diff --git a/attributes/default.rb b/attributes/default.rb index 68071a2d..059a9323 100644 --- a/attributes/default.rb +++ b/attributes/default.rb @@ -1,11 +1,11 @@ # frozen_string_literal: true # -# Cookbook Name:: os-hardening +# Cookbook:: os-hardening # Attributes:: default # -# Copyright 2012, Dominik Richter -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2012, Dominik Richter +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,7 +23,7 @@ default['os-hardening'].tap do |os_hardening| # components of this cookbook - %w[packages limits login_defs minimize_access pam profile securetty].each do |cp| + %w(packages limits login_defs minimize_access pam profile securetty).each do |cp| os_hardening['components'][cp] = true end @@ -76,7 +76,7 @@ auth['timeout'] = 60 auth['allow_homeless'] = false auth['login_defs']['template_cookbook'] = 'os-hardening' - auth['root_ttys'] = %w[console tty1 tty2 tty3 tty4 tty5 tty6] + auth['root_ttys'] = %w(console tty1 tty2 tty3 tty4 tty5 tty6) auth['uid_min'] = 1000 auth['uid_max'] = 60000 auth['gid_min'] = 1000 @@ -86,8 +86,7 @@ # PAM settings auth['pam'].tap do |pam| - case node['platform_family'] - when 'rhel', 'fedora', 'amazon' + if platform_family?('rhel', 'fedora', 'amazon') if node['platform_version'].to_f < 7 pam['passwdqc']['enable'] = true pam['pwquality']['enable'] = false @@ -109,8 +108,7 @@ end # RH has a bit different defaults on some places - case node['platform_family'] - when 'rhel', 'amazon' + if platform_family?('rhel', 'amazon') os_hardening['env']['umask'] = '077' os_hardening['auth']['sys_uid_min'] = 201 os_hardening['auth']['sys_gid_min'] = 201 
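Review bot: In the PAM hunk of attributes/default.rb, the inner test `node['platform_version'].to_f < 7` is applied to all three families named in `platform_family?('rhel', 'fedora', 'amazon')`, but only RHEL-style version numbers make it meaningful. If Ohai reports Amazon Linux 2 as version `2`, that platform lands in the passwdqc branch meant for pre-7 RHEL, so the password-quality module configured may not be the one the platform ships. Consider splitting the amazon case out, or at least add a comment such as `# NOTE: version threshold is RHEL numbering; amazon/fedora need their own check — confirm`. The `if`/`else` body continues outside the hunk, so the other branch is not visible here.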
@@ -124,7 +122,7 @@ # may contain: change_user security['users']['allow'] = [] security['kernel']['enable_module_loading'] = true - security['kernel']['disable_filesystems'] = %w[cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat] + security['kernel']['disable_filesystems'] = %w(cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat) security['kernel']['enable_sysrq'] = false security['kernel']['enable_core_dump'] = false security['suid_sgid']['enforce'] = true @@ -145,13 +143,13 @@ # remove packages with known issues security['packages']['clean'] = true # list of packages with known issues - security['packages']['list'] = [ - 'xinetd', - 'inetd', - 'ypserv', - 'telnet-server', - 'rsh-server' - ] + security['packages']['list'] = %w( + xinetd + inetd + ypserv + telnet-server + rsh-server + ) # SELinux enforcing (enforcing, permissive, unmanaged) security['selinux_mode'] = 'unmanaged' diff --git a/attributes/sysctl.rb b/attributes/sysctl.rb index abc71aa6..1e1bf6d3 100644 --- a/attributes/sysctl.rb +++ b/attributes/sysctl.rb @@ -1,10 +1,10 @@ # frozen_string_literal: true # -# Cookbook Name:: os-hardening +# Cookbook:: os-hardening # Attributes:: sysctl # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -92,10 +92,9 @@ default['sysctl']['params']['net']['ipv6']['conf']['default']['accept_ra'] = 0 # ExecShield protection against buffer overflows -case node['platform_family'] -when 'rhel', 'fedora' +if platform_family?('rhel', 'fedora') # on Oracle Linux with UEK it is not available; this helps address UEK on Oracle Linux 6 - is_oracle_uek = (node['platform'] == 'oracle' && node['kernel']['release'] =~ /^4\..*uek/) + is_oracle_uek = (platform?('oracle') && node['kernel']['release'] =~ /^4\..*uek/) # on RHEL 7 its enabled per default and can't be disabled if node['platform_version'].to_f < 7 && !is_oracle_uek diff --git a/libraries/apt_package_extras.rb b/libraries/apt_package_extras.rb index 5c208fd3..29e38edb 100644 --- a/libraries/apt_package_extras.rb +++ b/libraries/apt_package_extras.rb @@ -1,11 +1,11 @@ # frozen_string_literal: true # -# Cookbook Name:: os-hardening +# Cookbook:: os-hardening # Library:: apt_package_extras # -# Copyright 2008, Chef Software, Inc. -# Copyright 2015, Hardening Framework Team +# Copyright:: 2008, Chef Software, Inc. +# Copyright:: 2015, Hardening Framework Team # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/libraries/cookbook_version.rb b/libraries/cookbook_version.rb index 20faa6e6..a3d31b22 100644 --- a/libraries/cookbook_version.rb +++ b/libraries/cookbook_version.rb @@ -1,11 +1,11 @@ # frozen_string_literal: true # -# Cookbook Name:: os-hardening +# Cookbook:: os-hardening # Library:: cookbook_version # -# Copyright 2014, Dominik Richter -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Dominik Richter +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/libraries/gpgcheck.rb b/libraries/gpgcheck.rb index 633b64fa..b1b80810 100644 --- a/libraries/gpgcheck.rb 
+++ b/libraries/gpgcheck.rb @@ -1,11 +1,11 @@ # frozen_string_literal: true # -# Cookbook Name:: os-hardening +# Cookbook:: os-hardening # Library:: gpgcheck # -# Copyright 2012, Dominik Richter -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2012, Dominik Richter +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/libraries/helpers_param.rb b/libraries/helpers_param.rb index b75bfd18..2a48af6c 100644 --- a/libraries/helpers_param.rb +++ b/libraries/helpers_param.rb @@ -1,11 +1,11 @@ # frozen_string_literal: true # -# Cookbook Name:: os-hardening +# Cookbook:: os-hardening # Library:: gpgcheck # -# Copyright 2012, Dominik Richter -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2012, Dominik Richter +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/libraries/suid_sgid.rb b/libraries/suid_sgid.rb index 07ce36aa..f7fd119b 100644 --- a/libraries/suid_sgid.rb +++ b/libraries/suid_sgid.rb @@ -1,11 +1,11 @@ # frozen_string_literal: true # -# Cookbook Name:: os-hardening +# Cookbook:: os-hardening # Library:: suid_sgid # -# Copyright 2012, Dominik Richter -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2012, Dominik Richter +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -46,9 +46,9 @@ def self.find_all_suid_sgid_files(start_at = '/') end def self.remove_suid_sgid_from_blacklist(blacklist) - blacklist. - select { |file| File.exist?(file) }. - each do |file| + blacklist + .select { |file| File.exist?(file) } + .each do |file| Chef::Log.info "suid_sgid: Blacklist SUID/SGID for '#{file}', removing bit..." remove_suid_sgid_from(file) end 
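Review bot: The header of libraries/helpers_param.rb still reads `# Library:: gpgcheck`, which looks copied from gpgcheck.rb and is left unchanged as context in this hunk. Since the header is being rewritten anyway, it should name the file it sits in: `# Library:: helpers_param`.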
diff --git a/metadata.rb b/metadata.rb index b8094cdf..e5971cac 100644 --- a/metadata.rb +++ b/metadata.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +21,6 @@ maintainer_email 'artem@posteo.de' license 'Apache-2.0' description 'Installs and configures operating system hardening' -long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) version '4.0.0' source_url 'https://github.com/dev-sec/chef-os-hardening' issues_url 'https://github.com/dev-sec/chef-os-hardening/issues' @@ -37,13 +36,3 @@ supports 'fedora', '>= 28.0' supports 'suse' supports 'opensuseleap', '>= 42.1' - -recipe 'os-hardening::default', 'harden the operating system (all recipes)' -recipe 'os-hardening::limits', 'prevent core dumps' -recipe 'os-hardening::login_defs', 'harden /etc/login.defs' -recipe 'os-hardening::minimize_access', 'enforce minimal file permissions' -recipe 'os-hardening::pam', 'configure sane values for PAM' -recipe 'os-hardening::profile', 'harden settings in /etc/profile.d' -recipe 'os-hardening::securetty', 'limit the allowed TTYs for root login' -recipe 'os-hardening::suid_sgid', 'reduce SUID and SGID bits in the filesystem' -recipe 'os-hardening::sysctl', 'set sane sysctl values' diff --git a/recipes/apt.rb b/recipes/apt.rb index 4b208c2d..e1c66b66 100644 --- a/recipes/apt.rb +++ b/recipes/apt.rb @@ -1,10 +1,10 @@ # frozen_string_literal: true # -# Cookbook Name: os-hardening +# Cookbook:: Name: os-hardening # Recipe: apt.rb # -# Copyright 2015, Hardening Framework Team +# Copyright:: 2015, Hardening Framework Team # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/recipes/auditd.rb b/recipes/auditd.rb index 4dc332e0..6013f478 100644 
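Review bot: The rewritten header in recipes/apt.rb reads `# Cookbook:: Name: os-hardening`, so the old `Name:` token was left behind when the `::` separator was inserted. It should be `# Cookbook:: os-hardening`, and the next line `# Recipe:: apt` to match the headers under attributes/ and libraries/. The same leftover is in the header hunks of recipes/auditd.rb, default.rb, limits.rb, login_defs.rb, minimize_access.rb, packages.rb, pam.rb, profile.rb, securetty.rb, selinux.rb, suid_sgid.rb, sysctl.rb and yum.rb. While touching them, selinux.rb's `# Recipe: selinux.rv` and yum.rb's `# Recipe: pack_yum.rb` do not match their file names either.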
--- a/recipes/auditd.rb +++ b/recipes/auditd.rb @@ -1,10 +1,10 @@ # frozen_string_literal: true # -# Cookbook Name: os-hardening +# Cookbook:: Name: os-hardening # Recipe: auditd.rb # -# Copyright 2017, Artem Sidorenko +# Copyright:: 2017, Artem Sidorenko # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,10 +22,10 @@ package node['os-hardening']['packages']['auditd'] service 'auditd' do - supports %i[start stop restart reload status] - if (node['platform_family'] == 'rhel' && node['platform_version'].to_f >= 7) || - (node['platform_family'] == 'fedora' && node['platform_version'].to_f >= 27) || - (node['platform_family'] == 'amazon' && node['platform_version'].to_f >= 2) + supports %i(start stop restart reload status) + if (platform_family?('rhel') && node['platform_version'].to_f >= 7) || + (platform_family?('fedora') && node['platform_version'].to_f >= 27) || + (platform_family?('amazon') && node['platform_version'].to_f >= 2) restart_command 'service auditd restart' end action [:enable] diff --git a/recipes/default.rb b/recipes/default.rb index ee1a8601..6584d974 100644 --- a/recipes/default.rb +++ b/recipes/default.rb @@ -1,11 +1,11 @@ # frozen_string_literal: true # -# Cookbook Name: os-hardening +# Cookbook:: Name: os-hardening # Recipe: default # -# Copyright 2012, Dominik Richter -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2012, Dominik Richter +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -36,7 +36,7 @@ # selinux should be included only on RH based systems node.default['os-hardening']['components']['selinux'] = - node['platform_family'] == 'rhel' || node['platform_family'] == 'fedora' + platform_family?('rhel', 'fedora') end # include all required components 
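Review bot: The `restart_command 'service auditd restart'` override in the `service 'auditd'` block has no comment saying why exactly these three family/version pairs need it, which makes the thresholds hard to maintain. A line such as `# these releases need the legacy service wrapper to restart auditd — TODO confirm reason and thresholds` above the `if` would help. Note also that `node['platform_version'].to_f >= 2` in the amazon clause is true for year-style version strings as well (for example `2018.03`, if Ohai reports those for older Amazon Linux), so that clause may not discriminate between releases at all.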
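Review bot: The default for `['components']['selinux']` in recipes/default.rb is true only for `platform_family?('rhel', 'fedora')`, while recipes/selinux.rb in this same commit acts on `platform_family?('rhel', 'fedora', 'amazon')`. On Amazon Linux the selinux component is therefore never enabled by the default recipe even though the selinux recipe would manage it there. If amazon is meant to be covered, use `platform_family?('rhel', 'fedora', 'amazon')` here; otherwise drop `'amazon'` from selinux.rb and say so in the comment above this assignment. The enclosing block starts outside the hunk.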
diff --git a/recipes/limits.rb b/recipes/limits.rb index 1962f6d4..cd5eadf5 100644 --- a/recipes/limits.rb +++ b/recipes/limits.rb @@ -1,10 +1,10 @@ # frozen_string_literal: true # -# Cookbook Name: os-hardening +# Cookbook:: Name: os-hardening # Recipe: limits.rb # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/recipes/login_defs.rb b/recipes/login_defs.rb index 471368b9..0437f87e 100644 --- a/recipes/login_defs.rb +++ b/recipes/login_defs.rb @@ -1,10 +1,10 @@ # frozen_string_literal: true # -# Cookbook Name: os-hardening +# Cookbook:: Name: os-hardening # Recipe: login_defs.rb # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/recipes/minimize_access.rb b/recipes/minimize_access.rb index 428196e3..57c02c88 100644 --- a/recipes/minimize_access.rb +++ b/recipes/minimize_access.rb @@ -1,10 +1,10 @@ # frozen_string_literal: true # -# Cookbook Name: os-hardening +# Cookbook:: Name: os-hardening # Recipe: minimize_access # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -21,7 +21,7 @@ # remove write permissions from path folders ($PATH) for all regular users # this prevents changing any system-wide command from normal users -paths = %w[/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin] + node['os-hardening']['env']['extra_user_paths'] +paths = %w(/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin) + node['os-hardening']['env']['extra_user_paths'] paths.each do |folder| execute "remove write permission from #{folder}" do command "chmod go-w -R #{folder}" @@ -59,7 +59,7 @@ directory '/var/log' do owner 'root' # ubuntu with containers does not have rsyslog installed and syslog group does not exist - if node['platform'] == 'ubuntu' && node['packages']['rsyslog'] + if platform?('ubuntu') && node['packages']['rsyslog'] group 'syslog' else group 'root' @@ -72,7 +72,7 @@ only_if { ::File.exist?('/etc/crontab') } end -cron_directories = %w[/etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d] +cron_directories = %w(/etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /etc/cron.d) cron_directories.each do |cron_path| next unless ::Dir.exist?(cron_path) diff --git a/recipes/packages.rb b/recipes/packages.rb index 8393f583..16a809dd 100644 --- a/recipes/packages.rb +++ b/recipes/packages.rb @@ -1,10 +1,10 @@ # frozen_string_literal: true # -# Cookbook Name: os-hardening +# Cookbook:: Name: os-hardening # Recipe: packages.rb # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
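Review bot: In recipes/minimize_access.rb, each entry of `node['os-hardening']['env']['extra_user_paths']` is interpolated straight into the shell string `"chmod go-w -R #{folder}"`. A path containing a space or a shell metacharacter is then split or interpreted by the shell, and this runs as root with `-R`. Passing the command as an array avoids the shell entirely: `command ['chmod', '-R', 'go-w', folder]`. The `execute` block continues outside the hunk, so any guard on it should be checked for the same interpolation.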
@@ -20,13 +20,7 @@ # # do package config for ubuntu -case node['platform_family'] -when 'debian' - include_recipe('os-hardening::apt') -end +include_recipe 'os-hardening::apt' if platform_family?('debian') # do package config for rhel-family -case node['platform_family'] -when 'rhel', 'fedora', 'amazon' - include_recipe('os-hardening::yum') -end +include_recipe 'os-hardening::yum' if platform_family?('rhel', 'fedora', 'amazon') diff --git a/recipes/pam.rb b/recipes/pam.rb index a0e8696d..a9593d79 100644 --- a/recipes/pam.rb +++ b/recipes/pam.rb @@ -1,11 +1,11 @@ # frozen_string_literal: true # -# Cookbook Name: os-hardening +# Cookbook:: Name: os-hardening # Recipe: pam.rb # -# Copyright 2012, Dominik Richter -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2012, Dominik Richter +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/recipes/profile.rb b/recipes/profile.rb index 35ad041b..a22c3f92 100644 --- a/recipes/profile.rb +++ b/recipes/profile.rb @@ -1,10 +1,10 @@ # frozen_string_literal: true # -# Cookbook Name: os-hardening +# Cookbook:: Name: os-hardening # Recipe: profile.rb # -# Copyright 2013, Deutsche Telekom AG +# Copyright:: 2013, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/recipes/securetty.rb b/recipes/securetty.rb index 47ccd2a6..df0b60df 100644 --- a/recipes/securetty.rb +++ b/recipes/securetty.rb 
@@ -1,11 +1,11 @@ # frozen_string_literal: true # -# Cookbook Name: os-hardening +# Cookbook:: Name: os-hardening # Recipe: securetty # -# Copyright 2012, Dominik Richter -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2012, Dominik Richter +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/recipes/selinux.rb b/recipes/selinux.rb index 5d31d040..670942b7 100644 --- a/recipes/selinux.rb +++ b/recipes/selinux.rb @@ -1,10 +1,10 @@ # frozen_string_literal: true # -# Cookbook Name: os-hardening +# Cookbook:: Name: os-hardening # Recipe: selinux.rv # -# Copyright 2017, Deutsche Telekom AG +# Copyright:: 2017, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,8 +21,7 @@ # SELinux enforcing support -case node['platform_family'] -when 'rhel', 'fedora', 'amazon' +if platform_family?('rhel', 'fedora', 'amazon') unless node['os-hardening']['security']['selinux_mode'] == 'unmanaged' semode = case node['os-hardening']['security']['selinux_mode'] when 'enforcing' diff --git a/recipes/suid_sgid.rb b/recipes/suid_sgid.rb index bf933cbf..29aa0941 100644 --- a/recipes/suid_sgid.rb +++ b/recipes/suid_sgid.rb @@ -1,11 +1,11 @@ # frozen_string_literal: true # -# Cookbook Name: os-hardening +# Cookbook:: Name: os-hardening # Recipe: suid_sgid # -# Copyright 2012, Dominik Richter -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2012, Dominik Richter +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/recipes/sysctl.rb b/recipes/sysctl.rb index c4974a13..d4b7fd7e 100644 --- a/recipes/sysctl.rb +++ b/recipes/sysctl.rb 
@@ -1,11 +1,11 @@ # frozen_string_literal: true # -# Cookbook Name: os-hardening +# Cookbook:: Name: os-hardening # Recipe: sysctl # -# Copyright 2012, Dominik Richter -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2012, Dominik Richter +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -20,7 +20,7 @@ # limitations under the License. # -::Chef::Recipe.send(:include, SysctlCookbook::SysctlHelpers::Param) +::Chef::DSL::Recipe.send(:include, SysctlCookbook::SysctlHelpers::Param) # cleanup of old sysctl related configurations. This can be removed at some point in the future # https://github.com/dev-sec/chef-os-hardening/issues/166#issuecomment-322433264 @@ -138,9 +138,9 @@ # try to determine the real cpu vendor begin - cpu_vendor = node['cpu']['0']['vendor_id']. - sub(/^.*GenuineIntel.*$/, 'intel'). - sub(/^.*AuthenticAMD.*$/, 'amd') + cpu_vendor = node['cpu']['0']['vendor_id'] + .sub(/^.*GenuineIntel.*$/, 'intel') + .sub(/^.*AuthenticAMD.*$/, 'amd') node.default['os-hardening']['security']['cpu_vendor'] = cpu_vendor rescue # rubocop:disable Style/RescueStandardError log 'WARNING: Could not properly determine the cpu vendor. Fallback to intel cpu.' do @@ -157,8 +157,7 @@ # NSA 2.2.4.1 Set Daemon umask # do config for rhel-family -case node['platform_family'] -when 'rhel', 'fedora', 'amazon' +if platform_family?('rhel', 'fedora', 'amazon') template '/etc/sysconfig/init' do source 'rhel_sysconfig_init.erb' mode '0544' @@ -173,8 +172,7 @@ end # do initramfs config for ubuntu and debian -case node['platform_family'] -when 'debian' +if platform_family?('debian') # rebuild initramfs with starting pack of modules, # if module loading at runtime is disabled diff --git a/recipes/yum.rb b/recipes/yum.rb index 4677833a..0cba02f1 100644 --- a/recipes/yum.rb +++ b/recipes/yum.rb 
@@ -1,10 +1,10 @@ # frozen_string_literal: true # -# Cookbook Name: os-hardening +# Cookbook:: Name: os-hardening # Recipe: pack_yum.rb # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -43,7 +43,7 @@ if node['os-hardening']['security']['packages']['clean'] # remove unused repos - %w[CentOS-Debuginfo CentOS-Media CentOS-Vault].each do |repo| + %w(CentOS-Debuginfo CentOS-Media CentOS-Vault).each do |repo| yum_repository repo do action :remove end diff --git a/spec/recipes/auditd_spec.rb b/spec/recipes/auditd_spec.rb index f9d24c26..502354c6 100644 --- a/spec/recipes/auditd_spec.rb +++ b/spec/recipes/auditd_spec.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true # -# Copyright 2017, Artem Sidorenko +# Copyright:: 2017, Artem Sidorenko # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/spec/recipes/default_spec.rb b/spec/recipes/default_spec.rb index c4586cd3..047e63b6 100644 --- a/spec/recipes/default_spec.rb +++ b/spec/recipes/default_spec.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,9 +27,9 @@ node.normal['cpu']['0']['vendor_id'] = 'GenuineIntel' node.normal['env']['extra_user_paths'] = [] - paths = %w[ + paths = %w( /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin - ] + node['env']['extra_user_paths'] + ) + node['env']['extra_user_paths'] paths.each do |folder| stub_command( "find #{folder} -perm -go+w -type f | wc -l | egrep '^0$'" diff --git a/spec/recipes/limits_spec.rb b/spec/recipes/limits_spec.rb index 44b892e1..3d42f270 100644 --- a/spec/recipes/limits_spec.rb 
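Review bot: The setup in spec/recipes/default_spec.rb sets and reads `node['env']['extra_user_paths']`, but recipes/minimize_access.rb in this commit reads `node['os-hardening']['env']['extra_user_paths']`. The stubbed `find … -perm -go+w` commands only line up with the recipe because both lists happen to be empty, so the extra-paths handling is not exercised by this spec. Use the recipe's key, `node.normal['os-hardening']['env']['extra_user_paths'] = []`, and build `paths` from the same key. The surrounding block starts and ends outside the hunk, so a mapping between the two keys elsewhere cannot be ruled out from here.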
+++ b/spec/recipes/limits_spec.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/spec/recipes/login_defs_spec.rb b/spec/recipes/login_defs_spec.rb index 0bd48f32..7b5801a4 100644 --- a/spec/recipes/login_defs_spec.rb +++ b/spec/recipes/login_defs_spec.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -52,17 +52,17 @@ sys_uid_max: 999, sys_gid_min: 100, sys_gid_max: 999, - mail_dir: '/var/mail' + mail_dir: '/var/mail', } ) end it 'uses uid_min and gid_min in /etc/login.defs' do - is_expected.to render_file('/etc/login.defs'). - with_content(/^PASS_WARN_AGE\s+7$/). - with_content(/^UID_MIN\s+5000$/). - with_content(/^UID_MAX\s+6000$/). - with_content(/^GID_MIN\s+5000$/). - with_content(/^GID_MAX\s+6000$/) + is_expected.to render_file('/etc/login.defs') + .with_content(/^PASS_WARN_AGE\s+7$/) + .with_content(/^UID_MIN\s+5000$/) + .with_content(/^UID_MAX\s+6000$/) + .with_content(/^GID_MIN\s+5000$/) + .with_content(/^GID_MAX\s+6000$/) end end diff --git a/spec/recipes/minimize_access_spec.rb b/spec/recipes/minimize_access_spec.rb index 43d97236..f6882614 100644 --- a/spec/recipes/minimize_access_spec.rb +++ b/spec/recipes/minimize_access_spec.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/spec/recipes/pam_spec.rb b/spec/recipes/pam_spec.rb index 28ff39ab..fe5402c5 100644 --- a/spec/recipes/pam_spec.rb 
+++ b/spec/recipes/pam_spec.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/spec/recipes/profile_spec.rb b/spec/recipes/profile_spec.rb index ea57bd24..cf989e2f 100644 --- a/spec/recipes/profile_spec.rb +++ b/spec/recipes/profile_spec.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/spec/recipes/securetty_spec.rb b/spec/recipes/securetty_spec.rb index bd94163b..c89cb5a6 100644 --- a/spec/recipes/securetty_spec.rb +++ b/spec/recipes/securetty_spec.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -30,7 +30,7 @@ group: 'root', mode: '0400', variables: { - ttys: "console\ntty1\ntty2\ntty3\ntty4\ntty5\ntty6" + ttys: "console\ntty1\ntty2\ntty3\ntty4\ntty5\ntty6", } ) end diff --git a/spec/recipes/suid_sgid_spec.rb b/spec/recipes/suid_sgid_spec.rb index 914926fb..ffc3244e 100644 --- a/spec/recipes/suid_sgid_spec.rb +++ b/spec/recipes/suid_sgid_spec.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/spec/recipes/sysctl_spec.rb b/spec/recipes/sysctl_spec.rb index 5f918442..e54eec0e 100644 --- a/spec/recipes/sysctl_spec.rb +++ b/spec/recipes/sysctl_spec.rb 
@@ -1,7 +1,7 @@ # frozen_string_literal: true # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -372,29 +372,29 @@ describe 'when unused filesystems are disabled with default values' do it 'should render the proper modprobe file' do - %w[cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat].each do |fs| - expect(chef_run).to render_file('/etc/modprobe.d/dev-sec.conf'). - with_content("install #{fs} /bin/true") + %w(cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat).each do |fs| + expect(chef_run).to render_file('/etc/modprobe.d/dev-sec.conf') + .with_content("install #{fs} /bin/true") end end end describe 'when only some filesystems are disabled' do - let(:disable_filesystems) { %w[vfat udf] } + let(:disable_filesystems) { %w(vfat udf) } it 'should render the proper modprobe file' do - %w[udf vfat].each do |fs| - expect(chef_run).to render_file('/etc/modprobe.d/dev-sec.conf'). - with_content("install #{fs} /bin/true") + %w(udf vfat).each do |fs| + expect(chef_run).to render_file('/etc/modprobe.d/dev-sec.conf') + .with_content("install #{fs} /bin/true") end - expect(chef_run).not_to render_file('/etc/modprobe.d/dev-sec.conf'). - with_content('install cramfs /bin/true') + expect(chef_run).not_to render_file('/etc/modprobe.d/dev-sec.conf') + .with_content('install cramfs /bin/true') end end describe 'when unused filesystems are not disabled' do - let(:disable_filesystems) { %w[] } + let(:disable_filesystems) { %w() } it 'should delete the modprobe file' do expect(chef_run).to delete_file('/etc/modprobe.d/dev-sec.conf') diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 0e6b3dfd..5a1b8a72 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb 
@@ -1,7 +1,7 @@ # frozen_string_literal: true # -# Copyright 2014, Deutsche Telekom AG +# Copyright:: 2014, Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +22,6 @@ # coverage report Coveralls.wear! -at_exit { ChefSpec::Coverage.report! } RSpec.configure do |config| # OS and version for mocking of ohai data, needed by chefspec diff --git a/test/fixtures/cookbooks/test/metadata.rb b/test/fixtures/cookbooks/test/metadata.rb index ac1e5647..a1f860b8 100644 --- a/test/fixtures/cookbooks/test/metadata.rb +++ b/test/fixtures/cookbooks/test/metadata.rb @@ -3,5 +3,4 @@ maintainer_email 'artem@posteo.de' license 'Apache-2.0' description 'Test preparation cookbook' -long_description 'Test preparation cookbook' version '0.1.0' diff --git a/test/fixtures/cookbooks/test/recipes/default.rb b/test/fixtures/cookbooks/test/recipes/default.rb index 7856de62..eb632ad1 100644 --- a/test/fixtures/cookbooks/test/recipes/default.rb +++ b/test/fixtures/cookbooks/test/recipes/default.rb @@ -1,11 +1,11 @@ # -# Cookbook Name:: test +# Cookbook:: test # Recipe:: default # # We use this test cookbook to initialize the test environment -if node['platform_family'] == 'debian' +if platform_family?('debian') # Run apt-get update if we are on debian, some images/boxes do not have full package lists execute 'apt update' do command 'apt-get update'