class zzzTestRuleInstallCasperSuite(RuleTest):
def setUp(self):
"""
Perform this task before running any of the tests in this class
@author: Roy Nielsen
"""
RuleTest.setUp(self)
self.rule = InstallCasperSuite(self.config, self.environ,
self.logdispatch, self.statechglogger)
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.ch = CommandHelper(self.logdispatch)
self.pkgr = MacPkgr(self.environ, self.logdispatch)
self.pkgUrl = self.rule.reporoot + self.rule.package
message = "Reporoot: " + str(self.rule.reporoot)
self.logdispatch.log(LogPriority.DEBUG, message)
self.connection = Connectivity(self.logdispatch)
###########################################################################
def tearDown(self):
pass
###########################################################################
def test_defaultOsInstall(self):
"""
Test as if testing on a default OS install. May result initial report
pass, which would not run Fix mode.
@author: Roy Nielsen
"""
#####
# Ensure the system is set as the default install would be set for this
# OS
self.removeJamfFramework()
#####
# Run simpleRuleTest
self.simpleRuleTest()
#####
# Validate successful final state
self.checkForBadInstallation()
###########################################################################
def test_wrongSystemSettings(self):
"""
Initial state for this test is set up to fail initial report run,
forcing a fix run.
@author: Roy Nielsen
"""
#####
# Put the system in a known bad state, then run the simpleRuleTest
self.removeJamfFramework()
#####
# Run simpleRuleTest
self.simpleRuleTest()
#####
# Validate successful final state
self.checkForBadInstallation()
###########################################################################
def test_correctSystemSettigns(self):
"""
Only report should run.
@author: Roy Nielsen
"""
#####
# Put the system in a known good state, then run the simpleRuleTest
#####
# If there is a network connection, install, otherwise just log
hasconnection = self.connection.isPageAvailable(self.pkgUrl)
if hasconnection:
msg = "Connected to " + str(self.rule.package)
self.logdispatch.log(LogPriority.DEBUG, msg)
#####
# Install the package
if self.pkgr.installPackage(self.rule.package):
self.rulesuccess = True
self.rule.touch_imaged()
#####
# Run simpleRuleTest
self.simpleRuleTest()
#####
# Validate successful final state
self.checkForSuccessfullInstallation()
###########################################################################
def test_resultAppend(self):
"""
Test the unique rule method "resultAppend".
@author: Roy Nielsen
"""
#####
# First test:
# test the string case
# self.detailedresults = string
# passing in string
self.rule.detailedresults = "Snow season looks good this year..."
string_to_append = "The End"
self.rule.resultAppend("The End")
self.logdispatch.log(LogPriority.DEBUG,
"results: " + str(self.rule.detailedresults))
self.assertTrue(
re.search("%s" % string_to_append, self.rule.detailedresults))
#####
# second test:
# test the first list case
# self.detailedresults = list
# passing in string
self.rule.detailedresults = ["Snow season looks good this year..."]
string_to_append = "The End"
#####
#####
# Note here - we're not testing right, but the code passes test.
# assertRasis isn't the right assert to be using
self.assertRaises(TypeError, self.rule.resultAppend, string_to_append)
#####
# Third test:
# test the second list case
# self.detailedresults = list
# passing in list
self.rule.detailedresults = ["Snow season looks good this year..."]
list_to_append = ["The End"]
#####
#####
# Note here - we're not testing right, but the code passes test.
# assertRasis isn't the right assert to be using
self.assertRaises(TypeError, self.rule.resultAppend, list_to_append)
#####
# fourth test:
# test the first "else" case
# self.detailedresults = string
# passing in boolean
self.rule.detailedresults = "Snow season looks good this year..."
#####
#####
# Note - assertRaises is being correctly used here
self.assertRaises(TypeError, self.rule.resultAppend, False)
#####
# fifth test:
# test the second "else" case
# self.detailedresults = list
# passing in False
self.rule.detailedresults = ["Snow season looks good this year..."]
#####
#####
# Note - assertRaises is being correctly used here
self.assertRaises(TypeError, self.rule.resultAppend, False)
#####
# sixth test:
# test the first "else" case
# self.detailedresults = string
# passing in None
self.rule.detailedresults = "Snow season looks good this year..."
#####
#####
# Note - assertRaises is being correctly used here
self.assertRaises(TypeError, self.rule.resultAppend, None)
#####
# seventh test:
# test the second "else" case
# self.detailedresults = list
# passing in None
self.rule.detailedresults = ["Snow season looks good this year..."]
#####
#####
# Note - assertRaises is being correctly used here
self.assertRaises(TypeError, self.rule.resultAppend, None)
#####
#####
# Note, we are not testing the passing in of every python type...
# Be careful when choosing a representative selection of tests,
# as critical tests might be missed.
#
# In this case, if another valid case is found, a test can be added
# that will test that specific case, or class of cases.
#
# Testing is an iterative process.
#
###########################################################################
def test_touch_imaged(self):
"""
Test the unique rule method "touch_imaged".
The touched_imaged method is not dependent of any other methods, so it
can be tested atomically.
@author: Roy Nielsen
"""
sig1 = "/etc/dds.txt"
sig2 = "/var/log/dds.log"
#####
# Check for the existence of the first signature file, remove it if it
# exists
if os.path.exists(sig1):
os.unlink(sig1)
foundSig1 = True
else:
foundSig1 = False
#####
# Check for the existence of the second signature file, remove it if it
# exists
if os.path.exists(sig2):
os.unlink(sig2)
foundSig2 = True
else:
foundSig2 = False
#####
# Call the method
self.rule.touch_imaged()
#####
# Check for the first file system signature
success_a = os.path.isfile("/etc/dds.txt")
self.logdispatch.log(LogPriority.DEBUG,
"Found first signature file...")
self.assertTrue(success_a)
#####
# Check for the Second file system signature
success_b = os.path.isfile("/var/log/dds.log")
self.logdispatch.log(LogPriority.DEBUG,
"Found second signature file..")
self.assertTrue(success_b)
self.assertTrue(success_a and success_b)
#####
# If the files didn't exist at the beginning of the test, remove them.
if not foundSig1:
os.unlink(sig1)
if not foundSig2:
os.unlink(sig2)
###########################################################################
def checkForSuccessfullInstallation(self):
"""
Check for successfull test run. Specifically what needs to have
happened after a successfull run. IE: must satisfy ALL conditions.
@author: Roy Nielsen
"""
#####
# Check for existence of jamf binary
success = os.path.isfile("/usr/local/bin/jamf")
self.logdispatch.log(LogPriority.DEBUG, "Found the jamf binary..")
self.assertTrue(success)
#####
# Check for the existence of the LANL Self Service.app
success = os.path.isdir("/Applications/LANL Self Service.app")
self.logdispatch.log(
LogPriority.DEBUG,
"Found result: " + str(success) + " Lanl Self Service.app")
self.assertTrue(success)
#####
# Check for the first file system signature
success = os.path.isfile("/etc/dds.txt")
self.logdispatch.log(LogPriority.DEBUG, "Found first sig file...")
self.assertTrue(success)
#####
# Check for the Second file system signature
success = os.path.isfile("/var/log/dds.log")
self.logdispatch.log(LogPriority.DEBUG, "Found second sig file...")
self.assertTrue(success)
#####
# Check to make sure the "jamf recon" command works
cmd = ["/usr/local/bin/jamf", "recon"]
self.ch.executeCommand(cmd)
return_code = self.ch.getReturnCode()
self.logdispatch.log(
LogPriority.DEBUG,
"Return code from jamf " + " recon command: " + str(return_code))
self.assertEqual(str(0), str(return_code))
###########################################################################
def checkForBadInstallation(self):
"""
Check for UNsuccessfull test run. IE: must fail any of the following
conditions. Needs fuzzing applied, or variation on inputs to prove
the variation works as expected.
@Note: Running of the "/usr/local/bin/jamf recon" command is not
executed in this test, as that functionality has already been
tested. The other variables need to be "fuzzed". IE, run
every combination of the variables tested in this test.
@author: Roy Nielsen
"""
#####
# Check if any of the following are false. At least one must be false.
success_a = os.path.isfile("/usr/local/bin/jamf")
success_b = os.path.isdir("/Applications/LANL Self Service.app")
success_c = os.path.isfile("/etc/dds.txt")
success_d = os.path.isfile("/var/log/dds.log")
#####
# If any of these success parameters are false, the test fails
self.assertTrue(
success_a and success_b and success_c and success_d,
"Could not find all files and directories " +
"associated with a successful Casper installation")
#####
# Future testing needs to perform "fuzzing" - automated or auto
# generated input testing
# --
# for every combination of inputs assert the correct outputs
#
# - at least one case is missing in this method - making sure to also
# test for the existence of the Jamf plist.
#
###########################################################################
def setConditionsForRule(self):
'''Configure system for the unit test
:param self: essential if you override this definition
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
success = True
return success
###########################################################################
def checkReportForRule(self, pCompliance, pRuleSuccess):
'''check on whether report was correct
:param self: essential if you override this definition
:param pCompliance: the self.iscompliant value of rule
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG,
"pCompliance = " + str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG,
"pRuleSuccess = " + str(pRuleSuccess) + ".")
success = True
return success
###########################################################################
def checkFixForRule(self, pRuleSuccess):
'''check on whether fix was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG,
"pRuleSuccess = " + str(pRuleSuccess) + ".")
if pRuleSuccess:
success = True
else:
success = False
return success
###########################################################################
def checkUndoForRule(self, pRuleSuccess):
'''check on whether undo was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG,
"pRuleSuccess = " + str(pRuleSuccess) + ".")
if pRuleSuccess:
success = True
else:
success = False
return success
###########################################################################
def removeJamfFramework(self):
"""
Remove the jamf framework for setting initial conditions..
@NOTE: There are many ways that a jamf install can be broken,
This tests a clean uninstall. Partial or broken installs
are not covered in this test, however it may be a good idea
to test for this in the future.
@author: Roy Nielsen
"""
success = False
jamf_path = "/usr/local/bin/jamf"
if os.path.exists(jamf_path):
cmd = [jamf_path, "removeFramework"]
self.ch.executeCommand(cmd)
output = self.ch.getOutputString().split("\n")
self.logdispatch.log(LogPriority.DEBUG, output)
if self.ch.getReturnCode() == 0:
success = True
else:
success = True
return success
class zzzTestRuleDisableOpenSafeSafari(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = DisableOpenSafeSafari(self.config, self.environ,
self.logdispatch,
self.statechglogger)
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.ch = CommandHelper(self.logdispatch)
self.dc = "/usr/bin/defaults"
self.path = "com.apple.Safari"
self.key = "AutoOpenSafeDownloads"
def tearDown(self):
pass
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
'''This makes sure the intial report fails by executing the following
commands:
defaults write com.apple.Safari AutoOpenSafeDownloads -bool yes
:param self: essential if you override this definition
:returns: boolean - If successful True; If failure False
@author: dwalker
'''
success = False
cmd = [self.dc, "write", self.path, self.key, "-bool", "yes"]
self.logdispatch.log(LogPriority.DEBUG, str(cmd))
if self.ch.executeCommand(cmd):
success = self.checkReportForRule(False, True)
return success
def checkReportForRule(self, pCompliance, pRuleSuccess):
'''To see what happended run these commands:
defaults read com.apple.Safari AutoOpenSafeDownloads
:param self: essential if you override this definition
:param pCompliance:
:param pRuleSuccess:
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
success = True
self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " + \
str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
cmd = [self.dc, "read", self.path, self.key]
self.logdispatch.log(LogPriority.DEBUG, str(cmd))
if self.ch.executeCommand(cmd):
output = self.ch.getOutputString()
return success
def checkFixForRule(self, pRuleSuccess):
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = self.checkReportForRule(True, pRuleSuccess)
return success
def checkUndoForRule(self, pRuleSuccess):
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = self.checkReportForRule(False, pRuleSuccess)
return success
class zzzTestRuleConfigureLinuxFirewall(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = ConfigureLinuxFirewall(self.config, self.environ,
self.logdispatch,
self.statechglogger)
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.logger = self.logdispatch
self.ch = CommandHelper(self.logger)
self.servicehelper = ServiceHelper(self.environ, self.logger)
self.checkUndo = True
self.isfirewalld = False
self.isufw = False
if os.path.exists('/bin/firewall-cmd'):
self.isfirewalld = True
if os.path.exists('/usr/sbin/ufw'):
self.isufw = True
# mostly pertains to RHEL6, Centos6
self.iptables = "/usr/sbin/iptables"
if not os.path.exists(self.iptables):
self.iptables = '/sbin/iptables'
self.ip6tables = "/usr/sbin/ip6tables"
if not os.path.exists(self.ip6tables):
self.ip6tables = '/sbin/ip6tables'
if os.path.exists("/usr/sbin/iptables-restore"):
self.iprestore = "/usr/sbin/iptables-restore"
elif os.path.exists("/sbin/iptables-restore"):
self.iprestore = "/sbin/iptables-restore"
if os.path.exists("/usr/sbin/ip6tables-restore"):
self.ip6restore = "/usr/sbin/ip6tables-restore"
elif os.path.exists("/sbin/ip6tables-restore"):
self.ip6restore = "/sbin/ip6tables-restore"
self.scriptType = ""
def tearDown(self):
pass
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
'''Configure system for the unit test
:param self: essential if you override this definition
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
success = True
self.detailedresults = ""
self.iptScriptPath = ""
scriptExists = ""
debug = ""
if self.isfirewalld:
if self.servicehelper.auditService('firewalld.service'):
if not self.servicehelper.disableService('firewalld.service'):
success = False
if self.isufw:
cmdufw = '/usr/sbin/ufw status'
if not self.ch.executeCommand(cmdufw):
debug = "Unable to run ufw status command in unit test\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
outputufw = self.ch.getOutputString()
if re.search('Status: active', outputufw):
ufwcmd = '/usr/sbin/ufw --force disable'
if not self.ch.executeCommand(ufwcmd):
debug = "Unable to disable firewall for unit test\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
cmdufw = "/usr/sbin/ufw status verbose"
if not self.ch.executeCommand(cmdufw):
debug = "Unable to get verbose status for unit test\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
outputfw = self.cmdhelper.getOutputString()
if re.search("Default\:\ deny\ \(incoming\)",
outputfw):
ufwcmd = "/usr/sbin/ufw default allow incoming"
if not self.ch.executeCommand(ufwcmd):
debug = "Unable to set allow status for unit test\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
elif os.path.exists('/usr/bin/system-config-firewall') or \
os.path.exists('/usr/bin/system-config-firewall-tui'):
print("system-config-firewall commands exist\n")
fwpath = '/etc/sysconfig/system-config-firewall'
iptpath = '/etc/sysconfig/iptables'
ip6tpath = '/etc/sysconfig/ip6tables'
if os.path.exists(fwpath):
os.remove(fwpath)
if os.path.exists(iptpath):
os.remove(iptpath)
if os.path.exists(ip6tpath):
os.remove(ip6tpath)
if not self.servicehelper.disableService('iptables'):
print("unable to disable iptables\n")
success = False
debug = "Could not disable iptables in unit test\n"
self.logger.log(LogPriority.DEBUG, debug)
if not self.servicehelper.disableService('ip6tables'):
print("unable to disable ip6tables\n")
success = False
debug = "Could not disable ip6tables in unit test\n"
self.logger.log(LogPriority.DEBUG, debug)
cmd = "/sbin/service iptables stop"
if not self.ch.executeCommand(cmd):
success = False
debug = "Unable to stop iptables in unit test\n"
print("unable to stop iptables in unit test\n")
self.logger.log(LogPriority.DEBUG, debug)
cmd = "/sbin/service ip6tables stop"
if not self.ch.executeCommand(cmd):
success = False
debug = "Unable to stop ip6tables in unit test\n"
print("unable to stop iop6tables in unit test\n")
self.logger.log(LogPriority.DEBUG, debug)
elif os.path.exists(self.iprestore) and \
os.path.exists(self.ip6restore):
if os.path.exists(self.iptScriptPath):
if not os.remove(self.iptScriptPath):
debug = "Unable to remove " + self.iptScriptPath + " for setConditionsForRule\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
return success
def checkReportForRule(self, pCompliance, pRuleSuccess):
'''check on whether report was correct
:param self: essential if you override this definition
:param pCompliance: the self.iscompliant value of rule
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " + \
str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def checkFixForRule(self, pRuleSuccess):
'''check on whether fix was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def checkUndoForRule(self, pRuleSuccess):
'''check on whether undo was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def getScriptValues(self, scriptname):
if scriptname == "iptscript":
iptScript = '''fw_custom_after_chain_creation() {
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
true
}
fw_custom_before_port_handling() {
true
}
fw_custom_before_masq() {
true
}
fw_custom_before_denyall() {
true
}
fw_custom_after_finished() {
true
}
'''
return iptScript
elif scriptname == "iptables":
iptables = '''*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
'''
return iptables
elif scriptname == "ip6tables":
ip6tables = '''*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
'''
return ip6tables
elif scriptname == "systemconfigurefirewall":
systemconfigfirewall = '''# Configuration file for system-config-firewall
--enabled
--service=ssh
'''
return systemconfigfirewall
elif scriptname == "sysconfigiptables":
sysconfigiptables = '''# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
'''
return sysconfigiptables
elif scriptname == "sysconfigip6tables":
sysconfigip6tables = '''# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
'''
return sysconfigip6tables
class zzzTestRuleDisableOpenSafeSafari(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = DisableOpenSafeSafari(self.config,
self.environ,
self.logdispatch,
self.statechglogger)
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.ch = CommandHelper(self.logdispatch)
self.dc = "/usr/bin/defaults"
self.path = "com.apple.Safari"
self.key = "AutoOpenSafeDownloads"
def tearDown(self):
pass
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
'''
This makes sure the intial report fails by executing the following
commands:
defaults write com.apple.Safari AutoOpenSafeDownloads -bool yes
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: dwalker
'''
success = False
cmd = [self.dc, "write", self.path, self.key, "-bool", "yes"]
self.logdispatch.log(LogPriority.DEBUG, str(cmd))
if self.ch.executeCommand(cmd):
success = self.checkReportForRule(False, True)
return success
def checkReportForRule(self, pCompliance, pRuleSuccess):
'''
To see what happended run these commands:
defaults read com.apple.Safari AutoOpenSafeDownloads
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
success = True
self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " + \
str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
cmd = [self.dc, "read", self.path, self.key]
self.logdispatch.log(LogPriority.DEBUG, str(cmd))
if self.ch.executeCommand(cmd):
output = self.ch.getOutputString()
return success
def checkFixForRule(self, pRuleSuccess):
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = self.checkReportForRule(True, pRuleSuccess)
return success
def checkUndoForRule(self, pRuleSuccess):
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = self.checkReportForRule(False, pRuleSuccess)
return success
class zzzTestRuleNoCoreDumps(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = NoCoreDumps(self.config,
self.environ,
self.logdispatch,
self.statechglogger)
self.logger = self.logdispatch
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.checkUndo = True
self.ch = CommandHelper(self.logger)
def tearDown(self):
pass
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
"""
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: Ekkehard J. Koch
"""
success = True
if self.environ.getosfamily() == "linux":
if not self.setLinuxConditions():
success = False
elif self.environ.getostype() == "mac":
if not self.setMacConditions():
success = False
return success
def setMacConditions(self):
success = True
self.ch.executeCommand("/usr/bin/launchctl limit core")
retcode = self.ch.getReturnCode()
if retcode != 0:
self.detailedresults += "\nFailed to run launchctl command to get current value of core dumps configuration"
errmsg = self.ch.getErrorString()
self.logger.log(LogPriority.DEBUG, errmsg)
else:
output = self.ch.getOutputString()
if output:
if not re.search("1", output):
self.ch.executeCommand("/usr/bin/launchctl limit core 1 1")
def setLinuxConditions(self):
success = True
path1 = "/etc/security/limits.conf"
if os.path.exists(path1):
lookfor1 = "(^\*)\s+hard\s+core\s+0?"
contents = readFile(path1, self.logger)
if contents:
tempstring = ""
for line in contents:
if not re.search(lookfor1, line.strip()):
tempstring += line
if not writeFile(path1, tempstring, self.logger):
debug = "unable to write incorrect contents to " + path1 + "\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
if checkPerms(path1, [0, 0, 0o644], self.logger):
if not setPerms(path1, [0, 0, 0o777], self.logger):
debug = "Unable to set incorrect permissions on " + path1 + "\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
debug = "successfully set incorrect permissions on " + path1 + "\n"
self.logger.log(LogPriority.DEBUG, debug)
self.ch.executeCommand("/sbin/sysctl fs.suid_dumpable")
retcode = self.ch.getReturnCode()
if retcode != 0:
self.detailedresults += "Failed to get value of core dumps configuration with sysctl command\n"
errmsg = self.ch.getErrorString()
self.logger.log(LogPriority.DEBUG, errmsg)
success = False
else:
output = self.ch.getOutputString()
if output.strip() != "fs.suid_dumpable = 1":
if not self.ch.executeCommand("/sbin/sysctl -w fs.suid_dumpable=1"):
debug = "Unable to set incorrect value for fs.suid_dumpable"
self.logger.log(LogPriority.DEBUG, debug)
success = False
elif not self.ch.executeCommand("/sbin/sysctl -p"):
debug = "Unable to set incorrect value for fs.suid_dumpable"
self.logger.log(LogPriority.DEBUG, debug)
success = False
return success
def checkReportForRule(self, pCompliance, pRuleSuccess):
"""
check on whether report was correct
@param self: essential if you override this definition
@param pCompliance: the self.iscompliant value of rule
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: Ekkehard J. Koch
"""
self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " + \
str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def checkFixForRule(self, pRuleSuccess):
"""
check on whether fix was correct
@param self: essential if you override this definition
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: Ekkehard J. Koch
"""
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def checkUndoForRule(self, pRuleSuccess):
"""
check on whether undo was correct
@param self: essential if you override this definition
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: Ekkehard J. Koch
"""
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
class zzzTestRuleConfigureLinuxFirewall(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = ConfigureLinuxFirewall(self.config,
self.environ,
self.logdispatch,
self.statechglogger)
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.logger = self.logdispatch
self.ch = CommandHelper(self.logger)
self.servicehelper = ServiceHelper(self.environ, self.logger)
self.checkUndo = True
self.isfirewalld = False
self.isufw = False
if os.path.exists('/bin/firewall-cmd'):
self.isfirewalld = True
if os.path.exists('/usr/sbin/ufw'):
self.isufw = True
# mostly pertains to RHEL6, Centos6
self.iptables = "/usr/sbin/iptables"
if not os.path.exists(self.iptables):
self.iptables = '/sbin/iptables'
self.ip6tables = "/usr/sbin/ip6tables"
if not os.path.exists(self.ip6tables):
self.ip6tables = '/sbin/ip6tables'
if os.path.exists("/usr/sbin/iptables-restore"):
self.iprestore = "/usr/sbin/iptables-restore"
elif os.path.exists("/sbin/iptables-restore"):
self.iprestore = "/sbin/iptables-restore"
if os.path.exists("/usr/sbin/ip6tables-restore"):
self.ip6restore = "/usr/sbin/ip6tables-restore"
elif os.path.exists("/sbin/ip6tables-restore"):
self.ip6restore = "/sbin/ip6tables-restore"
self.scriptType = ""
def tearDown(self):
pass
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
'''
Configure system for the unit test
@param self: essential if you override this definition
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
success = True
self.detailedresults = ""
self.iptScriptPath = ""
scriptExists = ""
debug = ""
if self.isfirewalld:
if self.servicehelper.auditService('firewalld.service'):
if not self.servicehelper.disableService('firewalld.service'):
success = False
if self.isufw:
cmdufw = '/usr/sbin/ufw status'
if not self.ch.executeCommand(cmdufw):
debug = "Unable to run ufw status command in unit test\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
outputufw = self.ch.getOutputString()
if re.search('Status: active', outputufw):
ufwcmd = '/usr/sbin/ufw --force disable'
if not self.ch.executeCommand(ufwcmd):
debug = "Unable to disable firewall for unit test\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
cmdufw = "/usr/sbin/ufw status verbose"
if not self.ch.executeCommand(cmdufw):
debug = "Unable to get verbose status for unit test\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
outputfw = self.cmdhelper.getOutputString()
if re.search("Default\:\ deny\ \(incoming\)", outputfw):
ufwcmd = "/usr/sbin/ufw default allow incoming"
if not self.ch.executeCommand(ufwcmd):
debug = "Unable to set allow status for unit test\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
elif os.path.exists('/usr/bin/system-config-firewall') or \
os.path.exists('/usr/bin/system-config-firewall-tui'):
print "system-config-firewall commands exist\n"
fwpath = '/etc/sysconfig/system-config-firewall'
iptpath = '/etc/sysconfig/iptables'
ip6tpath = '/etc/sysconfig/ip6tables'
if os.path.exists(fwpath):
os.remove(fwpath)
if os.path.exists(iptpath):
os.remove(iptpath)
if os.path.exists(ip6tpath):
os.remove(ip6tpath)
if not self.servicehelper.disableService('iptables'):
print "unable to disable iptables\n"
success = False
debug = "Could not disable iptables in unit test\n"
self.logger.log(LogPriority.DEBUG, debug)
if not self.servicehelper.disableService('ip6tables'):
print "unable to disable ip6tables\n"
success = False
debug = "Could not disable ip6tables in unit test\n"
self.logger.log(LogPriority.DEBUG, debug)
cmd = "/sbin/service iptables stop"
if not self.ch.executeCommand(cmd):
success = False
debug = "Unable to stop iptables in unit test\n"
print "unable to stop iptables in unit test\n"
self.logger.log(LogPriority.DEBUG, debug)
cmd = "/sbin/service ip6tables stop"
if not self.ch.executeCommand(cmd):
success = False
debug = "Unable to stop ip6tables in unit test\n"
print "unable to stop iop6tables in unit test\n"
self.logger.log(LogPriority.DEBUG, debug)
elif os.path.exists(self.iprestore) and \
os.path.exists(self.ip6restore):
if os.path.exists(self.iptScriptPath):
if not os.remove(self.iptScriptPath):
debug = "Unable to remove " + self.iptScriptPath + " for setConditionsForRule\n"
self.logger.log(LogPriority.DEBUG, debug)
success = False
return success
def checkReportForRule(self, pCompliance, pRuleSuccess):
'''
check on whether report was correct
@param self: essential if you override this definition
@param pCompliance: the self.iscompliant value of rule
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " + \
str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def checkFixForRule(self, pRuleSuccess):
'''
check on whether fix was correct
@param self: essential if you override this definition
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def checkUndoForRule(self, pRuleSuccess):
'''
check on whether undo was correct
@param self: essential if you override this definition
@param pRuleSuccess: did report run successfully
@return: boolean - If successful True; If failure False
@author: ekkehard j. koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def getScriptValues(self, scriptname):
if scriptname == "iptscript":
iptScript = '''fw_custom_after_chain_creation() {
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
true
}
fw_custom_before_port_handling() {
true
}
fw_custom_before_masq() {
true
}
fw_custom_before_denyall() {
true
}
fw_custom_after_finished() {
true
}
'''
return iptScript
elif scriptname == "iptables":
iptables = '''*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
'''
return iptables
elif scriptname == "ip6tables":
ip6tables = '''*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
'''
return ip6tables
elif scriptname == "systemconfigurefirewall":
systemconfigfirewall = '''# Configuration file for system-config-firewall
--enabled
--service=ssh
'''
return systemconfigfirewall
elif scriptname == "sysconfigiptables":
sysconfigiptables = '''# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
'''
return sysconfigiptables
elif scriptname == "sysconfigip6tables":
sysconfigip6tables = '''# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
'''
return sysconfigip6tables
class zzzTestRuleNoCoreDumps(RuleTest):
def setUp(self):
RuleTest.setUp(self)
self.rule = NoCoreDumps(self.config, self.environ, self.logdispatch,
self.statechglogger)
self.logger = self.logdispatch
self.rulename = self.rule.rulename
self.rulenumber = self.rule.rulenumber
self.checkUndo = True
self.ch = CommandHelper(self.logger)
def tearDown(self):
pass
def runTest(self):
self.simpleRuleTest()
def setConditionsForRule(self):
'''Configure system for the unit test
:param self: essential if you override this definition
:returns: boolean - If successful True; If failure False
@author: Ekkehard J. Koch
'''
success = True
if self.environ.getosfamily() == "linux":
if not self.setLinuxConditions():
success = False
elif self.environ.getostype() == "mac":
if not self.setMacConditions():
success = False
return success
def setMacConditions(self):
success = True
self.ch.executeCommand("/usr/bin/launchctl limit core")
retcode = self.ch.getReturnCode()
if retcode != 0:
debug = "Failed to run launchctl command to get current value of core dumps configuration\n"
debug += self.ch.getErrorString()
self.logger.log(LogPriority.DEBUG, debug)
else:
output = self.ch.getOutputString()
if output:
if not re.search("1", output):
self.ch.executeCommand("/usr/bin/launchctl limit core 1 1")
def setLinuxConditions(self):
success = True
debug = ""
path1 = "/etc/security/limits.conf"
if os.path.exists(path1):
lookfor1 = "(^\*)\s+hard\s+core\s+0?"
contents = readFile(path1, self.logger)
if contents:
tempstring = ""
for line in contents:
if not re.search(lookfor1, line.strip()):
tempstring += line
if not writeFile(path1, tempstring, self.logger):
debug = "unable to write incorrect contents to " + path1
self.logger.log(LogPriority.DEBUG, debug)
success = False
if not checkPerms(path1, [0, 0, 0o777], self.logger):
if not setPerms(path1, [0, 0, 0o777], self.logger):
debug = "Unable to set incorrect permissions on " + path1
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
debug = "successfully set incorrect permissions on " + path1
self.logger.log(LogPriority.DEBUG, debug)
sysctl = "/etc/sysctl.conf"
tmpfile = sysctl + ".tmp"
editor = KVEditorStonix(self.statechglogger, self.logger, "conf",
sysctl, tmpfile, {"fs.suid_dumpable": "1"},
"present", "openeq")
if not checkPerms(sysctl, [0, 0, 0o777], self.logger):
if not setPerms(sysctl, [0, 0, 0o777], self.logger):
debug = "Unable to set incorrect permissions on " + path1
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
debug = "successfully set incorrect permissions on " + path1
self.logger.log(LogPriority.DEBUG, debug)
if not editor.report():
if not editor.fix():
success = False
debug = "Unable to set conditions for /etc/sysctl.conf file"
self.logger.log(LogPriority.DEBUG, debug)
elif not editor.commit():
success = False
debug = "Unable to set conditions for /etc/sysctl.conf file"
self.logger.log(LogPriority.DEBUG, debug)
self.ch.executeCommand("/sbin/sysctl fs.suid_dumpable")
retcode = self.ch.getReturnCode()
if retcode != 0:
debug = "Failed to get value of core dumps configuration with sysctl command"
debug += self.ch.getErrorString()
self.logger.log(LogPriority.DEBUG, debug)
success = False
else:
output = self.ch.getOutputString()
if output.strip() != "fs.suid_dumpable = 1":
if not self.ch.executeCommand(
"/sbin/sysctl -w fs.suid_dumpable=1"):
debug = "Unable to set incorrect value for fs.suid_dumpable"
self.logger.log(LogPriority.DEBUG, debug)
success = False
elif not self.ch.executeCommand("/sbin/sysctl -q -e -p"):
debug = "Unable to set incorrect value for fs.suid_dumpable"
self.logger.log(LogPriority.DEBUG, debug)
success = False
return success
def checkReportForRule(self, pCompliance, pRuleSuccess):
'''check on whether report was correct
:param self: essential if you override this definition
:param pCompliance: the self.iscompliant value of rule
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: Ekkehard J. Koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pCompliance = " + \
str(pCompliance) + ".")
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def checkFixForRule(self, pRuleSuccess):
'''check on whether fix was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: Ekkehard J. Koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
def checkUndoForRule(self, pRuleSuccess):
'''check on whether undo was correct
:param self: essential if you override this definition
:param pRuleSuccess: did report run successfully
:returns: boolean - If successful True; If failure False
@author: Ekkehard J. Koch
'''
self.logdispatch.log(LogPriority.DEBUG, "pRuleSuccess = " + \
str(pRuleSuccess) + ".")
success = True
return success
