From e30efbbada65d07b613684481c082e44f9b7e7c5 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 5 Dec 2024 21:05:36 -0600 Subject: [PATCH 01/24] profile dev updates Signed-off-by: Aaron Lippold --- src/courses/profile-dev-test/02.md | 42 ++++++++--- src/courses/profile-dev-test/03.md | 96 +++++++++++++++++--------- src/courses/profile-dev-test/04.md | 80 ++++++++++++++++++--- src/courses/profile-dev-test/05.md | 84 ++++++++++++++++++---- src/courses/profile-dev-test/06.md | 64 +++++++++++------ src/courses/profile-dev-test/07.md | 78 +++++++++++++++++---- src/courses/profile-dev-test/08.md | 44 +++++++++--- src/courses/profile-dev-test/09.md | 52 ++++++++++---- src/courses/profile-dev-test/README.md | 69 ++++++++++++++++-- 9 files changed, 484 insertions(+), 125 deletions(-) diff --git a/src/courses/profile-dev-test/02.md b/src/courses/profile-dev-test/02.md index 153136640..edc4efad7 100644 --- a/src/courses/profile-dev-test/02.md +++ b/src/courses/profile-dev-test/02.md @@ -1,27 +1,49 @@ --- order: 2 next: 03.md -title: Repository Organization +title: Understanding Repository Organization author: Aaron Lippold --- -## Repository Organization +## Learning Objectives -The repository and profile are organized into two primary branches: `main` and `TBD`. The repository has a set of `tags` representing iterative releases of the STIG from one Benchmark major version to the next. It also has a set of releases for fixes and updates to the profile between STIG Benchmark Releases. +By the end of this section, you will: -## Branches +- Understand the branch strategy for STIG profiles +- Learn about semantic versioning in the context of STIG releases +- Know how to navigate tags and releases -### `main` branch +## Repository Structure Overview -The `main` branch contains the most recent code for the profile. It may include bugs and is typically aligned with the latest patch release for the profile. This branch is primarily used for development and testing workflows for the various testing targets. For production validation, use the latest stable patch release. +The repository uses a structured branching and tagging strategy to manage STIG profile versions and updates. This organization ensures reliable tracking of changes and stable releases for production use. -### `v{x}r{xx}` branches +## Branch Strategy -The `v{x}r{xx}` branches represent the changes between releases of the benchmark. They align with the STIG releases for the Benchmark found at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). +### Main Branch -## Releases +- Purpose: Active development and testing +- Contains: Latest code and patches +- Best for: Development and testing workflows +- Note: For production, use stable releases instead -Releases use Semantic Versioning (SemVer), aligning with the STIG Benchmark versioning system of Major Version and Release. The SemVer patch number is used for updates, bug fixes, and code changes between STIG Benchmark Releases for the given product. STIG Benchmarks use a Version and Release tagging pattern `v{x}r{xx}` - like V1R12 - and we mirror that pattern in our SemVer releases. +### Version Branches (`v{x}r{xx}`) + +- Purpose: Track major STIG benchmark releases +- Example: `v1r12` for Version 1, Release 12 +- Aligns with: Official DISA STIG releases +- Reference: [DISA STIG Document Library](https://public.cyber.mil/stigs/downloads/) + +## Version Control Strategy + +### Semantic Versioning (SemVer) + +Format: `MAJOR.RELEASE.PATCH` + +- MAJOR: Matches STIG version +- RELEASE: Matches STIG release +- PATCH: Profile updates between STIG releases + +Example timeline: ## Tags diff --git a/src/courses/profile-dev-test/03.md b/src/courses/profile-dev-test/03.md index d06550b8c..d1177be71 100644 --- a/src/courses/profile-dev-test/03.md +++ b/src/courses/profile-dev-test/03.md @@ -1,29 +1,49 @@ --- order: 3 next: 04.md -title: Environment Setup +title: Environment Setup Guide author: Aaron Lippold --- -## Required Software +## Prerequisites Knowledge -- RVM, or another Ruby Management Tool -- Ruby v3 or higher -- Git -- VS Code or another IDE -- Docker (if you want to test hardened and non-hardened containers) -- AWS CLI -- AWS Account +- Basic command line experience +- Familiarity with package managers +- Understanding of environment variables +- Basic Docker concepts -## Required Accounts +## Required Software Overview -1. [AWS Console Account](https://aws.amazon.com/console/ "AWS Console Account") -2. [Platform One Account](https://login.dso.mil/register "Platform One Account") (used for container testing) -3. [P1 Harbor Token](https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/auth?client_id=harbor&redirect_uri=https%3A%2F%2Fregistry1.dso.mil%2Fc%2Foidc%2Fcallback&response_type=code&scope=openid+profile+email+offline_access&state=WS3BsNb5JevECV4aiy3irfegFETBHfRd "DSO Harbor Login") (used for container testing) +Each tool listed below is essential for the course. We'll explain why you need each one: -## Test Suite Environment Variables +- **RVM (Ruby Version Manager)** - Manages Ruby installations +- **Ruby v3+** - Core programming language for our testing framework +- **Git** - Version control for managing code +- **VS Code/IDE** - For writing and editing code +- **Docker** - For container-based testing +- **AWS CLI** - For interacting with AWS services -1. Environment Variables used by Test Kitchen +## Required Accounts Setup + +Create accounts with these services before proceeding: + +1. **AWS Console Account** + - Purpose: Cloud infrastructure testing + - Sign up: [AWS Console](https://aws.amazon.com/console/) + +2. **Platform One (P1) Account** + - Purpose: Access to hardened containers + - Register: [Platform One Registration](https://login.dso.mil/register) + +3. **P1 Harbor Access** + - Purpose: Container registry access + - Get token: [Harbor Login](https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/auth?client_id=harbor) + +## Environment Configuration + +### 1. Test Kitchen Variables + +Important variables that control testing behavior: - `INSPEC_CONTROL`: Specifies which single control to run in the `bundle exec kitchen verify` phase, useful for testing and debugging a single requirement. - default: `none` @@ -34,26 +54,40 @@ author: Aaron Lippold - `HARDENED_CONTAINER_IMAGE`: Specifies the Docker container image you consider 'hardened' (used by `kitchen.container.yml`). - default: `registry1.dso.mil/ironbank/redhat/ubi/ubi8` -2. AWS Environment +### 2. AWS Environment Setup + +**Option 1: AWS Profiles (Recommended)** + +- Easier management of multiple environments +- More secure than environment variables +- Setup guide: [AWS CLI Profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) + +**Option 2: Environment Variables** + +- Traditional AWS environment variables +- Documentation: [AWS CLI Installation](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) + +## Step-by-Step Installation Guide -You can either use standard AWS Profiles to configure your environment or use the standard AWS Environment variables to run the test suite. See: [AWS CLI Installation & Configuration](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html "AWS CLI Install Guide") +1. **Ruby Setup** + - Install RVM or alternative Ruby manager + - Install Ruby 3.1+ + - Configure OpenSSL and certificates -- Use the `AWS_PROFILE` environment variable and AWS Credential Profiles to simplify testing on multiple AWS environments or segments. This will allow you to easily manage multiple sets of AWS secrets and access keys with adjustments to a single variable. (See: [AWS CLI and Profile Setup](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html "AWS CLI Profiles Setup")) +2. **AWS Configuration** + - Install AWS CLI + - Configure credentials + - Test connection -## Setting Up Your Environment +3. **Project Setup** + - Clone repository + - Configure Harbor CLI access + - Set up Docker registry access + - Install dependencies -1. Set up your Ruby Version Management system. -2. Install Ruby 3.1 or higher. -3. Configure OpenSSL, organization certificates, etc., for your environment and tooling. -4. Set up your AWS CLI. -5. Clone the repository. -6. Obtain your [Harbor CLI Secret](https://registry1.dso.mil/harbor/projects "DSO Harbor Projects Page"). -7. After logging in, click on your User Profile "About" to get the token. -8. Log in to the P1 Docker Registry. -9. Use the command `docker login -u {PI USER NAME} -p '{HARBOR CLI SECRET}' registry1.dso.mil`. -10. Run `bundle install` in your isolated Ruby environment. +## Verification Steps -## Post-Setup Checks +Run these commands to verify your setup: - Verify your newly installed Ruby environment by running `ruby --version`. - Confirm that InSpec was installed by running `bundle exec inspec --version`. @@ -61,4 +95,4 @@ You can either use standard AWS Profiles to configure your environment or use th - Verify that your `aws-cli` is correctly configured by running `aws s3 ls` (or your preferred test command for AWS CLI). - Confirm your bundle installation by running `bundle exec inspec --version`. - Verify you can pull from RepoOne by running `docker pull https://repo1.dso.mil/dsop/redhat/ubi/ubi8`. -- Celebrate 🎉️ if everything went well. \ No newline at end of file +- Celebrate 🎉️ if everything went well. diff --git a/src/courses/profile-dev-test/04.md b/src/courses/profile-dev-test/04.md index b94d011ae..e203b5e0b 100644 --- a/src/courses/profile-dev-test/04.md +++ b/src/courses/profile-dev-test/04.md @@ -5,20 +5,80 @@ title: Test your Test Environment author: Aaron Lippold --- -## Getting to know the Testing Suite +## Learning Objectives -Once you've set up the necessary tools, you're ready to run the profile. The testing environment is determined by Test Kitchen using environment variables. +- Understand the different testing environments available +- Learn how to use Test Kitchen commands +- Execute your first test run +- Troubleshoot common testing issues -There are four testing environments to choose from: +## Introduction -1. AWS VPC Testing: This environment uses an AWS VPC for testing. -2. Docker Testing: This environment uses Docker containers for testing. -3. Vagrant Testing: This environment uses Vagrant virtual machines for testing. -4. Local Testing: This environment uses your local machine for testing. +Before diving into testing your security profiles, let's understand the testing environment and tools we'll be using. This module will guide you through the Test Kitchen framework and help you run your first test. -The specifics of each environment's configuration are detailed in the following sections. +## Available Testing Environments -## Getting Your First Test Kitchen (TK) Run +You have four options for setting up your testing environment: + +📦 **Docker Testing** + +- Uses containers for lightweight, fast testing +- Perfect for local development +- Minimal resource requirements + +🌥️ **AWS VPC Testing** + +- Uses AWS infrastructure +- Ideal for production-like environments +- Requires AWS credentials + +🖥️ **Vagrant Testing** + +- Uses virtual machines locally +- Great for isolated testing +- Supports multiple OS environments + +💻 **Local Testing** + +- Uses your local machine +- Fastest to set up +- Best for initial development + +## Test Kitchen Lifecycle + +Test Kitchen follows a four-stage lifecycle: + +1. **Create** 🏗️ + - Sets up testing instance + - Prepares login credentials + - Initializes testing environment + +2. **Converge** 🔄 + - Runs configuration management + - Applies system settings + - Prepares system state + +3. **Verify** ✅ + - Executes InSpec profile + - Runs security tests + - Reports results + +4. **Destroy** 🗑️ + - Cleans up resources + - Removes test instances + - Resets environment + +## Running Your First Test + +### Prerequisites + +Before starting, ensure you have: + +- Test Kitchen installed +- Proper environment variables set +- Required credentials configured + +### Basic Commands For each of these examples, you need to update the `KITCHEN_LOCAL_YAML` environment variable to point to the correct `kitchen..yaml` file. Ensure that any required supporting environment settings, environment variables, profiles, etc., are in place. See Environment Variables and Testing Target Environments for more information. @@ -44,4 +104,4 @@ You can also isolate which of the 'target suites' - either `vanilla` or `hardene ## Useful Test Kitchen Commands - `login`: Allows you to easily log in using the credentials created when you ran `bundle exec kitchen create`. -- `test`: Runs all the Test Kitchen stages starting with create through destroy to easily allow you to go through a full clean test run. \ No newline at end of file +- `test`: Runs all the Test Kitchen stages starting with create through destroy to easily allow you to go through a full clean test run. diff --git a/src/courses/profile-dev-test/05.md b/src/courses/profile-dev-test/05.md index 0463d8cb5..ab96b28ff 100644 --- a/src/courses/profile-dev-test/05.md +++ b/src/courses/profile-dev-test/05.md @@ -6,18 +6,38 @@ author: Aaron Lippold --- ## AWS Testing Setup +> +> Note: This guide assumes basic familiarity with AWS. If you're new to AWS, please review the [AWS Getting Started Guide](https://aws.amazon.com/getting-started/) first. -1. Configure your AWS CLI and set up your AWS Credentials. -2. Test your AWS CLI access by running: `aws s3 ls`. -3. Clone the repository. -4. Navigate to the profile repository root directory. -5. Set the environment variable for the kitchen configuration file: `export KITCHEN_LOCAL_YAML=kitchen.ec2.yml`. - 1. This uses the [kitchen-ec2 driver](https://kitchen.ci/docs/drivers/aws/ "Test Kitchen AWS EC2 Driver Documentation"). -6. (Optional) Set a specific control to run: `export INSPEC_CONTROL='SV-230222'`. +1. Configure your AWS CLI and set up your AWS credentials + - If you haven't installed AWS CLI, [download it here](https://aws.amazon.com/cli/) + - Run `aws configure` to set up your credentials +2. Verify AWS CLI access: `aws s3 ls` + - If this fails, check your credentials and permissions +3. Clone the repository +4. Navigate to the root directory of the profile repository +5. Configure Kitchen for AWS EC2: + + ```bash + export KITCHEN_LOCAL_YAML=kitchen.ec2.yml + ``` + + > The kitchen-ec2 driver enables TestKitchen to create and manage AWS EC2 instances for testing + +6. (Optional) Target a specific control: + + ```bash + export INSPEC_CONTROL='SV-230222' + ``` ## Running Through the AWS Test Suite +> +> Understanding the Test Workflow: +> +> - **Vanilla**: Represents an unmodified baseline system +> - **Hardened**: Represents a system with security controls applied -6. List the kitchen instances with: `bundle exec kitchen list`. You should see something like this: +7. List the kitchen instances with: `bundle exec kitchen list`. You should see something like this: ```shell Instance Driver Provisioner Verifier Transport Last Action Last Error @@ -25,7 +45,15 @@ author: Aaron Lippold hardened-rhel-8 Ec2 AnsiblePlaybook Inspec Ssh Verified None ``` -7. Create a kitchen instance: `bundle exec kitchen create vanilla`. +### Key Testing Steps Explained + +8. **Create** the test instance: + + ```bash + bundle exec kitchen create vanilla + ``` + + > This step launches a fresh EC2 instance for testing ```shell ➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen create vanilla @@ -36,7 +64,13 @@ author: Aaron Lippold -----> Test Kitchen is finished. (0m1.21s) ``` -8. Converge the kitchen instance: `bundle exec kitchen converge`. +9. **Converge** the instance: + + ```bash + bundle exec kitchen converge vanilla + ``` + + > Convergence applies the necessary configurations to prepare the system for testing ```shell ➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen converge vanilla @@ -54,7 +88,7 @@ author: Aaron Lippold -----> Test Kitchen is finished. (1m13.52s) ``` -9. Run InSpec on the kitchen instance: `bundle exec kitchen verify`. +10. Run InSpec on the kitchen instance: `bundle exec kitchen verify`. ```shell ➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen verify vanilla @@ -77,7 +111,27 @@ author: Aaron Lippold -----> Test Kitchen is finished. (0m6.62s) ``` -10. Destroy the kitchen instance: `bundle exec kitchen destroy vanilla`. -11. For steps that apply to making updates, patches, and updates to the profile, see the next section, [Updating the Profile](#18-updating-the-profile). -12. Your InSpec scan results are located in the `./spec/results/` directory, named `./spec/results/rhel-8_*`. -13. Use [Heimdall Lite](https://heimdall-lite.mitre.org "MITRE Heimdall Lite") to load both the `hardened` and `vanilla` results to ensure your changes and updates, "failed as expected and passed as expected and covered your courner cases." +### Analyzing Results + +- Results Location: `./spec/results/rhel-8_*` +- Use [Heimdall Lite](https://heimdall-lite.mitre.org) to compare results: + 1. Load both `hardened` and `vanilla` results + 2. Compare to verify expected failures and passes + 3. Review corner cases for complete coverage + +::: tip Always remember to pause or destroy your test instances after testing to avoid unnecessary AWS charges: +> +> ```bash +> bundle exec kitchen destroy vanilla +> ``` +> +> ```sh +> Pause your instance in the AWS Console +> ``` +> +::: + +1. Destroy the kitchen instance: `bundle exec kitchen destroy vanilla`. +2. For steps that apply to making updates, patches, and updates to the profile, see the next section, [Updating the Profile](#18-updating-the-profile). +3. Your InSpec scan results are located in the `./spec/results/` directory, named `./spec/results/rhel-8_*`. +4. Use [Heimdall Lite](https://heimdall-lite.mitre.org "MITRE Heimdall Lite") to load both the `hardened` and `vanilla` results to ensure your changes and updates, "failed as expected and passed as expected and covered your corner cases." diff --git a/src/courses/profile-dev-test/06.md b/src/courses/profile-dev-test/06.md index e5cc83928..e46d84fd6 100644 --- a/src/courses/profile-dev-test/06.md +++ b/src/courses/profile-dev-test/06.md @@ -1,25 +1,47 @@ --- order: 6 next: 07.md -title: Docker Testing Suite +title: Testing with Docker Containers author: Aaron Lippold --- -## Docker Suite Setup +## Learning Objectives -1. Make sure Docker or Podman is running -2. Login to your docker registry -3. Clone the repository -4. Go into the profile repository root dir -5. `bundle install` -6. `export KITCHEN_LOCAL_YAML=kitchen.container.yml` (uses the [kitchen-dokken driver](https://kitchen.ci/docs/drivers/dokken/ "Test Kitchen Dokken Driver Documentation")) -7. `export VANILLA_CONTAINER_IMAGE=registry.access.redhat.com/ubi8/ubi:8.9-1028` -8. `export HARDENED_CONTAINER_IMAGE=registry1.dso.mil/ironbank/redhat/ubi/ubi8` -9. (optional) `export INSPEC_CONTROL='SV-230222'` +- Understand how to set up a Docker testing environment +- Learn to use Test Kitchen with Docker containers +- Execute and interpret InSpec tests in containers +- Analyze test results using Heimdall Lite + +## Prerequisites + +- Docker or Podman installed and running +- Access to required container registries +- Basic understanding of command line operations + +## Environment Setup + +Before running tests, configure your environment: + +1. Ensure Docker/Podman is running +2. Authenticate with your container registry +3. Clone the test profile repository +4. Navigate to the profile's root directory +5. Run `bundle install` to install dependencies + +## Configure Test Kitchen + +Set these environment variables: + +```shell +> export KITCHEN_LOCAL_YAML=kitchen.container.yml +> export VANILLA_CONTAINER_IMAGE=registry.access.redhat.com/ubi8/ubi:8.9-1028 +> export HARDENED_CONTAINER_IMAGE=registry1.dso.mil/ironbank/redhat/ubi/ubi8 +> (optional) export INSPEC_CONTROL='SV-230222' +``` ## Running Through the Docker Test Suite -10. List the kitchen instances with: `bundle exec kitchen list` +1. List the kitchen instances with: `bundle exec kitchen list` ```shell ➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen list @@ -28,7 +50,7 @@ vanilla-ubi8 Dokken Dummy Inspec Dokken hardened-ubi8 Dokken Dummy Inspec Dokken ``` -11. Create the kitchen instance: `bundle exec kitchen create vanilla` +2. Create the kitchen instance: `bundle exec kitchen create vanilla` ```shell -----> Starting Test Kitchen (v3.5.1) @@ -41,7 +63,7 @@ hardened-ubi8 Dokken Dummy Inspec Dokken -----> Test Kitchen is finished. (0m1.77s) ``` -12. Converge the kitchen instance: `bundle exec kitchen converge vanilla` +3. Converge the kitchen instance: `bundle exec kitchen converge vanilla` ```shell ➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen converge vanilla @@ -52,7 +74,7 @@ hardened-ubi8 Dokken Dummy Inspec Dokken -----> Test Kitchen is finished. (0m0.88s) ``` -13. Run InSpec on the kitchen instance: `bundle exec kitchen verify vanilla` +4. Run InSpec on the kitchen instance: `bundle exec kitchen verify vanilla` ```shell -----> Starting Test Kitchen (v3.5.1) @@ -71,9 +93,9 @@ Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped Test Summary: 0 successful, 4 failures, 0 skipped ``` -## This is not the **Error** Your Looking For, move along... +## This is not the **Error** Your Looking For, move along -The error below is just Test Kitchen telling you that not all of the Contrls in the profile passed. +The error below is just Test Kitchen telling you that not all of the `controls` of the profile passed. ```shell >>>>>> ------Exception------- @@ -85,6 +107,8 @@ The error below is just Test Kitchen telling you that not all of the Contrls in >>>>>> Also try running `kitchen diagnose --all` for configuration ``` -14. For steps that apply to making updates, patches, and updates to the profile, see the next section, [Updating the Profile](#updating-the-profile). -15. Your InSpec scan results are located in the `./spec/results/` directory, named `./spec/results/ubi-8_*.` -16. Use Heimdall Lite to load both the `hardened` and `vanilla` results to ensure your changes and updates, "failed as expected and passed as expected and covered your corner cases." +## Next Steps + +1. For steps that apply to making updates, patches, and updates to the profile, see the next section, [Updating the Profile](#updating-the-profile). +2. Your InSpec scan results are located in the `./spec/results/` directory, named `./spec/results/ubi-8_*.` +3. Use Heimdall Lite to load both the `hardened` and `vanilla` results to ensure your changes and updates, "failed as expected and passed as expected and covered your corner cases." diff --git a/src/courses/profile-dev-test/07.md b/src/courses/profile-dev-test/07.md index 3924ca960..819aee9c4 100644 --- a/src/courses/profile-dev-test/07.md +++ b/src/courses/profile-dev-test/07.md @@ -1,23 +1,35 @@ --- order: 7 next: 08.md -title: Updating - Choosing Your Approach +title: Pull Request Strategies - Choosing Your Approach author: Aaron Lippold --- -## Choosing Your Approach +## Learning Objectives -This project follows the [GitFlow model](https://docs.github.com/en/get-started/quickstart/github-flow "GitFlow Announcement Blog") for managing the repository, accepting pull requests (PRs), and merging changes into the profile. +By the end of this section, you will: -## Micro vs Massive Pull Requests (PRs) +- Understand GitFlow workflow for repository management +- Compare micro and macro PR approaches +- Learn when to use different PR strategies -In software development, the decision between making many small pull requests (micro PRs) or fewer, larger pull requests (massive PRs) often depends on the context. Both approaches have their benefits and challenges. +## GitFlow Overview -### Micro PRs +This project uses the [GitHub Flow](https://docs.github.com/en/get-started/quickstart/github-flow) model for managing changes. This workflow helps maintain code quality and collaboration through systematic pull requests (PRs). -Micro PRs involve making frequent, small changes to the codebase. Each PR is focused on a single task or feature. +## Understanding Pull Request Strategies -**Benefits:** +When contributing to a project, you'll need to choose between two main PR approaches: + +### 1. Micro PRs (Small, Frequent Changes) + +**Characteristics:** + +- Single task or feature per PR +- Usually < 200 lines of code +- Frequent submissions + +**Advantages:** - **Easier to review:** Small changes are easier for reviewers to understand and provide feedback on. - **Less risk:** If a problem arises, it's easier to identify and fix because the change is isolated. @@ -28,11 +40,15 @@ Micro PRs involve making frequent, small changes to the codebase. Each PR is foc - **Overhead:** Each PR requires its own review and merge process, which can be time-consuming. - **Context switching:** Frequent changes can disrupt the flow of work, especially if developers have to switch between different tasks. -### Macro PRs +### 2. Macro PRs (Large, Comprehensive Changes) + +**Characteristics:** -Macro PRs involve making larger, more comprehensive changes to the codebase. Each PR may encompass multiple tasks or features. +- Multiple related changes +- Larger codebase modifications +- Less frequent submissions -**Benefits:** +**Advantages:** - **Efficiency:** Larger PRs can be more efficient because they require fewer reviews and merges. - **Coherence:** By grouping related changes together, it may be easier to understand how different parts of the codebase interact. @@ -43,11 +59,47 @@ Macro PRs involve making larger, more comprehensive changes to the codebase. Eac - **Higher risk:** If a problem arises, it can be more difficult to identify and fix because it could be anywhere in the large set of changes. - **Delayed feedback:** With fewer PRs, there are fewer opportunities for feedback. -### PR Strategies for Different Update Scenarios +## Practical Guidelines + +### When to Use Micro PRs + +- Bug fixes +- Small feature additions +- Documentation updates +- Performance optimizations + +### When to Use Macro PRs + +- Major version upgrades +- Complex feature implementations +- Architectural changes +- Large-scale refactoring + +## Update Scenarios The choice between micro and massive PRs can significantly impact the workflows in our `Patch Update`, `Release Update`, and `Major Version Update`. - **Patch and Release Updates:** These updates typically involve minor changes or additions, which can be easily managed with either micro or massive PRs. The choice depends on your team's preference for review speed and context switching. + - **Major Version or Large Jump Release Updates:** These updates require a thorough review of every single control and requirement. They also necessitate extensive testing, both automated (via the CI/CD testing matrix) and manual. In this scenario, the overhead of managing multiple micro or mini PRs can be substantial. However, the benefit is that it allows for more granitary control and review of changes. It's also easier to isolate and fix issues that arise during testing. -In conclusion, the choice between micro and massive PRs depends on the specific needs and circumstances of your project. It's important to strike a balance that maximizes efficiency while minimizing risk, and fosters effective collaboration within your team. +## Practice Exercise + +Consider these scenarios and decide which PR strategy you would use: + +1. Fixing a typo in documentation +2. Implementing a new security control +3. Upgrading to a new major version + +## Summary + +- Choose micro PRs for better review quality and reduced risk +- Use macro PRs for cohesive, large-scale changes +- Consider project context and team preferences +- Balance efficiency with maintainability + +## Review Questions + +1. What are the key differences between micro and macro PRs? +2. Which PR strategy would you choose for a critical security patch? +3. How does GitFlow support different PR strategies? diff --git a/src/courses/profile-dev-test/08.md b/src/courses/profile-dev-test/08.md index 9db384a75..e26f9135a 100644 --- a/src/courses/profile-dev-test/08.md +++ b/src/courses/profile-dev-test/08.md @@ -1,22 +1,48 @@ --- order: 8 next: 09.md -title: Secruity Benchmarks vs Traditional Software +title: Security Benchmarks vs Traditional Software author: Aaron Lippold --- -## Security Benchmark Code VS Traditional Software Applications +## Understanding Security Benchmarks -When planning your team's approach, remember that a Security Benchmark is only considered 'complete and valid' when all requirements for that specific Release or Major Version are met. This differs from traditional software projects where features and capabilities can be incrementally added. +## Key Differences from Traditional Software -## Security Benchmarks Are Release-Specific +Security benchmarks differ from traditional software development in several critical ways: -A Security Benchmark and ***its corresponding InSpec Profile*** are only applicable within the context of a specific 'Release' of that Benchmark. +1. **Completeness Requirement** + - Traditional Software: Can be released with partial features + - Security Benchmarks: Must meet ALL requirements for a specific version -The choice between a `micro` or `massive` approach depends more on your team's work style preference. +2. **Version Specificity** + - Each benchmark version is a complete, standalone entity + - InSpec profiles must match their corresponding benchmark version exactly -Regardless of the approach, the final release of the Benchmark will be the same. The deciding factors for its readiness for release are the expected thresholds, hardening, and validation results. +## Development Approaches -## 'main' is `out of scope` for a Benchmark +Two common approaches to benchmark development: -Benchmarks do not accommodate 'incremental requirements'. Therefore, your team should always work off a fork of the last release. If there is a 'main' or 'development' branch in your profile, it should be considered as a candidate for merging into the next patch or update release. \ No newline at end of file +- **Micro Approach**: Gradual, incremental development +- **Massive Approach**: Complete implementation in larger chunks + +> 💡 **Key Point**: Both approaches are valid - choose based on your team's workflow preferences. + +## Version Control Best Practices + +### Working with Branches + +- ⚠️ Never work directly on 'main' +- Always fork from the latest release +- Consider 'main' or 'development' branches as pre-release candidates + +## Practical Exercise + +Try answering these questions: + +1. Why can't security benchmarks be released incrementally? +2. How should you handle new requirements that arise between releases? +3. What branch strategy would you use for a new benchmark version? + +--- +**Remember**: Security benchmark validation is binary - it either meets all requirements or it doesn't. diff --git a/src/courses/profile-dev-test/09.md b/src/courses/profile-dev-test/09.md index f875f0550..d4d4e2942 100644 --- a/src/courses/profile-dev-test/09.md +++ b/src/courses/profile-dev-test/09.md @@ -1,29 +1,55 @@ --- order: 9 next: 10.md -title: Types of Profile Updates +title: Understanding Profile Updates author: Aaron Lippold --- -## Types of Benchmark Updates +## Learning Objectives -When updating the profile, you'll be making one of three types of changes: +By the end of this section, you will be able to: -1. **Patch Update:** These frequent updates cover missing corner cases of testing for one or more benchmark requirements, or improvements to the InSpec code for a requirement. These updates result in a new patch release of the benchmark, such as going from `v1.12.4` to `v1.12.5`. We aim to release these updates on a regular schedule, either weekly, bi-weekly, or monthly. -2. **Release Update:** These updates occur when the STIG Benchmark owner releases an updated version of the STIG, for example, going from Red Hat Enterprise Linux V1R12 to V1R13. -3. **Major Version Update:** These updates occur when a software vendor releases a new major version of their product's STIG. For example, when Red Hat releases version 9 of Red Hat Enterprise Linux or Microsoft releases a new major version of Windows, such as Windows 2024 or Windows 12. +- Identify the three types of profile updates +- Understand the scope of STIG and CIS Benchmark updates +- Recognize the forward-only nature of security benchmark updates -### Scope of the Update Patterns +## Types of Profile Updates -The STIGs and CIS Benchmarks are scoped within the Major Version of the software products they represent. +Security benchmark profiles require regular updates to maintain their effectiveness. Let's explore the three main types of updates: -Updates or amendments to a Benchmark's requirements are tracked within the 'Releases' of the Benchmark. +### 1. Patch Updates (Minor Changes) -As we mentioned in the previous section, ***there is no concept of 'back-patching'***; it is a ***'forward-only'*** process. +- Frequency: Weekly to monthly +- Purpose: Address corner cases and improve testing code +- Version Change Example: v1.12.4 → v1.12.5 +- Typical Changes: Bug fixes, code improvements, test coverage expansion -Each requirement is indexed from their source SRG document, aligned to a CCI, and then given a unique `Rule ID` and `STIG ID` in the respective XCCDF Benchmark document. +### 2. Release Updates (Intermediate Changes) -Here is an example of various indices you may recognize: +- Triggered by: STIG Benchmark owner releases +- Example: RHEL STIG V1R12 → V1R13 +- Includes: New security requirements, updated controls + +### 3. Major Version Updates + +- Triggered by: New product versions +- Examples: + - RHEL 8 → RHEL 9 + - Windows Server 2019 → Windows Server 2022 + +## Understanding Update Scope + +Important concepts to remember: + +- Updates are version-specific +- Changes only move forward ("forward-only" process) +- No "back-patching" to older versions +- Each requirement maps to: + - Source SRG document + - Control Correlation Identifier (CCI) + - Unique Rule and STIG IDs + +Example requirement identifiers: ```ruby tag gtitle: 'SRG-OS-000480-GPOS-00227' @@ -32,4 +58,4 @@ tag rid: 'SV-230221r858734_rule' tag stig_id: 'RHEL-08-010000' tag fix_id: 'F-32865r567410_fix' tag cci: ['CCI-000366'] -``` \ No newline at end of file +``` diff --git a/src/courses/profile-dev-test/README.md b/src/courses/profile-dev-test/README.md index fdb024dc2..348b20072 100644 --- a/src/courses/profile-dev-test/README.md +++ b/src/courses/profile-dev-test/README.md @@ -5,22 +5,83 @@ title: Development & Testing InSpec Profile author: Aaron Lippold --- +📚 **Difficulty Level**: Intermediate +⏱️ **Estimated Time**: 2-3 hours + +## Learning Objectives + +By completing this module, you will be able to: + +- Build and validate InSpec profiles using Test Kitchen +- Configure local testing environments for security compliance +- Execute tests using Docker and AWS environments +- Implement continuous testing workflows +- Troubleshoot common profile development issues + +## Prerequisites + +Before starting this module, ensure you have: + +- Basic knowledge of Ruby ([Learn Ruby Basics](https://ruby-lang.org/en/documentation/quickstart/)) +- Docker or Podman installed ([Docker Installation Guide](https://docs.docker.com/get-docker/)) +- AWS Free Tier account (optional) ([AWS Sign Up](https://aws.amazon.com/free/)) +- Platform One account ([P1 Registration](https://login.dso.mil/)) +- Git installed ([Git Setup Guide](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)) + +## Skills Assessment + +Before proceeding, verify you can: + +- [ ] Run basic Ruby commands +- [ ] Execute Docker containers +- [ ] Use Git for version control +- [ ] Navigate command line interfaces + ## Overview -The development and testing of profiles is accomplished by a variety of tools including: Ruby, the Test Kitchen suite, InSpec compliance language, Ansible, Docker, and shell scripting (bash/zsh). To contribute with Pull Requests and fixes, you'll need to set up your local test suite following the instructions provided below. +The development and testing of profiles are accomplished using a variety of tools, including Ruby, the Test Kitchen suite, InSpec compliance language, Ansible, Docker, and shell scripting (bash/zsh). To contribute with Pull Requests and fixes, you'll need to set up your local test suite by following the instructions provided below. + +### Key Tools Explained + +- **Test Kitchen**: Integration testing framework + - Example: `kitchen test` validates your InSpec profiles + - Use case: Automated compliance testing +- **Docker/Podman**: Container platforms + - Example: `docker run` creates isolated test environments + - Use case: Consistent testing across platforms +- **InSpec**: Compliance testing framework + - Example: `inspec exec` runs compliance checks + - Use case: Security automation +- **Platform One**: DoD's DevSecOps platform + - Example: Using hardened containers + - Use case: Secure development environments + +## Development Workflow Our development and testing workflow is managed by Test Kitchen. This tool is integral to our GitHub Actions CI/CD Pipelines and is also used for local development, testing, and releasing updates, patches, and full releases of the profile. +> 💡 **Pro Tip**: When starting out, focus on Docker-based testing before moving to AWS environments. + +### Testing Environments + Test Kitchen uses Docker (or Podman, if preferred) and AWS (using free-tier resources) for testing. We provide example files for testing on a local Vagrant Red Hat (or other RHEL variant) box in the repository. +### Platform One Integration + Additionally, Test Kitchen uses the Red Hat hardened `ubi8 base container` from Platform One for testing. To test the hardened container portion of the testing suite, you'll need to set up and log in to your P1 Free account, then obtain a CLI token to pull the Platform One Iron Bank Red Hat Enterprise Linux 8 Universal Base Image (P1 IB UBI8) image into the test suite. -## Example Repository +> ⚠️ **Important**: Ensure you keep your P1 CLI token secure and never commit it to version control. + +## Getting Started with Examples This guide refers to the [MITRE RedHat Enterprise Linux 8 STIG](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/tree/metzger_dynamic_inputs) profile, which provides a working example of the workflow described here. -Upon the release of the next patch, v1.12.1, this process and workflow will be incorporated into the `main` branch. Currently, the process is active in the 'development' branch, as linked above. +> 🔍 **Note**: Development happens in the `main` branch, with stable versions available as tagged releases. -## Checkout and Clone the Working Example +### Hands-on Practice If you would like to follow along, experiment with the workflows, and understand the process described here, feel free to fork or clone the repository above. Follow the setup and configuration steps in the next section to input your own credentials and accounts, and learn as you go! + +## Next Steps + +After setting up your environment, proceed to the next section to learn about specific testing patterns and workflows. From 5f0e7273976656b73a1e2557c3381c090f22fd0c Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Thu, 5 Dec 2024 22:48:00 -0600 Subject: [PATCH 02/24] profile dev updates Signed-off-by: Aaron Lippold --- src/courses/profile-dev-test/10.md | 81 ++++++++++++++++++++--------- src/courses/profile-dev-test/11.md | 55 +++++++++++++++++--- src/courses/profile-dev-test/12.md | 83 +++++++++++++++++++++++++----- src/courses/profile-dev-test/13.md | 82 +++++++++++++++++++++++++---- src/courses/profile-dev-test/14.md | 71 +++++++++++++++++++++---- src/courses/profile-dev-test/15.md | 66 ++++++++++++++++++------ src/courses/profile-dev-test/16.md | 34 ++++++++++-- src/courses/profile-dev-test/17.md | 78 +++++++++++++++++++++++----- src/courses/profile-dev-test/18.md | 22 ++++++-- src/courses/profile-dev-test/19.md | 13 +++-- src/courses/profile-dev-test/20.md | 18 ++++++- src/courses/profile-dev-test/21.md | 8 +-- src/courses/profile-dev-test/22.md | 6 +-- src/courses/profile-dev-test/23.md | 6 +-- src/courses/profile-dev-test/24.md | 8 +-- src/courses/profile-dev-test/25.md | 11 +++- src/courses/profile-dev-test/26.md | 15 +++--- src/courses/profile-dev-test/27.md | 18 +++---- src/courses/profile-dev-test/28.md | 16 +++--- src/courses/profile-dev-test/29.md | 20 +++---- 20 files changed, 559 insertions(+), 152 deletions(-) diff --git a/src/courses/profile-dev-test/10.md b/src/courses/profile-dev-test/10.md index e81db23fa..a3a19a342 100644 --- a/src/courses/profile-dev-test/10.md +++ b/src/courses/profile-dev-test/10.md @@ -1,24 +1,50 @@ --- order: 10 next: 11.md -title: What Is Done for a Control? +title: What Is `Done` for a Control? author: Aaron Lippold --- +# Understanding Control Completion in Security Automation + +## Learning Objectives + +By the end of this section, you will be able to: + +- Define the criteria for a "done" security control +- Apply the MITRE SAF yardstick to evaluate controls +- Implement effective control testing strategies +- Create and maintain progress tracking systems +- Debug common control implementation issues + +## Knowledge Check Questions + +Before we begin, consider these questions: + +1. What makes a security control "complete"? +2. How do you verify a control works in different environments? +3. What's the difference between "passing well" and just passing? + +## Introduction + +Understanding when a security control is truly "done" is crucial for security automation engineers. This section will guide you through the criteria, best practices, and practical approaches to ensure your controls are complete and effective. + ## When is a Control Considered 'Done' You and your team might be wondering what 'done' means for a security control in your profile. Here are a few things to consider: -- The security automation content and its tests are essentially a refactoring of the 'validation' and 'remediation' guidance already established by the benchmark. -- The security automation content tests should fully capture the spirit - or intention - of the guidance, including its caveats, notes, discussion, and 'validation' and 'remediation' content. -- The tests can - and usually do - capture known 'corner cases and security best practices' that are sometimes indirectly or not directly addressed by the benchmark but implied by the spirit of the security requirement being addressed. -- These tests, like all human-written code, may not be perfect. They will need updates and will evolve as our knowledge of the system and benchmark grows. We use the profile in production and real-world environments. In other words, don't let the pursuit of perfection hinder progress. +1. The security automation content and its tests are essentially a refactoring of the 'validation' and 'remediation' guidance already established by the benchmark. +2. The security automation content tests should fully capture the spirit - or intention - of the guidance, including its caveats, notes, discussion, and 'validation' and 'remediation' content. +3. The tests can - and usually do - capture known 'corner cases and security best practices' that are sometimes indirectly or not directly addressed by the benchmark but implied by the spirit of the security requirement being addressed. +4. These tests, like all human-written code, may not be perfect. They will need updates and will evolve as our knowledge of the system and benchmark grows. We use the profile in production and real-world environments. In other words, don't let the pursuit of perfection hinder progress. The 'is it done' litmus test is not solely determined by a perfect InSpec control or describe and expect blocks. It also heavily relies on you, the security automation engineer. Your experience, understanding of the platform you're working on, and the processes that you and your team have collectively agreed upon are all vital components. Trust your established expected test outcomes, the guidance document, and the CI/CD testing framework. They will help you know that, to the best of your ability, you have captured the spirit of the testing required by the Benchmark. -## The MITRE Security Automation Framework 'Yardstick' +## The MITRE SAF Testing Framework + +Our framework provides a comprehensive approach to testing controls. We call this the "SAF Yardstick": We consider a control effectively tested when: @@ -37,11 +63,15 @@ We consider a control effectively tested when: 6. The test communicates effectively and clearly articulates the Not Reviewed condition for both the 'vanilla' and 'hardened' testing targets. 7. The tests have been constructed in a way that they do not produce Profile Errors when looping, using conditional logic, or when system conditions - such as missing files, directories, or services - are not in the expected locations. -## Defining 'Passes as Expected' +## Best Practices for Test Implementation -'Passing as expected' is the most straightforward concept as it directly corresponds to the test conditions. When the test asserts a condition, it validates that assertion and reports it to the end user in a clear and concise manner. +### Passing Tests (Passing Well) -We strive to ensure that when we report a 'pass', we do so in a language that is direct, simple, and easy to understand. +A well-implemented passing test should: + +- Clearly communicate success conditions +- Use simple, direct language +- Include validation of edge cases For example: @@ -54,13 +84,13 @@ For example: - The conditions for the Not Reviewed and Not Applicable states for the control, if any. -## Defining `Fails as Expected` - -'Failing as expected' is a less straightforward concept as it doesn't always directly correspond to the test conditions. When the test asserts a condition and it fails, the reason for that failure should be communicated to the end user in a clear and concise manner. +### Failing Tests (Failing Well) -However, as we all know, a test may fail for more than one reason. Sometimes, the reason for failure might be connected to human error, conditions on the system such as extra lines, files, or housekeeping on the system that was not done, etc. All these factors may need to be accounted for in your tests and perhaps captured in your output and 'reasons' for failure. +When implementing failure scenarios, ensure: -This is where the above 'best practices' come into play. You don't just test in optional 'pass' and 'fail' conditions only, but also 'dirty things up' a bit and make sure that your 'failure' cases are robust enough to handle the real world and semi-perfect conditions. +- Clear error messages +- Actionable feedback +- Proper error handling For example: @@ -77,17 +107,22 @@ For example: - Misconfigurations, extra lines in files, extra settings, missing files, etc. -## Defining `Communicates Effectively` +## Hands-on Exercise 1: Creating Your First Control + +Let's practice implementing a basic control: -Clear communication from your testing suite may require you to use a combination of approaches, but the extra time and effort is well worth it. +1. Create a basic control test +2. Add passing and failing scenarios +3. Implement clear communication +4. Test edge cases -Here are some methods you can employ and things to consider: +## Key Takeaways -- Use `expect` vs `describe` statements in cases where you have multi-part or multi-phase test cases. -- Break up your `describe` statements into multiple layers so that the final output to the end user is clear and concise. -- Post-process and format both 'passing' and 'failures' so that they are useful to the end user later and clear for communication to other team members. This could be in the form of lists or bulleted lists. -- Collect 'failing results' as simple, clear lists or bullets that are easy to 'copy and paste'. This makes it easier for teams to know 'what they have to fix and where'. -- Consider assisting 'Manual Review'/'Not Reviewed' tests by collecting needed information, such as users, groups, or other elements that you are asking the user or another person to review. While we may not be able to fully automate the test, if the 'automation can help collect' then it still adds value. +- Control completion is more than just passing tests +- Use the SAF Yardstick as your guide +- Clear communication is essential +- Track progress consistently +- Group similar controls for efficiency ## Tracking Your Progress @@ -133,4 +168,4 @@ The MITRE SAF team has found the following best practices effective for organizi 4. **Always Strive to Have a Full Test Suite:** Ensuring the fidelity of testing is crucial. This principle applies to both the 'vanilla' and 'hardened' contexts, as well as to the 'primary deployment platforms' that your profile supports. These platforms might include Virtual Machines, Cloud Instances, and Container Deployments. Your goal should be to have both 'hardened' and 'vanilla' baselines for each deployment target. This strategy allows for easy provisioning of each platform. It also facilitates easy testing of your control on each platform as you progress from one control to another. This practice ensures that you are crafting the best possible tests for each target platform and configuration. -5. **Try to Test Locally First, with the Pipeline Second:** One of the key patterns highlighted in this guidance is the combination of local and CI/CD-based testing. We advocate for both approaches for a specific reason. When you are working on multiple controls, it's more efficient to test each control on each platform locally. This method is quicker than waiting for the CI/CD pipeline to create a new deployment of the test and target platforms each time. Once you have configured your targets and platforms locally with Test Kitchen, you can be confident in their stability. You should prioritize these local targets for initial testing. After testing them and when you are ready to proceed to the next control, push those updates to the CI/CD pipeline. This step verifies that your controls still function in a clean environment. This approach promotes a more efficient workflow process and eliminates the need for continuous 'push and wait' for the pipeline. \ No newline at end of file +5. **Try to Test Locally First, with the Pipeline Second:** One of the key patterns highlighted in this guidance is the combination of local and CI/CD-based testing. We advocate for both approaches for a specific reason. When you are working on multiple controls, it's more efficient to test each control on each platform locally. This method is quicker than waiting for the CI/CD pipeline to create a new deployment of the test and target platforms each time. Once you have configured your targets and platforms locally with Test Kitchen, you can be confident in their stability. You should prioritize these local targets for initial testing. After testing them and when you are ready to proceed to the next control, push those updates to the CI/CD pipeline. This step verifies that your controls still function in a clean environment. This approach promotes a more efficient workflow process and eliminates the need for continuous 'push and wait' for the pipeline. diff --git a/src/courses/profile-dev-test/11.md b/src/courses/profile-dev-test/11.md index 5a2421289..b94741697 100644 --- a/src/courses/profile-dev-test/11.md +++ b/src/courses/profile-dev-test/11.md @@ -1,20 +1,59 @@ --- order: 11 next: 12.md -title: Rules of the Road +title: Security Benchmark Profile Management author: Aaron Lippold --- -## Best Practices for Profile Managment +## Introduction to Profile Management -When updating Benchmark Profiles, adhere to these key principles to maintain alignment with the original Guidance Documents: +Security benchmark profiles are critical tools for maintaining system security standards. Before diving into the implementation details, let's understand the fundamental principles that guide their management. -1. **Maintain Version Integrity:** **Never Merge** new requirements into older benchmark branches. This will create a 'mixed baseline' that doesn't align with any specific guidance document. Benchmarks, STIGs, and Guidance Documents form a 'proper subset' - they should be treated as 'all or nothing'. Mixing requirements from different versions can invalidate the concept of 'testing to a known benchmark'. +## Core Principles of Profile Management -2. **Benchmarks are a Complete Set of Requirements:** A Security Benchmark is 'complete and valid' only when all requirements for a specific Release or Major Version are met. Unlike traditional software projects, features and capabilities cannot be incrementally added. A Security Benchmark and its corresponding InSpec Profile are valid only within the scope of a specific 'Release' of that Benchmark. +### 1. Version Control and Integrity -3. **Release Readiness Is Predefined:** A Benchmark is considered 'ready for release' when it meets the expected thresholds, hardening, and validation results. Don't be overwhelmed by the multitude of changes across the files. Instead, focus on the specific requirement you are working on. Understand its expected failure and success states on each of the target testing platforms. This approach prevents you from being overwhelmed and provides solid pivot points as you work through the implementation of the automated tests for each requirement and its 'contexts'. +**Key Rule: Keep Versions Separate** -4. **Use Vendor-Managed Standard Releases:** When setting up a test suite, prioritize using vendor-managed standard releases for software installations and baseline configurations. This should be the starting point for both 'vanilla' and 'hardening' workflows. This approach ensures that your initial and ongoing testing, hardening, and validation closely mirror the real-world usage scenarios of your end-users. +- Never mix requirements from different versions +- Each version represents a distinct security baseline +- Example: Don't combine STIG v2.5 requirements with v3.0 requirements -By adhering to these principles, you ensure that your updates to Benchmark Profiles are consistent, accurate, and aligned with the original guidance documents. \ No newline at end of file +### 2. Completeness Principle + +**Key Rule: All or Nothing** + +- Security benchmarks must include all requirements for a specific version +- Think of it like a recipe - missing ingredients affect the final result +- Example: A Windows 10 STIG profile must implement all controls specified in that version + +### 3. Release Management + +**Key Rule: Meet All Standards** + +- Release readiness is determined by: + - Passing all validation tests + - Meeting security hardening requirements + - Achieving expected thresholds +- Focus on one requirement at a time during development + +### 4. Testing Environment Standards + +**Key Rule: Use Standard Baselines** + +- Start with vendor-managed standard releases +- Test against both: + - Default ("vanilla") configurations + - Hardened configurations +- This ensures real-world applicability + +## Best Practices for Implementation + +1. Document your testing environment +2. Maintain a changelog for each profile version +3. Use version control for tracking changes +4. Test thoroughly before releasing + +## Summary + +Remember: Security benchmarks are complete sets of requirements tied to specific versions. Success comes from methodical implementation and thorough testing against standard baselines. diff --git a/src/courses/profile-dev-test/12.md b/src/courses/profile-dev-test/12.md index e8d422d8e..c4d8ca942 100644 --- a/src/courses/profile-dev-test/12.md +++ b/src/courses/profile-dev-test/12.md @@ -1,20 +1,79 @@ --- order: 12 next: 13.md -title: Creating a `Patch Update` +title: Understanding Profile Patch Updates author: Aaron Lippold --- -## The `Patch Update` Process +## Learning Objectives -A patch update involves making minor changes to a profile to fix issues or improve functionality. Here's a step-by-step guide: +- Understand what constitutes a patch update +- Learn the complete patch update workflow +- Master the testing and validation process -1. **Report the Issue:** Open an issue on our project, detailing the problem and providing examples. Do this on [our issues page](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/issues). -2. **Fork and Branch:** Fork the repository on GitHub, then create a branch off the `tagged` patch release you're targeting for the update. -3. **Set Up Testing Suites:** In your forked branch, set up the AWS and Docker testing suites. -4. **Make Updates:** Update the control, `inspec.yml` inputs, thresholds, etc. Don't worry about the InSpec version in the `inspec.yml` - the release process handles that. -5. **Test Your Updates Locally:** Test your updates on all `vanilla` and `hardened` variants of the `known bad` and `known good` states of the `AWS EC2` and `Docker` test targets. Also, test your controls outside perfect conditions to ensure they handle non-optimal target environments. Verify that your update considers the `container`, `virtual machine`, and `1U machine` testing context of applicability. -6. **Lint Your Updates:** Use the `bundle exec rake lint` and `bundle exec rake lint:autocorrect` commands from the test suite to lint your updates. -7. **Commit Your Updates:** After testing and linting, commit your updates to your branch. Include `Fixes #ISSUE` in your commit messages to automatically close the issue when your PR is merged. -8. **Open a PR:** Open a PR on the project repository from your fork. -9. **Check Test Suite:** Ensure the GitHub Action test suite on the project side passes. You can check this at [our actions page](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/actions). +## What is a Patch Update? + +A patch update is a minor modification to an InSpec profile that addresses specific issues, bugs, or improvements without changing core functionality. Common examples include: + +- Fixing control logic errors +- Updating threshold values +- Improving error handling +- Adding missing test cases + +## Step-by-Step Patch Update Process + +### 1. Issue Documentation + +- Create a detailed issue in the project repository +- Include specific examples of the problem +- Reference any related documentation +- Link: [Project Issues Page](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/issues) + +### 2. Environment Setup + +- Fork the repository +- Create a branch from the target patch release tag +- Configure test environments: + - AWS testing suite + - Docker testing suite + +### 3. Implementation + +- Make necessary updates to: + - Control logic + - `inspec.yml` inputs + - Threshold values +- Note: The InSpec version in `inspec.yml` is managed during release + +### 4. Testing Protocol + +Verify your changes across multiple environments: + +- Vanilla systems +- Hardened systems +- Known bad states +- Known good states +- Edge cases and error conditions + +Test contexts to cover: + +- Container environments +- Virtual machines +- Physical hardware (1U machines) + +### 5. Quality Assurance + +Run the provided linting tools: + +- `bundle exec rake lint` +- `bundle exec rake lint:autocorrect` + +### 6. Commit and PR + +- Commit your updates with a message including `Fixes #ISSUE` +- Open a PR from your fork to the project repository + +### 7. Test Suite Verification + +- Ensure the GitHub Action test suite passes +- Link: [Project Actions Page](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/actions) diff --git a/src/courses/profile-dev-test/13.md b/src/courses/profile-dev-test/13.md index 5bd26a58b..42cf4ecd9 100644 --- a/src/courses/profile-dev-test/13.md +++ b/src/courses/profile-dev-test/13.md @@ -1,18 +1,80 @@ --- order: 13 next: 14.md -title: Creating a `Release Update` +title: Understanding Release Updates in SAF author: Aaron Lippold --- -## The `Release Update` Process +## Learning Objectives -A `Release Update` involves creating a new branch, `v#{x}R#{x+1}`, from the current main or latest patch release branch. The `saf generate delta` workflow is then run, which updates the metadata of the `controls`, `inspec.yml`, `README.md`, and other profile elements, while preserving the `describe` and `ruby code logic`. This workflow is detailed in the [Inspec Delta](#2-inspec-delta) section. After the initial commit of the new release branch, follow these steps to keep your work organized: +- Understand what a Release Update is and when it's needed +- Learn the step-by-step process of creating a Release Update +- Master the key components of Release Update management -1. **Track Control IDs:** Create a table of all new `control ids` in the updated benchmark. This can be in CSV, Markdown Table, or in the PR overview information section. This helps track completed and pending work. PRs off the `v#{x}r#{x+1}` can also be linked in the table, especially if using a `micro` vs `massive` PR approach. -2. **Ensure Consistency:** Add 'check box columns' to your tracking table to ensure each requirement of the updated Benchmark receives the same level of scrutiny. -3. **Update CI/CD Process:** Update elements such as the `hardening` content (ansible, puppet, chef, hardened docker images, hardened vagrant boxes) to meet new requirements. Ensure the CI/CD process still functions with the updated elements, preferably on the PR as well. -4. **Update Labels:** Update `titles` and other labels to reflect the updated release number of the Benchmark. -5. **Commit Changes:** Commit these changes to your release branch, ensuring your CI/CD process exits cleanly. -6. **Follow Patch Update Workflow:** With the above in place, follow the 'Patch Update' process, but expect a larger number of requirements to revalidate or update. -7. **Identify Potential Code Changes:** Controls with changes to the `check text` or `fix text` are likely to require `inspec code changes`. If the `check text` and `fix text` of a control remain unchanged, it's likely only a cosmetic update, with no change in the security requirement or validation code. \ No newline at end of file +## What is a Release Update? + +A Release Update is a structured process for updating Security Automation Framework (SAF) profiles to accommodate new benchmark versions. This process ensures consistent quality and maintains traceability of changes. + +## Release Update Workflow + +### Step 1: Branch Creation + +Create a new branch named `v#{x}R#{x+1}` from either: + +- The main branch +- Latest patch release branch + +### Step 2: Generate Delta + +Run the `saf generate delta` workflow to update: + +- Control metadata +- inspec.yml configuration +- README.md documentation +- Other profile elements + +> Note: This process preserves existing `describe` blocks and Ruby code logic + +### Step 3: Change Management + +Follow these best practices to organize your work: + +#### 3.1 Control Tracking + +- Create a tracking table (CSV or Markdown) containing: + - New control IDs + - Status (completed/pending) + - Associated PR links + - Validation checkboxes + +#### 3.2 Quality Assurance Steps + +1. **Validation Checklist** + - [ ] Control requirements reviewed + - [ ] Code changes verified + - [ ] Tests updated + - [ ] Documentation current + +2. **Infrastructure Updates** + - Update hardening content: + - Ansible playbooks + - Puppet modules + - Chef cookbooks + - Docker images + - Vagrant boxes + +3. **Metadata Management** + - Update all version references + - Verify control titles + - Check benchmark labels + +## Tips for Success + +- Focus on controls with modified `check text` or `fix text` +- Unchanged control text typically means no code changes needed +- Use PR links to track changes in your tracking table +- Maintain CI/CD pipeline health throughout updates + +## Next Steps + +After completing these steps, proceed with the Patch Update workflow, keeping in mind that Release Updates typically involve more extensive validation. diff --git a/src/courses/profile-dev-test/14.md b/src/courses/profile-dev-test/14.md index c9d63d32e..50bd5ff2a 100644 --- a/src/courses/profile-dev-test/14.md +++ b/src/courses/profile-dev-test/14.md @@ -1,22 +1,75 @@ --- order: 14 next: 15.md -title: Creating a `Major Version Update` +title: Understanding Major Version Updates author: Aaron Lippold +difficulty: Advanced +prerequisites: + - Basic InSpec knowledge + - Understanding of STIG benchmarks + - Familiarity with Ruby --- -## The `Major Version Update` Process +## Learning Objectives -A `Major Version Update` involves transitioning to a new STIG Benchmark, which introduces a new Rule ID index. This process is more complex than a `Release Update` due to the need for aligning old requirements (Rule IDs) with the new ones. +- Understand what constitutes a Major Version Update and why they occur +- Master the requirement alignment process using multiple identification methods +- Learn to use available tools for version transition +- Develop strategies for efficient code migration +- Implement best practices for version control and testing -For example, when transitioning from RedHat Enterprise Linux 8 v1R12 to Red Hat Enterprise Linux 9 V1R1, the alignment of InSpec tests to the new requirements must be `fuzzy matched`. This involves using common identifiers such as `SRG ID`, `CCIs`, and, if necessary, the `title` and `descriptions`. +## What is a Major Version Update? -This is crucial when a single requirement from the old benchmark is split into multiple requirements in the new benchmark, although this is usually a rare occurrence. +A Major Version Update occurs when transitioning to a new STIG Benchmark version that introduces a completely new Rule ID index. Unlike minor Release Updates, this process requires careful mapping between old and new requirements. -We use a similar process in our [MITRE Vulcan](https://vulcan.mitre.org) to align 'Related Controls' in your Vulcan project to existing published STIG documents. However, the `Delta` tool currently requires manual intervention, and improvements are needed to automate this process. +## Key Concepts -The good news is that **these improvements are within reach**. We can leverage the existing work from `Vulcan` and hopefully soon incorporate these improvements into the SAF `Delta` tool as a direct function. +### Requirement Alignment -Once the 'old controls' and 'new controls' are aligned across 'Rule IDs', you can migrate the InSpec / Ruby code into their respective places. +:::tip 💡 **Pro Tip**: Create a spreadsheet to track your requirement mappings during the alignment process. +::: -Then, you follow the same setup, CI/CD organization, and control update process as in the `Release Update` process and hopfully finding that the actual InSpec code from the previous benchmark is very close to the needed InSpec code for the same 'requirement' in the new Benchmark. +When moving between major versions (e.g., RHEL 8 v1R12 to RHEL 9 V1R1), we need to align existing tests with new requirements using: + +- SRG IDs (Security Requirements Guide IDs) +- CCIs (Control Correlation Identifiers) +- Titles and descriptions when necessary + +### The Alignment Process + +1. **Initial Analysis** + - Compare old and new benchmark requirements + - Identify matching controls using common identifiers + - Note any split or merged requirements + +2. **Using Available Tools** + - MITRE Vulcan assists in alignment process + - Current Delta tool requires manual verification + - Future automation improvements are in development + +3. **Code Migration** + - Transfer InSpec/Ruby code to new requirement locations + - Verify control mappings + - Update test code as needed + +### Practical Example + +Consider this simplified alignment scenario: + +## Best Practices + +- Document all requirement mappings +- Verify control alignments thoroughly +- Test extensively after migration + +## What's Next + +After alignment is complete, follow the standard Release Update process for: + +- Setting up CI/CD +- Organizing controls +- Updating and testing requirements + +## Summary + +Major Version Updates require careful attention to requirement alignment and code migration. While tools like Vulcan help, some manual verification is still needed. Future improvements will streamline this process. diff --git a/src/courses/profile-dev-test/15.md b/src/courses/profile-dev-test/15.md index ee85de3d7..7b634b18f 100644 --- a/src/courses/profile-dev-test/15.md +++ b/src/courses/profile-dev-test/15.md @@ -1,29 +1,60 @@ --- order: 15 next: 16.md -title: Test Kitchen +title: Understanding Test Kitchen author: Aaron Lippold --- -## Test Kitchen - Getting Started +## Learning Objectives -[Test Kitchen](http://kitchen.ci) is a robust tool for testing infrastructure code and software on isolated platforms. It provides a consistent, reliable environment for developing and testing infrastructure code. +By the end of this module, you will be able to: -## Workflow Defined by our Test Kitchen Files +- Understand the purpose and benefits of Test Kitchen +- Describe the Test Kitchen workflow +- Differentiate between vanilla and hardened configurations +- Execute basic Test Kitchen commands -Test Kitchen's workflow involves building out suites and platforms using its drivers and provisioners. It follows a create, converge, verify, and destroy cycle: +## What is Test Kitchen? -1. **Create:** Test Kitchen creates an instance of the platform. -2. **Converge:** It applies the infrastructure code to the instance. -3. **Verify:** It checks if the instance is in the desired state. -4. **Destroy:** It destroys the instance after testing. +Test Kitchen is a powerful testing framework that allows developers to test infrastructure code across different platforms and configurations. Think of it as a laboratory where you can safely experiment with different system configurations without affecting your production environment. -In our testing workflow, we have defined four test suites to test different deployment patterns in two configurations - `vanilla` and `hardened`. +## Test Kitchen Workflow -- `vanilla`: This represents a completely stock installation of the testing target, as provided by the product vendor, with no configuration updates beyond what is 'shipped' by the vendor. Apart from the standard Test Kitchen initialization, the system is considered 'stock'. -- `hardened`: This configuration is set up using the `driver` section of the Test Kitchen suite and is executed during the `converge` phase. The `hardened` configuration represents the final `target configuration state` of our test instance, adhering to the recommended configuration of the Benchmark we are working on. For example, it aligns as closely as possible with the Red Hat Enterprise Linux V1R12 recommendations. +The testing process follows four key stages: -For more details on Test Kitchen's workflow, refer to the [official documentation](http://kitchen.ci/docs/getting-started/). +1. **Create** 🏗️ + - Spins up a fresh instance of your target platform + - Sets up the basic environment + +2. **Converge** 🔄 + - Applies your infrastructure code + - Configures the instance according to your specifications + +3. **Verify** ✅ + - Runs your tests against the instance + - Checks if everything is configured correctly + +4. **Destroy** 🧹 + - Cleans up the test environment + - Removes the instance completely + +## Testing Configurations + +We use two main testing configurations: + +### Vanilla Configuration + +- Stock installation with default settings +- No customization or hardening +- Represents "out-of-the-box" state +- Used as a baseline for comparison + +### Hardened Configuration + +- Implements security best practices +- Follows benchmark recommendations (e.g., RHEL V1R12) +- Represents the target secure state +- Applied during the converge phase ```journey Test Kitchen Workflow section Setup @@ -49,6 +80,11 @@ For more details on Test Kitchen's workflow, refer to the [official documentatio -## Test Kitchen's Modifications to Targets +## Behind the Scenes: System Access + +To enable testing, Test Kitchen makes minimal system modifications: -Test Kitchen makes minor modifications to the system to facilitate initialization and access. It adds a 'private ssh key' for the default user and sets up primary access to the system for this user using the generated key. Test Kitchen uses the 'platform standard' for access - SSH for Unix/Linux systems and WinRM for Windows systems. \ No newline at end of file +- Adds SSH private key authentication +- Sets up appropriate access protocols: + - SSH for Unix/Linux systems + - WinRM for Windows systems diff --git a/src/courses/profile-dev-test/16.md b/src/courses/profile-dev-test/16.md index 543e799be..0dc021f15 100644 --- a/src/courses/profile-dev-test/16.md +++ b/src/courses/profile-dev-test/16.md @@ -1,15 +1,41 @@ --- order: 16 next: 17.md -title: Test Kitchen - Create +title: Test Kitchen - Understanding the Create Stage author: Aaron Lippold index: true --- ## Test Kitchen Create Stage -The `create` stage in Test Kitchen sets up testing environments. It uses standard and patched images from AWS and Red Hat, including AMI EC2 images, Docker containers, and Vagrant boxes. +### What is the Create Stage? -Test Kitchen automatically fetches the latest images from sources like Amazon Marketplace, DockerHub, Vagrant Marketplace, and Bento Hub. You can customize this to use different images, private repositories (like Platform One's Iron Bank), or local images. +The `create` stage is a fundamental part of Test Kitchen that prepares your testing environments. Think of it as setting up your test laboratory where you'll run your security tests. -For more details on how Test Kitchen manages images, visit the [Test Kitchen website](https://kitchen.ci). You can also refer to the GitHub documentation for the `kitchen-ec2`, `kitchen-vagrant`, `kitchen-sync`, and [`kitchen-inspec`](https://github.com/inspec/kitchen-inspec) project on GitHub. \ No newline at end of file +### How it Works + +Test Kitchen handles environment creation by: + +- Fetching pre-configured system images +- Setting up virtual machines or containers +- Preparing the environment for testing + +### Supported Platforms + +Test Kitchen works with various platforms: + +- AWS EC2 instances (using AMIs) +- Docker containers +- Vagrant boxes +- Red Hat Enterprise Linux systems + +### Image Sources + +Test Kitchen automatically pulls from: + +- Amazon Marketplace +- DockerHub +- Vagrant Cloud +- Bento Box Repository +- Custom repositories (e.g., Platform One's Iron Bank) +- Local image storage diff --git a/src/courses/profile-dev-test/17.md b/src/courses/profile-dev-test/17.md index a4ada43d6..9aff7d368 100644 --- a/src/courses/profile-dev-test/17.md +++ b/src/courses/profile-dev-test/17.md @@ -6,28 +6,82 @@ author: Aaron Lippold index: true --- +## Learning Objectives + +By the end of this section, you will understand: + +- The purpose and function of Test Kitchen's converge stage +- How to use different infrastructure configurations +- The differences between vanilla and hardened environments + ## Test Kitchen Converge Stage -The `converge` stage uses Ansible Playbooks from the Ansible Lockdown project to apply hardening configurations, specifically the RHEL8-STIG playbook, and RedHat managed containers. +The `converge` stage applies system configurations using infrastructure as code (IaC) tools. This crucial stage transforms your environment from a base state to your desired configuration. -## EC2 and Vagrant Converge +> **Key Concept**: Think of the converge stage as "applying your recipe" - it takes your raw ingredients (base system) and follows your instructions to create the final dish (configured system). -For EC2 and Vagrant, we use 'wrapper playbooks' for the 'vanilla' and 'hardened' suites. +Supported configuration tools include: -- The 'vanilla' playbook establishes a basic test environment. -- The 'hardened' playbook applies the 'vanilla role' and the Ansible Lockdown RHEL8-STIG role to the 'hardened' target, using Ansible Galaxy, a `requirements.txt`, and Ansible Roles. +- Ansible Playbooks (used in this course) +- Puppet +- Chef +- Terraform +- Shell scripts -Some tasks in the hardening role were disabled for automated testing, but this doesn't significantly impact our security posture. We can still meet our validation and thresholds. +## EC2 and Vagrant Converge -For more on using these playbooks, running Ansible, or modifying the playbooks, roles, and tasks, see the Ansible Project Website. +We implement two distinct configurations using 'wrapper playbooks': -Find these roles and 'wrapper playbooks' in the [spec/](./spec/) directory. +1. **Vanilla Environment** + - Purpose: Establishes baseline test environment + - Implementation: Basic configuration playbook + +2. **Hardened Environment** + - Purpose: Creates security-enhanced environment + - Components: + - Base vanilla configuration + - RHEL8-STIG security controls + - Ansible Galaxy dependencies + - Custom roles and requirements + +> **Note**: While some hardening tasks are disabled for testing, this doesn't compromise our security validation goals. ## Container Converge -We use RedHat vendor images for both the `vanilla` and `hardened` containers. +Our container strategy utilizes two RedHat UBI8 (Universal Base Image) variants: + +1. **Vanilla Container** + +This container uses the `registry.access.redhat.com/ubi8/ubi:8.9-1028` image from RedHat's community repositories. + +It represents a standard, out-of-the-box configuration. + +- Community maintained +- Standard configuration + +1. **Hardened Container** +hardened: This container uses the `registry1.dso.mil/ironbank/redhat/ubi/ubi8` image from Red Hat's Platform One Iron Bank project. + +It represents a security-enhanced configuration. + +- STIG-compliant +- Regular security updates +- Platform One certified + +## Hands-on Practice + +Try these exercises: + +1. Compare the contents of vanilla and hardened playbooks +2. Identify key security configurations in the RHEL8-STIG role +3. Examine the wrapper playbook structure in the spec/ directory + +### Summary -- **`vanilla`:** This container uses the `registry.access.redhat.com/ubi8/ubi:8.9-1028` image from RedHat's community repositories. -- **`hardened`:** This container uses the `registry1.dso.mil/ironbank/redhat/ubi/ubi8` image from Red Hat's Platform One Iron Bank project. +- Converge stage implements your desired system configurations +- Multiple implementation tools available (Ansible, Puppet, Chef, etc.) +- Two primary configurations: vanilla (baseline) and hardened (security-enhanced) +- Container implementations use RedHat UBI8 images with different security postures -The Iron Bank UBI8 image is regularly patched, updated, and hardened according to STIG requirements. +::: info Next Steps: Practice running the converge stage with both vanilla and hardened configurations to understand the differences in outcomes. +::: diff --git a/src/courses/profile-dev-test/18.md b/src/courses/profile-dev-test/18.md index 1c623eca5..02b48d4fa 100644 --- a/src/courses/profile-dev-test/18.md +++ b/src/courses/profile-dev-test/18.md @@ -8,10 +8,26 @@ index: true ## Test Kitchen Validate Stage -The `verify` stage uses the `kitchen-inspec` verifier from Test Kitchen to run the profile against the test targets. +The `verify` stage uses the `kitchen-inspec` verifier from Test Kitchen to run the inspec profile against the test targets. -For this stage, the profile receives a set of tailored `input` YAML files. These files adjust the testing for each target, ensuring accurate validation against the expected state and minimizing false results. +For this stage, the inspec profile receives a set of tailored `input` YAML files. These files adjust the testing for each target, ensuring accurate validation against the expected state and minimizing false results. + +They are located at the root of the project and are named something like `kitchen.inputs.yml`. There are also specific `threshold` files for each target environment platform (EC2, container, and Vagrant) in both the `vanilla` and `hardened` suites. -The following sections provide a detailed breakdown of these files, their structure, and the workflow organization. \ No newline at end of file +These establish the expected or allowed thresholds for vanilla and hardened configurations. Sometimes, we also have specific thresholds for hardened container or DISA EC2 vanilla configurations to allow for different hardening configurations that may be part of the test suite. + +### Key Points to Remember + +- **Input Files**: Customize tests for each target environment. +- **Threshold Files**: Define acceptable limits for different configurations. +- **Platform-Specific Settings**: Ensure accurate validation across various platforms. + +### Practical Tips + +- Always review and update input files to match the target environment. +- Verify threshold settings to ensure they align with your security requirements. +- Regularly test across different platforms to catch environment-specific issues. +- Use the `kitchen verify` command to run the tests and validate the configurations. +- Limit the control verify is running by using the `INSPEC_CONTROL` environment variable. diff --git a/src/courses/profile-dev-test/19.md b/src/courses/profile-dev-test/19.md index 7fb8a7a41..08e0f12d0 100644 --- a/src/courses/profile-dev-test/19.md +++ b/src/courses/profile-dev-test/19.md @@ -11,7 +11,14 @@ The `destroy` stage terminates the EC2 instances, Vagrant boxes, or containers t Occasionally, the `destroy` stage may encounter issues if the hosting platforms have altered the state of the provisioned instance during your writing, testing, or debugging sessions. If you face any problems with the `destroy` stage or any other Test Kitchen commands, verify the following: -- The test target's login, hostname, and IP address are still accurate. -- The test instance is still running on the hosting platforms. +- Ensure the test target's login credentials, hostname, and IP address are still accurate. +- Confirm that the test instance is still running on the hosting platform. -Sometimes, the solution can be as simple as checking if the instance is still active. \ No newline at end of file +Sometimes, the solution can be as simple as checking if the instance is still active. + +### Additional Tips for Troubleshooting + +- **Check Logs**: Review the Test Kitchen logs for any error messages or clues about what might be going wrong. +- **Manual Cleanup**: If the `destroy` command fails, you may need to manually terminate the instances through your cloud provider's console or command-line tools. +- **Update Configurations**: Ensure that your `.kitchen.yml` configuration file is up-to-date and correctly references the instances you are trying to destroy. +- **Network Issues**: Verify that there are no network issues preventing Test Kitchen from communicating with the instances. diff --git a/src/courses/profile-dev-test/20.md b/src/courses/profile-dev-test/20.md index fc22727c3..45ace5336 100644 --- a/src/courses/profile-dev-test/20.md +++ b/src/courses/profile-dev-test/20.md @@ -1,10 +1,24 @@ --- order: 20 next: 21.md -title: Test Kitchen - .kitchen/ directory +title: Test Kitchen - .kitchen/ Directory author: Aaron Lippold --- ## The `.kitchen/` Directory -The [`.kitchen/`](/.kitchen/) directory contains the state file for Test Kitchen, which is automatically generated when you first run Test Kitchen. Refer to the [Finding Your Test Target Login Details](#311-locating-test-target-login-details) section to see how you can use the `.kitchen/` directory. +The [`.kitchen/`](/.kitchen/) directory contains the state files for Test Kitchen. These files are automatically generated when you first run Test Kitchen. + +### Understanding the `.kitchen/` Directory + +The `.kitchen/` directory is crucial for managing the state of your Test Kitchen instances. It includes configuration and state information that Test Kitchen uses to manage your test environments. + +### Using the `.kitchen/` Directory + +Refer to the [Finding Your Test Target Login Details](#311-locating-test-target-login-details) section to learn how to use the `.kitchen/` directory effectively. This section will guide you on locating and utilizing the login details for your test targets stored within this directory. + +### Key Points to Remember + +- The `.kitchen/` directory is automatically created when you run Test Kitchen for the first time. +- It stores state and configuration files necessary for managing test environments. +- Understanding the contents of this directory can help you troubleshoot and manage your test instances more effectively. diff --git a/src/courses/profile-dev-test/21.md b/src/courses/profile-dev-test/21.md index 19075f8d7..08250aaa0 100644 --- a/src/courses/profile-dev-test/21.md +++ b/src/courses/profile-dev-test/21.md @@ -9,9 +9,9 @@ author: Aaron Lippold The [`kitchen.yml`](./kitchen.yml) file is the primary configuration file for Test Kitchen. It outlines the shared configuration for all your testing environments, platforms, and the testing framework to be used. -Each of the subsequent kitchen files will inherit the shared settings from this file automatlly and merge them with the setting in the child kitchen file. +Each of the subsequent kitchen files will inherit the shared settings from this file automatically and merge them with the settings in the child kitchen file. -## Example `kitchen.yml` file +## Example `kitchen.yml` File ```yaml --- @@ -41,7 +41,7 @@ suites: playbook: spec/ansible/roles/ansible-role-rhel-hardened.yml ``` -# Breakdown of the `kitchen.yml` file: +# Breakdown of the `kitchen.yml` file ```yaml verifier: @@ -97,4 +97,4 @@ The workflow of Test Kitchen involves the following steps: 1. **Create:** Test Kitchen uses the driver to create an instance of the platform. 2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the instance. In this case, it's using Ansible playbooks. 3. **Verify:** Test Kitchen uses the verifier to check if the instance is in the desired state. -4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file. \ No newline at end of file +4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file. diff --git a/src/courses/profile-dev-test/22.md b/src/courses/profile-dev-test/22.md index 6f5885953..46d0f2d61 100644 --- a/src/courses/profile-dev-test/22.md +++ b/src/courses/profile-dev-test/22.md @@ -9,11 +9,11 @@ author: Aaron Lippold The `kitchen.ec2.yml` file is instrumental in setting up our testing targets within the AWS environment. It outlines the configuration details for these targets, including their VPC assignments and the specific settings for each VPC. -This file leverages the ` AWS CLI and AWS Credentials` configured as described in the previous [Required Software](#13-required-software) section. +This file leverages the `AWS CLI and AWS Credentials` configured as described in the previous [Required Software](#13-required-software) section. Alternatively, if you've set up AWS Environment Variables, the file will use those for AWS interactions. -## Example `kitchen.ec2.yml` file +## Example `kitchen.ec2.yml` File ```yaml --- @@ -115,4 +115,4 @@ The workflow of Test Kitchen involves the following steps: 3. **Verify:** Test Kitchen checks if the instance is in the desired state. This is not shown in your file, but it would be configured in the `verifier` section. 4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file, but it would be configured in the `driver` section. -The `transport` is used in all these steps to communicate with the instance. \ No newline at end of file +The `transport` is used in all these steps to communicate with the instance. diff --git a/src/courses/profile-dev-test/23.md b/src/courses/profile-dev-test/23.md index e540604c4..6abc9ae40 100644 --- a/src/courses/profile-dev-test/23.md +++ b/src/courses/profile-dev-test/23.md @@ -7,7 +7,7 @@ author: Aaron Lippold ## Understanding the [`kitchen.container.yml`](./kitchen.container.yml) -The `kitchen.container.yml` file orchestrates our container-based test suite. It defines two types of containers, hardened and vanilla, and specifies the inspec_tests to run against them. It also configures the generation and storage of test reports. +The `kitchen.container.yml` file orchestrates our container-based test suite. It defines two types of containers: hardened and vanilla, and specifies the InSpec tests to run against them. It also configures the generation and storage of test reports. Unlike other test suites, the container suite skips the 'provisioner' stage for the vanilla and hardened targets. Instead, during the create stage, it simply downloads and starts the specified images. This is due to the use of the [dummy Test Kitchen driver](https://github.com/test-kitchen/test-kitchen/blob/main/lib/kitchen/driver/dummy.rb), which is ideal for interacting with pre-configured or immutable targets like containers. @@ -48,7 +48,7 @@ suites: # creds_file: './creds.json' ``` -# Breakdown of the `kitchen.container.yml` file: +# Breakdown of the `kitchen.container.yml` file ```yaml provisioner: @@ -117,4 +117,4 @@ The `kitchen.container.yml` file uses the following environment variables to sel - `VANILLA_CONTAINER_IMAGE`: This variable specifies the Docker container image considered 'not hardened'. - default: `registry.access.redhat.com/ubi8/ubi:8.9-1028` - `HARDENED_CONTAINER_IMAGE`: This variable specifies the Docker container image considered 'hardened'. - - default: `registry1.dso.mil/ironbank/redhat/ubi/ubi8` \ No newline at end of file + - default: `registry1.dso.mil/ironbank/redhat/ubi/ubi8` diff --git a/src/courses/profile-dev-test/24.md b/src/courses/profile-dev-test/24.md index 6fda8f8c3..42e35d0a8 100644 --- a/src/courses/profile-dev-test/24.md +++ b/src/courses/profile-dev-test/24.md @@ -7,7 +7,7 @@ author: Aaron Lippold ## GitHub Actions -Our profile utilizes GitHub Actions as its primary CI/CD process. The Actions are separated by general business or process functions, allowing for a clear distinction between the workflow stages that we are testing in our workflow. +Our profile utilizes GitHub Actions as its primary CI/CD process. The Actions are separated by general business or process functions, allowing for a clear distinction between the workflow stages that we are testing. ### [`lint-profile.yml`](.github/workflows/lint-profile.yml) @@ -29,10 +29,10 @@ This action performs the following steps: ### [`verify-container.yml`](.github/workflows/verify-container.yml) -This action performs similar steps to `verify-ec2.yml`, but with some differences: +This action performs similar steps to `verify-ec2.yml`, with some differences: -1. It configures access to the required container registries - Platform One and Red Hat. +1. Configures access to the required container registries - Platform One and Red Hat. ### [`verify-vagrant.yml.example`](.github/workflows/verify-vagrant.yml.example) -This action is similar to the `verify-ec2` workflow, but instead of using a remote AWS EC2 instance in a VPC, it uses a local Vagrant virtual machine as the test target. The user can configure whether to upload the results to our Heimdall Demo server or not by modifing the Github Action. \ No newline at end of file +This action is similar to the `verify-ec2` workflow, but instead of using a remote AWS EC2 instance in a VPC, it uses a local Vagrant virtual machine as the test target. The user can configure whether to upload the results to our Heimdall Demo server or not by modifying the GitHub Action. diff --git a/src/courses/profile-dev-test/25.md b/src/courses/profile-dev-test/25.md index c17d86e4c..fcfdc9d91 100644 --- a/src/courses/profile-dev-test/25.md +++ b/src/courses/profile-dev-test/25.md @@ -12,7 +12,11 @@ author: Aaron Lippold Before running Delta, it's beneficial to format the profile to match the format Delta will use. This minimizes changes to only those necessary based on the guidance update. Follow these steps: -1. **Run Cookstyle:** Install the Cookstyle gem and use it to lint the controls into Cookstyle format. Verify the gem installation with `gem list cookstyle`. Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. Run `cookstyle -a ./controls` and any tests you have for your profile. +1. **Run Cookstyle:** + + - **Install Cookstyle:** Install the Cookstyle gem by running `gem install cookstyle`. Verify the installation with `gem list cookstyle`. + - **Create Configuration:** Create a `.rubocop.yml` file with the provided example settings or modify these settings via the command line. + - **Lint Controls:** Run `cookstyle -a ./controls` to lint the controls into Cookstyle format. Also, run any tests you have for your profile to ensure everything is working correctly. ```shell AllCops: @@ -63,4 +67,7 @@ Lint/AmbiguousBlockAssociation: Enabled: false ``` -2. **Run the SAF CLI Command:** Use `saf generate update_controls4delta` to check and update the control IDs with the provided XCCDF guidance. This process checks if the new guidance changes the control numbers and updates them if necessary. This minimizes the Delta output content and improves the visualization of the modifications provided by the Delta process. +2. Run the SAF CLI Command: + +- Use the command: `saf generate update_controls4delta` to check and update the control IDs with the provided XCCDF guidance. +- Verify Changes: This process checks if the new guidance changes the control numbers and updates them if necessary. This minimizes the Delta output content and improves the visualization of the modifications provided by the Delta process. diff --git a/src/courses/profile-dev-test/26.md b/src/courses/profile-dev-test/26.md index e4f602575..bd7e3b0ab 100644 --- a/src/courses/profile-dev-test/26.md +++ b/src/courses/profile-dev-test/26.md @@ -2,14 +2,14 @@ order: 26 next: 27.md title: InSpec Delta - Making the Delta Release Branch -shortTitle: Delta - Making your Branch +shortTitle: Delta - Making Your Branch author: Aaron Lippold --- -## Prepair Your Environment +## Prepare Your Environment -- **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and identify the `xccdf.xml` file. -- **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` command to create the InSpec Profile JSON file to be used in the `saf generate delta` command. +- **Download New Guidance:** Download the appropriate profile from the [DISA Document Library](https://public.cyber.mil/stigs/downloads/). Unzip the downloaded folder and locate the `xccdf.xml` file. +- **Create the InSpec Profile JSON File:** Clone or download the InSpec profile locally. Run the `inspec json` command to create the InSpec Profile JSON file, which will be used in the `saf generate delta` command. ## Delta Workflow Process @@ -17,7 +17,7 @@ author: Aaron Lippold ## Using Delta -The SAF InSpec Delta workflow typically involves two phases, `preformatting` and `delta`. +The SAF InSpec Delta workflow typically involves two phases: `preformatting` and `delta`. Before starting, ensure you have the latest SAF-CLI, the InSpec Profile JSON file, and the updated guidance file. @@ -31,9 +31,9 @@ For more information on these commands, refer to the following documentation: ## Scope of Changes by Delta -Delta focuses on specific modifications migrating the changes from the XCCDF Benchmark Rules to the Profiles controls, and updating the 'metadata' of each of thosin the `control ID`, `title`, `default desc`, `check text`, and `fix text`, between the XCCDF Benchmark Rules and the Profile Controls. +Delta focuses on specific modifications, migrating the changes from the XCCDF Benchmark Rules to the Profile's controls, and updating the 'metadata' of each control, including `control ID`, `title`, `default desc`, `check text`, and `fix text`, between the XCCDF Benchmark Rules and the Profile Controls. -If the XCCDF Guidance Document introduces a new 'Rule' or `inspec control` that is not in the current profile's `controls` directory, Delta will add it to the controls directory, populating the metadata from the XCCDF Benchmark data, similar to the [inspec_profile](#inspec-profile) (aliases xccdf-benchmark-to-inspec-stubs) tool. +If the XCCDF Guidance Document introduces a new 'Rule' or `inspec control` that is not in the current profile's `controls` directory, Delta will add it to the controls directory, populating the metadata from the XCCDF Benchmark data, similar to the [inspec_profile](#inspec-profile) tool. It also adjusts the `tags` and introduces a `ref` between the `impact` and `tags`. @@ -44,4 +44,3 @@ Delta does not modify the Ruby/InSpec code within the control, leaving it intact - The original Delta branch can be found [here](https://github.com/mitre/saf/pull/485). - Delta moves lines not labeled with 'desc' to the bottom, between tags and InSpec code. - Whether the controls are formatted to be 80 lines or not, Delta exhibits the same behavior with the extra text. -- Parameterizing should be considered. diff --git a/src/courses/profile-dev-test/27.md b/src/courses/profile-dev-test/27.md index cdb6f62fb..95d6f10bf 100644 --- a/src/courses/profile-dev-test/27.md +++ b/src/courses/profile-dev-test/27.md @@ -6,13 +6,13 @@ shortTitle: Tips & Troubleshooting author: Aaron Lippold --- -## Tips, Tricks and Troubleshooting +## Tips, Tricks, and Troubleshooting ### Test Kitchen #### Locating Test Target Login Details -Test Kitchen stores the current host details of your provisioned test targets in the `.kitchen/` directory. Here, you'll find a `yml` file containing your target's `hostname`, `ip address`, `host details`, and login credentials, which could be an `ssh pem key` or another type of credential. +Test Kitchen stores the current host details of your provisioned test targets in the `.kitchen/` directory. Here, you'll find a `yml` file containing your target's `hostname`, `IP address`, host details, and login credentials, which could be an `SSH PEM key` or another type of credential. ```shell .kitchen @@ -28,11 +28,11 @@ Test Kitchen stores the current host details of your provisioned test targets in #### Restoring Access to a Halted or Restarted Test Target -If your test target reboots or updates its network information, you don't need to execute bundle exec kitchen destroy. Instead, update the corresponding .kitchen/#{suite}-#{target}.yml file with the updated information. This will ensure that your kitchen login, kitchen validate, and other kitchen commands function correctly, as they'll be connecting to the correct location instead of using outdated data. +If your test target reboots or updates its network information, you don't need to execute `bundle exec kitchen destroy`. Instead, update the corresponding `.kitchen/#{suite}-#{target}.yml` file with the new information. This ensures that your `kitchen login`, `kitchen validate`, and other kitchen commands function correctly by connecting to the correct location instead of using outdated data. -#### AWS Console and EC2 Oddities +#### AWS Console and EC2 Considerations -Since we're using the free-tier for our AWS testing resources instead of a dedicated host, your test targets might shut down or 'reboot in the background' if you stop interacting with them, halt them, put them in a stop state, or leave them overnight. To regain access, edit the .kitchen/#{suite}-#{target}.yml file. As mentioned above, there's no need to recreate your testing targets if you can simply point Test Kitchen to the correct IP address. +Since we're using the free tier for our AWS testing resources instead of a dedicated host, your test targets might shut down or reboot in the background if you stop interacting with them, halt them, put them in a stop state, or leave them overnight. To regain access, edit the `.kitchen/#{suite}-#{target}.yml` file with the updated IP address. As mentioned above, there's no need to recreate your testing targets if you can simply point Test Kitchen to the correct IP address. ## InSpec / Ruby @@ -46,13 +46,13 @@ When developing InSpec controls, it's beneficial to use the `kitchen-test` suite 2. Then, insert `binding.pry` at the point in your code where you want to start debugging. 3. When you run your tests, execution will stop at the `binding.pry` line, and you can inspect variables, step through the code, and more. -***!Pro Tip!*** +***Pro Tip*** -- Remember to remove or comment out the `binding.pry` lines when you're done debugging or you won't have a good 'linting' down the road. +- Remember to remove or comment out the `binding.pry` lines when you're done debugging, or you may encounter issues with linting tools. ### Streamlining Your Testing with `inspec shell` -The `inspec shell` command allows you to test your full control update on your test target directly. To do this, you'll need to retrieve the IP address and SSH PEM key for your target instance from the Test Kitchen `.kitchen` directory. For more details on this, refer to the [Finding Your Test Target Login Details](#311-locating-test-target-login-details) section. +The `inspec shell` command allows you to test your full control update on your test target directly. To do this, you'll need to retrieve the IP address and SSH PEM key for your target instance from the Test Kitchen `.kitchen` directory. For more details on this, refer to the [Locating Test Target Login Details](#locating-test-target-login-details) section. Once you have your IP address and SSH PEM key (for AWS target instances), or the container ID (for Docker test instances), you can use the following commands: @@ -61,4 +61,4 @@ Once you have your IP address and SSH PEM key (for AWS target instances), or the ### Using `kitchen login` for Easy Test Review and Modification -The `kitchen login` command provides an easy way to review and modify your test target. This tool is particularly useful for introducing test cases, exploring corner cases, and validating both positive and negative test scenarios. +The `kitchen login` command allows you to access your test target's command line directly. This is particularly useful for introducing test cases, exploring edge cases, and validating both positive and negative test scenarios. By interacting directly with the test environment, you can deepen your understanding of how your controls perform in real-world conditions. diff --git a/src/courses/profile-dev-test/28.md b/src/courses/profile-dev-test/28.md index edc8506b6..c14072f31 100644 --- a/src/courses/profile-dev-test/28.md +++ b/src/courses/profile-dev-test/28.md @@ -11,20 +11,20 @@ author: Aaron Lippold #### Evolution of STIGs and Security Benchmarks -The Department of Defense (DOD) has continually updated its databases that track rules and Security Technical Implementation Guides (STIGs) that house those rules. +The Department of Defense (DoD) has continually updated its databases that track rules and the Security Technical Implementation Guides (STIGs), which define those rules. Initially, the system was known as the Vulnerability Management System (VMS). -In the STIGs, you might come across data elements that are remnants from these iterations. These include `Group Title` (gid or gtitle), `Vulnerability ID` (VulnID), `Rule ID` (rule_id), `STIG ID` (stig_id), and others. +In the STIGs, you might come across data elements that are remnants from previous systems. These include `Group Title` (`gid` or `gtitle`), `Vulnerability ID` (`VulnID`), `Rule ID` (`rule_id`), `STIG ID` (`stig_id`), and others. -A significant change was the shift from using `STIG ID` to `Rule ID` in many security scanning tools. This change occurred because the Vulnerability Management System used the STIG_ID as the primary index for the requirements in each Benchmark in VMS. +A significant change was the shift from using `STIG ID` to `Rule ID` in many security scanning tools. This change occurred because the VMS used the `STIG_ID` as the primary index for the requirements in each benchmark. -However, when DISA updated the Vendor STIG Processes and replaced the VMS, they decided to migrate the primary ID from the STIG ID to the Rule ID, tracking changes in the Rules as described above. +However, when DISA updated the vendor STIG processes and replaced the VMS, they decided to migrate the primary ID from the `STIG ID` to the `Rule ID`, tracking changes in the rules. -Examples of tools that still use either fully or in part the 'STIG ID' vs the 'Rule ID' as a primary index are: the DISA STIG Viewer, Nessus Audit Scans, and Open SCAP client. +Examples of tools that still use the `STIG ID`, either fully or partially, as a primary index include the DISA STIG Viewer, Nessus Audit Scans, and OpenSCAP client. -While these elements might seem confusing, understanding their historical context is essential. +Understanding the historical context of these elements is essential, even if they might seem confusing. -In our modern profiles, some data from the XCCDF Benchmarks still exist in the document but are not used or rendered in the modern InSpec Profiles. However, in some of the older profiles, you may see many of these data elements as `tags` in the profile. The intention was to ensure easy and lossless conversion between XCCDF Benchmark and HDF Profile. +Although some data from the XCCDF benchmarks still exist in our modern profiles, they are not used or rendered in modern InSpec profiles. The intention was to ensure easy and lossless conversion between XCCDF benchmarks and HDF profiles. -It was later realized that since the structure of these data elements was 'static', they could be easily reintroduced when converting back to an XCCDF Benchmark. Therefore, rendering them in the profile was deemed unnecessary. +It was later realized that since the structure of these data elements was static, they could be easily reintroduced when converting back to an XCCDF benchmark. Therefore, including them in the profile was deemed unnecessary. diff --git a/src/courses/profile-dev-test/29.md b/src/courses/profile-dev-test/29.md index 0e970ff0b..e5fbb4fb9 100644 --- a/src/courses/profile-dev-test/29.md +++ b/src/courses/profile-dev-test/29.md @@ -7,16 +7,16 @@ author: Aaron Lippold ## Terms & Definitions - **Baseline**: This refers to a set of relevant security controls, such as NIST 800-53 controls or Center for Internet Security Controls. These controls offer high-level security best practices, grouped into common areas of concern. -- **Benchmark**: This is a set of security controls tailored to a specific type of application or product. These controls are typically categorized into 'high', 'medium', and 'low' levels based on Confidentiality, Integrity, and Availability (C.I.A). -- **[Common Correlation Identifier](https://public.cyber.mil/stigs/cci/) (CCI)**: The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. For example: 'CCI-000366'. -- **Group Title (gtitle)**: This is essentially the SRG ID but is a holdover data value from the old Vulnerability Management System. For example: 'SRG-OS-000480-GPOS-00227'. -- **Major Version Update**: These are updates that occur when a software vendor releases a new major version of their product's STIG, e.g., RedHat releasing version 9 of Red Hat Enterprise Linux or Microsoft releasing a new major version of Windows. -- **Patch Update**: These are regular updates that address missing corner cases of testing for one or more benchmark requirements, or improvements to the InSpec code for a requirement. These updates result in a new patch release of the benchmark, e.g., `v1.12.4` to `v1.12.5`. +- **Benchmark**: This is a set of security controls tailored to a specific type of application or product. These controls are typically categorized into 'high', 'medium', and 'low' levels based on their impact on Confidentiality, Integrity, and Availability (C.I.A). +- **[Control Correlation Identifier](https://public.cyber.mil/stigs/cci/) (CCI)**: The Control Correlation Identifier provides a standard identifier and description for each individual, actionable statement that comprises an Information Assurance (IA) control or best practice. For example: 'CCI-000366'. +- **Group Title (gtitle)**: This is essentially the SRG ID but is a legacy value from the old Vulnerability Management System. For example: 'SRG-OS-000480-GPOS-00227'. +- **Major Version Update**: These updates occur when a software vendor releases a new major version of their product, resulting in a new major version of the corresponding STIG. For example, Red Hat releasing version 9 of Red Hat Enterprise Linux or Microsoft releasing a new major version of Windows. +- **Patch Update**: These are regular updates that address edge cases in testing for one or more benchmark requirements or improvements to the InSpec code for a requirement. These updates result in a new patch release of the benchmark, e.g., `v1.12.4` to `v1.12.5`. - **Profile**: This is a set of tests representing a STIG or a CIS Benchmark. These tests automate the validation of a system against that STIG or CIS Benchmark. - **Release Update**: These are updates that occur when the STIG Benchmark owner releases an updated version of the STIG, e.g., Red Hat Enterprise Linux V1R12 to V1R13. -- **Rule ID (rid)**: The Rule ID has two parts separated by the `r` in the string - ('SV-230221) and (r858734_rule)'. The first part remains unique within the major version of a Benchmark document, while the latter part of the string is updated each time the 'Rule' is updated 'release to release' of the Benchmark. For example: 'SV-230221r858734_rule'. -- **Security Requirements Guide (SRG)**: SRG documents provide generalized security guidance in XCCDF format that applies to a 'class' of software products such as 'web server', 'operating systems', 'application servers' or 'databases'. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). -- **Security Technical Implementation Guide (STIG)**: This is a set of specific technical actions required to establish a certain security posture for a software product. It is based on a desired Security Requirements Guide that applies to the product's software class and function, such as operating system, web server, database, etc. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). +- **Rule ID (rid)**: The Rule ID has two parts separated by the `r` in the string—for example, 'SV-230221' and 'r858734_rule'. The first part remains unique within the major version of a benchmark document, while the latter part is updated each time the rule is updated with each release of the benchmark. For example: 'SV-230221r858734_rule'. +- **Security Requirements Guide (SRG)**: SRG documents provide generalized security guidance in XCCDF format that applies to a class of software products such as web servers, operating systems, application servers, or databases. You can find these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). +- **Security Technical Implementation Guide (STIG)**: This is a set of specific technical actions required to establish a certain security posture for a software product. It is based on the relevant Security Requirements Guide that applies to the product's software class and function, such as operating systems, web servers, or databases. Archives are available at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). - **SRG_ID**: This is the unique identifier of the SRG requirement. These indexes, like the STIG Rule IDs, also show their parent-child relationship. For example: 'SRG-OS-000480-GPOS-00227'. -- **STIG ID (stig_id)**: Many testing tools and testing results tools use this ID - vs the Rule ID - to display each of the individual results of a Benchmark validation run. For example: 'RHEL-08-010000'. Examples include: DISA STIG Viewer, Nessus Audit Scans and the Open SCAP client. -- **XCCDF Benchmark (XCCDF or XCCDF Benchmark)**: XCCDF (Extensible Configuration Checklist Description Format) is a standard developed by NIST and DOD to provide a machine-readable XML format for creating security guidance documents and security technical implementation guides. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). +- **STIG ID (stig_id)**: Many testing and result analysis tools use this ID—versus the Rule ID—to display each of the individual results of a benchmark validation run. For example: 'RHEL-08-010000'. Examples include DISA STIG Viewer, Nessus Audit Scans, and the OpenSCAP client. +- **XCCDF Benchmark**: XCCDF (Extensible Configuration Checklist Description Format) is a standard developed by the National Institute of Standards and Technology (NIST) and the Department of Defense (DoD) to provide a machine-readable XML format for creating security guidance documents and Security Technical Implementation Guides. Archives are available at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). From 3043ac6d4a0268785bc866bdb7119b3909e8330a Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 9 Dec 2024 11:25:23 -0800 Subject: [PATCH 03/24] readme/pg 1 Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/README.md | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/src/courses/profile-dev-test/README.md b/src/courses/profile-dev-test/README.md index 348b20072..09db9f566 100644 --- a/src/courses/profile-dev-test/README.md +++ b/src/courses/profile-dev-test/README.md @@ -1,7 +1,7 @@ --- order: 1 next: 02.md -title: Development & Testing InSpec Profile +title: 1. Developing & Testing InSpec Profiles author: Aaron Lippold --- @@ -46,7 +46,7 @@ The development and testing of profiles are accomplished using a variety of tool - **Test Kitchen**: Integration testing framework - Example: `kitchen test` validates your InSpec profiles - Use case: Automated compliance testing -- **Docker/Podman**: Container platforms +- **Docker/Podman**: Container runtime platforms - Example: `docker run` creates isolated test environments - Use case: Consistent testing across platforms - **InSpec**: Compliance testing framework @@ -60,7 +60,9 @@ The development and testing of profiles are accomplished using a variety of tool Our development and testing workflow is managed by Test Kitchen. This tool is integral to our GitHub Actions CI/CD Pipelines and is also used for local development, testing, and releasing updates, patches, and full releases of the profile. -> 💡 **Pro Tip**: When starting out, focus on Docker-based testing before moving to AWS environments. +::: tip Walk before you run! +When starting out, focus on Docker-based testing before moving to AWS environments. +::: ### Testing Environments @@ -68,15 +70,19 @@ Test Kitchen uses Docker (or Podman, if preferred) and AWS (using free-tier reso ### Platform One Integration -Additionally, Test Kitchen uses the Red Hat hardened `ubi8 base container` from Platform One for testing. To test the hardened container portion of the testing suite, you'll need to set up and log in to your P1 Free account, then obtain a CLI token to pull the Platform One Iron Bank Red Hat Enterprise Linux 8 Universal Base Image (P1 IB UBI8) image into the test suite. +Additionally, Test Kitchen uses images from Platform One during the hardened container test of the testing suite. In order for you to use them as well, you'll need to set up and log in to your P1 account (free but requires registration), then obtain a CLI token to pull the Platform One Iron Bank images into the test suite. -> ⚠️ **Important**: Ensure you keep your P1 CLI token secure and never commit it to version control. +::: important Secrets should be secret! +Ensure you keep your P1 CLI token secure and never commit it to version control. +::: ## Getting Started with Examples This guide refers to the [MITRE RedHat Enterprise Linux 8 STIG](https://github.com/mitre/redhat-enterprise-linux-8-stig-baseline/tree/metzger_dynamic_inputs) profile, which provides a working example of the workflow described here. -> 🔍 **Note**: Development happens in the `main` branch, with stable versions available as tagged releases. +::: note Development vs Releases +Development happens in the `main` branch, with stable versions available as tagged releases. +::: ### Hands-on Practice From 534686a2ba469459ab45d22d49b5164d114bf216 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 9 Dec 2024 13:59:57 -0800 Subject: [PATCH 04/24] pg 2 Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/02.md | 85 ++++++++++++++++++------------ 1 file changed, 50 insertions(+), 35 deletions(-) diff --git a/src/courses/profile-dev-test/02.md b/src/courses/profile-dev-test/02.md index edc4efad7..18d5648a1 100644 --- a/src/courses/profile-dev-test/02.md +++ b/src/courses/profile-dev-test/02.md @@ -1,7 +1,7 @@ --- order: 2 next: 03.md -title: Understanding Repository Organization +title: 2. Understanding Repository Organization author: Aaron Lippold --- @@ -15,25 +15,60 @@ By the end of this section, you will: ## Repository Structure Overview -The repository uses a structured branching and tagging strategy to manage STIG profile versions and updates. This organization ensures reliable tracking of changes and stable releases for production use. +The InSpec profile repository should have a structured branching and tagging strategy to manage STIG profile versions and updates. This organizational strategy ensures reliable tracking of changes and stable releases for production use. ## Branch Strategy -### Main Branch +Security developers and engineers should be putting actively developed changes and updates into feature branches. Once those feature branches have been completed and peer reviewed, they should be merged into the version branch for the respective guidance release. Once all required features, changes, bugfixes, etc. have been merged in, a release should be created - this means that the version branch should be merged into your main branch and a tag should be created. The main branch of the repository ought to be the latest, working version of the codebase. + +::: tip Branches are not releases +Sometimes code ends up merged directly to the main branch - this is fine - the main branch is not a formal release. +::: + + + + + + + + + + + + + + + + + + + + + + + + + + +
Main BranchVersion Branch (`v{x}r{xx}`)
PurposeActive development and testingWork-in-progress tracking a major STIG benchmark release
ContainsLatest code and patches

Code that is becoming aligned to an official guidance release

DISA usually releases updates to STIGs on a quarterly basis. See the [DISA STIG Document Library](https://public.cyber.mil/stigs/downloads/).

Example branch name`main` or `master``v1r12` for Version 1, Release 12
+ +## Version Control and Tagging Strategy + +### Tags + +#### Current Tag + +We do not recommend using a `current` or `latest` tag - if someone needs the latest and greatest, they can pull directly from the main branch of the repository. + +#### Major Tags + +Major tags point to the latest patch releases of the benchmark. For example, `v1`, `v1.3`, and `v1.3.0` all should point at the same commit representing the first release of the Red Hat Enterprise Linux 8 STIG V1R3 Benchmark. The `v1.12.xx` tag(s) would represent the V1R12 Benchmark releases as we find bugs, fixes, or general improvements to the testing profile. + +#### Patch Releases -- Purpose: Active development and testing -- Contains: Latest code and patches -- Best for: Development and testing workflows -- Note: For production, use stable releases instead - -### Version Branches (`v{x}r{xx}`) - -- Purpose: Track major STIG benchmark releases -- Example: `v1r12` for Version 1, Release 12 -- Aligns with: Official DISA STIG releases -- Reference: [DISA STIG Document Library](https://public.cyber.mil/stigs/downloads/) +The latest patch release always points to the major release for the profile. -## Version Control Strategy +For example, after releasing `v1.12.0`, we will point `v1.12` to that patch release: `v1.12.0`. When an issue is found, we will fix, tag, and release `v1.12.1`. We will then 'move' the `v1.12` tag so that it points to tag `v1.12.1`. This way, your pipelines can choose if they want to pin on a specific release of the InSpec profile or always run using the latest code on the main branch. ### Semantic Versioning (SemVer) @@ -42,23 +77,3 @@ Format: `MAJOR.RELEASE.PATCH` - MAJOR: Matches STIG version - RELEASE: Matches STIG release - PATCH: Profile updates between STIG releases - -Example timeline: - -## Tags - -### Current Tag - -We don't use a specific `current` or `latest` tag. The `current`/`latest` tag for the profile and repository will always be the latest major tag of the benchmark. For example, if `v1.12.3` is the latest Benchmark release from the STIG author, then the tag `v1.12` will point to the `v1.12.3` release of the code. - -To use the current `main`, point directly to the GitHub repo. - -### Major Tags - -Major tags point to the latest patch release of the benchmark. For example, `v1.3` and `v1.3.0` represent the first release of the Red Hat Enterprise Linux 8 STIG V1R3 Benchmark. The `v1.12.xx` tag(s) would represent the V1R12 Benchmark releases as we find bugs, fixes, or general improvements to the testing profile. This tag will point to its `v{x}r{xx}` counterpart. - -## Patch Releases - -The latest patch release always points to the major release for the profile. - -For example, after releasing `v1.12.0`, we will point `v1.12` to that patch release: `v1.12.0`. When an issue is found, we will fix, tag, and release `v1.12.1`. We will then 'move' the `v1.12` tag so that it points to tag `v1.12.1`. This way, your pipelines can choose if they want to pin on a specific release of the InSpec profile or always run 'current'. From 71489a993fac864bfb226bb1d5e77519b8bb6976 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Mon, 9 Dec 2024 14:31:28 -0800 Subject: [PATCH 05/24] pg 3 Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/03.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/courses/profile-dev-test/03.md b/src/courses/profile-dev-test/03.md index d1177be71..bdb2a7602 100644 --- a/src/courses/profile-dev-test/03.md +++ b/src/courses/profile-dev-test/03.md @@ -1,11 +1,11 @@ --- order: 3 next: 04.md -title: Environment Setup Guide +title: 3. Environment Setup Guide author: Aaron Lippold --- -## Prerequisites Knowledge +## Prerequisite Knowledge - Basic command line experience - Familiarity with package managers @@ -37,7 +37,7 @@ Create accounts with these services before proceeding: 3. **P1 Harbor Access** - Purpose: Container registry access - - Get token: [Harbor Login](https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/auth?client_id=harbor) + - Get CLI token from your user account page: [Harbor Login](https://login.dso.mil/auth/realms/baby-yoda/protocol/openid-connect/auth?client_id=harbor) ## Environment Configuration @@ -45,7 +45,7 @@ Create accounts with these services before proceeding: Important variables that control testing behavior: -- `INSPEC_CONTROL`: Specifies which single control to run in the `bundle exec kitchen verify` phase, useful for testing and debugging a single requirement. +- `INSPEC_CONTROL`: Specifies which single control to run in the `bundle exec kitchen verify` phase - useful for testing and debugging a single requirement. - default: `none` - `KITCHEN_LOCAL_YAML`: Specifies the target testing environment you want to use to run and validate the profile. - default: `none` From f5573e84855db2dbb8d667ab2d4dd612a3a42b49 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Tue, 10 Dec 2024 22:53:24 -0800 Subject: [PATCH 06/24] pg 4 and 5 Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/04.md | 2 +- src/courses/profile-dev-test/05.md | 72 ++++++++++++++++-------------- 2 files changed, 40 insertions(+), 34 deletions(-) diff --git a/src/courses/profile-dev-test/04.md b/src/courses/profile-dev-test/04.md index e203b5e0b..47f44f531 100644 --- a/src/courses/profile-dev-test/04.md +++ b/src/courses/profile-dev-test/04.md @@ -1,7 +1,7 @@ --- order: 4 next: 05.md -title: Test your Test Environment +title: 4. Test your Test Environment author: Aaron Lippold --- diff --git a/src/courses/profile-dev-test/05.md b/src/courses/profile-dev-test/05.md index ab96b28ff..a0788827a 100644 --- a/src/courses/profile-dev-test/05.md +++ b/src/courses/profile-dev-test/05.md @@ -1,13 +1,15 @@ --- order: 5 next: 06.md -title: AWS Testing Suite +title: 5. AWS Testing Suite author: Aaron Lippold --- ## AWS Testing Setup -> -> Note: This guide assumes basic familiarity with AWS. If you're new to AWS, please review the [AWS Getting Started Guide](https://aws.amazon.com/getting-started/) first. + +:::note +This guide assumes basic familiarity with AWS. If you're new to AWS, please review the [AWS Getting Started Guide](https://aws.amazon.com/getting-started/) first. +::: 1. Configure your AWS CLI and set up your AWS credentials - If you haven't installed AWS CLI, [download it here](https://aws.amazon.com/cli/) @@ -31,13 +33,17 @@ author: Aaron Lippold ``` ## Running Through the AWS Test Suite -> -> Understanding the Test Workflow: -> -> - **Vanilla**: Represents an unmodified baseline system -> - **Hardened**: Represents a system with security controls applied -7. List the kitchen instances with: `bundle exec kitchen list`. You should see something like this: +::: important Understanding the Test Workflow: +`vanilla` represents an unmodified baseline system while `hardened` represents a system with security controls applied. +::: + +7. List the kitchen instances: +```bash + bundle exec kitchen list +``` + +You should see something like this: ```shell Instance Driver Provisioner Verifier Transport Last Action Last Error @@ -53,10 +59,10 @@ author: Aaron Lippold bundle exec kitchen create vanilla ``` - > This step launches a fresh EC2 instance for testing +Executing that line launches a fresh EC2 instance for testing: ```shell -➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen create vanilla +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen create vanilla -----> Starting Test Kitchen (v3.5.1) -----> Creating ... < OTHER OUTPUT > @@ -70,10 +76,10 @@ author: Aaron Lippold bundle exec kitchen converge vanilla ``` - > Convergence applies the necessary configurations to prepare the system for testing +Convergence applies the necessary configurations to prepare the system for testing: ```shell -➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen converge vanilla +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen converge vanilla -----> Starting Test Kitchen (v3.5.1) NOTICE - Installing needed packages Updating Subscription Management repositories. @@ -88,10 +94,16 @@ author: Aaron Lippold -----> Test Kitchen is finished. (1m13.52s) ``` -10. Run InSpec on the kitchen instance: `bundle exec kitchen verify`. +10. **Verify** that the Kitchen instance meets our requirements by using InSpec: + +```bash +bundle exec kitchen verify +``` + +You'll see the same InSpec CLI output that we've gotten familiar with in our other classes: ```shell - ➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen verify vanilla + ➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen verify vanilla -----> Starting Test Kitchen (v3.5.1) -----> Setting up ... Finished setting up (0m0.00s). @@ -111,27 +123,21 @@ author: Aaron Lippold -----> Test Kitchen is finished. (0m6.62s) ``` +11. **Destroy** the Kitchen instance: + +```bash +bundle exec kitchen destroy vanilla +``` + +::: caution 💸 +Always remember to pause or destroy your test instances after testing to avoid unnecessary AWS charges. You can do it via `kitchen` or by going into the AWS Console. +::: + ### Analyzing Results - Results Location: `./spec/results/rhel-8_*` - Use [Heimdall Lite](https://heimdall-lite.mitre.org) to compare results: - 1. Load both `hardened` and `vanilla` results - 2. Compare to verify expected failures and passes + 1. Load both the `vanilla` and `hardened` results + 2. Use the `Comparison View` (look for the toggle underneath the files list after selecting the hamburger menu in the top left) to compare the results sets and verify expected passes and failures 3. Review corner cases for complete coverage -::: tip Always remember to pause or destroy your test instances after testing to avoid unnecessary AWS charges: -> -> ```bash -> bundle exec kitchen destroy vanilla -> ``` -> -> ```sh -> Pause your instance in the AWS Console -> ``` -> -::: - -1. Destroy the kitchen instance: `bundle exec kitchen destroy vanilla`. -2. For steps that apply to making updates, patches, and updates to the profile, see the next section, [Updating the Profile](#18-updating-the-profile). -3. Your InSpec scan results are located in the `./spec/results/` directory, named `./spec/results/rhel-8_*`. -4. Use [Heimdall Lite](https://heimdall-lite.mitre.org "MITRE Heimdall Lite") to load both the `hardened` and `vanilla` results to ensure your changes and updates, "failed as expected and passed as expected and covered your corner cases." From 31d8a3b3d061636500c0313824718a004a2b436e Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Tue, 10 Dec 2024 23:37:42 -0800 Subject: [PATCH 07/24] pg 6 Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/05.md | 4 ++- src/courses/profile-dev-test/06.md | 58 ++++++++++++++++++++---------- 2 files changed, 43 insertions(+), 19 deletions(-) diff --git a/src/courses/profile-dev-test/05.md b/src/courses/profile-dev-test/05.md index a0788827a..f1bbfc018 100644 --- a/src/courses/profile-dev-test/05.md +++ b/src/courses/profile-dev-test/05.md @@ -97,7 +97,7 @@ Convergence applies the necessary configurations to prepare the system for testi 10. **Verify** that the Kitchen instance meets our requirements by using InSpec: ```bash -bundle exec kitchen verify +bundle exec kitchen verify vanilla ``` You'll see the same InSpec CLI output that we've gotten familiar with in our other classes: @@ -133,6 +133,8 @@ bundle exec kitchen destroy vanilla Always remember to pause or destroy your test instances after testing to avoid unnecessary AWS charges. You can do it via `kitchen` or by going into the AWS Console. ::: +12. Repeat these steps but replace `vanilla` with `hardened`. + ### Analyzing Results - Results Location: `./spec/results/rhel-8_*` diff --git a/src/courses/profile-dev-test/06.md b/src/courses/profile-dev-test/06.md index e46d84fd6..a0dd4e31b 100644 --- a/src/courses/profile-dev-test/06.md +++ b/src/courses/profile-dev-test/06.md @@ -1,7 +1,7 @@ --- order: 6 next: 07.md -title: Testing with Docker Containers +title: 6. Testing with Docker Containers author: Aaron Lippold --- @@ -33,26 +33,36 @@ Before running tests, configure your environment: Set these environment variables: ```shell -> export KITCHEN_LOCAL_YAML=kitchen.container.yml -> export VANILLA_CONTAINER_IMAGE=registry.access.redhat.com/ubi8/ubi:8.9-1028 -> export HARDENED_CONTAINER_IMAGE=registry1.dso.mil/ironbank/redhat/ubi/ubi8 -> (optional) export INSPEC_CONTROL='SV-230222' +export KITCHEN_LOCAL_YAML=kitchen.container.yml +export VANILLA_CONTAINER_IMAGE=registry.access.redhat.com/ubi8/ubi:8.9-1028 +export HARDENED_CONTAINER_IMAGE=registry1.dso.mil/ironbank/redhat/ubi/ubi8 +(optional) export INSPEC_CONTROL='SV-230222' ``` +Here we will be assessing vanilla and hardened container images. While many containers are hosted by Docker themselves on their [Docker Hub](https://hub.docker.com/) platform, organizations often deploy their own container registries. Red Hat makes their registry available at [`registry.access.redhat.com`](https://registry.access.redhat.com) - we will be using their [`ubi8` image](https://developers.redhat.com/blog/2019/10/09/what-is-red-hat-universal-base-image#high_quality__the_security_and_operational_benefits_of_rhel). Iron Bank is Platform One's hardened container image repository and is available at [`registry1.dso.mil`](https://registry1.dso.mil) - they publish a version of the `ubi8` container that they claim is more hardened than Red Hat's baseline. Let's use Red Hat's `ubi8` as the vanilla container image and Iron Bank's `ubi8` as the hardened container image and validate Iron Bank's claim of having a more hardened image! + ## Running Through the Docker Test Suite -1. List the kitchen instances with: `bundle exec kitchen list` +1. List the kitchen instances with: + +```bash +bundle exec kitchen list +``` ```shell -➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen list +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen list Instance Driver Provisioner Verifier Transport Last Action Last Error vanilla-ubi8 Dokken Dummy Inspec Dokken hardened-ubi8 Dokken Dummy Inspec Dokken ``` -2. Create the kitchen instance: `bundle exec kitchen create vanilla` +2. Create the kitchen instance: +```bash +bundle exec kitchen create vanilla +``` ```shell +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen create vanilla -----> Starting Test Kitchen (v3.5.1) -----> Creating ... Creating kitchen sandbox at /Users/alippold/.dokken/kitchen_sandbox/de2da32d73-vanilla-ubi8 @@ -63,10 +73,13 @@ hardened-ubi8 Dokken Dummy Inspec Dokken -----> Test Kitchen is finished. (0m1.77s) ``` -3. Converge the kitchen instance: `bundle exec kitchen converge vanilla` +3. Converge the kitchen instance: +```bash +bundle exec kitchen converge vanilla +``` ```shell -➜ redhat-enterprise-linux-8-stig-baseline git:(main*)bundle exec kitchen converge vanilla +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen converge vanilla -----> Starting Test Kitchen (v3.5.1) -----> Converging ... ... @@ -74,9 +87,13 @@ hardened-ubi8 Dokken Dummy Inspec Dokken -----> Test Kitchen is finished. (0m0.88s) ``` -4. Run InSpec on the kitchen instance: `bundle exec kitchen verify vanilla` +4. Run InSpec on the kitchen instance: +```bash +bundle exec kitchen verify vanilla +``` ```shell +➜ redhat-enterprise-linux-8-stig-baseline git:(main*) bundle exec kitchen verify vanilla -----> Starting Test Kitchen (v3.5.1) -----> Verifying ... Loaded redhat-enterprise-linux-8-stig-baseline @@ -93,7 +110,18 @@ Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped Test Summary: 0 successful, 4 failures, 0 skipped ``` -## This is not the **Error** Your Looking For, move along +5. Repeat these steps but replace `vanilla` with `hardened`. + +### Analyzing Results + +- Results Location: `./spec/results/rhel-8_*` +- Use [Heimdall Lite](https://heimdall-lite.mitre.org) to compare results: + 1. Load both the `vanilla` and `hardened` results + 2. Use the `Comparison View` (look for the toggle underneath the files list after selecting the hamburger menu in the top left) to compare the results sets and verify expected passes and failures + 3. Review corner cases for complete coverage + + +## This isn't the error you're looking for, move along The error below is just Test Kitchen telling you that not all of the `controls` of the profile passed. @@ -106,9 +134,3 @@ The error below is just Test Kitchen telling you that not all of the `controls` >>>>>> Please see .kitchen/logs/kitchen.log for more details >>>>>> Also try running `kitchen diagnose --all` for configuration ``` - -## Next Steps - -1. For steps that apply to making updates, patches, and updates to the profile, see the next section, [Updating the Profile](#updating-the-profile). -2. Your InSpec scan results are located in the `./spec/results/` directory, named `./spec/results/ubi-8_*.` -3. Use Heimdall Lite to load both the `hardened` and `vanilla` results to ensure your changes and updates, "failed as expected and passed as expected and covered your corner cases." From 0acf0b84a4ea0ef8a769f4b858fa0b5fb2b22b4d Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Tue, 10 Dec 2024 23:57:29 -0800 Subject: [PATCH 08/24] pg 7 Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/07.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/courses/profile-dev-test/07.md b/src/courses/profile-dev-test/07.md index 819aee9c4..b68dbfd4b 100644 --- a/src/courses/profile-dev-test/07.md +++ b/src/courses/profile-dev-test/07.md @@ -1,7 +1,7 @@ --- order: 7 next: 08.md -title: Pull Request Strategies - Choosing Your Approach +title: 7. Pull Request Strategies - Choosing Your Approach author: Aaron Lippold --- @@ -9,11 +9,11 @@ author: Aaron Lippold By the end of this section, you will: -- Understand GitFlow workflow for repository management +- Understand the GitHub Flow workflow for repository management - Compare micro and macro PR approaches - Learn when to use different PR strategies -## GitFlow Overview +## GitHub Flow Overview This project uses the [GitHub Flow](https://docs.github.com/en/get-started/quickstart/github-flow) model for managing changes. This workflow helps maintain code quality and collaboration through systematic pull requests (PRs). @@ -102,4 +102,8 @@ Consider these scenarios and decide which PR strategy you would use: 1. What are the key differences between micro and macro PRs? 2. Which PR strategy would you choose for a critical security patch? -3. How does GitFlow support different PR strategies? +3. How does GitHub Flow support different PR strategies? + +::: tip Why not both? +One approach is to have the small feature branches get merged into a version branch on successful review following the "Micro PR" approach. Then you can do a more holistic review of the macro PR associated with the version branch focusing more on having a consistent coding style, ensuring no duplicate `input`s got created, identifying InSpec controls that weren't modified when similar ones were, etc. Once the version branch is approved, it can be merged into the main branch and a release can be cut. +::: From dc6e632a023b9e11596ae3b87f4bb98986ad7e66 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 11 Dec 2024 00:06:54 -0800 Subject: [PATCH 09/24] pg 8 Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/08.md | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/src/courses/profile-dev-test/08.md b/src/courses/profile-dev-test/08.md index e26f9135a..9e16f4f0f 100644 --- a/src/courses/profile-dev-test/08.md +++ b/src/courses/profile-dev-test/08.md @@ -1,13 +1,13 @@ --- order: 8 next: 09.md -title: Security Benchmarks vs Traditional Software +title: 8. Security Benchmarks vs Traditional Software author: Aaron Lippold --- ## Understanding Security Benchmarks -## Key Differences from Traditional Software +### Key Differences from Traditional Software Security benchmarks differ from traditional software development in several critical ways: @@ -19,24 +19,26 @@ Security benchmarks differ from traditional software development in several crit - Each benchmark version is a complete, standalone entity - InSpec profiles must match their corresponding benchmark version exactly -## Development Approaches +### Development Approaches Two common approaches to benchmark development: - **Micro Approach**: Gradual, incremental development -- **Massive Approach**: Complete implementation in larger chunks +- **Macro Approach**: Complete implementation in larger chunks -> 💡 **Key Point**: Both approaches are valid - choose based on your team's workflow preferences. +::: tip Both approaches are valid +Choose an approach or combination thereof that is based on your team's workflow preferences. +::: -## Version Control Best Practices +### Version Control Best Practices -### Working with Branches +#### Working with Branches -- ⚠️ Never work directly on 'main' +- Never work directly on 'main' - Always fork from the latest release - Consider 'main' or 'development' branches as pre-release candidates -## Practical Exercise +### Practical Exercise Try answering these questions: @@ -44,5 +46,6 @@ Try answering these questions: 2. How should you handle new requirements that arise between releases? 3. What branch strategy would you use for a new benchmark version? ---- -**Remember**: Security benchmark validation is binary - it either meets all requirements or it doesn't. +::: important Security benchmark validation is binary +The benchmark validation either meets all requirements or it doesn't. It being an accurate, representative assessment (and thereby useful to others) requires that it be the former. +::: From 84503226324b06bee8f1fa05b2c8eba8e8b9eeaa Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 11 Dec 2024 00:51:31 -0800 Subject: [PATCH 10/24] pg 9 Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/09.md | 49 ++++++++++++++++++------------ 1 file changed, 30 insertions(+), 19 deletions(-) diff --git a/src/courses/profile-dev-test/09.md b/src/courses/profile-dev-test/09.md index d4d4e2942..485c8860a 100644 --- a/src/courses/profile-dev-test/09.md +++ b/src/courses/profile-dev-test/09.md @@ -17,25 +17,36 @@ By the end of this section, you will be able to: Security benchmark profiles require regular updates to maintain their effectiveness. Let's explore the three main types of updates: -### 1. Patch Updates (Minor Changes) - -- Frequency: Weekly to monthly -- Purpose: Address corner cases and improve testing code -- Version Change Example: v1.12.4 → v1.12.5 -- Typical Changes: Bug fixes, code improvements, test coverage expansion - -### 2. Release Updates (Intermediate Changes) - -- Triggered by: STIG Benchmark owner releases -- Example: RHEL STIG V1R12 → V1R13 -- Includes: New security requirements, updated controls - -### 3. Major Version Updates - -- Triggered by: New product versions -- Examples: - - RHEL 8 → RHEL 9 - - Windows Server 2019 → Windows Server 2022 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Patch UpdatesRelease UpdatesMajor Version Updates
ScopeMinorIntermediateIntermediate/Significant
TriggerThe validation code author desiring to address corner cases, fix bugs, or otherwise improve the quality of the tests.Guidance author making a new release of the benchmark to address new security requirements or update metadata such as the associated controls.The guidance author is significantly overhauling their nomenclature or requirement identification schema. Alternatively, a new major version of the software system is being released which would require a new version of the benchmark to address the potentially significant implementation changes - though in this case, guidance authors sometimes choose to create a new benchmark entirely.
ExampleAn InSpec control did not properly address a caveat specified by the guidance. Making the fix bumps the profile from v1.3.4 to v1.3.5.DISA publishes a new version of the RHEL 8 STIG going from V1R13 to V1R14 in order to adjust the check text command syntax for several sshd configuration related requirements amongst other things. Making the changes bumps the profile from v1.13.4 to v1.14.0.DISA adds, removes, and modifies a substantial number of controls due to transitioning between control versions (NIST SP 800-53 Rev. 4 to Rev. 5). Making the changes bumps the profile from v1.6.1 to v2.0.0.
## Understanding Update Scope From 955f16bbb9c9a760b17a306cca7df50379912e68 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 11 Dec 2024 00:54:29 -0800 Subject: [PATCH 11/24] pg 9 - forgot to update title so it has a number Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/09.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/courses/profile-dev-test/09.md b/src/courses/profile-dev-test/09.md index 485c8860a..b7b845390 100644 --- a/src/courses/profile-dev-test/09.md +++ b/src/courses/profile-dev-test/09.md @@ -1,7 +1,7 @@ --- order: 9 next: 10.md -title: Understanding Profile Updates +title: 9. Understanding Profile Updates author: Aaron Lippold --- From 28ceec692336fb4ba4fe3acc71d99e6400aa871f Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 11 Dec 2024 00:57:28 -0800 Subject: [PATCH 12/24] clarified language pg 9 Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/09.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/courses/profile-dev-test/09.md b/src/courses/profile-dev-test/09.md index b7b845390..561fe6dc4 100644 --- a/src/courses/profile-dev-test/09.md +++ b/src/courses/profile-dev-test/09.md @@ -36,8 +36,8 @@ Security benchmark profiles require regular updates to maintain their effectiven Trigger The validation code author desiring to address corner cases, fix bugs, or otherwise improve the quality of the tests. - Guidance author making a new release of the benchmark to address new security requirements or update metadata such as the associated controls. - The guidance author is significantly overhauling their nomenclature or requirement identification schema. Alternatively, a new major version of the software system is being released which would require a new version of the benchmark to address the potentially significant implementation changes - though in this case, guidance authors sometimes choose to create a new benchmark entirely. + Guidance author making a new release of the benchmark to address new or updated security requirements. + The guidance author is significantly overhauling their nomenclature, requirement identification schema, or control alignment. Alternatively, a new major version of the software system is being released which would require a new version of the benchmark to address the potentially significant implementation changes - though in this case, guidance authors sometimes choose to create a new benchmark entirely. Example From 43be27b74a1c97df0e50e9bc70dad0d2feb481ee Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 11 Dec 2024 00:58:31 -0800 Subject: [PATCH 13/24] ahhhhhhhhh Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/09.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/courses/profile-dev-test/09.md b/src/courses/profile-dev-test/09.md index 561fe6dc4..9e046c754 100644 --- a/src/courses/profile-dev-test/09.md +++ b/src/courses/profile-dev-test/09.md @@ -43,7 +43,7 @@ Security benchmark profiles require regular updates to maintain their effectiven Example An InSpec control did not properly address a caveat specified by the guidance. Making the fix bumps the profile from v1.3.4 to v1.3.5. DISA publishes a new version of the RHEL 8 STIG going from V1R13 to V1R14 in order to adjust the check text command syntax for several sshd configuration related requirements amongst other things. Making the changes bumps the profile from v1.13.4 to v1.14.0. - DISA adds, removes, and modifies a substantial number of controls due to transitioning between control versions (NIST SP 800-53 Rev. 4 to Rev. 5). Making the changes bumps the profile from v1.6.1 to v2.0.0. + DISA adds, removes, and modifies a substantial number of requirements due to transitioning between control versions (NIST SP 800-53 Rev. 4 to Rev. 5). Making the changes bumps the profile from v1.6.1 to v2.0.0. From 52d06c355b515b0fbd974432451d2352ca0b97f6 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 11 Dec 2024 13:10:10 -0800 Subject: [PATCH 14/24] pg 10 Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/10.md | 179 +++++++++++++++++++++++++---- 1 file changed, 155 insertions(+), 24 deletions(-) diff --git a/src/courses/profile-dev-test/10.md b/src/courses/profile-dev-test/10.md index a3a19a342..8ee0f2464 100644 --- a/src/courses/profile-dev-test/10.md +++ b/src/courses/profile-dev-test/10.md @@ -1,7 +1,7 @@ --- order: 10 next: 11.md -title: What Is `Done` for a Control? +title: 10. What Is `Done` for a Control? author: Aaron Lippold --- @@ -33,14 +33,14 @@ Understanding when a security control is truly "done" is crucial for security au You and your team might be wondering what 'done' means for a security control in your profile. Here are a few things to consider: -1. The security automation content and its tests are essentially a refactoring of the 'validation' and 'remediation' guidance already established by the benchmark. +1. The security automation content and its tests are essentially an alternative definition of the 'validation' and 'remediation' guidance already established by the benchmark. 2. The security automation content tests should fully capture the spirit - or intention - of the guidance, including its caveats, notes, discussion, and 'validation' and 'remediation' content. -3. The tests can - and usually do - capture known 'corner cases and security best practices' that are sometimes indirectly or not directly addressed by the benchmark but implied by the spirit of the security requirement being addressed. +3. The tests can - and usually do - capture known corner cases and security best practices which are sometimes only indirectly addressed by the benchmark but implied by the spirit of the security requirement being addressed. 4. These tests, like all human-written code, may not be perfect. They will need updates and will evolve as our knowledge of the system and benchmark grows. We use the profile in production and real-world environments. In other words, don't let the pursuit of perfection hinder progress. The 'is it done' litmus test is not solely determined by a perfect InSpec control or describe and expect blocks. It also heavily relies on you, the security automation engineer. Your experience, understanding of the platform you're working on, and the processes that you and your team have collectively agreed upon are all vital components. -Trust your established expected test outcomes, the guidance document, and the CI/CD testing framework. They will help you know that, to the best of your ability, you have captured the spirit of the testing required by the Benchmark. +Trust your established expected test outcomes, the guidance document, and the CI/CD testing framework. They will help you know that, to the best of your ability, you have captured all requirements and the spirit of the testing specified by the benchmark. ## The MITRE SAF Testing Framework @@ -48,20 +48,19 @@ Our framework provides a comprehensive approach to testing controls. We call thi We consider a control effectively tested when: -1. All aspects of the 'validation' - also known as 'check text' - have been addressed. -2. Any aspects of the 'remediation' - also known as 'fix text' - that are part of the 'validation' process have been captured. +1. All aspects of the 'validation' - also known as 'check text' - have been addressed. This is usually straightforward. +2. Any aspects of the 'remediation' - also known as 'fix text' - that are part of the 'validation' process have been captured. Sometimes guidance authors mix the type of information between the 'check' and 'fix' text areas, so we need to comprehensively read all of the guidance to ensure that we've extracted all of the 'validation' content wherever it might be. 3. Any documented conditions that are Not Applicable, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed. -4. Any documented conditions that have Not Been Reviewed, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed. -5. The conditions for Not Applicable and Not Reviewed are early in the control to ensure the control is as efficient as possible. +4. Any documented conditions that require manual review, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed such that the control is marked as Not Reviewed on execution of the profile. +5. The conditions for Not Applicable and Not Reviewed are assessed early in the control to ensure the control is as efficient as possible. 6. The control uses the `only_if` block vs 'if/else' logic when possible to ensure that the control is as clear, direct, and maintainable as possible from a coding perspective. 7. The control has been tested on both 'vanilla' and 'hardened' instances, ensuring that: - 1. The test communicates effectively and fails as expected on the 'vanilla' testing target. - 2. The test communicates effectively and passes on the 'hardened' testing target. - 3. The test communicates effectively and fails on a misconfigured 'vanilla' testing target. - 4. The test communicates effectively and fails on a misconfigured 'hardened' testing target. - 5. The test communicates effectively and clearly articulates the Not Applicable condition for both 'vanilla' and 'hardened' testing targets. - 6. The test communicates effectively and clearly articulates the Not Reviewed condition for both the 'vanilla' and 'hardened' testing targets. - 7. The tests have been constructed in a way that they do not produce Profile Errors when looping, using conditional logic, or when system conditions - such as missing files, directories, or services - are not in the expected locations. + 1. The test communicates effectively and passes as expected on both the 'vanilla' and `hardened` testing targets which were correctly configured. + 2. The test communicates effectively and fails as expected on both the `vanilla` and `hardened` testing targets which were misconfigured. + 3. The test communicates effectively and fails as expected on a misconfigured `vanilla` target, but then passes as expected on a properly configured `hardened` target. + 4. The test communicates effectively and clearly articulates the Not Applicable condition for both 'vanilla' and 'hardened' testing targets. + 5. The test communicates effectively and clearly articulates the Not Reviewed condition for both the 'vanilla' and 'hardened' testing targets. + 6. The tests have been constructed in a way that they do not produce Profile Errors when looping, using conditional logic, or when system conditions - such as missing files, directories, or services - are not in the expected locations. ## Best Practices for Test Implementation @@ -111,10 +110,142 @@ For example: Let's practice implementing a basic control: -1. Create a basic control test -2. Add passing and failing scenarios -3. Implement clear communication -4. Test edge cases +::: code-tabs#ruby + +@tab Create a basic control test +```ruby +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' +end +``` +@tab Add passing and failing scenarios +```ruby +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' + + tmp = mount('/tmp') + is_mounted = tmp.mounted? + describe is_mounted do + it { should cmp true } + end + + describe etc_fstab.where { mount_point == '/tmp' } do + it { should exist } + end +end +``` +@tab Implement clear communication +```ruby +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' + + describe mount('/tmp') do + it { should be_mounted } + end + + describe etc_fstab.where { mount_point == '/tmp' } do + it { should exist } + end +end +``` +@tab Test edge cases +```ruby +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' + + only_if('This control is Not Applicable to containers', impact: 0.0) { + !virtualization.system.eql?('docker') + } + + describe mount('/tmp') do + it { should be_mounted } + end + + describe etc_fstab.where { mount_point == '/tmp' } do + it { should exist } + end +end +``` ## Key Takeaways @@ -132,9 +263,9 @@ You might use a Spreadsheet or CSV file, a Markdown or RST Table, or even a 'che All these methods are acceptable. The important thing is to **choose one method and use it consistently.** -When working with multiple team members, it's crucial to have an effective way to communicate progress, understand who is working on which parts of the security guide, and know what 'still needs work' without constant direct communication. +When working with multiple team members, it's crucial to have an effective way to communicate progress, understand who is working on which parts of the security guide, and know what still needs work without constant direct communication. -The tracking method will also be influenced by the PR process you and your team select - either 'Macro' or 'Micro' - as discussed in the [Micro vs Macro](https://mitre.github.io/saf-training/courses/profile-dev-test/07.html#micro-vs-massive-pull-requests-prs) section. +The tracking method will also be influenced by the PR process you and your team select - either 'Macro' or 'Micro' - as discussed in the [Micro vs Macro](./07.md) section. ## Example Tracking Table @@ -162,10 +293,10 @@ The MITRE SAF team has found the following best practices effective for organizi 1. **Group Similar Controls:** When working on a security guidance document, group the controls you are working on using the guidance indexes - such as the SRG ID in STIGs, and requirement major version in CIS Benchmarks. This allows for efficient reuse of repeated patterns of control implementation. -2. **Tags, Status Columns & State:** As a team, decide on the method for tracking work progress and agree on the terminology for concepts such as 'reviewed', 'tested', and 'done'/'completed'. Refer to the [`Tracking Table`](#simple-tracking-table) example above to understand how both 'technical' and 'business' requirements are tracked and reported for each requirement in the profile. +2. **Tags, Status Columns, and State:** As a team, decide on the method for tracking work progress and agree on the terminology for concepts such as 'reviewed', 'tested', and 'done'/'completed'. Refer to the [`Tracking Table`](#simple-tracking-table) example above to understand how both 'technical' and 'business' requirements are tracked and reported for each requirement in the profile. -3. **Assign Priority & Agree on an In/Out Approach:** Every benchmark will have easy, medium, and complex requirements and tests that need implementation. You will need to review every control in the Profile, but choosing an 'easy first, hard last' or 'hard first, easy last' approach can help your team make efficient progress quickly and avoid continuous 'context switching' between straightforward and complicated testing. +3. **Assign Priority, and Agree on an In/Out Approach:** Every benchmark will have easy, medium, and complex requirements and tests that need implementation. You will need to review every control in the Profile, but choosing an 'easy first, hard last' or 'hard first, easy last' approach can help your team make efficient progress quickly and avoid continuous 'context switching' between straightforward and complicated testing. -4. **Always Strive to Have a Full Test Suite:** Ensuring the fidelity of testing is crucial. This principle applies to both the 'vanilla' and 'hardened' contexts, as well as to the 'primary deployment platforms' that your profile supports. These platforms might include Virtual Machines, Cloud Instances, and Container Deployments. Your goal should be to have both 'hardened' and 'vanilla' baselines for each deployment target. This strategy allows for easy provisioning of each platform. It also facilitates easy testing of your control on each platform as you progress from one control to another. This practice ensures that you are crafting the best possible tests for each target platform and configuration. +4. **Always Strive to Have a Full Test Suite:** Ensuring the fidelity of testing is crucial. This principle applies to both the 'vanilla' and 'hardened' contexts, as well as to the primary deployment platforms that your profile supports. These platforms might include Virtual Machines, Cloud Instances, and Container Deployments. Your goal should be to have both 'hardened' and 'vanilla' baselines for each deployment target. This strategy allows for easy provisioning of each platform. It also facilitates easy testing of your control on each platform as you progress from one control to another. This practice ensures that you are crafting the best possible tests for each target platform and configuration. 5. **Try to Test Locally First, with the Pipeline Second:** One of the key patterns highlighted in this guidance is the combination of local and CI/CD-based testing. We advocate for both approaches for a specific reason. When you are working on multiple controls, it's more efficient to test each control on each platform locally. This method is quicker than waiting for the CI/CD pipeline to create a new deployment of the test and target platforms each time. Once you have configured your targets and platforms locally with Test Kitchen, you can be confident in their stability. You should prioritize these local targets for initial testing. After testing them and when you are ready to proceed to the next control, push those updates to the CI/CD pipeline. This step verifies that your controls still function in a clean environment. This approach promotes a more efficient workflow process and eliminates the need for continuous 'push and wait' for the pipeline. From 7d9e6a828cd33b2c21b237456d75b15b387a079d Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 11 Dec 2024 13:13:37 -0800 Subject: [PATCH 15/24] forgot to close the code tabs Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/10.md | 1 + 1 file changed, 1 insertion(+) diff --git a/src/courses/profile-dev-test/10.md b/src/courses/profile-dev-test/10.md index 8ee0f2464..7246aa210 100644 --- a/src/courses/profile-dev-test/10.md +++ b/src/courses/profile-dev-test/10.md @@ -246,6 +246,7 @@ If a separate entry for "/tmp" is not in use, this is a finding.' end end ``` +::: ## Key Takeaways From 769ee071003f98cc4495cfaaeb025cfee2297b27 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Wed, 11 Dec 2024 13:33:57 -0800 Subject: [PATCH 16/24] slight reordering so that it's profile management, then profile updates, and then what is each kind of update Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/09.md | 349 ++++++++++++++++++++++++----- src/courses/profile-dev-test/10.md | 314 +++----------------------- src/courses/profile-dev-test/11.md | 119 +++++----- 3 files changed, 391 insertions(+), 391 deletions(-) diff --git a/src/courses/profile-dev-test/09.md b/src/courses/profile-dev-test/09.md index 9e046c754..9cb8b3163 100644 --- a/src/courses/profile-dev-test/09.md +++ b/src/courses/profile-dev-test/09.md @@ -1,72 +1,303 @@ --- order: 9 next: 10.md -title: 9. Understanding Profile Updates +title: 9. What Is `Done` for a Control? author: Aaron Lippold --- +# Understanding Control Completion in Security Automation + ## Learning Objectives By the end of this section, you will be able to: -- Identify the three types of profile updates -- Understand the scope of STIG and CIS Benchmark updates -- Recognize the forward-only nature of security benchmark updates - -## Types of Profile Updates - -Security benchmark profiles require regular updates to maintain their effectiveness. Let's explore the three main types of updates: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Patch UpdatesRelease UpdatesMajor Version Updates
ScopeMinorIntermediateIntermediate/Significant
TriggerThe validation code author desiring to address corner cases, fix bugs, or otherwise improve the quality of the tests.Guidance author making a new release of the benchmark to address new or updated security requirements.The guidance author is significantly overhauling their nomenclature, requirement identification schema, or control alignment. Alternatively, a new major version of the software system is being released which would require a new version of the benchmark to address the potentially significant implementation changes - though in this case, guidance authors sometimes choose to create a new benchmark entirely.
ExampleAn InSpec control did not properly address a caveat specified by the guidance. Making the fix bumps the profile from v1.3.4 to v1.3.5.DISA publishes a new version of the RHEL 8 STIG going from V1R13 to V1R14 in order to adjust the check text command syntax for several sshd configuration related requirements amongst other things. Making the changes bumps the profile from v1.13.4 to v1.14.0.DISA adds, removes, and modifies a substantial number of requirements due to transitioning between control versions (NIST SP 800-53 Rev. 4 to Rev. 5). Making the changes bumps the profile from v1.6.1 to v2.0.0.
- -## Understanding Update Scope - -Important concepts to remember: - -- Updates are version-specific -- Changes only move forward ("forward-only" process) -- No "back-patching" to older versions -- Each requirement maps to: - - Source SRG document - - Control Correlation Identifier (CCI) - - Unique Rule and STIG IDs - -Example requirement identifiers: +- Define the criteria for a "done" security control +- Apply the MITRE SAF yardstick to evaluate controls +- Implement effective control testing strategies +- Create and maintain progress tracking systems +- Debug common control implementation issues + +## Knowledge Check Questions + +Before we begin, consider these questions: + +1. What makes a security control "complete"? +2. How do you verify a control works in different environments? +3. What's the difference between "passing well" and just passing? + +## Introduction + +Understanding when a security control is truly "done" is crucial for security automation engineers. This section will guide you through the criteria, best practices, and practical approaches to ensure your controls are complete and effective. + +## When is a Control Considered 'Done' + +You and your team might be wondering what 'done' means for a security control in your profile. Here are a few things to consider: + +1. The security automation content and its tests are essentially an alternative definition of the 'validation' and 'remediation' guidance already established by the benchmark. +2. The security automation content tests should fully capture the spirit - or intention - of the guidance, including its caveats, notes, discussion, and 'validation' and 'remediation' content. +3. The tests can - and usually do - capture known corner cases and security best practices which are sometimes only indirectly addressed by the benchmark but implied by the spirit of the security requirement being addressed. +4. These tests, like all human-written code, may not be perfect. They will need updates and will evolve as our knowledge of the system and benchmark grows. We use the profile in production and real-world environments. In other words, don't let the pursuit of perfection hinder progress. + +The 'is it done' litmus test is not solely determined by a perfect InSpec control or describe and expect blocks. It also heavily relies on you, the security automation engineer. Your experience, understanding of the platform you're working on, and the processes that you and your team have collectively agreed upon are all vital components. + +Trust your established expected test outcomes, the guidance document, and the CI/CD testing framework. They will help you know that, to the best of your ability, you have captured all requirements and the spirit of the testing specified by the benchmark. + +## The MITRE SAF Testing Framework + +Our framework provides a comprehensive approach to testing controls. We call this the "SAF Yardstick": + +We consider a control effectively tested when: + +1. All aspects of the 'validation' - also known as 'check text' - have been addressed. This is usually straightforward. +2. Any aspects of the 'remediation' - also known as 'fix text' - that are part of the 'validation' process have been captured. Sometimes guidance authors mix the type of information between the 'check' and 'fix' text areas, so we need to comprehensively read all of the guidance to ensure that we've extracted all of the 'validation' content wherever it might be. +3. Any documented conditions that are Not Applicable, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed. +4. Any documented conditions that require manual review, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed such that the control is marked as Not Reviewed on execution of the profile. +5. The conditions for Not Applicable and Not Reviewed are assessed early in the control to ensure the control is as efficient as possible. +6. The control uses the `only_if` block vs 'if/else' logic when possible to ensure that the control is as clear, direct, and maintainable as possible from a coding perspective. +7. The control has been tested on both 'vanilla' and 'hardened' instances, ensuring that: + 1. The test communicates effectively and passes as expected on both the 'vanilla' and `hardened` testing targets which were correctly configured. + 2. The test communicates effectively and fails as expected on both the `vanilla` and `hardened` testing targets which were misconfigured. + 3. The test communicates effectively and fails as expected on a misconfigured `vanilla` target, but then passes as expected on a properly configured `hardened` target. + 4. The test communicates effectively and clearly articulates the Not Applicable condition for both 'vanilla' and 'hardened' testing targets. + 5. The test communicates effectively and clearly articulates the Not Reviewed condition for both the 'vanilla' and 'hardened' testing targets. + 6. The tests have been constructed in a way that they do not produce Profile Errors when looping, using conditional logic, or when system conditions - such as missing files, directories, or services - are not in the expected locations. + +## Best Practices for Test Implementation + +### Passing Tests (Passing Well) + +A well-implemented passing test should: + +- Clearly communicate success conditions +- Use simple, direct language +- Include validation of edge cases + +For example: + +```shell +✔ SV-230222: RHEL 8 vendor packaged system security patches and updates must be installed and up to date. + ✔ All system security patches and updates are up to date and have been applied +``` + +`Passes as Expected` also encompasses: + +- The conditions for the Not Reviewed and Not Applicable states for the control, if any. + +### Failing Tests (Failing Well) + +When implementing failure scenarios, ensure: + +- Clear error messages +- Actionable feedback +- Proper error handling + +For example: + +```shell +✔ SV-230222: RHEL 8 vendor packaged system security patches and updates must be installed and up to date. + x The following packages have security patches and need to be updated: + - package 1 + - package 2 + - package 3 + - package 4 +``` + +`Fails as Expected` also encompasses: + +- Misconfigurations, extra lines in files, extra settings, missing files, etc. + +## Hands-on Exercise 1: Creating Your First Control + +Let's practice implementing a basic control: + +::: code-tabs#ruby + +@tab Create a basic control test +```ruby +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' +end +``` +@tab Add passing and failing scenarios +```ruby +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' + + tmp = mount('/tmp') + is_mounted = tmp.mounted? + describe is_mounted do + it { should cmp true } + end + + describe etc_fstab.where { mount_point == '/tmp' } do + it { should exist } + end +end +``` +@tab Implement clear communication ```ruby -tag gtitle: 'SRG-OS-000480-GPOS-00227' -tag gid: 'V-230221' -tag rid: 'SV-230221r858734_rule' -tag stig_id: 'RHEL-08-010000' -tag fix_id: 'F-32865r567410_fix' -tag cci: ['CCI-000366'] +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' + + describe mount('/tmp') do + it { should be_mounted } + end + + describe etc_fstab.where { mount_point == '/tmp' } do + it { should exist } + end +end ``` +@tab Test edge cases +```ruby +control 'SV-257844' do + title 'RHEL 9 must use a separate file system for /tmp.' + desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' + desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: + +$ mount | grep /tmp + +tmpfs /tmp tmpfs noatime,mode=1777 0 0 + +If a separate entry for "/tmp" is not in use, this is a finding.' + desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000480-GPOS-00227' + tag gid: 'V-257844' + tag rid: 'SV-257844r925519_rule' + tag stig_id: 'RHEL-09-231015' + tag fix_id: 'F-61509r925518_fix' + tag cci: ['CCI-000366'] + tag nist: ['CM-6 b'] + tag 'host' + + only_if('This control is Not Applicable to containers', impact: 0.0) { + !virtualization.system.eql?('docker') + } + + describe mount('/tmp') do + it { should be_mounted } + end + + describe etc_fstab.where { mount_point == '/tmp' } do + it { should exist } + end +end +``` +::: + +## Key Takeaways + +- Control completion is more than just passing tests +- Use the SAF Yardstick as your guide +- Clear communication is essential +- Track progress consistently +- Group similar controls for efficiency + +## Tracking Your Progress + +Updating a 'Patch', 'Release', or 'Major Version' can be a challenging task. However, there are several methods a team can use to track progress. + +You might use a Spreadsheet or CSV file, a Markdown or RST Table, or even a 'checklist' on the 'Pull Request' that your team updates as progress is made. + +All these methods are acceptable. The important thing is to **choose one method and use it consistently.** + +When working with multiple team members, it's crucial to have an effective way to communicate progress, understand who is working on which parts of the security guide, and know what still needs work without constant direct communication. + +The tracking method will also be influenced by the PR process you and your team select - either 'Macro' or 'Micro' - as discussed in the [Micro vs Macro](./07.md) section. + +## Example Tracking Table + +The key to effective tracking is simplicity. This ensures: + +1) Each team member can easily understand what and how they need to document their progress, and +2) They will actually document their progress. + +### Simple Tracking Table + +| Assignee | Control | Priority | Reviewed | Tested | Text Updated | New Resource | Inputs | +| -------- | --------- | -------- | -------- | ------ | ------------ | ------------ | ----------------------- | +| John | SV-230221 | N | Y | Y | Y | N | None | +| John | SV-230222 | Y | Y | Y | Y | N | `disable_slow_controls` | +| Jane | SV-230223 | Y | Y | Y | Y | N | `use_fips` | +| Bob | SV-230224 | Y | Y | Y | Y | N | `data_at_rest_exempt` | + +In this example, we used a simple markdown table. However, an Excel Spreadsheet, Google Sheet, or CSV might work better for your team. + +Ultimately, the most important thing is to track the work. The method you choose to do so is a team decision. + +## Considerations for Grouping Work + +The MITRE SAF team has found the following best practices effective for organizing our work: + +1. **Group Similar Controls:** When working on a security guidance document, group the controls you are working on using the guidance indexes - such as the SRG ID in STIGs, and requirement major version in CIS Benchmarks. This allows for efficient reuse of repeated patterns of control implementation. + +2. **Tags, Status Columns, and State:** As a team, decide on the method for tracking work progress and agree on the terminology for concepts such as 'reviewed', 'tested', and 'done'/'completed'. Refer to the [`Tracking Table`](#simple-tracking-table) example above to understand how both 'technical' and 'business' requirements are tracked and reported for each requirement in the profile. + +3. **Assign Priority, and Agree on an In/Out Approach:** Every benchmark will have easy, medium, and complex requirements and tests that need implementation. You will need to review every control in the Profile, but choosing an 'easy first, hard last' or 'hard first, easy last' approach can help your team make efficient progress quickly and avoid continuous 'context switching' between straightforward and complicated testing. + +4. **Always Strive to Have a Full Test Suite:** Ensuring the fidelity of testing is crucial. This principle applies to both the 'vanilla' and 'hardened' contexts, as well as to the primary deployment platforms that your profile supports. These platforms might include Virtual Machines, Cloud Instances, and Container Deployments. Your goal should be to have both 'hardened' and 'vanilla' baselines for each deployment target. This strategy allows for easy provisioning of each platform. It also facilitates easy testing of your control on each platform as you progress from one control to another. This practice ensures that you are crafting the best possible tests for each target platform and configuration. + +5. **Try to Test Locally First, with the Pipeline Second:** One of the key patterns highlighted in this guidance is the combination of local and CI/CD-based testing. We advocate for both approaches for a specific reason. When you are working on multiple controls, it's more efficient to test each control on each platform locally. This method is quicker than waiting for the CI/CD pipeline to create a new deployment of the test and target platforms each time. Once you have configured your targets and platforms locally with Test Kitchen, you can be confident in their stability. You should prioritize these local targets for initial testing. After testing them and when you are ready to proceed to the next control, push those updates to the CI/CD pipeline. This step verifies that your controls still function in a clean environment. This approach promotes a more efficient workflow process and eliminates the need for continuous 'push and wait' for the pipeline. diff --git a/src/courses/profile-dev-test/10.md b/src/courses/profile-dev-test/10.md index 7246aa210..0f48dc35f 100644 --- a/src/courses/profile-dev-test/10.md +++ b/src/courses/profile-dev-test/10.md @@ -1,303 +1,59 @@ --- order: 10 next: 11.md -title: 10. What Is `Done` for a Control? +title: 10. Security Benchmark Profile Management author: Aaron Lippold --- -# Understanding Control Completion in Security Automation +## Introduction to Profile Management -## Learning Objectives +Security benchmark profiles are critical tools for maintaining system security standards. Before diving into the implementation details, let's understand the fundamental principles that guide their management. -By the end of this section, you will be able to: +## Core Principles of Profile Management -- Define the criteria for a "done" security control -- Apply the MITRE SAF yardstick to evaluate controls -- Implement effective control testing strategies -- Create and maintain progress tracking systems -- Debug common control implementation issues +### 1. Version Control and Integrity -## Knowledge Check Questions +**Key Rule: Keep Versions Separate** -Before we begin, consider these questions: +- Never mix requirements from different versions +- Each version represents a distinct security baseline +- Example: Don't combine STIG v2.5 requirements with v3.0 requirements -1. What makes a security control "complete"? -2. How do you verify a control works in different environments? -3. What's the difference between "passing well" and just passing? +### 2. Completeness Principle -## Introduction +**Key Rule: All or Nothing** -Understanding when a security control is truly "done" is crucial for security automation engineers. This section will guide you through the criteria, best practices, and practical approaches to ensure your controls are complete and effective. +- Security benchmarks must include all requirements for a specific version +- Think of it like a recipe - missing ingredients affect the final result +- Focus on one requirement at a time during development +- Example: A Windows 10 STIG profile must implement all controls specified in that version -## When is a Control Considered 'Done' +### 3. Release Management -You and your team might be wondering what 'done' means for a security control in your profile. Here are a few things to consider: +**Key Rule: Meet All Standards** -1. The security automation content and its tests are essentially an alternative definition of the 'validation' and 'remediation' guidance already established by the benchmark. -2. The security automation content tests should fully capture the spirit - or intention - of the guidance, including its caveats, notes, discussion, and 'validation' and 'remediation' content. -3. The tests can - and usually do - capture known corner cases and security best practices which are sometimes only indirectly addressed by the benchmark but implied by the spirit of the security requirement being addressed. -4. These tests, like all human-written code, may not be perfect. They will need updates and will evolve as our knowledge of the system and benchmark grows. We use the profile in production and real-world environments. In other words, don't let the pursuit of perfection hinder progress. +- Release readiness is determined by: + - Passing all validation tests + - Meeting security hardening requirements + - Achieving expected thresholds -The 'is it done' litmus test is not solely determined by a perfect InSpec control or describe and expect blocks. It also heavily relies on you, the security automation engineer. Your experience, understanding of the platform you're working on, and the processes that you and your team have collectively agreed upon are all vital components. +### 4. Testing Environment Standards -Trust your established expected test outcomes, the guidance document, and the CI/CD testing framework. They will help you know that, to the best of your ability, you have captured all requirements and the spirit of the testing specified by the benchmark. +**Key Rule: Use Standard Baselines** -## The MITRE SAF Testing Framework +- Start with vendor-managed standard releases +- Test against both: + - Default ("vanilla") configurations + - Hardened configurations +- This ensures real-world applicability -Our framework provides a comprehensive approach to testing controls. We call this the "SAF Yardstick": +## Best Practices for Implementation -We consider a control effectively tested when: +1. Document your testing environment +2. Maintain a changelog for each profile version +3. Use version control for tracking changes +4. Test thoroughly before releasing -1. All aspects of the 'validation' - also known as 'check text' - have been addressed. This is usually straightforward. -2. Any aspects of the 'remediation' - also known as 'fix text' - that are part of the 'validation' process have been captured. Sometimes guidance authors mix the type of information between the 'check' and 'fix' text areas, so we need to comprehensively read all of the guidance to ensure that we've extracted all of the 'validation' content wherever it might be. -3. Any documented conditions that are Not Applicable, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed. -4. Any documented conditions that require manual review, as outlined in the 'discussion', 'check', or 'fix' text, have been addressed such that the control is marked as Not Reviewed on execution of the profile. -5. The conditions for Not Applicable and Not Reviewed are assessed early in the control to ensure the control is as efficient as possible. -6. The control uses the `only_if` block vs 'if/else' logic when possible to ensure that the control is as clear, direct, and maintainable as possible from a coding perspective. -7. The control has been tested on both 'vanilla' and 'hardened' instances, ensuring that: - 1. The test communicates effectively and passes as expected on both the 'vanilla' and `hardened` testing targets which were correctly configured. - 2. The test communicates effectively and fails as expected on both the `vanilla` and `hardened` testing targets which were misconfigured. - 3. The test communicates effectively and fails as expected on a misconfigured `vanilla` target, but then passes as expected on a properly configured `hardened` target. - 4. The test communicates effectively and clearly articulates the Not Applicable condition for both 'vanilla' and 'hardened' testing targets. - 5. The test communicates effectively and clearly articulates the Not Reviewed condition for both the 'vanilla' and 'hardened' testing targets. - 6. The tests have been constructed in a way that they do not produce Profile Errors when looping, using conditional logic, or when system conditions - such as missing files, directories, or services - are not in the expected locations. +## Summary -## Best Practices for Test Implementation - -### Passing Tests (Passing Well) - -A well-implemented passing test should: - -- Clearly communicate success conditions -- Use simple, direct language -- Include validation of edge cases - -For example: - -```shell -✔ SV-230222: RHEL 8 vendor packaged system security patches and updates must be installed and up to date. - ✔ All system security patches and updates are up to date and have been applied -``` - -`Passes as Expected` also encompasses: - -- The conditions for the Not Reviewed and Not Applicable states for the control, if any. - -### Failing Tests (Failing Well) - -When implementing failure scenarios, ensure: - -- Clear error messages -- Actionable feedback -- Proper error handling - -For example: - -```shell -✔ SV-230222: RHEL 8 vendor packaged system security patches and updates must be installed and up to date. - x The following packages have security patches and need to be updated: - - package 1 - - package 2 - - package 3 - - package 4 -``` - -`Fails as Expected` also encompasses: - -- Misconfigurations, extra lines in files, extra settings, missing files, etc. - -## Hands-on Exercise 1: Creating Your First Control - -Let's practice implementing a basic control: - -::: code-tabs#ruby - -@tab Create a basic control test -```ruby -control 'SV-257844' do - title 'RHEL 9 must use a separate file system for /tmp.' - desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' - desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: - -$ mount | grep /tmp - -tmpfs /tmp tmpfs noatime,mode=1777 0 0 - -If a separate entry for "/tmp" is not in use, this is a finding.' - desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' - impact 0.5 - ref 'DPMS Target Red Hat Enterprise Linux 9' - tag severity: 'medium' - tag gtitle: 'SRG-OS-000480-GPOS-00227' - tag gid: 'V-257844' - tag rid: 'SV-257844r925519_rule' - tag stig_id: 'RHEL-09-231015' - tag fix_id: 'F-61509r925518_fix' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] - tag 'host' -end -``` -@tab Add passing and failing scenarios -```ruby -control 'SV-257844' do - title 'RHEL 9 must use a separate file system for /tmp.' - desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' - desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: - -$ mount | grep /tmp - -tmpfs /tmp tmpfs noatime,mode=1777 0 0 - -If a separate entry for "/tmp" is not in use, this is a finding.' - desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' - impact 0.5 - ref 'DPMS Target Red Hat Enterprise Linux 9' - tag severity: 'medium' - tag gtitle: 'SRG-OS-000480-GPOS-00227' - tag gid: 'V-257844' - tag rid: 'SV-257844r925519_rule' - tag stig_id: 'RHEL-09-231015' - tag fix_id: 'F-61509r925518_fix' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] - tag 'host' - - tmp = mount('/tmp') - is_mounted = tmp.mounted? - describe is_mounted do - it { should cmp true } - end - - describe etc_fstab.where { mount_point == '/tmp' } do - it { should exist } - end -end -``` -@tab Implement clear communication -```ruby -control 'SV-257844' do - title 'RHEL 9 must use a separate file system for /tmp.' - desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' - desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: - -$ mount | grep /tmp - -tmpfs /tmp tmpfs noatime,mode=1777 0 0 - -If a separate entry for "/tmp" is not in use, this is a finding.' - desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' - impact 0.5 - ref 'DPMS Target Red Hat Enterprise Linux 9' - tag severity: 'medium' - tag gtitle: 'SRG-OS-000480-GPOS-00227' - tag gid: 'V-257844' - tag rid: 'SV-257844r925519_rule' - tag stig_id: 'RHEL-09-231015' - tag fix_id: 'F-61509r925518_fix' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] - tag 'host' - - describe mount('/tmp') do - it { should be_mounted } - end - - describe etc_fstab.where { mount_point == '/tmp' } do - it { should exist } - end -end -``` -@tab Test edge cases -```ruby -control 'SV-257844' do - title 'RHEL 9 must use a separate file system for /tmp.' - desc 'The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.' - desc 'check', 'Verify that a separate file system/partition has been created for "/tmp" with the following command: - -$ mount | grep /tmp - -tmpfs /tmp tmpfs noatime,mode=1777 0 0 - -If a separate entry for "/tmp" is not in use, this is a finding.' - desc 'fix', 'Migrate the "/tmp" path onto a separate file system.' - impact 0.5 - ref 'DPMS Target Red Hat Enterprise Linux 9' - tag severity: 'medium' - tag gtitle: 'SRG-OS-000480-GPOS-00227' - tag gid: 'V-257844' - tag rid: 'SV-257844r925519_rule' - tag stig_id: 'RHEL-09-231015' - tag fix_id: 'F-61509r925518_fix' - tag cci: ['CCI-000366'] - tag nist: ['CM-6 b'] - tag 'host' - - only_if('This control is Not Applicable to containers', impact: 0.0) { - !virtualization.system.eql?('docker') - } - - describe mount('/tmp') do - it { should be_mounted } - end - - describe etc_fstab.where { mount_point == '/tmp' } do - it { should exist } - end -end -``` -::: - -## Key Takeaways - -- Control completion is more than just passing tests -- Use the SAF Yardstick as your guide -- Clear communication is essential -- Track progress consistently -- Group similar controls for efficiency - -## Tracking Your Progress - -Updating a 'Patch', 'Release', or 'Major Version' can be a challenging task. However, there are several methods a team can use to track progress. - -You might use a Spreadsheet or CSV file, a Markdown or RST Table, or even a 'checklist' on the 'Pull Request' that your team updates as progress is made. - -All these methods are acceptable. The important thing is to **choose one method and use it consistently.** - -When working with multiple team members, it's crucial to have an effective way to communicate progress, understand who is working on which parts of the security guide, and know what still needs work without constant direct communication. - -The tracking method will also be influenced by the PR process you and your team select - either 'Macro' or 'Micro' - as discussed in the [Micro vs Macro](./07.md) section. - -## Example Tracking Table - -The key to effective tracking is simplicity. This ensures: - -1) Each team member can easily understand what and how they need to document their progress, and -2) They will actually document their progress. - -### Simple Tracking Table - -| Assignee | Control | Priority | Reviewed | Tested | Text Updated | New Resource | Inputs | -| -------- | --------- | -------- | -------- | ------ | ------------ | ------------ | ----------------------- | -| John | SV-230221 | N | Y | Y | Y | N | None | -| John | SV-230222 | Y | Y | Y | Y | N | `disable_slow_controls` | -| Jane | SV-230223 | Y | Y | Y | Y | N | `use_fips` | -| Bob | SV-230224 | Y | Y | Y | Y | N | `data_at_rest_exempt` | - -In this example, we used a simple markdown table. However, an Excel Spreadsheet, Google Sheet, or CSV might work better for your team. - -Ultimately, the most important thing is to track the work. The method you choose to do so is a team decision. - -## Considerations for Grouping Work - -The MITRE SAF team has found the following best practices effective for organizing our work: - -1. **Group Similar Controls:** When working on a security guidance document, group the controls you are working on using the guidance indexes - such as the SRG ID in STIGs, and requirement major version in CIS Benchmarks. This allows for efficient reuse of repeated patterns of control implementation. - -2. **Tags, Status Columns, and State:** As a team, decide on the method for tracking work progress and agree on the terminology for concepts such as 'reviewed', 'tested', and 'done'/'completed'. Refer to the [`Tracking Table`](#simple-tracking-table) example above to understand how both 'technical' and 'business' requirements are tracked and reported for each requirement in the profile. - -3. **Assign Priority, and Agree on an In/Out Approach:** Every benchmark will have easy, medium, and complex requirements and tests that need implementation. You will need to review every control in the Profile, but choosing an 'easy first, hard last' or 'hard first, easy last' approach can help your team make efficient progress quickly and avoid continuous 'context switching' between straightforward and complicated testing. - -4. **Always Strive to Have a Full Test Suite:** Ensuring the fidelity of testing is crucial. This principle applies to both the 'vanilla' and 'hardened' contexts, as well as to the primary deployment platforms that your profile supports. These platforms might include Virtual Machines, Cloud Instances, and Container Deployments. Your goal should be to have both 'hardened' and 'vanilla' baselines for each deployment target. This strategy allows for easy provisioning of each platform. It also facilitates easy testing of your control on each platform as you progress from one control to another. This practice ensures that you are crafting the best possible tests for each target platform and configuration. - -5. **Try to Test Locally First, with the Pipeline Second:** One of the key patterns highlighted in this guidance is the combination of local and CI/CD-based testing. We advocate for both approaches for a specific reason. When you are working on multiple controls, it's more efficient to test each control on each platform locally. This method is quicker than waiting for the CI/CD pipeline to create a new deployment of the test and target platforms each time. Once you have configured your targets and platforms locally with Test Kitchen, you can be confident in their stability. You should prioritize these local targets for initial testing. After testing them and when you are ready to proceed to the next control, push those updates to the CI/CD pipeline. This step verifies that your controls still function in a clean environment. This approach promotes a more efficient workflow process and eliminates the need for continuous 'push and wait' for the pipeline. +Remember: Security benchmarks are complete sets of requirements tied to specific versions. Success comes from methodical implementation and thorough testing against standard baselines. diff --git a/src/courses/profile-dev-test/11.md b/src/courses/profile-dev-test/11.md index b94741697..6928b0a96 100644 --- a/src/courses/profile-dev-test/11.md +++ b/src/courses/profile-dev-test/11.md @@ -1,59 +1,72 @@ --- order: 11 next: 12.md -title: Security Benchmark Profile Management +title: 11. Understanding Profile Updates author: Aaron Lippold --- -## Introduction to Profile Management - -Security benchmark profiles are critical tools for maintaining system security standards. Before diving into the implementation details, let's understand the fundamental principles that guide their management. - -## Core Principles of Profile Management - -### 1. Version Control and Integrity - -**Key Rule: Keep Versions Separate** - -- Never mix requirements from different versions -- Each version represents a distinct security baseline -- Example: Don't combine STIG v2.5 requirements with v3.0 requirements - -### 2. Completeness Principle - -**Key Rule: All or Nothing** - -- Security benchmarks must include all requirements for a specific version -- Think of it like a recipe - missing ingredients affect the final result -- Example: A Windows 10 STIG profile must implement all controls specified in that version - -### 3. Release Management - -**Key Rule: Meet All Standards** - -- Release readiness is determined by: - - Passing all validation tests - - Meeting security hardening requirements - - Achieving expected thresholds -- Focus on one requirement at a time during development - -### 4. Testing Environment Standards - -**Key Rule: Use Standard Baselines** - -- Start with vendor-managed standard releases -- Test against both: - - Default ("vanilla") configurations - - Hardened configurations -- This ensures real-world applicability - -## Best Practices for Implementation - -1. Document your testing environment -2. Maintain a changelog for each profile version -3. Use version control for tracking changes -4. Test thoroughly before releasing - -## Summary - -Remember: Security benchmarks are complete sets of requirements tied to specific versions. Success comes from methodical implementation and thorough testing against standard baselines. +## Learning Objectives + +By the end of this section, you will be able to: + +- Identify the three types of profile updates +- Understand the scope of STIG and CIS Benchmark updates +- Recognize the forward-only nature of security benchmark updates + +## Types of Profile Updates + +Security benchmark profiles require regular updates to maintain their effectiveness. Let's explore the three main types of updates: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Patch UpdatesRelease UpdatesMajor Version Updates
ScopeMinorIntermediateIntermediate/Significant
TriggerThe validation code author desiring to address corner cases, fix bugs, or otherwise improve the quality of the tests.Guidance author making a new release of the benchmark to address new or updated security requirements.The guidance author is significantly overhauling their nomenclature, requirement identification schema, or control alignment. Alternatively, a new major version of the software system is being released which would require a new version of the benchmark to address the potentially significant implementation changes - though in this case, guidance authors sometimes choose to create a new benchmark entirely.
ExampleAn InSpec control did not properly address a caveat specified by the guidance. Making the fix bumps the profile from v1.3.4 to v1.3.5.DISA publishes a new version of the RHEL 8 STIG going from V1R13 to V1R14 in order to adjust the check text command syntax for several sshd configuration related requirements amongst other things. Making the changes bumps the profile from v1.13.4 to v1.14.0.DISA adds, removes, and modifies a substantial number of requirements due to transitioning between control versions (NIST SP 800-53 Rev. 4 to Rev. 5). Making the changes bumps the profile from v1.6.1 to v2.0.0.
+ +## Understanding Update Scope + +Important concepts to remember: + +- Updates are version-specific +- Changes only move forward ("forward-only" process) +- No "back-patching" to older versions +- Each requirement maps to: + - Source SRG document + - Control Correlation Identifier (CCI) + - Unique Rule and STIG IDs + +Example requirement identifiers: + +```ruby +tag gtitle: 'SRG-OS-000480-GPOS-00227' +tag gid: 'V-230221' +tag rid: 'SV-230221r858734_rule' +tag stig_id: 'RHEL-08-010000' +tag fix_id: 'F-32865r567410_fix' +tag cci: ['CCI-000366'] +``` From 357529aef8886eda290b9ed277936d407490af13 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 12 Dec 2024 10:08:49 -0800 Subject: [PATCH 17/24] pg 12-14 - update types Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/12.md | 7 +- src/courses/profile-dev-test/13.md | 24 ++++-- src/courses/profile-dev-test/14.md | 130 +++++++++++++++++++++++++++-- 3 files changed, 142 insertions(+), 19 deletions(-) diff --git a/src/courses/profile-dev-test/12.md b/src/courses/profile-dev-test/12.md index c4d8ca942..edd015781 100644 --- a/src/courses/profile-dev-test/12.md +++ b/src/courses/profile-dev-test/12.md @@ -1,7 +1,7 @@ --- order: 12 next: 13.md -title: Understanding Profile Patch Updates +title: 12. Understanding Profile Patch Updates author: Aaron Lippold --- @@ -43,7 +43,10 @@ A patch update is a minor modification to an InSpec profile that addresses speci - Control logic - `inspec.yml` inputs - Threshold values -- Note: The InSpec version in `inspec.yml` is managed during release + +::: note Version number increments +The version attribute in `inspec.yml` is managed during releases so you shouldn't change it in every merged branch, just when you cut a new release. +::: ### 4. Testing Protocol diff --git a/src/courses/profile-dev-test/13.md b/src/courses/profile-dev-test/13.md index 42cf4ecd9..a881fc230 100644 --- a/src/courses/profile-dev-test/13.md +++ b/src/courses/profile-dev-test/13.md @@ -1,7 +1,7 @@ --- order: 13 next: 14.md -title: Understanding Release Updates in SAF +title: 13. Understanding Release Updates author: Aaron Lippold --- @@ -13,31 +13,33 @@ author: Aaron Lippold ## What is a Release Update? -A Release Update is a structured process for updating Security Automation Framework (SAF) profiles to accommodate new benchmark versions. This process ensures consistent quality and maintains traceability of changes. +A Release Update is a structured process for updating a profile to accommodate a new benchmark version. This process ensures consistent quality and maintains traceability of changes. ## Release Update Workflow ### Step 1: Branch Creation -Create a new branch named `v#{x}R#{x+1}` from either: +Create a new branch named `v{x}r{xx}` from either: - The main branch -- Latest patch release branch +- The tagged commit associated with the latest release ### Step 2: Generate Delta -Run the `saf generate delta` workflow to update: +Run the `saf generate delta` workflow to automatically update the InSpec profile as per the new guidance. Items that get updated include: - Control metadata - inspec.yml configuration - README.md documentation - Other profile elements -> Note: This process preserves existing `describe` blocks and Ruby code logic +::: info Saved! +This process preserves existing `describe` blocks and other Ruby code logic, but you will still need to review them to ensure that what they're assessing still lines up with what the requirement says we now need to be assessing. +::: ### Step 3: Change Management -Follow these best practices to organize your work: +Follow these best practices to organize your work as you implement any new requirements and update any changed ones: #### 3.1 Control Tracking @@ -56,13 +58,17 @@ Follow these best practices to organize your work: - [ ] Documentation current 2. **Infrastructure Updates** - - Update hardening content: + - Update the version of the hardening content that is used to test the InSpec profile to match the version of the benchmark: - Ansible playbooks - Puppet modules - Chef cookbooks - Docker images - Vagrant boxes +::: important Parallel workstreams +You might be required to update the hardening content itself to match the new or adjusted requirements coming from the benchmark instead of just consuming the newest version. However, updating the hardening and validation content lock-step is a straightforward process! +::: + 3. **Metadata Management** - Update all version references - Verify control titles @@ -71,7 +77,7 @@ Follow these best practices to organize your work: ## Tips for Success - Focus on controls with modified `check text` or `fix text` -- Unchanged control text typically means no code changes needed +- Unchanged control text typically means no code changes are needed - Use PR links to track changes in your tracking table - Maintain CI/CD pipeline health throughout updates diff --git a/src/courses/profile-dev-test/14.md b/src/courses/profile-dev-test/14.md index 50bd5ff2a..8206f8ff9 100644 --- a/src/courses/profile-dev-test/14.md +++ b/src/courses/profile-dev-test/14.md @@ -1,13 +1,8 @@ --- order: 14 next: 15.md -title: Understanding Major Version Updates +title: 14. Understanding Major Version Updates author: Aaron Lippold -difficulty: Advanced -prerequisites: - - Basic InSpec knowledge - - Understanding of STIG benchmarks - - Familiarity with Ruby --- ## Learning Objectives @@ -26,7 +21,7 @@ A Major Version Update occurs when transitioning to a new STIG Benchmark version ### Requirement Alignment -:::tip 💡 **Pro Tip**: Create a spreadsheet to track your requirement mappings during the alignment process. +:::tip Create a spreadsheet to track your requirement mappings during the alignment process. ::: When moving between major versions (e.g., RHEL 8 v1R12 to RHEL 9 V1R1), we need to align existing tests with new requirements using: @@ -54,7 +49,126 @@ When moving between major versions (e.g., RHEL 8 v1R12 to RHEL 9 V1R1), we need ### Practical Example -Consider this simplified alignment scenario: +Consider this alignment scenario where we are updating from RHEL8 to RHEL9. + +The requirements are the same: the `/var/log/messages` file must be owned by root. However, despite being the same, each requirement has its own id. Consequently, we need to use alternative means to realize that these requirements are aligned. + +Attributes to consider: + - The title is almost the same aside from the operating system version. + - The description is almost exactly the same aside from inconsequential differences. + - Whitespace + - Version number + - Capitalization + - Other alignment IDs are the same. + - SRG ID / `gtitle`: SRG-OS-000206-GPOS-00084 + - CCI: CCI-001314 + - NIST: SI-11 b + - Check and fix text + - Fix text is the same + - Check text specifies a different method to do the assessment, but they're functionally equivalent + +::: code-tab +@tab RHEL8 +```ruby +control 'SV-230246' do + title 'The RHEL 8 /var/log/messages file must be owned by root.' + desc "Only authorized personnel should be aware of errors and the details of +the errors. Error messages are an indicator of an organization's operational +state or can identify the RHEL 8 system or platform. Additionally, Personally +Identifiable Information (PII) and operational information must not be revealed +through error messages to unauthorized personnel or their designated +representatives. + + The structure and content of error messages must be carefully considered by +the organization and development team. The extent to which the information +system is able to identify and handle error conditions is guided by +organizational policy and operational requirements." + desc 'check', 'Verify that the /var/log/messages file is owned by root with the following +command: + + $ sudo stat -c "%U" /var/log/messages + + root + + If "root" is not returned as a result, this is a finding.' + desc 'fix', 'Change the owner of the file /var/log/messages to root by running the +following command: + + $ sudo chown root /var/log/messages' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 8' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000206-GPOS-00084' + tag gid: 'V-230246' + tag rid: 'SV-230246r627750_rule' + tag stig_id: 'RHEL-08-010220' + tag fix_id: 'F-32890r567485_fix' + tag cci: ['CCI-001314'] + tag nist: ['SI-11 b'] + tag 'host' + + only_if('This control is Not Applicable to containers', impact: 0.0) { + !virtualization.system.eql?('docker') + } + + describe.one do + describe file('/var/log/messages') do + it { should be_owned_by 'root' } + end + describe file('/var/log/messages') do + it { should_not exist } + end + end +end +``` +@tab RHEL9 +```ruby +control 'SV-257916' do + title 'RHEL 9 /var/log/messages file must be owned by root.' + desc "Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements." + desc 'check', 'Verify the "/var/log/messages" file is owned by root with the following command: + +$ ls -la /var/log/messages + +rw-------. 1 root root 564223 July 11 11:34 /var/log/messages + +If "/var/log/messages" does not have an owner of "root", this is a finding.' + desc 'fix', 'Change the owner of the "/var/log/messages" file to "root" by running the following command: + +$ sudo chown root /var/log/messages' + impact 0.5 + ref 'DPMS Target Red Hat Enterprise Linux 9' + tag severity: 'medium' + tag gtitle: 'SRG-OS-000206-GPOS-00084' + tag gid: 'V-257916' + tag rid: 'SV-257916r925735_rule' + tag stig_id: 'RHEL-09-232180' + tag fix_id: 'F-61581r925734_fix' + tag cci: ['CCI-001314'] + tag nist: ['SI-11 b'] + tag 'host' + + only_if('This control is Not Applicable to containers', impact: 0.0) { + !virtualization.system.eql?('docker') + } + + describe.one do + describe file('/var/log/messages') do + it { should be_owned_by 'root' } + end + describe file('/var/log/messages') do + it { should_not exist } + end + end +end +``` +::: + +::: tip Different yet the same +Even though the check text changed, it doesn't mean that the InSpec code needs to as well! We are still correctly assessing that the `/var/log/messages` file is owned by root if it exists. +::: ## Best Practices From 0f658f40706c8dd2330622123d0c517d5fce6657 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 12 Dec 2024 10:16:37 -0800 Subject: [PATCH 18/24] fix syntax Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/14.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/courses/profile-dev-test/14.md b/src/courses/profile-dev-test/14.md index 8206f8ff9..d3c39b559 100644 --- a/src/courses/profile-dev-test/14.md +++ b/src/courses/profile-dev-test/14.md @@ -67,7 +67,7 @@ Attributes to consider: - Fix text is the same - Check text specifies a different method to do the assessment, but they're functionally equivalent -::: code-tab +::: code-tabs#shell @tab RHEL8 ```ruby control 'SV-230246' do From 2c6a8d70e8e09858eb638ffe2251217885beff8e Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 12 Dec 2024 22:04:07 -0800 Subject: [PATCH 19/24] all the test kitchen ones Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/15.md | 8 +- src/courses/profile-dev-test/16.md | 3 +- src/courses/profile-dev-test/17.md | 35 +++--- src/courses/profile-dev-test/18.md | 11 +- src/courses/profile-dev-test/19.md | 2 +- src/courses/profile-dev-test/20.md | 115 ++++++++++++++++-- src/courses/profile-dev-test/21.md | 179 +++++++++++++++++++---------- src/courses/profile-dev-test/22.md | 150 ++++++++++++------------ src/courses/profile-dev-test/23.md | 120 ------------------- 9 files changed, 330 insertions(+), 293 deletions(-) delete mode 100644 src/courses/profile-dev-test/23.md diff --git a/src/courses/profile-dev-test/15.md b/src/courses/profile-dev-test/15.md index 7b634b18f..83070fb4d 100644 --- a/src/courses/profile-dev-test/15.md +++ b/src/courses/profile-dev-test/15.md @@ -1,7 +1,7 @@ --- order: 15 next: 16.md -title: Understanding Test Kitchen +title: 15. Understanding Test Kitchen author: Aaron Lippold --- @@ -77,8 +77,6 @@ We use two main testing configurations: Failed: 1: Passed: 5: ``` - ## Behind the Scenes: System Access @@ -88,3 +86,7 @@ To enable testing, Test Kitchen makes minimal system modifications: - Sets up appropriate access protocols: - SSH for Unix/Linux systems - WinRM for Windows systems + +## Where do we put it? + +We put our Test Kitchen code that we use to assess our InSpec code in the same repository. The example that we will be working through for the next few sections will use the [RHEL 9 InSpec repository](https://github.com/mitre/redhat-enterprise-linux-9-stig-baseline). diff --git a/src/courses/profile-dev-test/16.md b/src/courses/profile-dev-test/16.md index 0dc021f15..31f50c925 100644 --- a/src/courses/profile-dev-test/16.md +++ b/src/courses/profile-dev-test/16.md @@ -1,9 +1,8 @@ --- order: 16 next: 17.md -title: Test Kitchen - Understanding the Create Stage +title: 16. Test Kitchen - Create author: Aaron Lippold -index: true --- ## Test Kitchen Create Stage diff --git a/src/courses/profile-dev-test/17.md b/src/courses/profile-dev-test/17.md index 488cb1e1a..052859db7 100644 --- a/src/courses/profile-dev-test/17.md +++ b/src/courses/profile-dev-test/17.md @@ -1,9 +1,8 @@ --- order: 17 next: 18.md -title: Test Kitchen - Converge +title: 17. Test Kitchen - Converge author: Aaron Lippold -index: true --- ## Learning Objectives @@ -18,7 +17,9 @@ By the end of this section, you will understand: The `converge` stage applies system configurations using infrastructure as code (IaC) tools. This crucial stage transforms your environment from a base state to your desired configuration. -> **Key Concept**: Think of the converge stage as "applying your recipe" - it takes your raw ingredients (base system) and follows your instructions to create the final dish (configured system). +::: info Let 'em cook +Think of the converge stage as "applying your recipe" - it takes your raw ingredients (base system) and follows your instructions to create the final dish (configured system). +::: Supported configuration tools include: @@ -44,44 +45,46 @@ We implement two distinct configurations using 'wrapper playbooks': - Ansible Galaxy dependencies - Custom roles and requirements -> **Note**: While some hardening tasks are disabled for testing, this doesn't compromise our security validation goals. +::: note While some hardening tasks are disabled for testing, this doesn't compromise our security validation goals. +::: + +## Hands-on Practice -## Container Converge +### Container Converge -Our container strategy utilizes two RedHat UBI8 (Universal Base Image) variants: +Our container strategy utilizes two Red Hat UBI9 (Universal Base Image) variants. Take a look at the SAF's [RHEL9 InSpec profile](https://github.com/mitre/redhat-enterprise-linux-9-stig-baseline/tree/main) which also includes our Test Kitchen and Ansible code that we use to test that our InSpec tests work properly. 1. **Vanilla Container** -This container uses the `registry.access.redhat.com/ubi8/ubi:8.9-1028` image from RedHat's community repositories. +This container uses the `registry.access.redhat.com/ubi9/ubi:9.3-1610` image from RedHat's community repositories. It represents a standard, out-of-the-box configuration. - - Community maintained - Standard configuration -1. **Hardened Container** -hardened: This container uses the `registry1.dso.mil/ironbank/redhat/ubi/ubi8` image from Red Hat's Platform One Iron Bank project. +2. **Hardened Container** -It represents a security-enhanced configuration. +This container uses the `registry1.dso.mil/ironbank/redhat/ubi/ubi9` image from Red Hat's Platform One Iron Bank project. +It represents a security-enhanced configuration. - STIG-compliant - Regular security updates - Platform One certified -## Hands-on Practice Try these exercises: 1. Compare the contents of vanilla and hardened playbooks -2. Identify key security configurations in the RHEL8-STIG role +2. Identify key security configurations in the RHEL9-STIG role 3. Examine the wrapper playbook structure in the spec/ directory -### Summary +## Summary - Converge stage implements your desired system configurations - Multiple implementation tools available (Ansible, Puppet, Chef, etc.) - Two primary configurations: vanilla (baseline) and hardened (security-enhanced) -- Container implementations use RedHat UBI8 images with different security postures +- Container implementations use different images with different security postures -::: info Next Steps: Practice running the converge stage with both vanilla and hardened configurations to understand the differences in outcomes. +::: info Next Steps +Practice running the converge stage with both vanilla and hardened configurations to understand the differences in outcomes. ::: diff --git a/src/courses/profile-dev-test/18.md b/src/courses/profile-dev-test/18.md index 02b48d4fa..867acde6e 100644 --- a/src/courses/profile-dev-test/18.md +++ b/src/courses/profile-dev-test/18.md @@ -1,16 +1,17 @@ --- order: 18 next: 19.md -title: Test Kitchen - Validate +title: 18. Test Kitchen - Verify author: Aaron Lippold -index: true --- -## Test Kitchen Validate Stage +## Test Kitchen Verify Stage -The `verify` stage uses the `kitchen-inspec` verifier from Test Kitchen to run the inspec profile against the test targets. +The `verify` stage is when we are able to use Test Kitchen to validate that our InSpec profile was written properly. -For this stage, the inspec profile receives a set of tailored `input` YAML files. These files adjust the testing for each target, ensuring accurate validation against the expected state and minimizing false results. +The `verify` stage uses the `kitchen-inspec` verifier from Test Kitchen to run the InSpec profile against the test targets. + +For this stage, the InSpec profile receives a set of tailored `input` YAML files. These files adjust the testing for each target, ensuring accurate validation against the expected state and minimizing incorrect results. They are located at the root of the project and are named something like `kitchen.inputs.yml`. diff --git a/src/courses/profile-dev-test/19.md b/src/courses/profile-dev-test/19.md index 08e0f12d0..382de54a2 100644 --- a/src/courses/profile-dev-test/19.md +++ b/src/courses/profile-dev-test/19.md @@ -1,7 +1,7 @@ --- order: 19 next: 20.md -title: Test Kitchen - Destroy +title: 19. Test Kitchen - Destroy author: Aaron Lippold --- diff --git a/src/courses/profile-dev-test/20.md b/src/courses/profile-dev-test/20.md index 45ace5336..7f4af4c96 100644 --- a/src/courses/profile-dev-test/20.md +++ b/src/courses/profile-dev-test/20.md @@ -1,24 +1,117 @@ --- order: 20 next: 21.md -title: Test Kitchen - .kitchen/ Directory +title: 20. Test Kitchen - `kitchen.yml` File author: Aaron Lippold --- -## The `.kitchen/` Directory +## Understanding the `kitchen.yml` File -The [`.kitchen/`](/.kitchen/) directory contains the state files for Test Kitchen. These files are automatically generated when you first run Test Kitchen. +The [`kitchen.yml`](./kitchen.yml) file is the primary configuration file for Test Kitchen. It outlines the shared configuration for all your testing environments, platforms, and the testing framework to be used. -### Understanding the `.kitchen/` Directory +Each of the subsequent Kitchen files will inherit the shared settings from this file automatically and merge them with the settings in the child Kitchen file. -The `.kitchen/` directory is crucial for managing the state of your Test Kitchen instances. It includes configuration and state information that Test Kitchen uses to manage your test environments. +## Example `kitchen.yml` File -### Using the `.kitchen/` Directory +```yaml +--- +verifier: + name: inspec + sudo: true + reporter: + - cli + - json:spec/results/%{platform}_%{suite}.json + inspec_tests: + - name: RedHat 9 STIG v1r2 + path: . + input_files: + - kitchen.inputs.yml + <% if ENV['INSPEC_CONTROL'] %> + controls: + - "<%= ENV['INSPEC_CONTROL'] %>" + <% end %> + load_plugins: true + env_vars: + - "CHEF_LICENSE=<%= ENV['CHEF_LICENSE'] %>" + +suites: + - name: vanilla + provisioner: + playbook: spec/ansible/roles/ansible-role-rhel-vanilla.yml + + - name: hardened + provisioner: + playbook: spec/ansible/roles/ansible-role-rhel-hardened.yml + +transport: + max_ssh_sessions: 6 +``` + +# Breakdown of the `kitchen.yml` file + +```yaml +--- +verifier: + name: inspec + sudo: true + reporter: + - cli + - json:spec/results/%{platform}_%{suite}.json + inspec_tests: + - name: RedHat 9 STIG v1r2 + path: . + input_files: + - kitchen.inputs.yml + <% if ENV['INSPEC_CONTROL'] %> + controls: + - "<%= ENV['INSPEC_CONTROL'] %>" + <% end %> + load_plugins: true + env_vars: + - "CHEF_LICENSE=<%= ENV['CHEF_LICENSE'] %>" +``` + +This first section configures the verifier, which is the tool that checks if your system is in the desired state. Here, it's using InSpec. + +- `sudo: true` means that InSpec will run with sudo privileges. +- `reporter` specifies the formats in which the test results will be reported. Here, it's set to report in the command-line interface (`cli`) and in a JSON file (`json:spec/results/%{platform}_%{suite}.json`). Note that variables will be templated into this filename by Kitchen to help you differentiate between the different testing configurations you're iterating over. +- `inspec_tests` specifies the InSpec profiles to run. Here, it's running the "RedHat 9 STIG v1r2" profile located in the current directory (`path: .`). +- `input_files` specifies files that contain input variables for the InSpec profile. Here, it's using the `kitchen.inputs.yml` file. +- The `controls` section is dynamically set based on the `INSPEC_CONTROL` environment variable. If the variable is set, only the specified control will be run. +- `load_plugins: true` means that InSpec will load any available plugins. + +```yaml +suites: + - name: vanilla + provisioner: + playbook: spec/ansible/roles/ansible-role-rhel-vanilla.yml + + - name: hardened + provisioner: + playbook: spec/ansible/roles/ansible-role-rhel-hardened.yml +``` + +This section defines the test suites. Each suite represents a different configuration to test. + +- Each suite has a `name` and a `provisioner`. +- The `provisioner` section specifies the Ansible playbook to use for the suite. Here, it's using the `ansible-role-rhel-vanilla.yml` playbook for the "vanilla" suite and the `ansible-role-rhel-hardened.yml` playbook for the "hardened" suite. + +```yaml +transport: + max_ssh_sessions: 6 +``` + +The last section allows you to configure attributes of the transport. In this case, we're setting the maximum number of parallel SSH sessions. + +## Environment Variables in `kitchen.yml` + +- `INSPEC_CONTROL`: This variable allows you to specify a single control to run during the `bundle exec kitchen verify` phase. This is particularly useful for testing or debugging a specific requirement. -Refer to the [Finding Your Test Target Login Details](#311-locating-test-target-login-details) section to learn how to use the `.kitchen/` directory effectively. This section will guide you on locating and utilizing the login details for your test targets stored within this directory. +# Recap on Kitchen Stages -### Key Points to Remember +The workflow of Test Kitchen involves the following steps: -- The `.kitchen/` directory is automatically created when you run Test Kitchen for the first time. -- It stores state and configuration files necessary for managing test environments. -- Understanding the contents of this directory can help you troubleshoot and manage your test instances more effectively. +1. **Create:** Test Kitchen uses the driver to create an instance of the platform. +2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the instance. In this case, it's using Ansible playbooks. +3. **Verify:** Test Kitchen uses the verifier to check if the instance is in the desired state. +4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file. diff --git a/src/courses/profile-dev-test/21.md b/src/courses/profile-dev-test/21.md index 08250aaa0..2ad522407 100644 --- a/src/courses/profile-dev-test/21.md +++ b/src/courses/profile-dev-test/21.md @@ -1,100 +1,157 @@ --- -order: 21 -next: 22.md -title: Test Kitchen - `kitchen.yml` File +order: 22 +next: 23.md +title: Test Kitchen - `kitchen.ec2.yml` File author: Aaron Lippold --- -## Understanding the `kitchen.yml` File +## Understanding the `kitchen.ec2.yml` File -The [`kitchen.yml`](./kitchen.yml) file is the primary configuration file for Test Kitchen. It outlines the shared configuration for all your testing environments, platforms, and the testing framework to be used. +The `kitchen.ec2.yml` file is instrumental in setting up our testing targets within the AWS environment. It outlines the configuration details for these targets, including their VPC assignments and the specific settings for each VPC. -Each of the subsequent kitchen files will inherit the shared settings from this file automatically and merge them with the settings in the child kitchen file. +This file leverages the AWS CLI and your AWS credentials, environment variables, and settings that you should have configured as described in the [Environment Setup Guide](./03.md) section. -## Example `kitchen.yml` File +## Example `kitchen.ec2.yml` File ```yaml --- -verifier: - name: inspec - sudo: true - reporter: - - cli - - json:spec/results/%{platform}_%{suite}.json - inspec_tests: - - name: RedHat 8 STIG v1r12 - path: . - input_files: - - kitchen.inputs.yml - <% if ENV['INSPEC_CONTROL'] %> - controls: - - "<%= ENV['INSPEC_CONTROL'] %>" - <% end %> - load_plugins: true +platforms: + - name: rhel-9 + +driver: + name: ec2 + subnet_id: "<%= ENV['SAF_PIPELINE_SUBNET'] %>" + security_group_ids: + - "<%= ENV['SAF_PIPELINE_SG'] %>" + metadata_options: + http_tokens: required + http_put_response_hop_limit: 1 + instance_metadata_tags: enabled + instance_type: t2.small + associate_public_ip: true + interface: public + skip_cost_warning: true + privileged: true + instance_initiated_shutdown_behavior: terminate + +provisioner: + name: ansible_playbook + hosts: all + require_chef_for_busser: false + require_ruby_for_busser: false + ansible_binary_path: /usr/local/bin + # require_pip3: true + ansible_verbose: true + roles_path: spec/ansible/roles + galaxy_ignore_certs: true + requirements_path: spec/ansible/roles/requirements.yml + requirements_collection_path: spec/ansible/roles/requirements.yml + ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %> suites: - name: vanilla provisioner: playbook: spec/ansible/roles/ansible-role-rhel-vanilla.yml + driver: + tags: + Name: Vanilla-<%= ENV['USER'] %> + CreatedBy: test-kitchen + - name: hardened provisioner: playbook: spec/ansible/roles/ansible-role-rhel-hardened.yml + driver: + tags: + Name: Hardened-<%= ENV['USER'] %> + CreatedBy: test-kitchen + +lifecycle: + pre_converge: + - remote: | + # echo "+++ Refreshing DNF package cache +++" + # sudo dnf -y clean all + echo "" + echo "+++ Updating DNF Packages +++" + sudo dnf -y update --nogpgcheck --nobest + echo "" + echo "+++ Installing needed packages for workflow and utility +++\n\n" + sudo dnf -y install --nogpgcheck bc bind-utils redhat-lsb-core vim git wget gcc openssl-devel libffi-devel bzip2-devel + echo "" + echo "+++ Installing Python 3.9 and Ansible +++\n\n" + export PATH=/usr/local/bin:$PATH + sudo dnf -y install python3-pip + sudo python3 -m pip install ansible jmespath + echo "" + echo "+++ Updating the ec2-user to keep sudo working after hardening phase +++\n\n" + sudo chage -d $(( $( date +%s ) / 86400 )) ec2-user + echo "" + echo "+++ updating ec2-user sudo config for hardening phase +++\n\n" + sudo chmod 600 /etc/sudoers && sudo sed -i'' "/ec2-user/d" /etc/sudoers && sudo chmod 400 /etc/sudoers + sudo dnf -y install git + echo "+++ add cinc-auditor for local shell +++\n\n" + curl -L https://omnitruck.cinc.sh/install.sh | sudo bash -s -- -P cinc-auditor + +transport: + name: ssh + #https://github.com/neillturner/kitchen-ansible/issues/295 + max_ssh_sessions: 2 ``` -# Breakdown of the `kitchen.yml` file +# Breakdown of the `kitchen.ec2.yml` file ```yaml -verifier: - name: inspec - sudo: true - reporter: - - cli - - json:spec/results/%{platform}_%{suite}.json - inspec_tests: - - name: RedHat 8 STIG v1r12 - path: . - input_files: - - kitchen.inputs.yml - <% if ENV['INSPEC_CONTROL'] %> - controls: - - "<%= ENV['INSPEC_CONTROL'] %>" - <% end %> - load_plugins: true +platforms: + - name: rhel-9 ``` -This first section configures the verifier, which is the tool that checks if your system is in the desired state. Here, it's using InSpec. +This section defines the platforms on which your tests will run. In this case, it's Red Hat Enterprise Linux 9. -- `sudo: true` means that InSpec will run with sudo privileges. -- `reporter` specifies the formats in which the test results will be reported. Here, it's set to report in the command-line interface (`cli`) and in a JSON file (`json:spec/results/%{platform}_%{suite}.json`). -- `inspec_tests` specifies the InSpec profiles to run. Here, it's running the "RedHat 8 STIG v1r12" profile located in the current directory (`path: .`). -- `input_files` specifies files that contain input variables for the InSpec profile. Here, it's using the `kitchen.inputs.yml` file. -- The `controls` section is dynamically set based on the `INSPEC_CONTROL` environment variable. If the variable is set, only the specified control will be run. -- `load_plugins: true` means that InSpec will load any available plugins. +```yaml +driver: + name: ec2 + ... +``` + +This section configures the driver, which is responsible for creating and managing the instances. Here, it's set to use Amazon EC2 instances. The various options configure the EC2 instances, such as instance type (`t2.small`), whether to associate a public IP address (`associate_public_ip: true`), and various metadata options. + +```yaml +provisioner: + name: ansible_playbook + ... +``` + +This section configures the provisioner, which is the tool that brings your system to the desired state. Here, it's using Ansible playbooks. The various options configure how Ansible is run, such as the path to the Ansible binary (`ansible_binary_path: /usr/local/bin`) and the paths to the roles and requirements files. ```yaml suites: - name: vanilla - provisioner: - playbook: spec/ansible/roles/ansible-role-rhel-vanilla.yml - - name: hardened - provisioner: - playbook: spec/ansible/roles/ansible-role-rhel-hardened.yml + ... ``` -This section defines the test suites. Each suite represents a different configuration to test. +This section configures the test suites, which are the various configurations that are being tested. Here, we outline how to spin up our vanilla and hardened containers. Each suite contains various options such as one to specify the path to the playbook that the provisioner should use. -- Each suite has a `name` and a `provisioner`. -- The `provisioner` section specifies the Ansible playbook to use for the suite. Here, it's using the `ansible-role-rhel-vanilla.yml` playbook for the "vanilla" suite and the `ansible-role-rhel-hardened.yml` playbook for the "hardened" suite. +```yaml +lifecycle: + pre_converge: + - remote: | + ... +``` -## Environment Variables in `kitchen.yml` +This section defines lifecycle hooks, which are commands that run at certain points in the Test Kitchen run. Here, it's running a series of commands before the converge phase (i.e., before applying the infrastructure code). These commands install necessary packages, update system packages, and update the `ec2-user` configuration. -- `INSPEC_CONTROL`: This variable allows you to specify a single control to run during the `bundle exec kitchen verify` phase. This is particularly useful for testing or debugging a specific requirement. +```yaml +transport: + name: ssh + max_ssh_sessions: 2 +``` -# Recap on Kitchen Stages +This section configures the transport, which is the method Test Kitchen uses to communicate with the instance. Here, it's using SSH and allowing a maximum of 2 SSH sessions. The workflow of Test Kitchen involves the following steps: 1. **Create:** Test Kitchen uses the driver to create an instance of the platform. -2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the instance. In this case, it's using Ansible playbooks. -3. **Verify:** Test Kitchen uses the verifier to check if the instance is in the desired state. -4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file. +2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the instance. Before this phase, it runs the commands defined in the `pre_converge` lifecycle hook. +3. **Verify:** Test Kitchen checks if the instance is in the desired state. This is not shown in your file, but it would be configured in the `verifier` section. +4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file, but it would be configured in the `driver` section. + +The `transport` is used in all these steps to communicate with the instance. diff --git a/src/courses/profile-dev-test/22.md b/src/courses/profile-dev-test/22.md index 46d0f2d61..c3555ebd2 100644 --- a/src/courses/profile-dev-test/22.md +++ b/src/courses/profile-dev-test/22.md @@ -1,118 +1,120 @@ --- order: 22 next: 23.md -title: Test Kitchen - `kitchen.ec2.yml` File +title: 22. Test Kitchen - `kitchen.container.yml` File author: Aaron Lippold --- -## Understanding the `kitchen.ec2.yml` File +## Understanding the `kitchen.container.yml` File -The `kitchen.ec2.yml` file is instrumental in setting up our testing targets within the AWS environment. It outlines the configuration details for these targets, including their VPC assignments and the specific settings for each VPC. +The `kitchen.container.yml` file orchestrates our container-based test suite. It defines two types of containers: hardened and vanilla, and specifies the InSpec tests to run against them. It also configures the generation and storage of test reports. -This file leverages the `AWS CLI and AWS Credentials` configured as described in the previous [Required Software](#13-required-software) section. +Unlike other test suites, the container suite skips the 'provisioner' stage for the vanilla and hardened targets. Instead, during the create stage, it simply downloads and starts the specified images. This is due to the use of the [dummy Test Kitchen driver](https://github.com/test-kitchen/test-kitchen/blob/main/lib/kitchen/driver/dummy.rb), which is ideal for interacting with pre-configured or immutable targets like containers. -Alternatively, if you've set up AWS Environment Variables, the file will use those for AWS interactions. +This approach allows for the evaluation of existing containers, even those created by other workflows. It can be leveraged to build a generalized workflow for validating any container against our Benchmark requirements, providing a comprehensive assessment of its security posture. -## Example `kitchen.ec2.yml` File +## Example `kitchen.container.yml` file ```yaml --- -platforms: - - name: rhel-8 - -driver: - name: ec2 - metadata_options: - http_tokens: required - http_put_response_hop_limit: 1 - instance_metadata_tags: enabled - instance_type: m5.large - associate_public_ip: true - interface: public - skip_cost_warning: true - privileged: true - tags: - CreatedBy: test-kitchen +# see: https://kitchen.ci/docs/drivers/dokken/ provisioner: - name: ansible_playbook - hosts: all - require_chef_for_busser: false - require_ruby_for_busser: false - ansible_binary_path: /usr/local/bin - require_pip3: true - ansible_verbose: true - roles_path: spec/ansible/roles - galaxy_ignore_certs: true - requirements_path: spec/ansible/roles/requirements.yml - ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %> - -lifecycle: - pre_converge: - - remote: | - echo "NOTICE - Installing needed packages" - sudo dnf -y clean all - sudo dnf -y install --nogpgcheck bc bind-utils redhat-lsb-core vim - echo "updating system packages" - sudo dnf -y update --nogpgcheck --nobest - sudo dnf -y distro-sync - echo "NOTICE - Updating the ec2-user to keep sudo working" - sudo chage -d $(( $( date +%s ) / 86400 )) ec2-user - echo "NOTICE - updating ec2-user sudo config" - sudo chmod 600 /etc/sudoers && sudo sed -i'' "/ec2-user/d" /etc/sudoers && sudo chmod 400 /etc/sudoers + name: dummy + +driver: + name: dokken + pull_platform_image: false transport: - name: ssh - max_ssh_sessions: 2 + name: dokken + +platforms: + - name: ubi9 + +suites: + - name: vanilla + driver: + image: <%= ENV['VANILLA_CONTAINER_IMAGE'] || "registry.access.redhat.com/ubi9/ubi:9.3-1610" %> + verifier: + input_files: + - container.vanilla.inputs.yml + - name: hardened + driver: + image: <%= ENV['HARDENED_CONTAINER_IMAGE'] || "registry1.dso.mil/ironbank/redhat/ubi/ubi9" %> + verifier: + input_files: + - container.hardened.inputs.yml + # creds_file: './creds.json' ``` -# Breakdown of the `kitchen.ec2.yml` file +# Breakdown of the `kitchen.container.yml` file ```yaml -platforms: - - name: rhel-8 +provisioner: + name: dummy ``` -This section defines the platforms on which your tests will run. In this case, it's Red Hat Enterprise Linux 8. +This section configures the provisioner, which is the tool that brings your system to the desired state. Here, it's using the dummy provisioner, which means no provisioning will be done. ```yaml driver: - name: ec2 - ... + name: dokken + pull_platform_image: false ``` -This section configures the driver, which is responsible for creating and managing the instances. Here, it's set to use Amazon EC2 instances. The various options configure the EC2 instances, such as instance type (`m5.large`), whether to associate a public IP address (`associate_public_ip: true`), and various metadata options. +This section configures the driver, which is responsible for creating and managing the instances. Here, it's set to use the Dokken driver, which is designed for running tests in Docker containers. The `pull_platform_image: false` option means that it won't automatically pull the Docker image for the platform; it will use the image specified in the suite. ```yaml -provisioner: - name: ansible_playbook - ... +transport: + name: dokken ``` -This section configures the provisioner, which is the tool that brings your system to the desired state. Here, it's using Ansible playbooks. The various options configure how Ansible is run, such as the path to the Ansible binary (`ansible_binary_path: /usr/local/bin`), whether to require pip3 (`require_pip3: true`), and the path to the roles and requirements files. +This section configures the transport, which is the method Test Kitchen uses to communicate with the instance. Here, it's using the Dokken transport, which communicates with the Docker container. ```yaml -lifecycle: - pre_converge: - - remote: | - ... +platforms: + - name: ubi9 ``` -This section defines lifecycle hooks, which are commands that run at certain points in the Test Kitchen run. Here, it's running a series of commands before the converge phase (i.e., before applying the infrastructure code). These commands install necessary packages, update system packages, and update the `ec2-user` configuration. +This section defines the platforms on which your tests will run. In this case, it's UBI 9 (Red Hat's Universal Base Image 9). ```yaml -transport: - name: ssh - max_ssh_sessions: 2 +suites: + - name: vanilla + driver: + image: <%= ENV['VANILLA_CONTAINER_IMAGE'] || "registry.access.redhat.com/ubi9/ubi:9.3-1610" %> + verifier: + input_files: + - container.vanilla.inputs.yml + - name: hardened + driver: + image: <%= ENV['HARDENED_CONTAINER_IMAGE'] || "registry1.dso.mil/ironbank/redhat/ubi/ubi9" %> + verifier: + input_files: + - container.hardened.inputs.yml ``` -This section configures the transport, which is the method Test Kitchen uses to communicate with the instance. Here, it's using SSH and allowing a maximum of 2 SSH sessions. +This section defines the test suites. Each suite represents a different configuration to test. + +- Each suite has a `name`, a `driver`, and a `verifier`. +- The `driver` section specifies the Docker image to use for the suite. It's dynamically set based on the `VANILLA_CONTAINER_IMAGE` or `HARDENED_CONTAINER_IMAGE` environment variable, with a default value if the variable is not set. +- The `verifier` section specifies files that contain input variables for the InSpec profile. The workflow of Test Kitchen involves the following steps: -1. **Create:** Test Kitchen uses the driver to create an instance of the platform. -2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the instance. Before this phase, it runs the commands defined in the `pre_converge` lifecycle hook. -3. **Verify:** Test Kitchen checks if the instance is in the desired state. This is not shown in your file, but it would be configured in the `verifier` section. -4. **Destroy:** Test Kitchen uses the driver to destroy the instance after testing. This is not shown in your file, but it would be configured in the `driver` section. +1. **Create:** Test Kitchen uses the driver to create a Docker container of the platform. +2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the container. In this case, no provisioning is done. +3. **Verify:** Test Kitchen checks if the container is in the desired state. This is not shown in your file, but it would be configured in the `verifier` section. +4. **Destroy:** Test Kitchen uses the driver to destroy the container after testing. This is not shown in your file, but it would be configured in the `driver` section. + +The `transport` is used in all these steps to communicate with the container. + +## Environment Variables in `kitchen.container.yml` + +The `kitchen.container.yml` file uses the following environment variables to select the containers used during its `hardened` and `vanilla` testing runs. You can test any container using these environment variables, even though standard defaults are set. -The `transport` is used in all these steps to communicate with the instance. +- `VANILLA_CONTAINER_IMAGE`: This variable specifies the Docker container image considered 'not hardened'. + - default: `registry.access.redhat.com/ubi9/ubi:9.3-1610` +- `HARDENED_CONTAINER_IMAGE`: This variable specifies the Docker container image considered 'hardened'. + - default: `registry1.dso.mil/ironbank/redhat/ubi/ubi9` diff --git a/src/courses/profile-dev-test/23.md b/src/courses/profile-dev-test/23.md deleted file mode 100644 index 6abc9ae40..000000000 --- a/src/courses/profile-dev-test/23.md +++ /dev/null @@ -1,120 +0,0 @@ ---- -order: 23 -next: 24.md -title: Test Kitchen - `kitchen.container.yml` -author: Aaron Lippold ---- - -## Understanding the [`kitchen.container.yml`](./kitchen.container.yml) - -The `kitchen.container.yml` file orchestrates our container-based test suite. It defines two types of containers: hardened and vanilla, and specifies the InSpec tests to run against them. It also configures the generation and storage of test reports. - -Unlike other test suites, the container suite skips the 'provisioner' stage for the vanilla and hardened targets. Instead, during the create stage, it simply downloads and starts the specified images. This is due to the use of the [dummy Test Kitchen driver](https://github.com/test-kitchen/test-kitchen/blob/main/lib/kitchen/driver/dummy.rb), which is ideal for interacting with pre-configured or immutable targets like containers. - -This approach allows for the evaluation of existing containers, even those created by other workflows. It can be leveraged to build a generalized workflow for validating any container against our Benchmark requirements, providing a comprehensive assessment of its security posture. - -## Example `kitchen.container.yml` file - -```yaml ---- -# see: https://kitchen.ci/docs/drivers/dokken/ - -provisioner: - name: dummy - -driver: - name: dokken - pull_platform_image: false - -transport: - name: dokken - -platforms: - - name: ubi8 - -suites: - - name: vanilla - driver: - image: <%= ENV['VANILLA_CONTAINER_IMAGE'] || "registry.access.redhat.com/ubi8/ubi:8.9-1028" %> - verifier: - input_files: - - container.vanilla.inputs.yml - - name: hardened - driver: - image: <%= ENV['HARDENED_CONTAINER_IMAGE'] || "registry1.dso.mil/ironbank/redhat/ubi/ubi8" %> - verifier: - input_files: - - container.hardened.inputs.yml - # creds_file: './creds.json' -``` - -# Breakdown of the `kitchen.container.yml` file - -```yaml -provisioner: - name: dummy -``` - -This section configures the provisioner, which is the tool that brings your system to the desired state. Here, it's using a dummy provisioner, which means no provisioning will be done. - -```yaml -driver: - name: dokken - pull_platform_image: false -``` - -This section configures the driver, which is responsible for creating and managing the instances. Here, it's set to use the Dokken driver, which is designed for running tests in Docker containers. The `pull_platform_image: false` option means that it won't automatically pull the Docker image for the platform; it will use the image specified in the suite. - -```yaml -transport: - name: dokken -``` - -This section configures the transport, which is the method Test Kitchen uses to communicate with the instance. Here, it's using the Dokken transport, which communicates with the Docker container. - -```yaml -platforms: - - name: ubi8 -``` - -This section defines the platforms on which your tests will run. In this case, it's UBI 8 (Red Hat's Universal Base Image 8). - -```yaml -suites: - - name: vanilla - driver: - image: <%= ENV['VANILLA_CONTAINER_IMAGE'] || "registry.access.redhat.com/ubi8/ubi:8.9-1028" %> - verifier: - input_files: - - container.vanilla.inputs.yml - - name: hardened - driver: - image: <%= ENV['HARDENED_CONTAINER_IMAGE'] || "registry1.dso.mil/ironbank/redhat/ubi/ubi8" %> - verifier: - input_files: - - container.hardened.inputs.yml -``` - -This section defines the test suites. Each suite represents a different configuration to test. - -- Each suite has a `name`, a `driver`, and a `verifier`. -- The `driver` section specifies the Docker image to use for the suite. It's dynamically set based on the `VANILLA_CONTAINER_IMAGE` or `HARDENED_CONTAINER_IMAGE` environment variable, with a default value if the variable is not set. -- The `verifier` section specifies files that contain input variables for the InSpec profile. - -The workflow of Test Kitchen involves the following steps: - -1. **Create:** Test Kitchen uses the driver to create a Docker container of the platform. -2. **Converge:** Test Kitchen uses the provisioner to apply the infrastructure code to the container. In this case, no provisioning is done. -3. **Verify:** Test Kitchen checks if the container is in the desired state. This is not shown in your file, but it would be configured in the `verifier` section. -4. **Destroy:** Test Kitchen uses the driver to destroy the container after testing. This is not shown in your file, but it would be configured in the `driver` section. - -The `transport` is used in all these steps to communicate with the container. - -## Environment Variables in `kitchen.container.yml` - -The `kitchen.container.yml` file uses the following environment variables to select the containers used during its `hardened` and `vanilla` testing runs. You can test any container using these environment variables, even though standard defaults are set. - -- `VANILLA_CONTAINER_IMAGE`: This variable specifies the Docker container image considered 'not hardened'. - - default: `registry.access.redhat.com/ubi8/ubi:8.9-1028` -- `HARDENED_CONTAINER_IMAGE`: This variable specifies the Docker container image considered 'hardened'. - - default: `registry1.dso.mil/ironbank/redhat/ubi/ubi8` From 6251f30dddca644bace0db9f970620ec807702ab Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 12 Dec 2024 22:26:31 -0800 Subject: [PATCH 20/24] pg 23 - github Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/21.md | 4 ++-- src/courses/profile-dev-test/{24.md => 23.md} | 20 +++++++------------ 2 files changed, 9 insertions(+), 15 deletions(-) rename src/courses/profile-dev-test/{24.md => 23.md} (57%) diff --git a/src/courses/profile-dev-test/21.md b/src/courses/profile-dev-test/21.md index 2ad522407..94fb6c7d7 100644 --- a/src/courses/profile-dev-test/21.md +++ b/src/courses/profile-dev-test/21.md @@ -1,6 +1,6 @@ --- -order: 22 -next: 23.md +order: 21 +next: 22.md title: Test Kitchen - `kitchen.ec2.yml` File author: Aaron Lippold --- diff --git a/src/courses/profile-dev-test/24.md b/src/courses/profile-dev-test/23.md similarity index 57% rename from src/courses/profile-dev-test/24.md rename to src/courses/profile-dev-test/23.md index 42e35d0a8..9c244a1b8 100644 --- a/src/courses/profile-dev-test/24.md +++ b/src/courses/profile-dev-test/23.md @@ -1,7 +1,7 @@ --- -order: 24 -next: 25.md -title: GitHub Actions +order: 23 +next: 24.md +title: 23. GitHub Actions author: Aaron Lippold --- @@ -9,11 +9,11 @@ author: Aaron Lippold Our profile utilizes GitHub Actions as its primary CI/CD process. The Actions are separated by general business or process functions, allowing for a clear distinction between the workflow stages that we are testing. -### [`lint-profile.yml`](.github/workflows/lint-profile.yml) +### [`lint-profile.yml`](https://github.com/mitre/redhat-enterprise-linux-9-stig-baseline/blob/main/.github/workflows/lint-profile.yml) This action checks out the repository, installs Ruby and InSpec, then runs `bundle exec inspec check .` to validate the structure and syntax of the InSpec profile and its Ruby code. -### [`verify-ec2.yml`](.github/workflows/verify-ec2.yml) +### [`verify-ec2.yml`](https://github.com/mitre/redhat-enterprise-linux-9-stig-baseline/blob/main/.github/workflows/verify-ec2.yml) This action performs the following steps: @@ -27,12 +27,6 @@ This action performs the following steps: 8. Uploads the results to our Heimdall Demo server. 9. Determines the success or failure of the test run based on the validation of the test suite results against the `threshold.yml` files for each test suite (`hardened` and `vanilla`). -### [`verify-container.yml`](.github/workflows/verify-container.yml) +### [`verify-container.yml`](https://github.com/mitre/redhat-enterprise-linux-9-stig-baseline/blob/main/.github/workflows/verify-container.yml) -This action performs similar steps to `verify-ec2.yml`, with some differences: - -1. Configures access to the required container registries - Platform One and Red Hat. - -### [`verify-vagrant.yml.example`](.github/workflows/verify-vagrant.yml.example) - -This action is similar to the `verify-ec2` workflow, but instead of using a remote AWS EC2 instance in a VPC, it uses a local Vagrant virtual machine as the test target. The user can configure whether to upload the results to our Heimdall Demo server or not by modifying the GitHub Action. +This action performs similar steps to `verify-ec2.yml`, with a key additional step of configuring access to the required container registries - Platform One and Red Hat. From 592361aa5b3a02c977939ca51bfe0a9d7dbb7cd3 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 12 Dec 2024 22:37:14 -0800 Subject: [PATCH 21/24] pg 24 - tips Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/21.md | 2 +- src/courses/profile-dev-test/{25.md => 24.md} | 22 +++++++++++-------- 2 files changed, 14 insertions(+), 10 deletions(-) rename src/courses/profile-dev-test/{25.md => 24.md} (66%) diff --git a/src/courses/profile-dev-test/21.md b/src/courses/profile-dev-test/21.md index 94fb6c7d7..b3ae927c3 100644 --- a/src/courses/profile-dev-test/21.md +++ b/src/courses/profile-dev-test/21.md @@ -1,7 +1,7 @@ --- order: 21 next: 22.md -title: Test Kitchen - `kitchen.ec2.yml` File +title: 21. Test Kitchen - `kitchen.ec2.yml` File author: Aaron Lippold --- diff --git a/src/courses/profile-dev-test/25.md b/src/courses/profile-dev-test/24.md similarity index 66% rename from src/courses/profile-dev-test/25.md rename to src/courses/profile-dev-test/24.md index 728b4f02d..60abdd1a6 100644 --- a/src/courses/profile-dev-test/25.md +++ b/src/courses/profile-dev-test/24.md @@ -1,7 +1,7 @@ --- -order: 25 -next: 26.md -title: Tips, Tricks, and Troubleshooting +order: 24 +next: 25.md +title: 24. Tips, Tricks, and Troubleshooting shortTitle: Tips & Troubleshooting author: Aaron Lippold --- @@ -28,11 +28,15 @@ Test Kitchen stores the current host details of your provisioned test targets in #### Restoring Access to a Halted or Restarted Test Target -If your test target reboots or updates its network information, you don't need to execute bundle exec kitchen destroy. Instead, update the corresponding .kitchen/#{suite}-#{target}.yml file with the updated information. This will ensure that your kitchen login, kitchen validate, and other kitchen commands function correctly, as they'll be connecting to the correct location instead of using outdated data. +If your test target reboots or updates its network information, you don't need to execute `bundle exec kitchen destroy`. Instead, update the corresponding `.kitchen/#{suite}-#{target}.yml` file with the updated information. This will ensure that your `kitchen login`, `kitchen validate`, and other kitchen commands function correctly, as they'll be connecting to the correct location instead of using outdated data. #### AWS Console and EC2 Oddities -Since we're using the free-tier for our AWS testing resources instead of a dedicated host, your test targets might shut down or 'reboot in the background' if you stop interacting with them, halt them, put them in a stop state, or leave them overnight. To regain access, edit the .kitchen/#{suite}-#{target}.yml file. As mentioned above, there's no need to recreate your testing targets if you can simply point Test Kitchen to the correct IP address. +Since we're using the free-tier for our AWS testing resources instead of a dedicated host, your test targets might shut down or reboot in the background if you stop interacting with them, halt them, put them in a stop state, or leave them unattended overnight. To regain access, edit the `.kitchen/#{suite}-#{target}.yml` file. As mentioned above, there's no need to recreate your testing targets if you can simply point Test Kitchen to the correct IP address. + +:::warning Auto-generated, sensitive files +Since the `.kitchen/` directory is automatically generated by Test Kitchen, you need to be careful not to accidentally mess up its internal workings when editing it by hand as suggested above. Additionally, be sure not to place this directory underneath version control since you could unintentionally leak sensitive information such as your ip addresses and credentials! +::: ## InSpec / Ruby @@ -46,13 +50,13 @@ When developing InSpec controls, it's beneficial to use the `kitchen-test` suite 2. Then, insert `binding.pry` at the point in your code where you want to start debugging. 3. When you run your tests, execution will stop at the `binding.pry` line, and you can inspect variables, step through the code, and more. -***!Pro Tip!*** - -- Remember to remove or comment out the `binding.pry` lines when you're done debugging or you won't have a good 'linting' down the road. +::: tip Linter +Remember to remove or comment out the `binding.pry` lines when you're done debugging or you won't have a good 'linting' down the road. +::: ### Streamlining Your Testing with `inspec shell` -The `inspec shell` command allows you to test your full control update on your test target directly. To do this, you'll need to retrieve the IP address and SSH PEM key for your target instance from the Test Kitchen `.kitchen` directory. For more details on this, refer to the [Finding Your Test Target Login Details](#311-locating-test-target-login-details) section. +The `inspec shell` command allows you to test your full control update on your test target directly. To do this, you'll need to retrieve the IP address and SSH PEM key for your target instance from the Test Kitchen `.kitchen` directory. For more details on this, refer to the [Locating Test Target Login Details](#locating-test-target-login-details) section. Once you have your IP address and SSH PEM key (for AWS target instances), or the container ID (for Docker test instances), you can use the following commands: From 11d1cd193f64a277e6907811e22cf0c9d38a3848 Mon Sep 17 00:00:00 2001 From: Amndeep Singh Mann Date: Thu, 12 Dec 2024 22:47:34 -0800 Subject: [PATCH 22/24] last few Signed-off-by: Amndeep Singh Mann --- src/courses/profile-dev-test/24.md | 1 - src/courses/profile-dev-test/25.md | 30 ++ src/courses/profile-dev-test/26.md | 42 +- src/courses/profile-dev-test/27.md | 22 - .../kitchen-workflow-dark.svg | 481 ------------------ 5 files changed, 47 insertions(+), 529 deletions(-) create mode 100644 src/courses/profile-dev-test/25.md delete mode 100644 src/courses/profile-dev-test/27.md delete mode 100644 src/courses/profile-dev-test/kitchen-workflow-dark.svg diff --git a/src/courses/profile-dev-test/24.md b/src/courses/profile-dev-test/24.md index 60abdd1a6..55cf4a2c5 100644 --- a/src/courses/profile-dev-test/24.md +++ b/src/courses/profile-dev-test/24.md @@ -2,7 +2,6 @@ order: 24 next: 25.md title: 24. Tips, Tricks, and Troubleshooting -shortTitle: Tips & Troubleshooting author: Aaron Lippold --- diff --git a/src/courses/profile-dev-test/25.md b/src/courses/profile-dev-test/25.md new file mode 100644 index 000000000..d04297ed4 --- /dev/null +++ b/src/courses/profile-dev-test/25.md @@ -0,0 +1,30 @@ +--- +order: 25 +next: 26.md +title: 25. Background & Definitions +author: Aaron Lippold +--- + +## Background and Definitions + +### Background + +#### Evolution of STIGs and Security Benchmarks + +The Department of Defense (DOD) has continually updated its databases that track rules and Security Technical Implementation Guides (STIGs) that house those rules. + +Initially, the system was known as the Vulnerability Management System (VMS). + +In the STIGs, you might come across data elements that are remnants from these iterations. These include `Group Title` (gid or gtitle), `Vulnerability ID` (VulnID), `Rule ID` (rule_id), `STIG ID` (stig_id), and others. + +A significant change was the shift from using `STIG ID` to `Rule ID` in many security scanning tools. This change occurred because the Vulnerability Management System used the STIG_ID as the primary index for the requirements in each Benchmark in VMS. + +When DISA updated the Vendor STIG Processes and replaced the VMS, they decided to migrate the primary ID from the STIG ID to the Rule ID, tracking changes in the Rules as described above. + +Examples of tools that still use either fully or in part the 'STIG ID' instead of the 'Rule ID' as a primary index are: the DISA STIG Viewer, Nessus Audit Scans, and Open SCAP client. + +While these elements might seem confusing, understanding their historical context is essential. + +In our modern profiles, some data from the XCCDF Benchmarks still exist in the document but are not used or rendered in the modern InSpec Profiles. However, in some of the older profiles, you may see many of these data elements as `tags` in the profile. The intention was to ensure easy and lossless conversion between the XCCDF Benchmark and OHDF Profile. + +It was later realized that since the structure of these data elements was 'static', they could be easily reintroduced when converting back to an XCCDF Benchmark. Therefore, rendering them in the profile was deemed unnecessary. diff --git a/src/courses/profile-dev-test/26.md b/src/courses/profile-dev-test/26.md index 48ee12ecc..3cf3cca0f 100644 --- a/src/courses/profile-dev-test/26.md +++ b/src/courses/profile-dev-test/26.md @@ -1,30 +1,22 @@ --- order: 26 -next: 27.md -title: Background & Definitions +title: 26. Terms & Definitions author: Aaron Lippold --- -## Background and Definitions - -### Background - -#### Evolution of STIGs and Security Benchmarks - -The Department of Defense (DOD) has continually updated its databases that track rules and Security Technical Implementation Guides (STIGs) that house those rules. - -Initially, the system was known as the Vulnerability Management System (VMS). - -In the STIGs, you might come across data elements that are remnants from these iterations. These include `Group Title` (gid or gtitle), `Vulnerability ID` (VulnID), `Rule ID` (rule_id), `STIG ID` (stig_id), and others. - -A significant change was the shift from using `STIG ID` to `Rule ID` in many security scanning tools. This change occurred because the Vulnerability Management System used the STIG_ID as the primary index for the requirements in each Benchmark in VMS. - -However, when DISA updated the Vendor STIG Processes and replaced the VMS, they decided to migrate the primary ID from the STIG ID to the Rule ID, tracking changes in the Rules as described above. - -Examples of tools that still use either fully or in part the 'STIG ID' vs the 'Rule ID' as a primary index are: the DISA STIG Viewer, Nessus Audit Scans, and Open SCAP client. - -While these elements might seem confusing, understanding their historical context is essential. - -In our modern profiles, some data from the XCCDF Benchmarks still exist in the document but are not used or rendered in the modern InSpec Profiles. However, in some of the older profiles, you may see many of these data elements as `tags` in the profile. The intention was to ensure easy and lossless conversion between XCCDF Benchmark and HDF Profile. - -It was later realized that since the structure of these data elements was 'static', they could be easily reintroduced when converting back to an XCCDF Benchmark. Therefore, rendering them in the profile was deemed unnecessary. +## Terms & Definitions + +- **Baseline**: This refers to a set of relevant security controls, such as NIST 800-53 controls or Center for Internet Security Controls. These controls offer high-level security best practices, grouped into common areas of concern. +- **Benchmark**: This is a set of security controls tailored to a specific type of application or product. These controls are typically categorized into 'high', 'medium', and 'low' levels based on Confidentiality, Integrity, and Availability (C.I.A). +- **[Common Correlation Identifier](https://public.cyber.mil/stigs/cci/) (CCI)**: The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. For example: 'CCI-000366'. +- **Group Title (gtitle)**: This is essentially the SRG ID but is a holdover data value from the old Vulnerability Management System. For example: 'SRG-OS-000480-GPOS-00227'. +- **Major Version Update**: These are updates that occur when a software vendor releases a new major version of their product's STIG, e.g., Red Hat releasing version 9 of Red Hat Enterprise Linux or Microsoft releasing a new major version of Windows. +- **Patch Update**: These are regular updates that address missing corner cases of testing for one or more benchmark requirements, or improvements to the InSpec code for a requirement. These updates result in a new patch release of the benchmark, e.g., `v1.12.4` to `v1.12.5`. +- **Profile**: This is a set of tests representing a STIG or a CIS Benchmark. These tests automate the validation of a system against that STIG or CIS Benchmark. +- **Release Update**: These are updates that occur when the STIG Benchmark owner releases an updated version of the STIG, e.g., Red Hat Enterprise Linux V1R12 to V1R13. +- **Rule ID (rid)**: The Rule ID has two parts separated by the `r` in the string - ('SV-230221) and (r858734_rule)'. The first part remains unique within the major version of a Benchmark document, while the latter part of the string is updated each time the 'Rule' is updated 'release to release' of the Benchmark. For example: 'SV-230221r858734_rule'. +- **Security Requirements Guide (SRG)**: SRG documents provide generalized security guidance in XCCDF format that applies to a 'class' of software products such as 'web server', 'operating systems', 'application servers' or 'databases'. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). +- **Security Technical Implementation Guide (STIG)**: This is a set of specific technical actions required to establish a certain security posture for a software product. It is based on a desired Security Requirements Guide that applies to the product's software class and function, such as operating system, web server, database, etc. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). +- **SRG_ID**: This is the unique identifier of the SRG requirement. These indexes, like the STIG Rule IDs, also show their parent-child relationship. For example: 'SRG-OS-000480-GPOS-00227'. +- **STIG ID (stig_id)**: Many testing tools and testing results tools use this ID - vs the Rule ID - to display each of the individual results of a Benchmark validation run. For example: 'RHEL-08-010000'. Examples include: DISA STIG Viewer, Nessus Audit Scans and the Open SCAP client. +- **XCCDF Benchmark (XCCDF or XCCDF Benchmark)**: XCCDF (Extensible Configuration Checklist Description Format) is a standard developed by NIST and DOD to provide a machine-readable XML format for creating security guidance documents and security technical implementation guides. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). diff --git a/src/courses/profile-dev-test/27.md b/src/courses/profile-dev-test/27.md deleted file mode 100644 index 496c4d319..000000000 --- a/src/courses/profile-dev-test/27.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -order: 27 -title: Terms & Definitions -author: Aaron Lippold ---- - -## Terms & Definitions - -- **Baseline**: This refers to a set of relevant security controls, such as NIST 800-53 controls or Center for Internet Security Controls. These controls offer high-level security best practices, grouped into common areas of concern. -- **Benchmark**: This is a set of security controls tailored to a specific type of application or product. These controls are typically categorized into 'high', 'medium', and 'low' levels based on Confidentiality, Integrity, and Availability (C.I.A). -- **[Common Correlation Identifier](https://public.cyber.mil/stigs/cci/) (CCI)**: The Control Correlation Identifier (CCI) provides a standard identifier and description for each of the singular, actionable statements that comprise an IA control or IA best practice. For example: 'CCI-000366'. -- **Group Title (gtitle)**: This is essentially the SRG ID but is a holdover data value from the old Vulnerability Management System. For example: 'SRG-OS-000480-GPOS-00227'. -- **Major Version Update**: These are updates that occur when a software vendor releases a new major version of their product's STIG, e.g., RedHat releasing version 9 of Red Hat Enterprise Linux or Microsoft releasing a new major version of Windows. -- **Patch Update**: These are regular updates that address missing corner cases of testing for one or more benchmark requirements, or improvements to the InSpec code for a requirement. These updates result in a new patch release of the benchmark, e.g., `v1.12.4` to `v1.12.5`. -- **Profile**: This is a set of tests representing a STIG or a CIS Benchmark. These tests automate the validation of a system against that STIG or CIS Benchmark. -- **Release Update**: These are updates that occur when the STIG Benchmark owner releases an updated version of the STIG, e.g., Red Hat Enterprise Linux V1R12 to V1R13. -- **Rule ID (rid)**: The Rule ID has two parts separated by the `r` in the string - ('SV-230221) and (r858734_rule)'. The first part remains unique within the major version of a Benchmark document, while the latter part of the string is updated each time the 'Rule' is updated 'release to release' of the Benchmark. For example: 'SV-230221r858734_rule'. -- **Security Requirements Guide (SRG)**: SRG documents provide generalized security guidance in XCCDF format that applies to a 'class' of software products such as 'web server', 'operating systems', 'application servers' or 'databases'. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). -- **Security Technical Implementation Guide (STIG)**: This is a set of specific technical actions required to establish a certain security posture for a software product. It is based on a desired Security Requirements Guide that applies to the product's software class and function, such as operating system, web server, database, etc. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). -- **SRG_ID**: This is the unique identifier of the SRG requirement. These indexes, like the STIG Rule IDs, also show their parent-child relationship. For example: 'SRG-OS-000480-GPOS-00227'. -- **STIG ID (stig_id)**: Many testing tools and testing results tools use this ID - vs the Rule ID - to display each of the individual results of a Benchmark validation run. For example: 'RHEL-08-010000'. Examples include: DISA STIG Viewer, Nessus Audit Scans and the Open SCAP client. -- **XCCDF Benchmark (XCCDF or XCCDF Benchmark)**: XCCDF (Extensible Configuration Checklist Description Format) is a standard developed by NIST and DOD to provide a machine-readable XML format for creating security guidance documents and security technical implementation guides. You can find an archive of these at the DISA STIG [Document Library](https://public.cyber.mil/stigs/downloads/). diff --git a/src/courses/profile-dev-test/kitchen-workflow-dark.svg b/src/courses/profile-dev-test/kitchen-workflow-dark.svg deleted file mode 100644 index 7a552a96f..000000000 --- a/src/courses/profile-dev-test/kitchen-workflow-dark.svg +++ /dev/null @@ -1,481 +0,0 @@ -1
Setup
Setup
Checkout Repo
Checkout Repo
Install Tools
Install Tools
Setup Runner
Setup Runner
Configure
Configure
Setup Vanilla Instance
Setup Vanilla Instance
Setup Hardened Instance
Setup Hardened Instance
Run Test Suite
Run Test Suite
Run Tests on Vanilla
Run Tests on Vanilla
Run Tests on Hardened
Run Tests on Hardened
Record Results
Record Results
Save Tests in Pipeline
Save Tests in Pipeline
Upload Tests to Heimdall Server
Upload Tests to Heimdall Server
Validate Aginst Threshold
Validate Aginst Threshold
Validate the 'vanilla' threshold
Validate the 'vanilla' threshold
Validate the 'hardened' threshold
Validate the 'hardened' threshold
Pass/Fail the Run
Pass/Fail the Run
Threshold Met
Threshold Met
1
Threshold Not Met
Threshold Not Met
Test Kitchen Workflow - - - - - - - - - - - - 1 - - - - - - - - - - -
-
- Setup -
-
-
- - - Setup - - -
-
- - - - - - - - - - - - - - -
-
- Checkout Repo -
-
-
- - - Checkout Repo - - -
-
- - - - - - - - - - - - - - -
-
- Install Tools -
-
-
- - - Install Tools - - -
-
- - - - - - - - - - - - - - -
-
- Setup Runner -
-
-
- - - Setup Runner - - -
-
- - - - -
-
- Configure -
-
-
- - - Configure - - -
-
- - - - - - - - - - - - - - -
-
- Setup Vanilla Instance -
-
-
- - - Setup Vanilla Instance - - -
-
- - - - - - - - - - - - - - -
-
- Setup Hardened Instance -
-
-
- - - Setup Hardened Instance - - -
-
- - - - -
-
- Run Test Suite -
-
-
- - - Run Test Suite - - -
-
- - - - - - - - - - - - - - -
-
- Run Tests on Vanilla -
-
-
- - - Run Tests on Vanilla - - -
-
- - - - - - - - - - - - - - -
-
- Run Tests on Hardened -
-
-
- - - Run Tests on Hardened - - -
-
- - - - -
-
- Record Results -
-
-
- - - Record Results - - -
-
- - - - - - - - - - - - - - -
-
- Save Tests in Pipeline -
-
-
- - - Save Tests in Pipeline - - -
-
- - - - - - - - - - - - - - -
-
- Upload Tests to Heimdall Server -
-
-
- - - Upload Tests to Heimdall Server - - -
-
- - - - -
-
- Validate Aginst Threshold -
-
-
- - - Validate Aginst Threshold - - -
-
- - - - - - - - - - - - - - -
-
- Validate the 'vanilla' threshold -
-
-
- - - Validate the 'vanilla' threshold - - -
-
- - - - - - - - - - - - - - -
-
- Validate the 'hardened' threshold -
-
-
- - - Validate the 'hardened' threshold - - -
-
- - - - -
-
- Pass/Fail the Run -
-
-
- - - Pass/Fail the Run - - -
-
- - - - - - - - - - - - - - -
-
- Threshold Met -
-
-
- - - Threshold Met - - -
-
- - - - - - - - - - - - 1 - - - - -
-
- Threshold Not Met -
-
-
- - - Threshold Not Met - - -
-
- - Test Kitchen Workflow - - -
\ No newline at end of file From dd54750a5837b743cc55b8b82703993d68d66e4a Mon Sep 17 00:00:00 2001 From: Will Date: Thu, 12 Dec 2024 23:56:22 -0800 Subject: [PATCH 23/24] module --> class, fixing weird indentation on code blocks Signed-off-by: Will --- src/courses/profile-dev-test/05.md | 26 +++++++++++++------------- src/courses/profile-dev-test/README.md | 6 +++--- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/src/courses/profile-dev-test/05.md b/src/courses/profile-dev-test/05.md index f1bbfc018..a8bf539d3 100644 --- a/src/courses/profile-dev-test/05.md +++ b/src/courses/profile-dev-test/05.md @@ -28,9 +28,9 @@ This guide assumes basic familiarity with AWS. If you're new to AWS, please revi 6. (Optional) Target a specific control: - ```bash - export INSPEC_CONTROL='SV-230222' - ``` +```bash +export INSPEC_CONTROL='SV-230222' +``` ## Running Through the AWS Test Suite @@ -40,24 +40,24 @@ This guide assumes basic familiarity with AWS. If you're new to AWS, please revi 7. List the kitchen instances: ```bash - bundle exec kitchen list +bundle exec kitchen list ``` You should see something like this: ```shell - Instance Driver Provisioner Verifier Transport Last Action Last Error - vanilla-rhel-8 Ec2 AnsiblePlaybook Inspec Ssh Verified None - hardened-rhel-8 Ec2 AnsiblePlaybook Inspec Ssh Verified None +Instance Driver Provisioner Verifier Transport Last Action Last Error +vanilla-rhel-8 Ec2 AnsiblePlaybook Inspec Ssh Verified None +hardened-rhel-8 Ec2 AnsiblePlaybook Inspec Ssh Verified None ``` ### Key Testing Steps Explained 8. **Create** the test instance: - ```bash - bundle exec kitchen create vanilla - ``` +```bash +bundle exec kitchen create vanilla +``` Executing that line launches a fresh EC2 instance for testing: @@ -72,9 +72,9 @@ Executing that line launches a fresh EC2 instance for testing: 9. **Converge** the instance: - ```bash - bundle exec kitchen converge vanilla - ``` +```bash +bundle exec kitchen converge vanilla +``` Convergence applies the necessary configurations to prepare the system for testing: diff --git a/src/courses/profile-dev-test/README.md b/src/courses/profile-dev-test/README.md index 09db9f566..5e17a28ab 100644 --- a/src/courses/profile-dev-test/README.md +++ b/src/courses/profile-dev-test/README.md @@ -10,7 +10,7 @@ author: Aaron Lippold ## Learning Objectives -By completing this module, you will be able to: +By the end of this class, you will be able to: - Build and validate InSpec profiles using Test Kitchen - Configure local testing environments for security compliance @@ -20,7 +20,7 @@ By completing this module, you will be able to: ## Prerequisites -Before starting this module, ensure you have: +Before starting this class, ensure you have: - Basic knowledge of Ruby ([Learn Ruby Basics](https://ruby-lang.org/en/documentation/quickstart/)) - Docker or Podman installed ([Docker Installation Guide](https://docs.docker.com/get-docker/)) @@ -39,7 +39,7 @@ Before proceeding, verify you can: ## Overview -The development and testing of profiles are accomplished using a variety of tools, including Ruby, the Test Kitchen suite, InSpec compliance language, Ansible, Docker, and shell scripting (bash/zsh). To contribute with Pull Requests and fixes, you'll need to set up your local test suite by following the instructions provided below. +The development and testing of InSpec validation profiles can be accomplished using a variety of tools working in concert, including Ruby, the Test Kitchen suite, the InSpec compliance language itself, Ansible, Docker, and shell scripting (bash/zsh). To contribute with Pull Requests and fixes, you'll need to set up your local test suite by following the instructions provided below. ### Key Tools Explained From 40ad023cabecda3550d71238603851042f5f3a1d Mon Sep 17 00:00:00 2001 From: Will Date: Fri, 13 Dec 2024 00:07:22 -0800 Subject: [PATCH 24/24] typo Signed-off-by: Will --- src/courses/profile-dev-test/07.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/courses/profile-dev-test/07.md b/src/courses/profile-dev-test/07.md index b68dbfd4b..dcedf2b03 100644 --- a/src/courses/profile-dev-test/07.md +++ b/src/courses/profile-dev-test/07.md @@ -81,7 +81,7 @@ The choice between micro and massive PRs can significantly impact the workflows - **Patch and Release Updates:** These updates typically involve minor changes or additions, which can be easily managed with either micro or massive PRs. The choice depends on your team's preference for review speed and context switching. -- **Major Version or Large Jump Release Updates:** These updates require a thorough review of every single control and requirement. They also necessitate extensive testing, both automated (via the CI/CD testing matrix) and manual. In this scenario, the overhead of managing multiple micro or mini PRs can be substantial. However, the benefit is that it allows for more granitary control and review of changes. It's also easier to isolate and fix issues that arise during testing. +- **Major Version or Large Jump Release Updates:** These updates require a thorough review of every single control and requirement. They also necessitate extensive testing, both automated (via the CI/CD testing matrix) and manual. In this scenario, the overhead of managing multiple micro or mini PRs can be substantial. However, the benefit is that it allows for more granular control and review of changes. It's also easier to isolate and fix issues that arise during testing. ## Practice Exercise