Merge branch 'master' into optional_tests

chris-rock · web-flow · commit fc4323712a9b · 2018-11-21T11:24:38.000+01:00
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,42 @@
+---
+name: Bug report
+about: Create a report to help us improve
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Actual behavior**
+<!--- Paste verbatim command output between quotes -->
+```paste below
+
+```
+
+**Example code**
+<!--- Paste an example code that can be used to reproduce the problem between quotes -->
+```paste below
+
+```
+
+**OS / Environment**
+
+<!--- Provide all relevant information below, e.g. target OS versions, network device firmware, etc. -->
+
+**Inspec Version**
+<!--- Paste verbatim output from "inspec --version" between quotes -->
+```paste below
+
+```
+
+**Baseline Version**
+<!--- Paste version or git commit of the baseline between quotes -->
+```paste below
+
+```
+
+**Additional context**
+Add any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,17 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/controls/nginx_spec.rb b/controls/nginx_spec.rb
@@ -92,12 +92,11 @@
 end
 
 # determine all required paths
-nginx_path      = '/etc/nginx'
-nginx_conf      = File.join(nginx_path, 'nginx.conf')
-nginx_confd     = File.join(nginx_path, 'conf.d')
-nginx_enabled   = File.join(nginx_path, 'sites-enabled')
-nginx_hardening = File.join(nginx_confd, '90.hardening.conf')
-conf_paths      = [nginx_conf, nginx_hardening]
+nginx_path          = '/etc/nginx'
+nginx_conf          = File.join(nginx_path, 'nginx.conf')
+nginx_confd         = File.join(nginx_path, 'conf.d')
+nginx_enabled       = File.join(nginx_path, 'sites-enabled')
+nginx_parsed_config = command('nginx -T').stdout
 
 options = {
   assignment_regex: /^\s*([^:]*?)\s*\ \s*(.*?)\s*;$/
@@ -148,12 +147,6 @@
   describe file(File.join(nginx_enabled, 'default')) do
     it { should_not be_file }
   end
-
-  conf_paths.each do |conf_path|
-    describe file(conf_path) do
-      it { should be_file }
-    end
-  end
 end
 
 control 'nginx-04' do
@@ -169,7 +162,7 @@
   impact 1.0
   title 'Disable server_tokens directive'
   desc 'Disables emitting nginx version in error messages and in the “Server” response header field.'
-  describe parse_config_file(nginx_conf, options) do
+  describe parse_config(nginx_parsed_config, options) do
     its('server_tokens') { should eq 'off' }
   end
 end
@@ -178,16 +171,16 @@
   impact 1.0
   title 'Prevent buffer overflow attacks'
   desc 'Buffer overflow attacks are made possible by writing data to a buffer and exceeding that buffer boundary and overwriting memory fragments of a process. To prevent this in nginx we can set buffer size limitations for all clients.'
-  describe parse_config_file(nginx_conf, options) do
+  describe parse_config(nginx_parsed_config, options) do
     its('client_body_buffer_size') { should eq CLIENT_BODY_BUFFER_SIZE }
   end
-  describe parse_config_file(nginx_conf, options) do
+  describe parse_config(nginx_parsed_config, options) do
     its('client_max_body_size') { should eq CLIENT_MAX_BODY_SIZE }
   end
-  describe parse_config_file(nginx_hardening, options) do
+  describe parse_config(nginx_parsed_config, options) do
     its('client_header_buffer_size') { should eq CLIENT_HEADER_BUFFER_SIZE }
   end
-  describe parse_config_file(nginx_hardening, options) do
+  describe parse_config(nginx_parsed_config, options) do
     its('large_client_header_buffers') { should eq LARGE_CLIENT_HEADER_BUFFER }
   end
 end
@@ -196,10 +189,10 @@
   impact 1.0
   title 'Control simultaneous connections'
   desc 'NginxHttpLimitZone module to limit the number of simultaneous connections for the assigned session or as a special case, from one IP address.'
-  describe parse_config_file(nginx_hardening, options) do
+  describe parse_config(nginx_parsed_config, options) do
     its('limit_conn_zone') { should eq '$binary_remote_addr zone=default:10m' }
   end
-  describe parse_config_file(nginx_hardening, options) do
+  describe parse_config(nginx_parsed_config, options) do
     its('limit_conn') { should eq 'default 5' }
   end
 end
@@ -208,7 +201,7 @@
   impact 1.0
   title 'Prevent clickjacking'
   desc 'Do not allow the browser to render the page inside an frame or iframe.'
-  describe parse_config_file(nginx_hardening, options_add_header) do
+  describe parse_config(nginx_parsed_config, options_add_header) do
     its('add_header') { should include 'X-Frame-Options SAMEORIGIN' }
   end
 end
@@ -217,7 +210,7 @@
   impact 1.0
   title 'Enable Cross-site scripting filter'
   desc 'This header is used to configure the built in reflective XSS protection. This tells the browser to block the response if it detects an attack rather than sanitising the script.'
-  describe parse_config_file(nginx_hardening, options_add_header) do
+  describe parse_config(nginx_parsed_config, options_add_header) do
     its('add_header') { should include 'X-XSS-Protection "1; mode=block"' }
   end
 end
@@ -226,7 +219,7 @@
   impact 1.0
   title 'Disable content-type sniffing'
   desc 'It prevents browser from trying to mime-sniff the content-type of a response away from the one being declared by the server. It reduces exposure to drive-by downloads and the risks of user uploaded content that, with clever naming, could be treated as a different content-type, like an executable.'
-  describe parse_config_file(nginx_hardening, options_add_header) do
+  describe parse_config(nginx_parsed_config, options_add_header) do
     its('add_header') { should include 'X-Content-Type-Options nosniff' }
   end
 end
@@ -236,22 +229,21 @@
   title 'TLS Protocols'
   desc 'When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the client\'s preference is used. If this directive is enabled, the server\'s preference will be used instead.'
   ref 'SSL Hardening config', url: 'https://mozilla.github.io/server-side-tls/ssl-config-generator/'
-  describe file(nginx_hardening) do
-    its('content') { should match(/^\s*ssl_protocols TLSv1.2;$/) }
-    its('content') { should match(/^\s*ssl_session_tickets off;$/) }
-    its('content') { should match(/^\s*ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';$/) }
-    its('content') { should match(/^\s*ssl_prefer_server_ciphers on;$/) }
-    its('content') { should match(%r{^\s*ssl_dhparam /etc/nginx/dh2048.pem;$}) }
-    # its('content') { should match(/^\s*ssl on;$/) }
+  describe parse_config(nginx_parsed_config, options) do
+    its('ssl_protocols') { should eq 'TLSv1.2' }
+    its('ssl_session_tickets') { should eq 'off' }
+    its('ssl_ciphers') { should eq '\'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256\'' }
+    its('ssl_prefer_server_ciphers') { should eq 'on' }
+    its('ssl_dhparam') { should eq '/etc/nginx/dh2048.pem' }
   end
 end
 
 control 'nginx-13' do
   impact 1.0
   title 'Add HSTS Header'
   desc 'HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.'
-  describe file(nginx_hardening) do
-    its('content') { should match(/^\s*add_header Strict-Transport-Security max-age=15768000;$/) }
+  describe parse_config(nginx_parsed_config, options_add_header) do
+    its('add_header') { should include 'Strict-Transport-Security max-age=15768000' }
   end
 end
 
@@ -271,8 +263,8 @@
   impact 1.0
   title 'Content-Security-Policy'
   desc 'The Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring what dynamic resources are allowed to load via a HTTP Header'
-  describe parse_config_file(nginx_hardening, options_add_header) do
-    its('content') { should match(/^\s*add_header Content-Security-Policy "script-src 'self'; object-src 'self'";$/) }
+  describe parse_config(nginx_parsed_config, options_add_header) do
+    its('add_header') { should include 'Content-Security-Policy "script-src \'self\'; object-src \'self\'"' }
   end
 end
 
@@ -281,25 +273,25 @@
   title 'Set cookie with HttpOnly and Secure flag'
   desc 'You can mitigate most of the common Cross Site Scripting attack using HttpOnly and Secure flag in a cookie. Without having HttpOnly and Secure, it is possible to steal or manipulate web application session and cookies and it’s dangerous.'
   only_if { NGINX_COOKIE_FLAG_MODULE != false }
-  describe parse_config_file(nginx_hardening, options_add_header) do
-    its('content') { should match(/^\s*set_cookie_flag * HttpOnly secure;$/) }
+  describe parse_config(nginx_parsed_config, options_add_header) do
+    its('set_cookie_flag') { should include '* HttpOnly secure' }
   end
 end
 
 control 'nginx-17' do
   impact 1.0
   title 'Control timeouts to improve performance'
   desc 'Control timeouts to improve server performance and cut clients.'
-  describe parse_config_file(nginx_conf, options) do
+  describe parse_config(nginx_parsed_config, options) do
     its('keepalive_timeout') { should eq KEEPALIVE_TIMEOUT }
   end
-  describe parse_config_file(nginx_hardening, options) do
+  describe parse_config(nginx_parsed_config, options) do
     its('client_body_timeout') { should eq CLIENT_BODY_TIMEOUT }
   end
-  describe parse_config_file(nginx_hardening, options) do
+  describe parse_config(nginx_parsed_config, options) do
     its('client_header_timeout') { should eq CLIENT_HEADER_TIMEOUT }
   end
-  describe parse_config_file(nginx_hardening, options) do
+  describe parse_config(nginx_parsed_config, options) do
     its('send_timeout') { should eq SEND_TIMEOUT }
   end
 end
