diff --git a/.fixtures.yml b/.fixtures.yml
index 3ed5707..234fff1 100644
--- a/.fixtures.yml
+++ b/.fixtures.yml
@@ -19,5 +19,9 @@ fixtures:
     stunnel: https://github.com/simp/pupmod-simp-stunnel
     systemd: https://github.com/simp/puppet-systemd
     tcpwrappers: https://github.com/simp/pupmod-simp-tcpwrappers
+    disa_stig-el7-baseline:
+      repo: https://github.com/simp/inspec-profile-disa_stig-el7
+      branch: master
+      target: spec/fixtures/inspec_deps/inspec_profiles/profiles
   symlinks:
     rsyslog: "#{source_dir}"
diff --git a/.gitignore b/.gitignore
index 3ee72d0..1edd356 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,15 +2,16 @@
 .yardoc
 dist/
 pkg/
-spec/fixtures/
 spec/rp_env/
-!/spec/hieradata/default.yaml
-!/spec/fixtures/site.pp
+spec/fixtures/**
+!spec/fixtures/site.pp
+!spec/fixtures/inspec_profiles
+.bundle/
 .rspec_system
 .vagrant/
-.bundle/
 Gemfile.lock
-vendor/
+doc/
 junit/
 log/
-doc/
+sec_results/
+vendor/
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d5131a6..02b7341 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -227,3 +227,9 @@ pup6-fips:
   <<: *acceptance_base
   script:
     - 'BEAKER_fips=yes bundle exec rake beaker:suites[default]'
+
+pup6-compliance:
+  <<: *pup_6
+  <<: *compliance_base
+  script:
+    - 'BEAKER_fips=yes bundle exec rake beaker:suites[compliance]'
diff --git a/spec/acceptance/nodesets/default.yml b/spec/acceptance/nodesets/default.yml
index 2961355..2a5da1b 100644
--- a/spec/acceptance/nodesets/default.yml
+++ b/spec/acceptance/nodesets/default.yml
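Review bot: The new `disa_stig-el7-baseline` fixture follows `branch: master` of an external repository, so the set of controls the compliance suite enforces is whatever that branch holds on the day the job runs, and a run can change outcome, or pull in content nobody here reviewed, without any change to this module. Pin the dependency to an immutable reference instead, replacing `branch: master` with `ref: <tag-or-commit>` (placeholder), and move it deliberately when the baseline is updated. The same floating-version concern applies to the `chef-current` yum repository added in spec/acceptance/nodesets/default.yml, where the InSpec version is likewise taken from a moving channel.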
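Review bot: `!spec/fixtures/inspec_profiles` re-includes only the directory entry, while `spec/fixtures/**` still matches every path beneath it, so as far as I read the patterns a profile added later under `spec/fixtures/inspec_profiles/...` would be silently ignored unless force-added; the files in this commit are already tracked, so this only surfaces on the next profile. If the intent is to version the whole tree, add `!spec/fixtures/inspec_profiles/**` next to the directory negation.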
@@ -14,24 +14,44 @@ HOSTS:
     platform: el-7-x86_64
     box: centos/7
     hypervisor: <%= hypervisor %>
+    yum_repos:
+      chef-current:
+        baseurl: 'https://packages.chef.io/repos/yum/current/el/7/$basearch'
+        gpgkeys:
+          - https://packages.chef.io/chef.asc
   server-1:
     roles:
       - server
     platform: el-7-x86_64
     box: centos/7
     hypervisor: <%= hypervisor %>
+    yum_repos:
+      chef-current:
+        baseurl: 'https://packages.chef.io/repos/yum/current/el/7/$basearch'
+        gpgkeys:
+          - https://packages.chef.io/chef.asc
   server-2:
     roles:
       - server
     platform: el-6-x86_64
     box: centos/6
     hypervisor: <%= hypervisor %>
+    yum_repos:
+      chef-current:
+        baseurl: 'https://packages.chef.io/repos/yum/current/el/6/$basearch'
+        gpgkeys:
+          - https://packages.chef.io/chef.asc
   server-3:
     roles:
       - failover_server
     platform: el-7-x86_64
     box: centos/7
     hypervisor: <%= hypervisor %>
+    yum_repos:
+      chef-current:
+        baseurl: 'https://packages.chef.io/repos/yum/current/el/7/$basearch'
+        gpgkeys:
+          - https://packages.chef.io/chef.asc
 CONFIG:
   log_level: verbose
   type: aio
diff --git a/spec/acceptance/suites/compliance/00_simp_profile_install_spec.rb b/spec/acceptance/suites/compliance/00_simp_profile_install_spec.rb
new file mode 100644
index 0000000..3d2dc67
--- /dev/null
+++ b/spec/acceptance/suites/compliance/00_simp_profile_install_spec.rb
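Review bot: Every host now installs the scanner from the `current` channel in `baseurl`, so the InSpec version that judges the STIG result is whatever packages.chef.io serves at run time and two runs of the same commit can disagree; the `stable` channel at the same path layout, or a pinned package version if the helper consuming `yum_repos` supports one, would make results reproducible. Shipping `gpgkeys` is the right call, but the key alone does not enforce verification; confirm the code that turns `yum_repos` into a repo file also writes `gpgcheck=1`, since I cannot see it from this hunk. The five-line repository block is repeated verbatim for all four hosts; an anchor on the first (`yum_repos: &chef_repo`) reused as `yum_repos: *chef_repo` on the other el-7 hosts keeps them from drifting, with server-2 keeping its own el/6 entry.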
@@ -0,0 +1,58 @@
+require 'spec_helper_acceptance'
+
+test_name 'rsyslog STIG enforcement of simp profile'
+
+describe 'rsyslog STIG enforcement of simp profile' do
+
+  let(:manifest) {
+    <<-EOS
+      include 'rsyslog'
+    EOS
+  }
+
+  let(:hieradata) { <<-EOF
+---
+simp_options::pki: true
+simp_options::pki::source: '/etc/pki/simp-testing/pki'
+
+compliance_markup::enforcement:
+  - disa_stig
+  EOF
+  }
+
+  hosts.each do |host|
+
+    let(:hiera_yaml) { <<-EOM
+---
+version: 5
+hierarchy:
+  - name: Common
+    path: common.yaml
+  - name: Compliance
+    lookup_key: compliance_markup::enforcement
+defaults:
+  data_hash: yaml_data
+  datadir: "#{hiera_datadir(host)}"
+  EOM
+    }
+
+    context 'when enforcing the STIG' do
+      it 'should work with no errors' do
+        create_remote_file(host, host.puppet['hiera_config'], hiera_yaml)
+        write_hieradata_to(host, hieradata)
+
+        apply_manifest_on(host, manifest, :catch_failures => true)
+      end
+
+      it 'should reboot for audit updates' do
+        host.reboot
+
+        apply_manifest_on(host, manifest, :catch_failures => true)
+      end
+
+      it 'should be idempotent' do
+        apply_manifest_on(host, manifest, :catch_changes => true)
+      end
+    end
+  end
+end
diff --git a/spec/acceptance/suites/compliance/01_simp_profile_inspec_spec.rb b/spec/acceptance/suites/compliance/01_simp_profile_inspec_spec.rb
new file mode 100644
index 0000000..f5553a3
--- /dev/null
+++ b/spec/acceptance/suites/compliance/01_simp_profile_inspec_spec.rb
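Review bot: `let(:hiera_yaml)` is declared inside `hosts.each` but at the level of the outer `describe`, so each iteration redefines the same helper and, as far as I can tell, every `context 'when enforcing the STIG'` ends up with the datadir of the last host rather than its own; the nodeset in this commit has four hosts, so the first three would get hiera.yaml pointing at another host's `hiera_datadir`. Wrap each iteration in its own group, `context "on #{host}" do` directly after `hosts.each do |host|` with a matching `end`, and declare the `let` inside it; that also gives the four otherwise identically named contexts distinct descriptions in the report. The hieradata turns on `simp_options::pki` with the testing PKI source, which is fine for a fixture but worth a one-line comment saying the STIG rsyslog controls need TLS material present to be enforceable.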
@@ -0,0 +1,65 @@
+require 'spec_helper_acceptance'
+require 'json'
+
+test_name 'Check Inspec for simp profile'
+
+describe 'run inspec against the appropriate fixtures' do
+
+  profiles_to_validate = ['disa_stig']
+
+  hosts.each do |host|
+    profiles_to_validate.each do |profile|
+      context "for profile #{profile}" do
+        context "on #{host}" do
+          profile_path = File.join(
+            fixtures_path,
+            'inspec_profiles',
+            "#{fact_on(host, 'operatingsystem')}-#{fact_on(host, 'operatingsystemmajrelease')}-#{profile}"
+          )
+
+          unless File.exist?(profile_path)
+            it 'should run inspec' do
+              skip("No matching profile available at #{profile_path}")
+            end
+          else
+            before(:all) do
+              @inspec = Simp::BeakerHelpers::Inspec.new(host, profile)
+              @inspec_report = {:data => nil}
+            end
+
+            it 'should run inspec' do
+              @inspec.run
+            end
+
+            it 'should have an inspec report' do
+              @inspec_report[:data] = @inspec.process_inspec_results
+
+              info = [
+                'Results:',
+                " * Passed: #{@inspec_report[:data][:passed]}",
+                " * Failed: #{@inspec_report[:data][:failed]}",
+                " * Skipped: #{@inspec_report[:data][:skipped]}"
+              ]
+
+              puts info.join("\n")
+
+              @inspec.write_report(@inspec_report[:data])
+            end
+
+            it 'should have run some tests' do
+              expect(@inspec_report[:data][:failed] + @inspec_report[:data][:passed]).to be > 0
+            end
+
+            it 'should not have any failing tests' do
+              if @inspec_report[:data][:failed] > 0
+                puts @inspec_report[:data][:report]
+              end
+
+              expect( @inspec_report[:data][:failed] ).to eq(0)
+            end
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/spec/acceptance/suites/compliance/nodesets b/spec/acceptance/suites/compliance/nodesets
new file mode 120000
index 0000000..aa8eb08
--- /dev/null
+++ b/spec/acceptance/suites/compliance/nodesets
@@ -0,0 +1 @@
+../../nodesets
\ No newline at end of file
diff --git a/spec/fixtures/inspec_profiles/CentOS-7-disa_stig b/spec/fixtures/inspec_profiles/CentOS-7-disa_stig
new file mode 120000
index 0000000..16461f8
--- /dev/null
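Review bot: The four examples under the `else` branch only work in file order: `should have an inspec report` fills `@inspec_report[:data]`, and the two examples after it dereference that value, so under random ordering they fail with `NoMethodError` on `nil` rather than a useful message; if the acceptance suite is not locked to defined order, moving the `@inspec.run` and `process_inspec_results` calls into the `before(:all)` hook removes the dependency. As a matter of style, `unless File.exist?(profile_path) ... else` reads backwards; invert it to `if File.exist?(profile_path)` with the skipping example in the `else` branch so the main path comes first. `require 'json'` appears unused in this file as far as the hunk shows, and the two `fact_on` calls run while the example groups are being defined, so an unreachable host aborts the whole file at load time instead of failing one example.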
+++ b/spec/fixtures/inspec_profiles/CentOS-7-disa_stig
@@ -0,0 +1 @@
+RedHat-7-disa_stig
\ No newline at end of file
diff --git a/spec/fixtures/inspec_profiles/RedHat-7-disa_stig/controls/00_Control_Selector.rb b/spec/fixtures/inspec_profiles/RedHat-7-disa_stig/controls/00_Control_Selector.rb
new file mode 100644
index 0000000..491a2eb
--- /dev/null
+++ b/spec/fixtures/inspec_profiles/RedHat-7-disa_stig/controls/00_Control_Selector.rb
@@ -0,0 +1,38 @@
+skips = {}
+overrides = []
+subsystems = [ 'rsyslog' ]
+
+
+require_controls 'disa_stig-el7-baseline' do
+  skips.each_pair do |ctrl, reason|
+    control ctrl do
+      describe "Skip #{ctrl}" do
+        skip "Reason: #{skips[ctrl]}" do
+        end
+      end
+    end
+  end
+
+  @conf['profile'].info[:controls].each do |ctrl|
+    next if (overrides + skips.keys).include?(ctrl[:id])
+
+    tags = ctrl[:tags]
+    if tags && tags[:subsystems]
+      subsystems.each do |subsystem|
+        if tags[:subsystems].include?(subsystem)
+          control ctrl[:id]
+        end
+      end
+    end
+  end
+
+  ## Overrides ##
+
+# # USEFUL DESCRIPTION
+# control 'V-IDENTIFIER' do
+# # Enhancement, leave this out if you just want to add a different test
+# overrides << self.to_s
+#
+# only_if { file('whatever').exist? }
+# end
+end
diff --git a/spec/fixtures/inspec_profiles/RedHat-7-disa_stig/inspec.yml b/spec/fixtures/inspec_profiles/RedHat-7-disa_stig/inspec.yml
new file mode 100644
index 0000000..8f323f9
--- /dev/null
+++ b/spec/fixtures/inspec_profiles/RedHat-7-disa_stig/inspec.yml
@@ -0,0 +1,15 @@
+name: EL7 rsyslog STIG
+title: rsyslog STIG for EL 7
+supports:
+  - os-family: redhat
+maintainer: SIMP Team
+copyright: Onyx Point, Inc.
+copyright_email: simp@onyxpoint.com
+license: Apache-2.0
+summary: |
+  A collection of InSpec tests for the rsyslog subsystem
+version: 0.0.1
+depends:
+  - name: disa_stig-el7-baseline
+    path: ../../inspec_deps/inspec_profiles/profiles/disa_stig-el7-baseline
+
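Review bot: The selection loop pulls a control in once per matching subsystem, so a control tagged with two entries of `subsystems` would be passed to `control` twice; with the single `'rsyslog'` entry that is harmless today, but `control ctrl[:id] if subsystems.any? { |s| tags[:subsystems].include?(s) }` expresses the intent and removes the inner loop. In the skip block the `reason` parameter is declared and then ignored in favour of `skips[ctrl]`; use `skip "Reason: #{reason}" do` or name it `_reason`. Reading `@conf['profile'].info[:controls]` depends on InSpec's internal state rather than a documented API, which is fragile in combination with the unpinned `chef-current` channel the nodeset installs from; a comment naming the InSpec version this was verified against would help the next person who sees the baseline silently return no controls.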