etc_hosts_allow and etc_hosts_deny resources: test the content of the tcpwrappers configuration files (#2073)

* New Resource-combined etc_hosts_allow etc_hosts_deny

Signed-off-by: dromazos <dromazmj@dukes.jmu.edu>
This commit is contained in:
dromazmj 2017-09-25 13:49:04 -04:00 committed by Adam Leff
parent 67d5d167d5
commit b23a58b573
8 changed files with 358 additions and 0 deletions

View file

@ -0,0 +1,64 @@
---
title: About the etc_hosts_allow Resource
---
# etc_hosts_allow
Use the `etc_hosts_allow` InSpec audit resource to test rules set to accept daemon and client traffic set in /etc/hosts.allow file.
## Syntax
An etc/hosts.allow rule specifies one or more daemons mapped to one or more clients,
with zero or more options to use to accept traffic when found.
## Syntax
Use the where clause to match a property to one or more rules in the hosts.allow file.
describe etc_hosts_allow.where { daemon == 'value' } do
its ('client_list') { should include ['values'] }
its ('options') { should include ['values'] }
end
Use the optional constructor parameter to give an alternative path to hosts.allow
describe etc_hosts_allow(hosts_path).where { daemon == 'value' } do
its ('client_list') { should include ['values'] }
its ('options') { should include ['values'] }
end
where
* `daemon` is a daemon that will be allowed to pass traffic in.
* `client_list` is a list of clients will be allowed to pass traffic in.
* `options` is a list of tasks that to be done with the rule when traffic is found.
## Supported Properties
'daemon', 'client_list', 'options'
## Property Examples and Return Types
### daemon
`daemon` returns a string containing the daemon that is allowed in the rule.
describe etc_hosts_allow.where { client_list == ['127.0.1.154', '[:fff:fAb0::]'] } do
its('daemon') { should eq ['vsftpd', 'sshd'] }
end
### client_list
`client_list` returns a 2d string array where each entry contains the clients specified for the rule.
describe etc_hosts_allow.where { daemon == 'sshd' } do
its('client_list') { should include ['192.168.0.0/16', '[abcd::0000:1234]'] }
end
### options
`options` returns a 2d string array where each entry contains any options specified for the rule.
describe etc_hosts_allow.where { daemon == 'sshd' } do
its('options') { should include ['deny', 'echo "REJECTED"'] }
end

View file

@ -0,0 +1,64 @@
---
title: About the etc_hosts_deny Resource
---
# etc_hosts_deny
Use the `etc_hosts_deny` InSpec audit resource to test rules set to reject daemon and client traffic set in /etc/hosts.deny.
## Syntax
An etc/hosts.deny rule specifies one or more daemons mapped to one or more clients,
with zero or more options to use to reject traffic when found.
## Syntax
Use the where clause to match a property to one or more rules in the hosts.deny file.
describe etc_hosts_deny.where { daemon == 'value' } do
its ('client_list') { should include ['values'] }
its ('options') { should include ['values'] }
end
Use the optional constructor parameter to give an alternative path to hosts.deny
describe etc_hosts_deny(hosts_path).where { daemon == 'value' } do
its ('client_list') { should include ['values'] }
its ('options') { should include ['values'] }
end
where
* `daemon` is a daemon that will be rejected to pass traffic in.
* `client_list` is a list of clients will be rejected to pass traffic in.
* `options` is a list of tasks that to be done with the rule when traffic is found.
## Supported Properties
'daemon', 'client_list', 'options'
## Property Examples and Return Types
### daemon
`daemon` returns a string containing the daemon that is allowed in the rule.
describe etc_hosts_deny.where { client_list == ['127.0.1.154', '[:fff:fAb0::]'] } do
its('daemon') { should eq ['vsftpd', 'sshd'] }
end
### client_list
`client_list` returns a 2d string array where each entry contains the clients specified for the rule.
describe etc_hosts_deny.where { daemon == 'sshd' } do
its('client_list') { should include ['192.168.0.0/16', '[abcd::0000:1234]'] }
end
### options
`options` returns a 2d string array where each entry contains any options specified for the rule.
describe etc_hosts_deny.where { daemon == 'sshd' } do
its('options') { should include ['deny', 'echo "REJECTED"'] }
end

View file

@ -92,6 +92,7 @@ require 'resources/docker_container'
require 'resources/docker_image'
require 'resources/etc_fstab'
require 'resources/etc_group'
require 'resources/etc_hosts_allow_deny'
require 'resources/etc_hosts'
require 'resources/file'
require 'resources/gem'

View file

@ -0,0 +1,122 @@
# encoding: utf-8
# author: Matthew Dromazos
require 'utils/parser'
module Inspec::Resources
class EtcHostsAllow < Inspec.resource(1)
name 'etc_hosts_allow'
desc 'Use the etc_hosts_allow InSpec audit resource to test the connections
the client will allow. Controlled by the /etc/hosts.allow file.'
example "
describe etc_hosts_allow.where { daemon == 'ALL' } do
its('client_list') { should include ['127.0.0.1', '[::1]'] }
its('options') { should eq [[]] }
end
"
attr_reader :params
include CommentParser
def initialize(hosts_allow_path = nil)
return skip_resource 'The `etc_hosts_allow` resource is not supported on your OS.' unless inspec.os.linux?
@conf_path = hosts_allow_path || '/etc/hosts.allow'
@content = nil
@params = nil
read_content
end
filter = FilterTable.create
filter.add_accessor(:where)
.add_accessor(:entries)
.add(:daemon, field: 'daemon')
.add(:client_list, field: 'client_list')
.add(:options, field: 'options')
filter.connect(self, :params)
private
def read_content
@content = ''
@params = {}
@content = split_daemons(read_file(@conf_path))
@params = parse_conf(@content)
end
def split_daemons(content)
split_daemons_list = []
content.each do |line|
data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
next unless data != ''
data.split(':')[0].split(',').each do |daemon|
split_daemons_list.push("#{daemon} : " + line.split(':', 2)[1])
end
end
split_daemons_list
end
def parse_conf(content)
content.map do |line|
data, = parse_comment_line(line, comment_char: '#', standalone_comments: false)
parse_line(data) unless data == ''
end.compact
end
def parse_line(line)
daemon, clients_and_options = line.split(/:\s+/, 2)
daemon = daemon.strip
clients_and_options ||= ''
clients, options = clients_and_options.split(/\s+:\s+/, 2)
client_list = clients.split(/,/).map(&:strip)
options ||= ''
options_list = options.split(/:\s+/).map(&:strip)
{
'daemon' => daemon,
'client_list' => client_list,
'options' => options_list,
}
end
def read_file(conf_path = @conf_path)
# Determine if the file exists and contains anything, if not
# then access control is turned off.
file = inspec.file(conf_path)
if !file.file?
return skip_resource "Can't find file at \"#{@conf_path}\""
end
raw_conf = file.content
if raw_conf.empty? && !file.empty?
return skip_resource("Unable to read file \"#{@conf_path}\"")
end
# If there is a file and it contains content, continue
raw_conf.lines
end
end
class EtcHostsDeny < EtcHostsAllow
name 'etc_hosts_deny'
desc 'Use the etc_hosts_deny InSpec audit resource to test the connections
the client will deny. Controlled by the /etc/hosts.deny file.'
example "
describe etc_hosts_deny.where { daemon_list == 'ALL' } do
its('client_list') { should eq [['127.0.0.1', '[::1]']] }
its('options') { should eq [] }
end
"
def initialize(path = nil)
return skip_resource '`etc_hosts_deny` is not supported on your OS' unless inspec.os.linux?
super(path || '/etc/hosts.deny')
end
def to_s
'hosts.deny Configuration'
end
end
end

View file

@ -170,6 +170,8 @@ class MockLoader
'/var/lib/fake_rpmdb' => mockdir.call(true),
'/var/lib/rpmdb_does_not_exist' => mockdir.call(false),
'/etc/init/ssh.conf' => mockfile.call('upstart_ssh_enabled.conf'),
'/etc/hosts.allow' => mockfile.call('hosts.allow'),
'/etc/hosts.deny' => mockfile.call('hosts.deny'),
}
# create all mock commands

View file

@ -0,0 +1,15 @@
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
# LOCALHOST (ALL TRAFFIC ALLOWED) DO NOT REMOVE FOLLOWING LINE
ALL: 127.0.0.1, [::1]
# Added for testing
LOCAL : [fe80::]/10 : deny
vsftpd, sshd : 127.0.1.154, [:fff:fAb0::] : deny : /etc/bin/

View file

@ -0,0 +1,17 @@
#
# hosts.deny This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
# LOCALHOST (ALL TRAFFIC ALLOWED) DO NOT REMOVE FOLLOWING LINE
ALL: 127.0.0.1, [::1]
# Allow SSH (you can limit this further using IP addresses - e.g. 192.168.0.*)
sshd: ALL
# Added for testing
LOCAL : [fe80::]/10 : deny
vsftpd , sshd : 127.0.1.154, [:fff:fAb0::] : deny : /etc/bin/

View file

@ -0,0 +1,73 @@
# encoding: utf-8
# author: Matthew Dromazos
require 'helper'
require 'inspec/resource'
describe 'Inspec::Resources::EtcHostsAllow' do
describe 'EtcHostsAllow Paramaters' do
resource = load_resource('etc_hosts_allow')
it 'Verify etc_hosts_allow filtering by `daemon`' do
entries = resource.where { daemon == 'ALL' }
_(entries.client_list).must_include ['127.0.0.1', '[::1]']
_(entries.options).must_equal [[]]
end
it 'Verify etc_hosts_allow filtering by `client_list`' do
entries = resource.where { client_list == ['127.0.1.154', '[:fff:fAb0::]'] }
_(entries.daemon).must_equal ['vsftpd', 'sshd']
_(entries.options).must_include ['deny', '/etc/bin/']
end
it 'Verify etc_hosts_allow filtering by `options`' do
entries = resource.where { options == ['deny', '/etc/bin/'] }
_(entries.daemon).must_equal ['vsftpd', 'sshd']
_(entries.client_list).must_include ['127.0.1.154', '[:fff:fAb0::]']
end
end
describe '#parse_line' do
resource = load_resource('etc_hosts_allow')
it 'parses a line with multiple clients' do
line = 'foo: client1, client2 : some_option'
attributes = resource.send(:parse_line, line)
_(attributes['daemon']).must_equal 'foo'
_(attributes['client_list']).must_equal ['client1', 'client2']
end
it 'parses a line with one option' do
line = 'foo: client1, client2 : some_option'
attributes = resource.send(:parse_line, line)
_(attributes['daemon']).must_equal 'foo'
_(attributes['client_list']).must_equal ['client1', 'client2']
_(attributes['options']).must_equal ['some_option']
end
it 'parses a line with multiple options' do
line = 'foo: client1, client2 : some_option : other_option'
attributes = resource.send(:parse_line, line)
_(attributes['daemon']).must_equal 'foo'
_(attributes['client_list']).must_equal ['client1', 'client2']
_(attributes['options']).must_equal ['some_option', 'other_option']
end
end
end
describe 'Inspec::Resources::EtcHostsDeny' do
describe 'EtcHostsDeny Paramaters' do
resource = load_resource('etc_hosts_deny')
it 'Verify etc_hosts_deny filtering by `daemon`' do
entries = resource.where { daemon == 'ALL' }
_(entries.client_list).must_include ['127.0.0.1', '[::1]']
_(entries.options).must_equal [[]]
end
it 'Verify etc_hosts_deny filtering by `client_list`' do
entries = resource.where { client_list == ['127.0.1.154', '[:fff:fAb0::]'] }
_(entries.daemon).must_equal ['vsftpd', 'sshd']
_(entries.options).must_include ['deny', '/etc/bin/']
end
it 'Verify etc_hosts_deny filtering by `options`' do
entries = resource.where { options == ['deny', '/etc/bin/'] }
_(entries.daemon).must_equal ['vsftpd', 'sshd']
_(entries.client_list).must_include ['127.0.1.154', '[:fff:fAb0::]']
end
end
end