✨ Implement Chef InSpec Parser (#9329)
* ✨ implement chefinspect, #6990 * force add unittestfiles against gitignore * 🐛 fix according to comment * 🐛 fix
1 parent
65b1ae0
commit 67f0e96
Showing
7 changed files
with
105 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
--- | ||
title: "Chef Inspect Log" | ||
toc_hide: true | ||
--- | ||
Chef Inspect outputs log from https://github.com/inspec/inspec | ||
|
||
### File Types | ||
DefectDojo parser accepts Chef Inspect log scan data as a .log or .txt file. | ||
|
||
### Sample Scan Data | ||
Sample Chef Inspect logs can be found at https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/chefinspect |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
__author__ = "manuel_sommer" |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
import json | ||
from dojo.models import Finding | ||
|
||
|
||
class ChefInspectParser(object): | ||
def get_scan_types(self): | ||
return ["Chef Inspect Log"] | ||
|
||
def get_label_for_scan_types(self, scan_type): | ||
return scan_type | ||
|
||
def get_description_for_scan_types(self, scan_type): | ||
return """Chef Inspect log file""" | ||
|
||
def convert_score(self, raw_value): | ||
val = float(raw_value) | ||
if val == 0.0: | ||
return "Info" | ||
elif val < 0.4: | ||
return "Low" | ||
elif val < 0.7: | ||
return "Medium" | ||
elif val < 0.9: | ||
return "High" | ||
else: | ||
return "Critical" | ||
|
||
def get_findings(self, file, test): | ||
lines = file.read() | ||
result = [] | ||
if isinstance(lines, bytes): | ||
lines = lines.decode("utf-8") | ||
loglines = lines.split("\n") | ||
for line in loglines: | ||
if len(line) != 0: | ||
json_object = json.loads(line) | ||
description = str(json_object.get('description')) + "\n\n" | ||
description += "batch_runtime: " + str(json_object.get('batch_runtime')) + "\n" | ||
description += "application_group: " + str(json_object.get('application_group')) + "\n" | ||
description += "zone: " + str(json_object.get('zone')) + "\n" | ||
description += "office: " + str(json_object.get('office')) + "\n" | ||
description += "dc: " + str(json_object.get('dc')) + "\n" | ||
description += "environment: " + str(json_object.get('environment')) + "\n" | ||
description += "id: " + str(json_object.get('id')) + "\n" | ||
description += "control_tags: " + str(json_object.get('control_tags')) + "\n" | ||
description += "platform: " + str(json_object.get('platform')) + "\n" | ||
description += "profile: " + str(json_object.get('profile')) + "\n" | ||
description += "group: " + str(json_object.get('group')) + "\n" | ||
description += "results: " + str(json_object.get('results')) + "\n" | ||
result.append( | ||
Finding( | ||
title=json_object.get("title"), | ||
description=description, | ||
severity=self.convert_score(json_object.get("impact")), | ||
active=True, | ||
) | ||
) | ||
return result |
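Review bot: `get_findings` builds an active Finding for every log line without reading the record's `status`, so a control that passed or was skipped is imported as an open issue whose severity comes only from `impact`; in the sample log added by this commit most records are `passed` with impact 1.0 and would be imported as active Critical findings. Consider deriving the state from the status, for example `active=json_object.get("status") == "failed",`, or skipping records that did not fail; which of the two fits depends on how the project wants compliant controls represented. Separately, `convert_score` calls `float(raw_value)` on `json_object.get("impact")`, which raises TypeError when a record carries no `impact` and aborts the whole import. A line holding only `\r` (CRLF input) also passes the `len(line) != 0` test and then fails in `json.loads`; iterating with `for line in lines.splitlines():` and guarding with `if not line.strip(): continue` would avoid that.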
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.1.1","title":"Ensure time synchronization is in use","impact":0.0,"control_tags":{"ISO27001_2013":["A.12.4.4"],"cis":"distribution-independent-linux:2.2.1.1","level":1},"description":"System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them.\n\nRationale: Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"System Package chrony is expected to be installed","run_time":0.00044244,"start_time":"2022-10-03T11:02:14+00:00"},{"status":"passed","code_desc":"Command: `chronyd` is expected to exist","run_time":0.00015116,"start_time":"2022-10-03T11:02:14+00:00"}],"control_runtime":0.0005936} | ||
{"status":"skipped","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.1.2","title":"Ensure ntp is configured","impact":1.0,"control_tags":{"ISO27001_2013":["A.12.4.4"],"cis":"distribution-independent-linux:2.2.1.2","level":1},"description":"ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server.\nThis recommendation only applies if ntp is in use on the system.\n\nRationale: If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"skipped","code_desc":"No-op","run_time":7.893e-06,"start_time":"2022-10-03T11:02:14+00:00","resource":"No-op","skip_message":"Skipped control due to only_if condition."}],"control_runtime":7.893e-06} | ||
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.1.3","title":"Ensure chrony is configured","impact":1.0,"control_tags":{"ISO27001_2013":["A.12.4.4"],"cis":"distribution-independent-linux:2.2.1.3","level":1},"description":"chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server.\n\nRationale: If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.\nThis recommendation only applies if chrony is in use on the system.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"File /etc/chrony.conf content is expected to match /^server\\s+\\S+/","run_time":0.000128649,"start_time":"2022-10-03T11:02:14+00:00"},{"status":"passed","code_desc":"Processes chronyd users is expected to cmp == \"chrony\"","run_time":0.000184573,"start_time":"2022-10-03T11:02:14+00:00"}],"control_runtime":0.000313222} | ||
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.2","title":"Ensure X Window System is not installed","impact":1.0,"control_tags":{"ISO27001_2013":["A.12.5.1"],"cis":"distribution-independent-linux:2.2.2","level":1},"description":"The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login.\n\nRationale: Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"Packages /^xserver-xorg.*/ names is expected to be empty","run_time":0.014531242,"start_time":"2022-10-03T11:02:14+00:00"},{"status":"passed","code_desc":"Packages /^xorg-x11-server.*/ names is expected to be empty","run_time":0.00461028,"start_time":"2022-10-03T11:02:14+00:00"}],"control_runtime":0.019141522} | ||
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.3","title":"Ensure Avahi Server is not enabled","impact":1.0,"control_tags":{"ISO27001_2013":["A.13.1.3"],"cis":"distribution-independent-linux:2.2.3","level":1},"description":"Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine.\n\nRationale: Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"Service avahi-daemon is expected not to be enabled","run_time":0.599389271,"start_time":"2022-10-03T11:02:14+00:00"},{"status":"passed","code_desc":"Service avahi-daemon is expected not to be running","run_time":0.000153889,"start_time":"2022-10-03T11:02:15+00:00"}],"control_runtime":0.59954316} | ||
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.4","title":"Ensure CUPS is not enabled","impact":1.0,"control_tags":{"ISO27001_2013":["A.13.1.3"],"cis":"distribution-independent-linux:2.2.4","level":1},"description":"The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability.\n\nRationale: If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"Service cups is expected not to be enabled","run_time":0.633429634,"start_time":"2022-10-03T11:02:15+00:00"},{"status":"passed","code_desc":"Service cups is expected not to be running","run_time":0.000191051,"start_time":"2022-10-03T11:02:15+00:00"}],"control_runtime":0.633620685} | ||
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.5","title":"Ensure DHCP Server is not enabled","impact":1.0,"control_tags":{"ISO27001_2013":["A.13.1.3"],"cis":"distribution-independent-linux:2.2.5","level":1},"description":"The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses.\n\nRationale: Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"Service isc-dhcp-server is expected not to be enabled","run_time":0.639691591,"start_time":"2022-10-03T11:02:15+00:00"},{"status":"passed","code_desc":"Service isc-dhcp-server is expected not to be running","run_time":0.000160418,"start_time":"2022-10-03T11:02:16+00:00"},{"status":"passed","code_desc":"Service isc-dhcp-server6 is expected not to be enabled","run_time":0.644534045,"start_time":"2022-10-03T11:02:16+00:00"},{"status":"passed","code_desc":"Service isc-dhcp-server6 is expected not to be running","run_time":0.000268166,"start_time":"2022-10-03T11:02:17+00:00"},{"status":"passed","code_desc":"Service dhcpd is expected not to be enabled","run_time":0.643181648,"start_time":"2022-10-03T11:02:17+00:00"},{"status":"passed","code_desc":"Service dhcpd is expected not to be running","run_time":0.000231542,"start_time":"2022-10-03T11:02:17+00:00"}],"control_runtime":1.92806741} | ||
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.6","title":"Ensure LDAP server is not enabled","impact":1.0,"control_tags":{"ISO27001_2013":["A.13.1.3"],"cis":"distribution-independent-linux:2.2.6","level":1},"description":"The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database.\n\nRationale: If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"Service slapd is expected not to be enabled","run_time":0.630785667,"start_time":"2022-10-03T11:02:17+00:00"},{"status":"passed","code_desc":"Service slapd is expected not to be running","run_time":0.000193827,"start_time":"2022-10-03T11:02:18+00:00"}],"control_runtime":0.6309794940000001} | ||
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.7","title":"Ensure NFS and RPC are not enabled","impact":1.0,"control_tags":{"ISO27001_2013":["A.13.1.3"],"cis":"distribution-independent-linux:2.2.7","level":1},"description":"The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network.\n\nRationale: If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"Service nfs-kernel-server is expected not to be enabled","run_time":0.632784742,"start_time":"2022-10-03T11:02:18+00:00"},{"status":"passed","code_desc":"Service nfs-kernel-server is expected not to be running","run_time":0.000166672,"start_time":"2022-10-03T11:02:19+00:00"},{"status":"passed","code_desc":"Service nfs is expected not to be enabled","run_time":0.640653182,"start_time":"2022-10-03T11:02:19+00:00"},{"status":"passed","code_desc":"Service nfs is expected not to be running","run_time":0.000215897,"start_time":"2022-10-03T11:02:19+00:00"},{"status":"passed","code_desc":"Service rpcbind is expected not to be enabled","run_time":0.643515006,"start_time":"2022-10-03T11:02:19+00:00"},{"status":"passed","code_desc":"Service rpcbind is expected not to be running","run_time":0.000154942,"start_time":"2022-10-03T11:02:20+00:00"}],"control_runtime":1.917490441} | ||
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.8","title":"Ensure DNS Server is not enabled","impact":1.0,"control_tags":{"ISO27001_2013":["A.13.1.3"],"cis":"distribution-independent-linux:2.2.8","level":1},"description":"The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network.\n\nRationale: Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"Service named is expected not to be enabled","run_time":0.632303089,"start_time":"2022-10-03T11:02:20+00:00"},{"status":"passed","code_desc":"Service named is expected not to be running","run_time":0.000154262,"start_time":"2022-10-03T11:02:20+00:00"},{"status":"passed","code_desc":"Service bind is expected not to be enabled","run_time":0.654657749,"start_time":"2022-10-03T11:02:20+00:00"},{"status":"passed","code_desc":"Service bind is expected not to be running","run_time":0.000212705,"start_time":"2022-10-03T11:02:21+00:00"},{"status":"passed","code_desc":"Service bind9 is expected not to be enabled","run_time":0.642811638,"start_time":"2022-10-03T11:02:21+00:00"},{"status":"passed","code_desc":"Service bind9 is expected not to be running","run_time":0.000207277,"start_time":"2022-10-03T11:02:22+00:00"}],"control_runtime":1.9303467199999997} |
Empty file.