
added kitchen test for secure-auth optionen and updated requirement number #12


Merged
merged 4 commits into from
Aug 11, 2014
Merged
45 changes: 25 additions & 20 deletions default/serverspec/mysql_spec.rb
@@ -69,49 +69,49 @@

describe 'Checking MySQL-databases for risky entries' do

# Req. 294 (keine Community-version)
# SEC: Req 3.24-1 (keine Community-version)
describe command("mysql -uroot -p#{ENV['mysql_password']} mysql -s -e 'select version();' | tail -1") do
its(:stdout) { should_not match(/Community/) }
end

# Req. 296 (version > 5)
# SEC: Req 3.24-1 (version > 5)
describe command("mysql -uroot -p#{ENV['mysql_password']} mysql -s -e 'select substring(version(),1,1);' | tail -1") do
its(:stdout) { should match(/^5/) }
end

# Req. 297 (keine default-datenbanken)
# SEC: Req 3.24-2 (keine default-datenbanken)
describe command("mysql -uroot -p#{ENV['mysql_password']} -s -e 'show databases like \"test\";'") do
its(:stdout) { should_not match(/test/) }
end

# Req. 298 (keine anonymous-benutzer)
# SEC: Req 3.24-3 (keine anonymous-benutzer)
describe command("mysql -uroot -p#{ENV['mysql_password']} mysql -s -e 'select count(*) from mysql.user where user=\"\";' | tail -1") do
its(:stdout) { should match(/^0/) }
end

# Req. 300 (keine benutzerkonten ohne kennwort)
# SEC: Req 3.24-5 (keine benutzerkonten ohne kennwort)
describe command("mysql -uroot -p#{ENV['mysql_password']} mysql -s -e 'select count(*) from mysql.user where length(password)=0 or password=\"\";' | tail -1") do
its(:stdout) { should match(/^0/) }
end

# Req. 317 (no grant privileges)
# SEC: Req 3.24-23 (no grant privileges)
describe command("mysql -uroot -p#{ENV['mysql_password']} mysql -s -e 'select count(*) from mysql.user where grant_priv=\"y\" and User!=\"root\" and User!=\"debian-sys-maint\";' | tail -1") do
its(:stdout) { should match(/^0/) }
end

# Req. 321 (keine host-wildcards)
# SEC: Req 3.24-27 (keine host-wildcards)
describe command("mysql -uroot -p#{ENV['mysql_password']} mysql -s -e 'select count(*) from mysql.user where host=\"%\"' | tail -1") do
its(:stdout) { should match(/^0/) }
end

# Req. 322 (root-login nur von localhost)
# SEC: Req 3.24-28 (root-login nur von localhost)
describe command("mysql -uroot -p#{ENV['mysql_password']} mysql -s -e 'select count(*) from mysql.user where user=\"root\" and host not in (\"localhost\",\"127.0.0.1\",\"::1\")' | tail -1") do
its(:stdout) { should match(/^0/) }
end

end

# Req. 299 (nur eine instanz pro server)
# SEC: Req 3.24-4 (nur eine instanz pro server)
describe 'Req. 299: check for multiple instances' do
describe command('ps aux | grep mysqld | egrep -v "grep|mysqld_safe|logger" | wc -l') do
its(:stdout) { should match(/^1$/) }
@@ -120,55 +120,60 @@

describe 'Parsing configfiles for unwanted entries' do

# Req. 301 (safe-user-create = 1)
# SEC: Req 3.24-6 (safe-user-create = 1)
describe file(tmp_config_file) do
its(:content) { should match_key_value('safe-user-create', '1') }
end

# Req. 302 (no old_passwords)
# SEC: Req 3.24-7 (no old_passwords)
describe file(tmp_config_file) do
its(:content) { should_not match_key_value('old_passwords', '1') }
end

# Req. 305 (user = mysql)
# SEC: Req 3.24-8 (secure-auth = 1)
describe file(tmp_config_file) do
its(:content) { should match_key_value('secure-auth', '1') }
end

# SEC: Req 3.24-11 (user = mysql)
describe file(tmp_config_file) do
its(:content) { should match_key_value('user', 'mysql') }
end

# Req. 307 (skip-symbolic-links = 1)
# SEC: Req 3.24-13 (skip-symbolic-links = 1)
describe file(tmp_config_file) do
its(:content) { should match_key_value('skip-symbolic-links', '1') }
end

# Req. 309 (secure-file-priv)
# SEC: Req 3.24-15 (secure-file-priv)
describe file(tmp_config_file) do
its(:content) { should match(/^\s*?secure-file-priv/) }
end

# Req. 310 (local-infile = 0)
# SEC: Req 3.24-16 (local-infile = 0)
describe file(tmp_config_file) do
its(:content) { should match_key_value('local-infile', '0') }
end

# Req. 315 (skip-show-database)
# SEC: Req 3.24-21 (skip-show-database)
describe file(tmp_config_file) do
its(:content) { should match(/^\s*?skip-show-database/) }
end

# Req. 316 (skip-grant-tables)
# SEC: Req 3.24-22 (skip-grant-tables)
describe file(tmp_config_file) do
its(:content) { should_not match(/^\s*?skip-grant-tables/) }
end

# Req. 320 (kein "allow-suspicious-udfs")
# SEC: Req 3.24-26 (kein "allow-suspicious-udfs")
describe file(tmp_config_file) do
its(:content) { should match_key_value('allow-suspicious-udfs', '0') }
end

end

# Req. 311, 312, 313
describe 'Req. 311, 312, 313: Mysql-data owner, group and permissions' do
# SEC: Req 3.24-17, SEC: Req 3.24-18, SEC: Req 3.24-19
describe 'SEC: Req 3.24-17, SEC: Req 3.24-18, SEC: Req 3.24-19: Mysql-data owner, group and permissions' do

describe file(mysql_data_path) do
it { should be_directory }