(SIMP-6708) Create and ensure inspec tests work by module (simp#96)

SIMP-6708 #comment simp-rsyslog updated

.fixtures.yml

@@ -19,5 +19,9 @@ fixtures:
     stunnel: https://github.com/simp/pupmod-simp-stunnel
     systemd: https://github.com/simp/puppet-systemd
     tcpwrappers: https://github.com/simp/pupmod-simp-tcpwrappers
+    disa_stig-el7-baseline:
+      repo: https://github.com/simp/inspec-profile-disa_stig-el7
+      branch:  master
+      target: spec/fixtures/inspec_deps/inspec_profiles/profiles
   symlinks:
     rsyslog: "#{source_dir}"

.gitignore

@@ -2,15 +2,16 @@
 .yardoc
 dist/
 pkg/
-spec/fixtures/
 spec/rp_env/
-!/spec/hieradata/default.yaml
-!/spec/fixtures/site.pp
+spec/fixtures/**
+!spec/fixtures/site.pp
+!spec/fixtures/inspec_profiles
+.bundle/
 .rspec_system
 .vagrant/
-.bundle/
 Gemfile.lock
-vendor/
+doc/
 junit/
 log/
-doc/
+sec_results/
+vendor/

.gitlab-ci.yml

@@ -227,3 +227,9 @@ pup6-fips:
   <<: *acceptance_base
   script:
     - 'BEAKER_fips=yes bundle exec rake beaker:suites[default]'
+
+pup6-compliance:
+  <<: *pup_6
+  <<: *compliance_base
+  script:
+    - 'BEAKER_fips=yes bundle exec rake beaker:suites[compliance]'

spec/acceptance/nodesets/default.yml

@@ -14,24 +14,44 @@ HOSTS:
     platform: el-7-x86_64
     box: centos/7
     hypervisor: <%= hypervisor %>
+    yum_repos:
+      chef-current:
+        baseurl: 'https://packages.chef.io/repos/yum/current/el/7/$basearch'
+        gpgkeys:
+          - https://packages.chef.io/chef.asc
   server-1:
     roles:
       - server
     platform: el-7-x86_64
     box: centos/7
     hypervisor: <%= hypervisor %>
+    yum_repos:
+      chef-current:
+        baseurl: 'https://packages.chef.io/repos/yum/current/el/7/$basearch'
+        gpgkeys:
+          - https://packages.chef.io/chef.asc
   server-2:
     roles:
       - server
     platform: el-6-x86_64
     box: centos/6
     hypervisor: <%= hypervisor %>
+    yum_repos:
+      chef-current:
+        baseurl: 'https://packages.chef.io/repos/yum/current/el/6/$basearch'
+        gpgkeys:
+          - https://packages.chef.io/chef.asc
   server-3:
     roles:
       - failover_server
     platform: el-7-x86_64
     box: centos/7
     hypervisor: <%= hypervisor %>
+    yum_repos:
+      chef-current:
+        baseurl: 'https://packages.chef.io/repos/yum/current/el/7/$basearch'
+        gpgkeys:
+          - https://packages.chef.io/chef.asc
 CONFIG:
   log_level: verbose
   type: aio

spec/acceptance/suites/compliance/00_simp_profile_install_spec.rb

@@ -0,0 +1,58 @@
+require 'spec_helper_acceptance'
+
+test_name 'rsyslog STIG enforcement of simp profile'
+
+describe 'rsyslog STIG enforcement of simp profile' do
+
+  let(:manifest) {
+    <<-EOS
+      include 'rsyslog'
+    EOS
+  }
+
+  let(:hieradata) { <<-EOF
+---
+simp_options::pki: true
+simp_options::pki::source: '/etc/pki/simp-testing/pki'
+
+compliance_markup::enforcement:
+  - disa_stig
+  EOF
+  }
+
+  hosts.each do |host|
+
+    let(:hiera_yaml) { <<-EOM
+---
+version: 5
+hierarchy:
+  - name: Common
+    path: common.yaml
+  - name: Compliance
+    lookup_key: compliance_markup::enforcement
+defaults:
+  data_hash: yaml_data
+  datadir: "#{hiera_datadir(host)}"
+      EOM
+    }
+
+    context 'when enforcing the STIG' do
+      it 'should work with no errors' do
+        create_remote_file(host, host.puppet['hiera_config'], hiera_yaml)
+        write_hieradata_to(host, hieradata)
+
+        apply_manifest_on(host, manifest, :catch_failures => true)
+      end
+
+      it 'should reboot for audit updates' do
+        host.reboot
+
+        apply_manifest_on(host, manifest, :catch_failures => true)
+      end
+
+      it 'should be idempotent' do
+        apply_manifest_on(host, manifest, :catch_changes => true)
+      end
+    end
+  end
+end

spec/acceptance/suites/compliance/01_simp_profile_inspec_spec.rb

@@ -0,0 +1,65 @@
+require 'spec_helper_acceptance'
+require 'json'
+
+test_name 'Check Inspec for simp profile'
+
+describe 'run inspec against the appropriate fixtures' do
+
+  profiles_to_validate = ['disa_stig']
+
+  hosts.each do |host|
+    profiles_to_validate.each do |profile|
+      context "for profile #{profile}" do
+        context "on #{host}" do
+          profile_path = File.join(
+                fixtures_path,
+                'inspec_profiles',
+                "#{fact_on(host, 'operatingsystem')}-#{fact_on(host, 'operatingsystemmajrelease')}-#{profile}"
+              )
+
+          unless File.exist?(profile_path)
+            it 'should run inspec' do
+              skip("No matching profile available at #{profile_path}")
+            end
+          else
+            before(:all) do
+              @inspec = Simp::BeakerHelpers::Inspec.new(host, profile)
+              @inspec_report = {:data => nil}
+            end
+
+            it 'should run inspec' do
+              @inspec.run
+            end
+
+            it 'should have an inspec report' do
+              @inspec_report[:data] = @inspec.process_inspec_results
+
+              info = [
+                'Results:',
+                "  * Passed: #{@inspec_report[:data][:passed]}",
+                "  * Failed: #{@inspec_report[:data][:failed]}",
+                "  * Skipped: #{@inspec_report[:data][:skipped]}"
+              ]
+
+              puts info.join("\n")
+
+              @inspec.write_report(@inspec_report[:data])
+            end
+
+            it 'should have run some tests' do
+              expect(@inspec_report[:data][:failed] + @inspec_report[:data][:passed]).to be > 0
+            end
+
+            it 'should not have any failing tests' do
+              if @inspec_report[:data][:failed] > 0
+                puts @inspec_report[:data][:report]
+              end
+
+              expect( @inspec_report[:data][:failed] ).to eq(0)
+            end
+          end
+        end
+      end
+    end
+  end
+end

spec/acceptance/suites/compliance/nodesets

@@ -0,0 +1 @@
+../../nodesets

spec/fixtures/inspec_profiles/CentOS-7-disa_stig

@@ -0,0 +1 @@
+RedHat-7-disa_stig

spec/fixtures/inspec_profiles/RedHat-7-disa_stig/controls/00_Control_Selector.rb

@@ -0,0 +1,38 @@
+skips = {}
+overrides = []
+subsystems = [ 'rsyslog' ]
+
+
+require_controls 'disa_stig-el7-baseline' do
+  skips.each_pair do |ctrl, reason|
+    control ctrl do
+      describe "Skip #{ctrl}" do
+        skip "Reason: #{skips[ctrl]}" do
+        end
+      end
+    end
+  end
+
+  @conf['profile'].info[:controls].each do |ctrl|
+    next if (overrides + skips.keys).include?(ctrl[:id])
+
+    tags = ctrl[:tags]
+    if tags && tags[:subsystems]
+      subsystems.each do |subsystem|
+        if tags[:subsystems].include?(subsystem)
+          control ctrl[:id]
+        end
+      end
+    end
+  end
+
+  ## Overrides ##
+
+# # USEFUL DESCRIPTION
+# control 'V-IDENTIFIER' do
+#   # Enhancement, leave this out if you just want to add a different test
+#   overrides << self.to_s
+#
+#   only_if { file('whatever').exist? }
+# end
+end

spec/fixtures/inspec_profiles/RedHat-7-disa_stig/inspec.yml

@@ -0,0 +1,15 @@
+name: EL7 rsyslog STIG
+title: rsyslog STIG for EL 7
+supports:
+  - os-family: redhat
+maintainer: SIMP Team
+copyright: Onyx Point, Inc.
+copyright_email: [email protected]
+license: Apache-2.0
+summary: |
+  A collection of InSpec tests for the rsyslog subsystem
+version: 0.0.1
+depends:
+  - name: disa_stig-el7-baseline
+    path: ../../inspec_deps/inspec_profiles/profiles/disa_stig-el7-baseline
+