Add a security test recipe

Adds an example recipe that can be used as a base for secur HAProxy Signed-off-by: Dan Webb <[email protected]>
sous-chefs · Dec 3, 2024 · f284cc9 · f284cc9
1 parent 13a4b7c
commit f284cc9
Show file tree

Hide file tree

Showing 6 changed files with 146 additions and 16 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,9 +4,9 @@ This file is used to list changes made in each version of the haproxy cookbook.
 
 ## Unreleased
 
-## 12.3.7 - *2024-11-18*
+- Added security test suite
 
-Standardise files with files in sous-chefs/repo-management
+## 12.3.7 - *2024-11-18*
 
 Standardise files with files in sous-chefs/repo-management
 
@@ -16,10 +16,6 @@ Standardise files with files in sous-chefs/repo-management
 
 Standardise files with files in sous-chefs/repo-management
 
-Standardise files with files in sous-chefs/repo-management
-
-Standardise files with files in sous-chefs/repo-management
-
 ## 12.3.4 - *2024-05-03*
 
 ## 12.3.3 - *2024-05-03*
@@ -89,8 +85,6 @@ Standardise files with files in sous-chefs/repo-management
 
 Standardise files with files in sous-chefs/repo-management
 
-Standardise files with files in sous-chefs/repo-management
-
 ## 12.2.8 - *2023-02-14*
 
 Standardise files with files in sous-chefs/repo-management
@@ -312,6 +306,14 @@ Standardise files with files in sous-chefs/repo-management
 - Documentation - clarify extra_options hash string => array option.
 - Clarify the supported platforms - add AmazonLinux 2, remove fedora & freebsd.
 
+### Fixed
+
+- Init script for Amazon Linux.
+
+### BREAKING CHANGES
+
+- This version removes `stats_socket`, `stats_uri` and `stats_timeout` properties from the `haproxy_global` and `haproxy_listen` resources in favour of using a hash to pass configuration options.
+
 ## [v6.2.7] (2019-01-10)
 
 ### Added
@@ -498,7 +500,13 @@ Standardise files with files in sous-chefs/repo-management
 
 ### Removed
 
-- `default_backend` as a required property on the `frontend` resource.
+- Attributes from the metadata file as these are redundant
+- Broken tarball validation in the source recipe to prevented installs from completing
+
+### Fixed
+
+- Source installs not running if an older version was present on the node
+- Resolved all cookstyle and foodcritic warnings
 
 ## [v4.2.0] (2017-05-04)
 
@@ -703,7 +711,7 @@ Standardise files with files in sous-chefs/repo-management
 
 ### Fixed
 
-- CPU Tuning, corrects cpu_affinity resource triggers
+- Init script for Amazon Linux.
 
 ## v1.6.4
 

diff --git a/README.md b/README.md
@@ -15,18 +15,18 @@ This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of
 ## Requirements
 
 * HAProxy `stable` or `LTS`
-* Chef 13.9+
+* Chef 16+
 
 ### Platforms
 
 This cookbook officially supports and is tested against the following platforms:
 
-* debian: 9 & 10
-* ubuntu: 20.04 & 21.04
-* centos: 7 & 8
-* centos-stream: 8
+* debian: 11 & 12
+* ubuntu: 20.04 & 22.04
+* centos-stream: 8 & 9
+* amazonlinux: 2023
 * fedora: latest
-* amazonlinux: 2
+* opensuseleap
 
 PRs are welcome to add support for additional platforms.
 

diff --git a/kitchen.yml b/kitchen.yml
@@ -49,6 +49,12 @@ suites:
   - name: source_openssl
     run_list:
       - recipe[test::source_openssl]
+  - name: security
+    run_list:
+      - recipe[test::package]
+    verifier:
+      inspec_tests:
+        - test/integration/security
   - name: config_2
     run_list:
       - recipe[test::config_2]

diff --git a/test/cookbooks/test/recipes/security.rb b/test/cookbooks/test/recipes/security.rb
@@ -0,0 +1,45 @@
+# Test recipe for security configuration
+haproxy_install 'package'
+
+# Configure global settings
+haproxy_config_global 'global' do
+  user 'haproxy'
+  group 'haproxy'
+  log '/dev/log syslog info'
+  log_tag 'haproxy'
+  daemon true
+  quiet true
+  stats_socket '/var/run/haproxy.sock user haproxy group haproxy'
+  stats_timeout '2m'
+  maxconn 1000
+  pidfile '/var/run/haproxy.pid'
+end
+
+# Configure defaults
+haproxy_config_defaults 'defaults' do
+  timeout_client '10s'
+  timeout_server '10s'
+  timeout_connect '10s'
+  log 'global'
+  mode 'http'
+  balance 'roundrobin'
+  option %w(httplog dontlognull redispatch tcplog)
+end
+
+# Configure frontend
+haproxy_frontend 'http-in' do
+  bind '0.0.0.0:80'
+  default_backend 'servers'
+end
+
+# Configure backend
+haproxy_backend 'servers' do
+  server ['server1 127.0.0.1:8000 maxconn 32']
+end
+
+# Ensure config file permissions
+file '/etc/haproxy/haproxy.cfg' do
+  owner 'haproxy'
+  group 'haproxy'
+  mode '0640'
+end
diff --git a/test/integration/security/controls/secure_defaults_spec.rb b/test/integration/security/controls/secure_defaults_spec.rb
@@ -0,0 +1,62 @@
+title 'HAProxy Secure Configuration Checks'
+
+# Include common HAProxy tests
+include_controls 'common'
+
+# Security Baseline for HAProxy Configuration
+describe 'HAProxy Security Defaults' do
+  # Global Security Checks
+  describe file('/etc/haproxy/haproxy.cfg') do
+    # Basic configuration
+    its('content') { should match(/^\s*user\s+haproxy/) }
+    its('content') { should match(/^\s*group\s+haproxy/) }
+    its('content') { should match(/^\s*daemon/) }
+
+    # Logging configuration
+    its('content') { should match(/^\s*log\s+\/dev\/log\s+syslog\s+info/) }
+    its('content') { should match(/^\s*log-tag\s+haproxy/) }
+    its('content') { should_not match(/^\s*log-send-hostname/) }
+
+    # Stats socket configuration
+    its('content') { should match(/^\s*stats\s+socket\s+\/var\/run\/haproxy\.sock\s+user\s+haproxy\s+group\s+haproxy/) }
+    its('content') { should match(/^\s*stats\s+timeout\s+2m/) }
+
+    # Connection settings
+    its('content') { should match(/^\s*maxconn\s+1000/) }
+
+    # Default timeouts
+    its('content') { should match(/^\s*timeout\s+client\s+10s/) }
+    its('content') { should match(/^\s*timeout\s+server\s+10s/) }
+    its('content') { should match(/^\s*timeout\s+connect\s+10s/) }
+
+    # Default options
+    its('content') { should match(/^\s*option\s+httplog/) }
+    its('content') { should match(/^\s*option\s+dontlognull/) }
+    its('content') { should match(/^\s*option\s+redispatch/) }
+    its('content') { should match(/^\s*option\s+tcplog/) }
+
+    # Mode and balance
+    its('content') { should match(/^\s*mode\s+http/) }
+    its('content') { should match(/^\s*balance\s+roundrobin/) }
+
+    # File permissions
+    it { should be_owned_by 'haproxy' }
+    it { should be_grouped_into 'haproxy' }
+    its('mode') { should cmp '0640' }
+  end
+
+  # Service Configuration
+  describe service('haproxy') do
+    it { should be_enabled }
+    it { should be_running }
+  end
+end
+
+# Additional Security Recommendations
+describe 'Security Recommendations' do
+  # Validate service configuration
+  describe service('haproxy') do
+    it { should be_enabled }
+    it { should be_running }
+  end
+end
diff --git a/test/integration/security/inspec.yml b/test/integration/security/inspec.yml
@@ -0,0 +1,9 @@
+---
+name: security
+title: HAProxy Security Profile
+version: 0.1.0
+supports:
+  - os-family: linux
+depends:
+  - name: common
+    path: test/integration/common