In order to ensure the quality of these files (avoiding syntax errors and insecure configurations alike), we had the idea of writing a system to unit test the configuration files. Being involved in Augeas, I thought it would make a great parsing backend to write the tests.
This gave birth to what is currently a Perl module called Config::Augeas::Validator, which comes with a Perl script and an SVN wrapper (this is what we used, but wrappers for other VCS are welcome) to plug it to pre- and post-commit hooks.
The module relies on Augeas (and its lenses) to parse the configuration files. On top of that, you need to specify rules (which are essentially unit test scenarii), at least one for each type of file you wish to test. A minimal rule might look like this:
[DEFAULT]
lens=Fstab
pattern=.*/fstab
This rule will tell augeas-validator to test all files whose full path matches .*/fstab against the Fstab.lns Augeas lens. If the file contains syntax errors (that is, the lens fails to parse it), the program will report it and exit with a status of 1.
Here is another simple example adding two unit tests with warnings:
[DEFAULT]
lens=PHP
pattern=.*/(php\.ini|php[45]/conf\.d/.*\.ini)
[file_uploads]
name=file_uploads
explanation=file_uploads should be set to 'Off'
type=count
expr=$file//file_uploads[. != 'Off']
value=0
level=warning
tags=security
[expose_php]
name=expose_php
explanation=expose_php should be set to 'Off'
type=count
expr=$file//expose_php[. != 'Off']
value=0
level=warning
tags=security
This test checks for php.ini files. Not only does it fail with status 1 if there is a syntax error, it also applies two unit tests called file_uploads and expose_php, which will make the program output a warning and exit with status 2 if they are not met. The essential part of the rules is the expr parameter, which is an Augeas XPath expression. In this case, the expressions must not match any nodes in order to pass the tests (hence value=0).
These are just simple examples of what this module can do. You can find more examples shipped with the module itself. As a last example, here is one for Apache configuration files (in Debian/Ubuntu):
[DEFAULT]
lens=Httpd
pattern=.*/(sites-available/.*)|(apache2/.*\.conf)
[one_servername]
name=One ServerName per VirtualHost *
explanation=There should be only one ServerName per VirtualHost * entry
type=count
expr=$file[label() != "default"]/VirtualHost[arg =~ regexp("\*(:80)?")][count(directive[. = "ServerName"]) != 1]
value=0
level=warning
[bufferedlogs]
name=BufferedLogs
explanation=BufferedLogs must be set to Off
type=count
expr=$file//directive[. = "BufferedLogs"][arg = "On"]
value=0
level=warning
tags=security
[timeout]
name=Timeout
explanation=Timeout must be at least 45
type=count
expr=$file//directive[. = "Timeout"][int(arg) < 45]
value=0
level=warning
tags=security
0 commentaires:
Post a Comment