Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add VM tests for os_hardening #547

Merged
merged 23 commits into from Jul 11, 2022
Merged

add VM tests for os_hardening #547

merged 23 commits into from Jul 11, 2022

Conversation

schurzi
Copy link
Contributor

@schurzi schurzi commented Jul 11, 2022

Wen need to use full VMs to test every aspect of our os_hardening role. These are now integrated and check all controls of the supporting baseline.

While implementing there were some minor bugs to fix:

  • check for /boot existence was not correct
  • some sysctls were unsupported on older platforms (an exclude mechanism was introduced)
  • gpg-check for yum config did not account for already correct configuration

schurzi added 22 commits July 9, 2022 00:52
@schurzi
add testing of os_hardning on vm
e742330 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
call correct molecule task
8f3f724 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
force linking
013a554 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
setup python
0eddf28 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
use correct parameter
400e576 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
remove waiver
7535abd 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
icrease ressources for test vm
e49eacd 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
also harden /boot
9cfe1f2 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
speedup ansible
b6b2d45 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
fix bug in check for /boot
fa7f859 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
add opensuse and arch
730510c 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
fix yum gpg-check task
cd45a58 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
exclude opensuse
1825eba 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
exclude arch
fdc6b33 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
add sysctl exclude
92dc094 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
add sysctl exclude
4b519e8 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
add sysctl exclude
28baf0d 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
add sysctl exclude
5d50b5b 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
add sysctl exclude
0f631c1 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
add badge for tests
edda707 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
remove waivers file from docker test config
72cb97c 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi
disable ctrl+alt+del for vm tests
c81ce23 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@schurzi schurzi requested a review from rndmh3ro July 11, 2022 11:09
@schurzi
Copy link
Contributor Author

schurzi commented Jul 11, 2022

the task for ctrl-alt-del.target seems to not be idempotent, I have excluded it from the tests. Since it is disabled by default, I see no problem here.

@schurzi
reduce testing on vm
27d091e 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
@rndmh3ro rndmh3ro mentioned this pull request Jul 11, 2022
Open
@rndmh3ro
Copy link
Member

the task for ctrl-alt-del.target seems to not be idempotent, I have excluded it from the tests. Since it is disabled by default, I see no problem here.

#548

@schurzi schurzi mentioned this pull request Jul 11, 2022
Closed
@schurzi schurzi merged commit e03e435 into master Jul 11, 2022
@schurzi schurzi deleted the vm_tests branch July 11, 2022 19:57
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this pull request Aug 3, 2022
@schurzi
Merge pull request dev-sec#547 from dev-sec/vm_tests
5a405bc 
add VM tests for os_hardening
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rndmh3ro rndmh3ro rndmh3ro approved these changes

Assignees
No one assigned
Labels
bug os_hardening patch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@schurzi @rndmh3ro