def test_positive_oscap_run_via_ansible_bz_1814988(module_org, default_proxy, content_view, lifecycle_env): """End-to-End Oscap run via ansible :id: 375f8f08-9299-4d16-91f9-9426eeecb9c5 :parametrized: yes :customerscenario: true :setup: scap content, scap policy, host group :steps: 1. Create a valid scap content 2. Import Ansible role theforeman.foreman_scap_client 3. Import Ansible Variables needed for the role 4. Create a scap policy with anisble as deploy option 5. Associate the policy with a hostgroup 6. Provision a host using the hostgroup 7. Harden the host by remediating it with DISA STIG security policy 8. Configure REX and associate the Ansible role to created host 9. Play roles for the host :expectedresults: REX job should be success and ARF report should be sent to satellite :BZ: 1814988 :CaseImportance: Critical """ hgrp_name = gen_string('alpha') policy_name = gen_string('alpha') # Creates host_group for rhel7 make_hostgroup({ 'content-source-id': default_proxy, 'name': hgrp_name, 'organizations': module_org.name, }) # Creates oscap_policy. scap_id, scap_profile_id = fetch_scap_and_profile_id( OSCAP_DEFAULT_CONTENT['rhel7_content'], OSCAP_PROFILE['dsrhel7']) Ansible.roles_import({'proxy-id': default_proxy}) Ansible.variables_import({'proxy-id': default_proxy}) role_id = Ansible.roles_list({'search': 'foreman_scap_client'})[0].get('id') make_scap_policy({ 'scap-content-id': scap_id, 'hostgroups': hgrp_name, 'deploy-by': 'ansible', 'name': policy_name, 'period': OSCAP_PERIOD['weekly'].lower(), 'scap-content-profile-id': scap_profile_id, 'weekday': OSCAP_WEEKDAY['friday'].lower(), 'organizations': module_org.name, }) with VMBroker(nick=DISTRO_RHEL7, host_classes={'host': ContentHost}) as vm: host_name, _, host_domain = vm.hostname.partition('.') vm.install_katello_ca() vm.register_contenthost(module_org.name, ak_name[DISTRO_RHEL7]) assert vm.subscribed Host.set_parameter({ 'host': vm.hostname.lower(), 'name': 'remote_execution_connect_by_ip', 'value': 'True', }) vm.configure_rhel_repo(settings.repos.rhel7_repo) # Harden the rhel7 client with DISA STIG security policy vm.run('yum install -y scap-security-guide') vm.run( 'oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig ' '--fetch-remote-resources --results-arf results.xml ' '/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml', ) add_remote_execution_ssh_key(vm.ip_addr) Host.update({ 'name': vm.hostname.lower(), 'lifecycle-environment': lifecycle_env.name, 'content-view': content_view.name, 'hostgroup': hgrp_name, 'openscap-proxy-id': default_proxy, 'organization': module_org.name, 'ansible-role-ids': role_id, }) job_id = Host.ansible_roles_play({'name': vm.hostname.lower()})[0].get('id') wait_for_tasks( f'resource_type = JobInvocation and resource_id = {job_id} and action ~ "hosts job"' ) try: result = JobInvocation.info({'id': job_id})['success'] assert result == '1' except AssertionError: output = ' '.join( JobInvocation.get_output({ 'id': job_id, 'host': vm.hostname })) result = f'host output: {output}' raise AssertionError(result) result = vm.run( 'cat /etc/foreman_scap_client/config.yaml | grep profile') assert result.status == 0 # Runs the actual oscap scan on the vm/clients and # uploads report to Internal Capsule. vm.execute_foreman_scap_client() # Assert whether oscap reports are uploaded to # Satellite6. result = Arfreport.list({'search': f'host={vm.hostname.lower()}'}) assert result is not None
def test_positive_oscap_run_with_tailoring_file_with_ansible(self): """End-to-End Oscap run with tailoring files via ansible :id: c7ea56eb-6cf1-4e79-8d6a-fb872d1bb804 :setup: scap content, scap policy, tailoring file, host group :steps: 1. Create a valid scap content 2. Upload a valid tailoring file 3. Import Ansible role theforeman.foreman_scap_client 4. Import Ansible Variables needed for the role 5. Create a scap policy with anisble as deploy option 6. Associate scap content with it's tailoring file 7. Associate the policy with a hostgroup 8. Provision a host using the hostgroup 9. Configure REX and associate the Ansible role to created host 10. Play roles for the host :expectedresults: REX job should be success and ARF report should be sent to satellite reflecting the changes done via tailoring files :BZ: 1716307 :CaseImportance: Critical """ if settings.rhel7_repo is None: self.skipTest('Missing configuration for rhel7_repo') rhel7_repo = settings.rhel7_repo hgrp7_name = gen_string('alpha') policy_values = { 'content': self.rhel7_content, 'hgrp': hgrp7_name, 'policy': gen_string('alpha'), 'profile': OSCAP_PROFILE['security7'], } vm_values = { 'distro': DISTRO_RHEL7, 'hgrp': hgrp7_name, 'rhel_repo': rhel7_repo } tailoring_file_name = gen_string('alpha') tailor_path = file_downloader(file_url=settings.oscap.tailoring_path, hostname=settings.server.hostname)[0] # Creates host_group for rhel7 make_hostgroup({ 'content-source-id': self.proxy_id, 'name': hgrp7_name, 'organizations': self.config_env['org_name'], }) tailor_result = make_tailoringfile({ 'name': tailoring_file_name, 'scap-file': tailor_path, 'organization': self.config_env['org_name'], }) result = TailoringFiles.info({'name': tailoring_file_name}) assert result['name'] == tailoring_file_name # Creates oscap_policy for rhel7. scap_id, scap_profile_id = self.fetch_scap_and_profile_id( policy_values.get('content'), policy_values.get('profile')) Ansible.roles_import({'proxy-id': self.proxy_id}) Ansible.variables_import({'proxy-id': self.proxy_id}) role_id = Ansible.roles_list({'search': 'foreman_scap_client'})[0].get('id') make_scap_policy({ 'scap-content-id': scap_id, 'hostgroups': policy_values.get('hgrp'), 'deploy-by': 'ansible', 'name': policy_values.get('policy'), 'period': OSCAP_PERIOD['weekly'].lower(), 'scap-content-profile-id': scap_profile_id, 'weekday': OSCAP_WEEKDAY['friday'].lower(), 'tailoring-file-id': tailor_result['id'], 'tailoring-file-profile-id': tailor_result['tailoring-file-profiles'][0]['id'], 'organizations': self.config_env['org_name'], }) distro_os = vm_values.get('distro') with VirtualMachine(distro=distro_os) as vm: host_name, _, host_domain = vm.hostname.partition('.') vm.install_katello_ca() vm.register_contenthost(self.config_env['org_name'], self.config_env['ak_name'].get(distro_os)) assert vm.subscribed Host.set_parameter({ 'host': vm.hostname.lower(), 'name': 'remote_execution_connect_by_ip', 'value': 'True', }) vm.configure_rhel_repo(settings.rhel7_repo) add_remote_execution_ssh_key(vm.ip_addr) Host.update({ 'name': vm.hostname.lower(), 'lifecycle-environment': self.config_env['env_name'], 'content-view': self.config_env['cv_name'], 'hostgroup': vm_values.get('hgrp'), 'openscap-proxy-id': self.proxy_id, 'organization': self.config_env['org_name'], 'ansible-role-ids': role_id, }) job_id = Host.ansible_roles_play({'name': vm.hostname.lower() })[0].get('id') wait_for_tasks( f"resource_type = JobInvocation and resource_id = {job_id} and " "action ~ \"hosts job\"") try: result = JobInvocation.info({'id': job_id})['success'] assert result == '1' except AssertionError: output = ' '.join( JobInvocation.get_output({ 'id': job_id, 'host': vm.hostname })) result = f'host output: {output}' raise AssertionError(result) result = vm.run( 'cat /etc/foreman_scap_client/config.yaml | grep profile') assert result.return_code == 0 # Runs the actual oscap scan on the vm/clients and # uploads report to Internal Capsule. vm.execute_foreman_scap_client() # Assert whether oscap reports are uploaded to # Satellite6. result = Arfreport.list({'search': f'host={vm.hostname.lower()}'}) assert result is not None
def test_positive_oscap_run_via_ansible(module_org, default_proxy, content_view, lifecycle_env, distro): """End-to-End Oscap run via ansible :id: c7ea56eb-6cf1-4e79-8d6a-fb872d1bb804 :parametrized: yes :setup: scap content, scap policy, host group :steps: 1. Create a valid scap content 2. Import Ansible role theforeman.foreman_scap_client 3. Import Ansible Variables needed for the role 4. Create a scap policy with anisble as deploy option 5. Associate the policy with a hostgroup 6. Provision a host using the hostgroup 7. Configure REX and associate the Ansible role to created host 8. Play roles for the host :expectedresults: REX job should be success and ARF report should be sent to satellite :BZ: 1716307 :CaseImportance: Critical """ if distro == 'rhel7': rhel_repo = settings.repos.rhel7_repo profile = OSCAP_PROFILE['security7'] else: rhel_repo = settings.repos.rhel8_repo profile = OSCAP_PROFILE['ospp8'] content = OSCAP_DEFAULT_CONTENT[f'{distro}_content'] hgrp_name = gen_string('alpha') policy_name = gen_string('alpha') # Creates host_group for rhel7 make_hostgroup({ 'content-source-id': default_proxy, 'name': hgrp_name, 'organizations': module_org.name, }) # Creates oscap_policy. scap_id, scap_profile_id = fetch_scap_and_profile_id(content, profile) Ansible.roles_import({'proxy-id': default_proxy}) Ansible.variables_import({'proxy-id': default_proxy}) role_id = Ansible.roles_list({'search': 'foreman_scap_client'})[0].get('id') make_scap_policy({ 'scap-content-id': scap_id, 'hostgroups': hgrp_name, 'deploy-by': 'ansible', 'name': policy_name, 'period': OSCAP_PERIOD['weekly'].lower(), 'scap-content-profile-id': scap_profile_id, 'weekday': OSCAP_WEEKDAY['friday'].lower(), 'organizations': module_org.name, }) with VMBroker(nick=distro, host_classes={'host': ContentHost}) as vm: host_name, _, host_domain = vm.hostname.partition('.') vm.install_katello_ca() vm.register_contenthost(module_org.name, ak_name[distro]) assert vm.subscribed Host.set_parameter({ 'host': vm.hostname.lower(), 'name': 'remote_execution_connect_by_ip', 'value': 'True', }) vm.configure_rhel_repo(rhel_repo) add_remote_execution_ssh_key(vm.ip_addr) Host.update({ 'name': vm.hostname.lower(), 'lifecycle-environment': lifecycle_env.name, 'content-view': content_view.name, 'hostgroup': hgrp_name, 'openscap-proxy-id': default_proxy, 'organization': module_org.name, 'ansible-role-ids': role_id, }) job_id = Host.ansible_roles_play({'name': vm.hostname.lower()})[0].get('id') wait_for_tasks( f'resource_type = JobInvocation and resource_id = {job_id} and action ~ "hosts job"' ) try: result = JobInvocation.info({'id': job_id})['success'] assert result == '1' except AssertionError: output = ' '.join( JobInvocation.get_output({ 'id': job_id, 'host': vm.hostname })) result = f'host output: {output}' raise AssertionError(result) result = vm.run( 'cat /etc/foreman_scap_client/config.yaml | grep profile') assert result.status == 0 # Runs the actual oscap scan on the vm/clients and # uploads report to Internal Capsule. vm.execute_foreman_scap_client() # Assert whether oscap reports are uploaded to # Satellite6. result = Arfreport.list({'search': f'host={vm.hostname.lower()}'}) assert result is not None