fix(security): Add a security test recipe

CHANGELOG.md

@@ -4,7 +4,6 @@ This file is used to list changes made in each version of the haproxy cookbook.
 
 ## [12.4.11](https://github.com/sous-chefs/haproxy/compare/v12.4.10...v12.4.11) (2025-09-15)
 
-
 ### Bug Fixes
 
 * **ci:** Fix share command ([#556](https://github.com/sous-chefs/haproxy/issues/556)) ([f63a220](https://github.com/sous-chefs/haproxy/commit/f63a220b586cd8d6c54f9401f4b42769d2a0239c))
@@ -85,6 +84,7 @@ This file is used to list changes made in each version of the haproxy cookbook.
 
 ## 12.4.1 - *2025-09-04*
 
+
 ## 12.4.0 - *2024-12-09*
 
 * Add `option` property to `haproxy_listen`
@@ -169,8 +169,6 @@ Standardise files with files in sous-chefs/repo-management
 
 Standardise files with files in sous-chefs/repo-management
 
-Standardise files with files in sous-chefs/repo-management
-
 ## 12.2.8 - *2023-02-14*
 
 Standardise files with files in sous-chefs/repo-management
@@ -392,6 +390,14 @@ Standardise files with files in sous-chefs/repo-management
 * Documentation - clarify extra_options hash string => array option.
 * Clarify the supported platforms - add AmazonLinux 2, remove fedora & freebsd.
 
+### Fixed
+
+* Init script for Amazon Linux.
+
+### BREAKING CHANGES
+
+* This version removes `stats_socket`, `stats_uri` and `stats_timeout` properties from the `haproxy_global` and `haproxy_listen` resources in favour of using a hash to pass configuration options.
+
 ## [v6.2.7] (2019-01-10)
 
 ### Added
@@ -578,8 +584,16 @@ Standardise files with files in sous-chefs/repo-management
 
 ### Removed
 
+* Attributes from the metadata file as these are redundant
+* Broken tarball validation in the source recipe to prevented installs from completing
+
+### Fixed
+
+* Source installs not running if an older version was present on the node
+* Resolved all cookstyle and foodcritic warnings
 * `default_backend` as a required property on the `frontend` resource.
 
+
 ## [v4.2.0] (2017-05-04)
 
 ### Added
@@ -783,6 +797,7 @@ Standardise files with files in sous-chefs/repo-management
 
 ### Fixed
 
+* Init script for Amazon Linux.
 * CPU Tuning, corrects cpu_affinity resource triggers
 
 ## v1.6.4

README.md

@@ -15,18 +15,18 @@ This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of
 ## Requirements
 
 * HAProxy `stable` or `LTS`
-* Chef 13.9+
+* Chef 16+
 
 ### Platforms
 
 This cookbook officially supports and is tested against the following platforms:
 
-* debian: 9 & 10
-* ubuntu: 20.04 & 21.04
-* centos: 7 & 8
-* centos-stream: 8
+* debian: 11 & 12
+* ubuntu: 20.04 & 22.04
+* centos-stream: 8 & 9
+* amazonlinux: 2023
 * fedora: latest
-* amazonlinux: 2
+* opensuseleap
 
 PRs are welcome to add support for additional platforms.
 

kitchen.yml

@@ -46,6 +46,12 @@ suites:
   - name: source_openssl
     run_list:
       - recipe[test::source_openssl]
+  - name: security
+    run_list:
+      - recipe[test::package]
+    verifier:
+      inspec_tests:
+        - test/integration/security
   - name: config_2
     run_list:
       - recipe[test::config_2]

test/cookbooks/test/recipes/security.rb

@@ -0,0 +1,45 @@
+# Test recipe for security configuration
+haproxy_install 'package'
+
+# Configure global settings
+haproxy_config_global 'global' do
+  user 'haproxy'
+  group 'haproxy'
+  log '/dev/log syslog info'
+  log_tag 'haproxy'
+  daemon true
+  quiet true
+  stats_socket '/var/run/haproxy.sock user haproxy group haproxy'
+  stats_timeout '2m'
+  maxconn 1000
+  pidfile '/var/run/haproxy.pid'
+end
+
+# Configure defaults
+haproxy_config_defaults 'defaults' do
+  timeout_client '10s'
+  timeout_server '10s'
+  timeout_connect '10s'
+  log 'global'
+  mode 'http'
+  balance 'roundrobin'
+  option %w(httplog dontlognull redispatch tcplog)
+end
+
+# Configure frontend
+haproxy_frontend 'http-in' do
+  bind '0.0.0.0:80'
+  default_backend 'servers'
+end
+
+# Configure backend
+haproxy_backend 'servers' do
+  server ['server1 127.0.0.1:8000 maxconn 32']
+end
+
+# Ensure config file permissions
+file '/etc/haproxy/haproxy.cfg' do
+  owner 'haproxy'
+  group 'haproxy'
+  mode '0640'
+end

test/integration/security/controls/secure_defaults_spec.rb

@@ -0,0 +1,62 @@
+title 'HAProxy Secure Configuration Checks'
+
+# Include common HAProxy tests
+include_controls 'common'
+
+# Security Baseline for HAProxy Configuration
+describe 'HAProxy Security Defaults' do
+  # Global Security Checks
+  describe file('/etc/haproxy/haproxy.cfg') do
+    # Basic configuration
+    its('content') { should match(/^\s*user\s+haproxy/) }
+    its('content') { should match(/^\s*group\s+haproxy/) }
+    its('content') { should match(/^\s*daemon/) }
+
+    # Logging configuration
+    its('content') { should match(%r{^\s*log\s+/dev/log\s+syslog\s+info}) }
+    its('content') { should match(/^\s*log-tag\s+haproxy/) }
+    its('content') { should_not match(/^\s*log-send-hostname/) }
+
+    # Stats socket configuration
+    its('content') { should match(%r{^\s*stats\s+socket\s+/var/run/haproxy\.sock\s+user\s+haproxy\s+group\s+haproxy}) }
+    its('content') { should match(/^\s*stats\s+timeout\s+2m/) }
+
+    # Connection settings
+    its('content') { should match(/^\s*maxconn\s+1000/) }
+
+    # Default timeouts
+    its('content') { should match(/^\s*timeout\s+client\s+10s/) }
+    its('content') { should match(/^\s*timeout\s+server\s+10s/) }
+    its('content') { should match(/^\s*timeout\s+connect\s+10s/) }
+
+    # Default options
+    its('content') { should match(/^\s*option\s+httplog/) }
+    its('content') { should match(/^\s*option\s+dontlognull/) }
+    its('content') { should match(/^\s*option\s+redispatch/) }
+    its('content') { should match(/^\s*option\s+tcplog/) }
+
+    # Mode and balance
+    its('content') { should match(/^\s*mode\s+http/) }
+    its('content') { should match(/^\s*balance\s+roundrobin/) }
+
+    # File permissions
+    it { should be_owned_by 'haproxy' }
+    it { should be_grouped_into 'haproxy' }
+    its('mode') { should cmp '0640' }
+  end
+
+  # Service Configuration
+  describe service('haproxy') do
+    it { should be_enabled }
+    it { should be_running }
+  end
+end
+
+# Additional Security Recommendations
+describe 'Security Recommendations' do
+  # Validate service configuration
+  describe service('haproxy') do
+    it { should be_enabled }
+    it { should be_running }
+  end
+end

test/integration/security/inspec.yml

@@ -0,0 +1,9 @@
+---
+name: security
+title: HAProxy Security Profile
+version: 0.1.0
+supports:
+  - os-family: linux
+depends:
+  - name: common
+    path: test/integration/common