name] == "freebsd")
+      mock_cmds.merge!(
+          "sestatus" => empty.call
+        )
+    end
+
    # ports on linux
    # allow the ss and/or netstat commands to exist so the later mock is called
    if @platform && @platform[:name] == "alpine"
--- a/test/unit/resources/selinux_test.rb
+++ b/test/unit/resources/selinux_test.rb
@ -0,0 +1,44 @@
+require "helper"
+require "inspec/resource"
+require "inspec/resources/selinux"
+
+describe "Inspec::Resources::Selinux" do
+  it "verify selinux is installed" do
+    resource = load_resource("selinux", "/etc/selinux/selinux_conf")
+    _(resource.installed?).must_equal true
+  end
+
+  it "verify selinux state - enforcing" do
+    resource = load_resource("selinux")
+    _(resource.enforcing?).must_equal true
+  end
+
+  it "verify selinux state - permissive" do
+    resource = load_resource("selinux")
+    _(resource.permissive?).must_equal false
+  end
+
+  it "verify selinux disabled " do
+    resource = load_resource("selinux")
+    _(resource.disabled?).must_equal false
+  end
+
+  it "verify selinux on linux" do
+    resource = MockLoader.new(:linux).load_resource("selinux")
+    _(resource.enforcing?).must_equal true
+    _(resource.permissive?).must_equal false
+    _(resource.disabled?).must_equal false
+  end
+
+  it "verify selinux on windows" do
+    resource = MockLoader.new(:windows).load_resource("selinux")
+    _(resource.installed?).must_equal false
+    _(resource.enforcing?).must_equal false
+  end
+
+  it "verify selinux on freebsd" do
+    resource = MockLoader.new(:freebsd12).load_resource("selinux")
+    _(resource.installed?).must_equal false
+    _(resource.enforcing?).must_equal false
+  end
+end