diff --git a/hubblestack/__init__.py b/hubblestack/__init__.py index 00c3889f6..dbd7bf93d 100644 --- a/hubblestack/__init__.py +++ b/hubblestack/__init__.py @@ -1 +1 @@ -__version__ = '2.2.9' +__version__ = '2.2.10' diff --git a/hubblestack/extmods/modules/pulsar.py b/hubblestack/extmods/modules/pulsar.py index 72d6d5bab..98678e70c 100644 --- a/hubblestack/extmods/modules/pulsar.py +++ b/hubblestack/extmods/modules/pulsar.py @@ -18,6 +18,7 @@ import os import re import yaml +from salt.exceptions import CommandExecutionError # Import salt libs import salt.ext.six diff --git a/hubblestack/extmods/modules/win_pulsar.py b/hubblestack/extmods/modules/win_pulsar.py index 6d447bfa1..ba344fd34 100644 --- a/hubblestack/extmods/modules/win_pulsar.py +++ b/hubblestack/extmods/modules/win_pulsar.py @@ -234,7 +234,7 @@ def canary(change_file=None): conf_dir = os.path.dirname(__opts__['conf_file']) change_file = os.path.join(conf_dir, 'fim_canary.tmp') __salt__['file.touch'](change_file) - __salt__['file.remove'](change_file) + os.remove(change_file) def _check_acl(path, mask, wtype, recurse): @@ -245,6 +245,7 @@ def _check_acl(path, mask, wtype, recurse): else: wtype = [wtype] + path = "'" + path + "'" audit_acl = __salt__['cmd.run']('(Get-Acl {0} -Audit).Audit | fl'.format(path), shell='powershell', python_shell=True) if not audit_acl: diff --git a/hubblestack/files/hubblestack_nova/win_pkg.py b/hubblestack/files/hubblestack_nova/win_pkg.py index dd540f8a2..a5e93a2ca 100644 --- a/hubblestack/files/hubblestack_nova/win_pkg.py +++ b/hubblestack/files/hubblestack_nova/win_pkg.py @@ -14,6 +14,7 @@ import logging import salt.utils from salt.exceptions import CommandExecutionError +from distutils.version import LooseVersion log = logging.getLogger(__name__) @@ -66,7 +67,7 @@ def audit(data_list, tags, debug=False, **kwargs): # Whitelisted audit (must include) if 'whitelist' in audit_type: if name in __pkgdata__: - audit_value = __pkgdata__['name'] + audit_value = __pkgdata__[name] tag_data['found_value'] = audit_value secret = _translate_value_type(audit_value, tag_data['value_type'], match_output) if secret: @@ -152,7 +153,10 @@ def _get_tags(data): def _translate_value_type(current, value, evaluator): - if int(current) >= int(evaluator): + if 'equal' in value.lower() and LooseVersion(current) == LooseVersion(evaluator): return True - else: - return False + if 'less' in value.lower() and LooseVersion(current) <= LooseVersion(evaluator): + return True + if 'more' in value.lower() and LooseVersion(current) >= LooseVersion(evaluator): + return True + return False diff --git a/hubblestack/files/hubblestack_nova/win_reg.py b/hubblestack/files/hubblestack_nova/win_reg.py index 5ae5d007b..0d7033c99 100644 --- a/hubblestack/files/hubblestack_nova/win_reg.py +++ b/hubblestack/files/hubblestack_nova/win_reg.py @@ -67,7 +67,7 @@ def audit(data_list, tags, debug=False, **kwargs): current = _find_option_value_in_reg(reg_dict['hive'], reg_dict['key'], reg_dict['value']) if isinstance(current, dict): tag_data['value_found'] = current - if False in current.values(): + if any( x is False for x in current.values()): ret['Failure'].append(tag_data) else: answer_list = [] @@ -195,8 +195,8 @@ def _find_option_value_in_reg(reg_hive, reg_key, reg_value): for sid in key_list: if len(sid) <= 15 or '_Classes' in sid: continue - reg_key = reg_key.replace('', sid) - reg_result = __salt__['reg.read_value'](reg_hive, reg_key, reg_value) + temp_reg_key = reg_key.replace('', sid) + reg_result = __salt__['reg.read_value'](reg_hive, temp_reg_key, reg_value) if reg_result['success']: if reg_result['vdata'] == '(value not set)': ret_dict[sid] = False diff --git a/pkg/amazonlinux2016.09/Dockerfile b/pkg/amazonlinux2016.09/Dockerfile index 1b6cdb250..c93d00c08 100644 --- a/pkg/amazonlinux2016.09/Dockerfile +++ b/pkg/amazonlinux2016.09/Dockerfile @@ -16,7 +16,7 @@ RUN mkdir -p /etc/osquery /var/log/osquery /etc/hubble/hubble.d /opt/hubble /opt #osquery should be built first since requirements for other packages can interfere with osquery dependencies #to build, osquery scripts want sudo and a user to sudo with. #to pin to a different version change the following envirnment variable -ENV OSQUERY_SRC_VERSION=2.8.0 +ENV OSQUERY_SRC_VERSION=2.9.2 ENV OSQUERY_BUILD_USER=osquerybuilder ENV OSQUERY_GIT_URL=https://github.com/facebook/osquery.git RUN yum -y install git make python ruby sudo which @@ -85,14 +85,14 @@ RUN wget -c https://bootstrap.pypa.io/get-pip.py \ && pip -v install -r pyinstaller-requirements.txt #fpm package making requirements start -RUN yum install -y ruby ruby-devel rpmbuild rubygems gcc make \ +RUN yum install -y ruby ruby-devel rpmbuild rpm-build rubygems gcc make \ && gem install --no-ri --no-rdoc fpm #pyinstaller start #commands specified for ENTRYPOINT and CMD are executed when the container is run, not when the image is built #use the following variables to choose the version of hubble -ENV HUBBLE_CHECKOUT=v2.2.9 -ENV HUBBLE_VERSION=2.2.9 +ENV HUBBLE_CHECKOUT=v2.2.10 +ENV HUBBLE_VERSION=2.2.10 ENV HUBBLE_GIT_URL=https://github.com/hubblestack/hubble.git ENV HUBBLE_SRC_PATH=/hubble_src ENV _HOOK_DIR="./pkg/" diff --git a/pkg/amazonlinux2017.03/Dockerfile b/pkg/amazonlinux2017.03/Dockerfile index 44883f5bd..3ec8fcf93 100644 --- a/pkg/amazonlinux2017.03/Dockerfile +++ b/pkg/amazonlinux2017.03/Dockerfile @@ -16,7 +16,7 @@ RUN mkdir -p /etc/osquery /var/log/osquery /etc/hubble/hubble.d /opt/hubble /opt #osquery should be built first since requirements for other packages can interfere with osquery dependencies #to build, osquery scripts want sudo and a user to sudo with. #to pin to a different version change the following envirnment variable -ENV OSQUERY_SRC_VERSION=2.8.0 +ENV OSQUERY_SRC_VERSION=2.9.2 ENV OSQUERY_BUILD_USER=osquerybuilder ENV OSQUERY_GIT_URL=https://github.com/facebook/osquery.git RUN yum -y install git make python ruby sudo which @@ -85,14 +85,14 @@ RUN wget -c https://bootstrap.pypa.io/get-pip.py \ && pip -v install -r pyinstaller-requirements.txt #fpm package making requirements start -RUN yum install -y ruby ruby-devel rpmbuild rubygems gcc make \ +RUN yum install -y ruby ruby-devel rpmbuild rpm-build rubygems gcc make \ && gem install --no-ri --no-rdoc fpm #pyinstaller start #commands specified for ENTRYPOINT and CMD are executed when the container is run, not when the image is built #use the following variables to choose the version of hubble -ENV HUBBLE_CHECKOUT=v2.2.9 -ENV HUBBLE_VERSION=2.2.9 +ENV HUBBLE_CHECKOUT=v2.2.10 +ENV HUBBLE_VERSION=2.2.10 ENV HUBBLE_GIT_URL=https://github.com/hubblestack/hubble.git ENV HUBBLE_SRC_PATH=/hubble_src ENV _HOOK_DIR="./pkg/" diff --git a/pkg/centos6/Dockerfile b/pkg/centos6/Dockerfile index a56016455..d81a3950b 100644 --- a/pkg/centos6/Dockerfile +++ b/pkg/centos6/Dockerfile @@ -16,7 +16,7 @@ RUN mkdir -p /etc/osquery /var/log/osquery /etc/hubble/hubble.d /opt/hubble /opt #osquery should be built first since requirements for other packages can interfere with osquery dependencies #to build, osquery scripts want sudo and a user to sudo with. #to pin to a different version change the following envirnment variable -ENV OSQUERY_SRC_VERSION=2.8.0 +ENV OSQUERY_SRC_VERSION=2.9.2 ENV OSQUERY_BUILD_USER=osquerybuilder ENV OSQUERY_GIT_URL=https://github.com/facebook/osquery.git RUN yum -y install git make python ruby sudo which python-argparse @@ -87,14 +87,14 @@ RUN wget -c https://bootstrap.pypa.io/get-pip.py \ && scl enable python27 "pip -v install -r pyinstaller-requirements.txt" #fpm package making requirements start -RUN yum install -y rpmbuild gcc make rh-ruby23 rh-ruby23-ruby-devel \ +RUN yum install -y rpmbuild rpm-build gcc make rh-ruby23 rh-ruby23-ruby-devel \ && scl enable rh-ruby23 "gem install --no-ri --no-rdoc fpm" #pyinstaller start #commands specified for ENTRYPOINT and CMD are executed when the container is run, not when the image is built #use the following variables to choose the version of hubble -ENV HUBBLE_CHECKOUT=v2.2.9 -ENV HUBBLE_VERSION=2.2.9 +ENV HUBBLE_CHECKOUT=v2.2.10 +ENV HUBBLE_VERSION=2.2.10 ENV HUBBLE_GIT_URL=https://github.com/hubblestack/hubble.git ENV HUBBLE_SRC_PATH=/hubble_src ENV _HOOK_DIR="./pkg/" diff --git a/pkg/centos7/Dockerfile b/pkg/centos7/Dockerfile index 60d1c8cd6..57bca7618 100644 --- a/pkg/centos7/Dockerfile +++ b/pkg/centos7/Dockerfile @@ -16,7 +16,7 @@ RUN mkdir -p /etc/osquery /var/log/osquery /etc/hubble/hubble.d /opt/hubble /opt #osquery should be built first since requirements for other packages can interfere with osquery dependencies #to build, osquery scripts want sudo and a user to sudo with. #to pin to a different version change the following envirnment variable -ENV OSQUERY_SRC_VERSION=2.8.0 +ENV OSQUERY_SRC_VERSION=2.9.2 ENV OSQUERY_BUILD_USER=osquerybuilder ENV OSQUERY_GIT_URL=https://github.com/facebook/osquery.git RUN yum -y install git make python ruby sudo which @@ -84,14 +84,14 @@ RUN wget -c https://bootstrap.pypa.io/get-pip.py \ && pip -v install -r pyinstaller-requirements.txt #fpm package making requirements start -RUN yum install -y ruby ruby-devel rpmbuild rubygems gcc make \ +RUN yum install -y ruby ruby-devel rpmbuild rpm-build rubygems gcc make \ && gem install --no-ri --no-rdoc fpm #pyinstaller start #commands specified for ENTRYPOINT and CMD are executed when the container is run, not when the image is built #use the following variables to choose the version of hubble -ENV HUBBLE_CHECKOUT=v2.2.9 -ENV HUBBLE_VERSION=2.2.9 +ENV HUBBLE_CHECKOUT=v2.2.10 +ENV HUBBLE_VERSION=2.2.10 ENV HUBBLE_GIT_URL=https://github.com/hubblestack/hubble.git ENV HUBBLE_SRC_PATH=/hubble_src ENV _HOOK_DIR="./pkg/" diff --git a/pkg/coreos/Dockerfile b/pkg/coreos/Dockerfile index 9c2fa6891..48b7c9f00 100644 --- a/pkg/coreos/Dockerfile +++ b/pkg/coreos/Dockerfile @@ -17,7 +17,7 @@ RUN mkdir -p /etc/osquery /var/log/osquery /etc/hubble/hubble.d /opt/hubble /opt #osquery should be built first since requirements for other packages can interfere with osquery dependencies #to build, osquery scripts want sudo and a user to sudo with. #to pin to a different version change the following envirnment variable -ENV OSQUERY_SRC_VERSION=2.8.0 +ENV OSQUERY_SRC_VERSION=2.9.2 ENV OSQUERY_BUILD_USER=osquerybuilder ENV OSQUERY_GIT_URL=https://github.com/facebook/osquery.git RUN apt-get -y install git make python ruby sudo @@ -88,8 +88,8 @@ RUN pip install --upgrade pip \ #pyinstaller start #commands specified for ENTRYPOINT and CMD are executed when the container is run, not when the image is built #use the following variables to choose the version of hubble -ENV HUBBLE_CHECKOUT=v2.2.9 -ENV HUBBLE_VERSION=2.2.9 +ENV HUBBLE_CHECKOUT=v2.2.10 +ENV HUBBLE_VERSION=2.2.10 ENV HUBBLE_GIT_URL=https://github.com/hubblestack/hubble.git ENV HUBBLE_SRC_PATH=/hubble_src ENV _HOOK_DIR="./pkg/" diff --git a/pkg/debian7/Dockerfile b/pkg/debian7/Dockerfile index fa65918ab..2a7119eec 100644 --- a/pkg/debian7/Dockerfile +++ b/pkg/debian7/Dockerfile @@ -115,8 +115,8 @@ RUN apt-get install -y ruby ruby-dev rubygems gcc make \ #pyinstaller start #commands specified for ENTRYPOINT and CMD are executed when the container is run, not when the image is built #use the following variables to choose the version of hubble -ENV HUBBLE_CHECKOUT=v2.2.9 -ENV HUBBLE_VERSION=2.2.9 +ENV HUBBLE_CHECKOUT=v2.2.10 +ENV HUBBLE_VERSION=2.2.10 ENV HUBBLE_GIT_URL=https://github.com/hubblestack/hubble.git ENV HUBBLE_SRC_PATH=/hubble_src ENV _HOOK_DIR="./pkg/" diff --git a/pkg/debian8/Dockerfile b/pkg/debian8/Dockerfile index 48b89c028..df4bd7191 100644 --- a/pkg/debian8/Dockerfile +++ b/pkg/debian8/Dockerfile @@ -17,7 +17,7 @@ RUN mkdir -p /etc/osquery /var/log/osquery /etc/hubble/hubble.d /opt/hubble /opt #osquery should be built first since requirements for other packages can interfere with osquery dependencies #to build, osquery scripts want sudo and a user to sudo with. #to pin to a different version change the following envirnment variable -ENV OSQUERY_SRC_VERSION=2.8.0 +ENV OSQUERY_SRC_VERSION=2.9.2 ENV OSQUERY_BUILD_USER=osquerybuilder ENV OSQUERY_GIT_URL=https://github.com/facebook/osquery.git RUN apt-get -y install git make python ruby sudo locales @@ -96,8 +96,8 @@ RUN apt-get install -y ruby ruby-dev rubygems gcc make \ #pyinstaller start #commands specified for ENTRYPOINT and CMD are executed when the container is run, not when the image is built #use the following variables to choose the version of hubble -ENV HUBBLE_CHECKOUT=v2.2.9 -ENV HUBBLE_VERSION=2.2.9 +ENV HUBBLE_CHECKOUT=v2.2.10 +ENV HUBBLE_VERSION=2.2.10 ENV HUBBLE_GIT_URL=https://github.com/hubblestack/hubble.git ENV HUBBLE_SRC_PATH=/hubble_src ENV _HOOK_DIR="./pkg/" diff --git a/pkg/debian9/Dockerfile b/pkg/debian9/Dockerfile index 21ae22cdf..dd05854c1 100644 --- a/pkg/debian9/Dockerfile +++ b/pkg/debian9/Dockerfile @@ -17,7 +17,7 @@ RUN mkdir -p /etc/osquery /var/log/osquery /etc/hubble/hubble.d /opt/hubble /opt #osquery should be built first since requirements for other packages can interfere with osquery dependencies #to build, osquery scripts want sudo and a user to sudo with. #to pin to a different version change the following envirnment variable -ENV OSQUERY_SRC_VERSION=2.8.0 +ENV OSQUERY_SRC_VERSION=2.9.2 ENV OSQUERY_BUILD_USER=osquerybuilder ENV OSQUERY_GIT_URL=https://github.com/facebook/osquery.git RUN apt-get -y install git make python ruby sudo @@ -92,8 +92,8 @@ RUN apt-get install -y ruby ruby-dev rubygems gcc make \ #pyinstaller start #commands specified for ENTRYPOINT and CMD are executed when the container is run, not when the image is built #use the following variables to choose the version of hubble -ENV HUBBLE_CHECKOUT=v2.2.9 -ENV HUBBLE_VERSION=2.2.9 +ENV HUBBLE_CHECKOUT=v2.2.10 +ENV HUBBLE_VERSION=2.2.10 ENV HUBBLE_GIT_URL=https://github.com/hubblestack/hubble.git ENV HUBBLE_SRC_PATH=/hubble_src ENV _HOOK_DIR="./pkg/" diff --git a/test-requirements.txt b/test-requirements.txt new file mode 100644 index 000000000..e0f101126 --- /dev/null +++ b/test-requirements.txt @@ -0,0 +1,7 @@ +# +############# test-requirements.txt #################### +# +pytest +pyyaml +salt-ssh +# diff --git a/tests/README.md b/tests/README.md new file mode 100644 index 000000000..200ee5125 --- /dev/null +++ b/tests/README.md @@ -0,0 +1,20 @@ +# Hubble Unittests + +## Running unit tests + +Follow the steps to run unit tests for Hubble +``` +yum install git wget vim python python-setuptools -y +easy_install pip +git clone https://github.com/hubblestack/hubble.git +cd hubble +pip install -r test-requirements.txt +py.test (this will run all the test files in /tests/unittests/) +py.test tests/unittests/test_pulsar.py (this will run the test file mentioned) +``` + +## Adding new unit test + +The files in `/tests/unittests/` are unit tests. We are using pytest framework to write unit tests. If you want to add new tests please use the same framework. The new unit tests can be added at the path `/tests/unittests/`. + +[Python Unit Testing](https://wiki.corp.adobe.com/display/CoreServicesTeam/Python+Unit+Testing) CST wiki is helpful to understand pytest framework and to write new unit tests. diff --git a/tests/unittests/resources/top.nebula b/tests/unittests/resources/top.nebula new file mode 100644 index 000000000..420ced50f --- /dev/null +++ b/tests/unittests/resources/top.nebula @@ -0,0 +1,3 @@ +nebula: + '*': + - hubblestack_nebula_queries diff --git a/tests/unittests/resources/top.pulsar b/tests/unittests/resources/top.pulsar new file mode 100644 index 000000000..24e2c26b0 --- /dev/null +++ b/tests/unittests/resources/top.pulsar @@ -0,0 +1,3 @@ +pulsar: + '*': + - hubblestack_pulsar_config diff --git a/tests/unittests/test_grep_nova.py b/tests/unittests/test_grep_nova.py new file mode 100644 index 000000000..dd2294e18 --- /dev/null +++ b/tests/unittests/test_grep_nova.py @@ -0,0 +1,120 @@ +import sys, os +myPath = os.path.abspath(os.getcwd()) +sys.path.insert(0, myPath) +import hubblestack.files.hubblestack_nova.grep +import yaml +import pytest + +class TestGrep(): + + def test_virtual(self): + expected_val = True + val = hubblestack.files.hubblestack_nova.grep.__virtual__() + assert expected_val == val + + def test_merge_yaml(self): + ret = {'grep':{}} + data = {'grep': + {'blacklist': {'talk': {'data': {'Ubuntu-16.04': [{'/etc/inetd.conf': {'pattern': '^talk', 'tag': 'CIS-5.1.4'}}, {'/etc/inetd.conf': {'pattern': '^ntalk', 'tag': 'CIS-5.1.4'}}]}, 'description': 'Ensure talk server is not enabled'}}, + 'whitelist': {'ssh_ignore_rhosts': {'data': {'Ubuntu-16.04': [{'/etc/ssh/sshd_config': {'pattern': 'IgnoreRhosts', 'tag': 'CIS-9.3.6', 'match_output': 'yes'}}]}, 'description': 'Set SSH IgnoreRhosts to Yes'}}}} + profile = 'ubuntu-1604-level-1-scored-v1-0-0' + val = hubblestack.files.hubblestack_nova.grep._merge_yaml(ret, data, profile) + assert val['grep'] == {'blacklist': [{'talk': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', 'data': {'Ubuntu-16.04': [{'/etc/inetd.conf': {'pattern': '^talk', 'tag': 'CIS-5.1.4'}}, {'/etc/inetd.conf': {'pattern': '^ntalk', 'tag': 'CIS-5.1.4'}}]}, 'description': 'Ensure talk server is not enabled'}}], + 'whitelist': [{'ssh_ignore_rhosts': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', 'data': {'Ubuntu-16.04': [{'/etc/ssh/sshd_config': {'pattern': 'IgnoreRhosts', 'tag': 'CIS-9.3.6', 'match_output': 'yes'}}]}, 'description': 'Set SSH IgnoreRhosts to Yes'}}]} + + def test_merge_yaml_recurssive(self): + ret = {} + profile = 'ubuntu-1604-level-1-scored-v1-0-0' + data1 = {'grep': + {'blacklist': {'talk1': {'data': {'Ubuntu-16.04': [{'/etc/inetd.conf': {'pattern': '^talk', 'tag': 'CIS-5.1.4'}}, {'/etc/inetd.conf': {'pattern': '^ntalk', 'tag': 'CIS-5.1.4'}}]}, 'description': 'Ensure talk server is not enabled'}}, + 'whitelist': {'ssh_ignore_rhosts': {'data': {'Ubuntu-16.04': [{'/etc/ssh/sshd_config': {'pattern': 'IgnoreRhosts', 'tag': 'CIS-9.3.6', 'match_output': 'yes'}}]}, 'description': 'Set SSH IgnoreRhosts to Yes'}}}} + data2 = {'grep': + {'blacklist': {'talk2': {'data': {'Ubuntu-16.04': [{'/etc/inetd.conf': {'pattern': '^talk', 'tag': 'CIS-5.1.4'}}, {'/etc/inetd.conf': {'pattern': '^ntalk', 'tag': 'CIS-5.1.4'}}]}, 'description': 'Ensure talk server is not enabled'}}}} + data_list = [data1, data2] + for data in data_list: + val = hubblestack.files.hubblestack_nova.grep._merge_yaml(ret, data, profile) + assert (len(val['grep']['blacklist'])) == 2 + + def test_audit_for_success(self): + val = {} + data_list = [('ubuntu-1604-level-1-scored-v1-0-0', + {'grep': + {'blacklist': {'talk': {'data': {'Ubuntu-16.04': [{'/etc/inetd.conf': {'pattern': '^talk', 'tag': 'CIS-5.1.4'}}, {'/etc/inetd.conf': {'pattern': '^ntalk', 'tag': 'CIS-5.1.4'}}]}, 'description': 'Ensure talk server is not enabled'}}, + 'whitelist': {'ssh_permit_user_env': {'data': {'Ubuntu-16.04': [{'/etc/ssh/sshd_config': {'pattern': 'PermitUserEnvironment', 'tag': 'CIS-9.3.10', 'match_output': 'no'}}]}, 'description': 'Do Not Allow Users to Set Environment Options'}, + 'ssh_ignore_rhosts': {'data': {'Ubuntu-16.04': [{'/etc/ssh/sshd_config': {'pattern': 'IgnoreRhosts', 'tag': 'CIS-9.3.6', 'match_output': 'yes'}}]}, 'description': 'Set SSH IgnoreRhosts to Yes'}}}})] + __tags__ = 'CIS-9.3.10' + __salt__ = {} + def cmd_run_all(cmd, python_shell=False, ignore_retcode=False): + test_val = {'pid': 28191, 'retcode': 0, 'stderr': '', 'stdout': 'tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'} + return test_val + __salt__['cmd.run_all'] = cmd_run_all + hubblestack.files.hubblestack_nova.grep.__salt__ = __salt__ + hubblestack.files.hubblestack_nova.grep.__grains__ = {'osfinger' : 'Ubuntu-16.04'} + val = hubblestack.files.hubblestack_nova.grep.audit(data_list, __tags__, debug=False) + assert len(val['Success']) != 0 + assert len(val['Failure']) == 0 + + def test_audit_for_value_error(self): + val = {} + data_list = 'wrong_test_data' + __tags__ = 'CIS-9.3.10' + __salt__ = {} + def cmd_run_all(cmd, python_shell=False, ignore_retcode=False): + test_val = {'pid': 28191, 'retcode': 0, 'stderr': '', 'stdout': 'tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'} + return test_val + __salt__['cmd.run_all'] = cmd_run_all + hubblestack.files.hubblestack_nova.grep.__salt__ = __salt__ + hubblestack.files.hubblestack_nova.grep.__grains__ = {'osfinger' : 'Ubuntu-16.04'} + try: + val = hubblestack.files.hubblestack_nova.grep.audit(data_list, __tags__, debug=False) + except ValueError: + pass + hubblestack.files.hubblestack_nova.grep.__salt__ = {} + + def test_audit_for_incorrect_input(self): + val = {} + data_list = [] + __tags__ = 'wrong_test_data' + __salt__ = {} + expected_val = {'Failure': [], 'Controlled': [], 'Success': []} + def cmd_run_all(cmd, python_shell=False, ignore_retcode=False): + test_val = {'pid': 28191, 'retcode': 0, 'stderr': '', 'stdout': 'tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'} + return test_val + __salt__['cmd.run_all'] = cmd_run_all + hubblestack.files.hubblestack_nova.grep.__salt__ = __salt__ + hubblestack.files.hubblestack_nova.grep.__grains__ = {'osfinger' : 'Ubuntu-16.04'} + val = hubblestack.files.hubblestack_nova.grep.audit(data_list, __tags__, debug=False) + assert val == expected_val + hubblestack.files.hubblestack_nova.grep.__salt__ = {} + + def test_get_tags(self): + hubblestack.files.hubblestack_nova.grep.__grains__ = {'osfinger': 'Ubuntu-16.04'} + data = {'grep': + {'blacklist': [{'talk1': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', 'data': {'Ubuntu-16.04': [{'/etc/inetd.conf': {'pattern': '^talk', 'tag': 'CIS-5.1.4'}}, {'/etc/inetd.conf': {'pattern': '^ntalk', 'tag': 'CIS-5.1.4'}}]}, 'description': 'Ensure talk server is not enabled'}}, + {'talk2': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', 'data': {'Ubuntu-16.04': [{'/etc/inetd.conf': {'pattern': '^talk', 'tag': 'CIS-5.1.4'}}, {'/etc/inetd.conf': {'pattern': '^ntalk', 'tag': 'CIS-5.1.4'}}]}, 'description': 'Ensure talk server is not enabled'}}], + 'whitelist': [{'ssh_ignore_rhosts': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', 'data': {'Ubuntu-16.04': [{'/etc/ssh/sshd_config': {'pattern': 'IgnoreRhosts', 'tag': 'CIS-9.3.6', 'match_output': 'yes'}}]}, 'description': 'Set SSH IgnoreRhosts to Yes'}}]}} + val = hubblestack.files.hubblestack_nova.grep._get_tags(data) + assert val['CIS-5.1.4'] != 0 + assert val['CIS-9.3.6'] != 0 + + def test_get_tags_with_empty_list(self): + hubblestack.files.hubblestack_nova.grep.__grains__ = {'osfinger': 'Ubuntu-16.04'} + data = {'grep': + {'blacklist': [], + 'whitelist': []}} + val = hubblestack.files.hubblestack_nova.grep._get_tags(data) + assert val == {} + + def test_grep(self): + path = '/proc/mount/' + pattern = '/dev/shm' + arg = '' + __salt__ = {} + def cmd_run_all(cmd, python_shell=False, ignore_retcode=False): + test_val = {'pid': 28191, 'retcode': 0, 'stderr': '', 'stdout': 'tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'} + return test_val + __salt__['cmd.run_all'] = cmd_run_all + hubblestack.files.hubblestack_nova.grep.__salt__ = __salt__ + val = hubblestack.files.hubblestack_nova.grep._grep(path,pattern,arg) + hubblestack.files.hubblestack_nova.grep.__salt__ = {} + assert val['stdout'] == 'tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0' diff --git a/tests/unittests/test_nebula_osquery.py b/tests/unittests/test_nebula_osquery.py new file mode 100644 index 000000000..dd5d9673b --- /dev/null +++ b/tests/unittests/test_nebula_osquery.py @@ -0,0 +1,97 @@ +import sys, os +myPath = os.path.abspath(os.getcwd()) +sys.path.insert(0, myPath) +import pytest +import yaml +import hubblestack.extmods.modules.nebula_osquery + +class TestNebula(): + + def test__virtual__(self): + var = hubblestack.extmods.modules.nebula_osquery.__virtual__() + assert var == 'nebula' + + def test_hubble_versions(self): + var = hubblestack.extmods.modules.nebula_osquery.hubble_versions() + assert ((var.get('hubble_versions')).get('result')) == True + + def test_queries(self): + query_group = 'day' + query_file = 'tests/unittests/resources/hubblestack_nebula_queries.yaml' + def cp_cache_file(queryFile): + return 'tests/unittests/resources/hubblestack_nebula_queries.yaml' + def uptime(): + return {} + def cmd_run(default): + return default + __salt__ = {} + __salt__['cp.cache_file'] = cp_cache_file + __salt__['status.uptime'] = uptime + __salt__['cmd.run'] = cmd_run + hubblestack.extmods.modules.nebula_osquery.__salt__ = __salt__ + hubblestack.extmods.modules.nebula_osquery.__grains__ = {'osfinger': 'Ubuntu-16.04'} + def cmd_run_all(cmd): + return {'retcode': 0, 'pid': 3478, + 'stdout': '[{"build":"","codename":"xenial","major":"16","minor":"4","name":"Ubuntu","patch":"",' + '"platform":"ubuntu","platform_like":"debian","query_time":"1500395829","version":"16.04.2 LTS (Xenial Xerus)"}]', + 'stderr': ''} + __salt__['cmd.run_all'] = cmd_run_all + var = hubblestack.extmods.modules.nebula_osquery.queries(query_group, query_file,verbose=False,report_version_with_day=False) + assert len(var) != 0 + assert var[0]['fallback_osfinger']['data'][0]['osfinger'] == 'Ubuntu-16.04' + + def test_queries_for_report_version_with_day(self): + query_group = 'day' + query_file = 'tests/unittests/resources/hubblestack_nebula_queries.yaml' + def cp_cache_file(queryFile): + return 'tests/unittests/resources/hubblestack_nebula_queries.yaml' + def uptime(): + return {} + def cmd_run(default): + return default + __salt__ = {} + __salt__['cp.cache_file'] = cp_cache_file + __salt__['status.uptime'] = uptime + __salt__['cmd.run'] = cmd_run + hubblestack.extmods.modules.nebula_osquery.__salt__ = __salt__ + hubblestack.extmods.modules.nebula_osquery.__grains__ = {'osfinger': 'Ubuntu-16.04'} + def cmd_run_all(cmd): + return {'retcode': 0, 'pid': 3478, + 'stdout': '[{"build":"","codename":"xenial","major":"16","minor":"4","name":"Ubuntu","patch":"",' + '"platform":"ubuntu","platform_like":"debian","query_time":"1500395829","version":"16.04.2 LTS (Xenial Xerus)"}]', + 'stderr': ''} + __salt__['cmd.run_all'] = cmd_run_all + hubblestack.extmods.modules.nebula_osquery.__salt__ = __salt__ + var = hubblestack.extmods.modules.nebula_osquery.queries(query_group, query_file,verbose=False, report_version_with_day=True) + hubblestack.extmods.modules.nebula_osquery.__salt__ = {} + assert len(var) != 0 + assert (var[2]['hubble_versions']) != None + + def test_hubble_version(self): + var = hubblestack.extmods.modules.nebula_osquery.hubble_versions() + assert (var['hubble_versions']) != None + + def test_top(self): + __salt__ = {} + query_group = 'day' + topfile = 'tests/unittests/resources/top.nebula' + verbose = False, + report_version_with_day=True + def cp_cache_file(queryFile): + return 'tests/unittests/resources/top.nebula' + def match_compound(value): + return value + def status_uptime(): + return {} + def cmd_run(default): + return default + __salt__['status.uptime'] = status_uptime + __salt__['cmd.run'] = cmd_run + __salt__['cp.cache_file'] = cp_cache_file + __salt__['match.compound'] = match_compound + hubblestack.extmods.modules.nebula_osquery.__salt__ = __salt__ + var = hubblestack.extmods.modules.nebula_osquery.top(query_group, topfile, verbose, report_version_with_day) + hubblestack.extmods.modules.nebula_osquery.__salt__ = {} + assert len(var) != 0 + assert var[0]['fallback_osfinger']['data'][0]['osfinger'] == 'Ubuntu-16.04' + diff --git a/tests/unittests/test_pkg_nova.py b/tests/unittests/test_pkg_nova.py new file mode 100644 index 000000000..59318c189 --- /dev/null +++ b/tests/unittests/test_pkg_nova.py @@ -0,0 +1,101 @@ +import sys, os +myPath = os.path.abspath(os.getcwd()) +sys.path.insert(0, myPath) +import hubblestack.files.hubblestack_nova.pkg +import yaml +import pytest + +class TestPkg(): + + def test_virtual(self): + expected_val = True + val = hubblestack.files.hubblestack_nova.pkg.__virtual__() + assert expected_val == val + + def test_merge_yaml(self): + ret = {'pkg':{}} + data = {'pkg': + {'blacklist': {'talk': {'data': {'Ubuntu-16.04': [{'/etc/inetd.conf': {'pattern': '^talk', 'tag': 'CIS-5.1.4'}}, {'/etc/inetd.conf': {'pattern': '^ntalk', 'tag': 'CIS-5.1.4'}}]}, 'description': 'Ensure talk server is not enabled'}}, + 'whitelist': {'ssh_ignore_rhosts': {'data': {'Ubuntu-16.04': [{'/etc/ssh/sshd_config': {'pattern': 'IgnoreRhosts', 'tag': 'CIS-9.3.6', 'match_output': 'yes'}}]}, 'description': 'Set SSH IgnoreRhosts to Yes'}}}} + profile = 'ubuntu-1604-level-1-scored-v1-0-0' + val = hubblestack.files.hubblestack_nova.pkg._merge_yaml(ret, data, profile) + assert val['pkg'] == {'blacklist': [{'talk': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', 'data': {'Ubuntu-16.04': [{'/etc/inetd.conf': {'pattern': '^talk', 'tag': 'CIS-5.1.4'}}, {'/etc/inetd.conf': {'pattern': '^ntalk', 'tag': 'CIS-5.1.4'}}]}, 'description': 'Ensure talk server is not enabled'}}], + 'whitelist': [{'ssh_ignore_rhosts': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', 'data': {'Ubuntu-16.04': [{'/etc/ssh/sshd_config': {'pattern': 'IgnoreRhosts', 'tag': 'CIS-9.3.6', 'match_output': 'yes'}}]}, 'description': 'Set SSH IgnoreRhosts to Yes'}}]} + + def test_merge_yaml_recurssive(self): + ret = {} + profile = 'ubuntu-1604-level-1-scored-v1-0-0' + data1 = {'pkg': + {'blacklist': {'talk1': {'data': {'Ubuntu-16.04': [{'/etc/inetd.conf': {'pattern': '^talk', 'tag': 'CIS-5.1.4'}}, {'/etc/inetd.conf': {'pattern': '^ntalk', 'tag': 'CIS-5.1.4'}}]}, 'description': 'Ensure talk server is not enabled'}}, + 'whitelist': {'ssh_ignore_rhosts': {'data': {'Ubuntu-16.04': [{'/etc/ssh/sshd_config': {'pattern': 'IgnoreRhosts', 'tag': 'CIS-9.3.6', 'match_output': 'yes'}}]}, 'description': 'Set SSH IgnoreRhosts to Yes'}}}} + data2 = {'pkg': + {'blacklist': {'talk2': {'data': {'Ubuntu-16.04': [{'/etc/inetd.conf': {'pattern': '^talk', 'tag': 'CIS-5.1.4'}}, {'/etc/inetd.conf': {'pattern': '^ntalk', 'tag': 'CIS-5.1.4'}}]}, 'description': 'Ensure talk server is not enabled'}}}} + data_list = [data1, data2] + for data in data_list: + val = hubblestack.files.hubblestack_nova.pkg._merge_yaml(ret, data, profile) + assert (len(val['pkg']['blacklist'])) == 2 + + def test_audit_for_success(self): + val = {} + data_list = [('ubuntu-1604-level-1-scored-v1-0-0', + {'pkg': + {'blacklist': {'prelink': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', 'data': {'Ubuntu-16.04': [{'prelink': 'CIS-4.4'}]}, 'description': 'Disable Prelink'}, 'nis': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', 'data': {'Ubuntu-16.04': [{'nis': 'CIS-5.1.1'}]}, 'description': 'Ensure NIS is not installed'}}, + 'whitelist': {'ntp': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', 'data': {'Ubuntu-16.04': [{'ntp': 'CIS-6.5'}]}, 'description': 'Configure Network Time Protocol (NTP)'}, 'rsyslog': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', 'data': {'Ubuntu-16.04': [{'rsyslog': 'CIS-8.2.1'}]}, 'description': 'Install the rsyslog package'}}}})] + __tags__ = 'CIS-6.5' + hubblestack.files.hubblestack_nova.pkg.__grains__ = {'osfinger': 'Ubuntu-16.04'} + __salt__ = {} + def pkg_version(name): + return name + __salt__['pkg.version'] = pkg_version + hubblestack.files.hubblestack_nova.pkg.__salt__ = __salt__ + val = hubblestack.files.hubblestack_nova.pkg.audit(data_list, __tags__, debug=False) + assert len(val['Success']) != 0 + assert len(val['Failure']) == 0 + + def test_audit_for_incorrect_input(self): + val = {} + data_list = [] + __tags__ = 'wrong_test_data' + hubblestack.files.hubblestack_nova.pkg.__grains__ = {'osfinger': 'Ubuntu-16.04'} + __salt__ = {} + expected_val = {'Failure' : [], 'Controlled' : [], 'Success' : []} + def pkg_version(name): + return name + __salt__['pkg.version'] = pkg_version + hubblestack.files.hubblestack_nova.pkg.__salt__ = __salt__ + val = hubblestack.files.hubblestack_nova.pkg.audit(data_list, __tags__, debug=False) + assert val == expected_val + + def test_audit_for_value_error(self): + val = {} + data_list = 'wrong_test_data' + __tags__ = 'CIS-6.5' + hubblestack.files.hubblestack_nova.pkg.__grains__ = {'osfinger': 'Ubuntu-16.04'} + __salt__ = {} + def pkg_version(name): + return name + __salt__['pkg.version'] = pkg_version + hubblestack.files.hubblestack_nova.pkg.__salt__ = __salt__ + try: + val = hubblestack.files.hubblestack_nova.pkg.audit(data_list, __tags__, debug=False) + except ValueError: + pass + + def test_get_tags(self): + hubblestack.files.hubblestack_nova.pkg.__grains__ = {'osfinger': 'Ubuntu-16.04'} + data = {'pkg': + {'blacklist': [{'talk1': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', 'data': {'Ubuntu-16.04': [{'/etc/inetd.conf': {'pattern': '^talk', 'tag': 'CIS-5.1.4'}}, {'/etc/inetd.conf': {'pattern': '^ntalk', 'tag': 'CIS-5.1.4'}}]}, 'description': 'Ensure talk server is not enabled'}}, + {'talk2': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', 'data': {'Ubuntu-16.04': [{'/etc/inetd.conf': {'pattern': '^talk', 'tag': 'CIS-5.1.4'}}, {'/etc/inetd.conf': {'pattern': '^ntalk', 'tag': 'CIS-5.1.4'}}]}, 'description': 'Ensure talk server is not enabled'}}], + 'whitelist': [{'ssh_ignore_rhosts': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', 'data': {'Ubuntu-16.04': [{'/etc/ssh/sshd_config': {'pattern': 'IgnoreRhosts', 'tag': 'CIS-9.3.6', 'match_output': 'yes'}}]}, 'description': 'Set SSH IgnoreRhosts to Yes'}}]}} + val = hubblestack.files.hubblestack_nova.pkg._get_tags(data) + assert val['CIS-5.1.4'] != 0 + assert val['CIS-9.3.6'] != 0 + + def test_get_tags_for_empty_data(self): + data = {'pkg': {}} + hubblestack.files.hubblestack_nova.pkg.__grains__ = {'osfinger' : 'Ubuntu-16.04'} + ret = hubblestack.files.hubblestack_nova.pkg._get_tags(data) + assert ret == {} + + + diff --git a/tests/unittests/test_pulsar.py b/tests/unittests/test_pulsar.py new file mode 100644 index 000000000..b9f2a38b7 --- /dev/null +++ b/tests/unittests/test_pulsar.py @@ -0,0 +1,126 @@ +import sys, os +myPath = os.path.abspath(os.getcwd()) +sys.path.insert(0, myPath) +import pytest +import hubblestack.extmods.modules.pulsar +import collections +from salt.exceptions import CommandExecutionError + +class TestPulsar(): + + def test_virtual(self): + var = hubblestack.extmods.modules.pulsar.__virtual__() + assert var == True + + def test_enqueue(self): + hubblestack.extmods.modules.pulsar.__context__ = {} + var = hubblestack.extmods.modules.pulsar._enqueue + assert var != 0 + + def test_get_notifier(self): + hubblestack.extmods.modules.pulsar.__context__ = {} + var = hubblestack.extmods.modules.pulsar._get_notifier + assert var != 0 + + def test_dict_update_for_merge_dict(self): + dest = {'key1' : 'val1'} + upd = {'key_2' : 'val_2'} + test_dict = {'key1' : 'val1', 'key_2' : 'val_2'} + var = hubblestack.extmods.modules.pulsar._dict_update(dest, upd, recursive_update=True, merge_lists=False) + assert var == test_dict + + def test_dict_update_for_classic_dictUpdate(self): + dest = {'key1' : 'val1'} + upd = {'key_2' : 'val_2'} + test_dict = {'key1' : 'val1', 'key_2' : 'val_2'} + var = hubblestack.extmods.modules.pulsar._dict_update(dest, upd, recursive_update=False, merge_lists=False) + assert var == test_dict + + def test_dict_update_for_dest_TypeError(self): + dest = 'TestValue1' + upd = {'key_1' : 'val_1', 'key_2' : 'val_2'} + try: + var = hubblestack.extmods.modules.pulsar._dict_update(dest, upd, recursive_update=True, merge_lists=False) + except TypeError: + pass + + def test_dict_update_for_upd_TypeError(self): + dest = {'key_1' : 'val_1', 'key_2' : 'val_2'} + upd = 'TestValue2' + try: + var = hubblestack.extmods.modules.pulsar._dict_update(dest, upd, recursive_update=True, merge_lists=False) + except TypeError: + pass + + def test_dict_update_recurssive(self): + ret = {} + dest = {'data': + {'blacklist': {'talk1': {'data': {'Ubuntu-16.04': [{'/etc/inetd.conf': {'pattern': '^talk', 'tag': 'CIS-5.1.4'}}, {'/etc/inetd.conf': {'pattern': '^ntalk', 'tag': 'CIS-5.1.4'}}]}, 'description': 'Ensure talk server is not enabled'}}, + 'whitelist': {'ssh_ignore_rhosts': {'data': {'Ubuntu-16.04': [{'/etc/ssh/sshd_config': {'pattern': 'IgnoreRhosts', 'tag': 'CIS-9.3.6', 'match_output': 'yes'}}]}, 'description': 'Set SSH IgnoreRhosts to Yes'}}}} + upd = {'data': + {'blacklist': {'talk2': {'data': {'Ubuntu-16.04': [{'/etc/inetd.conf': {'pattern': '^talk', 'tag': 'CIS-5.1.4'}}, {'/etc/inetd.conf': {'pattern': '^ntalk', 'tag': 'CIS-5.1.4'}}]}, 'description': 'Ensure talk server is not enabled'}}}} + data_list = [dest, upd] + for data in data_list: + val = hubblestack.extmods.modules.pulsar._dict_update(dest, data, recursive_update=True, merge_lists=True) + assert (len(val['data']['blacklist'])) == 2 + + def test_process(self): + configfile='tests/unittests/resources/hubblestack_pulsar_config.yaml' + verbose = False + def config_get(value, default): + return default + __salt__ = {} + __salt__['config.get'] = config_get + hubblestack.extmods.modules.pulsar.__salt__ = __salt__ + hubblestack.extmods.modules.pulsar.__opts__ = {} + var = hubblestack.extmods.modules.pulsar.process(configfile,verbose) + hubblestack.extmods.modules.pulsar.__salt__ = {} + assert len(var) == 0 + assert isinstance(var, list) + + def test_top_result_for_list(self): + topfile = 'tests/unittests/resources/top.pulsar' + def cp_cache_file(value): + return 'tests/unittests/resources/top.pulsar' + def match_compound(value): + return value + __salt__ = {} + __salt__['cp.cache_file'] = cp_cache_file + __salt__['match.compound'] = match_compound + hubblestack.extmods.modules.pulsar.__salt__ = __salt__ + get_top_data_config = hubblestack.extmods.modules.pulsar.get_top_data(topfile) + configs = ['salt://hubblestack_pulsar/' + config.replace('.', '/') + '.yaml' + for config in get_top_data_config] + assert configs[0] == 'salt://hubblestack_pulsar/hubblestack_pulsar_config.yaml' + + def test_get_top_data(self): + topfile = 'tests/unittests/resources/top.pulsar' + def cp_cache_file(topfile): + return topfile + def match_compound(value): + return value + __salt__ = {} + __salt__['cp.cache_file'] = cp_cache_file + __salt__['match.compound'] = match_compound + hubblestack.extmods.modules.pulsar.__salt__ = __salt__ + result = hubblestack.extmods.modules.pulsar.get_top_data(topfile) + hubblestack.extmods.modules.pulsar.__salt__ = {} + assert isinstance(result, list) + assert result[0] == 'hubblestack_pulsar_config' + + def test_get_top_data_for_CommandExecutionError(self): + topfile = '/testfile' + def cp_cache_file(topfile): + return '/testfile' + def match_compound(value): + return value + __salt__ = {} + __salt__['cp.cache_file'] = cp_cache_file + __salt__['match.compound'] = match_compound + hubblestack.extmods.modules.pulsar.__salt__ = __salt__ + try: + result = hubblestack.extmods.modules.pulsar.get_top_data(topfile) + hubblestack.extmods.modules.pulsar.__salt__ = {} + except CommandExecutionError: + pass + diff --git a/tests/unittests/test_stat_nova.py b/tests/unittests/test_stat_nova.py new file mode 100644 index 000000000..a2257a177 --- /dev/null +++ b/tests/unittests/test_stat_nova.py @@ -0,0 +1,137 @@ +import sys, os +myPath = os.path.abspath(os.getcwd()) +sys.path.insert(0, myPath) +import hubblestack.files.hubblestack_nova.stat_nova +import yaml +import pytest + +class TestStatNova(): + + def test_virtual(self): + expected_val = True + val = hubblestack.files.hubblestack_nova.stat_nova.__virtual__() + assert expected_val == val + + def test_merge_yaml(self): + ret = {} + data = {'stat': {'passwd_owner_group': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', + 'data': {'Ubuntu-16.04': [{'/etc/passwd': {'gid': 0, 'tag': 'CIS-12.4', 'group': 'root', 'uid': 0, 'user': 'root'}}]}, + 'description': 'Verify User/Group Ownership on /etc/passwd'}}} + profile = 'ubuntu-1604-level-1-scored-v1-0-0' + val = hubblestack.files.hubblestack_nova.stat_nova._merge_yaml(ret, data, profile) + assert val['stat'] == [{'passwd_owner_group': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', + 'data': {'Ubuntu-16.04': [{'/etc/passwd': {'group': 'root', 'gid': 0, 'tag': 'CIS-12.4', 'uid': 0, 'user': 'root'}}]}, + 'description': 'Verify User/Group Ownership on /etc/passwd'}}] + + + def test_merge_yaml_recurssive(self): + ret = {} + profile = 'ubuntu-1604-level-1-scored-v1-0-0' + data1 = {'stat': {'passwd_owner_group1': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', + 'data': {'Ubuntu-16.04': [{'/etc/passwd': {'gid': 0, 'tag': 'CIS-12.4', 'group': 'root', 'uid': 0, 'user': 'root'}}]}, + 'description': 'Verify User/Group Ownership on /etc/passwd'}}} + + data2 = {'stat': {'passwd_owner_group2': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', + 'data': {'Ubuntu-16.04': [{'/etc/passwd': {'gid': 0, 'tag': 'CIS-12.4', 'group': 'root', 'uid': 0, 'user': 'root'}}]}, + 'description': 'Verify User/Group Ownership on /etc/passwd'}}} + data_list = [data1, data2] + for data in data_list: + val = hubblestack.files.hubblestack_nova.stat_nova._merge_yaml(ret, data, profile) + assert (len(val['stat'])) == 2 + + def test_get_tags(self): + data = {'stat': [{'passwd_owner_group': {'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', + 'data': {'Ubuntu-16.04': [{'/etc/passwd': {'gid': 0, 'tag': 'CIS-12.4', 'group': 'root', 'uid': 0, 'user': 'root'}}]}, + 'description': 'Verify User/Group Ownership on /etc/passwd'}}]} + hubblestack.files.hubblestack_nova.stat_nova.__grains__ = {'osfinger' : 'Ubuntu-16.04'} + ret = hubblestack.files.hubblestack_nova.stat_nova._get_tags(data) + assert ret['CIS-12.4'] == [{'nova_profile': 'ubuntu-1604-level-1-scored-v1-0-0', + 'tag': 'CIS-12.4', 'group': 'root', 'name': '/etc/passwd', 'uid': 0, 'gid': 0, + 'description': 'Verify User/Group Ownership on /etc/passwd', 'module': 'stat', 'user': 'root'}] + + def test_get_tags_for_empty_data(self): + data = {'stat': []} + hubblestack.files.hubblestack_nova.stat_nova.__grains__ = {'osfinger' : 'Ubuntu-16.04'} + ret = hubblestack.files.hubblestack_nova.stat_nova._get_tags(data) + assert ret == {} + + def test_audit_for_success(self): + val = {} + data_list = [('ubuntu-1604-level-1-scored-v1-0-0', {'stat': + {'passwd_owner_group': {'data': {'Ubuntu-16.04': [{'/etc/passwd': {'gid': 0, 'tag': 'CIS-12.4', 'group': 'root', 'uid': 0, 'user': 'root'}}]}, + 'description': 'Verify User/Group Ownership on /etc/passwd'}}})] + __tags__ = 'CIS-12.4' + __salt__ = {} + def file_stats(name): + return {'size': 26, 'group': 'root', 'uid': 0, 'type': 'file', 'mode': '0644', 'gid': 0, 'target': '/etc/issue', 'user': 'root', 'mtime': 1486511757.0, 'atime': 1507221810.408013, 'inode': 1322, 'ctime': 1491870657.914388} + __salt__['file.stats'] = file_stats + hubblestack.files.hubblestack_nova.stat_nova.__salt__ = __salt__ + val = hubblestack.files.hubblestack_nova.stat_nova.audit(data_list, __tags__, debug=False) + assert len(val['Success']) != 0 + + def test_audit_for_incorrect_input(self): + val = {} + data_list = [] + __tags__ = '' + __salt__ = {} + expected_val = {'Failure' : [], 'Controlled' : [], 'Success' : []} + def file_stats(name): + return {'size': 26, 'group': 'root', 'uid': 0, 'type': 'file', 'mode': '0644', 'gid': 0, 'target': '/etc/issue', 'user': 'root', 'mtime': 1486511757.0, 'atime': 1507221810.408013, 'inode': 1322, 'ctime': 1491870657.914388} + __salt__['file.stats'] = file_stats + hubblestack.files.hubblestack_nova.stat_nova.__salt__ = __salt__ + val = hubblestack.files.hubblestack_nova.stat_nova.audit(data_list, __tags__, debug=False) + assert val == expected_val + + def test_audit_for_value_error(self): + val = {} + data_list = 'wrong_test_data' + __tags__ = 'CIS-12.4' + __salt__ = {} + def file_stats(name): + return {'size': 26, 'group': 'root', 'uid': 0, 'type': 'file', 'mode': '0644', 'gid': 0, 'target': '/etc/issue', 'user': 'root', 'mtime': 1486511757.0, 'atime': 1507221810.408013, 'inode': 1322, 'ctime': 1491870657.914388} + __salt__['file.stats'] = file_stats + hubblestack.files.hubblestack_nova.stat_nova.__salt__ = __salt__ + try: + val = hubblestack.files.hubblestack_nova.stat_nova.audit(data_list, __tags__, debug=False) + except ValueError: + pass + + def test_check_mode_1(self): + test_data_max_permission = '644' + test_data_given_permission = '644' + test_data_allow_more_strict = True + expected_val = True + result = hubblestack.files.hubblestack_nova.stat_nova._check_mode(test_data_max_permission, test_data_given_permission, test_data_allow_more_strict) + assert expected_val == result + + def test_check_mode_2(self): + test_data_max_permission = '644' + test_data_given_permission = '644' + test_data_allow_more_strict = False + expected_val = True + result = hubblestack.files.hubblestack_nova.stat_nova._check_mode(test_data_max_permission, test_data_given_permission, test_data_allow_more_strict) + assert expected_val == result + + def test_check_mode_3(self): + test_data_max_permission = '644' + test_data_given_permission = '600' + test_data_allow_more_strict = True + expected_val = True + result = hubblestack.files.hubblestack_nova.stat_nova._check_mode(test_data_max_permission, test_data_given_permission, test_data_allow_more_strict) + assert expected_val == result + + def test_check_mode_4(self): + test_data_max_permission = '644' + test_data_given_permission = '600' + test_data_allow_more_strict = False + expected_val = False + result = hubblestack.files.hubblestack_nova.stat_nova._check_mode(test_data_max_permission, test_data_given_permission, test_data_allow_more_strict) + assert expected_val == result + + def test_check_mode_5(self): + test_data_max_permission = '644' + test_data_given_permission = '655' + test_data_allow_more_strict = True + expected_val = False + result = hubblestack.files.hubblestack_nova.stat_nova._check_mode(test_data_max_permission, test_data_given_permission, test_data_allow_more_strict) + assert expected_val == result