From eafa4196d9495bc975c7e1e7036969bdaba1441d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= Date: Mon, 11 May 2020 16:04:40 -0300 Subject: [PATCH 1/3] fix(server-status): manage module in debian --- apache/server_status.sls | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/apache/server_status.sls b/apache/server_status.sls index dc8169f..989100f 100644 --- a/apache/server_status.sls +++ b/apache/server_status.sls @@ -18,3 +18,25 @@ include: - module: apache-restart - module: apache-reload - service: apache + +{% if grains['os_family']=="Debian" %} +a2endisconf server-status: + cmd.run: +{% if apache.get('server_status_require') is defined %} + - name: a2enconf server-status + - unless: test -L /etc/apache2/conf-enabled/server-status.conf +{% else %} + - name: a2disconf server-status + - onlyif: test -L /etc/apache2/conf-enabled/server-status.conf +{% endif %} + - order: 225 + - require: + - pkg: apache + - file: {{ apache.confdir }}/server-status.conf + - watch_in: + - module: apache-restart + - require_in: + - module: apache-restart + - module: apache-reload + - service: apache +{% endif %} From b25362535ae01dd140218b131a8e991d3a10cbe5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= Date: Sat, 18 Jul 2020 13:23:58 -0300 Subject: [PATCH 2/3] test(default+modules): add modules' tests suite --- .../default/controls/config_spec.rb | 17 +++++++ .../default/controls/packages_spec.rb | 23 +++++++++ .../default/controls/services_spec.rb | 15 ++++++ test/integration/modules/README.md | 50 +++++++++++++++++++ .../modules/controls/config_spec.rb | 12 +++++ .../controls/mod_security_spec.rb | 2 +- .../modules/controls/packages_spec.rb | 19 +++++++ .../modules/controls/server_status_spec.rb | 35 +++++++++++++ .../modules/controls/services_spec.rb | 15 ++++++ test/integration/modules/inspec.yml | 18 +++++++ test/salt/pillar/default.sls | 14 ------ test/salt/pillar/modules.sls | 22 ++++++++ 12 files changed, 227 insertions(+), 15 deletions(-) create mode 100644 test/integration/default/controls/config_spec.rb create mode 100644 test/integration/default/controls/packages_spec.rb create mode 100644 test/integration/default/controls/services_spec.rb create mode 100644 test/integration/modules/README.md create mode 100644 test/integration/modules/controls/config_spec.rb rename test/integration/{default => modules}/controls/mod_security_spec.rb (95%) create mode 100644 test/integration/modules/controls/packages_spec.rb create mode 100644 test/integration/modules/controls/server_status_spec.rb create mode 100644 test/integration/modules/controls/services_spec.rb create mode 100644 test/integration/modules/inspec.yml create mode 100644 test/salt/pillar/modules.sls diff --git a/test/integration/default/controls/config_spec.rb b/test/integration/default/controls/config_spec.rb new file mode 100644 index 0000000..dd04579 --- /dev/null +++ b/test/integration/default/controls/config_spec.rb 
@@ -0,0 +1,17 @@ +# frozen_string_literal: true + +control 'apache configuration' do + title 'should match desired lines' + + describe file('/etc/apache2/apache2.conf') do + it { should be_file } + it { should be_owned_by 'root' } + it { should be_grouped_into 'root' } + its('mode') { should cmp '0644' } + its('content') do + should include( + 'This file is managed by Salt! Do not edit by hand!' + ) + end + end +end diff --git a/test/integration/default/controls/packages_spec.rb b/test/integration/default/controls/packages_spec.rb new file mode 100644 index 0000000..92d7d5b --- /dev/null +++ b/test/integration/default/controls/packages_spec.rb @@ -0,0 +1,23 @@ +# frozen_string_literal: true + +# Overide by OS +package_name = 'bash' +package_name = 'cronie' if (os[:name] == 'centos') && os[:release].start_with?('6') + +control 'apache package' do + title 'should be installed' + + package_name = + case platform[:family] + when 'debian', 'suse' + 'apache2' + when 'redhat', 'fedora' + 'httpd' + when 'arch' + 'apache' + end + + describe package(package_name) do + it { should be_installed } + end +end diff --git a/test/integration/default/controls/services_spec.rb b/test/integration/default/controls/services_spec.rb new file mode 100644 index 0000000..11b5381 --- /dev/null +++ b/test/integration/default/controls/services_spec.rb @@ -0,0 +1,15 @@ +# frozen_string_literal: true + +# Overide by OS +service_name = 'apache2' +service_name = 'httpd' if (os[:name] == 'centos') + +control 'apache service' do + impact 0.5 + title 'should be running and enabled' + + describe service(service_name) do + it { should be_enabled } + it { should be_running } + end +end diff --git a/test/integration/modules/README.md b/test/integration/modules/README.md new file mode 100644 index 0000000..2c2c282 --- /dev/null +++ b/test/integration/modules/README.md 
@@ -0,0 +1,50 @@ +# InSpec Profile: `modules` + +This shows the implementation of the `modules` InSpec [profile](https://github.com/inspec/inspec/blob/master/docs/profiles.md). + +## Verify a profile + +InSpec ships with built-in features to verify a profile structure. + +```bash +$ inspec check modules +Summary +------- +Location: modules +Profile: profile +Controls: 4 +Timestamp: 2019-06-24T23:09:01+00:00 +Valid: true + +Errors +------ + +Warnings +-------- +``` + +## Execute a profile + +To run all **supported** controls on a local machine use `inspec exec /path/to/profile`. + +```bash +$ inspec exec modules +.. + +Finished in 0.0025 seconds (files took 0.12449 seconds to load) +8 examples, 0 failures +``` + +## Execute a specific control from a profile + +To run one control from the profile use `inspec exec /path/to/profile --controls name`. + +```bash +$ inspec exec modules --controls package +. + +Finished in 0.0025 seconds (files took 0.12449 seconds to load) +1 examples, 0 failures +``` + +See an [example control here](https://github.com/inspec/inspec/blob/master/examples/profile/controls/example.rb). diff --git a/test/integration/modules/controls/config_spec.rb b/test/integration/modules/controls/config_spec.rb new file mode 100644 index 0000000..96f6c6a --- /dev/null +++ b/test/integration/modules/controls/config_spec.rb @@ -0,0 +1,12 @@ +# frozen_string_literal: true + +control 'apache configuration' do + title 'should be valid' + + describe command('apachectl -t') do + its('stdout') { should eq '' } + its('stderr') { should include 'Syntax OK' } + + its('exit_status') { should eq 0 } + end +end diff --git a/test/integration/default/controls/mod_security_spec.rb b/test/integration/modules/controls/mod_security_spec.rb similarity index 95% rename from test/integration/default/controls/mod_security_spec.rb rename to test/integration/modules/controls/mod_security_spec.rb index 1e59ed2..a585fd8 100644 
--- a/test/integration/default/controls/mod_security_spec.rb +++ b/test/integration/modules/controls/mod_security_spec.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -control 'Apache mod_security configuration' do +control 'apache mod_security configuration' do title 'should match desired lines' modspec_file = diff --git a/test/integration/modules/controls/packages_spec.rb b/test/integration/modules/controls/packages_spec.rb new file mode 100644 index 0000000..f73dceb --- /dev/null +++ b/test/integration/modules/controls/packages_spec.rb @@ -0,0 +1,19 @@ +# frozen_string_literal: true + +control 'apache mod_security package' do + title 'should be installed' + + package_name = + case platform[:family] + when 'debian', 'suse' + 'libapache2-mod-security2' + when 'redhat', 'fedora' + 'mod_security' + when 'suse' + 'apache2-mod_security2' + end + + describe package(package_name) do + it { should be_installed } + end +end diff --git a/test/integration/modules/controls/server_status_spec.rb b/test/integration/modules/controls/server_status_spec.rb new file mode 100644 index 0000000..c851f6e --- /dev/null +++ b/test/integration/modules/controls/server_status_spec.rb 
@@ -0,0 +1,35 @@ +# frozen_string_literal: true + +control 'apache server_status configuration' do + title 'should match desired lines' + + server_status_stanza = <<-SS_STANZA + + SetHandler server-status + Require local + Require host foo.example.com + Require ip 10.8.8.0/24 + +SS_STANZA + + confdir = + case platform[:family] + when 'debian' + '/etc/apache2/conf-available' + when 'redhat', 'fedora' + '/etc/httpd/conf.d' + when 'suse' + '/etc/apache2/conf.d' + when 'arch' + '/etc/httpd/conf/extra' + end + + describe file("#{confdir}/server-status.conf") do + it { should be_file } + it { should be_owned_by 'root' } + it { should be_grouped_into 'root' } + its('mode') { should cmp '0644' } + its('content') { should include '# File managed by Salt' } + its('content') { should include server_status_stanza } + end +end diff --git a/test/integration/modules/controls/services_spec.rb b/test/integration/modules/controls/services_spec.rb new file mode 100644 index 0000000..9a97d7f --- /dev/null +++ b/test/integration/modules/controls/services_spec.rb @@ -0,0 +1,15 @@ +# frozen_string_literal: true + +# Overide by OS +service_name = 'apache2' +service_name = 'httpd' if (os[:name] == 'centos') + +control 'apache service' do + impact 0.5 + title 'should be running and enabled' + + describe service(service_name) do + it { should be_enabled } + it { should_not be_running } + end +end diff --git a/test/integration/modules/inspec.yml b/test/integration/modules/inspec.yml new file mode 100644 index 0000000..eaa99f2 --- /dev/null +++ b/test/integration/modules/inspec.yml 
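Review bot: The control verifies the file under conf-available but never that it was actually enabled, so on Debian a server-status.conf that exists but is not linked into conf-enabled still passes; the symlink is exactly what the `unless: test -L /etc/apache2/conf-enabled/server-status.conf` guard in apache/server_status.sls keys on, so it is the thing a regression in that state would break and should be asserted here. Because the stanza is an access-control list, a negative assertion that nothing wider than the pillar-derived `Require` lines reached the file is also cheap, e.g. `its('content') { should_not include 'Require all granted' }` — it holds trivially if the template never emits that, and catches the one case that matters if it ever does. The third patch only reworks the heredoc and the `arch` branch, so both gaps remain.

```ruby
  describe file("#{confdir}/server-status.conf") do
    # … unchanged: ownership, mode and content assertions …
  end

  if platform[:family] == 'debian'
    describe file('/etc/apache2/conf-enabled/server-status.conf') do
      it { should be_symlink }
    end
  end
```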
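Review bot: The control's `title 'should be running and enabled'` contradicts the expectation a few lines below it, `it { should_not be_running }`, so a passing run reports a contract the test does not check; the third patch keeps both lines as they are. Either the title should describe what is actually asserted, `title 'should be enabled but not running'`, or a one-line comment should say why a stopped service is expected here (the modules pillar sets `manage_service_states: false`, so the formula is not expected to start it). With that pillar value the `should be_enabled` expectation also rests on what the distro package does at install time rather than on the formula; I would expect it to hold on Debian-family images and not necessarily on RPM-based ones, so it is worth confirming on the centos/fedora instances before relying on it.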
@@ -0,0 +1,18 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- +name: modules +title: apache formula +maintainer: SaltStack Formulas +license: Apache-2.0 +summary: Verify that the apache formula manages modules correctly +supports: + - platform-name: debian + - platform-name: ubuntu + - platform-name: centos + - platform-name: fedora + - platform-name: opensuse + - platform-name: suse + - platform-name: freebsd + - platform-name: amazon + - platform-name: arch diff --git a/test/salt/pillar/default.sls b/test/salt/pillar/default.sls index 2701fa1..dc91e2f 100644 --- a/test/salt/pillar/default.sls +++ b/test/salt/pillar/default.sls @@ -1,17 +1,3 @@ # -*- coding: utf-8 -*- # vim: ft=yaml --- -apache: - manage_service_states: false - mod_security: - crs_install: true - manage_config: true - sec_rule_engine: 'On' - sec_request_body_access: 'On' - sec_request_body_limit: '14000000' - sec_request_body_no_files_limit: '114002' - sec_request_body_in_memory_limit: '114002' - sec_request_body_limit_action: 'Reject' - sec_pcre_match_limit: '15000' - sec_pcre_match_limit_recursion: '15000' - sec_debug_log_level: '3' diff --git a/test/salt/pillar/modules.sls b/test/salt/pillar/modules.sls new file mode 100644 index 0000000..70eb6eb --- /dev/null +++ b/test/salt/pillar/modules.sls @@ -0,0 +1,22 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- +apache: + manage_service_states: false + mod_security: + crs_install: true + manage_config: true + sec_rule_engine: 'On' + sec_request_body_access: 'On' + sec_request_body_limit: '14000000' + sec_request_body_no_files_limit: '114002' + sec_request_body_in_memory_limit: '114002' + sec_request_body_limit_action: 'Reject' + sec_pcre_match_limit: '15000' + sec_pcre_match_limit_recursion: '15000' + sec_debug_log_level: '3' + server_status_require: + ip: + - 10.8.8.0/24 + host: + - foo.example.com From 632802a5a946d2f05c40d9038d6f2ad596fafc58 Mon Sep 17 00:00:00 2001 
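Review bot: `supports` declares freebsd, amazon and opensuse, but none of this profile's controls has a branch for a family outside the ones it names: `confdir` in server_status_spec.rb, `package_name` in packages_spec.rb and `service_name` in services_spec.rb all come from a `case platform[:family]` with no `else`, so on an unlisted family they are nil and the resources are built from `"/server-status.conf"`, `package(nil)` and `service(nil)`, which fails with an unrelated-looking error. Either trim `supports` to the families the controls handle, or give each `case` an `else` that fails loudly, e.g. `else raise "unsupported platform family #{platform[:family]}"`. amazon may well resolve to the redhat family in InSpec, I have not checked; freebsd does not.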
From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= Date: Sat, 18 Jul 2020 13:26:39 -0300 Subject: [PATCH 3/3] fix(server-status): enable module in Debian family --- apache/files/server-status.conf.jinja | 4 ++++ apache/server_status.sls | 12 +++------- kitchen.yml | 20 +++++++++++++++- .../default/controls/config_spec.rb | 24 ++++++++++++++++++- .../default/controls/packages_spec.rb | 13 ++++------ .../default/controls/services_spec.rb | 12 ++++++---- .../modules/controls/mod_security_spec.rb | 2 ++ .../modules/controls/packages_spec.rb | 8 +++---- .../modules/controls/server_status_spec.rb | 19 ++++++++------- .../modules/controls/services_spec.rb | 12 ++++++---- 10 files changed, 86 insertions(+), 40 deletions(-) diff --git a/apache/files/server-status.conf.jinja b/apache/files/server-status.conf.jinja index 34984f8..aabddfc 100644 --- a/apache/files/server-status.conf.jinja +++ b/apache/files/server-status.conf.jinja @@ -1,3 +1,7 @@ +######################################################################## +# File managed by Salt at <{{ source }}>. +# Your changes will be overwritten. +######################################################################## SetHandler server-status {%- if apache.version == '2.4' %} diff --git a/apache/server_status.sls b/apache/server_status.sls index 989100f..df757ce 100644 --- a/apache/server_status.sls +++ b/apache/server_status.sls @@ -19,16 +19,10 @@ include: - module: apache-reload - service: apache -{% if grains['os_family']=="Debian" %} -a2endisconf server-status: +{%- if grains['os_family'] == "Debian" %} +a2enconf server-status: cmd.run: -{% if apache.get('server_status_require') is defined %} - - name: a2enconf server-status - - unless: test -L /etc/apache2/conf-enabled/server-status.conf -{% else %} - - name: a2disconf server-status - - onlyif: test -L /etc/apache2/conf-enabled/server-status.conf -{% endif %} + - unless: 'test -L /etc/apache2/conf-enabled/server-status.conf' - order: 225 - require: - pkg: apache 
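Review bot: Dropping the `a2disconf` branch leaves the formula with no way back: once `a2enconf server-status` has run on a Debian host nothing in this state removes the conf-enabled link again, and enabling is no longer tied to any pillar key, so every host that includes `apache.server_status` gets the handler enabled and exposure rests entirely on the `Require` lines rendered from server-status.conf.jinja. If that is the intended contract it should be stated above the state, e.g. `# Debian ships server-status as a conf snippet: the formula always enables it and never disables it; restrict access through server_status_require.` For the record, the removed `apache.get('server_status_require') is defined` test was never a working gate, since a dict's `.get()` returns None and Jinja's `defined` test accepts None, so the pillar-keyed form, should a gate be wanted again, is `{%- if 'server_status_require' in apache %}`. The state also relies on the ID being used as the command; an explicit `- name: a2enconf server-status` under `cmd.run:` would make that visible to the next reader.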
diff --git a/kitchen.yml b/kitchen.yml index b06c77a..dbde110 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -157,7 +157,7 @@ suites: base: '*': - apache - - apache.mod_security + - apache.config pillars: top.sls: base: @@ -168,3 +168,21 @@ suites: verifier: inspec_tests: - path: test/integration/default + - name: modules + provisioner: + state_top: + base: + '*': + - apache + - apache.mod_security + - apache.server_status + pillars: + top.sls: + base: + '*': + - apache + pillars_from_files: + apache.sls: test/salt/pillar/modules.sls + verifier: + inspec_tests: + - path: test/integration/modules diff --git a/test/integration/default/controls/config_spec.rb b/test/integration/default/controls/config_spec.rb index dd04579..cd291b6 100644 --- a/test/integration/default/controls/config_spec.rb +++ b/test/integration/default/controls/config_spec.rb @@ -3,7 +3,19 @@ control 'apache configuration' do title 'should match desired lines' - describe file('/etc/apache2/apache2.conf') do + config_file = + case platform[:family] + when 'debian' + '/etc/apache2/apache2.conf' + when 'redhat', 'fedora' + '/etc/httpd/conf/httpd.conf' + when 'suse' + '/etc/apache2/httpd.conf' + # `linux` here is sufficient for `arch` + when 'linux' + '/etc/httpd/conf/httpd.conf' + end + describe file(config_file) do it { should be_file } it { should be_owned_by 'root' } it { should be_grouped_into 'root' } @@ -15,3 +27,13 @@ control 'apache configuration' do end end end +control 'apache configuration' do + title 'should be valid' + + describe command('apachectl -t') do + its('stdout') { should eq '' } + its('stderr') { should include 'Syntax OK' } + + its('exit_status') { should eq 0 } + end +end diff --git a/test/integration/default/controls/packages_spec.rb b/test/integration/default/controls/packages_spec.rb index 92d7d5b..6e23746 100644 --- a/test/integration/default/controls/packages_spec.rb +++ b/test/integration/default/controls/packages_spec.rb 
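Review bot: The second hunk in test/integration/default/controls/config_spec.rb adds another `control 'apache configuration'` to a file whose first control already carries that exact id; InSpec registers controls by id, and as I read its rule merging a later definition with the same id replaces the earlier one's checks rather than running alongside them, so the file-ownership and mode assertions would silently stop running. Give the new control its own id, `control 'apache configuration syntax' do`, and keep its `title 'should be valid'`. In the first hunk, `config_file` comes from a `case` with no `else`, so an unlisted family reaches `file(nil)`; the packages_spec.rb and services_spec.rb hunks later in this patch have the same shape and would benefit from the same `else` that fails with a clear message.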
@@ -1,20 +1,17 @@ # frozen_string_literal: true -# Overide by OS -package_name = 'bash' -package_name = 'cronie' if (os[:name] == 'centos') && os[:release].start_with?('6') - control 'apache package' do title 'should be installed' package_name = case platform[:family] when 'debian', 'suse' - 'apache2' + 'apache2' when 'redhat', 'fedora' - 'httpd' - when 'arch' - 'apache' + 'httpd' + # `linux` here is sufficient for `arch` + when 'linux' + 'apache' end describe package(package_name) do diff --git a/test/integration/default/controls/services_spec.rb b/test/integration/default/controls/services_spec.rb index 11b5381..a8657e0 100644 --- a/test/integration/default/controls/services_spec.rb +++ b/test/integration/default/controls/services_spec.rb @@ -1,13 +1,17 @@ # frozen_string_literal: true -# Overide by OS -service_name = 'apache2' -service_name = 'httpd' if (os[:name] == 'centos') - control 'apache service' do impact 0.5 title 'should be running and enabled' + service_name = + case platform[:family] + when 'debian', 'suse' + 'apache2' + when 'redhat', 'fedora', 'linux' + 'httpd' + end + describe service(service_name) do it { should be_enabled } it { should be_running } diff --git a/test/integration/modules/controls/mod_security_spec.rb b/test/integration/modules/controls/mod_security_spec.rb index a585fd8..4c0f22d 100644 --- a/test/integration/modules/controls/mod_security_spec.rb +++ b/test/integration/modules/controls/mod_security_spec.rb @@ -9,6 +9,8 @@ control 'apache mod_security configuration' do '/etc/httpd/conf.d/mod_security.conf' when 'debian' '/etc/modsecurity/modsecurity.conf-recommended' + when 'suse' + '/etc/apache2/conf.d/mod_security2.conf' end describe file(modspec_file) do diff --git a/test/integration/modules/controls/packages_spec.rb b/test/integration/modules/controls/packages_spec.rb index f73dceb..ecea095 100644 --- a/test/integration/modules/controls/packages_spec.rb +++ b/test/integration/modules/controls/packages_spec.rb 
@@ -5,12 +5,12 @@ control 'apache mod_security package' do package_name = case platform[:family] - when 'debian', 'suse' - 'libapache2-mod-security2' + when 'debian' + 'libapache2-mod-security2' when 'redhat', 'fedora' - 'mod_security' + 'mod_security' when 'suse' - 'apache2-mod_security2' + 'apache2-mod_security2' end describe package(package_name) do diff --git a/test/integration/modules/controls/server_status_spec.rb b/test/integration/modules/controls/server_status_spec.rb index c851f6e..51f6802 100644 --- a/test/integration/modules/controls/server_status_spec.rb +++ b/test/integration/modules/controls/server_status_spec.rb @@ -3,14 +3,14 @@ control 'apache server_status configuration' do title 'should match desired lines' - server_status_stanza = <<-SS_STANZA - - SetHandler server-status - Require local - Require host foo.example.com - Require ip 10.8.8.0/24 - -SS_STANZA + server_status_stanza = <<~SS_STANZA + + SetHandler server-status + Require local + Require host foo.example.com + Require ip 10.8.8.0/24 + + SS_STANZA confdir = case platform[:family] @@ -20,7 +20,8 @@ SS_STANZA '/etc/httpd/conf.d' when 'suse' '/etc/apache2/conf.d' - when 'arch' + # `linux` here is sufficient for `arch` + when 'linux' '/etc/httpd/conf/extra' end diff --git a/test/integration/modules/controls/services_spec.rb b/test/integration/modules/controls/services_spec.rb index 9a97d7f..3f468e1 100644 --- a/test/integration/modules/controls/services_spec.rb +++ b/test/integration/modules/controls/services_spec.rb @@ -1,13 +1,17 @@ # frozen_string_literal: true -# Overide by OS -service_name = 'apache2' -service_name = 'httpd' if (os[:name] == 'centos') - control 'apache service' do impact 0.5 title 'should be running and enabled' + service_name = + case platform[:family] + when 'debian', 'suse' + 'apache2' + when 'redhat', 'fedora', 'linux' + 'httpd' + end + describe service(service_name) do it { should be_enabled } it { should_not be_running }