From 8b36af6d077e0f85d484cd06579c63b46aa8cd6d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patrick=20M=C3=BCnch?= Date: Wed, 12 Apr 2017 21:57:02 +0200 Subject: [PATCH 1/4] add rabbitmq server tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Patrick Münch --- controls/check-messaging.rb | 147 ++++++++++++++++++++++++++++++++++++ 1 file changed, 147 insertions(+) diff --git a/controls/check-messaging.rb b/controls/check-messaging.rb index 4d6d0cb..2a3d0dd 100644 --- a/controls/check-messaging.rb +++ b/controls/check-messaging.rb 
@@ -1,3 +1,150 @@
 # encoding: utf-8
 # check-messaging
 # http://docs.openstack.org/security-guide/messaging.html
+
+RABBITMQ_CONF_DIR = attribute(
+ 'rabbitmq_conf_dir',
+ description: 'Path to rabbitmq configuration folder',
+ default: '/etc/rabbitmq'
+)
+
+RABBITMQ_CONF_FILE = attribute(
+ 'rabbitmq_conf_file',
+ description: 'Path to rabbitmq configuration file',
+ default: '/etc/rabbitmq/rabbitmq.config'
+)
+
+TLSCACERT = attribute(
+ 'tlscacert',
+ description: 'Trust certificates which is signed only by this CA',
+ default: '/etc/ssl/testca/cacert.pem'
+)
+
+TLSCERT = attribute(
+ 'tlscert',
+ description: 'Rabbitmq server certificate',
+ default: '/etc/ssl/server/cert.pem'
+)
+
+TLSKEY = attribute(
+ 'tlskey',
+ description: 'Rabbitmq server key',
+ default: '/etc/ssl/server/key.pem'
+)
+
+TLSPORT = attribute(
+ 'tlsport',
+ description: 'Specify rabbitmq tls server port',
+ default: '5671'
+)
+
+control 'check-messaging-01' do
+ title 'Check Rabbitmq config folder and file owner, group and permissions.'
+ desc 'Rabbitmq config files should be owned by root user and root group'
+ ref 'Rabbitmq Security', url: 'https://docs.openstack.org/security-guide/messaging/security.html'
+
+ describe file(RABBITMQ_CONF_DIR) do
+ it { should exist }
+ it { should be_directory }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ it { should be_readable.by('owner') }
+ it { should be_readable.by('group') }
+ it { should be_readable.by('other') }
+ it { should be_executable.by('owner') }
+ it { should be_executable.by('group') }
+ it { should be_executable.by('other') }
+ it { should be_writable.by('owner') }
+ it { should_not be_writable.by('group') }
+ it { should_not be_writable.by('other') }
+ end
+
+ describe file(RABBITMQ_CONF_FILE) do
+ it { should exist }
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+ it { should_not be_executable }
+ it { should be_readable.by('owner') }
+ it { should be_readable.by('group') }
+ it { should be_readable.by('other') }
+ it { should be_writable.by('owner') }
+ it { should_not be_writable.by('group') }
+ it { should_not be_writable.by('other') }
+ end
+end
+
+control 'check-messaging-02' do
+ title 'Rabbitmq should listen only on ssl port'
+ desc 'The tcp_listeners option is set to [] to prevent it from listening on a non-SSL port.'
+ ref 'Rabbitmq Security', url: 'https://docs.openstack.org/security-guide/messaging/security.html'
+
+ describe rabbitmq_config.params('rabbit', 'tcp_listeners') do
+ it { should be_empty }
+ end
+ describe rabbitmq_config.params('rabbit', 'ssl_listeners') do
+ it { should cmp TLSPORT }
+ end
+end
+
+control 'check-messaging-03' do
+ title 'Check rabbitmq SSL certificate configuration'
+ desc 'Check if the correct ca and server certificate implemented and server key. The rabbitmq server should also check the client certificates.'
+ ref 'Rabbitmq Security', url: 'https://docs.openstack.org/security-guide/messaging/security.html'
+
+ describe rabbitmq_config.params('rabbit','ssl_options','cacertfile') do
+ it { should cmp TLSCACERT }
+ end
+ describe rabbitmq_config.params('rabbit','ssl_options','certfile') do
+ it { should cmp TLSCERT }
+ end
+ describe rabbitmq_config.params('rabbit','ssl_options','keyfile') do
+ it { should cmp TLSKEY }
+ end
+end
+
+control 'check-messaging-04' do
+ title 'Check rabbitmq check peer certificates'
+ desc 'Rabbitmq should verify the certificates from the clients and if the server does not receive a valid certificate it should not allow the connection from the client.'
+ ref 'Rabbitmq Security', url: 'https://docs.openstack.org/security-guide/messaging/security.html'
+
+ describe rabbitmq_config.params('rabbit','ssl_options','verify') do
+ it { should cmp 'verify_peer' }
+ end
+ describe rabbitmq_config.params('rabbit','ssl_options','fail_if_no_peer_cert') do
+ it { should cmp 'true' }
+ end
+end
+
+control 'check-messaging-05' do
+ title 'Check rabbitmq use only TLSv1.2'
+ desc 'Rabbitmq should only use TLSv1.2.'
+ ref 'Rabbitmq Security', url: 'https://docs.openstack.org/security-guide/messaging/security.html'
+
+ describe rabbitmq_config.params('ssl','versions') do
+ it { should cmp 'tlsv1.2' }
+ end
+ describe rabbitmq_config.params('rabbit','ssl_options','versions') do
+ it { should cmp 'tlsv1.2' }
+ end
+end
+
+control 'check-messaging-06' do
+ title 'Check for strong ciphers'
+ desc 'Use only strong ciphers for the rabbitmq TLSv1.2 connection.'
+ ref 'BSI recommendation', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.pdf;jsessionid=30F658ACD2A772B0A2430C4DEC4AF7D1.1_cid341?__blob=publicationFile&v=4' + ref 'Mozilla recommendation', url: 'https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility' + + describe rabbitmq_config.params('rabbit','ssl_options','ciphers') do + it { should eq [["ecdhe_ecdsa", "aes_256_gcm", "null", "sha384"], ["ecdhe_rsa", "aes_256_gcm", "null", "sha384"], ["ecdhe_ecdsa", "aes_128_gcm", "null", "sha256"], ["ecdhe_rsa", "aes_128_gcm", "null", "sha256"]] } + end +end + +control 'check-messaging-07' do + title 'Check for tls cipher honor order' + desc 'The rabbitmq server should force the tls cipher order' + + describe rabbitmq_config.params('rabbit','ssl_options','honor_cipher_order') do + it { should eq true } + end +end From b5ccceecc2452031e41cb9f7bad08f208951a612 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patrick=20M=C3=BCnch?= Date: Wed, 12 Apr 2017 22:01:40 +0200 Subject: [PATCH 2/4] add ref to check-messaging-07 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Patrick Münch --- controls/check-messaging.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/controls/check-messaging.rb b/controls/check-messaging.rb index 2a3d0dd..9234942 100644 --- a/controls/check-messaging.rb +++ b/controls/check-messaging.rb @@ -143,6 +143,7 @@ control 'check-messaging-07' do title 'Check for tls cipher honor order' desc 'The rabbitmq server should force the tls cipher order' + ref 'Strong Ciphers for Apache, nginx and Lighttpd', url: 'https://cipherli.st/' describe rabbitmq_config.params('rabbit','ssl_options','honor_cipher_order') do it { should eq true } From 611159b132191b6ec4e2ca774280736b595b6de0 Mon Sep 17 00:00:00 2001 
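Review bot: Controls check-messaging-02 through -07 call `rabbitmq_config` with no path, so the `rabbitmq_conf_file` attribute declared at the top of the hunk only governs the permission check in check-messaging-01, and a run with a non-default config path still evaluates the TLS assertions against `/etc/rabbitmq/rabbitmq.config`. If the InSpec resource accepts a path argument, `describe rabbitmq_config(RABBITMQ_CONF_FILE).params('rabbit', 'ssl_listeners') do` (and the same for the other `params` calls) keeps the two in step; otherwise the attribute description should say it applies to the ownership/permission check only. Separately, check-messaging-01 asserts that the config file and directory are readable and executable by `other` as positive expectations, which makes a stricter layout such as 0640 root:rabbitmq fail a hardening profile; the security-relevant part is `should_not be_writable.by('group')`/`by('other')` plus the root ownership checks, so consider dropping the `be_readable.by('other')` and `be_executable.by('other')` lines or turning them into non-requirements. Finally, check-messaging-04 compares `fail_if_no_peer_cert` with `cmp 'true'` while check-messaging-07 compares `honor_cipher_order` with `eq true`; both are Erlang booleans parsed by the same resource, so one form should be used for both to avoid one of them silently passing or failing on a type mismatch.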
From: =?UTF-8?q?Patrick=20M=C3=BCnch?= Date: Wed, 12 Apr 2017 22:10:57 +0200 Subject: [PATCH 3/4] update README --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index ed9fd08..67f13e0 100644 --- a/README.md +++ b/README.md @@ -93,6 +93,16 @@ bundle exec inspec exec . \ check-image-03 check-image-04 ``` +### Messaging controls + +```shell +bundle exec inspec exec . \ + --controls check-messaging-01 check-messaging-02 \ + check-messaging-03 check-messaging-04 \ + check-messaging-05 check-messaging-06 \ + check-messaging-07 +``` + ### Orchestration controls ```shell bundle exec inspec exec . \ From a691ff30bccce091391123b985f71ec3cfc6608e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patrick=20M=C3=BCnch?= Date: Wed, 12 Apr 2017 22:28:42 +0200 Subject: [PATCH 4/4] fix lint errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Patrick Münch --- controls/check-messaging.rb | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/controls/check-messaging.rb b/controls/check-messaging.rb index 9234942..4c86cb1 100644 --- a/controls/check-messaging.rb +++ b/controls/check-messaging.rb 
@@ -92,13 +92,13 @@ desc 'Check if the correct ca and server certificate implemented and server key. The rabbitmq server should also check the client certificates.' ref 'Rabbitmq Security', url: 'https://docs.openstack.org/security-guide/messaging/security.html' - describe rabbitmq_config.params('rabbit','ssl_options','cacertfile') do + describe rabbitmq_config.params('rabbit', 'ssl_options', 'cacertfile') do it { should cmp TLSCACERT } end - describe rabbitmq_config.params('rabbit','ssl_options','certfile') do + describe rabbitmq_config.params('rabbit', 'ssl_options', 'certfile') do it { should cmp TLSCERT } end - describe rabbitmq_config.params('rabbit','ssl_options','keyfile') do + describe rabbitmq_config.params('rabbit', 'ssl_options', 'keyfile') do it { should cmp TLSKEY } end end @@ -108,10 +108,10 @@ desc 'Rabbitmq should verify the certificates from the clients and if the server does not receive a valid certificate it should not allow the connection from the client.' ref 'Rabbitmq Security', url: 'https://docs.openstack.org/security-guide/messaging/security.html' - describe rabbitmq_config.params('rabbit','ssl_options','verify') do + describe rabbitmq_config.params('rabbit', 'ssl_options', 'verify') do it { should cmp 'verify_peer' } end - describe rabbitmq_config.params('rabbit','ssl_options','fail_if_no_peer_cert') do + describe rabbitmq_config.params('rabbit', 'ssl_options', 'fail_if_no_peer_cert') do it { should cmp 'true' } end end @@ -121,10 +121,10 @@ desc 'Rabbitmq should only use TLSv1.2.' ref 'Rabbitmq Security', url: 'https://docs.openstack.org/security-guide/messaging/security.html' - describe rabbitmq_config.params('ssl','versions') do + describe rabbitmq_config.params('ssl', 'versions') do it { should cmp 'tlsv1.2' } end - describe rabbitmq_config.params('rabbit','ssl_options','versions') do + describe rabbitmq_config.params('rabbit', 'ssl_options', 'versions') do it { should cmp 'tlsv1.2' } end end 
@@ -135,8 +135,8 @@ ref 'BSI recommendation', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.pdf;jsessionid=30F658ACD2A772B0A2430C4DEC4AF7D1.1_cid341?__blob=publicationFile&v=4' ref 'Mozilla recommendation', url: 'https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility' - describe rabbitmq_config.params('rabbit','ssl_options','ciphers') do - it { should eq [["ecdhe_ecdsa", "aes_256_gcm", "null", "sha384"], ["ecdhe_rsa", "aes_256_gcm", "null", "sha384"], ["ecdhe_ecdsa", "aes_128_gcm", "null", "sha256"], ["ecdhe_rsa", "aes_128_gcm", "null", "sha256"]] } + describe rabbitmq_config.params('rabbit', 'ssl_options', 'ciphers') do + it { should eq [['ecdhe_ecdsa', 'aes_256_gcm', 'null', 'sha384'], ['ecdhe_rsa', 'aes_256_gcm', 'null', 'sha384'], ['ecdhe_ecdsa', 'aes_128_gcm', 'null', 'sha256'], ['ecdhe_rsa', 'aes_128_gcm', 'null', 'sha256']] } end end @@ -145,7 +145,7 @@ desc 'The rabbitmq server should force the tls cipher order' ref 'Strong Ciphers for Apache, nginx and Lighttpd', url: 'https://cipherli.st/' - describe rabbitmq_config.params('rabbit','ssl_options','honor_cipher_order') do + describe rabbitmq_config.params('rabbit', 'ssl_options', 'honor_cipher_order') do it { should eq true } end end