Merge pull request #5782 from inspec/nm/kernel-params
CFINSPEC-3 Added kernel_parameters resource
This commit is contained in:
commit
c065e923c3
6 changed files with 174 additions and 0 deletions
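--- a/docs-chef-io/content/inspec/resources/kernel_parameters.md
+++ b/docs-chef-io/content/inspec/resources/kernel_parameters.md
@@ -0,0 +1,64 @@
++++
+title = "kernel_parameters resource"
+draft = false
+gh_repo = "inspec"
+platform = "linux"
+
+[menu]
+[menu.inspec]
+title = "kernel_parameters"
+identifier = "inspec/resources/os/kernel_parameters.md kernel_parameters resource"
+parent = "inspec/resources/os"
++++
+
+Use the `kernel_parameters` Chef InSpec audit resource to test multiple kernel parameters on Linux platforms.
+These parameters are located under `/proc/cmdline`.
+
+## Availability
+
+### Installation
+
+This resource is distributed along with Chef InSpec itself. You can use it automatically.
+
+## Syntax
+
+A `kernel_parameters` resource block uses `where` to filter entries from the systems kernel parameters. If `where` is omitted, all entries are selected.
+
+describe kernel_parameters do
+its('parameters') { should include "PARAMETER_NAME" }
+its('values') { should include 1 }
+end
+
+describe kernel_parameters.where(parameter: "PARAMETER_NAME") do
+its('values') { should eq [1] }
+end
+
+## Properties
+
+### parameters
+
+The kernel parameter to test.
+
+### values
+
+The value of a kernel parameter.
+
+## Examples
+
+The following examples show how to use this Chef InSpec audit resource.
+
+### Test the global forwarding setting using a `where` query on the kernel parameters
+
+describe kernel_parameters.where(parameter: "net.ipv4.conf.all.forwarding") do
+its('values') { should eq [1] }
+end
+
+### Match a parameter using a regular expression
+
+describe kernel_parameters.where(parameter: /^net./ ) do
+its('parameters') { should include 'net.ipv4.conf.all.forwarding' }
+end
+
+## Matchers
+
+For a full list of available matchers, please visit our [matchers page](/inspec/matchers/).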
@ -73,6 +73,7 @@ require "inspec/resources/ip6tables"
|
|||
require "inspec/resources/iptables"
|
||||
require "inspec/resources/kernel_module"
|
||||
require "inspec/resources/kernel_parameter"
|
||||
require "inspec/resources/kernel_parameters"
|
||||
require "inspec/resources/key_rsa"
|
||||
require "inspec/resources/ksh"
|
||||
require "inspec/resources/limits_conf"
|
||||
|
|
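--- a/lib/inspec/resources/kernel_parameters.rb
+++ b/lib/inspec/resources/kernel_parameters.rb
@@ -0,0 +1,58 @@
+module Inspec::Resources
+class KernelParameters < Inspec.resource(1)
+name "kernel_parameters"
+supports platform: "unix"
+desc "Use the kernel_parameters InSpec audit resource to test kernel parameters on Linux platforms."
+example <<~EXAMPLE
+describe kernel_parameters.where(parameter: /^net./ ) do
+its('parameters') { should include 'net.ipv4.conf.all.forwarding' }
+end
+
+describe kernel_parameters.where(parameter: "net.ipv4.conf.all.forwarding") do
+its('values') { should eq [0] }
+end
+
+describe kernel_parameters do
+its('parameters') { should include 'net.ipv4.conf.all.forwarding' }
+its('values') { should include 0 }
+end
+EXAMPLE
+
+filter = FilterTable.create
+filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+filter.register_column(:parameters, field: "parameter")
+.register_column(:values, field: "value")
+filter.install_filter_methods_on_resource(self, :params)
+
+def initialize
+# this resource is only supported on Linux
+return skip_resource "The `kernel_parameters` resource is not supported on your OS." unless inspec.os.linux?
+end
+
+def to_s
+"Kernel Parameters"
+end
+
+private
+
+def params
+cmd = inspec.command("/sbin/sysctl -a")
+cmd.exit_status != 0 ? [] : parse_kernel_paramater(cmd.stdout)
+end
+
+def parse_kernel_paramater(stdout)
+result = []
+stdout.split("\n").each do |out|
+splitted_output = out.split("=").map(&:strip)
+result.push(
+{
+"parameter" => splitted_output[0],
+"value" => splitted_output[1].to_i,
+}
+)
+end
+result
+end
+
+end
+end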
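Review bot: `parse_kernel_paramater` splits every line on each `=` and keeps only the first two pieces, then coerces the value with `to_i`, so a textual or multi-valued setting (a hostname, or a value like `250 32000 32 128`) is silently stored as its leading integer or `0`, and a blank line becomes an entry whose parameter is `nil`; for an audit resource that means `where { value == 0 }` can match settings that are not actually 0. Splitting with a limit of 2 and skipping lines without a parameter is a small change (below); whether non-integer values should stay strings instead of being coerced is a decision for the authors, so the rewrite keeps `to_i` and flags it. Separately, `params` returns `[]` whenever `sysctl -a` exits non-zero, which lets negative expectations such as `should_not include 1` pass vacuously on a host where the command failed — surfacing the failure, e.g. `raise Inspec::Exceptions::ResourceFailed, "sysctl -a failed: #{cmd.stderr}" unless cmd.exit_status == 0`, seems safer, though I have not checked whether sysctl exits non-zero when some keys are merely unreadable, which would then need handling. The docs page in this PR says the parameters are located under `/proc/cmdline`, whereas the resource reads `/sbin/sysctl -a`, i.e. the `/proc/sys` tree, so that sentence should be corrected, and the `paramater` typo in the method name is worth fixing at the same time.
```ruby
def parse_kernel_paramater(stdout)
  stdout.each_line.with_object([]) do |line, result|
    # limit 2 keeps a value that itself contains "="; strip trims the padding sysctl prints
    parameter, value = line.split("=", 2).map(&:strip)
    next if parameter.nil? || parameter.empty?
    # NOTE(review): to_i turns textual or multi-valued settings into a leading integer or 0 — confirm that is intended
    result << { "parameter" => parameter, "value" => value.to_i }
  end
end
```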
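--- a/test/fixtures/cmd/sbin_sysctl_all
+++ b/test/fixtures/cmd/sbin_sysctl_all
@@ -0,0 +1,28 @@
+net.ipv4.conf.all.accept_local = 0
+net.ipv4.conf.all.accept_redirects = 1
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.all.arp_accept = 0
+net.ipv4.conf.all.arp_announce = 0
+net.ipv4.conf.all.arp_filter = 0
+net.ipv4.conf.all.arp_ignore = 0
+net.ipv4.conf.all.arp_notify = 0
+net.ipv4.conf.all.bootp_relay = 0
+net.ipv4.conf.all.disable_policy = 0
+net.ipv4.conf.all.disable_xfrm = 0
+net.ipv4.conf.all.force_igmp_version = 0
+net.ipv4.conf.all.forwarding = 1
+net.ipv4.conf.all.igmpv2_unsolicited_report_interval = 10000
+net.ipv4.conf.all.igmpv3_unsolicited_report_interval = 1000
+net.ipv4.conf.all.log_martians = 0
+net.ipv4.conf.all.mc_forwarding = 0
+net.ipv4.conf.all.medium_id = 0
+net.ipv4.conf.all.promote_secondaries = 1
+net.ipv4.conf.all.proxy_arp = 0
+net.ipv4.conf.all.proxy_arp_pvlan = 0
+net.ipv4.conf.all.route_localnet = 0
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.all.secure_redirects = 1
+net.ipv4.conf.all.send_redirects = 1
+net.ipv4.conf.all.shared_media = 1
+net.ipv4.conf.all.src_valid_mark = 0
+net.ipv4.conf.all.tag = 0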
@ -281,6 +281,7 @@ class MockLoader
|
|||
"dism /online /get-featureinfo /featurename:IIS-WebServer" => cmd.call("dism-iis-webserver"),
|
||||
"lsmod" => cmd.call("lsmod"),
|
||||
"/sbin/sysctl -q -n net.ipv4.conf.all.forwarding" => cmd.call("sbin_sysctl"),
|
||||
"/sbin/sysctl -a" => cmd.call("sbin_sysctl_all"),
|
||||
# ports on windows
|
||||
"Get-NetTCPConnection -state Listen | Select-Object -Property State, Caption, Description, LocalAddress, LocalPort, RemoteAddress, RemotePort, DisplayName, Status | ConvertTo-Json" => cmd.call("get-net-tcpconnection"),
|
||||
'netstat -anbo | Select-String -CaseSensitive -pattern "^\s+UDP|\s+LISTENING\s+\d+$" -context 0,1' => cmd.call("netstat-anbo-pipe-select-string-pattern.utf8"),
|
||||
|
|
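--- a/test/unit/resources/kernel_parameters_test.rb
+++ b/test/unit/resources/kernel_parameters_test.rb
@@ -0,0 +1,22 @@
+require "helper"
+require "inspec/resource"
+require "inspec/resources/kernel_parameters"
+
+describe "Inspec::Resources::KernelParameters" do
+it "verify kernel_parameters parsing" do
+resource = load_resource("kernel_parameters")
+_(resource.parameters).must_include "net.ipv4.conf.all.forwarding"
+_(resource.values).must_include 1
+end
+
+it "verify kernel_parameters parsing using where query" do
+resource = load_resource("kernel_parameters")
+_(resource.where { parameter == "net.ipv4.conf.all.forwarding" }.values).must_equal [1]
+_(resource.where { value == 1 }.parameters).must_include "net.ipv4.conf.all.forwarding"
+end
+
+it "verify kernel_parameters parsing using where query with regex" do
+resource = load_resource("kernel_parameters")
+_(resource.where { parameter =~ /^net./ }.entries.length).must_equal 28
+end
+end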
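Review bot: The regex case at the end only asserts a count equal to the fixture's line count, so it passes for any parser that emits one entry per line whatever it parsed, and it will break on every edit to the fixture; asserting a concrete entry instead, `_(resource.where { parameter =~ /^net\./ }.parameters).must_include "net.ipv4.conf.all.forwarding"`, pins the behaviour being tested (the `.` in `/^net./` is unescaped and matches any character, which is presumably not intended). No case exercises a line whose value is not a single integer, so the `to_i` coercion in the resource and its handling of blank or malformed lines are untested; one fixture line with a textual or space-separated value, plus an assertion on how it is reported, would cover that path.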