class zzzTestRuleInstallCasperSuite(RuleTest): def setUp(self): """ Perform this task before running any of the tests in this class @author: Roy Nielsen """ RuleTest.setUp(self) self.rule = InstallCasperSuite(self.config, self.environ, self.logdispatch, self.statechglogger) self.rulename = self.rule.rulename self.rulenumber = self.rule.rulenumber self.ch = CommandHelper(self.logdispatch) self.pkgr = MacPkgr(self.environ, self.logdispatch) self.pkgUrl = self.rule.reporoot + self.rule.package message = "Reporoot: " + str(self.rule.reporoot) self.logdispatch.log(LogPriority.DEBUG, message) self.connection = Connectivity(self.logdispatch) ########################################################################### def tearDown(self): pass ########################################################################### def test_defaultOsInstall(self): """ Test as if testing on a default OS install. May result initial report pass, which would not run Fix mode. @author: Roy Nielsen """ ##### # Ensure the system is set as the default install would be set for this # OS self.removeJamfFramework() ##### # Run simpleRuleTest self.simpleRuleTest() ##### # Validate successful final state self.checkForBadInstallation() ########################################################################### def test_wrongSystemSettings(self): """ Initial state for this test is set up to fail initial report run, forcing a fix run. @author: Roy Nielsen """ ##### # Put the system in a known bad state, then run the simpleRuleTest self.removeJamfFramework() ##### # Run simpleRuleTest self.simpleRuleTest() ##### # Validate successful final state self.checkForBadInstallation() ########################################################################### def test_correctSystemSettigns(self): """ Only report should run. @author: Roy Nielsen """ ##### # Put the system in a known good state, then run the simpleRuleTest ##### # If there is a network connection, install, otherwise just log hasconnection = self.connection.isPageAvailable(self.pkgUrl) if hasconnection: msg = "Connected to " + str(self.rule.package) self.logdispatch.log(LogPriority.DEBUG, msg) ##### # Install the package if self.pkgr.installPackage(self.rule.package): self.rulesuccess = True self.rule.touch_imaged() ##### # Run simpleRuleTest self.simpleRuleTest() ##### # Validate successful final state self.checkForSuccessfullInstallation() ########################################################################### def test_resultAppend(self): """ Test the unique rule method "resultAppend". @author: Roy Nielsen """ ##### # First test: # test the string case # self.detailedresults = string # passing in string self.rule.detailedresults = "Snow season looks good this year..." string_to_append = "The End" self.rule.resultAppend("The End") self.logdispatch.log(LogPriority.DEBUG, "results: " + str(self.rule.detailedresults)) self.assertTrue( re.search("%s" % string_to_append, self.rule.detailedresults)) ##### # second test: # test the first list case # self.detailedresults = list # passing in string self.rule.detailedresults = ["Snow season looks good this year..."] string_to_append = "The End" ##### ##### # Note here - we're not testing right, but the code passes test. # assertRasis isn't the right assert to be using self.assertRaises(TypeError, self.rule.resultAppend, string_to_append) ##### # Third test: # test the second list case # self.detailedresults = list # passing in list self.rule.detailedresults = ["Snow season looks good this year..."] list_to_append = ["The End"] ##### ##### # Note here - we're not testing right, but the code passes test. # assertRasis isn't the right assert to be using self.assertRaises(TypeError, self.rule.resultAppend, list_to_append) ##### # fourth test: # test the first "else" case # self.detailedresults = string # passing in boolean self.rule.detailedresults = "Snow season looks good this year..." ##### ##### # Note - assertRaises is being correctly used here self.assertRaises(TypeError, self.rule.resultAppend, False) ##### # fifth test: # test the second "else" case # self.detailedresults = list # passing in False self.rule.detailedresults = ["Snow season looks good this year..."] ##### ##### # Note - assertRaises is being correctly used here self.assertRaises(TypeError, self.rule.resultAppend, False) ##### # sixth test: # test the first "else" case # self.detailedresults = string # passing in None self.rule.detailedresults = "Snow season looks good this year..." ##### ##### # Note - assertRaises is being correctly used here self.assertRaises(TypeError, self.rule.resultAppend, None) ##### # seventh test: # test the second "else" case # self.detailedresults = list # passing in None self.rule.detailedresults = ["Snow season looks good this year..."] ##### ##### # Note - assertRaises is being correctly used here self.assertRaises(TypeError, self.rule.resultAppend, None) ##### ##### # Note, we are not testing the passing in of every python type... # Be careful when choosing a representative selection of tests, # as critical tests might be missed. # # In this case, if another valid case is found, a test can be added # that will test that specific case, or class of cases. # # Testing is an iterative process. # ########################################################################### def test_touch_imaged(self): """ Test the unique rule method "touch_imaged". The touched_imaged method is not dependent of any other methods, so it can be tested atomically. @author: Roy Nielsen """ sig1 = "/etc/dds.txt" sig2 = "/var/log/dds.log" ##### # Check for the existence of the first signature file, remove it if it # exists if os.path.exists(sig1): os.unlink(sig1) foundSig1 = True else: foundSig1 = False ##### # Check for the existence of the second signature file, remove it if it # exists if os.path.exists(sig2): os.unlink(sig2) foundSig2 = True else: foundSig2 = False ##### # Call the method self.rule.touch_imaged() ##### # Check for the first file system signature success_a = os.path.isfile("/etc/dds.txt") self.logdispatch.log(LogPriority.DEBUG, "Found first signature file...") self.assertTrue(success_a) ##### # Check for the Second file system signature success_b = os.path.isfile("/var/log/dds.log") self.logdispatch.log(LogPriority.DEBUG, "Found second signature file..") self.assertTrue(success_b) self.assertTrue(success_a and success_b) ##### # If the files didn't exist at the beginning of the test, remove them. if not foundSig1: os.unlink(sig1) if not foundSig2: os.unlink(sig2) ########################################################################### def checkForSuccessfullInstallation(self): """ Check for successfull test run. Specifically what needs to have happened after a successfull run. IE: must satisfy ALL conditions. @author: Roy Nielsen """ ##### # Check for existence of jamf binary success = os.path.isfile("/usr/local/bin/jamf") self.logdispatch.log(LogPriority.DEBUG, "Found the jamf binary..") self.assertTrue(success) ##### # Check for the existence of the LANL Self Service.app success = os.path.isdir("/Applications/LANL Self Service.app") self.logdispatch.log( LogPriority.DEBUG, "Found result: " + str(success) + " Lanl Self Service.app") self.assertTrue(success) ##### # Check for the first file system signature success = os.path.isfile("/etc/dds.txt") self.logdispatch.log(LogPriority.DEBUG, "Found first sig file...") self.assertTrue(success) ##### # Check for the Second file system signature success = os.path.isfile("/var/log/dds.log") self.logdispatch.log(LogPriority.DEBUG, "Found second sig file...") self.assertTrue(success) ##### # Check to make sure the "jamf recon" command works cmd = ["/usr/local/bin/jamf", "recon"] self.ch.executeCommand(cmd) return_code = self.ch.getReturnCode() self.logdispatch.log( LogPriority.DEBUG, "Return code from jamf " + " recon command: " + str(return_code)) self.assertEqual(str(0), str(return_code)) ########################################################################### def checkForBadInstallation(self): """ Check for UNsuccessfull test run. IE: must fail any of the following conditions. Needs fuzzing applied, or variation on inputs to prove the variation works as expected. @Note: Running of the "/usr/local/bin/jamf recon" command is not executed in this test, as that functionality has already been tested. The other variables need to be "fuzzed". IE, run every combination of the variables tested in this test. @author: Roy Nielsen """ ##### # Check if any of the following are false. At least one must be false. success_a = os.path.isfile("/usr/local/bin/jamf") success_b = os.path.isdir("/Applications/LANL Self Service.app") success_c = os.path.isfile("/etc/dds.txt") success_d = os.path.isfile("/var/log/dds.log") ##### # If any of these success parameters are false, the test fails self.assertTrue( success_a and success_b and success_c and success_d, "Could not find all files and directories " + "associated with a successful Casper installation") ##### # Future testing needs to perform "fuzzing" - automated or auto # generated input testing # -- # for every combination of inputs assert the correct outputs # # - at least one case is missing in this method - making sure to also # test for the existence of the Jamf plist. # ########################################################################### def setConditionsForRule(self): '''Configure system for the unit test :param self: essential if you override this definition :returns: boolean - If successful True; If failure False @author: ekkehard j. koch ''' success = True return success ########################################################################### def checkReportForRule(self, pCompliance, pRuleSuccess): '''check on whether report was correct :param self: essential if you override this definition :param pCompliance: the self.iscompliant value of rule :param pRuleSuccess: did report run successfully :returns: boolean - If successful True; If failure False @author: ekkehard j. koch ''' self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " + str(pCompliance) + ".") self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + str(pRuleSuccess) + ".") success = True return success ########################################################################### def checkFixForRule(self, pRuleSuccess): '''check on whether fix was correct :param self: essential if you override this definition :param pRuleSuccess: did report run successfully :returns: boolean - If successful True; If failure False @author: ekkehard j. koch ''' self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + str(pRuleSuccess) + ".") if pRuleSuccess: success = True else: success = False return success ########################################################################### def checkUndoForRule(self, pRuleSuccess): '''check on whether undo was correct :param self: essential if you override this definition :param pRuleSuccess: did report run successfully :returns: boolean - If successful True; If failure False @author: ekkehard j. koch ''' self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + str(pRuleSuccess) + ".") if pRuleSuccess: success = True else: success = False return success ########################################################################### def removeJamfFramework(self): """ Remove the jamf framework for setting initial conditions.. @NOTE: There are many ways that a jamf install can be broken, This tests a clean uninstall. Partial or broken installs are not covered in this test, however it may be a good idea to test for this in the future. @author: Roy Nielsen """ success = False jamf_path = "/usr/local/bin/jamf" if os.path.exists(jamf_path): cmd = [jamf_path, "removeFramework"] self.ch.executeCommand(cmd) output = self.ch.getOutputString().split("\n") self.logdispatch.log(LogPriority.DEBUG, output) if self.ch.getReturnCode() == 0: success = True else: success = True return success
class zzzTestRuleDisableOpenSafeSafari(RuleTest): def setUp(self): RuleTest.setUp(self) self.rule = DisableOpenSafeSafari(self.config, self.environ, self.logdispatch, self.statechglogger) self.rulename = self.rule.rulename self.rulenumber = self.rule.rulenumber self.ch = CommandHelper(self.logdispatch) self.dc = "/usr/bin/defaults" self.path = "com.apple.Safari" self.key = "AutoOpenSafeDownloads" def tearDown(self): pass def runTest(self): self.simpleRuleTest() def setConditionsForRule(self): '''This makes sure the intial report fails by executing the following commands: defaults write com.apple.Safari AutoOpenSafeDownloads -bool yes :param self: essential if you override this definition :returns: boolean - If successful True; If failure False @author: dwalker ''' success = False cmd = [self.dc, "write", self.path, self.key, "-bool", "yes"] self.logdispatch.log(LogPriority.DEBUG, str(cmd)) if self.ch.executeCommand(cmd): success = self.checkReportForRule(False, True) return success def checkReportForRule(self, pCompliance, pRuleSuccess): '''To see what happended run these commands: defaults read com.apple.Safari AutoOpenSafeDownloads :param self: essential if you override this definition :param pCompliance: :param pRuleSuccess: :returns: boolean - If successful True; If failure False @author: ekkehard j. koch ''' success = True self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " + \ str(pCompliance) + ".") self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") cmd = [self.dc, "read", self.path, self.key] self.logdispatch.log(LogPriority.DEBUG, str(cmd)) if self.ch.executeCommand(cmd): output = self.ch.getOutputString() return success def checkFixForRule(self, pRuleSuccess): self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") success = self.checkReportForRule(True, pRuleSuccess) return success def checkUndoForRule(self, pRuleSuccess): self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") success = self.checkReportForRule(False, pRuleSuccess) return success
class zzzTestRuleConfigureLinuxFirewall(RuleTest): def setUp(self): RuleTest.setUp(self) self.rule = ConfigureLinuxFirewall(self.config, self.environ, self.logdispatch, self.statechglogger) self.rulename = self.rule.rulename self.rulenumber = self.rule.rulenumber self.logger = self.logdispatch self.ch = CommandHelper(self.logger) self.servicehelper = ServiceHelper(self.environ, self.logger) self.checkUndo = True self.isfirewalld = False self.isufw = False if os.path.exists('/bin/firewall-cmd'): self.isfirewalld = True if os.path.exists('/usr/sbin/ufw'): self.isufw = True # mostly pertains to RHEL6, Centos6 self.iptables = "/usr/sbin/iptables" if not os.path.exists(self.iptables): self.iptables = '/sbin/iptables' self.ip6tables = "/usr/sbin/ip6tables" if not os.path.exists(self.ip6tables): self.ip6tables = '/sbin/ip6tables' if os.path.exists("/usr/sbin/iptables-restore"): self.iprestore = "/usr/sbin/iptables-restore" elif os.path.exists("/sbin/iptables-restore"): self.iprestore = "/sbin/iptables-restore" if os.path.exists("/usr/sbin/ip6tables-restore"): self.ip6restore = "/usr/sbin/ip6tables-restore" elif os.path.exists("/sbin/ip6tables-restore"): self.ip6restore = "/sbin/ip6tables-restore" self.scriptType = "" def tearDown(self): pass def runTest(self): self.simpleRuleTest() def setConditionsForRule(self): '''Configure system for the unit test :param self: essential if you override this definition :returns: boolean - If successful True; If failure False @author: ekkehard j. koch ''' success = True self.detailedresults = "" self.iptScriptPath = "" scriptExists = "" debug = "" if self.isfirewalld: if self.servicehelper.auditService('firewalld.service'): if not self.servicehelper.disableService('firewalld.service'): success = False if self.isufw: cmdufw = '/usr/sbin/ufw status' if not self.ch.executeCommand(cmdufw): debug = "Unable to run ufw status command in unit test\n" self.logger.log(LogPriority.DEBUG, debug) success = False else: outputufw = self.ch.getOutputString() if re.search('Status: active', outputufw): ufwcmd = '/usr/sbin/ufw --force disable' if not self.ch.executeCommand(ufwcmd): debug = "Unable to disable firewall for unit test\n" self.logger.log(LogPriority.DEBUG, debug) success = False else: cmdufw = "/usr/sbin/ufw status verbose" if not self.ch.executeCommand(cmdufw): debug = "Unable to get verbose status for unit test\n" self.logger.log(LogPriority.DEBUG, debug) success = False else: outputfw = self.cmdhelper.getOutputString() if re.search("Default\:\ deny\ \(incoming\)", outputfw): ufwcmd = "/usr/sbin/ufw default allow incoming" if not self.ch.executeCommand(ufwcmd): debug = "Unable to set allow status for unit test\n" self.logger.log(LogPriority.DEBUG, debug) success = False elif os.path.exists('/usr/bin/system-config-firewall') or \ os.path.exists('/usr/bin/system-config-firewall-tui'): print("system-config-firewall commands exist\n") fwpath = '/etc/sysconfig/system-config-firewall' iptpath = '/etc/sysconfig/iptables' ip6tpath = '/etc/sysconfig/ip6tables' if os.path.exists(fwpath): os.remove(fwpath) if os.path.exists(iptpath): os.remove(iptpath) if os.path.exists(ip6tpath): os.remove(ip6tpath) if not self.servicehelper.disableService('iptables'): print("unable to disable iptables\n") success = False debug = "Could not disable iptables in unit test\n" self.logger.log(LogPriority.DEBUG, debug) if not self.servicehelper.disableService('ip6tables'): print("unable to disable ip6tables\n") success = False debug = "Could not disable ip6tables in unit test\n" self.logger.log(LogPriority.DEBUG, debug) cmd = "/sbin/service iptables stop" if not self.ch.executeCommand(cmd): success = False debug = "Unable to stop iptables in unit test\n" print("unable to stop iptables in unit test\n") self.logger.log(LogPriority.DEBUG, debug) cmd = "/sbin/service ip6tables stop" if not self.ch.executeCommand(cmd): success = False debug = "Unable to stop ip6tables in unit test\n" print("unable to stop iop6tables in unit test\n") self.logger.log(LogPriority.DEBUG, debug) elif os.path.exists(self.iprestore) and \ os.path.exists(self.ip6restore): if os.path.exists(self.iptScriptPath): if not os.remove(self.iptScriptPath): debug = "Unable to remove " + self.iptScriptPath + " for setConditionsForRule\n" self.logger.log(LogPriority.DEBUG, debug) success = False return success def checkReportForRule(self, pCompliance, pRuleSuccess): '''check on whether report was correct :param self: essential if you override this definition :param pCompliance: the self.iscompliant value of rule :param pRuleSuccess: did report run successfully :returns: boolean - If successful True; If failure False @author: ekkehard j. koch ''' self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " + \ str(pCompliance) + ".") self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") success = True return success def checkFixForRule(self, pRuleSuccess): '''check on whether fix was correct :param self: essential if you override this definition :param pRuleSuccess: did report run successfully :returns: boolean - If successful True; If failure False @author: ekkehard j. koch ''' self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") success = True return success def checkUndoForRule(self, pRuleSuccess): '''check on whether undo was correct :param self: essential if you override this definition :param pRuleSuccess: did report run successfully :returns: boolean - If successful True; If failure False @author: ekkehard j. koch ''' self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") success = True return success def getScriptValues(self, scriptname): if scriptname == "iptscript": iptScript = '''fw_custom_after_chain_creation() { *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited -A INPUT -p ipv6-icmp -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT -A INPUT -j REJECT --reject-with icmp6-adm-prohibited -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited true } fw_custom_before_port_handling() { true } fw_custom_before_masq() { true } fw_custom_before_denyall() { true } fw_custom_after_finished() { true } ''' return iptScript elif scriptname == "iptables": iptables = '''*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT ''' return iptables elif scriptname == "ip6tables": ip6tables = '''*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p ipv6-icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp6-adm-prohibited -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited COMMIT ''' return ip6tables elif scriptname == "systemconfigurefirewall": systemconfigfirewall = '''# Configuration file for system-config-firewall --enabled --service=ssh ''' return systemconfigfirewall elif scriptname == "sysconfigiptables": sysconfigiptables = '''# Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT ''' return sysconfigiptables elif scriptname == "sysconfigip6tables": sysconfigip6tables = '''# Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p ipv6-icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp6-adm-prohibited -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited COMMIT ''' return sysconfigip6tables
class zzzTestRuleDisableOpenSafeSafari(RuleTest): def setUp(self): RuleTest.setUp(self) self.rule = DisableOpenSafeSafari(self.config, self.environ, self.logdispatch, self.statechglogger) self.rulename = self.rule.rulename self.rulenumber = self.rule.rulenumber self.ch = CommandHelper(self.logdispatch) self.dc = "/usr/bin/defaults" self.path = "com.apple.Safari" self.key = "AutoOpenSafeDownloads" def tearDown(self): pass def runTest(self): self.simpleRuleTest() def setConditionsForRule(self): ''' This makes sure the intial report fails by executing the following commands: defaults write com.apple.Safari AutoOpenSafeDownloads -bool yes @param self: essential if you override this definition @return: boolean - If successful True; If failure False @author: dwalker ''' success = False cmd = [self.dc, "write", self.path, self.key, "-bool", "yes"] self.logdispatch.log(LogPriority.DEBUG, str(cmd)) if self.ch.executeCommand(cmd): success = self.checkReportForRule(False, True) return success def checkReportForRule(self, pCompliance, pRuleSuccess): ''' To see what happended run these commands: defaults read com.apple.Safari AutoOpenSafeDownloads @param self: essential if you override this definition @return: boolean - If successful True; If failure False @author: ekkehard j. koch ''' success = True self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " + \ str(pCompliance) + ".") self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") cmd = [self.dc, "read", self.path, self.key] self.logdispatch.log(LogPriority.DEBUG, str(cmd)) if self.ch.executeCommand(cmd): output = self.ch.getOutputString() return success def checkFixForRule(self, pRuleSuccess): self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") success = self.checkReportForRule(True, pRuleSuccess) return success def checkUndoForRule(self, pRuleSuccess): self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") success = self.checkReportForRule(False, pRuleSuccess) return success
class zzzTestRuleNoCoreDumps(RuleTest): def setUp(self): RuleTest.setUp(self) self.rule = NoCoreDumps(self.config, self.environ, self.logdispatch, self.statechglogger) self.logger = self.logdispatch self.rulename = self.rule.rulename self.rulenumber = self.rule.rulenumber self.checkUndo = True self.ch = CommandHelper(self.logger) def tearDown(self): pass def runTest(self): self.simpleRuleTest() def setConditionsForRule(self): """ Configure system for the unit test @param self: essential if you override this definition @return: boolean - If successful True; If failure False @author: Ekkehard J. Koch """ success = True if self.environ.getosfamily() == "linux": if not self.setLinuxConditions(): success = False elif self.environ.getostype() == "mac": if not self.setMacConditions(): success = False return success def setMacConditions(self): success = True self.ch.executeCommand("/usr/bin/launchctl limit core") retcode = self.ch.getReturnCode() if retcode != 0: self.detailedresults += "\nFailed to run launchctl command to get current value of core dumps configuration" errmsg = self.ch.getErrorString() self.logger.log(LogPriority.DEBUG, errmsg) else: output = self.ch.getOutputString() if output: if not re.search("1", output): self.ch.executeCommand("/usr/bin/launchctl limit core 1 1") def setLinuxConditions(self): success = True path1 = "/etc/security/limits.conf" if os.path.exists(path1): lookfor1 = "(^\*)\s+hard\s+core\s+0?" contents = readFile(path1, self.logger) if contents: tempstring = "" for line in contents: if not re.search(lookfor1, line.strip()): tempstring += line if not writeFile(path1, tempstring, self.logger): debug = "unable to write incorrect contents to " + path1 + "\n" self.logger.log(LogPriority.DEBUG, debug) success = False if checkPerms(path1, [0, 0, 0o644], self.logger): if not setPerms(path1, [0, 0, 0o777], self.logger): debug = "Unable to set incorrect permissions on " + path1 + "\n" self.logger.log(LogPriority.DEBUG, debug) success = False else: debug = "successfully set incorrect permissions on " + path1 + "\n" self.logger.log(LogPriority.DEBUG, debug) self.ch.executeCommand("/sbin/sysctl fs.suid_dumpable") retcode = self.ch.getReturnCode() if retcode != 0: self.detailedresults += "Failed to get value of core dumps configuration with sysctl command\n" errmsg = self.ch.getErrorString() self.logger.log(LogPriority.DEBUG, errmsg) success = False else: output = self.ch.getOutputString() if output.strip() != "fs.suid_dumpable = 1": if not self.ch.executeCommand("/sbin/sysctl -w fs.suid_dumpable=1"): debug = "Unable to set incorrect value for fs.suid_dumpable" self.logger.log(LogPriority.DEBUG, debug) success = False elif not self.ch.executeCommand("/sbin/sysctl -p"): debug = "Unable to set incorrect value for fs.suid_dumpable" self.logger.log(LogPriority.DEBUG, debug) success = False return success def checkReportForRule(self, pCompliance, pRuleSuccess): """ check on whether report was correct @param self: essential if you override this definition @param pCompliance: the self.iscompliant value of rule @param pRuleSuccess: did report run successfully @return: boolean - If successful True; If failure False @author: Ekkehard J. Koch """ self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " + \ str(pCompliance) + ".") self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") success = True return success def checkFixForRule(self, pRuleSuccess): """ check on whether fix was correct @param self: essential if you override this definition @param pRuleSuccess: did report run successfully @return: boolean - If successful True; If failure False @author: Ekkehard J. Koch """ self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") success = True return success def checkUndoForRule(self, pRuleSuccess): """ check on whether undo was correct @param self: essential if you override this definition @param pRuleSuccess: did report run successfully @return: boolean - If successful True; If failure False @author: Ekkehard J. Koch """ self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") success = True return success
class zzzTestRuleConfigureLinuxFirewall(RuleTest): def setUp(self): RuleTest.setUp(self) self.rule = ConfigureLinuxFirewall(self.config, self.environ, self.logdispatch, self.statechglogger) self.rulename = self.rule.rulename self.rulenumber = self.rule.rulenumber self.logger = self.logdispatch self.ch = CommandHelper(self.logger) self.servicehelper = ServiceHelper(self.environ, self.logger) self.checkUndo = True self.isfirewalld = False self.isufw = False if os.path.exists('/bin/firewall-cmd'): self.isfirewalld = True if os.path.exists('/usr/sbin/ufw'): self.isufw = True # mostly pertains to RHEL6, Centos6 self.iptables = "/usr/sbin/iptables" if not os.path.exists(self.iptables): self.iptables = '/sbin/iptables' self.ip6tables = "/usr/sbin/ip6tables" if not os.path.exists(self.ip6tables): self.ip6tables = '/sbin/ip6tables' if os.path.exists("/usr/sbin/iptables-restore"): self.iprestore = "/usr/sbin/iptables-restore" elif os.path.exists("/sbin/iptables-restore"): self.iprestore = "/sbin/iptables-restore" if os.path.exists("/usr/sbin/ip6tables-restore"): self.ip6restore = "/usr/sbin/ip6tables-restore" elif os.path.exists("/sbin/ip6tables-restore"): self.ip6restore = "/sbin/ip6tables-restore" self.scriptType = "" def tearDown(self): pass def runTest(self): self.simpleRuleTest() def setConditionsForRule(self): ''' Configure system for the unit test @param self: essential if you override this definition @return: boolean - If successful True; If failure False @author: ekkehard j. koch ''' success = True self.detailedresults = "" self.iptScriptPath = "" scriptExists = "" debug = "" if self.isfirewalld: if self.servicehelper.auditService('firewalld.service'): if not self.servicehelper.disableService('firewalld.service'): success = False if self.isufw: cmdufw = '/usr/sbin/ufw status' if not self.ch.executeCommand(cmdufw): debug = "Unable to run ufw status command in unit test\n" self.logger.log(LogPriority.DEBUG, debug) success = False else: outputufw = self.ch.getOutputString() if re.search('Status: active', outputufw): ufwcmd = '/usr/sbin/ufw --force disable' if not self.ch.executeCommand(ufwcmd): debug = "Unable to disable firewall for unit test\n" self.logger.log(LogPriority.DEBUG, debug) success = False else: cmdufw = "/usr/sbin/ufw status verbose" if not self.ch.executeCommand(cmdufw): debug = "Unable to get verbose status for unit test\n" self.logger.log(LogPriority.DEBUG, debug) success = False else: outputfw = self.cmdhelper.getOutputString() if re.search("Default\:\ deny\ \(incoming\)", outputfw): ufwcmd = "/usr/sbin/ufw default allow incoming" if not self.ch.executeCommand(ufwcmd): debug = "Unable to set allow status for unit test\n" self.logger.log(LogPriority.DEBUG, debug) success = False elif os.path.exists('/usr/bin/system-config-firewall') or \ os.path.exists('/usr/bin/system-config-firewall-tui'): print "system-config-firewall commands exist\n" fwpath = '/etc/sysconfig/system-config-firewall' iptpath = '/etc/sysconfig/iptables' ip6tpath = '/etc/sysconfig/ip6tables' if os.path.exists(fwpath): os.remove(fwpath) if os.path.exists(iptpath): os.remove(iptpath) if os.path.exists(ip6tpath): os.remove(ip6tpath) if not self.servicehelper.disableService('iptables'): print "unable to disable iptables\n" success = False debug = "Could not disable iptables in unit test\n" self.logger.log(LogPriority.DEBUG, debug) if not self.servicehelper.disableService('ip6tables'): print "unable to disable ip6tables\n" success = False debug = "Could not disable ip6tables in unit test\n" self.logger.log(LogPriority.DEBUG, debug) cmd = "/sbin/service iptables stop" if not self.ch.executeCommand(cmd): success = False debug = "Unable to stop iptables in unit test\n" print "unable to stop iptables in unit test\n" self.logger.log(LogPriority.DEBUG, debug) cmd = "/sbin/service ip6tables stop" if not self.ch.executeCommand(cmd): success = False debug = "Unable to stop ip6tables in unit test\n" print "unable to stop iop6tables in unit test\n" self.logger.log(LogPriority.DEBUG, debug) elif os.path.exists(self.iprestore) and \ os.path.exists(self.ip6restore): if os.path.exists(self.iptScriptPath): if not os.remove(self.iptScriptPath): debug = "Unable to remove " + self.iptScriptPath + " for setConditionsForRule\n" self.logger.log(LogPriority.DEBUG, debug) success = False return success def checkReportForRule(self, pCompliance, pRuleSuccess): ''' check on whether report was correct @param self: essential if you override this definition @param pCompliance: the self.iscompliant value of rule @param pRuleSuccess: did report run successfully @return: boolean - If successful True; If failure False @author: ekkehard j. koch ''' self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " + \ str(pCompliance) + ".") self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") success = True return success def checkFixForRule(self, pRuleSuccess): ''' check on whether fix was correct @param self: essential if you override this definition @param pRuleSuccess: did report run successfully @return: boolean - If successful True; If failure False @author: ekkehard j. koch ''' self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") success = True return success def checkUndoForRule(self, pRuleSuccess): ''' check on whether undo was correct @param self: essential if you override this definition @param pRuleSuccess: did report run successfully @return: boolean - If successful True; If failure False @author: ekkehard j. koch ''' self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") success = True return success def getScriptValues(self, scriptname): if scriptname == "iptscript": iptScript = '''fw_custom_after_chain_creation() { *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited -A INPUT -p ipv6-icmp -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT -A INPUT -j REJECT --reject-with icmp6-adm-prohibited -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited true } fw_custom_before_port_handling() { true } fw_custom_before_masq() { true } fw_custom_before_denyall() { true } fw_custom_after_finished() { true } ''' return iptScript elif scriptname == "iptables": iptables = '''*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT ''' return iptables elif scriptname == "ip6tables": ip6tables = '''*filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p ipv6-icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp6-adm-prohibited -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited COMMIT ''' return ip6tables elif scriptname == "systemconfigurefirewall": systemconfigfirewall = '''# Configuration file for system-config-firewall --enabled --service=ssh ''' return systemconfigfirewall elif scriptname == "sysconfigiptables": sysconfigiptables = '''# Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT ''' return sysconfigiptables elif scriptname == "sysconfigip6tables": sysconfigip6tables = '''# Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p ipv6-icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp6-adm-prohibited -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited COMMIT ''' return sysconfigip6tables
class zzzTestRuleNoCoreDumps(RuleTest): def setUp(self): RuleTest.setUp(self) self.rule = NoCoreDumps(self.config, self.environ, self.logdispatch, self.statechglogger) self.logger = self.logdispatch self.rulename = self.rule.rulename self.rulenumber = self.rule.rulenumber self.checkUndo = True self.ch = CommandHelper(self.logger) def tearDown(self): pass def runTest(self): self.simpleRuleTest() def setConditionsForRule(self): '''Configure system for the unit test :param self: essential if you override this definition :returns: boolean - If successful True; If failure False @author: Ekkehard J. Koch ''' success = True if self.environ.getosfamily() == "linux": if not self.setLinuxConditions(): success = False elif self.environ.getostype() == "mac": if not self.setMacConditions(): success = False return success def setMacConditions(self): success = True self.ch.executeCommand("/usr/bin/launchctl limit core") retcode = self.ch.getReturnCode() if retcode != 0: debug = "Failed to run launchctl command to get current value of core dumps configuration\n" debug += self.ch.getErrorString() self.logger.log(LogPriority.DEBUG, debug) else: output = self.ch.getOutputString() if output: if not re.search("1", output): self.ch.executeCommand("/usr/bin/launchctl limit core 1 1") def setLinuxConditions(self): success = True debug = "" path1 = "/etc/security/limits.conf" if os.path.exists(path1): lookfor1 = "(^\*)\s+hard\s+core\s+0?" contents = readFile(path1, self.logger) if contents: tempstring = "" for line in contents: if not re.search(lookfor1, line.strip()): tempstring += line if not writeFile(path1, tempstring, self.logger): debug = "unable to write incorrect contents to " + path1 self.logger.log(LogPriority.DEBUG, debug) success = False if not checkPerms(path1, [0, 0, 0o777], self.logger): if not setPerms(path1, [0, 0, 0o777], self.logger): debug = "Unable to set incorrect permissions on " + path1 self.logger.log(LogPriority.DEBUG, debug) success = False else: debug = "successfully set incorrect permissions on " + path1 self.logger.log(LogPriority.DEBUG, debug) sysctl = "/etc/sysctl.conf" tmpfile = sysctl + ".tmp" editor = KVEditorStonix(self.statechglogger, self.logger, "conf", sysctl, tmpfile, {"fs.suid_dumpable": "1"}, "present", "openeq") if not checkPerms(sysctl, [0, 0, 0o777], self.logger): if not setPerms(sysctl, [0, 0, 0o777], self.logger): debug = "Unable to set incorrect permissions on " + path1 self.logger.log(LogPriority.DEBUG, debug) success = False else: debug = "successfully set incorrect permissions on " + path1 self.logger.log(LogPriority.DEBUG, debug) if not editor.report(): if not editor.fix(): success = False debug = "Unable to set conditions for /etc/sysctl.conf file" self.logger.log(LogPriority.DEBUG, debug) elif not editor.commit(): success = False debug = "Unable to set conditions for /etc/sysctl.conf file" self.logger.log(LogPriority.DEBUG, debug) self.ch.executeCommand("/sbin/sysctl fs.suid_dumpable") retcode = self.ch.getReturnCode() if retcode != 0: debug = "Failed to get value of core dumps configuration with sysctl command" debug += self.ch.getErrorString() self.logger.log(LogPriority.DEBUG, debug) success = False else: output = self.ch.getOutputString() if output.strip() != "fs.suid_dumpable = 1": if not self.ch.executeCommand( "/sbin/sysctl -w fs.suid_dumpable=1"): debug = "Unable to set incorrect value for fs.suid_dumpable" self.logger.log(LogPriority.DEBUG, debug) success = False elif not self.ch.executeCommand("/sbin/sysctl -q -e -p"): debug = "Unable to set incorrect value for fs.suid_dumpable" self.logger.log(LogPriority.DEBUG, debug) success = False return success def checkReportForRule(self, pCompliance, pRuleSuccess): '''check on whether report was correct :param self: essential if you override this definition :param pCompliance: the self.iscompliant value of rule :param pRuleSuccess: did report run successfully :returns: boolean - If successful True; If failure False @author: Ekkehard J. Koch ''' self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " + \ str(pCompliance) + ".") self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") success = True return success def checkFixForRule(self, pRuleSuccess): '''check on whether fix was correct :param self: essential if you override this definition :param pRuleSuccess: did report run successfully :returns: boolean - If successful True; If failure False @author: Ekkehard J. Koch ''' self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") success = True return success def checkUndoForRule(self, pRuleSuccess): '''check on whether undo was correct :param self: essential if you override this definition :param pRuleSuccess: did report run successfully :returns: boolean - If successful True; If failure False @author: Ekkehard J. Koch ''' self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \ str(pRuleSuccess) + ".") success = True return success