✨ Implement Chef InSpec Parser #9329

Merged
merged 4 commits into from
Jan 19, 2024
11 changes: 11 additions & 0 deletions docs/content/en/integrations/parsers/file/chefinspect.md
@@ -0,0 +1,11 @@
---
title: "Chef Inspect Log"
toc_hide: true
---
Chef Inspect outputs log from https://github.com/inspec/inspec

### File Types
DefectDojo parser accepts Chef Inspect log scan data as a .log or .txt file.

### Sample Scan Data
Sample Chef Inspect logs can be found at https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/chefinspect
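Review bot: The format description on the first body line is a fragment and does not tell users what the parser actually expects. `Chef Inspect outputs log from https://github.com/inspec/inspec` should state that the input is the InSpec JSON output with one control object per line (the parser's `get_findings` loop calls `json.loads(line)` on every non-empty line), so a pretty-printed or single-document JSON export will fail to import. Also, the tool is spelled "InSpec" upstream and in the PR title, while the docs title, the scan type string `Chef Inspect Log` and the file paths use "Inspect"; settle on one spelling before the scan type name is released, since it becomes part of the import API.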
1 change: 1 addition & 0 deletions dojo/tools/chefinspect/__init__.py
@@ -0,0 +1 @@
__author__ = "manuel_sommer"
58 changes: 58 additions & 0 deletions dojo/tools/chefinspect/parser.py
@@ -0,0 +1,58 @@
import json

from dojo.models import Finding


class ChefInspectParser(object):
def get_scan_types(self):
return ["Chef Inspect Log"]

def get_label_for_scan_types(self, scan_type):
return scan_type

def get_description_for_scan_types(self, scan_type):
return """Chef Inspect log file"""

def convert_score(self, raw_value):
val = float(raw_value)
if val == 0.0:
return "Info"
elif val < 4.0:
return "Low"
elif val < 7.0:
return "Medium"
elif val < 9.0:
return "High"
else:
return "Critical"

def get_findings(self, file, test):
lines = file.read()
result = []
if isinstance(lines, bytes):
lines = lines.decode("utf-8")
loglines = lines.split("\n")
for line in loglines:
if len(line) != 0:
json_object = json.loads(line)
description = str(json_object.get('description')) + "\n\n"
description += "batch_runtime: " + str(json_object.get('batch_runtime')) + "\n"
description += "application_group: " + str(json_object.get('application_group')) + "\n"
description += "zone: " + str(json_object.get('zone')) + "\n"
description += "office: " + str(json_object.get('office')) + "\n"
description += "dc: " + str(json_object.get('dc')) + "\n"
description += "environment: " + str(json_object.get('environment')) + "\n"
description += "id: " + str(json_object.get('id')) + "\n"
description += "control_tags: " + str(json_object.get('control_tags')) + "\n"
description += "platform: " + str(json_object.get('platform')) + "\n"
description += "profile: " + str(json_object.get('profile')) + "\n"
description += "group: " + str(json_object.get('group')) + "\n"
description += "results: " + str(json_object.get('results')) + "\n"
result.append(
Finding(
title=json_object.get("title"),
description=description,
severity=self.convert_score(json_object.get("impact")),
active=True,
)
)
return result
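Review bot: `get_findings` ignores the per-control `status` and emits every line as a finding with `active=True`, so controls that InSpec reports as `passed` or `skipped` (both statuses appear in the sample log) are imported as open findings; either skip lines whose `status` is not `failed`, or carry the status through (e.g. `active=json_object.get("status") == "failed"`) so passing controls are not raised as vulnerabilities. Two smaller points in the same function: `convert_score` applies CVSS-style cut-offs (4.0/7.0/9.0) to `impact`, but InSpec impacts range from 0.0 to 1.0, so every `impact:1.0` control in the sample becomes `Low` and the `Medium`/`High`/`Critical` branches are unreachable; and `float(raw_value)` raises `TypeError` when `impact` is absent (`json_object.get("impact")` returns `None`), while `json.loads(line)` raises on any malformed line, so one bad line aborts the whole import instead of being reported. Consider `line.strip()` before the emptiness check so CRLF and whitespace-only lines are handled, and set `unique_id_from_tool=json_object.get("id")` so re-imports deduplicate on the control id rather than creating duplicates.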
10 changes: 10 additions & 0 deletions unittests/scans/chefinspect/many_findings.log
@@ -0,0 +1,10 @@
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.1.1","title":"Ensure time synchronization is in use","impact":0.0,"control_tags":{"ISO27001_2013":["A.12.4.4"],"cis":"distribution-independent-linux:2.2.1.1","level":1},"description":"System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them.\n\nRationale: Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"System Package chrony is expected to be installed","run_time":0.00044244,"start_time":"2022-10-03T11:02:14+00:00"},{"status":"passed","code_desc":"Command: `chronyd` is expected to exist","run_time":0.00015116,"start_time":"2022-10-03T11:02:14+00:00"}],"control_runtime":0.0005936}
{"status":"skipped","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.1.2","title":"Ensure ntp is configured","impact":1.0,"control_tags":{"ISO27001_2013":["A.12.4.4"],"cis":"distribution-independent-linux:2.2.1.2","level":1},"description":"ntp is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. ntp can be configured to be a client and/or a server.\nThis recommendation only applies if ntp is in use on the system.\n\nRationale: If ntp is in use on the system proper configuration is vital to ensuring time synchronization is working properly.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"skipped","code_desc":"No-op","run_time":7.893e-06,"start_time":"2022-10-03T11:02:14+00:00","resource":"No-op","skip_message":"Skipped control due to only_if condition."}],"control_runtime":7.893e-06}
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.1.3","title":"Ensure chrony is configured","impact":1.0,"control_tags":{"ISO27001_2013":["A.12.4.4"],"cis":"distribution-independent-linux:2.2.1.3","level":1},"description":"chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. chrony can be configured to be a client and/or a server.\n\nRationale: If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.\nThis recommendation only applies if chrony is in use on the system.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"File /etc/chrony.conf content is expected to match /^server\\s+\\S+/","run_time":0.000128649,"start_time":"2022-10-03T11:02:14+00:00"},{"status":"passed","code_desc":"Processes chronyd users is expected to cmp == \"chrony\"","run_time":0.000184573,"start_time":"2022-10-03T11:02:14+00:00"}],"control_runtime":0.000313222}
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.2","title":"Ensure X Window System is not installed","impact":1.0,"control_tags":{"ISO27001_2013":["A.12.5.1"],"cis":"distribution-independent-linux:2.2.2","level":1},"description":"The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login.\n\nRationale: Unless your organization specifically requires graphical login access via X Windows, remove it to reduce the potential attack surface.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"Packages /^xserver-xorg.*/ names is expected to be empty","run_time":0.014531242,"start_time":"2022-10-03T11:02:14+00:00"},{"status":"passed","code_desc":"Packages /^xorg-x11-server.*/ names is expected to be empty","run_time":0.00461028,"start_time":"2022-10-03T11:02:14+00:00"}],"control_runtime":0.019141522}
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.3","title":"Ensure Avahi Server is not enabled","impact":1.0,"control_tags":{"ISO27001_2013":["A.13.1.3"],"cis":"distribution-independent-linux:2.2.3","level":1},"description":"Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine.\n\nRationale: Automatic discovery of network services is not normally required for system functionality. It is recommended to disable the service to reduce the potential attach surface.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"Service avahi-daemon is expected not to be enabled","run_time":0.599389271,"start_time":"2022-10-03T11:02:14+00:00"},{"status":"passed","code_desc":"Service avahi-daemon is expected not to be running","run_time":0.000153889,"start_time":"2022-10-03T11:02:15+00:00"}],"control_runtime":0.59954316}
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.4","title":"Ensure CUPS is not enabled","impact":1.0,"control_tags":{"ISO27001_2013":["A.13.1.3"],"cis":"distribution-independent-linux:2.2.4","level":1},"description":"The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability.\n\nRationale: If the system does not need to print jobs or accept print jobs from other systems, it is recommended that CUPS be disabled to reduce the potential attack surface.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"Service cups is expected not to be enabled","run_time":0.633429634,"start_time":"2022-10-03T11:02:15+00:00"},{"status":"passed","code_desc":"Service cups is expected not to be running","run_time":0.000191051,"start_time":"2022-10-03T11:02:15+00:00"}],"control_runtime":0.633620685}
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.5","title":"Ensure DHCP Server is not enabled","impact":1.0,"control_tags":{"ISO27001_2013":["A.13.1.3"],"cis":"distribution-independent-linux:2.2.5","level":1},"description":"The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses.\n\nRationale: Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"Service isc-dhcp-server is expected not to be enabled","run_time":0.639691591,"start_time":"2022-10-03T11:02:15+00:00"},{"status":"passed","code_desc":"Service isc-dhcp-server is expected not to be running","run_time":0.000160418,"start_time":"2022-10-03T11:02:16+00:00"},{"status":"passed","code_desc":"Service isc-dhcp-server6 is expected not to be enabled","run_time":0.644534045,"start_time":"2022-10-03T11:02:16+00:00"},{"status":"passed","code_desc":"Service isc-dhcp-server6 is expected not to be running","run_time":0.000268166,"start_time":"2022-10-03T11:02:17+00:00"},{"status":"passed","code_desc":"Service dhcpd is expected not to be enabled","run_time":0.643181648,"start_time":"2022-10-03T11:02:17+00:00"},{"status":"passed","code_desc":"Service dhcpd is expected not to be running","run_time":0.000231542,"start_time":"2022-10-03T11:02:17+00:00"}],"control_runtime":1.92806741}
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.6","title":"Ensure LDAP server is not enabled","impact":1.0,"control_tags":{"ISO27001_2013":["A.13.1.3"],"cis":"distribution-independent-linux:2.2.6","level":1},"description":"The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database.\n\nRationale: If the system will not need to act as an LDAP server, it is recommended that the software be disabled to reduce the potential attack surface.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"Service slapd is expected not to be enabled","run_time":0.630785667,"start_time":"2022-10-03T11:02:17+00:00"},{"status":"passed","code_desc":"Service slapd is expected not to be running","run_time":0.000193827,"start_time":"2022-10-03T11:02:18+00:00"}],"control_runtime":0.6309794940000001}
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.7","title":"Ensure NFS and RPC are not enabled","impact":1.0,"control_tags":{"ISO27001_2013":["A.13.1.3"],"cis":"distribution-independent-linux:2.2.7","level":1},"description":"The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network.\n\nRationale: If the system does not export NFS shares or act as an NFS client, it is recommended that these services be disabled to reduce remote attack surface.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"Service nfs-kernel-server is expected not to be enabled","run_time":0.632784742,"start_time":"2022-10-03T11:02:18+00:00"},{"status":"passed","code_desc":"Service nfs-kernel-server is expected not to be running","run_time":0.000166672,"start_time":"2022-10-03T11:02:19+00:00"},{"status":"passed","code_desc":"Service nfs is expected not to be enabled","run_time":0.640653182,"start_time":"2022-10-03T11:02:19+00:00"},{"status":"passed","code_desc":"Service nfs is expected not to be running","run_time":0.000215897,"start_time":"2022-10-03T11:02:19+00:00"},{"status":"passed","code_desc":"Service rpcbind is expected not to be enabled","run_time":0.643515006,"start_time":"2022-10-03T11:02:19+00:00"},{"status":"passed","code_desc":"Service rpcbind is expected not to be running","run_time":0.000154942,"start_time":"2022-10-03T11:02:20+00:00"}],"control_runtime":1.917490441}
{"status":"passed","batch_runtime":"2022-10-03","application_group":"logserver","zone":"domain","office":"officename","dc":null,"environment":"unknown","id":"cis-dil-benchmark-2.2.8","title":"Ensure DNS Server is not enabled","impact":1.0,"control_tags":{"ISO27001_2013":["A.13.1.3"],"cis":"distribution-independent-linux:2.2.8","level":1},"description":"The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network.\n\nRationale: Unless a system is specifically designated to act as a DNS server, it is recommended that the package be deleted to reduce the potential attack surface.","platform":{"name":"redhat","release":"8.5","target_id":"logsrv01.domain.dk"},"profile":{"name":"cis-dil-benchmark","title":"CIS Distribution Independent Linux Benchmark Profile","version":"0.3.0","supports":"[{\"platform-family\":\"linux\"}]"},"group":{"id":"controls/2_2_special_purpose_services.rb","title":"2.2 Special Purpose Services"},"results":[{"status":"passed","code_desc":"Service named is expected not to be enabled","run_time":0.632303089,"start_time":"2022-10-03T11:02:20+00:00"},{"status":"passed","code_desc":"Service named is expected not to be running","run_time":0.000154262,"start_time":"2022-10-03T11:02:20+00:00"},{"status":"passed","code_desc":"Service bind is expected not to be enabled","run_time":0.654657749,"start_time":"2022-10-03T11:02:20+00:00"},{"status":"passed","code_desc":"Service bind is expected not to be running","run_time":0.000212705,"start_time":"2022-10-03T11:02:21+00:00"},{"status":"passed","code_desc":"Service bind9 is expected not to be enabled","run_time":0.642811638,"start_time":"2022-10-03T11:02:21+00:00"},{"status":"passed","code_desc":"Service bind9 is expected not to be running","run_time":0.000207277,"start_time":"2022-10-03T11:02:22+00:00"}],"control_runtime":1.9303467199999997}
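Review bot: Every control in this sample is `passed` or `skipped`, and every non-zero `impact` is `1.0`, so a unit test built on it cannot exercise the case the parser exists for (a `failed` control) nor any severity branch above `Low`. Add at least one line with `"status":"failed"` (and a failed entry in `results`) so the expected finding count and severity asserted in the tests are meaningful rather than a tautology over all-passing data.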
Empty file.