mirror of
https://github.com/inspec/inspec
synced 2024-11-22 20:53:11 +00:00
etc_hosts_allow and etc_hosts_deny resources: test the content of the tcpwrappers configuration files (#2073)
* New Resource-combined etc_hosts_allow etc_hosts_deny Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
This commit is contained in:
parent
67d5d167d5
commit
b23a58b573
8 changed files with 358 additions and 0 deletions
64
docs/resources/etc_hosts_allow.md.erb
Normal file
64
docs/resources/etc_hosts_allow.md.erb
Normal file
|
@ -0,0 +1,64 @@
|
|||
---
|
||||
title: About the etc_hosts_allow Resource
|
||||
---
|
||||
|
||||
# etc_hosts_allow
|
||||
|
||||
Use the `etc_hosts_allow` InSpec audit resource to test rules set to accept daemon and client traffic set in /etc/hosts.allow file.
|
||||
|
||||
## Syntax
|
||||
|
||||
An etc/hosts.allow rule specifies one or more daemons mapped to one or more clients,
|
||||
with zero or more options to use to accept traffic when found.
|
||||
|
||||
## Syntax
|
||||
|
||||
Use the where clause to match a property to one or more rules in the hosts.allow file.
|
||||
|
||||
describe etc_hosts_allow.where { daemon == 'value' } do
|
||||
its ('client_list') { should include ['values'] }
|
||||
its ('options') { should include ['values'] }
|
||||
end
|
||||
|
||||
Use the optional constructor parameter to give an alternative path to hosts.allow
|
||||
|
||||
describe etc_hosts_allow(hosts_path).where { daemon == 'value' } do
|
||||
its ('client_list') { should include ['values'] }
|
||||
its ('options') { should include ['values'] }
|
||||
end
|
||||
|
||||
where
|
||||
|
||||
* `daemon` is a daemon that will be allowed to pass traffic in.
|
||||
* `client_list` is a list of clients will be allowed to pass traffic in.
|
||||
* `options` is a list of tasks that to be done with the rule when traffic is found.
|
||||
|
||||
## Supported Properties
|
||||
|
||||
'daemon', 'client_list', 'options'
|
||||
|
||||
## Property Examples and Return Types
|
||||
|
||||
### daemon
|
||||
|
||||
`daemon` returns a string containing the daemon that is allowed in the rule.
|
||||
|
||||
describe etc_hosts_allow.where { client_list == ['127.0.1.154', '[:fff:fAb0::]'] } do
|
||||
its('daemon') { should eq ['vsftpd', 'sshd'] }
|
||||
end
|
||||
|
||||
### client_list
|
||||
|
||||
`client_list` returns a 2d string array where each entry contains the clients specified for the rule.
|
||||
|
||||
describe etc_hosts_allow.where { daemon == 'sshd' } do
|
||||
its('client_list') { should include ['192.168.0.0/16', '[abcd::0000:1234]'] }
|
||||
end
|
||||
|
||||
### options
|
||||
|
||||
`options` returns a 2d string array where each entry contains any options specified for the rule.
|
||||
|
||||
describe etc_hosts_allow.where { daemon == 'sshd' } do
|
||||
its('options') { should include ['deny', 'echo "REJECTED"'] }
|
||||
end
|
64
docs/resources/etc_hosts_deny.md.erb
Normal file
64
docs/resources/etc_hosts_deny.md.erb
Normal file
|
@ -0,0 +1,64 @@
|
|||
---
|
||||
title: About the etc_hosts_deny Resource
|
||||
---
|
||||
|
||||
# etc_hosts_deny
|
||||
|
||||
Use the `etc_hosts_deny` InSpec audit resource to test rules set to reject daemon and client traffic set in /etc/hosts.deny.
|
||||
|
||||
## Syntax
|
||||
|
||||
An etc/hosts.deny rule specifies one or more daemons mapped to one or more clients,
|
||||
with zero or more options to use to reject traffic when found.
|
||||
|
||||
## Syntax
|
||||
|
||||
Use the where clause to match a property to one or more rules in the hosts.deny file.
|
||||
|
||||
describe etc_hosts_deny.where { daemon == 'value' } do
|
||||
its ('client_list') { should include ['values'] }
|
||||
its ('options') { should include ['values'] }
|
||||
end
|
||||
|
||||
Use the optional constructor parameter to give an alternative path to hosts.deny
|
||||
|
||||
describe etc_hosts_deny(hosts_path).where { daemon == 'value' } do
|
||||
its ('client_list') { should include ['values'] }
|
||||
its ('options') { should include ['values'] }
|
||||
end
|
||||
|
||||
where
|
||||
|
||||
* `daemon` is a daemon that will be rejected to pass traffic in.
|
||||
* `client_list` is a list of clients will be rejected to pass traffic in.
|
||||
* `options` is a list of tasks that to be done with the rule when traffic is found.
|
||||
|
||||
## Supported Properties
|
||||
|
||||
'daemon', 'client_list', 'options'
|
||||
|
||||
## Property Examples and Return Types
|
||||
|
||||
### daemon
|
||||
|
||||
`daemon` returns a string containing the daemon that is allowed in the rule.
|
||||
|
||||
describe etc_hosts_deny.where { client_list == ['127.0.1.154', '[:fff:fAb0::]'] } do
|
||||
its('daemon') { should eq ['vsftpd', 'sshd'] }
|
||||
end
|
||||
|
||||
### client_list
|
||||
|
||||
`client_list` returns a 2d string array where each entry contains the clients specified for the rule.
|
||||
|
||||
describe etc_hosts_deny.where { daemon == 'sshd' } do
|
||||
its('client_list') { should include ['192.168.0.0/16', '[abcd::0000:1234]'] }
|
||||
end
|
||||
|
||||
### options
|
||||
|
||||
`options` returns a 2d string array where each entry contains any options specified for the rule.
|
||||
|
||||
describe etc_hosts_deny.where { daemon == 'sshd' } do
|
||||
its('options') { should include ['deny', 'echo "REJECTED"'] }
|
||||
end
|
|
@ -92,6 +92,7 @@ require 'resources/docker_container'
|
|||
require 'resources/docker_image'
|
||||
require 'resources/etc_fstab'
|
||||
require 'resources/etc_group'
|
||||
require 'resources/etc_hosts_allow_deny'
|
||||
require 'resources/etc_hosts'
|
||||
require 'resources/file'
|
||||
require 'resources/gem'
|
||||
|
|
122
lib/resources/etc_hosts_allow_deny.rb
Normal file
122
lib/resources/etc_hosts_allow_deny.rb
Normal file
|
@ -0,0 +1,122 @@
|
|||
# encoding: utf-8
|
||||
# author: Matthew Dromazos
|
||||
|
||||
require 'utils/parser'
|
||||
|
||||
module Inspec::Resources
|
||||
class EtcHostsAllow < Inspec.resource(1)
|
||||
name 'etc_hosts_allow'
|
||||
desc 'Use the etc_hosts_allow InSpec audit resource to test the connections
|
||||
the client will allow. Controlled by the /etc/hosts.allow file.'
|
||||
example "
|
||||
describe etc_hosts_allow.where { daemon == 'ALL' } do
|
||||
its('client_list') { should include ['127.0.0.1', '[::1]'] }
|
||||
its('options') { should eq [[]] }
|
||||
end
|
||||
"
|
||||
|
||||
attr_reader :params
|
||||
|
||||
include CommentParser
|
||||
|
||||
def initialize(hosts_allow_path = nil)
|
||||
return skip_resource 'The `etc_hosts_allow` resource is not supported on your OS.' unless inspec.os.linux?
|
||||
@conf_path = hosts_allow_path || '/etc/hosts.allow'
|
||||
@content = nil
|
||||
@params = nil
|
||||
read_content
|
||||
end
|
||||
|
||||
filter = FilterTable.create
|
||||
filter.add_accessor(:where)
|
||||
.add_accessor(:entries)
|
||||
.add(:daemon, field: 'daemon')
|
||||
.add(:client_list, field: 'client_list')
|
||||
.add(:options, field: 'options')
|
||||
|
||||
filter.connect(self, :params)
|
||||
|
||||
private
|
||||
|
||||
def read_content
|
||||
@content = ''
|
||||
@params = {}
|
||||
@content = split_daemons(read_file(@conf_path))
|
||||
@params = parse_conf(@content)
|
||||
end
|
||||
|
||||
def split_daemons(content)
|
||||
split_daemons_list = []
|
||||
content.each do |line|
|
||||
data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
|
||||
next unless data != ''
|
||||
data.split(':')[0].split(',').each do |daemon|
|
||||
split_daemons_list.push("#{daemon} : " + line.split(':', 2)[1])
|
||||
end
|
||||
end
|
||||
split_daemons_list
|
||||
end
|
||||
|
||||
def parse_conf(content)
|
||||
content.map do |line|
|
||||
data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
|
||||
parse_line(data) unless data == ''
|
||||
end.compact
|
||||
end
|
||||
|
||||
def parse_line(line)
|
||||
daemon, clients_and_options = line.split(/:\s+/, 2)
|
||||
daemon = daemon.strip
|
||||
|
||||
clients_and_options ||= ''
|
||||
clients, options = clients_and_options.split(/\s+:\s+/, 2)
|
||||
client_list = clients.split(/,/).map(&:strip)
|
||||
|
||||
options ||= ''
|
||||
options_list = options.split(/:\s+/).map(&:strip)
|
||||
|
||||
{
|
||||
'daemon' => daemon,
|
||||
'client_list' => client_list,
|
||||
'options' => options_list,
|
||||
}
|
||||
end
|
||||
|
||||
def read_file(conf_path = @conf_path)
|
||||
# Determine if the file exists and contains anything, if not
|
||||
# then access control is turned off.
|
||||
file = inspec.file(conf_path)
|
||||
if !file.file?
|
||||
return skip_resource "Can't find file at \"#{@conf_path}\""
|
||||
end
|
||||
raw_conf = file.content
|
||||
if raw_conf.empty? && !file.empty?
|
||||
return skip_resource("Unable to read file \"#{@conf_path}\"")
|
||||
end
|
||||
|
||||
# If there is a file and it contains content, continue
|
||||
raw_conf.lines
|
||||
end
|
||||
end
|
||||
|
||||
class EtcHostsDeny < EtcHostsAllow
|
||||
name 'etc_hosts_deny'
|
||||
desc 'Use the etc_hosts_deny InSpec audit resource to test the connections
|
||||
the client will deny. Controlled by the /etc/hosts.deny file.'
|
||||
example "
|
||||
describe etc_hosts_deny.where { daemon_list == 'ALL' } do
|
||||
its('client_list') { should eq [['127.0.0.1', '[::1]']] }
|
||||
its('options') { should eq [] }
|
||||
end
|
||||
"
|
||||
|
||||
def initialize(path = nil)
|
||||
return skip_resource '`etc_hosts_deny` is not supported on your OS' unless inspec.os.linux?
|
||||
super(path || '/etc/hosts.deny')
|
||||
end
|
||||
|
||||
def to_s
|
||||
'hosts.deny Configuration'
|
||||
end
|
||||
end
|
||||
end
|
|
@ -170,6 +170,8 @@ class MockLoader
|
|||
'/var/lib/fake_rpmdb' => mockdir.call(true),
|
||||
'/var/lib/rpmdb_does_not_exist' => mockdir.call(false),
|
||||
'/etc/init/ssh.conf' => mockfile.call('upstart_ssh_enabled.conf'),
|
||||
'/etc/hosts.allow' => mockfile.call('hosts.allow'),
|
||||
'/etc/hosts.deny' => mockfile.call('hosts.deny'),
|
||||
}
|
||||
|
||||
# create all mock commands
|
||||
|
|
15
test/unit/mock/files/hosts.allow
Normal file
15
test/unit/mock/files/hosts.allow
Normal file
|
@ -0,0 +1,15 @@
|
|||
#
|
||||
# hosts.allow This file contains access rules which are used to
|
||||
# allow or deny connections to network services that
|
||||
# either use the tcp_wrappers library or that have been
|
||||
# started through a tcp_wrappers-enabled xinetd.
|
||||
#
|
||||
# See 'man 5 hosts_options' and 'man 5 hosts_access'
|
||||
# for information on rule syntax.
|
||||
# See 'man tcpd' for information on tcp_wrappers
|
||||
#
|
||||
# LOCALHOST (ALL TRAFFIC ALLOWED) DO NOT REMOVE FOLLOWING LINE
|
||||
ALL: 127.0.0.1, [::1]
|
||||
# Added for testing
|
||||
LOCAL : [fe80::]/10 : deny
|
||||
vsftpd, sshd : 127.0.1.154, [:fff:fAb0::] : deny : /etc/bin/
|
17
test/unit/mock/files/hosts.deny
Normal file
17
test/unit/mock/files/hosts.deny
Normal file
|
@ -0,0 +1,17 @@
|
|||
#
|
||||
# hosts.deny This file contains access rules which are used to
|
||||
# allow or deny connections to network services that
|
||||
# either use the tcp_wrappers library or that have been
|
||||
# started through a tcp_wrappers-enabled xinetd.
|
||||
#
|
||||
# See 'man 5 hosts_options' and 'man 5 hosts_access'
|
||||
# for information on rule syntax.
|
||||
# See 'man tcpd' for information on tcp_wrappers
|
||||
#
|
||||
# LOCALHOST (ALL TRAFFIC ALLOWED) DO NOT REMOVE FOLLOWING LINE
|
||||
ALL: 127.0.0.1, [::1]
|
||||
# Allow SSH (you can limit this further using IP addresses - e.g. 192.168.0.*)
|
||||
sshd: ALL
|
||||
# Added for testing
|
||||
LOCAL : [fe80::]/10 : deny
|
||||
vsftpd , sshd : 127.0.1.154, [:fff:fAb0::] : deny : /etc/bin/
|
73
test/unit/resources/etc_hosts_allow_deny_test.rb
Normal file
73
test/unit/resources/etc_hosts_allow_deny_test.rb
Normal file
|
@ -0,0 +1,73 @@
|
|||
# encoding: utf-8
|
||||
# author: Matthew Dromazos
|
||||
|
||||
require 'helper'
|
||||
require 'inspec/resource'
|
||||
|
||||
describe 'Inspec::Resources::EtcHostsAllow' do
|
||||
describe 'EtcHostsAllow Paramaters' do
|
||||
resource = load_resource('etc_hosts_allow')
|
||||
it 'Verify etc_hosts_allow filtering by `daemon`' do
|
||||
entries = resource.where { daemon == 'ALL' }
|
||||
_(entries.client_list).must_include ['127.0.0.1', '[::1]']
|
||||
_(entries.options).must_equal [[]]
|
||||
end
|
||||
it 'Verify etc_hosts_allow filtering by `client_list`' do
|
||||
entries = resource.where { client_list == ['127.0.1.154', '[:fff:fAb0::]'] }
|
||||
_(entries.daemon).must_equal ['vsftpd', 'sshd']
|
||||
_(entries.options).must_include ['deny', '/etc/bin/']
|
||||
end
|
||||
it 'Verify etc_hosts_allow filtering by `options`' do
|
||||
entries = resource.where { options == ['deny', '/etc/bin/'] }
|
||||
_(entries.daemon).must_equal ['vsftpd', 'sshd']
|
||||
_(entries.client_list).must_include ['127.0.1.154', '[:fff:fAb0::]']
|
||||
end
|
||||
end
|
||||
|
||||
describe '#parse_line' do
|
||||
resource = load_resource('etc_hosts_allow')
|
||||
it 'parses a line with multiple clients' do
|
||||
line = 'foo: client1, client2 : some_option'
|
||||
attributes = resource.send(:parse_line, line)
|
||||
_(attributes['daemon']).must_equal 'foo'
|
||||
_(attributes['client_list']).must_equal ['client1', 'client2']
|
||||
end
|
||||
|
||||
it 'parses a line with one option' do
|
||||
line = 'foo: client1, client2 : some_option'
|
||||
attributes = resource.send(:parse_line, line)
|
||||
_(attributes['daemon']).must_equal 'foo'
|
||||
_(attributes['client_list']).must_equal ['client1', 'client2']
|
||||
_(attributes['options']).must_equal ['some_option']
|
||||
end
|
||||
|
||||
it 'parses a line with multiple options' do
|
||||
line = 'foo: client1, client2 : some_option : other_option'
|
||||
attributes = resource.send(:parse_line, line)
|
||||
_(attributes['daemon']).must_equal 'foo'
|
||||
_(attributes['client_list']).must_equal ['client1', 'client2']
|
||||
_(attributes['options']).must_equal ['some_option', 'other_option']
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'Inspec::Resources::EtcHostsDeny' do
|
||||
describe 'EtcHostsDeny Paramaters' do
|
||||
resource = load_resource('etc_hosts_deny')
|
||||
it 'Verify etc_hosts_deny filtering by `daemon`' do
|
||||
entries = resource.where { daemon == 'ALL' }
|
||||
_(entries.client_list).must_include ['127.0.0.1', '[::1]']
|
||||
_(entries.options).must_equal [[]]
|
||||
end
|
||||
it 'Verify etc_hosts_deny filtering by `client_list`' do
|
||||
entries = resource.where { client_list == ['127.0.1.154', '[:fff:fAb0::]'] }
|
||||
_(entries.daemon).must_equal ['vsftpd', 'sshd']
|
||||
_(entries.options).must_include ['deny', '/etc/bin/']
|
||||
end
|
||||
it 'Verify etc_hosts_deny filtering by `options`' do
|
||||
entries = resource.where { options == ['deny', '/etc/bin/'] }
|
||||
_(entries.daemon).must_equal ['vsftpd', 'sshd']
|
||||
_(entries.client_list).must_include ['127.0.1.154', '[:fff:fAb0::]']
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in a new issue