diff --git a/apache/files/server-status.conf.jinja b/apache/files/server-status.conf.jinja
index 34984f8..aabddfc 100644
--- a/apache/files/server-status.conf.jinja
+++ b/apache/files/server-status.conf.jinja
@@ -1,3 +1,7 @@
+########################################################################
+# File managed by Salt at <{{ source }}>.
+# Your changes will be overwritten.
+########################################################################
 SetHandler server-status
 {%- if apache.version == '2.4' %}
diff --git a/apache/server_status.sls b/apache/server_status.sls
index dc8169f..df757ce 100644
--- a/apache/server_status.sls
+++ b/apache/server_status.sls
@@ -18,3 +18,19 @@ include:
 - module: apache-restart
 - module: apache-reload
 - service: apache
+
+{%- if grains['os_family'] == "Debian" %}
+a2enconf server-status:
+ cmd.run:
+ - unless: 'test -L /etc/apache2/conf-enabled/server-status.conf'
+ - order: 225
+ - require:
+ - pkg: apache
+ - file: {{ apache.confdir }}/server-status.conf
+ - watch_in:
+ - module: apache-restart
+ - require_in:
+ - module: apache-restart
+ - module: apache-reload
+ - service: apache
+{% endif %}
diff --git a/kitchen.yml b/kitchen.yml
index b06c77a..dbde110 100644
--- a/kitchen.yml
+++ b/kitchen.yml
@@ -157,7 +157,7 @@ suites:
 base:
 '*':
 - apache
- - apache.mod_security
+ - apache.config
 pillars:
 top.sls:
 base:
@@ -168,3 +168,21 @@ suites:
 verifier:
 inspec_tests:
 - path: test/integration/default
+ - name: modules
+ provisioner:
+ state_top:
+ base:
+ '*':
+ - apache
+ - apache.mod_security
+ - apache.server_status
+ pillars:
+ top.sls:
+ base:
+ '*':
+ - apache
+ pillars_from_files:
+ apache.sls: test/salt/pillar/modules.sls
+ verifier:
+ inspec_tests:
+ - path: test/integration/modules
diff --git a/test/integration/default/controls/config_spec.rb b/test/integration/default/controls/config_spec.rb
new file mode 100644
index 0000000..cd291b6
--- /dev/null
+++ b/test/integration/default/controls/config_spec.rb
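Review bot: In the server_status.sls hunk the `unless` test hard-codes `/etc/apache2/conf-enabled/server-status.conf` while the `require` line two entries below derives the file from `{{ apache.confdir }}/server-status.conf`; if the formula's map exposes the enabled directory, both should come from it so a non-default confdir does not leave the state re-running `a2enconf` on every highstate. If it does not, a comment such as `# conf-enabled is Debian-only; this state is guarded by the os_family check above` makes the fixed path deliberate. `- order: 225` is also unexplained; a one-line comment saying what it must run after and before would help the next maintainer. The `include:` block this hunk extends starts outside the hunk.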
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+control 'apache configuration' do
+ title 'should match desired lines'
+
+ config_file =
+ case platform[:family]
+ when 'debian'
+ '/etc/apache2/apache2.conf'
+ when 'redhat', 'fedora'
+ '/etc/httpd/conf/httpd.conf'
+ when 'suse'
+ '/etc/apache2/httpd.conf'
+ # `linux` here is sufficient for `arch`
+ when 'linux'
+ '/etc/httpd/conf/httpd.conf'
+ end
+ describe file(config_file) do
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ its('mode') { should cmp '0644' }
+ its('content') do
+ should include(
+ 'This file is managed by Salt! Do not edit by hand!'
+ )
+ end
+ end
+end
+control 'apache configuration' do
+ title 'should be valid'
+
+ describe command('apachectl -t') do
+ its('stdout') { should eq '' }
+ its('stderr') { should include 'Syntax OK' }
+
+ its('exit_status') { should eq 0 }
+ end
+end
diff --git a/test/integration/default/controls/packages_spec.rb b/test/integration/default/controls/packages_spec.rb
new file mode 100644
index 0000000..6e23746
--- /dev/null
+++ b/test/integration/default/controls/packages_spec.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+control 'apache package' do
+ title 'should be installed'
+
+ package_name =
+ case platform[:family]
+ when 'debian', 'suse'
+ 'apache2'
+ when 'redhat', 'fedora'
+ 'httpd'
+ # `linux` here is sufficient for `arch`
+ when 'linux'
+ 'apache'
+ end
+
+ describe package(package_name) do
+ it { should be_installed }
+ end
+end
diff --git a/test/integration/default/controls/services_spec.rb b/test/integration/default/controls/services_spec.rb
new file mode 100644
index 0000000..a8657e0
--- /dev/null
+++ b/test/integration/default/controls/services_spec.rb
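Review bot: Both controls in the config_spec.rb hunk use the id `'apache configuration'`; InSpec registers controls by id and, as far as I recall, when an id is defined a second time the later definition's checks replace the earlier one's, so the `file(config_file)` expectations (mode, ownership, the managed-by-Salt line) would silently never run and only the `apachectl -t` check would be reported. Give them distinct ids, e.g. `control 'apache configuration file' do` for the first and `control 'apache configuration syntax' do` for the second. Separately, `case platform[:family]` has no `else`, so on an unlisted family `config_file` is nil and `file(nil)` fails with an unhelpful error instead of a clear message; an `else raise "unsupported platform family: #{platform[:family]}"` branch fixes that. The same missing fallback is in this commit's default packages_spec.rb and services_spec.rb and in the modules profile's packages_spec.rb, server_status_spec.rb and services_spec.rb.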
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+control 'apache service' do
+ impact 0.5
+ title 'should be running and enabled'
+
+ service_name =
+ case platform[:family]
+ when 'debian', 'suse'
+ 'apache2'
+ when 'redhat', 'fedora', 'linux'
+ 'httpd'
+ end
+
+ describe service(service_name) do
+ it { should be_enabled }
+ it { should be_running }
+ end
+end
diff --git a/test/integration/modules/README.md b/test/integration/modules/README.md
new file mode 100644
index 0000000..2c2c282
--- /dev/null
+++ b/test/integration/modules/README.md
@@ -0,0 +1,50 @@
+# InSpec Profile: `modules`
+
+This shows the implementation of the `modules` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md).
+
+## Verify a profile
+
+InSpec ships with built-in features to verify a profile structure.
+
+```bash
+$ inspec check modules
+Summary
+-------
+Location: modules
+Profile: profile
+Controls: 4
+Timestamp: 2019-06-24T23:09:01+00:00
+Valid: true
+
+Errors
+------
+
+Warnings
+--------
+```
+
+## Execute a profile
+
+To run all **supported** controls on a local machine use `inspec exec /path/to/profile`.
+
+```bash
+$ inspec exec modules
+..
+
+Finished in 0.0025 seconds (files took 0.12449 seconds to load)
+8 examples, 0 failures
+```
+
+## Execute a specific control from a profile
+
+To run one control from the profile use `inspec exec /path/to/profile --controls name`.
+
+```bash
+$ inspec exec modules --controls package
+.
+
+Finished in 0.0025 seconds (files took 0.12449 seconds to load)
+1 examples, 0 failures
+```
+
+See an [example control here](https://github.com/inspec/inspec/blob/master/examples/profile/controls/example.rb).
diff --git a/test/integration/modules/controls/config_spec.rb b/test/integration/modules/controls/config_spec.rb
new file mode 100644
index 0000000..96f6c6a
--- /dev/null
+++ b/test/integration/modules/controls/config_spec.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+control 'apache configuration' do
+ title 'should be valid'
+
+ describe command('apachectl -t') do
+ its('stdout') { should eq '' }
+ its('stderr') { should include 'Syntax OK' }
+
+ its('exit_status') { should eq 0 }
+ end
+end
diff --git a/test/integration/default/controls/mod_security_spec.rb b/test/integration/modules/controls/mod_security_spec.rb
similarity index 90%
rename from test/integration/default/controls/mod_security_spec.rb
rename to test/integration/modules/controls/mod_security_spec.rb
index 1e59ed2..4c0f22d 100644
--- a/test/integration/default/controls/mod_security_spec.rb
+++ b/test/integration/modules/controls/mod_security_spec.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
-control 'Apache mod_security configuration' do
+control 'apache mod_security configuration' do
 title 'should match desired lines'
 modspec_file =
@@ -9,6 +9,8 @@ control 'Apache mod_security configuration' do
 '/etc/httpd/conf.d/mod_security.conf'
 when 'debian'
 '/etc/modsecurity/modsecurity.conf-recommended'
+ when 'suse'
+ '/etc/apache2/conf.d/mod_security2.conf'
 end
 describe file(modspec_file) do
diff --git a/test/integration/modules/controls/packages_spec.rb b/test/integration/modules/controls/packages_spec.rb
new file mode 100644
index 0000000..ecea095
--- /dev/null
+++ b/test/integration/modules/controls/packages_spec.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+control 'apache mod_security package' do
+ title 'should be installed'
+
+ package_name =
+ case platform[:family]
+ when 'debian'
+ 'libapache2-mod-security2'
+ when 'redhat', 'fedora'
+ 'mod_security'
+ when 'suse'
+ 'apache2-mod_security2'
+ end
+
+ describe package(package_name) do
+ it { should be_installed }
+ end
+end
diff --git a/test/integration/modules/controls/server_status_spec.rb b/test/integration/modules/controls/server_status_spec.rb
new file mode 100644
index 0000000..51f6802
--- /dev/null
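Review bot: The `case platform[:family]` in the modules packages_spec.rb hunk has no `linux` branch and no `else`, yet the profile's inspec.yml added in this commit lists `arch`, `freebsd` and `amazon` under `supports`; on any of those `package_name` is nil and `package(nil)` raises rather than reporting a readable failure. Either trim `supports` to the families the controls actually handle or add `else raise "unsupported platform family: #{platform[:family]}"` so the gap is explicit. The renamed mod_security_spec.rb hunk just above has the same shape: it gains a `suse` branch but still no fallback, and its `case` starts outside the hunk.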
+++ b/test/integration/modules/controls/server_status_spec.rb
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+control 'apache server_status configuration' do
+ title 'should match desired lines'
+
+ server_status_stanza = <<~SS_STANZA
+
+ SetHandler server-status
+ Require local
+ Require host foo.example.com
+ Require ip 10.8.8.0/24
+
+ SS_STANZA
+
+ confdir =
+ case platform[:family]
+ when 'debian'
+ '/etc/apache2/conf-available'
+ when 'redhat', 'fedora'
+ '/etc/httpd/conf.d'
+ when 'suse'
+ '/etc/apache2/conf.d'
+ # `linux` here is sufficient for `arch`
+ when 'linux'
+ '/etc/httpd/conf/extra'
+ end
+
+ describe file("#{confdir}/server-status.conf") do
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ its('mode') { should cmp '0644' }
+ its('content') { should include '# File managed by Salt' }
+ its('content') { should include server_status_stanza }
+ end
+end
diff --git a/test/integration/modules/controls/services_spec.rb b/test/integration/modules/controls/services_spec.rb
new file mode 100644
index 0000000..3f468e1
--- /dev/null
+++ b/test/integration/modules/controls/services_spec.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+control 'apache service' do
+ impact 0.5
+ title 'should be running and enabled'
+
+ service_name =
+ case platform[:family]
+ when 'debian', 'suse'
+ 'apache2'
+ when 'redhat', 'fedora', 'linux'
+ 'httpd'
+ end
+
+ describe service(service_name) do
+ it { should be_enabled }
+ it { should_not be_running }
+ end
+end
diff --git a/test/integration/modules/inspec.yml b/test/integration/modules/inspec.yml
new file mode 100644
index 0000000..eaa99f2
--- /dev/null
+++ b/test/integration/modules/inspec.yml
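Review bot: `its('content') { should include server_status_stanza }` in the server_status_spec.rb hunk compares a multi-line `<<~` heredoc byte-for-byte with the rendered file, so the common indentation that `<<~` strips, the blank first and last lines of the heredoc, and whatever indentation the template emits all have to agree exactly; a whitespace change in the template fails the control without saying which directive went missing. The `Require local`, `Require host foo.example.com` and `Require ip 10.8.8.0/24` lines are the entire access control on `/server-status`, so each deserves its own assertion with a useful failure message, e.g. `its('content') { should match(/^\s*Require local$/) }` and likewise for the host and ip entries. If the heredoc's empty first and last lines are really an enclosing `<Location>` pair that this page's rendering dropped, that only strengthens the case for per-line matching.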
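Review bot: `title 'should be running and enabled'` in the modules services_spec.rb hunk contradicts the expectation a few lines below, `it { should_not be_running }`, so a failure report would name the opposite of what the control checks. Presumably the service is expected down because test/salt/pillar/modules.sls in this commit sets `manage_service_states: false`; if so, say so in the title, `title 'should be enabled but not running (manage_service_states: false)'`. The default profile's services_spec.rb uses the same control id `'apache service'` with the opposite expectation, which is fine across separate profiles but worth a one-line comment explaining the difference.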
@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+name: modules
+title: apache formula
+maintainer: SaltStack Formulas
+license: Apache-2.0
+summary: Verify that the apache formula manages modules correctly
+supports:
+ - platform-name: debian
+ - platform-name: ubuntu
+ - platform-name: centos
+ - platform-name: fedora
+ - platform-name: opensuse
+ - platform-name: suse
+ - platform-name: freebsd
+ - platform-name: amazon
+ - platform-name: arch
diff --git a/test/salt/pillar/default.sls b/test/salt/pillar/default.sls
index 2701fa1..dc91e2f 100644
--- a/test/salt/pillar/default.sls
+++ b/test/salt/pillar/default.sls
@@ -1,17 +1,3 @@
 # -*- coding: utf-8 -*-
 # vim: ft=yaml
 ---
-apache:
- manage_service_states: false
- mod_security:
- crs_install: true
- manage_config: true
- sec_rule_engine: 'On'
- sec_request_body_access: 'On'
- sec_request_body_limit: '14000000'
- sec_request_body_no_files_limit: '114002'
- sec_request_body_in_memory_limit: '114002'
- sec_request_body_limit_action: 'Reject'
- sec_pcre_match_limit: '15000'
- sec_pcre_match_limit_recursion: '15000'
- sec_debug_log_level: '3'
diff --git a/test/salt/pillar/modules.sls b/test/salt/pillar/modules.sls
new file mode 100644
index 0000000..70eb6eb
--- /dev/null
+++ b/test/salt/pillar/modules.sls
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+apache:
+ manage_service_states: false
+ mod_security:
+ crs_install: true
+ manage_config: true
+ sec_rule_engine: 'On'
+ sec_request_body_access: 'On'
+ sec_request_body_limit: '14000000'
+ sec_request_body_no_files_limit: '114002'
+ sec_request_body_in_memory_limit: '114002'
+ sec_request_body_limit_action: 'Reject'
+ sec_pcre_match_limit: '15000'
+ sec_pcre_match_limit_recursion: '15000'
+ sec_debug_log_level: '3'
+ server_status_require:
+ ip:
+ - 10.8.8.0/24
+ host:
+ - foo.example.com
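Review bot: The `host:` entry under `server_status_require` in the modules.sls hunk renders to a `Require host` directive (that is what the server_status_spec in this commit expects), and Apache validates a hostname rule with a reverse lookup of the client address followed by a forward lookup on every request, so it is both slower and weaker than the `ip:` form; since this fixture doubles as the reference example of the pillar layout, a comment such as `# host entries cost a reverse+forward DNS lookup per request; prefer ip where possible` would steer users. The `mod_security` block is the one removed from default.sls in the hunk above, moved verbatim, so nothing else in it needs re-review.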