goss-org / goss

Quick and Easy server testing/validation
https://goss.rocks
Apache License 2.0

Add getcap "capabilities" for posix files. #971

Open buckeye43210 opened 2 months ago

buckeye43210 commented 2 months ago

Describe the feature:

Describe the solution you'd like

Describe alternatives you've considered

buckeye43210 commented 2 months ago

Please add getcap "capabilities" command for posix files.

aelsabbahy commented 2 months ago

Hello, thanks for filing this. Can you provide more context on what you're looking for? Perhaps some example test files and what you're looking to test.

Also, where does the command fall short for you?

buckeye43210 commented 2 months ago

We have a requirement to run the Nessus Scanner on Linux as a non-privileged user.

I have a named Ansible task to apply the setcap capabilities.

- name: Applying Setcap attributes
  community.general.capabilities:
    path: "{{ item }}"
    capability: "{{ setcap_value }}"
    state: present
  loop:
    - /opt/nessus/sbin/nessusd
    - /opt/nessus/sbin/nessus-service
  changed_when: false

To create the validation test I'd like to run the following:

goss add file /opt/nessus/sbin/nessusd
goss add file /opt/nessus/sbin/nessus-service

The resulting config.yaml should look something like this:

file:
  /opt/nessus/sbin/nessusd:
    exists: true
    mode: "0750"
    owner: foo
    group: bar
    filetype: file
    contains:
    capabilities:
      - "cap_net_admin,cap_net_raw,cap_sys_resource+eip"
  /opt/nessus/sbin/nessus-service:
    exists: true
    mode: "0750"
    owner: foo
    group: bar
    filetype: file
    contains:
    capabilities:
      - "cap_net_admin,cap_net_raw,cap_sys_resource+eip"

Here are the suggested changes recommended by ChatGPT:

  1. Modify the File Addition Code Once you've identified the file addition code, you'll want to modify it to fetch capabilities using the getcaps function (likely involving interaction with the system's capabilities system). Example:

In Unix-based systems, capabilities are managed using tools like libcap. You might need to add a dependency for handling capabilities in Go, such as using golang.org/x/sys/unix to retrieve and add them. Example addition using Go:

import (
    "golang.org/x/sys/unix"
)

// getFileCapabilities returns the raw security.capability extended attribute
// of filePath, i.e. the encoded form that setcap writes. unix.Getxattr fills a
// byte buffer and returns the attribute size; a nil result means the file
// carries no capabilities.
func getFileCapabilities(filePath string) ([]byte, error) {
    buf := make([]byte, 64)
    n, err := unix.Getxattr(filePath, "security.capability", buf)
    if err == unix.ENODATA {
        return nil, nil // no capabilities set on this file
    }
    if err != nil {
        return nil, err
    }
    return buf[:n], nil
}
  2. Add the Capabilities Check to the goss add file Command Modify the goss add file logic to incorporate this new capability check:
import "fmt"

// addFileWithCapabilities runs the existing "add file" logic and then reports
// the file's capabilities. addFile stands for goss's existing file-adding code
// and is assumed to exist in the code base.
func addFileWithCapabilities(filePath string) error {
    // Original file addition logic
    err := addFile(filePath)
    if err != nil {
        return err
    }

    // Fetch file capabilities (raw security.capability attribute bytes)
    caps, err := getFileCapabilities(filePath)
    if err != nil {
        return err
    }

    // Add capabilities to the configuration or output
    fmt.Printf("capabilities: %v\n", caps)
    return nil
}
  3. Testing the Implementation Write unit tests to ensure that the capabilities fetching and addition work correctly. You can use Go’s testing framework to add tests for this new functionality:
import "testing"

// The path must point at a file that actually has capabilities set
// (e.g. one prepared with setcap) for this test to pass.
func TestGetFileCapabilities(t *testing.T) {
    caps, err := getFileCapabilities("/path/to/file")
    if err != nil {
        t.Fatalf("Error retrieving capabilities: %v", err)
    }

    if len(caps) == 0 {
        t.Errorf("Expected capabilities, got none")
    }
}
  4. Rebuild and Test GOSS Once the code is updated, rebuild GOSS:
go build

Run your modified version of goss and test that the new getcaps functionality works:

./goss add file /path/to/file

Hope this helps.
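The sketch above stops at reading the raw xattr; what the requested `capabilities:` field actually needs is the step that turns those bytes into the setcap-style string used in the config.yaml earlier in the thread. The following is an added example written for this thread, not goss project code and not part of the suggestions above. It assumes the input is the raw `security.capability` attribute as returned by `Getxattr` (the thread's `getFileCapabilities` or `syscall.Getxattr`), decodes the kernel's `vfs_cap_data` (revision 2) and `vfs_ns_cap_data` (revision 3) layouts, and renders them in the `cap_a,cap_b+eip` form; capabilities with different e/i/p flags are grouped separately. `DecodeVFSCaps`, `FileCaps`, `Text`, `when`, `capNames` and the constructed `sampleAttr` bytes are this example's own names.

```go
package main

// Added example, not goss project code: decode the Linux security.capability
// xattr that setcap(8) writes (struct vfs_cap_data / vfs_ns_cap_data in
// linux/capability.h) and render it as "cap_net_admin,cap_net_raw,cap_sys_resource+eip".
import (
	"encoding/binary"
	"fmt"
	"strings"
)

// Capability names indexed by bit number, as numbered in linux/capability.h.
var capNames = strings.Fields(`cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill
cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin
cap_net_raw cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace cap_sys_pacct
cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease
cap_audit_write cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog cap_wake_alarm
cap_block_suspend cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore`)

const (
	vfsCapRevisionMask   = 0xFF000000
	vfsCapRevision2      = 0x02000000 // two 32-bit permitted/inheritable pairs (low word, high word)
	vfsCapRevision3      = 0x03000000 // v2 layout plus a rootid for user namespaces
	vfsCapFlagsEffective = 0x00000001 // "every permitted cap is also effective"
)

// FileCaps is the decoded content of one security.capability attribute.
type FileCaps struct {
	Permitted, Inheritable uint64
	Effective              bool
	RootID                 uint32
}

// DecodeVFSCaps parses raw attribute bytes of revision 2 or 3 (the layouts
// current kernels write); anything else is rejected rather than guessed at.
func DecodeVFSCaps(raw []byte) (FileCaps, error) {
	var fc FileCaps
	if len(raw) < 20 {
		return fc, fmt.Errorf("security.capability too short: %d bytes", len(raw))
	}
	word := func(off int) uint32 { return binary.LittleEndian.Uint32(raw[off : off+4]) }
	magic := word(0)
	rev := magic & vfsCapRevisionMask
	if rev != vfsCapRevision2 && rev != vfsCapRevision3 {
		return fc, fmt.Errorf("unsupported capability revision 0x%08x", rev)
	}
	if rev == vfsCapRevision3 && len(raw) < 24 {
		return fc, fmt.Errorf("truncated v3 capability data: %d bytes", len(raw))
	}
	fc.Effective = magic&vfsCapFlagsEffective != 0
	fc.Permitted = uint64(word(4)) | uint64(word(12))<<32
	fc.Inheritable = uint64(word(8)) | uint64(word(16))<<32
	if rev == vfsCapRevision3 {
		fc.RootID = word(20)
	}
	return fc, nil
}

// when returns s if c holds, else "" (spells the e/i/p flag letters).
func when(c bool, s string) string {
	if c {
		return s
	}
	return ""
}

// Text renders the set in setcap syntax, grouping capabilities that share flags: "cap_net_raw+ep", "cap_a,cap_b+eip cap_c+p".
func (fc FileCaps) Text() string {
	groups, order := map[string][]string{}, []string{}
	for bit := 0; bit < 64; bit++ {
		p, i := fc.Permitted&(1<<bit) != 0, fc.Inheritable&(1<<bit) != 0
		if !p && !i {
			continue
		}
		name := fmt.Sprint(bit) // a bit newer than the table above
		if bit < len(capNames) {
			name = capNames[bit]
		}
		flags := when(p && fc.Effective, "e") + when(i, "i") + when(p, "p")
		if _, seen := groups[flags]; !seen {
			order = append(order, flags)
		}
		groups[flags] = append(groups[flags], name)
	}
	parts := []string{}
	for _, flags := range order {
		parts = append(parts, strings.Join(groups[flags], ",")+"+"+flags)
	}
	return strings.Join(parts, " ")
}

// Constructed sample (not read from a real file): the v2 attribute setcap stores for
// the issue's value: magic 0x02000001 (rev 2 + effective), permitted = inheritable = bits 12, 13, 24.
var sampleAttr = []byte{1, 0, 0, 2, 0, 0x30, 0, 1, 0, 0x30, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0}

func main() {
	fc, _ := DecodeVFSCaps(sampleAttr)
	fmt.Println("sample:", fc.Text()) // cap_net_admin,cap_net_raw,cap_sys_resource+eip
}
```

Feeding the bytes from a real `Getxattr` call into `DecodeVFSCaps` and comparing `Text()` against the configured value is all a `capabilities:` assertion would need; until goss has that natively, a `command` resource that runs `getcap` on the path and asserts on its stdout covers the same requirement.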