dev-sec/apache-baseline

Change the parameter from apache to httpd

gadilasr opened this issue · 15 comments

Hello,
I am looking to use this profile to scan a server with httpd installed. The current one works if the web server is installed with the apache service.
Please let me know what changes are needed for scanning a web server with the httpd service installed.
From:

  only_if do
    command(apache.service).exist?
  end

To:

  only_if do
    command(httpd.service).exist?
  end

Normally the InSpec apache resource should detect httpd, see https://github.com/inspec/inspec/blob/master/lib/resources/apache.rb#L31-L42

Since InSpec deprecated the resource, we should make it part of this benchmark and then adapt what is required to make it work for your environment.

Step one would be to identify why your httpd server is not detected. On which OS are you running?

PRs to make this happen are welcome.

Hello Chris,
I've executed this profile on RHEL6 and RHEL7 OS where httpd is installed and configured. The scan output shows that the scan skipped all controls specified in the profile (ruby file).
[DEPRECATED] The apache resource is deprecated and will be removed in InSpec 4.0

Profile: DevSec Apache Baseline (apache-baseline)
Version: 2.0.2
Target: ssh://ec2-user@xx.xxx.xx.xxx:22

↺ apache-01: Apache should be running
↺ Skipped control due to only_if condition.
↺ apache-02: Apache should be enabled
↺ Skipped control due to only_if condition.
↺ apache-03: Apache should start max. 1 root-task
↺ Skipped control due to only_if condition.
↺ apache-04: Check Apache config folder owner, group and permissions.
↺ Skipped control due to only_if condition.
↺ apache-05: Check Apache config file owner, group and permissions.
↺ Skipped control due to only_if condition.
↺ apache-06: User and group should be set properly
↺ Skipped control due to only_if condition.
↺ apache-07: Set the apache server token
↺ Skipped control due to only_if condition.
↺ apache-08: Should not load certain modules
↺ Skipped control due to only_if condition.
↺ apache-09: Disable TRACE-methods
↺ Skipped control due to only_if condition.
↺ apache-10: Disable insecure HTTP-methods
↺ Skipped control due to only_if condition.
↺ apache-11: Disable Apache's follows Symbolic Links for directories in alias.conf
↺ Skipped control due to only_if condition.
↺ apache-12: Disable Directory Listing for directories in alias.conf
↺ Skipped control due to only_if condition.
↺ apache-13: SSL honor cipher order
↺ Skipped control due to only_if condition.
↺ apache-14: Enable Apache Logging
↺ Skipped control due to only_if condition.

Profile Summary: 0 successful controls, 0 control failures, 14 controls skipped
Test Summary: 0 successful, 0 failures, 14 skipped

That is strange. Seems like a bug in InSpec. Can you run the inspec shell to verify what is going on? I tested it against a CentOS 7 with httpd installed.

inspec shell -t docker://f8840a4dc2cf
Welcome to the interactive InSpec Shell
To find out how to use it, type: help

You are currently running on:

    Name:      centos
    Families:  redhat, linux, unix, os
    Release:   7.6.1810
    Arch:      x86_64

inspec> apache.service
[DEPRECATED] The `apache` resource is deprecated and will be removed in InSpec 4.0
=> "httpd"
inspec> command(apache.service).exist?
[DEPRECATED] The `apache` resource is deprecated and will be removed in InSpec 4.0
=> true

These are the results I am getting for the inspec shell commands.
inspec shell -t ssh://ec2-user@localhost
Welcome to the interactive InSpec Shell
To find out how to use it, type: help

You are currently running on:

Name:      redhat
Families:  redhat, linux, unix, os
Release:   7.6
Arch:      x86_64

inspec> apache.service
[DEPRECATED] The apache resource is deprecated and will be removed in InSpec 4.0
=> "httpd"
inspec> command(apache.service).exist?
[DEPRECATED] The apache resource is deprecated and will be removed in InSpec 4.0
=> false

inspec shell -t ssh://ec2-user@xx.xxx.xx.xxxx
Welcome to the interactive InSpec Shell
To find out how to use it, type: help

You are currently running on:

Name:      redhat
Families:  redhat, linux, unix, os
Release:   6.10
Arch:      x86_64

inspec> apache.service
[DEPRECATED] The apache resource is deprecated and will be removed in InSpec 4.0
=> "httpd"
inspec> command(apache.service).exist?
[DEPRECATED] The apache resource is deprecated and will be removed in InSpec 4.0
=> false

Can you also check command(apache.service).exist?

inspec> command(apache.service).exist?
[DEPRECATED] The apache resource is deprecated and will be removed in InSpec 4.0
=> false

Can you check why the httpd command is not available on that machine? I assume you run inspec without enough privileges.

OK, in case it is a privileges issue, I have now run it with sudo, with the same results.
sudo inspec shell -t ssh://ec2-user@localhost
Welcome to the interactive InSpec Shell
To find out how to use it, type: help

You are currently running on:

Name:      redhat
Families:  redhat, linux, unix, os
Release:   7.6
Arch:      x86_64

inspec> command(apache.service).exist?
[DEPRECATED] The apache resource is deprecated and will be removed in InSpec 4.0
=> false

I did a simple test by executing another .rb file and it is fine.
$ cat inspec_httpd.rb
# Package must be present before anything else is checked
describe package('httpd') do
  it { should be_installed }
end

# Service should be enabled at boot and currently running
describe service('httpd') do
  it { should be_enabled }
  it { should be_running }
end

# Default HTTP port should be open
describe port(80) do
  it { should be_listening }
end
$ inspec exec inspec_httpd.rb

Profile: tests from inspec_httpd.rb (tests from inspec_httpd.rb)
Version: (not specified)
Target: local://

System Package httpd
✔ should be installed
Service httpd
✔ should be enabled
✔ should be running
Port 80
✔ should be listening

Test Summary: 4 successful, 0 failures, 0 skipped

The issue is https://github.com/dev-sec/apache-baseline/blob/master/controls/apache_spec.rb#L24-L26 and since httpd is not in your path, this baseline thinks httpd is not installed. Do you know why httpd binary is not in your path?

I think we should probably change:

only_if do
  command(apache.service).exist?
end

to

only_if do
  command(apache.service).exist? || file(apache.conf_dir).exist? || service(apache.service).installed?
end
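The diagnosis in the two comments above (httpd is installed, yet command(apache.service).exist? returns false because the SSH user's PATH does not contain the directory holding the httpd binary) and the three-way only_if proposed as the fix can be reproduced without InSpec. The following Ruby is an added example and is not code from apache-baseline or InSpec: it models the three checks as plain file-system lookups over a constructed fake root in a temporary directory. The fake root layout, the fake unit file and the helper names are assumptions made for the example; the real profile delegates these checks to InSpec resources.

```ruby
# Added example (not part of dev-sec/apache-baseline or InSpec).
# Models the detection logic from the thread so the PATH failure mode
# can be reproduced offline against a constructed fake root.
require 'tmpdir'
require 'fileutils'

# Mirrors what command(name).exist? relies on: the binary must be found
# on the PATH of the account InSpec runs the command as.
def binary_on_path?(name, path_env)
  path_env.split(File::PATH_SEPARATOR).any? do |dir|
    candidate = File.join(dir, name)
    File.file?(candidate) && File.executable?(candidate)
  end
end

# Fallback 1: the configuration directory (apache.conf_dir) exists.
def conf_dir_present?(conf_dir)
  File.directory?(conf_dir)
end

# Fallback 2: a service unit file is installed, as service(name).installed?
# would report on a systemd host. Unit directories are an assumption here.
def service_installed?(name, unit_dirs)
  unit_dirs.any? { |dir| File.file?(File.join(dir, "#{name}.service")) }
end

# The combined only_if from the thread: run the controls if any signal
# indicates httpd is present, so a restricted PATH alone does not skip
# the whole baseline (and with it every hardening check it contains).
def apache_present?(service:, path_env:, conf_dir:, unit_dirs:)
  binary_on_path?(service, path_env) ||
    conf_dir_present?(conf_dir) ||
    service_installed?(service, unit_dirs)
end

# Constructed fake root: httpd lives in usr/sbin (as on RHEL), the config
# directory is etc/httpd, and a unit file sits under usr/lib/systemd/system.
def build_fake_root
  root  = Dir.mktmpdir('httpd-detect')
  sbin  = File.join(root, 'usr/sbin')
  bin   = File.join(root, 'usr/bin')
  conf  = File.join(root, 'etc/httpd')
  units = File.join(root, 'usr/lib/systemd/system')
  [sbin, bin, conf, units].each { |d| FileUtils.mkdir_p(d) }
  httpd = File.join(sbin, 'httpd')
  File.write(httpd, "#!/bin/sh\nexit 0\n")   # constructed stand-in binary
  File.chmod(0o755, httpd)
  File.write(File.join(units, 'httpd.service'), "[Unit]\nDescription=constructed unit\n")
  root
end

# Runs the checks twice: once with an unprivileged-style PATH that lacks
# usr/sbin (the thread's ec2-user case) and once with a root-style PATH.
def detection_report(root)
  user_path = File.join(root, 'usr/bin')
  root_path = [File.join(root, 'usr/sbin'), File.join(root, 'usr/bin')].join(File::PATH_SEPARATOR)
  conf      = File.join(root, 'etc/httpd')
  units     = [File.join(root, 'usr/lib/systemd/system')]
  {
    command_only_as_user: binary_on_path?('httpd', user_path),
    command_only_as_root: binary_on_path?('httpd', root_path),
    combined_as_user: apache_present?(service: 'httpd', path_env: user_path,
                                      conf_dir: conf, unit_dirs: units)
  }
end

if __FILE__ == $PROGRAM_NAME
  root = build_fake_root
  detection_report(root).each { |check, result| puts "#{check}: #{result}" }
  FileUtils.rm_rf(root)
end
```

Running the script shows command_only_as_user false, command_only_as_root true and combined_as_user true: the original single check silently skips every control for a non-root SSH user, while the combined condition still detects the installation through the config directory and the unit file. The security-relevant point is that a skipped baseline produces zero failures, which is indistinguishable from a passing scan unless the summary's skipped count is checked.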

Thank you, I've tested after modifying the code on my fork https://github.com/gadilasr/apache-baseline and it works.
Target: ssh://ec2-user@xx.xxx.xx.xxx:22

× apache-01: Apache should be running (1 failed)
✔ Service httpd should be installed
× Service httpd should be running
expected that Service httpd is running
✔ apache-02: Apache should be enabled
✔ Service httpd should be enabled
✔ apache-03: Apache should start max. 1 root-task
✔ 1 should eq 1
× apache-04: Check Apache config folder owner, group and permissions. (1 failed)
✔ File /etc/httpd/ should be owned by "root"
✔ File /etc/httpd/ should be grouped into "root"
✔ File /etc/httpd/ should be readable by owner
✔ File /etc/httpd/ should be writable by owner
✔ File /etc/httpd/ should be executable by owner
✔ File /etc/httpd/ should be readable by group
✔ File /etc/httpd/ should not be writable by group
✔ File /etc/httpd/ should be executable by group

Cool, are you going to open a PR?

Applied the fix and created PR #29

Fixed via #29