openstack_taster 1.0.1 → 1.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/openstack_taster.rb +2 -1
- data/tests/controls/security_test.rb +28 -6
- data/tests/inspec.yml +2 -2
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 847cb5a20b108d188a612e254b26c30d553efd90
|
|
4
|
+
data.tar.gz: 36527d054338e59a9a6410541a3e532b1b096caa
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 94623399b8a7d779b9db8e96410dcaffb4c144c2c41d0b2ba6ecbbdd6d5da1e100ac55b67be4efe9fb959a4b1f6ca7926928715e8bd56c1f60fbedb83b68f975
|
|
7
|
+
data.tar.gz: ab0ae7a389592b96ae43e5a712c2ed5af1a438cd277dae8ee6126d3bd6492aaa5ade5713d1b7db3ace62aab69cb590e5ff7b22961a3366ce6f0d9c7caa361d67
|
data/lib/openstack_taster.rb
CHANGED
|
@@ -9,7 +9,7 @@ require 'inspec'
|
|
|
9
9
|
|
|
10
10
|
# @author Andrew Tolvstad, Samarendra Hedaoo, Cody Holliday
|
|
11
11
|
class OpenStackTaster
|
|
12
|
-
INSTANCE_FLAVOR_NAME = 'm1.
|
|
12
|
+
INSTANCE_FLAVOR_NAME = 'm1.tiny'
|
|
13
13
|
INSTANCE_NETWORK_NAME = 'public'
|
|
14
14
|
INSTANCE_NAME_PREFIX = 'taster'
|
|
15
15
|
INSTANCE_VOLUME_MOUNT_POINT = '/mnt/taster_volume'
|
|
@@ -155,6 +155,7 @@ class OpenStackTaster
|
|
|
155
155
|
'host' => instance.addresses['public'].first['addr'],
|
|
156
156
|
'port' => 22,
|
|
157
157
|
'user' => username,
|
|
158
|
+
'sudo' => true,
|
|
158
159
|
'keys_only' => true,
|
|
159
160
|
'key_files' => @ssh_private_key,
|
|
160
161
|
'logger' => instance.logger
|
|
@@ -4,13 +4,25 @@ control 'security-1.0' do
|
|
|
4
4
|
title 'Openstack Image Security Test'
|
|
5
5
|
desc 'Tests the security of images used for Openstack.'
|
|
6
6
|
|
|
7
|
-
username =
|
|
7
|
+
username = os.name
|
|
8
8
|
|
|
9
|
-
describe
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
9
|
+
describe 'saved sshd config' do
|
|
10
|
+
let(:resource) { command('sudo cat /etc/ssh/sshd_config') }
|
|
11
|
+
|
|
12
|
+
it 'should not permit root login' do
|
|
13
|
+
expect(resource.stdout).to cmp(/^PermitRootLogin no/i)
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
it 'should not permit password authentication' do
|
|
17
|
+
expect(resource.stdout).to cmp(/^PasswordAuthentication no/i)
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
it 'should not permit challenge response authentication' do
|
|
21
|
+
expect(resource.stdout).to cmp(/^ChallengeResponseAuthentication no/i)
|
|
22
|
+
end
|
|
23
|
+
it 'should not permit keyboard interactive authentication' do
|
|
24
|
+
expect(resource.stdout).to cmp(/^KbdInteractiveAuthentication no/i)
|
|
25
|
+
end
|
|
14
26
|
end
|
|
15
27
|
|
|
16
28
|
describe 'running sshd config' do
|
|
@@ -48,4 +60,14 @@ control 'security-1.0' do
|
|
|
48
60
|
its('stdout') { should cmp(/\(ALL\) ((NO)*PASSWD)*: ALL/) }
|
|
49
61
|
end
|
|
50
62
|
end
|
|
63
|
+
|
|
64
|
+
# ssh should be the only thing listening
|
|
65
|
+
describe port.where { protocol =~ /tcp/ && port != 22 } do
|
|
66
|
+
it { should_not be_listening }
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
# It's OK if dhclient is listening
|
|
70
|
+
describe port.where { protocol =~ /udp/ && port != 68 && process != 'dhclient' } do
|
|
71
|
+
it { should_not be_listening }
|
|
72
|
+
end
|
|
51
73
|
end
|
data/tests/inspec.yml
CHANGED
|
@@ -3,5 +3,5 @@ title: OpenPower Security Test Suite
|
|
|
3
3
|
maintainer: OSU Open Source Lab
|
|
4
4
|
copyright: Oregon State University
|
|
5
5
|
license: Apache License, Version 2.0
|
|
6
|
-
summary: Verify that an image has correctly configured security settings.
|
|
7
|
-
version: 1.0.
|
|
6
|
+
summary: Verify that an image has correctly configured security settings.
|
|
7
|
+
version: 1.0.2
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: openstack_taster
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- OSU Open Source Lab
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-12-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: inspec
|
|
@@ -115,7 +115,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
115
115
|
version: '0'
|
|
116
116
|
requirements: []
|
|
117
117
|
rubyforge_project:
|
|
118
|
-
rubygems_version: 2.
|
|
118
|
+
rubygems_version: 2.5.1
|
|
119
119
|
signing_key:
|
|
120
120
|
specification_version: 4
|
|
121
121
|
summary: Taste all of the OpenStack's basic functionality for an image
|