-
Notifications
You must be signed in to change notification settings - Fork 14
Expand file tree
/
Copy pathcheck-messaging.rb
More file actions
151 lines (130 loc) · 5.38 KB
/
Copy pathcheck-messaging.rb
File metadata and controls
151 lines (130 loc) · 5.38 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
# encoding: utf-8
# check-messaging
# http://docs.openstack.org/security-guide/messaging.html
RABBITMQ_CONF_DIR = attribute(
'rabbitmq_conf_dir',
description: 'Path to rabbitmq configuration folder',
default: '/etc/rabbitmq'
)
RABBITMQ_CONF_FILE = attribute(
'rabbitmq_conf_file',
description: 'Path to rabbitmq configuration file',
default: '/etc/rabbitmq/rabbitmq.config'
)
TLSCACERT = attribute(
'tlscacert',
description: 'Trust certificates which is signed only by this CA',
default: '/etc/ssl/testca/cacert.pem'
)
TLSCERT = attribute(
'tlscert',
description: 'Rabbitmq server certificate',
default: '/etc/ssl/server/cert.pem'
)
TLSKEY = attribute(
'tlskey',
description: 'Rabbitmq server key',
default: '/etc/ssl/server/key.pem'
)
TLSPORT = attribute(
'tlsport',
description: 'Specify rabbitmq tls server port',
default: '5671'
)
control 'check-messaging-01' do
title 'Check Rabbitmq config folder and file owner, group and permissions.'
desc 'Rabbitmq config files should be owned by root user and root group'
ref 'Rabbitmq Security', url: 'https://docs.openstack.org/security-guide/messaging/security.html'
describe file(RABBITMQ_CONF_DIR) do
it { should exist }
it { should be_directory }
it { should be_owned_by 'root' }
it { should be_grouped_into 'root' }
it { should be_readable.by('owner') }
it { should be_readable.by('group') }
it { should be_readable.by('other') }
it { should be_executable.by('owner') }
it { should be_executable.by('group') }
it { should be_executable.by('other') }
it { should be_writable.by('owner') }
it { should_not be_writable.by('group') }
it { should_not be_writable.by('other') }
end
describe file(RABBITMQ_CONF_FILE) do
it { should exist }
it { should be_file }
it { should be_owned_by 'root' }
it { should be_grouped_into 'root' }
it { should_not be_executable }
it { should be_readable.by('owner') }
it { should be_readable.by('group') }
it { should be_readable.by('other') }
it { should be_writable.by('owner') }
it { should_not be_writable.by('group') }
it { should_not be_writable.by('other') }
end
end
control 'check-messaging-02' do
title 'Rabbitmq should listen only on ssl port'
desc 'The tcp_listeners option is set to [] to prevent it from listening on a non-SSL port.'
ref 'Rabbitmq Security', url: 'https://docs.openstack.org/security-guide/messaging/security.html'
describe rabbitmq_config.params('rabbit', 'tcp_listeners') do
it { should be_empty }
end
describe rabbitmq_config.params('rabbit', 'ssl_listeners') do
it { should cmp TLSPORT }
end
end
control 'check-messaging-03' do
title 'Check rabbitmq SSL certificate configuration'
desc 'Check if the correct ca and server certificate implemented and server key. The rabbitmq server should also check the client certificates.'
ref 'Rabbitmq Security', url: 'https://docs.openstack.org/security-guide/messaging/security.html'
describe rabbitmq_config.params('rabbit', 'ssl_options', 'cacertfile') do
it { should cmp TLSCACERT }
end
describe rabbitmq_config.params('rabbit', 'ssl_options', 'certfile') do
it { should cmp TLSCERT }
end
describe rabbitmq_config.params('rabbit', 'ssl_options', 'keyfile') do
it { should cmp TLSKEY }
end
end
control 'check-messaging-04' do
title 'Check rabbitmq check peer certificates'
desc 'Rabbitmq should verify the certificates from the clients and if the server does not receive a valid certificate it should not allow the connection from the client.'
ref 'Rabbitmq Security', url: 'https://docs.openstack.org/security-guide/messaging/security.html'
describe rabbitmq_config.params('rabbit', 'ssl_options', 'verify') do
it { should cmp 'verify_peer' }
end
describe rabbitmq_config.params('rabbit', 'ssl_options', 'fail_if_no_peer_cert') do
it { should cmp 'true' }
end
end
control 'check-messaging-05' do
title 'Check rabbitmq use only TLSv1.2'
desc 'Rabbitmq should only use TLSv1.2.'
ref 'Rabbitmq Security', url: 'https://docs.openstack.org/security-guide/messaging/security.html'
describe rabbitmq_config.params('ssl', 'versions') do
it { should cmp 'tlsv1.2' }
end
describe rabbitmq_config.params('rabbit', 'ssl_options', 'versions') do
it { should cmp 'tlsv1.2' }
end
end
control 'check-messaging-06' do
title 'Check for strong ciphers'
desc 'Use only strong ciphers for the rabbitmq TLSv1.2 connection.'
ref 'BSI recommendation', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102-2.pdf;jsessionid=30F658ACD2A772B0A2430C4DEC4AF7D1.1_cid341?__blob=publicationFile&v=4'
ref 'Mozilla recommendation', url: 'https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility'
describe rabbitmq_config.params('rabbit', 'ssl_options', 'ciphers') do
it { should eq [['ecdhe_ecdsa', 'aes_256_gcm', 'null', 'sha384'], ['ecdhe_rsa', 'aes_256_gcm', 'null', 'sha384'], ['ecdhe_ecdsa', 'aes_128_gcm', 'null', 'sha256'], ['ecdhe_rsa', 'aes_128_gcm', 'null', 'sha256']] }
end
end
control 'check-messaging-07' do
title 'Check for tls cipher honor order'
desc 'The rabbitmq server should force the tls cipher order'
ref 'Strong Ciphers for Apache, nginx and Lighttpd', url: 'https://cipherli.st/'
describe rabbitmq_config.params('rabbit', 'ssl_options', 'honor_cipher_order') do
it { should eq true }
end
end