diff --git a/src/courses/profile-dev-test/02.md b/src/courses/profile-dev-test/02.md index 153136640..18d5648a1 100644 --- a/src/courses/profile-dev-test/02.md +++ b/src/courses/profile-dev-test/02.md @@ -1,42 +1,79 @@ --- order: 2 next: 03.md -title: Repository Organization +title: 2. Understanding Repository Organization author: Aaron Lippold --- -## Repository Organization +## Learning Objectives -The repository and profile are organized into two primary branches: `main` and `TBD`. The repository has a set of `tags` representing iterative releases of the STIG from one Benchmark major version to the next. It also has a set of releases for fixes and updates to the profile between STIG Benchmark Releases. +By the end of this section, you will: -## Branches +- Understand the branch strategy for STIG profiles +- Learn about semantic versioning in the context of STIG releases +- Know how to navigate tags and releases -### `main` branch +## Repository Structure Overview -The `main` branch contains the most recent code for the profile. It may include bugs and is typically aligned with the latest patch release for the profile. This branch is primarily used for development and testing workflows for the various testing targets. For production validation, use the latest stable patch release. +The InSpec profile repository should have a structured branching and tagging strategy to manage STIG profile versions and updates. This organizational strategy ensures reliable tracking of changes and stable releases for production use. -### `v{x}r{xx}` branches +## Branch Strategy -The `v{x}r{xx}` branches represent the changes between releases of the benchmark. They align with the STIG releases for the Benchmark found at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). +Security developers and engineers should be putting actively developed changes and updates into feature branches. Once those feature branches have been completed and peer reviewed, they should be merged into the version branch for the respective guidance release. Once all required features, changes, bugfixes, etc. have been merged in, a release should be created - this means that the version branch should be merged into your main branch and a tag should be created. The main branch of the repository ought to be the latest, working version of the codebase. -## Releases +::: tip Branches are not releases +Sometimes code ends up merged directly to the main branch - this is fine - the main branch is not a formal release. +::: -Releases use Semantic Versioning (SemVer), aligning with the STIG Benchmark versioning system of Major Version and Release. The SemVer patch number is used for updates, bug fixes, and code changes between STIG Benchmark Releases for the given product. STIG Benchmarks use a Version and Release tagging pattern `v{x}r{xx}` - like V1R12 - and we mirror that pattern in our SemVer releases. + + + + + + + + + + + + + + + + + + + + + + + + + +
Main BranchVersion Branch (`v{x}r{xx}`)
PurposeActive development and testingWork-in-progress tracking a major STIG benchmark release
ContainsLatest code and patches

Code that is becoming aligned to an official guidance release

DISA usually releases updates to STIGs on a quarterly basis. See the [DISA STIG Document Library](https://public.cyber.mil/stigs/downloads/).

Example branch name`main` or `master``v1r12` for Version 1, Release 12
-## Tags +## Version Control and Tagging Strategy -### Current Tag +### Tags -We don't use a specific `current` or `latest` tag. The `current`/`latest` tag for the profile and repository will always be the latest major tag of the benchmark. For example, if `v1.12.3` is the latest Benchmark release from the STIG author, then the tag `v1.12` will point to the `v1.12.3` release of the code. +#### Current Tag -To use the current `main`, point directly to the GitHub repo. +We do not recommend using a `current` or `latest` tag - if someone needs the latest and greatest, they can pull directly from the main branch of the repository. -### Major Tags +#### Major Tags -Major tags point to the latest patch release of the benchmark. For example, `v1.3` and `v1.3.0` represent the first release of the Red Hat Enterprise Linux 8 STIG V1R3 Benchmark. The `v1.12.xx` tag(s) would represent the V1R12 Benchmark releases as we find bugs, fixes, or general improvements to the testing profile. This tag will point to its `v{x}r{xx}` counterpart. +Major tags point to the latest patch releases of the benchmark. For example, `v1`, `v1.3`, and `v1.3.0` all should point at the same commit representing the first release of the Red Hat Enterprise Linux 8 STIG V1R3 Benchmark. The `v1.12.xx` tag(s) would represent the V1R12 Benchmark releases as we find bugs, fixes, or general improvements to the testing profile. -## Patch Releases +#### Patch Releases The latest patch release always points to the major release for the profile. -For example, after releasing `v1.12.0`, we will point `v1.12` to that patch release: `v1.12.0`. When an issue is found, we will fix, tag, and release `v1.12.1`. We will then 'move' the `v1.12` tag so that it points to tag `v1.12.1`. This way, your pipelines can choose if they want to pin on a specific release of the InSpec profile or always run 'current'. +For example, after releasing `v1.12.0`, we will point `v1.12` to that patch release: `v1.12.0`. When an issue is found, we will fix, tag, and release `v1.12.1`. We will then 'move' the `v1.12` tag so that it points to tag `v1.12.1`. This way, your pipelines can choose if they want to pin on a specific release of the InSpec profile or always run using the latest code on the main branch. + +### Semantic Versioning (SemVer) + +Format: `MAJOR.RELEASE.PATCH` + +- MAJOR: Matches STIG version +- RELEASE: Matches STIG release +- PATCH: Profile updates between STIG releases diff --git a/src/courses/profile-dev-test/03.md b/src/courses/profile-dev-test/03.md index d06550b8c..bdb2a7602 100644 --- a/src/courses/profile-dev-test/03.md +++ b/src/courses/profile-dev-test/03.md @@ -1,31 +1,51 @@ --- order: 3 next: 04.md -title: Environment Setup +title: 3. Environment Setup Guide author: Aaron Lippold --- -## Required Software +## Prerequisite Knowledge -- RVM, or another Ruby Management Tool -- Ruby v3 or higher -- Git -- VS Code or another IDE -- Docker (if you want to test hardened and non-hardened containers) -- AWS CLI -- AWS Account +- Basic command line experience +- Familiarity with package managers +- Understanding of environment variables +- Basic Docker concepts -## Required Accounts +## Required Software Overview -1. [AWS Console Account](https://aws.amazon.com/console/ "AWS Console Account") -2. [Platform One Account](https://login.dso.mil/register "Platform One Account") (used for container testing) -3. [P1 Harbor Token](https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/auth?client_id=harbor&redirect_uri=https%3A%2F%2Fregistry1.dso.mil%2Fc%2Foidc%2Fcallback&response_type=code&scope=openid+profile+email+offline_access&state=WS3BsNb5JevECV4aiy3irfegFETBHfRd "DSO Harbor Login") (used for container testing) +Each tool listed below is essential for the course. We'll explain why you need each one: -## Test Suite Environment Variables +- **RVM (Ruby Version Manager)** - Manages Ruby installations +- **Ruby v3+** - Core programming language for our testing framework +- **Git** - Version control for managing code +- **VS Code/IDE** - For writing and editing code +- **Docker** - For container-based testing +- **AWS CLI** - For interacting with AWS services -1. Environment Variables used by Test Kitchen +## Required Accounts Setup -- `INSPEC_CONTROL`: Specifies which single control to run in the `bundle exec kitchen verify` phase, useful for testing and debugging a single requirement. +Create accounts with these services before proceeding: + +1. **AWS Console Account** + - Purpose: Cloud infrastructure testing + - Sign up: [AWS Console](https://aws.amazon.com/console/) + +2. **Platform One (P1) Account** + - Purpose: Access to hardened containers + - Register: [Platform One Registration](https://login.dso.mil/register) + +3. **P1 Harbor Access** + - Purpose: Container registry access + - Get CLI token from your user account page: [Harbor Login](https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/auth?client_id=harbor) + +## Environment Configuration + +### 1. Test Kitchen Variables + +Important variables that control testing behavior: + +- `INSPEC_CONTROL`: Specifies which single control to run in the `bundle exec kitchen verify` phase - useful for testing and debugging a single requirement. - default: `none` - `KITCHEN_LOCAL_YAML`: Specifies the target testing environment you want to use to run and validate the profile. - default: `none` @@ -34,26 +54,40 @@ author: Aaron Lippold - `HARDENED_CONTAINER_IMAGE`: Specifies the Docker container image you consider 'hardened' (used by `kitchen.container.yml`). - default: `registry1.dso.mil/ironbank/redhat/ubi/ubi8` -2. AWS Environment +### 2. AWS Environment Setup + +**Option 1: AWS Profiles (Recommended)** + +- Easier management of multiple environments +- More secure than environment variables +- Setup guide: [AWS CLI Profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) + +**Option 2: Environment Variables** + +- Traditional AWS environment variables +- Documentation: [AWS CLI Installation](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) + +## Step-by-Step Installation Guide -You can either use standard AWS Profiles to configure your environment or use the standard AWS Environment variables to run the test suite. See: [AWS CLI Installation & Configuration](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html "AWS CLI Install Guide") +1. **Ruby Setup** + - Install RVM or alternative Ruby manager + - Install Ruby 3.1+ + - Configure OpenSSL and certificates -- Use the `AWS_PROFILE` environment variable and AWS Credential Profiles to simplify testing on multiple AWS environments or segments. This will allow you to easily manage multiple sets of AWS secrets and access keys with adjustments to a single variable. (See: [AWS CLI and Profile Setup](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html "AWS CLI Profiles Setup")) +2. **AWS Configuration** + - Install AWS CLI + - Configure credentials + - Test connection -## Setting Up Your Environment +3. **Project Setup** + - Clone repository + - Configure Harbor CLI access + - Set up Docker registry access + - Install dependencies -1. Set up your Ruby Version Management system. -2. Install Ruby 3.1 or higher. -3. Configure OpenSSL, organization certificates, etc., for your environment and tooling. -4. Set up your AWS CLI. -5. Clone the repository. -6. Obtain your [Harbor CLI Secret](https://registry1.dso.mil/harbor/projects "DSO Harbor Projects Page"). -7. After logging in, click on your User Profile "About" to get the token. -8. Log in to the P1 Docker Registry. -9. Use the command `docker login -u {PI USER NAME} -p '{HARBOR CLI SECRET}' registry1.dso.mil`. -10. Run `bundle install` in your isolated Ruby environment. +## Verification Steps -## Post-Setup Checks +Run these commands to verify your setup: - Verify your newly installed Ruby environment by running `ruby --version`. - Confirm that InSpec was installed by running `bundle exec inspec --version`. @@ -61,4 +95,4 @@ You can either use standard AWS Profiles to configure your environment or use th - Verify that your `aws-cli` is correctly configured by running `aws s3 ls` (or your preferred test command for AWS CLI). - Confirm your bundle installation by running `bundle exec inspec --version`. - Verify you can pull from RepoOne by running `docker pull https://repo1.dso.mil/dsop/redhat/ubi/ubi8`. -- Celebrate 🎉️ if everything went well. \ No newline at end of file +- Celebrate 🎉️ if everything went well. diff --git a/src/courses/profile-dev-test/04.md b/src/courses/profile-dev-test/04.md index b94d011ae..47f44f531 100644 --- a/src/courses/profile-dev-test/04.md +++ b/src/courses/profile-dev-test/04.md @@ -1,24 +1,84 @@ --- order: 4 next: 05.md -title: Test your Test Environment +title: 4. Test your Test Environment author: Aaron Lippold --- -## Getting to know the Testing Suite +## Learning Objectives -Once you've set up the necessary tools, you're ready to run the profile. The testing environment is determined by Test Kitchen using environment variables. +- Understand the different testing environments available +- Learn how to use Test Kitchen commands +- Execute your first test run +- Troubleshoot common testing issues -There are four testing environments to choose from: +## Introduction -1. AWS VPC Testing: This environment uses an AWS VPC for testing. -2. Docker Testing: This environment uses Docker containers for testing. -3. Vagrant Testing: This environment uses Vagrant virtual machines for testing. -4. Local Testing: This environment uses your local machine for testing. +Before diving into testing your security profiles, let's understand the testing environment and tools we'll be using. This module will guide you through the Test Kitchen framework and help you run your first test. -The specifics of each environment's configuration are detailed in the following sections. +## Available Testing Environments -## Getting Your First Test Kitchen (TK) Run +You have four options for setting up your testing environment: + +📦 **Docker Testing** + +- Uses containers for lightweight, fast testing +- Perfect for local development +- Minimal resource requirements + +🌥️ **AWS VPC Testing** + +- Uses AWS infrastructure +- Ideal for production-like environments +- Requires AWS credentials + +🖥️ **Vagrant Testing** + +- Uses virtual machines locally +- Great for isolated testing +- Supports multiple OS environments + +💻 **Local Testing** + +- Uses your local machine +- Fastest to set up +- Best for initial development + +## Test Kitchen Lifecycle + +Test Kitchen follows a four-stage lifecycle: + +1. **Create** 🏗️ + - Sets up testing instance + - Prepares login credentials + - Initializes testing environment + +2. **Converge** 🔄 + - Runs configuration management + - Applies system settings + - Prepares system state + +3. **Verify** ✅ + - Executes InSpec profile + - Runs security tests + - Reports results + +4. **Destroy** 🗑️ + - Cleans up resources + - Removes test instances + - Resets environment + +## Running Your First Test + +### Prerequisites + +Before starting, ensure you have: + +- Test Kitchen installed +- Proper environment variables set +- Required credentials configured + +### Basic Commands For each of these examples, you need to update the `KITCHEN_LOCAL_YAML` environment variable to point to the correct `kitchen..yaml` file. Ensure that any required supporting environment settings, environment variables, profiles, etc., are in place. See Environment Variables and Testing Target Environments for more information. @@ -44,4 +104,4 @@ You can also isolate which of the 'target suites' - either `vanilla` or `hardene ## Useful Test Kitchen Commands - `login`: Allows you to easily log in using the credentials created when you ran `bundle exec kitchen create`. -- `test`: Runs all the Test Kitchen stages starting with create through destroy to easily allow you to go through a full clean test run. \ No newline at end of file +- `test`: Runs all the Test Kitchen stages starting with create through destroy to easily allow you to go through a full clean test run. diff --git a/src/courses/profile-dev-test/05.md b/src/courses/profile-dev-test/05.md index 0463d8cb5..a8bf539d3 100644 --- a/src/courses/profile-dev-test/05.md +++ b/src/courses/profile-dev-test/05.md @@ -1,34 +1,68 @@ --- order: 5 next: 06.md -title: AWS Testing Suite +title: 5. AWS Testing Suite author: Aaron Lippold --- ## AWS Testing Setup -1. Configure your AWS CLI and set up your AWS Credentials. -2. Test your AWS CLI access by running: `aws s3 ls`. -3. Clone the repository. -4. Navigate to the profile repository root directory. -5. Set the environment variable for the kitchen configuration file: `export KITCHEN_LOCAL_YAML=kitchen.ec2.yml`. - 1. This uses the [kitchen-ec2 driver](https://kitchen.ci/docs/drivers/aws/ "Test Kitchen AWS EC2 Driver Documentation"). -6. (Optional) Set a specific control to run: `export INSPEC_CONTROL='SV-230222'`. +:::note +This guide assumes basic familiarity with AWS. If you're new to AWS, please review the [AWS Getting Started Guide](https://aws.amazon.com/getting-started/) first. +::: + +1. Configure your AWS CLI and set up your AWS credentials + - If you haven't installed AWS CLI, [download it here](https://aws.amazon.com/cli/) + - Run `aws configure` to set up your credentials +2. Verify AWS CLI access: `aws s3 ls` + - If this fails, check your credentials and permissions +3. Clone the repository +4. Navigate to the root directory of the profile repository +5. Configure Kitchen for AWS EC2: + + ```bash + export KITCHEN_LOCAL_YAML=kitchen.ec2.yml + ``` + + > The kitchen-ec2 driver enables TestKitchen to create and manage AWS EC2 instances for testing + +6. (Optional) Target a specific control: + +```bash +export INSPEC_CONTROL='SV-230222' +``` ## Running Through the AWS Test Suite -6. List the kitchen instances with: `bundle exec kitchen list`. You should see something like this: +::: important Understanding the Test Workflow: +`vanilla` represents an unmodified baseline system while `hardened` represents a system with security controls applied. +::: + +7. List the kitchen instances: +```bash +bundle exec kitchen list +``` + +You should see something like this: ```shell - Instance Driver Provisioner Verifier Transport Last Action Last Error - vanilla-rhel-8 Ec2 AnsiblePlaybook Inspec Ssh Verified None - hardened-rhel-8 Ec2 AnsiblePlaybook Inspec Ssh Verified None +Instance Driver Provisioner Verifier Transport Last Action Last Error +vanilla-rhel-8 Ec2 AnsiblePlaybook Inspec Ssh Verified None +hardened-rhel-8 Ec2 AnsiblePlaybook Inspec Ssh Verified None +``` + +### Key Testing Steps Explained + +8. **Create** the test instance: + +```bash +bundle exec kitchen create vanilla ``` -7. Create a kitchen instance: `bundle exec kitchen create vanilla`. +Executing that line launches a fresh EC2 instance for testing: ```shell -➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen create vanilla +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen create vanilla -----> Starting Test Kitchen (v3.5.1) -----> Creating ... < OTHER OUTPUT > @@ -36,10 +70,16 @@ author: Aaron Lippold -----> Test Kitchen is finished. (0m1.21s) ``` -8. Converge the kitchen instance: `bundle exec kitchen converge`. +9. **Converge** the instance: + +```bash +bundle exec kitchen converge vanilla +``` + +Convergence applies the necessary configurations to prepare the system for testing: ```shell -➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen converge vanilla +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen converge vanilla -----> Starting Test Kitchen (v3.5.1) NOTICE - Installing needed packages Updating Subscription Management repositories. @@ -54,10 +94,16 @@ author: Aaron Lippold -----> Test Kitchen is finished. (1m13.52s) ``` -9. Run InSpec on the kitchen instance: `bundle exec kitchen verify`. +10. **Verify** that the Kitchen instance meets our requirements by using InSpec: + +```bash +bundle exec kitchen verify vanilla +``` + +You'll see the same InSpec CLI output that we've gotten familiar with in our other classes: ```shell - ➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen verify vanilla + ➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen verify vanilla -----> Starting Test Kitchen (v3.5.1) -----> Setting up ... Finished setting up (0m0.00s). @@ -77,7 +123,23 @@ author: Aaron Lippold -----> Test Kitchen is finished. (0m6.62s) ``` -10. Destroy the kitchen instance: `bundle exec kitchen destroy vanilla`. -11. For steps that apply to making updates, patches, and updates to the profile, see the next section, [Updating the Profile](#18-updating-the-profile). -12. Your InSpec scan results are located in the `./spec/results/` directory, named `./spec/results/rhel-8_*`. -13. Use [Heimdall Lite](https://heimdall-lite.mitre.org "MITRE Heimdall Lite") to load both the `hardened` and `vanilla` results to ensure your changes and updates, "failed as expected and passed as expected and covered your courner cases." +11. **Destroy** the Kitchen instance: + +```bash +bundle exec kitchen destroy vanilla +``` + +::: caution 💸 +Always remember to pause or destroy your test instances after testing to avoid unnecessary AWS charges. You can do it via `kitchen` or by going into the AWS Console. +::: + +12. Repeat these steps but replace `vanilla` with `hardened`. + +### Analyzing Results + +- Results Location: `./spec/results/rhel-8_*` +- Use [Heimdall Lite](https://heimdall-lite.mitre.org) to compare results: + 1. Load both the `vanilla` and `hardened` results + 2. Use the `Comparison View` (look for the toggle underneath the files list after selecting the hamburger menu in the top left) to compare the results sets and verify expected passes and failures + 3. Review corner cases for complete coverage + diff --git a/src/courses/profile-dev-test/06.md b/src/courses/profile-dev-test/06.md index e5cc83928..a0dd4e31b 100644 --- a/src/courses/profile-dev-test/06.md +++ b/src/courses/profile-dev-test/06.md @@ -1,36 +1,68 @@ --- order: 6 next: 07.md -title: Docker Testing Suite +title: 6. Testing with Docker Containers author: Aaron Lippold --- -## Docker Suite Setup +## Learning Objectives -1. Make sure Docker or Podman is running -2. Login to your docker registry -3. Clone the repository -4. Go into the profile repository root dir -5. `bundle install` -6. `export KITCHEN_LOCAL_YAML=kitchen.container.yml` (uses the [kitchen-dokken driver](https://kitchen.ci/docs/drivers/dokken/ "Test Kitchen Dokken Driver Documentation")) -7. `export VANILLA_CONTAINER_IMAGE=registry.access.redhat.com/ubi8/ubi:8.9-1028` -8. `export HARDENED_CONTAINER_IMAGE=registry1.dso.mil/ironbank/redhat/ubi/ubi8` -9. (optional) `export INSPEC_CONTROL='SV-230222'` +- Understand how to set up a Docker testing environment +- Learn to use Test Kitchen with Docker containers +- Execute and interpret InSpec tests in containers +- Analyze test results using Heimdall Lite + +## Prerequisites + +- Docker or Podman installed and running +- Access to required container registries +- Basic understanding of command line operations + +## Environment Setup + +Before running tests, configure your environment: + +1. Ensure Docker/Podman is running +2. Authenticate with your container registry +3. Clone the test profile repository +4. Navigate to the profile's root directory +5. Run `bundle install` to install dependencies + +## Configure Test Kitchen + +Set these environment variables: + +```shell +export KITCHEN_LOCAL_YAML=kitchen.container.yml +export VANILLA_CONTAINER_IMAGE=registry.access.redhat.com/ubi8/ubi:8.9-1028 +export HARDENED_CONTAINER_IMAGE=registry1.dso.mil/ironbank/redhat/ubi/ubi8 +(optional) export INSPEC_CONTROL='SV-230222' +``` + +Here we will be assessing vanilla and hardened container images. While many containers are hosted by Docker themselves on their [Docker Hub](https://hub.docker.com/) platform, organizations often deploy their own container registries. Red Hat makes their registry available at [`registry.access.redhat.com`](https://registry.access.redhat.com) - we will be using their [`ubi8` image](https://developers.redhat.com/blog/2019/10/09/what-is-red-hat-universal-base-image#high_quality__the_security_and_operational_benefits_of_rhel). Iron Bank is Platform One's hardened container image repository and is available at [`registry1.dso.mil`](https://registry1.dso.mil) - they publish a version of the `ubi8` container that they claim is more hardened than Red Hat's baseline. Let's use Red Hat's `ubi8` as the vanilla container image and Iron Bank's `ubi8` as the hardened container image and validate Iron Bank's claim of having a more hardened image! ## Running Through the Docker Test Suite -10. List the kitchen instances with: `bundle exec kitchen list` +1. List the kitchen instances with: + +```bash +bundle exec kitchen list +``` ```shell -➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen list +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen list Instance Driver Provisioner Verifier Transport Last Action Last Error vanilla-ubi8 Dokken Dummy Inspec Dokken hardened-ubi8 Dokken Dummy Inspec Dokken ``` -11. Create the kitchen instance: `bundle exec kitchen create vanilla` +2. Create the kitchen instance: +```bash +bundle exec kitchen create vanilla +``` ```shell +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen create vanilla -----> Starting Test Kitchen (v3.5.1) -----> Creating ... Creating kitchen sandbox at /Users/alippold/.dokken/kitchen_sandbox/de2da32d73-vanilla-ubi8 @@ -41,10 +73,13 @@ hardened-ubi8 Dokken Dummy Inspec Dokken -----> Test Kitchen is finished. (0m1.77s) ``` -12. Converge the kitchen instance: `bundle exec kitchen converge vanilla` +3. Converge the kitchen instance: +```bash +bundle exec kitchen converge vanilla +``` ```shell -➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen converge vanilla +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen converge vanilla -----> Starting Test Kitchen (v3.5.1) -----> Converging ... ... @@ -52,9 +87,13 @@ hardened-ubi8 Dokken Dummy Inspec Dokken -----> Test Kitchen is finished. (0m0.88s) ``` -13. Run InSpec on the kitchen instance: `bundle exec kitchen verify vanilla` +4. Run InSpec on the kitchen instance: +```bash +bundle exec kitchen verify vanilla +``` ```shell +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen verify vanilla -----> Starting Test Kitchen (v3.5.1) -----> Verifying ... Loaded redhat-enterprise-linux-8-stig-baseline @@ -71,9 +110,20 @@ Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped Test Summary: 0 successful, 4 failures, 0 skipped ``` -## This is not the **Error** Your Looking For, move along... +5. Repeat these steps but replace `vanilla` with `hardened`. -The error below is just Test Kitchen telling you that not all of the Contrls in the profile passed. +### Analyzing Results + +- Results Location: `./spec/results/rhel-8_*` +- Use [Heimdall Lite](https://heimdall-lite.mitre.org) to compare results: + 1. Load both the `vanilla` and `hardened` results + 2. Use the `Comparison View` (look for the toggle underneath the files list after selecting the hamburger menu in the top left) to compare the results sets and verify expected passes and failures + 3. Review corner cases for complete coverage + + +## This isn't the error you're looking for, move along + +The error below is just Test Kitchen telling you that not all of the `controls` of the profile passed. ```shell >>>>>> ------Exception------- @@ -84,7 +134,3 @@ The error below is just Test Kitchen telling you that not all of the Contrls in >>>>>> Please see .kitchen/logs/kitchen.log for more details >>>>>> Also try running `kitchen diagnose --all` for configuration ``` - -14. For steps that apply to making updates, patches, and updates to the profile, see the next section, [Updating the Profile](#updating-the-profile). -15. Your InSpec scan results are located in the `./spec/results/` directory, named `./spec/results/ubi-8_*.` -16. Use Heimdall Lite to load both the `hardened` and `vanilla` results to ensure your changes and updates, "failed as expected and passed as expected and covered your corner cases." diff --git a/src/courses/profile-dev-test/07.md b/src/courses/profile-dev-test/07.md index 3924ca960..dcedf2b03 100644 --- a/src/courses/profile-dev-test/07.md +++ b/src/courses/profile-dev-test/07.md @@ -1,23 +1,35 @@ --- order: 7 next: 08.md -title: Updating - Choosing Your Approach +title: 7. Pull Request Strategies - Choosing Your Approach author: Aaron Lippold --- -## Choosing Your Approach +## Learning Objectives -This project follows the [GitFlow model](https://docs.github.com/en/get-started/quickstart/github-flow "GitFlow Announcement Blog") for managing the repository, accepting pull requests (PRs), and merging changes into the profile. +By the end of this section, you will: -## Micro vs Massive Pull Requests (PRs) +- Understand the GitHub Flow workflow for repository management +- Compare micro and macro PR approaches +- Learn when to use different PR strategies -In software development, the decision between making many small pull requests (micro PRs) or fewer, larger pull requests (massive PRs) often depends on the context. Both approaches have their benefits and challenges. +## GitHub Flow Overview -### Micro PRs +This project uses the [GitHub Flow](https://docs.github.com/en/get-started/quickstart/github-flow) model for managing changes. This workflow helps maintain code quality and collaboration through systematic pull requests (PRs). -Micro PRs involve making frequent, small changes to the codebase. Each PR is focused on a single task or feature. +## Understanding Pull Request Strategies -**Benefits:** +When contributing to a project, you'll need to choose between two main PR approaches: + +### 1. Micro PRs (Small, Frequent Changes) + +**Characteristics:** + +- Single task or feature per PR +- Usually < 200 lines of code +- Frequent submissions + +**Advantages:** - **Easier to review:** Small changes are easier for reviewers to understand and provide feedback on. - **Less risk:** If a problem arises, it's easier to identify and fix because the change is isolated. @@ -28,11 +40,15 @@ Micro PRs involve making frequent, small changes to the codebase. Each PR is foc - **Overhead:** Each PR requires its own review and merge process, which can be time-consuming. - **Context switching:** Frequent changes can disrupt the flow of work, especially if developers have to switch between different tasks. -### Macro PRs +### 2. Macro PRs (Large, Comprehensive Changes) + +**Characteristics:** -Macro PRs involve making larger, more comprehensive changes to the codebase. Each PR may encompass multiple tasks or features. +- Multiple related changes +- Larger codebase modifications +- Less frequent submissions -**Benefits:** +**Advantages:** - **Efficiency:** Larger PRs can be more efficient because they require fewer reviews and merges. - **Coherence:** By grouping related changes together, it may be easier to understand how different parts of the codebase interact. @@ -43,11 +59,51 @@ Macro PRs involve making larger, more comprehensive changes to the codebase. Eac - **Higher risk:** If a problem arises, it can be more difficult to identify and fix because it could be anywhere in the large set of changes. - **Delayed feedback:** With fewer PRs, there are fewer opportunities for feedback. -### PR Strategies for Different Update Scenarios +## Practical Guidelines + +### When to Use Micro PRs + +- Bug fixes +- Small feature additions +- Documentation updates +- Performance optimizations + +### When to Use Macro PRs + +- Major version upgrades +- Complex feature implementations +- Architectural changes +- Large-scale refactoring + +## Update Scenarios The choice between micro and massive PRs can significantly impact the workflows in our `Patch Update`, `Release Update`, and `Major Version Update`. - **Patch and Release Updates:** These updates typically involve minor changes or additions, which can be easily managed with either micro or massive PRs. The choice depends on your team's preference for review speed and context switching. -- **Major Version or Large Jump Release Updates:** These updates require a thorough review of every single control and requirement. They also necessitate extensive testing, both automated (via the CI/CD testing matrix) and manual. In this scenario, the overhead of managing multiple micro or mini PRs can be substantial. However, the benefit is that it allows for more granitary control and review of changes. It's also easier to isolate and fix issues that arise during testing. -In conclusion, the choice between micro and massive PRs depends on the specific needs and circumstances of your project. It's important to strike a balance that maximizes efficiency while minimizing risk, and fosters effective collaboration within your team. +- **Major Version or Large Jump Release Updates:** These updates require a thorough review of every single control and requirement. They also necessitate extensive testing, both automated (via the CI/CD testing matrix) and manual. In this scenario, the overhead of managing multiple micro or mini PRs can be substantial. However, the benefit is that it allows for more granular control and review of changes. It's also easier to isolate and fix issues that arise during testing. + +## Practice Exercise + +Consider these scenarios and decide which PR strategy you would use: + +1. Fixing a typo in documentation +2. Implementing a new security control +3. Upgrading to a new major version + +## Summary + +- Choose micro PRs for better review quality and reduced risk +- Use macro PRs for cohesive, large-scale changes +- Consider project context and team preferences +- Balance efficiency with maintainability + +## Review Questions + +1. What are the key differences between micro and macro PRs? +2. Which PR strategy would you choose for a critical security patch? +3. How does GitHub Flow support different PR strategies? + +::: tip Why not both? +One approach is to have the small feature branches get merged into a version branch on successful review following the "Micro PR" approach. Then you can do a more holistic review of the macro PR associated with the version branch focusing more on having a consistent coding style, ensuring no duplicate `input`s got created, identifying InSpec controls that weren't modified when similar ones were, etc. Once the version branch is approved, it can be merged into the main branch and a release can be cut. +::: diff --git a/src/courses/profile-dev-test/08.md b/src/courses/profile-dev-test/08.md index 9db384a75..9e16f4f0f 100644 --- a/src/courses/profile-dev-test/08.md +++ b/src/courses/profile-dev-test/08.md @@ -1,22 +1,51 @@ --- order: 8 next: 09.md -title: Secruity Benchmarks vs Traditional Software +title: 8. Security Benchmarks vs Traditional Software author: Aaron Lippold --- -## Security Benchmark Code VS Traditional Software Applications +## Understanding Security Benchmarks -When planning your team's approach, remember that a Security Benchmark is only considered 'complete and valid' when all requirements for that specific Release or Major Version are met. This differs from traditional software projects where features and capabilities can be incrementally added. +### Key Differences from Traditional Software -## Security Benchmarks Are Release-Specific +Security benchmarks differ from traditional software development in several critical ways: -A Security Benchmark and ***its corresponding InSpec Profile*** are only applicable within the context of a specific 'Release' of that Benchmark. +1. **Completeness Requirement** + - Traditional Software: Can be released with partial features + - Security Benchmarks: Must meet ALL requirements for a specific version -The choice between a `micro` or `massive` approach depends more on your team's work style preference. +2. **Version Specificity** + - Each benchmark version is a complete, standalone entity + - InSpec profiles must match their corresponding benchmark version exactly -Regardless of the approach, the final release of the Benchmark will be the same. The deciding factors for its readiness for release are the expected thresholds, hardening, and validation results. +### Development Approaches -## 'main' is `out of scope` for a Benchmark +Two common approaches to benchmark development: -Benchmarks do not accommodate 'incremental requirements'. Therefore, your team should always work off a fork of the last release. If there is a 'main' or 'development' branch in your profile, it should be considered as a candidate for merging into the next patch or update release. \ No newline at end of file +- **Micro Approach**: Gradual, incremental development +- **Macro Approach**: Complete implementation in larger chunks + +::: tip Both approaches are valid +Choose an approach or combination thereof that is based on your team's workflow preferences. +::: + +### Version Control Best Practices + +#### Working with Branches + +- Never work directly on 'main' +- Always fork from the latest release +- Consider 'main' or 'development' branches as pre-release candidates + +### Practical Exercise + +Try answering these questions: + +1. Why can't security benchmarks be released incrementally? +2. How should you handle new requirements that arise between releases? +3. What branch strategy would you use for a new benchmark version? + +::: important Security benchmark validation is binary +The benchmark validation either meets all requirements or it doesn't. It being an accurate, representative assessment (and thereby useful to others) requires that it be the former. +::: diff --git a/src/courses/profile-dev-test/09.md b/src/courses/profile-dev-test/09.md index f875f0550..9cb8b3163 100644 --- a/src/courses/profile-dev-test/09.md +++ b/src/courses/profile-dev-test/09.md @@ -1,35 +1,303 @@ --- order: 9 next: 10.md -title: Types of Profile Updates +title: 9. What Is `Done` for a Control? author: Aaron Lippold --- -## Types of Benchmark Updates +# Understanding Control Completion in Security Automation -When updating the profile, you'll be making one of three types of changes: +## Learning Objectives -1. **Patch Update:** These frequent updates cover missing corner cases of testing for one or more benchmark requirements, or improvements to the InSpec code for a requirement. These updates result in a new patch release of the benchmark, such as going from `v1.12.4` to `v1.12.5`. We aim to release these updates on a regular schedule, either weekly, bi-weekly, or monthly. -2. **Release Update:** These updates occur when the STIG Benchmark owner releases an updated version of the STIG, for example, going from Red Hat Enterprise Linux V1R12 to V1R13. -3. **Major Version Update:** These updates occur when a software vendor releases a new major version of their product's STIG. For example, when Red Hat releases version 9 of Red Hat Enterprise Linux or Microsoft releases a new major version of Windows, such as Windows 2024 or Windows 12. +By the end of this section, you will be able to: -### Scope of the Update Patterns +- Define the criteria for a "done" security control +- Apply the MITRE SAF yardstick to evaluate controls +- Implement effective control testing strategies +- Create and maintain progress tracking systems +- Debug common control implementation issues -The STIGs and CIS Benchmarks are scoped within the Major Version of the software products they represent. +## Knowledge Check Questions -Updates or amendments to a Benchmark's requirements are tracked within the 'Releases' of the Benchmark. +Before we begin, consider these questions: -As we mentioned in the previous section, ***there is no concept of 'back-patching'***; it is a ***'forward-only'*** process. +1. What makes a security control "complete"? +2. How do you verify a control works in different environments? +3. What's the difference between "passing well" and just passing? -Each requirement is indexed from their source SRG document, aligned to a CCI, and then given a unique `Rule ID` and `STIG ID` in the respective XCCDF Benchmark document. +## Introduction -Here is an example of various indices you may recognize: +Understanding when a security control is truly "done" is crucial for security automation engineers. This section will guide you through the criteria, best practices, and practical approaches to ensure your controls are complete and effective. +## When is a Control Considered 'Done' + +You and your team might be wondering what 'done' means for a security control in your profile. Here are a few things to consider: + +1. The security automation content and its tests are essentially an alternative definition of the 'validation' and 'remediation' guidance already established by the benchmark. +2. The security automation content tests should fully capture the spirit - or intention - of the guidance, including its caveats, notes, discussion, and 'validation' and 'remediation' content. +3. The tests can - and usually do - capture known corner cases and security best practices which are sometimes only indirectly addressed by the benchmark but implied by the spirit of the security requirement being addressed. +4. These tests, like all human-written code, may not be perfect. They will need updates and will evolve as our knowledge of the system and benchmark grows. We use the profile in production and real-world environments. In other words, don't let the pursuit of perfection hinder progress. + +The 'is it done' litmus test is not solely determined by a perfect InSpec control or describe and expect blocks. It also heavily relies on you, the security automation engineer. Your experience, understanding of the platform you're working on, and the processes that you and your team have collectively agreed upon are all vital components. + +Trust your established expected test outcomes, the guidance document, and the CI/CD testing framework. They will help you know that, to the best of your ability, you have captured all requirements and the spirit of the testing specified by the benchmark. + +## The MITRE SAF Testing Framework + +Our framework provides a comprehensive approach to testing controls. We call this the "SAF Yardstick": + +We consider a control effectively tested when: + +1. All aspects of the 'validation' - also known as 'check text' - have been addressed. This is usually straightforward. +2. Any aspects of the 'remediation' - also known as 'fix text' - that are part of the 'validation' process have been captured. Sometimes guidance authors mix the type of information between the 'check' and 'fix' text areas, so we need to comprehensively read all of the guidance to ensure that we've extracted all of the 'validation' content wherever it might be. +3. Any documented conditions that are Not Applicable, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed. +4. Any documented conditions that require manual review, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed such that the control is marked as Not Reviewed on execution of the profile. +5. The conditions for Not Applicable and Not Reviewed are assessed early in the control to ensure the control is as efficient as possible. +6. The control uses the `only_if` block vs 'if/else' logic when possible to ensure that the control is as clear, direct, and maintainable as possible from a coding perspective. +7. The control has been tested on both 'vanilla' and 'hardened' instances, ensuring that: + 1. The test communicates effectively and passes as expected on both the 'vanilla' and `hardened` testing targets which were correctly configured. + 2. The test communicates effectively and fails as expected on both the `vanilla` and `hardened` testing targets which were misconfigured. + 3. The test communicates effectively and fails as expected on a misconfigured `vanilla` target, but then passes as expected on a properly configured `hardened` target. + 4. The test communicates effectively and clearly articulates the Not Applicable condition for both 'vanilla' and 'hardened' testing targets. + 5. The test communicates effectively and clearly articulates the Not Reviewed condition for both the 'vanilla' and 'hardened' testing targets. + 6. The tests have been constructed in a way that they do not produce Profile Errors when looping, using conditional logic, or when system conditions - such as missing files, directories, or services - are not in the expected locations. + +## Best Practices for Test Implementation + +### Passing Tests (Passing Well) + +A well-implemented passing test should: + +- Clearly communicate success conditions +- Use simple, direct language +- Include validation of edge cases + +For example: + +```shell +✔ SV-230222: RHEL 8 vendor packaged system security patches and updates must be installed and up to date. + ✔ All system security patches and updates are up to date and have been applied +``` + +`Passes as Expected` also encompasses: + +- The conditions for the Not Reviewed and Not Applicable states for the control, if any. + +### Failing Tests (Failing Well) + +When implementing failure scenarios, ensure: + +- Clear error messages +- Actionable feedback +- Proper error handling + +For example: + +```shell +✔ SV-230222: RHEL 8 vendor packaged system security patches and updates must be installed and up to date. + x The following packages have security patches and need to be updated: + - package 1 + - package 2 + - package 3 + - package 4 +``` + +`Fails as Expected` also encompasses: + +- Misconfigurations, extra lines in files, extra settings, missing files, etc. + +## Hands-on Exercise 1: Creating Your First Control + +Let's practice implementing a basic control: + +::: code-tabs#ruby + +@tab Create a basic control test ```ruby -tag gtitle: 'SRG-OS-000480-GPOS-00227' -tag gid: 'V-230221' -tag rid: 'SV-230221r858734_rule' -tag stig_id: 'RHEL-08-010000' -tag fix_id: 'F-32865r567410_fix' -tag cci: ['CCI-000366'] -``` \ No newline at end of file +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' +end +``` +@tab Add passing and failing scenarios +```ruby +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' + + tmp = mount('/tmp') + is_mounted = tmp.mounted? + describe is_mounted do + it { should cmp true } + end + + describe etc_fstab.where { mount_point == '/tmp' } do + it { should exist } + end +end +``` +@tab Implement clear communication +```ruby +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' + + describe mount('/tmp') do + it { should be_mounted } + end + + describe etc_fstab.where { mount_point == '/tmp' } do + it { should exist } + end +end +``` +@tab Test edge cases +```ruby +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' + + only_if('This control is Not Applicable to containers', impact: 0.0) { + !virtualization.system.eql?('docker') + } + + describe mount('/tmp') do + it { should be_mounted } + end + + describe etc_fstab.where { mount_point == '/tmp' } do + it { should exist } + end +end +``` +::: + +## Key Takeaways + +- Control completion is more than just passing tests +- Use the SAF Yardstick as your guide +- Clear communication is essential +- Track progress consistently +- Group similar controls for efficiency + +## Tracking Your Progress + +Updating a 'Patch', 'Release', or 'Major Version' can be a challenging task. However, there are several methods a team can use to track progress. + +You might use a Spreadsheet or CSV file, a Markdown or RST Table, or even a 'checklist' on the 'Pull Request' that your team updates as progress is made. + +All these methods are acceptable. The important thing is to **choose one method and use it consistently.** + +When working with multiple team members, it's crucial to have an effective way to communicate progress, understand who is working on which parts of the security guide, and know what still needs work without constant direct communication. + +The tracking method will also be influenced by the PR process you and your team select - either 'Macro' or 'Micro' - as discussed in the [Micro vs Macro](./07.md) section. + +## Example Tracking Table + +The key to effective tracking is simplicity. This ensures: + +1) Each team member can easily understand what and how they need to document their progress, and +2) They will actually document their progress. + +### Simple Tracking Table + +| Assignee | Control | Priority | Reviewed | Tested | Text Updated | New Resource | Inputs | +| -------- | --------- | -------- | -------- | ------ | ------------ | ------------ | ----------------------- | +| John | SV-230221 | N | Y | Y | Y | N | None | +| John | SV-230222 | Y | Y | Y | Y | N | `disable_slow_controls` | +| Jane | SV-230223 | Y | Y | Y | Y | N | `use_fips` | +| Bob | SV-230224 | Y | Y | Y | Y | N | `data_at_rest_exempt` | + +In this example, we used a simple markdown table. However, an Excel Spreadsheet, Google Sheet, or CSV might work better for your team. + +Ultimately, the most important thing is to track the work. The method you choose to do so is a team decision. + +## Considerations for Grouping Work + +The MITRE SAF team has found the following best practices effective for organizing our work: + +1. **Group Similar Controls:** When working on a security guidance document, group the controls you are working on using the guidance indexes - such as the SRG ID in STIGs, and requirement major version in CIS Benchmarks. This allows for efficient reuse of repeated patterns of control implementation. + +2. **Tags, Status Columns, and State:** As a team, decide on the method for tracking work progress and agree on the terminology for concepts such as 'reviewed', 'tested', and 'done'/'completed'. Refer to the [`Tracking Table`](#simple-tracking-table) example above to understand how both 'technical' and 'business' requirements are tracked and reported for each requirement in the profile. + +3. **Assign Priority, and Agree on an In/Out Approach:** Every benchmark will have easy, medium, and complex requirements and tests that need implementation. You will need to review every control in the Profile, but choosing an 'easy first, hard last' or 'hard first, easy last' approach can help your team make efficient progress quickly and avoid continuous 'context switching' between straightforward and complicated testing. + +4. **Always Strive to Have a Full Test Suite:** Ensuring the fidelity of testing is crucial. This principle applies to both the 'vanilla' and 'hardened' contexts, as well as to the primary deployment platforms that your profile supports. These platforms might include Virtual Machines, Cloud Instances, and Container Deployments. Your goal should be to have both 'hardened' and 'vanilla' baselines for each deployment target. This strategy allows for easy provisioning of each platform. It also facilitates easy testing of your control on each platform as you progress from one control to another. This practice ensures that you are crafting the best possible tests for each target platform and configuration. + +5. **Try to Test Locally First, with the Pipeline Second:** One of the key patterns highlighted in this guidance is the combination of local and CI/CD-based testing. We advocate for both approaches for a specific reason. When you are working on multiple controls, it's more efficient to test each control on each platform locally. This method is quicker than waiting for the CI/CD pipeline to create a new deployment of the test and target platforms each time. Once you have configured your targets and platforms locally with Test Kitchen, you can be confident in their stability. You should prioritize these local targets for initial testing. After testing them and when you are ready to proceed to the next control, push those updates to the CI/CD pipeline. This step verifies that your controls still function in a clean environment. This approach promotes a more efficient workflow process and eliminates the need for continuous 'push and wait' for the pipeline. diff --git a/src/courses/profile-dev-test/10.md b/src/courses/profile-dev-test/10.md index e81db23fa..0f48dc35f 100644 --- a/src/courses/profile-dev-test/10.md +++ b/src/courses/profile-dev-test/10.md @@ -1,136 +1,59 @@ --- order: 10 next: 11.md -title: What Is Done for a Control? +title: 10. Security Benchmark Profile Management author: Aaron Lippold --- -## When is a Control Considered 'Done' +## Introduction to Profile Management -You and your team might be wondering what 'done' means for a security control in your profile. Here are a few things to consider: +Security benchmark profiles are critical tools for maintaining system security standards. Before diving into the implementation details, let's understand the fundamental principles that guide their management. -- The security automation content and its tests are essentially a refactoring of the 'validation' and 'remediation' guidance already established by the benchmark. -- The security automation content tests should fully capture the spirit - or intention - of the guidance, including its caveats, notes, discussion, and 'validation' and 'remediation' content. -- The tests can - and usually do - capture known 'corner cases and security best practices' that are sometimes indirectly or not directly addressed by the benchmark but implied by the spirit of the security requirement being addressed. -- These tests, like all human-written code, may not be perfect. They will need updates and will evolve as our knowledge of the system and benchmark grows. We use the profile in production and real-world environments. In other words, don't let the pursuit of perfection hinder progress. +## Core Principles of Profile Management -The 'is it done' litmus test is not solely determined by a perfect InSpec control or describe and expect blocks. It also heavily relies on you, the security automation engineer. Your experience, understanding of the platform you're working on, and the processes that you and your team have collectively agreed upon are all vital components. +### 1. Version Control and Integrity -Trust your established expected test outcomes, the guidance document, and the CI/CD testing framework. They will help you know that, to the best of your ability, you have captured the spirit of the testing required by the Benchmark. +**Key Rule: Keep Versions Separate** -## The MITRE Security Automation Framework 'Yardstick' +- Never mix requirements from different versions +- Each version represents a distinct security baseline +- Example: Don't combine STIG v2.5 requirements with v3.0 requirements -We consider a control effectively tested when: +### 2. Completeness Principle -1. All aspects of the 'validation' - also known as 'check text' - have been addressed. -2. Any aspects of the 'remediation' - also known as 'fix text' - that are part of the 'validation' process have been captured. -3. Any documented conditions that are Not Applicable, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed. -4. Any documented conditions that have Not Been Reviewed, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed. -5. The conditions for Not Applicable and Not Reviewed are early in the control to ensure the control is as efficient as possible. -6. The control uses the `only_if` block vs 'if/else' logic when possible to ensure that the control is as clear, direct, and maintainable as possible from a coding perspective. -7. The control has been tested on both 'vanilla' and 'hardened' instances, ensuring that: - 1. The test communicates effectively and fails as expected on the 'vanilla' testing target. - 2. The test communicates effectively and passes on the 'hardened' testing target. - 3. The test communicates effectively and fails on a misconfigured 'vanilla' testing target. - 4. The test communicates effectively and fails on a misconfigured 'hardened' testing target. - 5. The test communicates effectively and clearly articulates the Not Applicable condition for both 'vanilla' and 'hardened' testing targets. - 6. The test communicates effectively and clearly articulates the Not Reviewed condition for both the 'vanilla' and 'hardened' testing targets. - 7. The tests have been constructed in a way that they do not produce Profile Errors when looping, using conditional logic, or when system conditions - such as missing files, directories, or services - are not in the expected locations. +**Key Rule: All or Nothing** -## Defining 'Passes as Expected' +- Security benchmarks must include all requirements for a specific version +- Think of it like a recipe - missing ingredients affect the final result +- Focus on one requirement at a time during development +- Example: A Windows 10 STIG profile must implement all controls specified in that version -'Passing as expected' is the most straightforward concept as it directly corresponds to the test conditions. When the test asserts a condition, it validates that assertion and reports it to the end user in a clear and concise manner. +### 3. Release Management -We strive to ensure that when we report a 'pass', we do so in a language that is direct, simple, and easy to understand. +**Key Rule: Meet All Standards** -For example: +- Release readiness is determined by: + - Passing all validation tests + - Meeting security hardening requirements + - Achieving expected thresholds -```shell -✔ SV-230222: RHEL 8 vendor packaged system security patches and updates must be installed and up to date. - ✔ All system security patches and updates are up to date and have been applied -``` +### 4. Testing Environment Standards -`Passes as Expected` also encompasses: +**Key Rule: Use Standard Baselines** -- The conditions for the Not Reviewed and Not Applicable states for the control, if any. +- Start with vendor-managed standard releases +- Test against both: + - Default ("vanilla") configurations + - Hardened configurations +- This ensures real-world applicability -## Defining `Fails as Expected` +## Best Practices for Implementation -'Failing as expected' is a less straightforward concept as it doesn't always directly correspond to the test conditions. When the test asserts a condition and it fails, the reason for that failure should be communicated to the end user in a clear and concise manner. +1. Document your testing environment +2. Maintain a changelog for each profile version +3. Use version control for tracking changes +4. Test thoroughly before releasing -However, as we all know, a test may fail for more than one reason. Sometimes, the reason for failure might be connected to human error, conditions on the system such as extra lines, files, or housekeeping on the system that was not done, etc. All these factors may need to be accounted for in your tests and perhaps captured in your output and 'reasons' for failure. +## Summary -This is where the above 'best practices' come into play. You don't just test in optional 'pass' and 'fail' conditions only, but also 'dirty things up' a bit and make sure that your 'failure' cases are robust enough to handle the real world and semi-perfect conditions. - -For example: - -```shell -✔ SV-230222: RHEL 8 vendor packaged system security patches and updates must be installed and up to date. - x The following packages have security patches and need to be updated: - - package 1 - - package 2 - - package 3 - - package 4 -``` - -`Fails as Expected` also encompasses: - -- Misconfigurations, extra lines in files, extra settings, missing files, etc. - -## Defining `Communicates Effectively` - -Clear communication from your testing suite may require you to use a combination of approaches, but the extra time and effort is well worth it. - -Here are some methods you can employ and things to consider: - -- Use `expect` vs `describe` statements in cases where you have multi-part or multi-phase test cases. -- Break up your `describe` statements into multiple layers so that the final output to the end user is clear and concise. -- Post-process and format both 'passing' and 'failures' so that they are useful to the end user later and clear for communication to other team members. This could be in the form of lists or bulleted lists. -- Collect 'failing results' as simple, clear lists or bullets that are easy to 'copy and paste'. This makes it easier for teams to know 'what they have to fix and where'. -- Consider assisting 'Manual Review'/'Not Reviewed' tests by collecting needed information, such as users, groups, or other elements that you are asking the user or another person to review. While we may not be able to fully automate the test, if the 'automation can help collect' then it still adds value. - -## Tracking Your Progress - -Updating a 'Patch', 'Release', or 'Major Version' can be a challenging task. However, there are several methods a team can use to track progress. - -You might use a Spreadsheet or CSV file, a Markdown or RST Table, or even a 'checklist' on the 'Pull Request' that your team updates as progress is made. - -All these methods are acceptable. The important thing is to **choose one method and use it consistently.** - -When working with multiple team members, it's crucial to have an effective way to communicate progress, understand who is working on which parts of the security guide, and know what 'still needs work' without constant direct communication. - -The tracking method will also be influenced by the PR process you and your team select - either 'Macro' or 'Micro' - as discussed in the [Micro vs Macro](https://mitre.github.io/saf-training/courses/profile-dev-test/07.html#micro-vs-massive-pull-requests-prs) section. - -## Example Tracking Table - -The key to effective tracking is simplicity. This ensures: - -1) Each team member can easily understand what and how they need to document their progress, and -2) They will actually document their progress. - -### Simple Tracking Table - -| Assignee | Control | Priority | Reviewed | Tested | Text Updated | New Resource | Inputs | -| -------- | --------- | -------- | -------- | ------ | ------------ | ------------ | ----------------------- | -| John | SV-230221 | N | Y | Y | Y | N | None | -| John | SV-230222 | Y | Y | Y | Y | N | `disable_slow_controls` | -| Jane | SV-230223 | Y | Y | Y | Y | N | `use_fips` | -| Bob | SV-230224 | Y | Y | Y | Y | N | `data_at_rest_exempt` | - -In this example, we used a simple markdown table. However, an Excel Spreadsheet, Google Sheet, or CSV might work better for your team. - -Ultimately, the most important thing is to track the work. The method you choose to do so is a team decision. - -## Considerations for Grouping Work - -The MITRE SAF team has found the following best practices effective for organizing our work: - -1. **Group Similar Controls:** When working on a security guidance document, group the controls you are working on using the guidance indexes - such as the SRG ID in STIGs, and requirement major version in CIS Benchmarks. This allows for efficient reuse of repeated patterns of control implementation. - -2. **Tags, Status Columns & State:** As a team, decide on the method for tracking work progress and agree on the terminology for concepts such as 'reviewed', 'tested', and 'done'/'completed'. Refer to the [`Tracking Table`](#simple-tracking-table) example above to understand how both 'technical' and 'business' requirements are tracked and reported for each requirement in the profile. - -3. **Assign Priority & Agree on an In/Out Approach:** Every benchmark will have easy, medium, and complex requirements and tests that need implementation. You will need to review every control in the Profile, but choosing an 'easy first, hard last' or 'hard first, easy last' approach can help your team make efficient progress quickly and avoid continuous 'context switching' between straightforward and complicated testing. - -4. **Always Strive to Have a Full Test Suite:** Ensuring the fidelity of testing is crucial. This principle applies to both the 'vanilla' and 'hardened' contexts, as well as to the 'primary deployment platforms' that your profile supports. These platforms might include Virtual Machines, Cloud Instances, and Container Deployments. Your goal should be to have both 'hardened' and 'vanilla' baselines for each deployment target. This strategy allows for easy provisioning of each platform. It also facilitates easy testing of your control on each platform as you progress from one control to another. This practice ensures that you are crafting the best possible tests for each target platform and configuration. - -5. **Try to Test Locally First, with the Pipeline Second:** One of the key patterns highlighted in this guidance is the combination of local and CI/CD-based testing. We advocate for both approaches for a specific reason. When you are working on multiple controls, it's more efficient to test each control on each platform locally. This method is quicker than waiting for the CI/CD pipeline to create a new deployment of the test and target platforms each time. Once you have configured your targets and platforms locally with Test Kitchen, you can be confident in their stability. You should prioritize these local targets for initial testing. After testing them and when you are ready to proceed to the next control, push those updates to the CI/CD pipeline. This step verifies that your controls still function in a clean environment. This approach promotes a more efficient workflow process and eliminates the need for continuous 'push and wait' for the pipeline. \ No newline at end of file +Remember: Security benchmarks are complete sets of requirements tied to specific versions. Success comes from methodical implementation and thorough testing against standard baselines. diff --git a/src/courses/profile-dev-test/11.md b/src/courses/profile-dev-test/11.md index 5a2421289..6928b0a96 100644 --- a/src/courses/profile-dev-test/11.md +++ b/src/courses/profile-dev-test/11.md @@ -1,20 +1,72 @@ --- order: 11 next: 12.md -title: Rules of the Road +title: 11. Understanding Profile Updates author: Aaron Lippold --- -## Best Practices for Profile Managment +## Learning Objectives -When updating Benchmark Profiles, adhere to these key principles to maintain alignment with the original Guidance Documents: +By the end of this section, you will be able to: -1. **Maintain Version Integrity:** **Never Merge** new requirements into older benchmark branches. This will create a 'mixed baseline' that doesn't align with any specific guidance document. Benchmarks, STIGs, and Guidance Documents form a 'proper subset' - they should be treated as 'all or nothing'. Mixing requirements from different versions can invalidate the concept of 'testing to a known benchmark'. +- Identify the three types of profile updates +- Understand the scope of STIG and CIS Benchmark updates +- Recognize the forward-only nature of security benchmark updates -2. **Benchmarks are a Complete Set of Requirements:** A Security Benchmark is 'complete and valid' only when all requirements for a specific Release or Major Version are met. Unlike traditional software projects, features and capabilities cannot be incrementally added. A Security Benchmark and its corresponding InSpec Profile are valid only within the scope of a specific 'Release' of that Benchmark. +## Types of Profile Updates -3. **Release Readiness Is Predefined:** A Benchmark is considered 'ready for release' when it meets the expected thresholds, hardening, and validation results. Don't be overwhelmed by the multitude of changes across the files. Instead, focus on the specific requirement you are working on. Understand its expected failure and success states on each of the target testing platforms. This approach prevents you from being overwhelmed and provides solid pivot points as you work through the implementation of the automated tests for each requirement and its 'contexts'. +Security benchmark profiles require regular updates to maintain their effectiveness. Let's explore the three main types of updates: -4. **Use Vendor-Managed Standard Releases:** When setting up a test suite, prioritize using vendor-managed standard releases for software installations and baseline configurations. This should be the starting point for both 'vanilla' and 'hardening' workflows. This approach ensures that your initial and ongoing testing, hardening, and validation closely mirror the real-world usage scenarios of your end-users. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Patch UpdatesRelease UpdatesMajor Version Updates
ScopeMinorIntermediateIntermediate/Significant
TriggerThe validation code author desiring to address corner cases, fix bugs, or otherwise improve the quality of the tests.Guidance author making a new release of the benchmark to address new or updated security requirements.The guidance author is significantly overhauling their nomenclature, requirement identification schema, or control alignment. Alternatively, a new major version of the software system is being released which would require a new version of the benchmark to address the potentially significant implementation changes - though in this case, guidance authors sometimes choose to create a new benchmark entirely.
ExampleAn InSpec control did not properly address a caveat specified by the guidance. Making the fix bumps the profile from v1.3.4 to v1.3.5.DISA publishes a new version of the RHEL 8 STIG going from V1R13 to V1R14 in order to adjust the check text command syntax for several sshd configuration related requirements amongst other things. Making the changes bumps the profile from v1.13.4 to v1.14.0.DISA adds, removes, and modifies a substantial number of requirements due to transitioning between control versions (NIST SP 800-53 Rev. 4 to Rev. 5). Making the changes bumps the profile from v1.6.1 to v2.0.0.
-By adhering to these principles, you ensure that your updates to Benchmark Profiles are consistent, accurate, and aligned with the original guidance documents. \ No newline at end of file +## Understanding Update Scope + +Important concepts to remember: + +- Updates are version-specific +- Changes only move forward ("forward-only" process) +- No "back-patching" to older versions +- Each requirement maps to: + - Source SRG document + - Control Correlation Identifier (CCI) + - Unique Rule and STIG IDs + +Example requirement identifiers: + +```ruby +tag gtitle: 'SRG-OS-000480-GPOS-00227' +tag gid: 'V-230221' +tag rid: 'SV-230221r858734_rule' +tag stig_id: 'RHEL-08-010000' +tag fix_id: 'F-32865r567410_fix' +tag cci: ['CCI-000366'] +``` diff --git a/src/courses/profile-dev-test/12.md b/src/courses/profile-dev-test/12.md index e8d422d8e..edd015781 100644 --- a/src/courses/profile-dev-test/12.md +++ b/src/courses/profile-dev-test/12.md @@ -1,20 +1,82 @@ --- order: 12 next: 13.md -title: Creating a `Patch Update` +title: 12. Understanding Profile Patch Updates author: Aaron Lippold --- -## The `Patch Update` Process +## Learning Objectives -A patch update involves making minor changes to a profile to fix issues or improve functionality. Here's a step-by-step guide: +- Understand what constitutes a patch update +- Learn the complete patch update workflow +- Master the testing and validation process -1. **Report the Issue:** Open an issue on our project, detailing the problem and providing examples. Do this on [our issues page](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/issues). -2. **Fork and Branch:** Fork the repository on GitHub, then create a branch off the `tagged` patch release you're targeting for the update. -3. **Set Up Testing Suites:** In your forked branch, set up the AWS and Docker testing suites. -4. **Make Updates:** Update the control, `inspec.yml` inputs, thresholds, etc. Don't worry about the InSpec version in the `inspec.yml` - the release process handles that. -5. **Test Your Updates Locally:** Test your updates on all `vanilla` and `hardened` variants of the `known bad` and `known good` states of the `AWS EC2` and `Docker` test targets. Also, test your controls outside perfect conditions to ensure they handle non-optimal target environments. Verify that your update considers the `container`, `virtual machine`, and `1U machine` testing context of applicability. -6. **Lint Your Updates:** Use the `bundle exec rake lint` and `bundle exec rake lint:autocorrect` commands from the test suite to lint your updates. -7. **Commit Your Updates:** After testing and linting, commit your updates to your branch. Include `Fixes #ISSUE` in your commit messages to automatically close the issue when your PR is merged. -8. **Open a PR:** Open a PR on the project repository from your fork. -9. **Check Test Suite:** Ensure the GitHub Action test suite on the project side passes. You can check this at [our actions page](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/actions). +## What is a Patch Update? + +A patch update is a minor modification to an InSpec profile that addresses specific issues, bugs, or improvements without changing core functionality. Common examples include: + +- Fixing control logic errors +- Updating threshold values +- Improving error handling +- Adding missing test cases + +## Step-by-Step Patch Update Process + +### 1. Issue Documentation + +- Create a detailed issue in the project repository +- Include specific examples of the problem +- Reference any related documentation +- Link: [Project Issues Page](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/issues) + +### 2. Environment Setup + +- Fork the repository +- Create a branch from the target patch release tag +- Configure test environments: + - AWS testing suite + - Docker testing suite + +### 3. Implementation + +- Make necessary updates to: + - Control logic + - `inspec.yml` inputs + - Threshold values + +::: note Version number increments +The version attribute in `inspec.yml` is managed during releases so you shouldn't change it in every merged branch, just when you cut a new release. +::: + +### 4. Testing Protocol + +Verify your changes across multiple environments: + +- Vanilla systems +- Hardened systems +- Known bad states +- Known good states +- Edge cases and error conditions + +Test contexts to cover: + +- Container environments +- Virtual machines +- Physical hardware (1U machines) + +### 5. Quality Assurance + +Run the provided linting tools: + +- `bundle exec rake lint` +- `bundle exec rake lint:autocorrect` + +### 6. Commit and PR + +- Commit your updates with a message including `Fixes #ISSUE` +- Open a PR from your fork to the project repository + +### 7. Test Suite Verification + +- Ensure the GitHub Action test suite passes +- Link: [Project Actions Page](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/actions) diff --git a/src/courses/profile-dev-test/13.md b/src/courses/profile-dev-test/13.md index 5bd26a58b..a881fc230 100644 --- a/src/courses/profile-dev-test/13.md +++ b/src/courses/profile-dev-test/13.md @@ -1,18 +1,86 @@ --- order: 13 next: 14.md -title: Creating a `Release Update` +title: 13. Understanding Release Updates author: Aaron Lippold --- -## The `Release Update` Process +## Learning Objectives -A `Release Update` involves creating a new branch, `v#{x}R#{x+1}`, from the current main or latest patch release branch. The `saf generate delta` workflow is then run, which updates the metadata of the `controls`, `inspec.yml`, `README.md`, and other profile elements, while preserving the `describe` and `ruby code logic`. This workflow is detailed in the [Inspec Delta](#2-inspec-delta) section. After the initial commit of the new release branch, follow these steps to keep your work organized: +- Understand what a Release Update is and when it's needed +- Learn the step-by-step process of creating a Release Update +- Master the key components of Release Update management -1. **Track Control IDs:** Create a table of all new `control ids` in the updated benchmark. This can be in CSV, Markdown Table, or in the PR overview information section. This helps track completed and pending work. PRs off the `v#{x}r#{x+1}` can also be linked in the table, especially if using a `micro` vs `massive` PR approach. -2. **Ensure Consistency:** Add 'check box columns' to your tracking table to ensure each requirement of the updated Benchmark receives the same level of scrutiny. -3. **Update CI/CD Process:** Update elements such as the `hardening` content (ansible, puppet, chef, hardened docker images, hardened vagrant boxes) to meet new requirements. Ensure the CI/CD process still functions with the updated elements, preferably on the PR as well. -4. **Update Labels:** Update `titles` and other labels to reflect the updated release number of the Benchmark. -5. **Commit Changes:** Commit these changes to your release branch, ensuring your CI/CD process exits cleanly. -6. **Follow Patch Update Workflow:** With the above in place, follow the 'Patch Update' process, but expect a larger number of requirements to revalidate or update. -7. **Identify Potential Code Changes:** Controls with changes to the `check text` or `fix text` are likely to require `inspec code changes`. If the `check text` and `fix text` of a control remain unchanged, it's likely only a cosmetic update, with no change in the security requirement or validation code. \ No newline at end of file +## What is a Release Update? + +A Release Update is a structured process for updating a profile to accommodate a new benchmark version. This process ensures consistent quality and maintains traceability of changes. + +## Release Update Workflow + +### Step 1: Branch Creation + +Create a new branch named `v{x}r{xx}` from either: + +- The main branch +- The tagged commit associated with the latest release + +### Step 2: Generate Delta + +Run the `saf generate delta` workflow to automatically update the InSpec profile as per the new guidance. Items that get updated include: + +- Control metadata +- inspec.yml configuration +- README.md documentation +- Other profile elements + +::: info Saved! +This process preserves existing `describe` blocks and other Ruby code logic, but you will still need to review them to ensure that what they're assessing still lines up with what the requirement says we now need to be assessing. +::: + +### Step 3: Change Management + +Follow these best practices to organize your work as you implement any new requirements and update any changed ones: + +#### 3.1 Control Tracking + +- Create a tracking table (CSV or Markdown) containing: + - New control IDs + - Status (completed/pending) + - Associated PR links + - Validation checkboxes + +#### 3.2 Quality Assurance Steps + +1. **Validation Checklist** + - [ ] Control requirements reviewed + - [ ] Code changes verified + - [ ] Tests updated + - [ ] Documentation current + +2. **Infrastructure Updates** + - Update the version of the hardening content that is used to test the InSpec profile to match the version of the benchmark: + - Ansible playbooks + - Puppet modules + - Chef cookbooks + - Docker images + - Vagrant boxes + +::: important Parallel workstreams +You might be required to update the hardening content itself to match the new or adjusted requirements coming from the benchmark instead of just consuming the newest version. However, updating the hardening and validation content lock-step is a straightforward process! +::: + +3. **Metadata Management** + - Update all version references + - Verify control titles + - Check benchmark labels + +## Tips for Success + +- Focus on controls with modified `check text` or `fix text` +- Unchanged control text typically means no code changes are needed +- Use PR links to track changes in your tracking table +- Maintain CI/CD pipeline health throughout updates + +## Next Steps + +After completing these steps, proceed with the Patch Update workflow, keeping in mind that Release Updates typically involve more extensive validation. diff --git a/src/courses/profile-dev-test/14.md b/src/courses/profile-dev-test/14.md index c9d63d32e..d3c39b559 100644 --- a/src/courses/profile-dev-test/14.md +++ b/src/courses/profile-dev-test/14.md @@ -1,22 +1,189 @@ --- order: 14 next: 15.md -title: Creating a `Major Version Update` +title: 14. Understanding Major Version Updates author: Aaron Lippold --- -## The `Major Version Update` Process +## Learning Objectives -A `Major Version Update` involves transitioning to a new STIG Benchmark, which introduces a new Rule ID index. This process is more complex than a `Release Update` due to the need for aligning old requirements (Rule IDs) with the new ones. +- Understand what constitutes a Major Version Update and why they occur +- Master the requirement alignment process using multiple identification methods +- Learn to use available tools for version transition +- Develop strategies for efficient code migration +- Implement best practices for version control and testing -For example, when transitioning from RedHat Enterprise Linux 8 v1R12 to Red Hat Enterprise Linux 9 V1R1, the alignment of InSpec tests to the new requirements must be `fuzzy matched`. This involves using common identifiers such as `SRG ID`, `CCIs`, and, if necessary, the `title` and `descriptions`. +## What is a Major Version Update? -This is crucial when a single requirement from the old benchmark is split into multiple requirements in the new benchmark, although this is usually a rare occurrence. +A Major Version Update occurs when transitioning to a new STIG Benchmark version that introduces a completely new Rule ID index. Unlike minor Release Updates, this process requires careful mapping between old and new requirements. -We use a similar process in our [MITRE Vulcan](https://vulcan.mitre.org) to align 'Related Controls' in your Vulcan project to existing published STIG documents. However, the `Delta` tool currently requires manual intervention, and improvements are needed to automate this process. +## Key Concepts -The good news is that **these improvements are within reach**. We can leverage the existing work from `Vulcan` and hopefully soon incorporate these improvements into the SAF `Delta` tool as a direct function. +### Requirement Alignment -Once the 'old controls' and 'new controls' are aligned across 'Rule IDs', you can migrate the InSpec / Ruby code into their respective places. +:::tip Create a spreadsheet to track your requirement mappings during the alignment process. +::: -Then, you follow the same setup, CI/CD organization, and control update process as in the `Release Update` process and hopfully finding that the actual InSpec code from the previous benchmark is very close to the needed InSpec code for the same 'requirement' in the new Benchmark. +When moving between major versions (e.g., RHEL 8 v1R12 to RHEL 9 V1R1), we need to align existing tests with new requirements using: + +- SRG IDs (Security Requirements Guide IDs) +- CCIs (Control Correlation Identifiers) +- Titles and descriptions when necessary + +### The Alignment Process + +1. **Initial Analysis** + - Compare old and new benchmark requirements + - Identify matching controls using common identifiers + - Note any split or merged requirements + +2. **Using Available Tools** + - MITRE Vulcan assists in alignment process + - Current Delta tool requires manual verification + - Future automation improvements are in development + +3. **Code Migration** + - Transfer InSpec/Ruby code to new requirement locations + - Verify control mappings + - Update test code as needed + +### Practical Example + +Consider this alignment scenario where we are updating from RHEL8 to RHEL9. + +The requirements are the same: the `/var/log/messages` file must be owned by root. However, despite being the same, each requirement has its own id. Consequently, we need to use alternative means to realize that these requirements are aligned. + +Attributes to consider: + - The title is almost the same aside from the operating system version. + - The description is almost exactly the same aside from inconsequential differences. + - Whitespace + - Version number + - Capitalization + - Other alignment IDs are the same. + - SRG ID / `gtitle`: SRG-OS-000206-GPOS-00084 + - CCI: CCI-001314 + - NIST: SI-11 b + - Check and fix text + - Fix text is the same + - Check text specifies a different method to do the assessment, but they're functionally equivalent + +::: code-tabs#shell +@tab RHEL8 +```ruby +control 'SV-230246' do + title 'The RHEL 8 /var/log/messages file must be owned by root.' + desc "Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements." + desc 'check', 'Verify that the /var/log/messages file is owned by root with the following +command: + + $ sudo stat -c "%U" /var/log/messages + + root + + If "root" is not returned as a result, this is a finding.' + desc 'fix', 'Change the owner of the file /var/log/messages to root by running the +following command: + + $ sudo chown root /var/log/messages' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 8' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000206-GPOS-00084' + tag gid: 'V-230246' + tag rid: 'SV-230246r627750_rule' + tag stig_id: 'RHEL-08-010220' + tag fix_id: 'F-32890r567485_fix' + tag cci: ['CCI-001314'] + tag nist: ['SI-11 b'] + tag 'host' + + only_if('This control is Not Applicable to containers', impact: 0.0) { + !virtualization.system.eql?('docker') + } + + describe.one do + describe file('/var/log/messages') do + it { should be_owned_by 'root' } + end + describe file('/var/log/messages') do + it { should_not exist } + end + end +end +``` +@tab RHEL9 +```ruby +control 'SV-257916' do + title 'RHEL 9 /var/log/messages file must be owned by root.' + desc "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements." + desc 'check', 'Verify the "/var/log/messages" file is owned by root with the following command: + +$ ls -la /var/log/messages + +rw-------. 1 root root 564223 July 11 11:34 /var/log/messages + +If "/var/log/messages" does not have an owner of "root", this is a finding.' + desc 'fix', 'Change the owner of the "/var/log/messages" file to "root" by running the following command: + +$ sudo chown root /var/log/messages' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000206-GPOS-00084' + tag gid: 'V-257916' + tag rid: 'SV-257916r925735_rule' + tag stig_id: 'RHEL-09-232180' + tag fix_id: 'F-61581r925734_fix' + tag cci: ['CCI-001314'] + tag nist: ['SI-11 b'] + tag 'host' + + only_if('This control is Not Applicable to containers', impact: 0.0) { + !virtualization.system.eql?('docker') + } + + describe.one do + describe file('/var/log/messages') do + it { should be_owned_by 'root' } + end + describe file('/var/log/messages') do + it { should_not exist } + end + end +end +``` +::: + +::: tip Different yet the same +Even though the check text changed, it doesn't mean that the InSpec code needs to as well! We are still correctly assessing that the `/var/log/messages` file is owned by root if it exists. +::: + +## Best Practices + +- Document all requirement mappings +- Verify control alignments thoroughly +- Test extensively after migration + +## What's Next + +After alignment is complete, follow the standard Release Update process for: + +- Setting up CI/CD +- Organizing controls +- Updating and testing requirements + +## Summary + +Major Version Updates require careful attention to requirement alignment and code migration. While tools like Vulcan help, some manual verification is still needed. Future improvements will streamline this process. diff --git a/src/courses/profile-dev-test/15.md b/src/courses/profile-dev-test/15.md index ee85de3d7..83070fb4d 100644 --- a/src/courses/profile-dev-test/15.md +++ b/src/courses/profile-dev-test/15.md @@ -1,29 +1,60 @@ --- order: 15 next: 16.md -title: Test Kitchen +title: 15. Understanding Test Kitchen author: Aaron Lippold --- -## Test Kitchen - Getting Started +## Learning Objectives -[Test Kitchen](http://kitchen.ci) is a robust tool for testing infrastructure code and software on isolated platforms. It provides a consistent, reliable environment for developing and testing infrastructure code. +By the end of this module, you will be able to: -## Workflow Defined by our Test Kitchen Files +- Understand the purpose and benefits of Test Kitchen +- Describe the Test Kitchen workflow +- Differentiate between vanilla and hardened configurations +- Execute basic Test Kitchen commands -Test Kitchen's workflow involves building out suites and platforms using its drivers and provisioners. It follows a create, converge, verify, and destroy cycle: +## What is Test Kitchen? -1. **Create:** Test Kitchen creates an instance of the platform. -2. **Converge:** It applies the infrastructure code to the instance. -3. **Verify:** It checks if the instance is in the desired state. -4. **Destroy:** It destroys the instance after testing. +Test Kitchen is a powerful testing framework that allows developers to test infrastructure code across different platforms and configurations. Think of it as a laboratory where you can safely experiment with different system configurations without affecting your production environment. -In our testing workflow, we have defined four test suites to test different deployment patterns in two configurations - `vanilla` and `hardened`. +## Test Kitchen Workflow -- `vanilla`: This represents a completely stock installation of the testing target, as provided by the product vendor, with no configuration updates beyond what is 'shipped' by the vendor. Apart from the standard Test Kitchen initialization, the system is considered 'stock'. -- `hardened`: This configuration is set up using the `driver` section of the Test Kitchen suite and is executed during the `converge` phase. The `hardened` configuration represents the final `target configuration state` of our test instance, adhering to the recommended configuration of the Benchmark we are working on. For example, it aligns as closely as possible with the Red Hat Enterprise Linux V1R12 recommendations. +The testing process follows four key stages: -For more details on Test Kitchen's workflow, refer to the [official documentation](http://kitchen.ci/docs/getting-started/). +1. **Create** 🏗️ + - Spins up a fresh instance of your target platform + - Sets up the basic environment + +2. **Converge** 🔄 + - Applies your infrastructure code + - Configures the instance according to your specifications + +3. **Verify** ✅ + - Runs your tests against the instance + - Checks if everything is configured correctly + +4. **Destroy** 🧹 + - Cleans up the test environment + - Removes the instance completely + +## Testing Configurations + +We use two main testing configurations: + +### Vanilla Configuration + +- Stock installation with default settings +- No customization or hardening +- Represents "out-of-the-box" state +- Used as a baseline for comparison + +### Hardened Configuration + +- Implements security best practices +- Follows benchmark recommendations (e.g., RHEL V1R12) +- Represents the target secure state +- Applied during the converge phase ```journey Test Kitchen Workflow section Setup @@ -46,9 +77,16 @@ For more details on Test Kitchen's workflow, refer to the [official documentatio Failed: 1: Passed: 5: ``` - -## Test Kitchen's Modifications to Targets +## Behind the Scenes: System Access + +To enable testing, Test Kitchen makes minimal system modifications: + +- Adds SSH private key authentication +- Sets up appropriate access protocols: + - SSH for Unix/Linux systems + - WinRM for Windows systems + +## Where do we put it? -Test Kitchen makes minor modifications to the system to facilitate initialization and access. It adds a 'private ssh key' for the default user and sets up primary access to the system for this user using the generated key. Test Kitchen uses the 'platform standard' for access - SSH for Unix/Linux systems and WinRM for Windows systems. \ No newline at end of file +We put our Test Kitchen code that we use to assess our InSpec code in the same repository. The example that we will be working through for the next few sections will use the [RHEL 9 InSpec repository](https://github.com/mitre/redhat-enterprise-linux-9-stig-baseline). diff --git a/src/courses/profile-dev-test/16.md b/src/courses/profile-dev-test/16.md index 543e799be..31f50c925 100644 --- a/src/courses/profile-dev-test/16.md +++ b/src/courses/profile-dev-test/16.md @@ -1,15 +1,40 @@ --- order: 16 next: 17.md -title: Test Kitchen - Create +title: 16. Test Kitchen - Create author: Aaron Lippold -index: true --- ## Test Kitchen Create Stage -The `create` stage in Test Kitchen sets up testing environments. It uses standard and patched images from AWS and Red Hat, including AMI EC2 images, Docker containers, and Vagrant boxes. +### What is the Create Stage? -Test Kitchen automatically fetches the latest images from sources like Amazon Marketplace, DockerHub, Vagrant Marketplace, and Bento Hub. You can customize this to use different images, private repositories (like Platform One's Iron Bank), or local images. +The `create` stage is a fundamental part of Test Kitchen that prepares your testing environments. Think of it as setting up your test laboratory where you'll run your security tests. -For more details on how Test Kitchen manages images, visit the [Test Kitchen website](https://kitchen.ci). You can also refer to the GitHub documentation for the `kitchen-ec2`, `kitchen-vagrant`, `kitchen-sync`, and [`kitchen-inspec`](https://github.com/inspec/kitchen-inspec) project on GitHub. \ No newline at end of file +### How it Works + +Test Kitchen handles environment creation by: + +- Fetching pre-configured system images +- Setting up virtual machines or containers +- Preparing the environment for testing + +### Supported Platforms + +Test Kitchen works with various platforms: + +- AWS EC2 instances (using AMIs) +- Docker containers +- Vagrant boxes +- Red Hat Enterprise Linux systems + +### Image Sources + +Test Kitchen automatically pulls from: + +- Amazon Marketplace +- DockerHub +- Vagrant Cloud +- Bento Box Repository +- Custom repositories (e.g., Platform One's Iron Bank) +- Local image storage diff --git a/src/courses/profile-dev-test/17.md b/src/courses/profile-dev-test/17.md index a198aed54..052859db7 100644 --- a/src/courses/profile-dev-test/17.md +++ b/src/courses/profile-dev-test/17.md @@ -1,33 +1,90 @@ --- order: 17 next: 18.md -title: Test Kitchen - Converge +title: 17. Test Kitchen - Converge author: Aaron Lippold -index: true --- +## Learning Objectives + +By the end of this section, you will understand: + +- The purpose and function of Test Kitchen's converge stage +- How to use different infrastructure configurations +- The differences between vanilla and hardened environments + ## Test Kitchen Converge Stage -The `converge` stage uses Ansible Playbooks from the Ansible Lockdown project to apply hardening configurations, specifically the RHEL8-STIG playbook, and RedHat managed containers. +The `converge` stage applies system configurations using infrastructure as code (IaC) tools. This crucial stage transforms your environment from a base state to your desired configuration. + +::: info Let 'em cook +Think of the converge stage as "applying your recipe" - it takes your raw ingredients (base system) and follows your instructions to create the final dish (configured system). +::: + +Supported configuration tools include: + +- Ansible Playbooks (used in this course) +- Puppet +- Chef +- Terraform +- Shell scripts ## EC2 and Vagrant Converge -For EC2 and Vagrant, we use 'wrapper playbooks' for the 'vanilla' and 'hardened' suites. +We implement two distinct configurations using 'wrapper playbooks': + +1. **Vanilla Environment** + - Purpose: Establishes baseline test environment + - Implementation: Basic configuration playbook + +2. **Hardened Environment** + - Purpose: Creates security-enhanced environment + - Components: + - Base vanilla configuration + - RHEL8-STIG security controls + - Ansible Galaxy dependencies + - Custom roles and requirements + +::: note While some hardening tasks are disabled for testing, this doesn't compromise our security validation goals. +::: + +## Hands-on Practice + +### Container Converge + +Our container strategy utilizes two Red Hat UBI9 (Universal Base Image) variants. Take a look at the SAF's [RHEL9 InSpec profile](https://github.com/mitre/redhat-enterprise-linux-9-stig-baseline/tree/main) which also includes our Test Kitchen and Ansible code that we use to test that our InSpec tests work properly. + +1. **Vanilla Container** + +This container uses the `registry.access.redhat.com/ubi9/ubi:9.3-1610` image from RedHat's community repositories. + +It represents a standard, out-of-the-box configuration. +- Community maintained +- Standard configuration + +2. **Hardened Container** -- The 'vanilla' playbook establishes a basic test environment. -- The 'hardened' playbook applies the 'vanilla role' and the Ansible Lockdown RHEL8-STIG role to the 'hardened' target, using Ansible Galaxy, a `requirements.txt`, and Ansible Roles. +This container uses the `registry1.dso.mil/ironbank/redhat/ubi/ubi9` image from Red Hat's Platform One Iron Bank project. -Some tasks in the hardening role were disabled for automated testing, but this doesn't significantly impact our security posture. We can still meet our validation and thresholds. +It represents a security-enhanced configuration. +- STIG-compliant +- Regular security updates +- Platform One certified -For more on using these playbooks, running Ansible, or modifying the playbooks, roles, and tasks, see the Ansible Project Website. -Find these roles and 'wrapper playbooks' in the [spec/](./spec/) directory. +Try these exercises: -## Container Converge +1. Compare the contents of vanilla and hardened playbooks +2. Identify key security configurations in the RHEL9-STIG role +3. Examine the wrapper playbook structure in the spec/ directory -We use RedHat vendor images for both the `vanilla` and `hardened` containers. +## Summary -- **`vanilla`:** This container uses the `registry.access.redhat.com/ubi8/ubi:8.9-1028` image from RedHat's community repositories. -- **`hardened`:** This container uses the `registry1.dso.mil/ironbank/redhat/ubi/ubi8` image from Red Hat's Platform One Iron Bank project. +- Converge stage implements your desired system configurations +- Multiple implementation tools available (Ansible, Puppet, Chef, etc.) +- Two primary configurations: vanilla (baseline) and hardened (security-enhanced) +- Container implementations use different images with different security postures -The Iron Bank UBI8 image is regularly patched, updated, and hardened according to STIG requirements. +::: info Next Steps +Practice running the converge stage with both vanilla and hardened configurations to understand the differences in outcomes. +::: diff --git a/src/courses/profile-dev-test/18.md b/src/courses/profile-dev-test/18.md index 1c623eca5..867acde6e 100644 --- a/src/courses/profile-dev-test/18.md +++ b/src/courses/profile-dev-test/18.md @@ -1,17 +1,34 @@ --- order: 18 next: 19.md -title: Test Kitchen - Validate +title: 18. Test Kitchen - Verify author: Aaron Lippold -index: true --- -## Test Kitchen Validate Stage +## Test Kitchen Verify Stage -The `verify` stage uses the `kitchen-inspec` verifier from Test Kitchen to run the profile against the test targets. +The `verify` stage is when we are able to use Test Kitchen to validate that our InSpec profile was written properly. -For this stage, the profile receives a set of tailored `input` YAML files. These files adjust the testing for each target, ensuring accurate validation against the expected state and minimizing false results. +The `verify` stage uses the `kitchen-inspec` verifier from Test Kitchen to run the InSpec profile against the test targets. + +For this stage, the InSpec profile receives a set of tailored `input` YAML files. These files adjust the testing for each target, ensuring accurate validation against the expected state and minimizing incorrect results. + +They are located at the root of the project and are named something like `kitchen.inputs.yml`. There are also specific `threshold` files for each target environment platform (EC2, container, and Vagrant) in both the `vanilla` and `hardened` suites. -The following sections provide a detailed breakdown of these files, their structure, and the workflow organization. \ No newline at end of file +These establish the expected or allowed thresholds for vanilla and hardened configurations. Sometimes, we also have specific thresholds for hardened container or DISA EC2 vanilla configurations to allow for different hardening configurations that may be part of the test suite. + +### Key Points to Remember + +- **Input Files**: Customize tests for each target environment. +- **Threshold Files**: Define acceptable limits for different configurations. +- **Platform-Specific Settings**: Ensure accurate validation across various platforms. + +### Practical Tips + +- Always review and update input files to match the target environment. +- Verify threshold settings to ensure they align with your security requirements. +- Regularly test across different platforms to catch environment-specific issues. +- Use the `kitchen verify` command to run the tests and validate the configurations. +- Limit the control verify is running by using the `INSPEC_CONTROL` environment variable. diff --git a/src/courses/profile-dev-test/19.md b/src/courses/profile-dev-test/19.md index 7fb8a7a41..382de54a2 100644 --- a/src/courses/profile-dev-test/19.md +++ b/src/courses/profile-dev-test/19.md @@ -1,7 +1,7 @@ --- order: 19 next: 20.md -title: Test Kitchen - Destroy +title: 19. Test Kitchen - Destroy author: Aaron Lippold --- @@ -11,7 +11,14 @@ The `destroy` stage terminates the EC2 instances, Vagrant boxes, or containers t Occasionally, the `destroy` stage may encounter issues if the hosting platforms have altered the state of the provisioned instance during your writing, testing, or debugging sessions. If you face any problems with the `destroy` stage or any other Test Kitchen commands, verify the following: -- The test target's login, hostname, and IP address are still accurate. -- The test instance is still running on the hosting platforms. +- Ensure the test target's login credentials, hostname, and IP address are still accurate. +- Confirm that the test instance is still running on the hosting platform. -Sometimes, the solution can be as simple as checking if the instance is still active. \ No newline at end of file +Sometimes, the solution can be as simple as checking if the instance is still active. + +### Additional Tips for Troubleshooting + +- **Check Logs**: Review the Test Kitchen logs for any error messages or clues about what might be going wrong. +- **Manual Cleanup**: If the `destroy` command fails, you may need to manually terminate the instances through your cloud provider's console or command-line tools. +- **Update Configurations**: Ensure that your `.kitchen.yml` configuration file is up-to-date and correctly references the instances you are trying to destroy. +- **Network Issues**: Verify that there are no network issues preventing Test Kitchen from communicating with the instances. diff --git a/src/courses/profile-dev-test/20.md b/src/courses/profile-dev-test/20.md index fc22727c3..7f4af4c96 100644 --- a/src/courses/profile-dev-test/20.md +++ b/src/courses/profile-dev-test/20.md @@ -1,10 +1,117 @@ --- order: 20 next: 21.md -title: Test Kitchen - .kitchen/ directory +title: 20. Test Kitchen - `kitchen.yml` File author: Aaron Lippold --- -## The `.kitchen/` Directory +## Understanding the `kitchen.yml` File -The [`.kitchen/`](/.kitchen/) directory contains the state file for Test Kitchen, which is automatically generated when you first run Test Kitchen. Refer to the [Finding Your Test Target Login Details](#311-locating-test-target-login-details) section to see how you can use the `.kitchen/` directory. +The [`kitchen.yml`](./kitchen.yml) file is the primary configuration file for Test Kitchen. It outlines the shared configuration for all your testing environments, platforms, and the testing framework to be used. + +Each of the subsequent Kitchen files will inherit the shared settings from this file automatically and merge them with the settings in the child Kitchen file. + +## Example `kitchen.yml` File + +```yaml +--- +verifier: + name: inspec + sudo: true + reporter: + - cli + - json:spec/results/%{platform}_%{suite}.json + inspec_tests: + - name: RedHat 9 STIG v1r2 + path: . + input_files: + - kitchen.inputs.yml + <% if ENV['INSPEC_CONTROL'] %> + controls: + - "<%= ENV['INSPEC_CONTROL'] %>" + <% end %> + load_plugins: true + env_vars: + - "CHEF_LICENSE=<%= ENV['CHEF_LICENSE'] %>" + +suites: + - name: vanilla + provisioner: + playbook: spec/ansible/roles/ansible-role-rhel-vanilla.yml + + - name: hardened + provisioner: + playbook: spec/ansible/roles/ansible-role-rhel-hardened.yml + +transport: + max_ssh_sessions: 6 +``` + +# Breakdown of the `kitchen.yml` file + +```yaml +--- +verifier: + name: inspec + sudo: true + reporter: + - cli + - json:spec/results/%{platform}_%{suite}.json + inspec_tests: + - name: RedHat 9 STIG v1r2 + path: . + input_files: + - kitchen.inputs.yml + <% if ENV['INSPEC_CONTROL'] %> + controls: + - "<%= ENV['INSPEC_CONTROL'] %>" + <% end %> + load_plugins: true + env_vars: + - "CHEF_LICENSE=<%= ENV['CHEF_LICENSE'] %>" +``` + +This first section configures the verifier, which is the tool that checks if your system is in the desired state. Here, it's using InSpec. + +- `sudo: true` means that InSpec will run with sudo privileges. +- `reporter` specifies the formats in which the test results will be reported. Here, it's set to report in the command-line interface (`cli`) and in a JSON file (`json:spec/results/%{platform}_%{suite}.json`). Note that variables will be templated into this filename by Kitchen to help you differentiate between the different testing configurations you're iterating over. +- `inspec_tests` specifies the InSpec profiles to run. Here, it's running the "RedHat 9 STIG v1r2" profile located in the current directory (`path: .`). +- `input_files` specifies files that contain input variables for the InSpec profile. Here, it's using the `kitchen.inputs.yml` file. +- The `controls` section is dynamically set based on the `INSPEC_CONTROL` environment variable. If the variable is set, only the specified control will be run. +- `load_plugins: true` means that InSpec will load any available plugins. + +```yaml +suites: + - name: vanilla + provisioner: + playbook: spec/ansible/roles/ansible-role-rhel-vanilla.yml + + - name: hardened + provisioner: + playbook: spec/ansible/roles/ansible-role-rhel-hardened.yml +``` + +This section defines the test suites. Each suite represents a different configuration to test. + +- Each suite has a `name` and a `provisioner`. +- The `provisioner` section specifies the Ansible playbook to use for the suite. Here, it's using the `ansible-role-rhel-vanilla.yml` playbook for the "vanilla" suite and the `ansible-role-rhel-hardened.yml` playbook for the "hardened" suite. + +```yaml +transport: + max_ssh_sessions: 6 +``` + +The last section allows you to configure attributes of the transport. In this case, we're setting the maximum number of parallel SSH sessions. + +## Environment Variables in `kitchen.yml` + +- `INSPEC_CONTROL`: This variable allows you to specify a single control to run during the `bundle exec kitchen verify` phase. This is particularly useful for testing or debugging a specific requirement. + +# Recap on Kitchen Stages + +The workflow of Test Kitchen involves the following steps: + +1. **Create:** Test Kitchen uses the driver to create an instance of the platform. +2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the instance. In this case, it's using Ansible playbooks. +3. **Verify:** Test Kitchen uses the verifier to check if the instance is in the desired state. +4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file. diff --git a/src/courses/profile-dev-test/21.md b/src/courses/profile-dev-test/21.md index 19075f8d7..b3ae927c3 100644 --- a/src/courses/profile-dev-test/21.md +++ b/src/courses/profile-dev-test/21.md @@ -1,100 +1,157 @@ --- order: 21 next: 22.md -title: Test Kitchen - `kitchen.yml` File +title: 21. Test Kitchen - `kitchen.ec2.yml` File author: Aaron Lippold --- -## Understanding the `kitchen.yml` File +## Understanding the `kitchen.ec2.yml` File -The [`kitchen.yml`](./kitchen.yml) file is the primary configuration file for Test Kitchen. It outlines the shared configuration for all your testing environments, platforms, and the testing framework to be used. +The `kitchen.ec2.yml` file is instrumental in setting up our testing targets within the AWS environment. It outlines the configuration details for these targets, including their VPC assignments and the specific settings for each VPC. -Each of the subsequent kitchen files will inherit the shared settings from this file automatlly and merge them with the setting in the child kitchen file. +This file leverages the AWS CLI and your AWS credentials, environment variables, and settings that you should have configured as described in the [Environment Setup Guide](./03.md) section. -## Example `kitchen.yml` file +## Example `kitchen.ec2.yml` File ```yaml --- -verifier: - name: inspec - sudo: true - reporter: - - cli - - json:spec/results/%{platform}_%{suite}.json - inspec_tests: - - name: RedHat 8 STIG v1r12 - path: . - input_files: - - kitchen.inputs.yml - <% if ENV['INSPEC_CONTROL'] %> - controls: - - "<%= ENV['INSPEC_CONTROL'] %>" - <% end %> - load_plugins: true +platforms: + - name: rhel-9 + +driver: + name: ec2 + subnet_id: "<%= ENV['SAF_PIPELINE_SUBNET'] %>" + security_group_ids: + - "<%= ENV['SAF_PIPELINE_SG'] %>" + metadata_options: + http_tokens: required + http_put_response_hop_limit: 1 + instance_metadata_tags: enabled + instance_type: t2.small + associate_public_ip: true + interface: public + skip_cost_warning: true + privileged: true + instance_initiated_shutdown_behavior: terminate + +provisioner: + name: ansible_playbook + hosts: all + require_chef_for_busser: false + require_ruby_for_busser: false + ansible_binary_path: /usr/local/bin + # require_pip3: true + ansible_verbose: true + roles_path: spec/ansible/roles + galaxy_ignore_certs: true + requirements_path: spec/ansible/roles/requirements.yml + requirements_collection_path: spec/ansible/roles/requirements.yml + ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %> suites: - name: vanilla provisioner: playbook: spec/ansible/roles/ansible-role-rhel-vanilla.yml + driver: + tags: + Name: Vanilla-<%= ENV['USER'] %> + CreatedBy: test-kitchen + - name: hardened provisioner: playbook: spec/ansible/roles/ansible-role-rhel-hardened.yml + driver: + tags: + Name: Hardened-<%= ENV['USER'] %> + CreatedBy: test-kitchen + +lifecycle: + pre_converge: + - remote: | + # echo "+++ Refreshing DNF package cache +++" + # sudo dnf -y clean all + echo "" + echo "+++ Updating DNF Packages +++" + sudo dnf -y update --nogpgcheck --nobest + echo "" + echo "+++ Installing needed packages for workflow and utility +++\n\n" + sudo dnf -y install --nogpgcheck bc bind-utils redhat-lsb-core vim git wget gcc openssl-devel libffi-devel bzip2-devel + echo "" + echo "+++ Installing Python 3.9 and Ansible +++\n\n" + export PATH=/usr/local/bin:$PATH + sudo dnf -y install python3-pip + sudo python3 -m pip install ansible jmespath + echo "" + echo "+++ Updating the ec2-user to keep sudo working after hardening phase +++\n\n" + sudo chage -d $(( $( date +%s ) / 86400 )) ec2-user + echo "" + echo "+++ updating ec2-user sudo config for hardening phase +++\n\n" + sudo chmod 600 /etc/sudoers && sudo sed -i'' "/ec2-user/d" /etc/sudoers && sudo chmod 400 /etc/sudoers + sudo dnf -y install git + echo "+++ add cinc-auditor for local shell +++\n\n" + curl -L https://omnitruck.cinc.sh/install.sh | sudo bash -s -- -P cinc-auditor + +transport: + name: ssh + #https://github.com/neillturner/kitchen-ansible/issues/295 + max_ssh_sessions: 2 ``` -# Breakdown of the `kitchen.yml` file: +# Breakdown of the `kitchen.ec2.yml` file ```yaml -verifier: - name: inspec - sudo: true - reporter: - - cli - - json:spec/results/%{platform}_%{suite}.json - inspec_tests: - - name: RedHat 8 STIG v1r12 - path: . - input_files: - - kitchen.inputs.yml - <% if ENV['INSPEC_CONTROL'] %> - controls: - - "<%= ENV['INSPEC_CONTROL'] %>" - <% end %> - load_plugins: true +platforms: + - name: rhel-9 ``` -This first section configures the verifier, which is the tool that checks if your system is in the desired state. Here, it's using InSpec. +This section defines the platforms on which your tests will run. In this case, it's Red Hat Enterprise Linux 9. -- `sudo: true` means that InSpec will run with sudo privileges. -- `reporter` specifies the formats in which the test results will be reported. Here, it's set to report in the command-line interface (`cli`) and in a JSON file (`json:spec/results/%{platform}_%{suite}.json`). -- `inspec_tests` specifies the InSpec profiles to run. Here, it's running the "RedHat 8 STIG v1r12" profile located in the current directory (`path: .`). -- `input_files` specifies files that contain input variables for the InSpec profile. Here, it's using the `kitchen.inputs.yml` file. -- The `controls` section is dynamically set based on the `INSPEC_CONTROL` environment variable. If the variable is set, only the specified control will be run. -- `load_plugins: true` means that InSpec will load any available plugins. +```yaml +driver: + name: ec2 + ... +``` + +This section configures the driver, which is responsible for creating and managing the instances. Here, it's set to use Amazon EC2 instances. The various options configure the EC2 instances, such as instance type (`t2.small`), whether to associate a public IP address (`associate_public_ip: true`), and various metadata options. + +```yaml +provisioner: + name: ansible_playbook + ... +``` + +This section configures the provisioner, which is the tool that brings your system to the desired state. Here, it's using Ansible playbooks. The various options configure how Ansible is run, such as the path to the Ansible binary (`ansible_binary_path: /usr/local/bin`) and the paths to the roles and requirements files. ```yaml suites: - name: vanilla - provisioner: - playbook: spec/ansible/roles/ansible-role-rhel-vanilla.yml - - name: hardened - provisioner: - playbook: spec/ansible/roles/ansible-role-rhel-hardened.yml + ... ``` -This section defines the test suites. Each suite represents a different configuration to test. +This section configures the test suites, which are the various configurations that are being tested. Here, we outline how to spin up our vanilla and hardened containers. Each suite contains various options such as one to specify the path to the playbook that the provisioner should use. -- Each suite has a `name` and a `provisioner`. -- The `provisioner` section specifies the Ansible playbook to use for the suite. Here, it's using the `ansible-role-rhel-vanilla.yml` playbook for the "vanilla" suite and the `ansible-role-rhel-hardened.yml` playbook for the "hardened" suite. +```yaml +lifecycle: + pre_converge: + - remote: | + ... +``` -## Environment Variables in `kitchen.yml` +This section defines lifecycle hooks, which are commands that run at certain points in the Test Kitchen run. Here, it's running a series of commands before the converge phase (i.e., before applying the infrastructure code). These commands install necessary packages, update system packages, and update the `ec2-user` configuration. -- `INSPEC_CONTROL`: This variable allows you to specify a single control to run during the `bundle exec kitchen verify` phase. This is particularly useful for testing or debugging a specific requirement. +```yaml +transport: + name: ssh + max_ssh_sessions: 2 +``` -# Recap on Kitchen Stages +This section configures the transport, which is the method Test Kitchen uses to communicate with the instance. Here, it's using SSH and allowing a maximum of 2 SSH sessions. The workflow of Test Kitchen involves the following steps: 1. **Create:** Test Kitchen uses the driver to create an instance of the platform. -2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the instance. In this case, it's using Ansible playbooks. -3. **Verify:** Test Kitchen uses the verifier to check if the instance is in the desired state. -4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file. \ No newline at end of file +2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the instance. Before this phase, it runs the commands defined in the `pre_converge` lifecycle hook. +3. **Verify:** Test Kitchen checks if the instance is in the desired state. This is not shown in your file, but it would be configured in the `verifier` section. +4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file, but it would be configured in the `driver` section. + +The `transport` is used in all these steps to communicate with the instance. diff --git a/src/courses/profile-dev-test/22.md b/src/courses/profile-dev-test/22.md index 6f5885953..c3555ebd2 100644 --- a/src/courses/profile-dev-test/22.md +++ b/src/courses/profile-dev-test/22.md @@ -1,118 +1,120 @@ --- order: 22 next: 23.md -title: Test Kitchen - `kitchen.ec2.yml` File +title: 22. Test Kitchen - `kitchen.container.yml` File author: Aaron Lippold --- -## Understanding the `kitchen.ec2.yml` File +## Understanding the `kitchen.container.yml` File -The `kitchen.ec2.yml` file is instrumental in setting up our testing targets within the AWS environment. It outlines the configuration details for these targets, including their VPC assignments and the specific settings for each VPC. +The `kitchen.container.yml` file orchestrates our container-based test suite. It defines two types of containers: hardened and vanilla, and specifies the InSpec tests to run against them. It also configures the generation and storage of test reports. -This file leverages the ` AWS CLI and AWS Credentials` configured as described in the previous [Required Software](#13-required-software) section. +Unlike other test suites, the container suite skips the 'provisioner' stage for the vanilla and hardened targets. Instead, during the create stage, it simply downloads and starts the specified images. This is due to the use of the [dummy Test Kitchen driver](https://github.com/test-kitchen/test-kitchen/blob/main/lib/kitchen/driver/dummy.rb), which is ideal for interacting with pre-configured or immutable targets like containers. -Alternatively, if you've set up AWS Environment Variables, the file will use those for AWS interactions. +This approach allows for the evaluation of existing containers, even those created by other workflows. It can be leveraged to build a generalized workflow for validating any container against our Benchmark requirements, providing a comprehensive assessment of its security posture. -## Example `kitchen.ec2.yml` file +## Example `kitchen.container.yml` file ```yaml --- -platforms: - - name: rhel-8 - -driver: - name: ec2 - metadata_options: - http_tokens: required - http_put_response_hop_limit: 1 - instance_metadata_tags: enabled - instance_type: m5.large - associate_public_ip: true - interface: public - skip_cost_warning: true - privileged: true - tags: - CreatedBy: test-kitchen +# see: https://kitchen.ci/docs/drivers/dokken/ provisioner: - name: ansible_playbook - hosts: all - require_chef_for_busser: false - require_ruby_for_busser: false - ansible_binary_path: /usr/local/bin - require_pip3: true - ansible_verbose: true - roles_path: spec/ansible/roles - galaxy_ignore_certs: true - requirements_path: spec/ansible/roles/requirements.yml - ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %> - -lifecycle: - pre_converge: - - remote: | - echo "NOTICE - Installing needed packages" - sudo dnf -y clean all - sudo dnf -y install --nogpgcheck bc bind-utils redhat-lsb-core vim - echo "updating system packages" - sudo dnf -y update --nogpgcheck --nobest - sudo dnf -y distro-sync - echo "NOTICE - Updating the ec2-user to keep sudo working" - sudo chage -d $(( $( date +%s ) / 86400 )) ec2-user - echo "NOTICE - updating ec2-user sudo config" - sudo chmod 600 /etc/sudoers && sudo sed -i'' "/ec2-user/d" /etc/sudoers && sudo chmod 400 /etc/sudoers + name: dummy + +driver: + name: dokken + pull_platform_image: false transport: - name: ssh - max_ssh_sessions: 2 + name: dokken + +platforms: + - name: ubi9 + +suites: + - name: vanilla + driver: + image: <%= ENV['VANILLA_CONTAINER_IMAGE'] || "registry.access.redhat.com/ubi9/ubi:9.3-1610" %> + verifier: + input_files: + - container.vanilla.inputs.yml + - name: hardened + driver: + image: <%= ENV['HARDENED_CONTAINER_IMAGE'] || "registry1.dso.mil/ironbank/redhat/ubi/ubi9" %> + verifier: + input_files: + - container.hardened.inputs.yml + # creds_file: './creds.json' ``` -# Breakdown of the `kitchen.ec2.yml` file +# Breakdown of the `kitchen.container.yml` file ```yaml -platforms: - - name: rhel-8 +provisioner: + name: dummy ``` -This section defines the platforms on which your tests will run. In this case, it's Red Hat Enterprise Linux 8. +This section configures the provisioner, which is the tool that brings your system to the desired state. Here, it's using the dummy provisioner, which means no provisioning will be done. ```yaml driver: - name: ec2 - ... + name: dokken + pull_platform_image: false ``` -This section configures the driver, which is responsible for creating and managing the instances. Here, it's set to use Amazon EC2 instances. The various options configure the EC2 instances, such as instance type (`m5.large`), whether to associate a public IP address (`associate_public_ip: true`), and various metadata options. +This section configures the driver, which is responsible for creating and managing the instances. Here, it's set to use the Dokken driver, which is designed for running tests in Docker containers. The `pull_platform_image: false` option means that it won't automatically pull the Docker image for the platform; it will use the image specified in the suite. ```yaml -provisioner: - name: ansible_playbook - ... +transport: + name: dokken ``` -This section configures the provisioner, which is the tool that brings your system to the desired state. Here, it's using Ansible playbooks. The various options configure how Ansible is run, such as the path to the Ansible binary (`ansible_binary_path: /usr/local/bin`), whether to require pip3 (`require_pip3: true`), and the path to the roles and requirements files. +This section configures the transport, which is the method Test Kitchen uses to communicate with the instance. Here, it's using the Dokken transport, which communicates with the Docker container. ```yaml -lifecycle: - pre_converge: - - remote: | - ... +platforms: + - name: ubi9 ``` -This section defines lifecycle hooks, which are commands that run at certain points in the Test Kitchen run. Here, it's running a series of commands before the converge phase (i.e., before applying the infrastructure code). These commands install necessary packages, update system packages, and update the `ec2-user` configuration. +This section defines the platforms on which your tests will run. In this case, it's UBI 9 (Red Hat's Universal Base Image 9). ```yaml -transport: - name: ssh - max_ssh_sessions: 2 +suites: + - name: vanilla + driver: + image: <%= ENV['VANILLA_CONTAINER_IMAGE'] || "registry.access.redhat.com/ubi9/ubi:9.3-1610" %> + verifier: + input_files: + - container.vanilla.inputs.yml + - name: hardened + driver: + image: <%= ENV['HARDENED_CONTAINER_IMAGE'] || "registry1.dso.mil/ironbank/redhat/ubi/ubi9" %> + verifier: + input_files: + - container.hardened.inputs.yml ``` -This section configures the transport, which is the method Test Kitchen uses to communicate with the instance. Here, it's using SSH and allowing a maximum of 2 SSH sessions. +This section defines the test suites. Each suite represents a different configuration to test. + +- Each suite has a `name`, a `driver`, and a `verifier`. +- The `driver` section specifies the Docker image to use for the suite. It's dynamically set based on the `VANILLA_CONTAINER_IMAGE` or `HARDENED_CONTAINER_IMAGE` environment variable, with a default value if the variable is not set. +- The `verifier` section specifies files that contain input variables for the InSpec profile. The workflow of Test Kitchen involves the following steps: -1. **Create:** Test Kitchen uses the driver to create an instance of the platform. -2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the instance. Before this phase, it runs the commands defined in the `pre_converge` lifecycle hook. -3. **Verify:** Test Kitchen checks if the instance is in the desired state. This is not shown in your file, but it would be configured in the `verifier` section. -4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file, but it would be configured in the `driver` section. +1. **Create:** Test Kitchen uses the driver to create a Docker container of the platform. +2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the container. In this case, no provisioning is done. +3. **Verify:** Test Kitchen checks if the container is in the desired state. This is not shown in your file, but it would be configured in the `verifier` section. +4. **Destroy:** Test Kitchen uses the driver to destroy the container after testing. This is not shown in your file, but it would be configured in the `driver` section. + +The `transport` is used in all these steps to communicate with the container. + +## Environment Variables in `kitchen.container.yml` + +The `kitchen.container.yml` file uses the following environment variables to select the containers used during its `hardened` and `vanilla` testing runs. You can test any container using these environment variables, even though standard defaults are set. -The `transport` is used in all these steps to communicate with the instance. \ No newline at end of file +- `VANILLA_CONTAINER_IMAGE`: This variable specifies the Docker container image considered 'not hardened'. + - default: `registry.access.redhat.com/ubi9/ubi:9.3-1610` +- `HARDENED_CONTAINER_IMAGE`: This variable specifies the Docker container image considered 'hardened'. + - default: `registry1.dso.mil/ironbank/redhat/ubi/ubi9` diff --git a/src/courses/profile-dev-test/23.md b/src/courses/profile-dev-test/23.md index e540604c4..9c244a1b8 100644 --- a/src/courses/profile-dev-test/23.md +++ b/src/courses/profile-dev-test/23.md @@ -1,120 +1,32 @@ --- order: 23 next: 24.md -title: Test Kitchen - `kitchen.container.yml` +title: 23. GitHub Actions author: Aaron Lippold --- -## Understanding the [`kitchen.container.yml`](./kitchen.container.yml) +## GitHub Actions -The `kitchen.container.yml` file orchestrates our container-based test suite. It defines two types of containers, hardened and vanilla, and specifies the inspec_tests to run against them. It also configures the generation and storage of test reports. +Our profile utilizes GitHub Actions as its primary CI/CD process. The Actions are separated by general business or process functions, allowing for a clear distinction between the workflow stages that we are testing. -Unlike other test suites, the container suite skips the 'provisioner' stage for the vanilla and hardened targets. Instead, during the create stage, it simply downloads and starts the specified images. This is due to the use of the [dummy Test Kitchen driver](https://github.com/test-kitchen/test-kitchen/blob/main/lib/kitchen/driver/dummy.rb), which is ideal for interacting with pre-configured or immutable targets like containers. +### [`lint-profile.yml`](https://github.com/mitre/redhat-enterprise-linux-9-stig-baseline/blob/main/.github/workflows/lint-profile.yml) -This approach allows for the evaluation of existing containers, even those created by other workflows. It can be leveraged to build a generalized workflow for validating any container against our Benchmark requirements, providing a comprehensive assessment of its security posture. +This action checks out the repository, installs Ruby and InSpec, then runs `bundle exec inspec check .` to validate the structure and syntax of the InSpec profile and its Ruby code. -## Example `kitchen.container.yml` file +### [`verify-ec2.yml`](https://github.com/mitre/redhat-enterprise-linux-9-stig-baseline/blob/main/.github/workflows/verify-ec2.yml) -```yaml ---- -# see: https://kitchen.ci/docs/drivers/dokken/ - -provisioner: - name: dummy - -driver: - name: dokken - pull_platform_image: false - -transport: - name: dokken - -platforms: - - name: ubi8 - -suites: - - name: vanilla - driver: - image: <%= ENV['VANILLA_CONTAINER_IMAGE'] || "registry.access.redhat.com/ubi8/ubi:8.9-1028" %> - verifier: - input_files: - - container.vanilla.inputs.yml - - name: hardened - driver: - image: <%= ENV['HARDENED_CONTAINER_IMAGE'] || "registry1.dso.mil/ironbank/redhat/ubi/ubi8" %> - verifier: - input_files: - - container.hardened.inputs.yml - # creds_file: './creds.json' -``` - -# Breakdown of the `kitchen.container.yml` file: - -```yaml -provisioner: - name: dummy -``` - -This section configures the provisioner, which is the tool that brings your system to the desired state. Here, it's using a dummy provisioner, which means no provisioning will be done. - -```yaml -driver: - name: dokken - pull_platform_image: false -``` - -This section configures the driver, which is responsible for creating and managing the instances. Here, it's set to use the Dokken driver, which is designed for running tests in Docker containers. The `pull_platform_image: false` option means that it won't automatically pull the Docker image for the platform; it will use the image specified in the suite. - -```yaml -transport: - name: dokken -``` - -This section configures the transport, which is the method Test Kitchen uses to communicate with the instance. Here, it's using the Dokken transport, which communicates with the Docker container. - -```yaml -platforms: - - name: ubi8 -``` - -This section defines the platforms on which your tests will run. In this case, it's UBI 8 (Red Hat's Universal Base Image 8). - -```yaml -suites: - - name: vanilla - driver: - image: <%= ENV['VANILLA_CONTAINER_IMAGE'] || "registry.access.redhat.com/ubi8/ubi:8.9-1028" %> - verifier: - input_files: - - container.vanilla.inputs.yml - - name: hardened - driver: - image: <%= ENV['HARDENED_CONTAINER_IMAGE'] || "registry1.dso.mil/ironbank/redhat/ubi/ubi8" %> - verifier: - input_files: - - container.hardened.inputs.yml -``` - -This section defines the test suites. Each suite represents a different configuration to test. - -- Each suite has a `name`, a `driver`, and a `verifier`. -- The `driver` section specifies the Docker image to use for the suite. It's dynamically set based on the `VANILLA_CONTAINER_IMAGE` or `HARDENED_CONTAINER_IMAGE` environment variable, with a default value if the variable is not set. -- The `verifier` section specifies files that contain input variables for the InSpec profile. - -The workflow of Test Kitchen involves the following steps: - -1. **Create:** Test Kitchen uses the driver to create a Docker container of the platform. -2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the container. In this case, no provisioning is done. -3. **Verify:** Test Kitchen checks if the container is in the desired state. This is not shown in your file, but it would be configured in the `verifier` section. -4. **Destroy:** Test Kitchen uses the driver to destroy the container after testing. This is not shown in your file, but it would be configured in the `driver` section. - -The `transport` is used in all these steps to communicate with the container. +This action performs the following steps: -## Environment Variables in `kitchen.container.yml` +1. Checks out the repository. +2. Installs Ruby, InSpec, AWS CLI, and Test Kitchen along with its drivers. +3. Sets up the 'runner'. +4. Configures access to the AWS VPC environment. +5. Runs the `vanilla` and `hardened` test suites. +6. Displays a summary of the test suite results. +7. Saves the test suite results. +8. Uploads the results to our Heimdall Demo server. +9. Determines the success or failure of the test run based on the validation of the test suite results against the `threshold.yml` files for each test suite (`hardened` and `vanilla`). -The `kitchen.container.yml` file uses the following environment variables to select the containers used during its `hardened` and `vanilla` testing runs. You can test any container using these environment variables, even though standard defaults are set. +### [`verify-container.yml`](https://github.com/mitre/redhat-enterprise-linux-9-stig-baseline/blob/main/.github/workflows/verify-container.yml) -- `VANILLA_CONTAINER_IMAGE`: This variable specifies the Docker container image considered 'not hardened'. - - default: `registry.access.redhat.com/ubi8/ubi:8.9-1028` -- `HARDENED_CONTAINER_IMAGE`: This variable specifies the Docker container image considered 'hardened'. - - default: `registry1.dso.mil/ironbank/redhat/ubi/ubi8` \ No newline at end of file +This action performs similar steps to `verify-ec2.yml`, with a key additional step of configuring access to the required container registries - Platform One and Red Hat. diff --git a/src/courses/profile-dev-test/24.md b/src/courses/profile-dev-test/24.md index 6fda8f8c3..55cf4a2c5 100644 --- a/src/courses/profile-dev-test/24.md +++ b/src/courses/profile-dev-test/24.md @@ -1,38 +1,67 @@ --- order: 24 next: 25.md -title: GitHub Actions +title: 24. Tips, Tricks, and Troubleshooting author: Aaron Lippold --- -## GitHub Actions +## Tips, Tricks, and Troubleshooting -Our profile utilizes GitHub Actions as its primary CI/CD process. The Actions are separated by general business or process functions, allowing for a clear distinction between the workflow stages that we are testing in our workflow. +### Test Kitchen -### [`lint-profile.yml`](.github/workflows/lint-profile.yml) +#### Locating Test Target Login Details -This action checks out the repository, installs Ruby and InSpec, then runs `bundle exec inspec check .` to validate the structure and syntax of the InSpec profile and its Ruby code. +Test Kitchen stores the current host details of your provisioned test targets in the `.kitchen/` directory. Here, you'll find a `yml` file containing your target's `hostname`, `ip address`, `host details`, and login credentials, which could be an `ssh pem key` or another type of credential. -### [`verify-ec2.yml`](.github/workflows/verify-ec2.yml) +```shell +.kitchen +├── .kitchen/hardened-container.yml +├── .kitchen/hardened-rhel-8.pem +├── .kitchen/hardened-rhel-8.yml +├── .kitchen/logs +├── .kitchen/vanilla-container.yml +├── .kitchen/vanilla-rhel-8.pem +├── .kitchen/vanilla-rhel-8.yml +└── .kitchen/vanilla-ubi8.yml +``` -This action performs the following steps: +#### Restoring Access to a Halted or Restarted Test Target -1. Checks out the repository. -2. Installs Ruby, InSpec, AWS CLI, and Test Kitchen along with its drivers. -3. Sets up the 'runner'. -4. Configures access to the AWS VPC environment. -5. Runs the `vanilla` and `hardened` test suites. -6. Displays a summary of the test suite results. -7. Saves the test suite results. -8. Uploads the results to our Heimdall Demo server. -9. Determines the success or failure of the test run based on the validation of the test suite results against the `threshold.yml` files for each test suite (`hardened` and `vanilla`). +If your test target reboots or updates its network information, you don't need to execute `bundle exec kitchen destroy`. Instead, update the corresponding `.kitchen/#{suite}-#{target}.yml` file with the updated information. This will ensure that your `kitchen login`, `kitchen validate`, and other kitchen commands function correctly, as they'll be connecting to the correct location instead of using outdated data. -### [`verify-container.yml`](.github/workflows/verify-container.yml) +#### AWS Console and EC2 Oddities -This action performs similar steps to `verify-ec2.yml`, but with some differences: +Since we're using the free-tier for our AWS testing resources instead of a dedicated host, your test targets might shut down or reboot in the background if you stop interacting with them, halt them, put them in a stop state, or leave them unattended overnight. To regain access, edit the `.kitchen/#{suite}-#{target}.yml` file. As mentioned above, there's no need to recreate your testing targets if you can simply point Test Kitchen to the correct IP address. -1. It configures access to the required container registries - Platform One and Red Hat. +:::warning Auto-generated, sensitive files +Since the `.kitchen/` directory is automatically generated by Test Kitchen, you need to be careful not to accidentally mess up its internal workings when editing it by hand as suggested above. Additionally, be sure not to place this directory underneath version control since you could unintentionally leak sensitive information such as your ip addresses and credentials! +::: -### [`verify-vagrant.yml.example`](.github/workflows/verify-vagrant.yml.example) +## InSpec / Ruby -This action is similar to the `verify-ec2` workflow, but instead of using a remote AWS EC2 instance in a VPC, it uses a local Vagrant virtual machine as the test target. The user can configure whether to upload the results to our Heimdall Demo server or not by modifing the Github Action. \ No newline at end of file +### Using `pry` and `pry-byebug` for Debugging Controls + +When developing InSpec controls, it's beneficial to use the `kitchen-test` suite, the `INSPEC_CONTROL` environment variable, and `pry` or `pry-byebug`. This combination allows you to quickly debug, update, and experiment with your fixes in the context of the InSpec code, without having to run the full test suite. + +`pry` and `pry-byebug` are powerful tools for debugging Ruby code, including InSpec controls. Here's how you can use them: + +1. First, add `require 'pry'` or `require 'pry-byebug'` at the top of your control file. +2. Then, insert `binding.pry` at the point in your code where you want to start debugging. +3. When you run your tests, execution will stop at the `binding.pry` line, and you can inspect variables, step through the code, and more. + +::: tip Linter +Remember to remove or comment out the `binding.pry` lines when you're done debugging or you won't have a good 'linting' down the road. +::: + +### Streamlining Your Testing with `inspec shell` + +The `inspec shell` command allows you to test your full control update on your test target directly. To do this, you'll need to retrieve the IP address and SSH PEM key for your target instance from the Test Kitchen `.kitchen` directory. For more details on this, refer to the [Locating Test Target Login Details](#locating-test-target-login-details) section. + +Once you have your IP address and SSH PEM key (for AWS target instances), or the container ID (for Docker test instances), you can use the following commands: + +- For AWS test targets: `bundle exec inspec shell -i #{pem-key} -t ssh://ec2-user@#{ipaddress} --sudo` +- For Docker test instances: `bundle exec inspec shell -t docker://#{container-id}` + +### Using `kitchen login` for Easy Test Review and Modification + +The `kitchen login` command provides an easy way to review and modify your test target. This tool is particularly useful for introducing test cases, exploring corner cases, and validating both positive and negative test scenarios. diff --git a/src/courses/profile-dev-test/25.md b/src/courses/profile-dev-test/25.md index 51c0cc462..d04297ed4 100644 --- a/src/courses/profile-dev-test/25.md +++ b/src/courses/profile-dev-test/25.md @@ -1,64 +1,30 @@ --- order: 25 next: 26.md -title: Tips, Tricks & Troubleshooting -shortTitle: Tips & Troubleshooting +title: 25. Background & Definitions author: Aaron Lippold --- -## Tips, Tricks and Troubleshooting +## Background and Definitions -### Test Kitchen +### Background -#### Locating Test Target Login Details +#### Evolution of STIGs and Security Benchmarks -Test Kitchen stores the current host details of your provisioned test targets in the `.kitchen/` directory. Here, you'll find a `yml` file containing your target's `hostname`, `ip address`, `host details`, and login credentials, which could be an `ssh pem key` or another type of credential. +The Department of Defense (DOD) has continually updated its databases that track rules and Security Technical Implementation Guides (STIGs) that house those rules. -```shell -.kitchen -├── .kitchen/hardened-container.yml -├── .kitchen/hardened-rhel-8.pem -├── .kitchen/hardened-rhel-8.yml -├── .kitchen/logs -├── .kitchen/vanilla-container.yml -├── .kitchen/vanilla-rhel-8.pem -├── .kitchen/vanilla-rhel-8.yml -└── .kitchen/vanilla-ubi8.yml -``` +Initially, the system was known as the Vulnerability Management System (VMS). -#### Restoring Access to a Halted or Restarted Test Target +In the STIGs, you might come across data elements that are remnants from these iterations. These include `Group Title` (gid or gtitle), `Vulnerability ID` (VulnID), `Rule ID` (rule_id), `STIG ID` (stig_id), and others. -If your test target reboots or updates its network information, you don't need to execute bundle exec kitchen destroy. Instead, update the corresponding .kitchen/#{suite}-#{target}.yml file with the updated information. This will ensure that your kitchen login, kitchen validate, and other kitchen commands function correctly, as they'll be connecting to the correct location instead of using outdated data. +A significant change was the shift from using `STIG ID` to `Rule ID` in many security scanning tools. This change occurred because the Vulnerability Management System used the STIG_ID as the primary index for the requirements in each Benchmark in VMS. -#### AWS Console and EC2 Oddities +When DISA updated the Vendor STIG Processes and replaced the VMS, they decided to migrate the primary ID from the STIG ID to the Rule ID, tracking changes in the Rules as described above. -Since we're using the free-tier for our AWS testing resources instead of a dedicated host, your test targets might shut down or 'reboot in the background' if you stop interacting with them, halt them, put them in a stop state, or leave them overnight. To regain access, edit the .kitchen/#{suite}-#{target}.yml file. As mentioned above, there's no need to recreate your testing targets if you can simply point Test Kitchen to the correct IP address. +Examples of tools that still use either fully or in part the 'STIG ID' instead of the 'Rule ID' as a primary index are: the DISA STIG Viewer, Nessus Audit Scans, and Open SCAP client. -## InSpec / Ruby +While these elements might seem confusing, understanding their historical context is essential. -### Using `pry` and `pry-byebug` for Debugging Controls +In our modern profiles, some data from the XCCDF Benchmarks still exist in the document but are not used or rendered in the modern InSpec Profiles. However, in some of the older profiles, you may see many of these data elements as `tags` in the profile. The intention was to ensure easy and lossless conversion between the XCCDF Benchmark and OHDF Profile. -When developing InSpec controls, it's beneficial to use the `kitchen-test` suite, the `INSPEC_CONTROL` environment variable, and `pry` or `pry-byebug`. This combination allows you to quickly debug, update, and experiment with your fixes in the context of the InSpec code, without having to run the full test suite. - -`pry` and `pry-byebug` are powerful tools for debugging Ruby code, including InSpec controls. Here's how you can use them: - -1. First, add `require 'pry'` or `require 'pry-byebug'` at the top of your control file. -2. Then, insert `binding.pry` at the point in your code where you want to start debugging. -3. When you run your tests, execution will stop at the `binding.pry` line, and you can inspect variables, step through the code, and more. - -***!Pro Tip!*** - -- Remember to remove or comment out the `binding.pry` lines when you're done debugging or you won't have a good 'linting' down the road. - -### Streamlining Your Testing with `inspec shell` - -The `inspec shell` command allows you to test your full control update on your test target directly. To do this, you'll need to retrieve the IP address and SSH PEM key for your target instance from the Test Kitchen `.kitchen` directory. For more details on this, refer to the [Finding Your Test Target Login Details](#311-locating-test-target-login-details) section. - -Once you have your IP address and SSH PEM key (for AWS target instances), or the container ID (for Docker test instances), you can use the following commands: - -- For AWS test targets: `bundle exec inspec shell -i #{pem-key} -t ssh://ec2-user@#{ipaddress} --sudo` -- For Docker test instances: `bundle exec inspec shell -t docker://#{container-id}` - -### Using `kitchen login` for Easy Test Review and Modification - -The `kitchen login` command provides an easy way to review and modify your test target. This tool is particularly useful for introducing test cases, exploring corner cases, and validating both positive and negative test scenarios. +It was later realized that since the structure of these data elements was 'static', they could be easily reintroduced when converting back to an XCCDF Benchmark. Therefore, rendering them in the profile was deemed unnecessary. diff --git a/src/courses/profile-dev-test/26.md b/src/courses/profile-dev-test/26.md index 48ee12ecc..3cf3cca0f 100644 --- a/src/courses/profile-dev-test/26.md +++ b/src/courses/profile-dev-test/26.md @@ -1,30 +1,22 @@ --- order: 26 -next: 27.md -title: Background & Definitions +title: 26. Terms & Definitions author: Aaron Lippold --- -## Background and Definitions - -### Background - -#### Evolution of STIGs and Security Benchmarks - -The Department of Defense (DOD) has continually updated its databases that track rules and Security Technical Implementation Guides (STIGs) that house those rules. - -Initially, the system was known as the Vulnerability Management System (VMS). - -In the STIGs, you might come across data elements that are remnants from these iterations. These include `Group Title` (gid or gtitle), `Vulnerability ID` (VulnID), `Rule ID` (rule_id), `STIG ID` (stig_id), and others. - -A significant change was the shift from using `STIG ID` to `Rule ID` in many security scanning tools. This change occurred because the Vulnerability Management System used the STIG_ID as the primary index for the requirements in each Benchmark in VMS. - -However, when DISA updated the Vendor STIG Processes and replaced the VMS, they decided to migrate the primary ID from the STIG ID to the Rule ID, tracking changes in the Rules as described above. - -Examples of tools that still use either fully or in part the 'STIG ID' vs the 'Rule ID' as a primary index are: the DISA STIG Viewer, Nessus Audit Scans, and Open SCAP client. - -While these elements might seem confusing, understanding their historical context is essential. - -In our modern profiles, some data from the XCCDF Benchmarks still exist in the document but are not used or rendered in the modern InSpec Profiles. However, in some of the older profiles, you may see many of these data elements as `tags` in the profile. The intention was to ensure easy and lossless conversion between XCCDF Benchmark and HDF Profile. - -It was later realized that since the structure of these data elements was 'static', they could be easily reintroduced when converting back to an XCCDF Benchmark. Therefore, rendering them in the profile was deemed unnecessary. +## Terms & Definitions + +- **Baseline**: This refers to a set of relevant security controls, such as NIST 800-53 controls or Center for Internet Security Controls. These controls offer high-level security best practices, grouped into common areas of concern. +- **Benchmark**: This is a set of security controls tailored to a specific type of application or product. These controls are typically categorized into 'high', 'medium', and 'low' levels based on Confidentiality, Integrity, and Availability (C.I.A). +- **[Common Correlation Identifier](https://public.cyber.mil/stigs/cci/) (CCI)**: The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. For example: 'CCI-000366'. +- **Group Title (gtitle)**: This is essentially the SRG ID but is a holdover data value from the old Vulnerability Management System. For example: 'SRG-OS-000480-GPOS-00227'. +- **Major Version Update**: These are updates that occur when a software vendor releases a new major version of their product's STIG, e.g., Red Hat releasing version 9 of Red Hat Enterprise Linux or Microsoft releasing a new major version of Windows. +- **Patch Update**: These are regular updates that address missing corner cases of testing for one or more benchmark requirements, or improvements to the InSpec code for a requirement. These updates result in a new patch release of the benchmark, e.g., `v1.12.4` to `v1.12.5`. +- **Profile**: This is a set of tests representing a STIG or a CIS Benchmark. These tests automate the validation of a system against that STIG or CIS Benchmark. +- **Release Update**: These are updates that occur when the STIG Benchmark owner releases an updated version of the STIG, e.g., Red Hat Enterprise Linux V1R12 to V1R13. +- **Rule ID (rid)**: The Rule ID has two parts separated by the `r` in the string - ('SV-230221) and (r858734_rule)'. The first part remains unique within the major version of a Benchmark document, while the latter part of the string is updated each time the 'Rule' is updated 'release to release' of the Benchmark. For example: 'SV-230221r858734_rule'. +- **Security Requirements Guide (SRG)**: SRG documents provide generalized security guidance in XCCDF format that applies to a 'class' of software products such as 'web server', 'operating systems', 'application servers' or 'databases'. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). +- **Security Technical Implementation Guide (STIG)**: This is a set of specific technical actions required to establish a certain security posture for a software product. It is based on a desired Security Requirements Guide that applies to the product's software class and function, such as operating system, web server, database, etc. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). +- **SRG_ID**: This is the unique identifier of the SRG requirement. These indexes, like the STIG Rule IDs, also show their parent-child relationship. For example: 'SRG-OS-000480-GPOS-00227'. +- **STIG ID (stig_id)**: Many testing tools and testing results tools use this ID - vs the Rule ID - to display each of the individual results of a Benchmark validation run. For example: 'RHEL-08-010000'. Examples include: DISA STIG Viewer, Nessus Audit Scans and the Open SCAP client. +- **XCCDF Benchmark (XCCDF or XCCDF Benchmark)**: XCCDF (Extensible Configuration Checklist Description Format) is a standard developed by NIST and DOD to provide a machine-readable XML format for creating security guidance documents and security technical implementation guides. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). diff --git a/src/courses/profile-dev-test/27.md b/src/courses/profile-dev-test/27.md deleted file mode 100644 index 496c4d319..000000000 --- a/src/courses/profile-dev-test/27.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -order: 27 -title: Terms & Definitions -author: Aaron Lippold ---- - -## Terms & Definitions - -- **Baseline**: This refers to a set of relevant security controls, such as NIST 800-53 controls or Center for Internet Security Controls. These controls offer high-level security best practices, grouped into common areas of concern. -- **Benchmark**: This is a set of security controls tailored to a specific type of application or product. These controls are typically categorized into 'high', 'medium', and 'low' levels based on Confidentiality, Integrity, and Availability (C.I.A). -- **[Common Correlation Identifier](https://public.cyber.mil/stigs/cci/) (CCI)**: The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. For example: 'CCI-000366'. -- **Group Title (gtitle)**: This is essentially the SRG ID but is a holdover data value from the old Vulnerability Management System. For example: 'SRG-OS-000480-GPOS-00227'. -- **Major Version Update**: These are updates that occur when a software vendor releases a new major version of their product's STIG, e.g., RedHat releasing version 9 of Red Hat Enterprise Linux or Microsoft releasing a new major version of Windows. -- **Patch Update**: These are regular updates that address missing corner cases of testing for one or more benchmark requirements, or improvements to the InSpec code for a requirement. These updates result in a new patch release of the benchmark, e.g., `v1.12.4` to `v1.12.5`. -- **Profile**: This is a set of tests representing a STIG or a CIS Benchmark. These tests automate the validation of a system against that STIG or CIS Benchmark. -- **Release Update**: These are updates that occur when the STIG Benchmark owner releases an updated version of the STIG, e.g., Red Hat Enterprise Linux V1R12 to V1R13. -- **Rule ID (rid)**: The Rule ID has two parts separated by the `r` in the string - ('SV-230221) and (r858734_rule)'. The first part remains unique within the major version of a Benchmark document, while the latter part of the string is updated each time the 'Rule' is updated 'release to release' of the Benchmark. For example: 'SV-230221r858734_rule'. -- **Security Requirements Guide (SRG)**: SRG documents provide generalized security guidance in XCCDF format that applies to a 'class' of software products such as 'web server', 'operating systems', 'application servers' or 'databases'. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). -- **Security Technical Implementation Guide (STIG)**: This is a set of specific technical actions required to establish a certain security posture for a software product. It is based on a desired Security Requirements Guide that applies to the product's software class and function, such as operating system, web server, database, etc. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). -- **SRG_ID**: This is the unique identifier of the SRG requirement. These indexes, like the STIG Rule IDs, also show their parent-child relationship. For example: 'SRG-OS-000480-GPOS-00227'. -- **STIG ID (stig_id)**: Many testing tools and testing results tools use this ID - vs the Rule ID - to display each of the individual results of a Benchmark validation run. For example: 'RHEL-08-010000'. Examples include: DISA STIG Viewer, Nessus Audit Scans and the Open SCAP client. -- **XCCDF Benchmark (XCCDF or XCCDF Benchmark)**: XCCDF (Extensible Configuration Checklist Description Format) is a standard developed by NIST and DOD to provide a machine-readable XML format for creating security guidance documents and security technical implementation guides. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). diff --git a/src/courses/profile-dev-test/README.md b/src/courses/profile-dev-test/README.md index fdb024dc2..5e17a28ab 100644 --- a/src/courses/profile-dev-test/README.md +++ b/src/courses/profile-dev-test/README.md @@ -1,26 +1,93 @@ --- order: 1 next: 02.md -title: Development & Testing InSpec Profile +title: 1. Developing & Testing InSpec Profiles author: Aaron Lippold --- +📚 **Difficulty Level**: Intermediate +⏱️ **Estimated Time**: 2-3 hours + +## Learning Objectives + +By the end of this class, you will be able to: + +- Build and validate InSpec profiles using Test Kitchen +- Configure local testing environments for security compliance +- Execute tests using Docker and AWS environments +- Implement continuous testing workflows +- Troubleshoot common profile development issues + +## Prerequisites + +Before starting this class, ensure you have: + +- Basic knowledge of Ruby ([Learn Ruby Basics](https://ruby-lang.org/en/documentation/quickstart/)) +- Docker or Podman installed ([Docker Installation Guide](https://docs.docker.com/get-docker/)) +- AWS Free Tier account (optional) ([AWS Sign Up](https://aws.amazon.com/free/)) +- Platform One account ([P1 Registration](https://login.dso.mil/)) +- Git installed ([Git Setup Guide](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)) + +## Skills Assessment + +Before proceeding, verify you can: + +- [ ] Run basic Ruby commands +- [ ] Execute Docker containers +- [ ] Use Git for version control +- [ ] Navigate command line interfaces + ## Overview -The development and testing of profiles is accomplished by a variety of tools including: Ruby, the Test Kitchen suite, InSpec compliance language, Ansible, Docker, and shell scripting (bash/zsh). To contribute with Pull Requests and fixes, you'll need to set up your local test suite following the instructions provided below. +The development and testing of InSpec validation profiles can be accomplished using a variety of tools working in concert, including Ruby, the Test Kitchen suite, the InSpec compliance language itself, Ansible, Docker, and shell scripting (bash/zsh). To contribute with Pull Requests and fixes, you'll need to set up your local test suite by following the instructions provided below. + +### Key Tools Explained + +- **Test Kitchen**: Integration testing framework + - Example: `kitchen test` validates your InSpec profiles + - Use case: Automated compliance testing +- **Docker/Podman**: Container runtime platforms + - Example: `docker run` creates isolated test environments + - Use case: Consistent testing across platforms +- **InSpec**: Compliance testing framework + - Example: `inspec exec` runs compliance checks + - Use case: Security automation +- **Platform One**: DoD's DevSecOps platform + - Example: Using hardened containers + - Use case: Secure development environments + +## Development Workflow Our development and testing workflow is managed by Test Kitchen. This tool is integral to our GitHub Actions CI/CD Pipelines and is also used for local development, testing, and releasing updates, patches, and full releases of the profile. +::: tip Walk before you run! +When starting out, focus on Docker-based testing before moving to AWS environments. +::: + +### Testing Environments + Test Kitchen uses Docker (or Podman, if preferred) and AWS (using free-tier resources) for testing. We provide example files for testing on a local Vagrant Red Hat (or other RHEL variant) box in the repository. -Additionally, Test Kitchen uses the Red Hat hardened `ubi8 base container` from Platform One for testing. To test the hardened container portion of the testing suite, you'll need to set up and log in to your P1 Free account, then obtain a CLI token to pull the Platform One Iron Bank Red Hat Enterprise Linux 8 Universal Base Image (P1 IB UBI8) image into the test suite. +### Platform One Integration -## Example Repository +Additionally, Test Kitchen uses images from Platform One during the hardened container test of the testing suite. In order for you to use them as well, you'll need to set up and log in to your P1 account (free but requires registration), then obtain a CLI token to pull the Platform One Iron Bank images into the test suite. + +::: important Secrets should be secret! +Ensure you keep your P1 CLI token secure and never commit it to version control. +::: + +## Getting Started with Examples This guide refers to the [MITRE RedHat Enterprise Linux 8 STIG](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/tree/metzger_dynamic_inputs) profile, which provides a working example of the workflow described here. -Upon the release of the next patch, v1.12.1, this process and workflow will be incorporated into the `main` branch. Currently, the process is active in the 'development' branch, as linked above. +::: note Development vs Releases +Development happens in the `main` branch, with stable versions available as tagged releases. +::: -## Checkout and Clone the Working Example +### Hands-on Practice If you would like to follow along, experiment with the workflows, and understand the process described here, feel free to fork or clone the repository above. Follow the setup and configuration steps in the next section to input your own credentials and accounts, and learn as you go! + +## Next Steps + +After setting up your environment, proceed to the next section to learn about specific testing patterns and workflows. diff --git a/src/courses/profile-dev-test/kitchen-workflow-dark.svg b/src/courses/profile-dev-test/kitchen-workflow-dark.svg deleted file mode 100644 index 7a552a96f..000000000 --- a/src/courses/profile-dev-test/kitchen-workflow-dark.svg +++ /dev/null @@ -1,481 +0,0 @@ -1
Setup
Setup
Checkout Repo
Checkout Repo
Install Tools
Install Tools
Setup Runner
Setup Runner
Configure
Configure
Setup Vanilla Instance
Setup Vanilla Instance
Setup Hardened Instance
Setup Hardened Instance
Run Test Suite
Run Test Suite
Run Tests on Vanilla
Run Tests on Vanilla
Run Tests on Hardened
Run Tests on Hardened
Record Results
Record Results
Save Tests in Pipeline
Save Tests in Pipeline
Upload Tests to Heimdall Server
Upload Tests to Heimdall Server
Validate Aginst Threshold
Validate Aginst Threshold
Validate the 'vanilla' threshold
Validate the 'vanilla' threshold
Validate the 'hardened' threshold
Validate the 'hardened' threshold
Pass/Fail the Run
Pass/Fail the Run
Threshold Met
Threshold Met
1
Threshold Not Met
Threshold Not Met
Test Kitchen Workflow - - - - - - - - - - - - 1 - - - - - - - - - - -
-
- Setup -
-
-
- - - Setup - - -
-
- - - - - - - - - - - - - - -
-
- Checkout Repo -
-
-
- - - Checkout Repo - - -
-
- - - - - - - - - - - - - - -
-
- Install Tools -
-
-
- - - Install Tools - - -
-
- - - - - - - - - - - - - - -
-
- Setup Runner -
-
-
- - - Setup Runner - - -
-
- - - - -
-
- Configure -
-
-
- - - Configure - - -
-
- - - - - - - - - - - - - - -
-
- Setup Vanilla Instance -
-
-
- - - Setup Vanilla Instance - - -
-
- - - - - - - - - - - - - - -
-
- Setup Hardened Instance -
-
-
- - - Setup Hardened Instance - - -
-
- - - - -
-
- Run Test Suite -
-
-
- - - Run Test Suite - - -
-
- - - - - - - - - - - - - - -
-
- Run Tests on Vanilla -
-
-
- - - Run Tests on Vanilla - - -
-
- - - - - - - - - - - - - - -
-
- Run Tests on Hardened -
-
-
- - - Run Tests on Hardened - - -
-
- - - - -
-
- Record Results -
-
-
- - - Record Results - - -
-
- - - - - - - - - - - - - - -
-
- Save Tests in Pipeline -
-
-
- - - Save Tests in Pipeline - - -
-
- - - - - - - - - - - - - - -
-
- Upload Tests to Heimdall Server -
-
-
- - - Upload Tests to Heimdall Server - - -
-
- - - - -
-
- Validate Aginst Threshold -
-
-
- - - Validate Aginst Threshold - - -
-
- - - - - - - - - - - - - - -
-
- Validate the 'vanilla' threshold -
-
-
- - - Validate the 'vanilla' threshold - - -
-
- - - - - - - - - - - - - - -
-
- Validate the 'hardened' threshold -
-
-
- - - Validate the 'hardened' threshold - - -
-
- - - - -
-
- Pass/Fail the Run -
-
-
- - - Pass/Fail the Run - - -
-
- - - - - - - - - - - - - - -
-
- Threshold Met -
-
-
- - - Threshold Met - - -
-
- - - - - - - - - - - - 1 - - - - -
-
- Threshold Not Met -
-
-
- - - Threshold Not Met - - -
-
- - Test Kitchen Workflow - - -
\ No newline at end of file