simp-beaker-helpers 1.23.0 → 1.23.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 77288902c91655a0e3f5c7db8d5573375e3c341638a8bfc3be82b76f7753f3f6
-  data.tar.gz: ec02b6c05c5b1b69615b83b7ed5682d1e2ba9619d72752c4adfa5d48e3e3ec61
+  metadata.gz: 4a8f3a3f4dc773c215796e464031e1ab00ed025c9a3346fd4573d12a1a072fd9
+  data.tar.gz: 1d55ad88ebae56afe2e807ad1a27d3e6ee5828499ef2f3655770b71f8660d579
 SHA512:
-  metadata.gz: 6c006e7df61eaeb23dce36101ae518d88f99f34778821402973cf5c9358226572beab46c319fafee6487bbf325dbe07f72f7343c49d023e3d9949dd695092b57
-  data.tar.gz: f0535c393d9a6b6b8e3e9484fcf52e78adc4892bd0eca8255479eb06185e9865ddad9af2c6c5f3cd67d55c537632f88e178c39e6ad4a48757e2b61d7b229b826
+  metadata.gz: 10d292eb75b4bcd9d2bfc2bc5223367ea2706db88cdc29d016b37db9864530d6a923e56339d1f37a5b4e9b9cf1edeb34c179d73d5a56361416145a363c02890e
+  data.tar.gz: f877ae87cf79c64786aeaf800cb1d8b839ad251c80664e128b498a7e555d9661a7034e677d1682bcbc91fb8ce00ba504f5ed22035ad6ed877df45d0c8851b241

data/.fixtures.yml

@@ -4,4 +4,9 @@ fixtures:
     stdlib: https://github.com/simp/puppetlabs-stdlib
     simplib: https://github.com/simp/pupmod-simp-simplib
     compliance_markup: https://github.com/simp/pupmod-simp-compliance_markup
-
+    disa_stig-el7-baseline:
+      repo: https://github.com/mitre/redhat-enterprise-linux-7-stig-baseline
+      target: spec/fixtures/inspec_deps/inspec_profiles/profiles
+    disa_stig-el8-baseline:
+      repo: https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline
+      target: spec/fixtures/inspec_deps/inspec_profiles/profiles

data/.github/workflows/pr_acceptance.yml

@@ -0,0 +1,55 @@
+# Run all tests as GitHub Actions
+name: Unit Tests
+on:
+  push:
+    branches:
+      # A test branch for seeing if your tests will pass in your personal fork
+      - test_me_github
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+jobs:
+  acceptance:
+    runs-on:
+      - ubuntu-latest
+    strategy:
+      matrix:
+        ruby:
+          - 2.6
+      fail-fast: false
+    steps:
+      - name: checkout repo
+        uses: actions/checkout@v2
+      - name: setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+      - name: ensure entropy
+        run: |
+          sudo apt-get update -y
+          sudo apt-get install -y rng-tools
+          sudo systemctl start rng-tools
+      - name: install docker
+        run: |
+          set -x
+          sudo apt-get remove -y podman ||:
+          sudo apt-get install -y docker-ce docker docker-engine docker.io containerd runc ||:
+          sudo apt-get update
+          sudo apt autoremove -y
+          sudo systemctl start docker
+      - name: install bundler
+        run: |
+          gem install bundler
+          bundle update
+      - name: beaker
+        run: |
+          bundle exec rake beaker:suites[default,docker]
+      - name: beaker puppet_collections
+        run: |
+          bundle exec rake beaker:suites[puppet_collections,docker]
+      - name: beaker ssg
+        run: |
+          bundle exec rake beaker:suites[ssg,docker]
+      - name: beaker inspec
+        run: |
+          bundle exec rake beaker:suites[inspec,docker]

data/.github/workflows/pr_tests.yml

@@ -0,0 +1,90 @@
+# Run Puppet checks and test matrix on Pull Requests
+# ------------------------------------------------------------------------------
+#             NOTICE: **This file is maintained with puppetsync**
+#
+# This file is updated automatically as part of a puppet module baseline.
+#
+# The next baseline sync will overwrite any local changes to this file!
+#
+# ==============================================================================
+#
+# The testing matrix considers ruby/puppet versions supported by SIMP and PE:
+# ------------------------------------------------------------------------------
+# Release       Puppet   Ruby    EOL
+# SIMP 6.4      5.5      2.40    TBD
+# PE 2018.1     5.5      2.40    2021-01 (LTS overlap)
+# PE 2019.8     6.18     2.5     2022-12 (LTS)
+#
+# https://puppet.com/docs/pe/2018.1/component_versions_in_recent_pe_releases.html
+# https://puppet.com/misc/puppet-enterprise-lifecycle
+# https://puppet.com/docs/pe/2018.1/overview/getting_support_for_pe.html
+# ==============================================================================
+#
+# https://docs.github.com/en/actions/reference/events-that-trigger-workflows
+#
+
+name: PR Tests
+on:
+  push:
+    branches:
+      # A test branch for seeing if your tests will pass in your personal fork
+      - test_me_github
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+env:
+  PUPPET_VERSION: '~> 6'
+
+jobs:
+  ruby-style:
+    if: false # TODO Modules will need: rubocop in Gemfile, .rubocop.yml
+    name: 'Ruby Style (experimental)'
+    runs-on: ubuntu-18.04
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v2
+      - name: "Install Ruby ${{matrix.puppet.ruby_version}}"
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 2.5
+          bundler-cache: true
+      - run: |
+          bundle show
+          bundle exec rake rubocop
+
+  spec-tests:
+    name: 'Spec'
+    runs-on: ubuntu-18.04
+    strategy:
+      matrix:
+        puppet:
+          - label: 'Puppet 6.18 [SIMP 6.5/PE 2019.8]'
+            puppet_version: '~> 6.18.0'
+            ruby_version: '2.5'
+          - label: 'Puppet 5.5 [SIMP 6.4/PE 2018.1]'
+            puppet_version: '~> 5.5.22'
+            ruby_version: '2.4'
+          - label: 'Puppet 7.x'
+            puppet_version: '~> 7.0'
+            ruby_version: '2.7'
+    env:
+      PUPPET_VERSION: '${{matrix.puppet.puppet_version}}'
+    steps:
+      - uses: actions/checkout@v2
+      - name: 'Install Ruby ${{matrix.puppet.ruby_version}}'
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{matrix.puppet.ruby_version}}
+          bundler-cache: true
+      - run: 'command -v rpm || if command -v apt-get; then sudo apt-get update; sudo apt-get install -y rpm; fi ||:'
+      - run: 'bundle exec rake spec'
+
+#  dump_contexts:
+#    name: 'Examine Context contents'
+#    runs-on: ubuntu-16.04
+#    steps:
+#      - name: Dump contexts
+#        env:
+#          GITHUB_CONTEXT: ${{ toJson(github) }}
+#        run: echo "$GITHUB_CONTEXT"
+#

data/.gitlab-ci.yml

@@ -312,6 +312,18 @@ pup7.x-pkg:
 
 #=======================================================================
 # Acceptance tests
+
+# Verify a suite fails when an explicitly-specified nodeset does not exist.
+# It is significantly quicker to test here (where rvm is already installed
+# and the bundle is configured with this version of simp-beaker-helpers)
+# than in an acceptance test with a build user.
+default-bad-nodeset:
+  <<: *pup_6_x
+  <<: *acceptance_base
+  script:
+    - 'RESULT=`bundle exec rake beaker:suites[default,oops] 1>/dev/null; echo $?`; (test $RESULT == "1")'
+    - echo 'beaker:suites correctly failed with unknown nodeset'
+
 default:
   <<: *pup_6_x
   <<: *acceptance_base
@@ -348,9 +360,16 @@ puppet7_collections:
   script:
     - bundle exec rake beaker:suites[puppet_collections]
 
+oel_ssg:
+  <<: *pup_6_x
+  <<: *acceptance_base
+  script:
+    - bundle exec rake beaker:suites[ssg,oel]
+
 windows:
   <<: *pup_6_x
   <<: *acceptance_base
+  allow_failure: true
   script:
     - bundle exec rake beaker:suites[windows]
 

data/CHANGELOG.md

@@ -1,3 +1,37 @@
+### 1.23.4 / 2021-07-07
+* Fixed:
+  * Ensure that the openscap-scanner package is installed during SSG runs
+* Added:
+  * A function to fetch the available SSG profiles on a target system
+* Changed:
+  * Added OEL nodeset
+
+### 1.23.3 / 2021-06-30
+* Fixed:
+  * Removed the Streams kernel update for EL 8.3 since it now causes issues
+  * Use `pfact_on` to select the interface facts to fix Puppet 7 issues
+
+### 1.23.2 / 2021-05-29
+* Fixed:
+  * Fail an acceptance test when an explicitly-specified nodeset for an
+    acceptance test suite does not exist and the suite is configured
+    to fail fast (default behavior).
+  * The usual way of registering RHEL systems had to be changed to activate
+    immediately when called to function properly.
+
+### 1.23.1 / 2021-05-19
+* Fixed:
+  * The SSG default branch is now the latest numeric tag instead of the one
+    closest to the head of the default branch. The tag closest to the default
+    branch has drifted over time.
+  * Removed direct call to `docker` when copying out inspec results
+  * Typos in `copy_in` when running against docker
+* Added:
+  * `Simp::BeakerHelpers::Inspec.enable_repo_on(suts)` to allow users to easily
+    enable the Chef repos for inspec
+  * Beaker tests for inspec and SSG basic functionality
+  * GitHub Actions for acceptance testing where possible
+
 ### 1.23.0 / 2021-03-16
 * Added:
   * For `podman` support:

data/lib/simp/beaker_helpers.rb

@@ -193,7 +193,7 @@ module Simp::BeakerHelpers
       else
         cmd = [
           %{tar #{exclude_list.join(' ')} -hcf - -C "#{File.dirname(src)}" "#{File.basename(src)}"},
-          %{#{docker_cmd} exec -i "#{container_id}" tar -C "#{File.dirname(dest)}" -xf -)}
+          %{#{docker_cmd} exec -i "#{container_id}" tar -C "#{dest}" -xf -}
         ].join(' | ')
       end
 
@@ -248,7 +248,7 @@ module Simp::BeakerHelpers
       rescue StandardError
         # If *anything* fails, we need to fall back to `puppet facts`
 
-        facts_json = on(sut, 'puppet facts find garbage_xxx', :silent => true).stdout
+        facts_json = retry_on(sut, 'puppet facts find garbage_xxx', :silent => true, :max_retries => 4).stdout
         facts = JSON.parse(facts_json)['values']
       end
 
@@ -539,7 +539,7 @@ module Simp::BeakerHelpers
     block_on(suts, :run_in_parallel => parallel) do |sut|
       if sut['yum_repos']
         sut['yum_repos'].each_pair do |repo, metadata|
-          repo_manifest = create_yum_resource( repo, metadata)
+          repo_manifest = create_yum_resource(repo, metadata)
 
           apply_manifest_on(sut, repo_manifest, :catch_failures => true)
         end
@@ -672,6 +672,9 @@ module Simp::BeakerHelpers
   def linux_errata( suts )
     parallel = (ENV['BEAKER_SIMP_parallel'] == 'yes')
     block_on(suts, :run_in_parallel => parallel) do |sut|
+      # Set the locale if not set
+      sut.set_env_var('LANG', 'en_US.UTF-8') unless sut.get_env_var('LANG')
+
       # We need to be able to flip between server and client without issue
       on sut, 'puppet resource group puppet gid=52'
       on sut, 'puppet resource user puppet comment="Puppet" gid="52" uid="52" home="/var/lib/puppet" managehome=true'
@@ -747,11 +750,9 @@ module Simp::BeakerHelpers
       if os_info['family'] == 'RedHat'
         # OS-specific items
         if os_info['name'] == 'RedHat'
-          RSpec.configure do |c|
-            c.before(:all) do
-              rhel_rhsm_subscribe(sut)
-            end
+          rhel_rhsm_subscribe(sut)
 
+          RSpec.configure do |c|
             c.after(:all) do
               rhel_rhsm_unsubscribe(sut)
             end
@@ -770,15 +771,6 @@ module Simp::BeakerHelpers
             apply_manifest_on(sut, pp, :catch_failures => false)
           end
 
-          unless sut[:hypervisor] == 'docker'
-            if (os_info['name'] == 'CentOS') && (os_info['release']['major'].to_i >= 8)
-              if os_info['release']['minor'].to_i == 3
-                update_package_from_centos_stream(sut, 'kernel')
-                sut.reboot
-              end
-            end
-          end
-
           # Clean up YUM prior to starting our test runs.
           on(sut, 'yum clean all')
         end
@@ -1095,13 +1087,13 @@ module Simp::BeakerHelpers
         next
       end
 
-      interfaces_fact = retry_on(host,'facter interfaces', verbose: true).stdout
+      interfaces_fact = pfact_on(host, 'interfaces')
 
       interfaces = interfaces_fact.strip.split(',')
       interfaces.delete_if { |x| x =~ /^lo/ }
 
       interfaces.each do |iface|
-        if fact_on(host, "ipaddress_#{iface}").strip.empty?
+        if pfact_on(host, "ipaddress_#{iface}")
           on(host, "ifup #{iface}", :accept_all_exit_codes => true)
         end
       end

data/lib/simp/beaker_helpers/inspec.rb

@@ -10,6 +10,21 @@ module Simp::BeakerHelpers
     attr_reader :profile_dir
     attr_reader :deps_root
 
+    def self.enable_repo_on(suts)
+      parallel = (ENV['BEAKER_SIMP_parallel'] == 'yes')
+      block_on(suts, :run_in_parallel => parallel) do |sut|
+        repo_manifest = create_yum_resource(
+          'chef-current',
+          {
+            :baseurl => "https://packages.chef.io/repos/yum/current/el/#{fact_on(sut,'os.release.major')}/$basearch",
+            :gpgkeys => ['https://packages.chef.io/chef.asc']
+          }
+        )
+
+        apply_manifest_on(sut, repo_manifest, :catch_failures => true)
+      end
+    end
+
     # Create a new Inspec helper for the specified host against the specified profile
     #
     # @param sut
@@ -81,18 +96,7 @@ module Simp::BeakerHelpers
       tmpdir = Dir.mktmpdir
       begin
         Dir.chdir(tmpdir) do
-          if @sut[:hypervisor] == 'docker'
-            # Work around for breaking changes in beaker-docker
-            if @sut.host_hash[:docker_container]
-              container_id = @sut.host_hash[:docker_container].id
-            else
-              container_id = @sut.host_hash[:docker_container_id]
-            end
-
-            %x(docker cp "#{container_id}:#{sut_inspec_results}" .)
-          else
-            scp_from(@sut, sut_inspec_results, '.')
-          end
+          scp_from(@sut, sut_inspec_results, '.')
 
           local_inspec_results = File.basename(sut_inspec_results)
 

data/lib/simp/beaker_helpers/ssg.rb

@@ -12,38 +12,42 @@ module Simp::BeakerHelpers
       GIT_REPO = 'https://github.com/ComplianceAsCode/content.git'
     end
 
-    # If this is not set, the closest tag to the default branch will be used
+    # If this is not set, the highest numeric tag will be used
     GIT_BRANCH = nil
 
     if ENV['BEAKER_ssg_branch']
       GIT_BRANCH = ENV['BEAKER_ssg_branch']
     end
 
-    EL_PACKAGES = [
+    EL7_PACKAGES = [
       'PyYAML',
       'cmake',
       'git',
+      'openscap-scanner',
       'openscap-python',
       'openscap-utils',
-      'python-lxml',
-      'python-jinja2'
+      'python-jinja2',
+      'python-lxml'
     ]
 
     EL8_PACKAGES = [
-      'python3',
-      'python3-pyyaml',
       'cmake',
       'git',
+      'make',
       'openscap-python3',
       'openscap-utils',
+      'openscap-scanner',
+      'python3',
+      'python3-jinja2',
       'python3-lxml',
-      'python3-jinja2'
+      'python3-pyyaml',
+      'libarchive'
     ]
 
     OS_INFO = {
       'RedHat' => {
         '6' => {
-          'required_packages' => EL_PACKAGES,
+          'required_packages' => EL7_PACKAGES,
           'ssg' => {
             'profile_target' => 'rhel6',
             'build_target'   => 'rhel6',
@@ -51,7 +55,7 @@ module Simp::BeakerHelpers
           }
         },
         '7' => {
-          'required_packages' => EL_PACKAGES,
+          'required_packages' => EL7_PACKAGES,
           'ssg' => {
             'profile_target' => 'rhel7',
             'build_target'   => 'rhel7',
@@ -69,7 +73,7 @@ module Simp::BeakerHelpers
       },
       'CentOS' => {
         '6' => {
-          'required_packages' => EL_PACKAGES,
+          'required_packages' => EL7_PACKAGES,
           'ssg' => {
             'profile_target' => 'rhel6',
             'build_target'   => 'centos6',
@@ -77,7 +81,7 @@ module Simp::BeakerHelpers
           }
         },
         '7' => {
-          'required_packages' => EL_PACKAGES,
+          'required_packages' => EL7_PACKAGES,
           'ssg' => {
             'profile_target' => 'centos7',
             'build_target'   => 'centos7',
@@ -93,14 +97,25 @@ module Simp::BeakerHelpers
           }
         }
       },
+      'Rocky' => {
+        '8' => {
+          'required_packages' => EL8_PACKAGES,
+          'ssg' => {
+            'profile_target' => 'centos8',
+            'build_target'   => 'centos8',
+            'datastream'     => 'ssg-centos8-ds.xml'
+          }
+        }
+      },
       'OracleLinux' => {
         '7' => {
-          'required_packages' => EL_PACKAGES,
+          'required_packages' => EL7_PACKAGES,
           'ssg' => {
             'profile_target' => 'ol7',
             'build_target'   => 'ol7',
             'datastream'     => 'ssg-ol7-ds.xml'
           },
+        },
         '8' => {
           'required_packages' => EL8_PACKAGES,
           'ssg' => {
@@ -109,7 +124,6 @@ module Simp::BeakerHelpers
             'datastream'     => 'ssg-ol8-ds.xml'
           }
         }
-        }
       }
     }
 
@@ -123,8 +137,8 @@ module Simp::BeakerHelpers
     def initialize(sut)
       @sut = sut
 
-      @os = fact_on(@sut, 'operatingsystem')
-      @os_rel = fact_on(@sut, 'operatingsystemmajrelease')
+      @os = pfact_on(@sut, 'os.name')
+      @os_rel = pfact_on(@sut, 'os.release.major')
 
       sut.mkdir_p('scap_working_dir')
 
@@ -135,7 +149,7 @@ module Simp::BeakerHelpers
       end
 
       OS_INFO[@os][@os_rel]['required_packages'].each do |pkg|
-        @sut.install_package(pkg)
+        install_latest_package_on(@sut, pkg)
       end
 
       @output_dir = File.absolute_path('sec_results/ssg')
@@ -146,7 +160,6 @@ module Simp::BeakerHelpers
 
       @result_file = "#{@sut.hostname}-ssg-#{Time.now.to_i}"
 
-
       get_ssg_datastream
     end
 
@@ -154,6 +167,15 @@ module Simp::BeakerHelpers
       OS_INFO[@os][@os_rel]['ssg']['profile_target']
     end
 
+    def get_profiles
+      cmd = "cd #{@scap_working_dir}; oscap info --profiles"
+      on(@sut, "#{cmd} #{OS_INFO[@os][@os_rel]['ssg']['datastream']}")
+        .stdout
+        .strip
+        .lines
+        .map{|x| x.split(':').first}
+    end
+
     def remediate(profile)
       evaluate(profile, true)
     end
@@ -165,7 +187,7 @@ module Simp::BeakerHelpers
         cmd += ' --remediate'
       end
 
-      cmd += %( --fetch-remote-resources --profile #{profile} --results #{@result_file}.xml --report #{@result_file}.html #{OS_INFO[@os][@os_rel]['ssg']['datastream']})
+      cmd += %( --profile #{profile} --results #{@result_file}.xml --report #{@result_file}.html #{OS_INFO[@os][@os_rel]['ssg']['datastream']})
 
       # We accept all exit codes here because there have occasionally been
       # failures in the SSG content and we're not testing that.
@@ -265,7 +287,7 @@ module Simp::BeakerHelpers
             "contains(@idref,'#{exl}')"
           end.join(' or ')
 
-          xpath_query << ')' if exclusions.size > 1
+          xpath_query << ')' if exclusions.size > 0
         end
 
         xpath_query << ')]'
@@ -383,7 +405,12 @@ module Simp::BeakerHelpers
         if GIT_BRANCH
           on(@sut, %(cd scap-content; git checkout #{GIT_BRANCH}))
         else
-          on(@sut, %(cd scap-content; git checkout $(git describe --abbrev=0 --tags)))
+          tags = on(@sut, %(cd scap-content; git tag -l)).output
+          target_tag = tags.lines.map(&:strip)
+            .select{|x| x.start_with?(/v\d+\./)}
+            .sort.last
+
+          on(@sut, %(cd scap-content; git checkout #{target_tag}))
         end
 
         # Work around the issue where the profiles now strip out derivative

data/lib/simp/beaker_helpers/version.rb

@@ -1,5 +1,5 @@
 module Simp; end
 
 module Simp::BeakerHelpers
-  VERSION = '1.23.0'
+  VERSION = '1.23.4'
 end

data/lib/simp/rake/beaker.rb

@@ -226,8 +226,14 @@ module Simp::Rake
 
             nodesets.each do |nodeset_yml|
               unless File.file?(nodeset_yml)
-                $stdout.puts("=== Suite #{name} Nodeset '#{File.basename(nodeset_yml, '.yml')}' Not Found, Skipping ===")
-                next
+                # Get here if user has specified a non-existent nodeset or the
+                # implied `default` nodeset does not exist.
+                if suite_config['fail_fast']
+                  fail("*** Suite #{name} Nodeset '#{File.basename(nodeset_yml, '.yml')}' Not Found ***")
+                else
+                  $stdout.puts("=== Suite #{name} Nodeset '#{File.basename(nodeset_yml, '.yml')}' Not Found, Skipping ===")
+                  next
+                end
               end
 
               ENV['BEAKER_setfile'] = nodeset_yml

data/spec/acceptance/nodesets/default.yml

@@ -18,7 +18,7 @@ HOSTS:
     roles:
       - el8
     platform: el-8-x86_64
-    box: centos/8
+    box: generic/centos8
     hypervisor: <%= hypervisor %>
 
   el8-0:
@@ -33,6 +33,7 @@ CONFIG:
   log_level: verbose
   type: aio
   vagrant_memsize: 256
+  vagrant_cpus: 2
 <% if ENV['BEAKER_PUPPET_COLLECTION'] -%>
   puppet_collection: <%= ENV['BEAKER_PUPPET_COLLECTION'] %>
 <% end -%>

data/spec/acceptance/nodesets/docker.yml

@@ -21,28 +21,6 @@ CONFIG:
   type: aio
 <% if ENV['BEAKER_PUPPET_ENVIRONMENT'] -%>
   puppet_environment: <%= ENV['BEAKER_PUPPET_ENVIRONMENT'] %>
-<% end -%>
-  # This is necessary for pretty much all containers
-  docker_cap_add:
-    - AUDIT_WRITE
-<%
-  require 'docker-api'
-  unless ::Docker.podman?
--%>
-  # All items below this point are required for systemd
-  mount_folders:
-    cgroup:
-      host_path: /sys/fs/cgroup
-      container_path: /sys/fs/cgroup
-      opts: 'ro'
-  dockeropts:
-    HostConfig:
-      Tmpfs:
-        '/run': 'rw,noexec,nosuid,nodev,size=65536k'
-        '/run/lock': 'rw,noexec,nosuid,nodev,size=65536k'
-        '/tmp': 'rw,exec,nosuid,nodev,size=65536k'
-        '/sys/fs/cgroup/systemd': 'rw,size=65536k'
-        '/var/log/journal': 'rw,noexec,nodev,nosuid,size=65536k'
 <% end -%>
   ssh:
     password: root

data/spec/acceptance/nodesets/oel.yml

@@ -0,0 +1,42 @@
+<%
+  if ENV['BEAKER_HYPERVISOR']
+    hypervisor = ENV['BEAKER_HYPERVISOR']
+  else
+    hypervisor = 'vagrant'
+  end
+-%>
+HOSTS:
+  oel7:
+    roles:
+      - el7
+      - master
+    platform: el-7-x86_64
+    box: generic/oracle7
+    hypervisor: <%= hypervisor %>
+
+  oel8:
+    roles:
+      - el8
+    platform: el-8-x86_64
+    box: generic/oracle8
+    hypervisor: <%= hypervisor %>
+
+CONFIG:
+  log_level: verbose
+  type: aio
+  vagrant_memsize: 512
+  vagrant_cpus: 2
+<% if ENV['BEAKER_PUPPET_COLLECTION'] -%>
+  puppet_collection: <%= ENV['BEAKER_PUPPET_COLLECTION'] %>
+<% end -%>
+  ssh:
+    keepalive: true
+    keepalive_interval: 10
+    host_key:
+      - <%= Net::SSH::Transport::Algorithms::ALGORITHMS[:host_key].join("\n#{' '*6}- ") %>
+    kex:
+      - <%= Net::SSH::Transport::Algorithms::ALGORITHMS[:kex].join("\n#{' '*6}- ") %>
+    encryption:
+      - <%= Net::SSH::Transport::Algorithms::ALGORITHMS[:encryption].join("\n#{' '*6}- ") %>
+    hmac:
+      - <%= Net::SSH::Transport::Algorithms::ALGORITHMS[:hmac].join("\n#{' '*6}- ") %>

data/spec/acceptance/suites/default/enable_fips_spec.rb

@@ -9,13 +9,15 @@ hosts.each do |host|
         end
 
         it 'has fips enabled' do
-          stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
-          expect(stdout).to eq('1')
+          if host[:hypervisor] == 'docker'
+            skip('Not supported on docker')
+          else
+            expect(fips_enabled(host)).to be true
+          end
         end
       else
         it 'has fips disabled' do
-          stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
-          expect(stdout).to eq('0')
+          expect(fips_enabled(host)).to be false
         end
       end
     end

data/spec/acceptance/suites/fips_from_fixtures/00_default_spec.rb

@@ -55,12 +55,19 @@ describe 'FIPS pre-installed' do
   hosts.each do |host|
     context "on #{host}" do
       it 'does not create an alternate apply directory' do
-        on(host, 'test ! -d /root/.beaker_fips/modules')
+        if host[:hypervisor] == 'docker'
+          skip('Not supported on docker')
+        else
+          on(host, 'test ! -d /root/.beaker_fips/modules')
+        end
       end
 
       it 'has fips enabled' do
-        stdout = on(host, 'cat /proc/sys/crypto/fips_enabled').stdout.strip
-        expect(stdout).to eq('1')
+        if host[:hypervisor] == 'docker'
+          skip('Not supported on docker')
+        else
+          expect(fips_enabled(host)).to be true
+        end
       end
     end
   end

data/spec/acceptance/suites/inspec/00_default_spec.rb

@@ -0,0 +1,54 @@
+require 'spec_helper_acceptance'
+require 'json'
+
+test_name 'Inspec STIG Profile'
+
+describe 'Inspec STIG Profile' do
+
+  profiles_to_validate = ['disa_stig']
+
+  hosts.each do |host|
+    profiles_to_validate.each do |profile|
+      context "for profile #{profile}" do
+        context "on #{host}" do
+          profile_path = File.join(
+              fixtures_path,
+              'inspec_profiles',
+              "#{fact_on(host, 'operatingsystem')}-#{fact_on(host, 'operatingsystemmajrelease')}-#{profile}"
+            )
+
+          unless File.exist?(profile_path)
+            it 'should run inspec' do
+              skip("No matching profile available at #{profile_path}")
+            end
+          else
+            before(:all) do
+              Simp::BeakerHelpers::Inspec.enable_repo_on(hosts)
+              @inspec = Simp::BeakerHelpers::Inspec.new(host, profile)
+
+              # If we don't do this, the variable gets reset
+              @inspec_report = { :data => nil }
+            end
+
+            it 'should run inspec' do
+              @inspec.run
+            end
+
+            it 'should have an inspec report' do
+              @inspec_report[:data] = @inspec.process_inspec_results
+
+              expect(@inspec_report[:data]).to_not be_nil
+
+              @inspec.write_report(@inspec_report[:data])
+            end
+
+            it 'should have a report' do
+              expect(@inspec_report[:data][:report]).to_not be_nil
+              puts @inspec_report[:data][:report]
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/spec/acceptance/suites/inspec/metadata.yml

@@ -0,0 +1,2 @@
+---
+'default_run': true

data/spec/acceptance/suites/inspec/nodesets

@@ -0,0 +1 @@
+spec/acceptance/suites/inspec/../../nodesets

data/spec/acceptance/suites/puppet_collections/00_default_spec.rb

@@ -13,7 +13,7 @@ end
 hosts.each do |host|
   describe 'make sure puppet version is valid' do
     context "on #{host}" do
-      client_puppet_version = on(host, 'puppet --version').output.strip
+      client_puppet_version = on(host, 'puppet --version').output.lines.last.strip
 
       it "should be running puppet version #{target_version}" do
         expect(Gem::Version.new(client_puppet_version)).to be >= Gem::Version.new(target_version)

data/spec/acceptance/suites/ssg/00_default_spec.rb

@@ -0,0 +1,47 @@
+require 'spec_helper_acceptance'
+
+test_name 'SSG Functionality Validation'
+
+describe 'run the SSG against an SCAP profile' do
+
+  hosts.each do |host|
+    context "on #{host}" do
+      before(:all) do
+        @ssg = Simp::BeakerHelpers::SSG.new(host)
+
+        # If we don't do this, the variable gets reset
+        @ssg_report = { :data => nil }
+      end
+
+      it 'should run the SSG' do
+        profiles = @ssg.get_profiles
+
+        profile = profiles.find{|x| x =~ /_stig/} ||
+          profiles.find{|x| x =~ /_cui/} ||
+          profiles.find{|x| x =~ /_ospp/} ||
+          profiles.find{|x| x =~ /_standard/} ||
+          profiles.last
+
+        expect(profile).not_to be_nil
+        @ssg.evaluate(profile)
+      end
+
+      it 'should have an SSG report' do
+        # Validate that the filter works
+        filter = '_rule_audit'
+        host_exclusions = ['ssh_']
+
+        @ssg_report[:data] = @ssg.process_ssg_results(filter, host_exclusions)
+
+        expect(@ssg_report[:data]).to_not be_nil
+
+        @ssg.write_report(@ssg_report[:data])
+      end
+
+      it 'should have a report' do
+        expect(@ssg_report[:data][:report]).to_not be_nil
+        puts @ssg_report[:data][:report]
+      end
+    end
+  end
+end

data/spec/acceptance/suites/ssg/metadata.yml

@@ -0,0 +1,2 @@
+---
+'default_run': true

data/spec/acceptance/suites/ssg/nodesets

@@ -0,0 +1 @@
+spec/acceptance/suites/ssg/../../nodesets

data/spec/fixtures/inspec_profiles/CentOS-7-disa_stig

@@ -0,0 +1 @@
+spec/fixtures/inspec_profiles/RedHat-7-disa_stig

data/spec/fixtures/inspec_profiles/CentOS-8-disa_stig

@@ -0,0 +1 @@
+spec/fixtures/inspec_profiles/RedHat-8-disa_stig

data/spec/fixtures/inspec_profiles/RedHat-7-disa_stig/controls/00_Control_Selector.rb

@@ -0,0 +1,45 @@
+skips = {
+  'V-72209' => 'Cannot guarantee a remote syslog server during test'
+}
+overrides = [ 'V-72091' ]
+subsystems = []
+
+require_controls 'disa_stig-el7-baseline' do
+  skips.each_pair do |ctrl, reason|
+    control ctrl do
+      describe "Skip #{ctrl}" do
+        skip "Reason: #{skips[ctrl]}" do
+        end
+      end
+    end
+  end
+
+  @conf['profile'].info[:controls].each do |ctrl|
+    next if (overrides + skips.keys).include?(ctrl[:id])
+
+    if subsystems.empty?
+      control ctrl[:id]
+    else
+      tags = ctrl[:tags]
+      if tags && tags[:subsystems]
+        subsystems.each do |subsystem|
+          if tags[:subsystems].include?(subsystem)
+            control ctrl[:id]
+          end
+        end
+      end
+    end
+  end
+
+  ## Overrides ##
+
+  # There's no email server to send anything to by default so syslog is a safer
+  # default for processing.
+  control 'V-72091' do
+    overrides << self.to_s
+
+    describe auditd_conf do
+      its('space_left_action.downcase') { should cmp 'syslog' }
+    end
+  end
+end

data/spec/fixtures/inspec_profiles/RedHat-7-disa_stig/inspec.yml

@@ -0,0 +1,14 @@
+name: EL7 STIG
+title: STIG for EL 7
+supports:
+  - os-family: redhat
+maintainer: SIMP Team
+copyright: Onyx Point, Inc.
+copyright_email: simp@onyxpoint.com
+license: Apache-2.0
+summary: |
+  A collection of InSpec tests
+version: 0.0.1
+depends:
+  - name: disa_stig-el7-baseline
+    path: ../../inspec_deps/inspec_profiles/profiles/disa_stig-el7-baseline

data/spec/fixtures/inspec_profiles/RedHat-8-disa_stig/controls/00_Control_Selector.rb

@@ -0,0 +1,45 @@
+skips = {
+  'V-72209' => 'Cannot guarantee a remote syslog server during test'
+}
+overrides = [ 'V-72091' ]
+subsystems = []
+
+require_controls 'disa_stig-el8-baseline' do
+  skips.each_pair do |ctrl, reason|
+    control ctrl do
+      describe "Skip #{ctrl}" do
+        skip "Reason: #{skips[ctrl]}" do
+        end
+      end
+    end
+  end
+
+  @conf['profile'].info[:controls].each do |ctrl|
+    next if (overrides + skips.keys).include?(ctrl[:id])
+
+    if subsystems.empty?
+      control ctrl[:id]
+    else
+      tags = ctrl[:tags]
+      if tags && tags[:subsystems]
+        subsystems.each do |subsystem|
+          if tags[:subsystems].include?(subsystem)
+            control ctrl[:id]
+          end
+        end
+      end
+    end
+  end
+
+  ## Overrides ##
+
+  # There's no email server to send anything to by default so syslog is a safer
+  # default for processing.
+  control 'V-72091' do
+    overrides << self.to_s
+
+    describe auditd_conf do
+      its('space_left_action.downcase') { should cmp 'syslog' }
+    end
+  end
+end

data/spec/fixtures/inspec_profiles/RedHat-8-disa_stig/inspec.yml

@@ -0,0 +1,14 @@
+name: EL8 STIG
+title: STIG for EL 8
+supports:
+  - os-family: redhat
+maintainer: SIMP Team
+copyright: Onyx Point, Inc.
+copyright_email: simp@onyxpoint.com
+license: Apache-2.0
+summary: |
+  A collection of InSpec tests
+version: 0.0.1
+depends:
+  - name: disa_stig-el8-baseline
+    path: ../../inspec_deps/inspec_profiles/profiles/disa_stig-el8-baseline

data/spec/lib/simp/beaker_helpers_spec.rb

@@ -113,10 +113,8 @@ describe 'Simp::BeakerHelpers' do
       end
       pipe_in.close
 
-      expected_version = pipe_out.gets
-      expected_major_version = expected_version.split('.').first
+      expected_major_version = pipe_out.gets.split('.').first
 
-      expect( @helper.get_puppet_install_info[:puppet_install_version] ).to match(expected_version)
       expect( @helper.get_puppet_install_info[:puppet_collection] ).to eq("puppet#{expected_major_version}")
       expect( @helper.get_puppet_install_info[:puppet_install_type] ).to eq('agent')
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: simp-beaker-helpers
 version: !ruby/object:Gem::Version
-  version: 1.23.0
+  version: 1.23.4
 platform: ruby
 authors:
 - Chris Tessmer
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-05-04 00:00:00.000000000 Z
+date: 2021-07-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: beaker
@@ -190,9 +190,11 @@ files:
 - ".fips_fixtures"
 - ".fixtures.yml"
 - ".github/workflows.local.json"
+- ".github/workflows/pr_acceptance.yml"
 - ".github/workflows/pr_glci.yml"
 - ".github/workflows/pr_glci_cleanup.yml"
 - ".github/workflows/pr_glci_manual.yml"
+- ".github/workflows/pr_tests.yml"
 - ".github/workflows/tag_deploy_rubygem.yml"
 - ".gitignore"
 - ".gitlab-ci.yml"
@@ -219,6 +221,7 @@ files:
 - simp-beaker-helpers.gemspec
 - spec/acceptance/nodesets/default.yml
 - spec/acceptance/nodesets/docker.yml
+- spec/acceptance/nodesets/oel.yml
 - spec/acceptance/nodesets/ubuntu.yml
 - spec/acceptance/suites/default/check_puppet_version_spec.rb
 - spec/acceptance/suites/default/enable_fips_spec.rb
@@ -231,6 +234,9 @@ files:
 - spec/acceptance/suites/fips_from_fixtures/00_default_spec.rb
 - spec/acceptance/suites/fips_from_fixtures/metadata.yml
 - spec/acceptance/suites/fips_from_fixtures/nodesets
+- spec/acceptance/suites/inspec/00_default_spec.rb
+- spec/acceptance/suites/inspec/metadata.yml
+- spec/acceptance/suites/inspec/nodesets
 - spec/acceptance/suites/offline/00_default_spec.rb
 - spec/acceptance/suites/offline/README
 - spec/acceptance/suites/offline/nodesets/default.yml
@@ -239,11 +245,20 @@ files:
 - spec/acceptance/suites/snapshot/00_snapshot_test_spec.rb
 - spec/acceptance/suites/snapshot/10_general_usage_spec.rb
 - spec/acceptance/suites/snapshot/nodesets
+- spec/acceptance/suites/ssg/00_default_spec.rb
+- spec/acceptance/suites/ssg/metadata.yml
+- spec/acceptance/suites/ssg/nodesets
 - spec/acceptance/suites/windows/00_default_spec.rb
 - spec/acceptance/suites/windows/metadata.yml
 - spec/acceptance/suites/windows/nodesets/default.yml
 - spec/acceptance/suites/windows/nodesets/win2016.yml
 - spec/acceptance/suites/windows/nodesets/win2019.yml
+- spec/fixtures/inspec_profiles/CentOS-7-disa_stig
+- spec/fixtures/inspec_profiles/CentOS-8-disa_stig
+- spec/fixtures/inspec_profiles/RedHat-7-disa_stig/controls/00_Control_Selector.rb
+- spec/fixtures/inspec_profiles/RedHat-7-disa_stig/inspec.yml
+- spec/fixtures/inspec_profiles/RedHat-8-disa_stig/controls/00_Control_Selector.rb
+- spec/fixtures/inspec_profiles/RedHat-8-disa_stig/inspec.yml
 - spec/lib/simp/beaker_helpers_spec.rb
 - spec/spec_helper.rb
 - spec/spec_helper_acceptance.rb