project start

arlimus · arlimus · commit f0de42996b32 · 2015-05-13T22:43:45.000+02:00
Signed-off-by: Dominik Richter &lt;dominik.richter@gmail.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,5 @@
+**/.librarian
+**/.tmp
+**/Puppetfile.lock
+Gemfile.lock
+Berksfile.lock
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -0,0 +1,28 @@
+---
+AllCops:
+  Exclude:
+  - vendor/**/*
+  - "*/puppet/Puppetfile"
+  - "*/puppet/.tmp/**/*"
+Documentation:
+  Enabled: false
+AlignParameters:
+  Enabled: true
+Encoding:
+  Enabled: true
+HashSyntax:
+  Enabled: true
+LineLength:
+  Enabled: false
+EmptyLinesAroundBlockBody:
+  Enabled: false
+MethodLength:
+  Max: 40
+NumericLiterals:
+  MinDigits: 10
+Metrics/CyclomaticComplexity:
+  Max: 10
+Metrics/PerceivedComplexity:
+  Max: 10
+Metrics/AbcSize:
+  Max: 29
diff --git a/.travis.yml b/.travis.yml
@@ -0,0 +1,4 @@
+rvm:
+  - 1.9.3
+  - 2.0.0
+language: ruby
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1 @@
+# Changelog
diff --git a/Gemfile b/Gemfile
@@ -0,0 +1,8 @@
+# encoding: utf-8
+
+source 'https://rubygems.org'
+
+gem 'rake'
+gem 'serverspec', '~> 2.17.0'
+gem 'rubocop',    '~> 0.31'
+gem 'highline', '~> 1.7.0'
diff --git a/README.md b/README.md
@@ -0,0 +1,47 @@
+# Tests for PHP hardening
+
+This is currently in development! Please come back later.
+
+
+## Standalone Usage
+
+You can target the integration tests to any host were you have ssh access
+
+rake -T gives you a list of suites you can run (well ignore directories which are obviously not suites for now)
+
+```
+± rake -T
+rake serverspec:data_bags  # Run serverspec suite data_bags
+rake serverspec:default    # Run serverspec suite default
+```
+
+run it with:
+
+```
+bundle install
+
+# default user and ssh-key
+
+bundle exec rake serverspec:default target_host=<name-or-ip-of-target-server>
+
+# or with user, host, password
+
+ASK_LOGIN_PASSWORD=true bundle exec rake serverspec:default target_host=192.168.1.222 user=stack
+```
+
+add `format=html|json` to get a report.html or report.json document
+
+
+## License
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/Rakefile b/Rakefile
@@ -0,0 +1,46 @@
+# encoding: utf-8
+
+require 'rake'
+require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+
+# Rubocop
+desc 'Run Rubocop lint checks'
+task :rubocop do
+  RuboCop::RakeTask.new
+end
+
+# Lint the cookbook
+desc 'Run linters'
+task :run_all_linters => [:rubocop] # rubocop:disable Style/HashSyntax
+task :default => :run_all_linters # rubocop:disable Style/HashSyntax
+
+# Serverspec tests
+suites = Dir.glob('*').select { |entry| File.directory?(entry) }
+
+class ServerspecTask < RSpec::Core::RakeTask
+  attr_accessor :target
+
+  def spec_command
+    if target.nil?
+      puts 'specify either env TARGET_HOST or target_host='
+      exit 1
+    end
+
+    cmd = super
+    "env TARGET_HOST=#{target} STANDALONE_SPEC=true #{cmd}  --format documentation --no-profile"
+  end
+end
+
+namespace :serverspec do
+  suites.each do |suite|
+    desc "Run serverspec suite #{suite}"
+    ServerspecTask.new(suite.to_sym) do |t|
+      t.rspec_opts = '--no-color --format html --out report.html' if ENV['format'] == 'html'
+      t.rspec_opts = '--no-color --format json --out report.json' if ENV['format'] == 'json'
+      t.target = ENV['TARGET_HOST'] || ENV['target_host']
+      t.ruby_opts = "-I #{suite}/serverspec"
+      t.pattern = "#{suite}/serverspec/*_spec.rb"
+    end
+  end
+end
diff --git a/default/serverspec/phpconf_spec.rb b/default/serverspec/phpconf_spec.rb
@@ -0,0 +1,131 @@
+# encoding: utf-8
+# Copyright 2015, Dominik Richter
+# License: Apache v2
+
+require 'spec_helper'
+
+describe 'PHP config parameters' do
+  # Some things we don't do:
+  # * safe_mode
+  #   reason: deprecated
+  #   see: http://php.net/manual/de/features.safe-mode.php
+
+  # Base configuration
+
+  context php_config('open_basedir') do
+    its(:value) { should eq '/srv/http/:/home/:/tmp/:/usr/share/pear/:/usr/share/webapps/' }
+  end
+
+  # Time / Memory Quota
+
+  context php_config('max_execution_time') do
+    its(:value) { should eq 30 }
+  end
+
+  context php_config('max_input_nesting_level') do
+    its(:value) { should eq 64 }
+  end
+
+  context php_config('memory_limit') do
+    its(:value) { should eq '128M' }
+  end
+
+  context php_config('post_max_size') do
+    its(:value) { should eq '8M' }
+  end
+
+  # PHP Capabilities
+
+  # TODO: do we have a recommended minimum-set?
+  context php_config('disable_functions') do
+    its(:value) { should eq 'php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abord, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpaththru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix, _getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo' }
+  end
+
+  # TODO: do we have a recommended minimum-set?
+  context php_config('disable_classes') do
+    its(:value) { should eq '...' }
+  end
+
+  context php_config('register_globals') do
+    its(:value) { should eq 'Off' }
+  end
+
+  context php_config('expose_php') do
+    its(:value) { should eq 'Off' }
+  end
+
+  context php_config('enable_dl') do
+    its(:value) { should eq 'Off' }
+  end
+
+  context php_config('default_charset') do
+    its(:value) { should eq 'utf-8' }
+  end
+
+  context php_config('default_mimetype') do
+    its(:value) { should eq 'text/html' }
+  end
+
+  # removed as of PHP5.4, so...
+  # remove these test?
+  context php_config('magic_quotes_gpc') do
+    its(:value) { should eq nil}
+  end
+  context php_config('magic_quotes_sybase') do
+    its(:value) { should eq nil}
+  end
+
+  # # removed // how to test this?
+  # context php_config('magic_quotes_runtime') do
+  #   its(:value) { should eq 'Off'}
+  # end
+
+  # Upload / Open
+
+  context php_config('allow_url_fopen') do
+    its(:value) { should eq 'Off' }
+  end
+
+  context php_config('allow_url_include') do
+    its(:value) { should eq 'Off' }
+  end
+
+  context php_config('file_uploads') do
+    its(:value) { should eq 'Off' }
+  end
+
+  # Alternative: restrict upload maximum to prevent
+  # system overload:
+  # upload_tmp_dir = /var/php_tmp
+  # upload_max_filezize = 10M
+
+  # Log // Information Disclosure
+
+  context php_config('display_errors') do
+    its(:value) { should eq 'Off' }
+  end
+
+  context php_config('display_startup_errors') do
+    its(:value) { should eq 'Off' }
+  end
+
+  context php_config('log_errors') do
+    its(:value) { should eq 'On' }
+  end
+
+  # Session Handling
+
+  context php_config('session.save_path') do
+    its(:value) { should eq '/var/lib/php' }
+  end
+
+  context php_config('session.cookie_httponly') do
+    its(:value) { should eq 1 }
+  end
+
+  # Mail
+
+  context php_config('mail.add_x_header') do
+    its(:value) { should eq 'Off' }
+
+end
diff --git a/default/serverspec/spec_helper.rb b/default/serverspec/spec_helper.rb
@@ -0,0 +1,63 @@
+# encoding: utf-8
+#
+# Copyright 2014, Deutsche Telekom AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+if ENV['STANDALONE_SPEC']
+
+  require 'serverspec'
+  require 'pathname'
+  require 'net/ssh'
+  require 'highline/import'
+
+  set :backend, :ssh
+
+  RSpec.configure do |c|
+
+    if ENV['ASK_SUDO_PASSWORD']
+      c.sudo_password = ask('Enter sudo password: ') { |q| q.echo = false }
+    else
+      c.sudo_password = ENV['SUDO_PASSWORD']
+    end
+
+    options = {}
+
+    if ENV['ASK_LOGIN_PASSWORD']
+      options[:password] = ask("\nEnter login password: ") { |q| q.echo = false }
+    else
+      options[:password] = ENV['LOGIN_PASSWORD']
+    end
+
+    if ENV['ASK_LOGIN_USERNAME']
+      options[:user] = ask("\nEnter login username: ") { |q| q.echo = false }
+    else
+      options[:user] = ENV['LOGIN_USERNAME'] || ENV['user'] || Etc.getlogin
+    end
+
+    if options[:user].nil?
+      puts 'specify login user env LOGIN_USERNAME= or user='
+      exit 1
+    end
+
+    c.host = ENV['TARGET_HOST']
+    c.ssh_options = options.merge(Net::SSH::Config.for(c.host))
+
+  end
+
+else
+  require 'serverspec'
+
+  set :backend, :exec
+end

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +rvm:
 +  - 1.9.3
 +  - 2.0.0
 +language: ruby