improve testing (dev-sec#287)

* fix problem with package_facts on SuSE SuSE Linux does not work with ansibel module packet_facts, so we need to exclude this task there. Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * fix local docker tests for all distributions Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * fix local vagrant tests for all distributions Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * simplify travis tests Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * fix opensuse in travis Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add fixes for suse Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add special case for suse docker Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
divialth · Aug 3, 2020 · e66c2d2 · e66c2d2
1 parent 784e9db
commit e66c2d2
Show file tree

Hide file tree

Showing 7 changed files with 98 additions and 78 deletions.
diff --git a/.kitchen.vagrant.yml b/.kitchen.vagrant.yml
@@ -33,6 +33,9 @@ platforms:
 - name: centos-6
   driver_config:
     box: bento/centos-6.7
+    provision: true
+    vagrantfiles:
+      - rhel6_provision.rb
 - name: centos-7
   driver_config:
     box: bento/centos-7
@@ -42,6 +45,9 @@ platforms:
 - name: oracle-6
   driver_config:
     box: bento/oracle-6
+    provision: true
+    vagrantfiles:
+      - rhel6_provision.rb
 - name: oracle-7
   driver_config:
     box: bento/oracle-7
@@ -57,6 +63,11 @@ platforms:
 - name: opensuse_tumbleweed
   driver_config:
     box: opensuse/Tumbleweed.x86_64
+    provision: true
+    vagrantfiles:
+      - suse_provision.rb
+  provisioner:
+    ansible_binary_path: "/usr/local/bin"
 
 verifier:
   name: inspec

diff --git a/.kitchen.yml b/.kitchen.yml
@@ -2,7 +2,16 @@
 driver:
   name: docker
   use_sudo: false
-  privileged: true
+  cap_add:
+    - SYS_ADMIN
+  volume:
+    - /sys/fs/cgroup:/sys/fs/cgroup:ro
+  run_options:
+    tmpfs:
+      - /tmp
+      - /run
+      - /run/lock
+  run_command: /sbin/init
   http_proxy: <%= ENV['http_proxy'] || nil %>
   https_proxy: <%= ENV['https_proxy'] || nil %>
 
@@ -28,95 +37,108 @@ platforms:
   driver:
     image: rndmh3ro/docker-centos6-ansible:latest
     platform: centos
+    provision_command:
+      - sed -i '/loginuid/d' /etc/pam.d/sshd
+
 - name: centos7-ansible-latest
   driver:
     image: rndmh3ro/docker-centos7-ansible:latest
     platform: centos
-    run_command: /sbin/init
     provision_command:
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - sed -i '/nologin/d' /etc/pam.d/sshd
       - systemctl enable sshd.service
+
 - name: centos8-ansible-latest
   driver:
     image: rndmh3ro/docker-centos8-ansible:latest
     platform: centos
-    run_command: /sbin/init
     provision_command:
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - sed -i '/nologin/d' /etc/pam.d/sshd
       - systemctl enable sshd.service
+  provisioner:
+    ansible_binary_path: "/usr/local/bin"
+
 - name: oracle6-ansible-latest
   driver:
     image: rndmh3ro/docker-oracle6-ansible:latest
     platform: centos
+    provision_command:
+      - sed -i '/loginuid/d' /etc/pam.d/sshd
+
 - name: oracle7-ansible-latest
   driver:
     image: rndmh3ro/docker-oracle7-ansible:latest
-    run_command: /sbin/init
     platform: centos
     provision_command:
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - yum -y install initscripts
+      - sed -i '/nologin/d' /etc/pam.d/sshd
       - systemctl enable sshd.service
+
 - name: ubuntu1604-ansible-latest
   driver:
     image: rndmh3ro/docker-ubuntu1604-ansible:latest
     platform: ubuntu
-    run_command: /sbin/init
     provision_command:
       - systemctl enable ssh.service
+
 - name: ubuntu1804-ansible-latest
   driver:
     image: rndmh3ro/docker-ubuntu1804-ansible:latest
     platform: ubuntu
-    run_command: /sbin/init
     provision_command:
       - systemctl enable ssh.service
+
 - name: debian9-ansible-latest
   driver:
     image: rndmh3ro/docker-debian9-ansible:latest
     platform: debian
-    run_command: /sbin/init
     provision_command:
       - apt install -y systemd-sysv
       - systemctl enable ssh.service
+
 - name: debian10-ansible-latest
   driver:
     image: rndmh3ro/docker-debian10-ansible:latest
     platform: debian
-    run_command: /sbin/init
     provision_command:
       - apt install -y systemd-sysv
       - systemctl enable ssh.service
+
 - name: amazon-ansible-latest
   driver:
     image: rndmh3ro/docker-amazon-ansible:latest
     platform: centos
-    run_command: /sbin/init
     provision_command:
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - sed -i '/nologin/d' /etc/pam.d/sshd
       - systemctl enable sshd.service
+
 - name: fedora-ansible-latest
   driver:
     image: rndmh3ro/docker-fedora-ansible:latest
     platform: centos
-    run_command: /sbin/init
     provision_command:
       - dnf install -y python
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - sed -i '/nologin/d' /etc/pam.d/sshd
       - systemctl enable sshd.service
+
 - name: opensuse_tumbleweed-ansible-latest
   driver:
     image: rndmh3ro/docker-opensuse_tumbleweed-ansible
     platform: opensuse
     provision_command:
-      - zypper -n install python-xml rpm-python
-      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - zypper -n install python-xml
+      - sed -i '/nologin/d' /etc/pam.d/sshd
+      - sed -i '/systemd/d' /etc/pam.d/common-session
       - systemctl enable sshd.service
 
 verifier:
   name: inspec
   sudo: true
   inspec_tests:
-    - https://github.com/dev-sec/tests-os-hardening
+    - https://github.com/dev-sec/linux-baseline
+  controls:
+    # skip sysctl checks, since they make no sense in docker
+    - /^(?!sysctl-|package-07).+/
 
 suites:
 - name: os
diff --git a/.travis.yml b/.travis.yml
@@ -2,63 +2,30 @@
 services: docker
 
 env:
-  - distro: centos6
-    version: latest
-    init: /sbin/init
-
-  - distro: centos7
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-    version: latest
-
-  - distro: centos8
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-    version: latest
-
-  - distro: fedora
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-    version: latest
-
-  - distro: oracle6
-    version: latest
-    init: /sbin/init
-
-#  - distro: oracle7
-#    init: /lib/systemd/systemd
-#    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-#    version: latest
-
-  - distro: ubuntu1604
-    version: latest
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: ubuntu1804
-    version: latest
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: debian9
-    version: latest
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: debian10
-    version: latest
-    init: /lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  - distro: amazon
-    init: /lib/systemd/systemd
-    version: latest
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-
-  # - distro: opensuse_tumbleweed
-  #   init: /usr/lib/systemd/systemd
-  #   version: latest
-  #   run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro --volume=/run:/run:ro"
+  global:
+    - version=latest
+    - init=/sbin/init
+    - run_opts="--cap-add SYS_ADMIN"
+    - volume="/sys/fs/cgroup:/sys/fs/cgroup:ro"
+  jobs:
+    - distro=centos6
+      volume=":"
+      run_opts=""
+    - distro=centos7
+    - distro=centos8
+    - distro=oracle6
+      volume=":"
+      run_opts=""
+#    - distro=oracle7
+    - distro=ubuntu1604
+    - distro=ubuntu1804
+    - distro=debian9
+      init=/lib/systemd/systemd
+    - distro=debian10
+    - distro=amazon
+    - distro=fedora
+    - distro=opensuse_tumbleweed
+      run_opts="--privileged"
 
 before_install:
   # Pull container
@@ -70,7 +37,7 @@ script:
 
   - container_id=$(mktemp)
   # Run container in detached state.
-  - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
+  - 'docker run --detach --volume="${volume}" --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
 
   # Output Ansible version from docker image
   - 'docker exec "$(cat ${container_id})" ansible-playbook --version'
@@ -79,7 +46,7 @@ script:
   - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/tests/test.yml --diff'
 
    # Verify role
-  - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-05b os-06 os-07 os-09 os-10 os-11 package-01 package-02 package-03 package-05 package-06 package-08 package-09 --no-distinct-exit'
+  - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --no-distinct-exit'
 
 notifications:
   webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/rhel6_provision.rb b/rhel6_provision.rb
@@ -0,0 +1,7 @@
+Vagrant.configure(2) do |config|
+  config.vm.provision "shell", inline: <<-SHELL
+    rpm -i http://mirror.de.leaseweb.net/epel/6/x86_64/epel-release-6-8.noarch.rpm
+    sed -i 's/\\(mirrorlist=http\\)s/\\1/' /etc/yum.repos.d/epel.repo
+    yum install -y ansible libselinux-python
+  SHELL
+end
diff --git a/suse_provision.rb b/suse_provision.rb
@@ -0,0 +1,7 @@
+Vagrant.configure(2) do |config|
+  config.vm.provision "shell", inline: <<-SHELL
+      zypper -n install python2-setuptools
+      mkdir -p /usr/local/lib/python2.7/site-packages/
+      ln -s /usr/local/bin/pip /usr/bin/
+  SHELL
+end
diff --git a/tasks/pam.yml b/tasks/pam.yml
@@ -121,6 +121,7 @@
 - name: Gather package facts
   package_facts:
     manager: auto
+  when: ansible_facts.os_family != 'Suse'
 
 - name: NSA 2.3.3.5 Upgrade Password Hashing Algorithm to SHA-512
   template:
@@ -129,4 +130,6 @@
     mode: '0640'
     owner: 'root'
     group: 'root'
-  when: "'libuser' in ansible_facts.packages"
+  when:
+    - ansible_facts.os_family != 'Suse'
+    - "'libuser' in ansible_facts.packages"
diff --git a/tests/test.yml b/tests/test.yml
@@ -24,6 +24,9 @@
           - findutils
           - procps-ng
       when: ansible_facts.distribution == 'Fedora'
+    - name: install required tools on SuSE
+      shell: "zypper -n install python-xml"
+      when: ansible_facts.os_family == 'Suse'
     - name: create recursing symlink to test minimize access
       shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
   vars: