migrate from Serverspec to InSpec

.rubocop.yml

@@ -4,12 +4,11 @@ AllCops:
   - vendor/**/*
   - "*/puppet/Puppetfile"
   - "*/puppet/.tmp/**/*"
+  TargetRubyVersion: 1.9
 Documentation:
   Enabled: false
 AlignParameters:
   Enabled: true
-Encoding:
-  Enabled: true
 HashSyntax:
   Enabled: true
 LineLength:
@@ -20,9 +19,11 @@ MethodLength:
   Max: 40
 NumericLiterals:
   MinDigits: 10
+Metrics/BlockLength:
+  Max: 35
 Metrics/CyclomaticComplexity:
   Max: 10
 Metrics/PerceivedComplexity:
   Max: 10
 Metrics/AbcSize:
-  Max: 29
+  Max: 30

.travis.yml

@@ -1,5 +1,10 @@
-rvm:
-  - 1.9.3
-  - 2.0.0
+---
 language: ruby
-script: bundle exec rake run_all_linters
+cache: bundler
+rvm:
+  - 2.0
+  - 2.2
+  - 2.3.1
+
+bundler_args: --without integration
+script: bundle exec rake

Gemfile

@@ -1,8 +1,11 @@
-# encoding: utf-8
-
 source 'https://rubygems.org'
 
 gem 'rake'
-gem 'serverspec', '~> 2.3.0'
-gem 'rubocop',    '~> 0.23'
+gem 'rack', '1.6.4'
+gem 'inspec', '~> 1'
+gem 'rubocop', '~> 0.44.0'
 gem 'highline', '~> 1.6.0'
+
+group :tools do
+  gem 'github_changelog_generator', '~> 1.12.0'
+end

README.md

@@ -1,43 +1,45 @@
-tests-mysql-hardening
+DevSec MySQl Baseline
 =====================
 
-This are the integration tests for the projects
+This Compliance Profile ensures, that all hardening projects keep the same quality.
 
-- https://github.com/hardening-io/puppet-mysql-hardening
-- https://github.com/hardening-io/chef-mysql-hardening
-
-they start at `integration` level
-
-you can use the gem `kitchen-sharedtests`
-
-- https://github.com/ehaselwanter/kitchen-sharedtests/
-
-to make them available to your project. Use `thor kitchen:fetch-remote-tests` to put the repo into `test/integration`
+- https://github.com/dev-sec/ansible-mysql-hardening
+- https://github.com/dev-sec/chef-mysql-hardening
+- https://github.com/dev-sec/puppet-mysql-hardening
 
 ## Standalone Usage
 
-you can target the integration tests to any host were you have ssh access
-
-rake -T gives you a list of suites you can run (well ignore directories which are obviously not suites for now)
+This Compliance Profile requires [InSpec](https://github.com/chef/inspec) for execution:
 
 ```
-± rake -T
-rake serverspec:default    # Run serverspec suite default
+$ git clone https://github.com/dev-sec/mysql-baseline
+$ inspec exec mysql-baseline
 ```
 
-run it with:
+You can also execute the profile directly from Github:
 
 ```
-bundle install
+$ inspec exec https://github.com/dev-sec/mysql-baseline
+```
 
-# default user and ssh-key
+## License and Author
 
-bundle exec rake serverspec:default target_host=<name-or-ip-of-target-server>
+* Author:: Edmund Haselwanter <me@ehaselwanter.com>
+* Author:: Dominik Richter <dominik.richter@googlemail.com>
+* Author:: Patrick Muench <patrick.muench1111@googlemail.com>
+* Author:: Christoph Hartmann <chris@lollyrock.com>
 
-# or with user, host, password
+* Copyright 2014, Deutsche Telekom AG
+* Copyright 2014-2016, The Hardening Framework Team
 
-ASK_LOGIN_PASSWORD=true bundle exec rake serverspec:default target_host=192.168.1.222 user=stack
-```
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
 
-add `format=html|json` to get a report.html or report.json document
+    http://www.apache.org/licenses/LICENSE-2.0
 
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

Rakefile

@@ -1,7 +1,7 @@
+#!/usr/bin/env rake
 # encoding: utf-8
 
-require 'rake'
-require 'rspec/core/rake_task'
+require 'rake/testtask'
 require 'rubocop/rake_task'
 
 # Rubocop
@@ -10,37 +10,33 @@ task :rubocop do
   RuboCop::RakeTask.new
 end
 
-# Lint the cookbook
-desc 'Run linters'
-task :run_all_linters => [:rubocop] # rubocop:disable Style/HashSyntax
-task :default => :run_all_linters # rubocop:disable Style/HashSyntax
+# lint the project
+desc 'Run robocop linter'
+task lint: [:rubocop]
 
-# Serverspec tests
-suites = Dir.glob('*').select { |entry| File.directory?(entry) }
+# run tests
+task default: [:lint, 'test:check']
 
-class ServerspecTask < RSpec::Core::RakeTask
-  attr_accessor :target
-
-  def spec_command
-    if target.nil?
-      puts 'specify either env TARGET_HOST or target_host='
-      exit 1
-    end
-
-    cmd = super
-    "env TARGET_HOST=#{target} STANDALONE_SPEC=true #{cmd}  --format documentation --no-profile"
+namespace :test do
+  # run inspec check to verify that the profile is properly configured
+  task :check do
+    dir = File.join(File.dirname(__FILE__))
+    sh("bundle exec inspec check #{dir}")
   end
 end
 
-namespace :serverspec do
-  suites.each do |suite|
-    desc "Run serverspec suite #{suite}"
-    ServerspecTask.new(suite.to_sym) do |t|
-      t.rspec_opts = '--no-color --format html --out report.html' if ENV['format'] == 'html'
-      t.rspec_opts = '--no-color --format json --out report.json' if ENV['format'] == 'json'
-      t.target = ENV['TARGET_HOST'] || ENV['target_host']
-      t.ruby_opts = "-I #{suite}/serverspec"
-      t.pattern = "#{suite}/serverspec/*_spec.rb"
-    end
+# Automatically generate a changelog for this project. Only loaded if
+# the necessary gem is installed. By default its picking up the version from
+# inspec.yml. You can override that behavior with s`rake changelog to=1.2.0`
+begin
+  require 'yaml'
+  metadata = YAML.load_file('inspec.yml')
+  v = ENV['to'] || metadata['version']
+  puts "Generate changelog for version #{v}"
+  require 'github_changelog_generator/task'
+  GitHubChangelogGenerator::RakeTask.new :changelog do |config|
+    config.future_release = v
   end
+rescue LoadError
+  puts '>>>>> GitHub Changelog Generator not loaded, omitting tasks'
 end

controls/mysql_spec.rb

@@ -0,0 +1,155 @@
+# encoding: utf-8
+#
+# Copyright 2014, Deutsche Telekom AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+user = attribute('User', description: 'MySQL database user', default: 'root', required: true)
+pass = attribute('Password', description: 'MySQL database password', default: 'iloverandompasswordsbutthiswilldo', required: true)
+
+mysql_hardening_file = '/etc/mysql/conf.d/hardening.cnf'
+
+# set OS-dependent filenames and paths
+case os[:family]
+when 'ubuntu', 'debian'
+  mysql_config_file = '/etc/mysql/my.cnf' # rubocop:disable Lint/UselessAssignment
+  mysql_config_path = '/etc/mysql/'
+  mysql_data_path = '/var/lib/mysql/'
+  mysql_log_path = '/var/log/'
+  mysql_log_file = 'mysql.log'
+  mysql_log_group = 'adm'
+  mysql_log_dir_group = 'root'
+  mysql_log_dir_group = 'syslog' if os[:release] == '14.04'
+  service_name = 'mysql'
+when 'redhat', 'fedora'
+  mysql_config_file = '/etc/my.cnf' # rubocop:disable Lint/UselessAssignment
+  mysql_config_path = '/etc/'
+  mysql_data_path = '/var/lib/mysql/'
+  mysql_log_path = '/var/log/'
+  mysql_log_file = 'mysqld.log'
+  mysql_log_group = 'mysql'
+  mysql_log_dir_group = 'root'
+  service_name = 'mysqld'
+end
+
+describe service(service_name) do
+  it { should be_enabled }
+  it { should be_running }
+end
+
+# Checking MySQL-databases for risky entries
+describe command("mysql -u#{user} -p#{pass} mysql -s -e 'select version();' | tail -1") do
+  its(:stdout) { should_not match(/Community/) }
+end
+
+describe command("mysql -u#{user} -p#{pass} mysql -s -e 'select substring(version(),1,1);' | tail -1") do
+  its(:stdout) { should match(/^5/) }
+end
+
+describe command("mysql -u#{user} -p#{pass} -s -e 'show databases like \"test\";'") do
+  its(:stdout) { should_not match(/test/) }
+end
+
+describe command("mysql -u#{user} -p#{pass} mysql -s -e 'select count(*) from mysql.user where user=\"\";' | tail -1") do
+  its(:stdout) { should match(/^0/) }
+end
+
+describe command("mysql -u#{user} -p#{pass} mysql -s -e 'select count(*) from mysql.user where length(password)=0 or password=\"\";' | tail -1") do
+  its(:stdout) { should match(/^0/) }
+end
+
+describe command("mysql -u#{user} -p#{pass} mysql -s -e 'select count(*) from mysql.user where grant_priv=\"y\" and User!=\"root\" and User!=\"debian-sys-maint\";' | tail -1") do
+  its(:stdout) { should match(/^0/) }
+end
+
+describe command("mysql -u#{user} -p#{pass} mysql -s -e 'select count(*) from mysql.user where host=\"%\"' | tail -1") do
+  its(:stdout) { should match(/^0/) }
+end
+
+describe command("mysql -u#{user} -p#{pass} mysql -s -e 'select count(*) from mysql.user where user=\"root\" and host not in (\"localhost\",\"127.0.0.1\",\"::1\")' | tail -1") do
+  its(:stdout) { should match(/^0/) }
+end
+
+# 'Check for multiple instances' do
+describe command('ps aux | grep mysqld | egrep -v "grep|mysqld_safe|logger" | wc -l') do
+  its(:stdout) { should match(/^1$/) }
+end
+
+# Parsing configfiles for unwanted entries
+describe mysql_conf.params('mysqld') do
+  its('safe-user-create') { should cmp 1 }
+  its('old_passwords') { should_not cmp 1 }
+  its('secure-auth') { should cmp 1 }
+  its('user') { should cmp 'mysql' }
+  its('skip-symbolic-links') { should cmp 1 }
+  its('secure-file-priv') { should_not eq nil }
+  its('local-infile') { should cmp 0 }
+  its('skip-show-database') { should eq '' }
+  its('skip-grant-tables') { should eq nil }
+  its('allow-suspicious-udfs') { should cmp 0 }
+end
+
+# binding.pry
+
+# 'Mysql-config: owner, group and permissions'
+describe file(mysql_data_path) do
+  it { should be_directory }
+  it { should be_owned_by 'mysql' }
+  it { should be_grouped_into 'mysql' }
+end
+
+describe file("#{mysql_data_path}/ibdata1") do
+  it { should be_owned_by 'mysql' }
+  it { should be_grouped_into 'mysql' }
+  it { should_not be_readable.by('others') }
+  it { should_not be_writable.by('others') }
+  it { should_not be_executable.by('others') }
+end
+
+describe file(mysql_log_path) do
+  it { should be_directory }
+  it { should be_owned_by 'root' }
+  it { should be_grouped_into mysql_log_dir_group }
+end
+
+describe file("#{mysql_log_path}/#{mysql_log_file}") do
+  it { should be_owned_by 'mysql' }
+  it { should be_grouped_into mysql_log_group }
+  it { should_not be_readable.by('others') }
+  it { should_not be_writable.by('others') }
+  it { should_not be_executable.by('others') }
+end
+
+describe file(mysql_config_path) do
+  it { should be_directory }
+  it { should be_owned_by 'root' }
+  it { should be_grouped_into 'root' }
+  it { should be_owned_by 'root' }
+  it { should be_grouped_into 'root' }
+  it { should_not be_readable.by('others') }
+end
+
+# test this only if we have a mysql_hardening_file
+if command("ls #{mysql_hardening_file}").exit_status.zero?
+  describe file(mysql_hardening_file) do
+    it { should be_owned_by 'mysql' }
+    it { should be_grouped_into 'root' }
+    it { should_not be_readable.by('others') }
+  end
+end
+
+# 'Mysql environment'
+describe command('env') do
+  its(:stdout) { should_not match(/^MYSQL_PWD=/) }
+end