simp-beaker-helpers 1.7.3 → 1.7.4
- checksums.yaml +4 -4
- data/.travis.yml +31 -7
- data/files/puppet-agent-versions.yaml +5 -0
- data/lib/simp/beaker_helpers.rb +8 -2
- data/lib/simp/beaker_helpers/inspec.rb +169 -0
- data/lib/simp/beaker_helpers/ssg.rb +133 -0
- data/lib/simp/beaker_helpers/version.rb +1 -1
- data/lib/simp/rake/beaker.rb +1 -0
- metadata +6 -11
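--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6a1a9c3f3df01d3c9a497cb8eb9d0172405fdc6c
+data.tar.gz: b9466a65c5077ccacc5777c6ae45779450496fa2
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3c860415c95d94cc9cade8a86d4c44bedd99c8290f048cba7abb398ee3ab07aae9d7aec03b161ad9bfb509e322cbeee721533abdb8e8658fb75f026201adcfed
+data.tar.gz: 0a4253533c535ac4959ba68a317e8695a165a116d72f2a3c1c33abc42d4cd4d322408b76c261d983ea4c8a46b943d3e62d0aab1160abed36baa16f3b5be1555b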
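--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -1,15 +1,39 @@
 ---
 language: ruby
 cache: bundler
-
+sudo: false
+before_install:
+- rm Gemfile.lock || true
+bundler_args: "--without development --path .vendor"
+notifications:
+email: false
 rvm:
 - 2.1.9
-
+- 2.3.3
 env:
 - SIMP_SKIP_NON_SIMPOS_TESTS=1
-
-
 script:
--
-
-
+- bundle exec rake spec
+matrix:
+fast_finish: true
+before_deploy:
+- bundle exec rake clobber
+- "export GEM_VERSION=`ruby -r ./lib/simp/beaker_helpers/version.rb -e 'puts Simp::BeakerHelpers::VERSION'`"
+- '[[ $TRAVIS_TAG =~ ^${GEM_VERSION}$ ]]'
+deploy:
+- provider: rubygems
+gemspec: simp-beaker-helpers.gemspec
+gem: simp-beaker-helpers
+api_key:
+secure: "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"
+on:
+tags: true
+rvm: 2.1.9
+condition: "($SKIP_PUBLISH != true)"
+- provider: releases
+api_key:
+secure: "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"
+on:
+tags: true
+rvm: 2.1.9
+condition: "($SKIP_PUBLISH != true)"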
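Review bot: The release gate `[[ $TRAVIS_TAG =~ ^${GEM_VERSION}$ ]]` in `before_deploy` expands the version into a regular expression, so each dot in the version matches any character and a tag that only resembles the version still passes and triggers the RubyGems and releases deploys. A literal comparison is stricter: `'[[ "$TRAVIS_TAG" == "$GEM_VERSION" ]]'`. In `before_install`, `rm Gemfile.lock || true` hides every failure of `rm`; `rm -f Gemfile.lock` ignores only a missing file.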
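--- a/data/lib/simp/beaker_helpers.rb
+++ b/data/lib/simp/beaker_helpers.rb
@@ -2,7 +2,14 @@ module Simp; end
 
 module Simp::BeakerHelpers
 require 'simp/beaker_helpers/version'
-
+require 'simp/beaker_helpers/inspec'
+require 'simp/beaker_helpers/ssg'
+
+# This is the *oldest* version that the latest release of SIMP supports
+#
+# This is done so that we know if some new thing that we're using breaks the
+# oldest system that we support.
+DEFAULT_PUPPET_AGENT_VERSION = '1.7.1'
 
 # use the `puppet fact` face to look up facts on an SUT
 def pfact_on(sut, fact_name)
@@ -596,5 +603,4 @@ done
 require 'beaker/puppet_install_helper'
 run_puppet_install_helper(puppet_install_type, puppet_agent_version)
 end
-
 end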
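--- a/data/lib/simp/beaker_helpers/inspec.rb
+++ b/data/lib/simp/beaker_helpers/inspec.rb
@@ -0,0 +1,169 @@
+module Simp::BeakerHelpers
+
+# Helpers for working with Inspec
+class Inspec
+# Create a new Inspec helper for the specified host against the specified profile
+#
+# @param sut
+# The SUT against which to run
+#
+# @param profile
+# The name of the profile against which to run
+#
+def initialize(sut, profile)
+@sut = sut
+
+@sut.install_package('inspec')
+
+@sut_profile_dir = '/tmp/inspec_tests'
+
+output_dir = File.absolute_path('sec_results/inspec')
+
+unless File.directory?(output_dir)
+FileUtils.mkdir_p(output_dir)
+end
+
+inspec_fixtures = File.join(fixtures_path, 'inspec_profiles')
+os = fact_on(@sut, 'operatingsystem')
+os_rel = fact_on(@sut, 'operatingsystemmajrelease')
+
+@inspec_result_file = File.join(output_dir, "#{@sut.hostname}-inspec-#{Time.now.to_i}")
+
+scp_to(@sut, File.join(inspec_fixtures, "#{os}-#{os_rel}-#{profile}"), @sut_profile_dir)
+
+# The results of the inspec scan in Hash form
+@inspec_results = {}
+end
+
+# Run the inspec tests and record the results
+def run
+sut_inspec_results = '/tmp/inspec_results.json'
+
+inspec_cmd = "inspec exec --format json #{@sut_profile_dir} > #{sut_inspec_results}"
+result = on(@sut, inspec_cmd, :accept_all_exit_codes => true)
+
+tmpdir = Dir.mktmpdir
+begin
+Dir.chdir(tmpdir) do
+scp_from(@sut, sut_inspec_results, '.')
+
+local_inspec_results = File.basename(sut_inspec_results)
+
+if File.exist?(local_inspec_results)
+begin
+@inspec_results = JSON.load(File.read(local_inspec_results))
+rescue JSON::ParserError, JSON::GeneratorError
+@inspec_results = nil
+end
+end
+end
+ensure
+FileUtils.remove_entry_secure tmpdir
+end
+
+unless @inspec_results
+File.open(@inspec_result_file + '.err', 'w') do |fh|
+fh.puts(result.stderr.strip)
+end
+
+err_msg = ["Error running inspec command #{inspec_cmd}"]
+err_msg << "Error captured in #{@inspec_result_file}" + '.err'
+
+fail(err_msg.join("\n"))
+end
+end
+
+# Output the report
+#
+# @param report
+# The inspec results Hash
+#
+def write_report(report)
+File.open(@inspec_result_file + '.json', 'w') do |fh|
+fh.puts(JSON.pretty_generate(@inspec_results))
+end
+
+File.open(@inspec_result_file + '.report', 'w') do |fh|
+fh.puts(report[:report].uncolor)
+end
+end
+
+# Process the results of an InSpec run
+#
+# @return [Hash] A Hash of statistics and a formatted report
+#
+def process_inspec_results
+require 'highline'
+
+HighLine.colorize_strings
+
+stats = {
+:passed => 0,
+:failed => 0,
+:skipped => 0,
+:report => []
+}
+
+profiles = @inspec_results['profiles']
+
+profiles.each do |profile|
+stats[:report] << "Name: #{profile['name']}"
+
+profile['controls'].each do |control|
+title = control['title']
+
+if title.length > 72
+title = title[0..71] + '(...)'
+end
+
+title_chunks = control['title'].scan(/.{1,72}\W|.{1,72}/).map(&:strip)
+
+stats[:report] << "\n Control: #{title_chunks.shift}"
+unless title_chunks.empty?
+title_chunks.map!{|x| x = " #{x}"}
+stats[:report] << title_chunks.join("\n")
+end
+
+if control['results']
+status = control['results'].first['status']
+else
+status = 'skipped'
+end
+
+status_str = " Status: "
+if status == 'skipped'
+stats[:skipped] += 1
+
+stats[:report] << status_str + status.yellow
+stats[:report] << " File: #{control['source_location']['ref']}"
+elsif status =~ /^fail/
+stats[:failed] += 1
+
+stats[:report] << status_str + status.red
+stats[:report] << " File: #{control['source_location']['ref']}"
+else
+stats[:passed] += 1
+
+stats[:report] << status_str + status.green
+end
+end
+
+stats[:report] << "\n Statistics:"
+stats[:report] << " * Passed: #{stats[:passed].to_s.green}"
+stats[:report] << " * Failed: #{stats[:failed].to_s.red}"
+stats[:report] << " * Skipped: #{stats[:skipped].to_s.yellow}"
+
+score = 0
+if (stats[:passed] + stats[:failed]) > 0
+score = ((stats[:passed].to_f/(stats[:passed] + stats[:failed])) * 100.0).round(0)
+end
+
+stats[:report] << " * Score: #{score}%"
+end
+
+stats[:report] = stats[:report].join("\n")
+
+return stats
+end
+end
+end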
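Review bot: In `process_inspec_results` a control's status is read from `control['results'].first['status']` alone, so a control whose first result passes while a later one fails is counted as passed and the score overstates compliance; an empty `results` array is truthy in Ruby and would also raise on `nil['status']`. The status should be derived from every result of the control, as in the excerpt below. Separately, `run` parses a file fetched from the SUT with `JSON.load`, which is intended for trusted input; `@inspec_results = JSON.parse(File.read(local_inspec_results))` is the safer call there.

```ruby
# … unchanged: title wrapping and "Control:" lines …
statuses = Array(control['results']).map { |r| r['status'].to_s }

status =
  if statuses.any? { |s| s.start_with?('fail') }
    'failed'
  elsif statuses.empty? || statuses.all? { |s| s == 'skipped' }
    'skipped'
  else
    'passed'
  end
# … unchanged: status_str and the per-status counters …
```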
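--- a/data/lib/simp/beaker_helpers/ssg.rb
+++ b/data/lib/simp/beaker_helpers/ssg.rb
@@ -0,0 +1,133 @@
+module Simp::BeakerHelpers
+# Helpers for working with the SCAP Security Guide
+class SSG
+
+if ENV['BEAKER_ssg_repo']
+GIT_REPO = ENV['BEAKER_ssg_repo']
+else
+GIT_REPO = 'https://github.com/OpenSCAP/scap-security-guide.git'
+end
+
+EL_PACKAGES = [
+'git',
+'cmake',
+'openscap-utils',
+'openscap-python',
+'python-lxml'
+]
+
+OS_INFO = {
+'RedHat' => {
+'6' => {
+'required_packages' => EL_PACKAGES,
+'ssg' => {
+'target' => 'rhel6',
+'datastream' => 'ssg-rhel6-ds.xml'
+}
+},
+'7' => {
+'required_packages' => EL_PACKAGES,
+'ssg' => {
+'target' => 'rhel7',
+'datastream' => 'ssg-rhel7-ds.xml'
+}
+}
+},
+'CentOS' => {
+'6' => {
+'required_packages' => EL_PACKAGES,
+'ssg' => {
+'target' => 'rhel6',
+'datastream' => 'ssg-rhel6-ds.xml'
+}
+},
+'7' => {
+'required_packages' => EL_PACKAGES,
+'ssg' => {
+'target' => 'centos7',
+'datastream' => 'ssg-centos7-ds.xml'
+}
+}
+}
+}
+
+# Create a new SSG helper for the specified host
+#
+# @param sut
+# The SUT against which to run
+#
+def initialize(sut)
+@sut = sut
+
+@os = fact_on(@sut, 'operatingsystem')
+@os_rel = fact_on(@sut, 'operatingsystemmajrelease')
+
+unless OS_INFO[@os]
+fail("Error: The '#{@os}' Operating System is not supported")
+end
+
+OS_INFO[@os][@os_rel]['required_packages'].each do |pkg|
+@sut.install_package(pkg)
+end
+
+@output_dir = File.absolute_path('sec_results/ssg')
+
+unless File.directory?(@output_dir)
+FileUtils.mkdir_p(@output_dir)
+end
+
+@result_file = "#{@sut.hostname}-ssg-#{Time.now.to_i}"
+
+get_ssg_datastream
+end
+
+def target
+OS_INFO[@os][@os_rel]['ssg']['target']
+end
+
+def remediate(profile)
+evaluate(profile, true)
+end
+
+def evaluate(profile, remediate=false)
+cmd = 'cd scap-security-guide && oscap xccdf eval'
+
+if remediate
+cmd += ' --remediate'
+end
+
+cmd += %( --profile #{profile} --results #{@result_file}.xml --report #{@result_file}.html #{OS_INFO[@os][@os_rel]['ssg']['datastream']})
+
+# We accept all exit codes here because there have occasionally been
+# failures in the SSG content and we're not testing that.
+
+on(@sut, cmd, :accept_all_exit_codes => true)
+
+['xml', 'html'].each do |ext|
+path = "scap-security-guide/#{@result_file}.#{ext}"
+scp_from(@sut, path, @output_dir)
+
+fail("Could not retrieve #{path} from #{@sut}") unless File.exist?(File.join(@output_dir, "#{@result_file}.#{ext}"))
+end
+end
+
+private
+
+def get_ssg_datastream
+# Allow users to point at a specific SSG release 'tar.bz2' file
+ssg_release = ENV['BEAKER_ssg_release']
+
+# Grab the latest SSG release in fixtures if it exists
+ssg_release ||= Dir.glob('spec/fixtures/ssg_releases/*.bz2').last
+
+if ssg_release
+scp_to(@sut, ssg_release)
+
+on(@sut, %(mkdir -p scap-security-guide && tar -xj -C scap-security-guide --strip-components 1 -f #{ssg_release} && cp scap-security-guide/*ds.xml ~))
+else
+on(@sut, %(git clone #{GIT_REPO}))
+on(@sut, %(cd scap-security-guide/build; cmake ../; make -j4 #{OS_INFO[@os][@os_rel]['ssg']['target']}-content && cp *ds.xml ~))
+end
+end
+end
+end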
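Review bot: When no release tarball is found, `get_ssg_datastream` runs `git clone #{GIT_REPO}` and builds whatever the default branch holds at that moment, so the benchmark content a scan is judged against is unpinned and unverified and can differ between runs. Pinning the clone to a reviewed tag, e.g. `git clone --branch <RELEASE_TAG> --depth 1 #{GIT_REPO}` (placeholder tag), or relying on a checksummed tarball keeps results reproducible. In the tarball branch `scp_to(@sut, ssg_release)` names no destination while `tar ... -f #{ssg_release}` reuses the local path on the SUT, and `Dir.glob(...).last` only yields the latest release if the list is sorted first (`.sort.last`). The constructor checks `OS_INFO[@os]` but not the release, so an unsupported major version fails with a nil error instead of the intended message; `unless OS_INFO[@os] && OS_INFO[@os][@os_rel]` covers both.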
data/lib/simp/rake/beaker.rb
CHANGED
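--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: simp-beaker-helpers
 version: !ruby/object:Gem::Version
-version: 1.7.
+version: 1.7.4
 platform: ruby
 authors:
 - Chris Tessmer
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-
+date: 2017-07-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: beaker
@@ -60,6 +60,8 @@ files:
 - files/pki/template_host.cnf
 - files/puppet-agent-versions.yaml
 - lib/simp/beaker_helpers.rb
+- lib/simp/beaker_helpers/inspec.rb
+- lib/simp/beaker_helpers/ssg.rb
 - lib/simp/beaker_helpers/version.rb
 - lib/simp/rake/beaker.rb
 - simp-beaker-helpers.gemspec
@@ -91,15 +93,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.4.
+rubygems_version: 2.4.5
 signing_key:
 specification_version: 4
 summary: beaker helper methods for SIMP
-test_files:
-- spec/acceptance/enable_fips_spec.rb
-- spec/acceptance/fixture_modules_spec.rb
-- spec/acceptance/nodesets/default.yml
-- spec/acceptance/pki_tests_spec.rb
-- spec/acceptance/set_hieradata_on_spec.rb
-- spec/acceptance/write_hieradata_to_spec.rb
-- spec/spec_helper_acceptance.rb
+test_files: []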