Manual Tests: Security Appropriate File Access

Adding Appropriate File Access subdomain for Security Test Suite.

Change-Id: I4ee004cc457ce9af928311f12a23aa989e4b8f56
fhernan2 2019-03-12 03:18:26 -05:00 committed by Abraham Arce
parent 11ab639ea9
commit 87b9e6e8da
2 changed files with 448 additions and 0 deletions

View File

@ -18,3 +18,4 @@ Subdomains
security_OAM_suite
security_VM_password_protection
security_https_suite
security_file_access
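Review bot: the new Subdomains entry `security_file_access` has to match the basename of the .rst file added in the second hunk, and that file's path is not visible on this page, so confirm the two agree; a mismatch leaves a toctree entry pointing at a document Sphinx cannot find. The existing entries are not kept in any order, so placement at the end is fine.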

View File

@ -0,0 +1,447 @@
=======================
Appropriate File Access
=======================
.. contents::
:local:
:depth: 1
-----------------------------
SECURITY_Appro_File_Access_01
-----------------------------
:Test ID: SECURITY_Appro_File_Access_01
:Test Title: File permission after initial install.
:Tags: Security
~~~~~~~~~~~~~~~~~~
Testcase Objective
~~~~~~~~~~~~~~~~~~
Verify "opt/platform" and "etc/(system)-config" file permission after initial
install.
~~~~~~~~~~~~~~~~~~~
Test Pre-Conditions
~~~~~~~~~~~~~~~~~~~
New Starlingx configuration lab install with all nodes up and running.
~~~~~~~~~~
Test Steps
~~~~~~~~~~
1. Go to active controller and make sure that all config files have at least
this kind of permission by root ""-rw-r--r--"". If there are some other config
files with less permissions is ok.
.. code:: bash
$ ls -la /etc/*.conf
i.e.
controller-0:/etc$ ls -la /etc/*.conf
-rw-r--r--. 1 root root 55 Apr 10 2018 /etc/asound.conf
-rw-r--r-- 1 root root 3661 Feb 8 15:23 /etc/collectd.conf
-rw-r----- 1 root root 2643 Feb 8 15:23 /etc/dnsmasq.conf
-rw-r--r--. 1 root root 1285 Apr 11 2018 /etc/dracut.conf
-rw-r----- 1 root root 71 Feb 8 15:19 /etc/drbd.conf
...
2. Go to active controller and make sure that /opt/platform/* files have
following permission (If there are some other files with less permissions is
ok), use following command to get /opt/platform file tree.
.. code:: bash
i.e.
controller-0:/opt/platform# ls -R | grep "":$"" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
|-config
|---18.10
|-----branding
|-----postgresql
|-----pxelinux.cfg
|-----ssh_config
|-lost+found
|-nfv
|---vim
|-----18.10
|-puppet
|---18.10
|-----hieradata
|-sysinv
|---18.10
Use the following command to get all file permissions.
.. code:: bash
i.e.
controller-0:/opt/platform# ls -ll -R
.:
total 32
drwxr-xr-x 3 root root 4096 Feb 8 15:20 config
-rw-r--r-- 1 root root 0 Feb 11 13:09 files.txt
drwx------ 2 root root 16384 Feb 8 15:19 lost+found
drwxr-xr-x 3 root root 4096 Feb 8 15:32 nfv
drwxr-xr-x 3 root root 4096 Feb 8 15:20 puppet
drwxr-xr-x 3 sysinv root 4096 Feb 8 15:20 sysinv
./config:
total 4
drwxr-xr-x 6 root root 4096 Feb 8 15:54 18.10
./config/18.10:
total 44
drwxr-xr-x 2 root root 4096 Feb 8 15:20 branding
-rw-r--r-- 1 root root 1895 Feb 8 15:18 cgcs_config
-rw-r--r-- 1 root root 338 Feb 8 15:43 dnsmasq.addn_hosts
-rw-r--r-- 1 root root 1 Feb 8 15:20 dnsmasq.addn_hosts_dc
-rw-r--r-- 1 root root 338 Feb 8 16:03 dnsmasq.addn_hosts.temp
-rw-r--r-- 1 root root 222 Feb 8 15:54 dnsmasq.hosts
-rw-r--r-- 1 root root 222 Feb 8 16:03 dnsmasq.hosts.temp
-rw-r--r-- 1 root root 0 Feb 9 16:04 dnsmasq.leases
-rw-r--r-- 1 root root 526 Feb 8 15:30 hosts
drwxr-xr-x 2 root root 4096 Feb 8 15:20 postgresql
drwxr-xr-x 2 root root 4096 Feb 8 16:03 pxelinux.cfg
drwxr-xr-x 2 root root 4096 Feb 8 15:18 ssh_config
./config/18.10/branding:
total 4
-rwxr-xr-x 1 root root 525 Oct 3 14:37 horizon-region-exclusions.csv
./config/18.10/postgresql:
total 28
-rw-r----- 1 postgres postgres 929 Feb 8 15:19 pg_hba.conf
-rw-r----- 1 postgres postgres 47 Feb 8 15:19 pg_ident.conf
-rw------- 1 postgres postgres 20195 Feb 8 15:19 postgresql.conf
./config/18.10/pxelinux.cfg:
total 16
-rw-r--r-- 1 root root 861 Feb 8 16:03 01-52-54-00-c8-5c-10
-rw-r--r-- 1 root root 939 Feb 8 15:46 01-52-54-00-c8-84-5c
lrwxrwxrwx 1 root root 35 Feb 8 15:31 default -> /pxeboot/pxelinux.cfg.files/default
-rw-r--r-- 1 root root 684 Feb 8 16:03 efi-01-52-54-00-c8-5c-10
-rw-r--r-- 1 root root 762 Feb 8 15:46 efi-01-52-54-00-c8-84-5c
lrwxrwxrwx 1 root root 36 Feb 8 15:31 grub.cfg -> /pxeboot/pxelinux.cfg.files/grub.cfg
./config/18.10/ssh_config:
total 16
-rw------- 1 root root 1679 Feb 8 15:18 nova_migration_key
-rw-r--r-- 1 root root 396 Feb 8 15:18 nova_migration_key.pub
-rw------- 1 root root 227 Feb 8 15:18 system_host_key
-rw-r--r-- 1 root root 176 Feb 8 15:18 system_host_key.pub
./lost+found:
total 0
./nfv:
total 4
drwxr-xr-x 3 root root 4096 Feb 8 15:32 vim
./nfv/vim:
total 4
drwxr-xr-x 2 root root 4096 Feb 8 15:54 18.10
./nfv/vim/18.10:
total 1112
-rw-r--r-- 1 root root 49152 Feb 11 13:03 vim_db_v1
-rw-r--r-- 1 root root 32768 Feb 11 13:08 vim_db_v1-shm
-rw-r--r-- 1 root root 1049080 Feb 11 13:08 vim_db_v1-wal
./puppet:
total 4
drwxr-xr-x 3 root root 4096 Feb 8 15:20 18.10
./puppet/18.10:
total 4
drwxr-xr-x 2 root root 4096 Feb 8 16:03 hieradata
./puppet/18.10/hieradata:
total 92
-rw------- 1 root root 9627 Feb 8 15:54 192.168.204.3.yaml
-rw------- 1 root root 9620 Feb 8 16:03 192.168.204.4.yaml
-rw------- 1 root root 8494 Feb 8 15:18 secure_static.yaml
-rw------- 1 root root 3196 Feb 8 16:03 secure_system.yaml
-rw------- 1 root root 1968 Feb 8 15:18 static.yaml
-rw------- 1 root root 45299 Feb 8 16:03 system.yaml
./sysinv:
total 4
drwxr-xr-x 2 sysinv root 4096 Feb 8 15:26 18.10
./sysinv/18.10:
total 4
-rw-r--r-- 1 root root 1505 Feb 8 15:26 sysinv.conf.default
~~~~~~~~~~~~~~~~~
Expected Behavior
~~~~~~~~~~~~~~~~~
1. All ``ls -la /etc/*.conf`` config files have at least -rw-r--r-- permissions.
2. All /opt/platform files have proper permissions.
-----------------------------
SECURITY_Appro_File_Access_02
-----------------------------
:Test ID: SECURITY_Appro_File_Access_02
:Test Title: File permission after reboot nodes.
:Tags: Security
~~~~~~~~~~~~~~~~~~
Testcase Objective
~~~~~~~~~~~~~~~~~~
Verify "opt/platform" and "etc/(system)-config" file permission after reboot
nodes.
~~~~~~~~~~~~~~~~~~~
Test Pre-Conditions
~~~~~~~~~~~~~~~~~~~
Any Starlingx configuration lab with all nodes rebooted, up and running.
~~~~~~~~~~
Test Steps
~~~~~~~~~~
1. Go to active controller and make sure that all config files have at least
this kind of permission by root ""-rw-r--r--"". If there are some other config
files with less permissions is ok.
.. code:: bash
$ ls -la /etc/*.conf
i.e.
controller-0:/etc$ ls -la /etc/*.conf
-rw-r--r--. 1 root root 55 Apr 10 2018 /etc/asound.conf
-rw-r--r-- 1 root root 3661 Feb 8 15:23 /etc/collectd.conf
-rw-r----- 1 root root 2643 Feb 8 15:23 /etc/dnsmasq.conf
-rw-r--r--. 1 root root 1285 Apr 11 2018 /etc/dracut.conf
-rw-r----- 1 root root 71 Feb 8 15:19 /etc/drbd.conf
...
2. Go to active controller and make sure that /opt/platform/* files have
following permission (If there are some other files with less permissions is
ok), use following command to get /opt/platform file tree.
.. code:: bash
i.e.
controller-0:/opt/platform# ls -R | grep "":$"" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
.
|-config
|---18.10
|-----branding
|-----postgresql
|-----pxelinux.cfg
|-----ssh_config
|-lost+found
|-nfv
|---vim
|-----18.10
|-puppet
|---18.10
|-----hieradata
|-sysinv
|---18.10
Use the following command to get all file permissions.
i.e.
controller-0:/opt/platform# ls -ll -R
.:
total 32
drwxr-xr-x 3 root root 4096 Feb 8 15:20 config
-rw-r--r-- 1 root root 0 Feb 11 13:09 files.txt
drwx------ 2 root root 16384 Feb 8 15:19 lost+found
drwxr-xr-x 3 root root 4096 Feb 8 15:32 nfv
drwxr-xr-x 3 root root 4096 Feb 8 15:20 puppet
drwxr-xr-x 3 sysinv root 4096 Feb 8 15:20 sysinv
./config:
total 4
drwxr-xr-x 6 root root 4096 Feb 8 15:54 18.10
./config/18.10:
total 44
drwxr-xr-x 2 root root 4096 Feb 8 15:20 branding
-rw-r--r-- 1 root root 1895 Feb 8 15:18 cgcs_config
-rw-r--r-- 1 root root 338 Feb 8 15:43 dnsmasq.addn_hosts
-rw-r--r-- 1 root root 1 Feb 8 15:20 dnsmasq.addn_hosts_dc
-rw-r--r-- 1 root root 338 Feb 8 16:03 dnsmasq.addn_hosts.temp
-rw-r--r-- 1 root root 222 Feb 8 15:54 dnsmasq.hosts
-rw-r--r-- 1 root root 222 Feb 8 16:03 dnsmasq.hosts.temp
-rw-r--r-- 1 root root 0 Feb 9 16:04 dnsmasq.leases
-rw-r--r-- 1 root root 526 Feb 8 15:30 hosts
drwxr-xr-x 2 root root 4096 Feb 8 15:20 postgresql
drwxr-xr-x 2 root root 4096 Feb 8 16:03 pxelinux.cfg
drwxr-xr-x 2 root root 4096 Feb 8 15:18 ssh_config
./config/18.10/branding:
total 4
-rwxr-xr-x 1 root root 525 Oct 3 14:37 horizon-region-exclusions.csv
./config/18.10/postgresql:
total 28
-rw-r----- 1 postgres postgres 929 Feb 8 15:19 pg_hba.conf
-rw-r----- 1 postgres postgres 47 Feb 8 15:19 pg_ident.conf
-rw------- 1 postgres postgres 20195 Feb 8 15:19 postgresql.conf
./config/18.10/pxelinux.cfg:
total 16
-rw-r--r-- 1 root root 861 Feb 8 16:03 01-52-54-00-c8-5c-10
-rw-r--r-- 1 root root 939 Feb 8 15:46 01-52-54-00-c8-84-5c
lrwxrwxrwx 1 root root 35 Feb 8 15:31 default -> /pxeboot/pxelinux.cfg.files/default
-rw-r--r-- 1 root root 684 Feb 8 16:03 efi-01-52-54-00-c8-5c-10
-rw-r--r-- 1 root root 762 Feb 8 15:46 efi-01-52-54-00-c8-84-5c
lrwxrwxrwx 1 root root 36 Feb 8 15:31 grub.cfg -> /pxeboot/pxelinux.cfg.files/grub.cfg
./config/18.10/ssh_config:
total 16
-rw------- 1 root root 1679 Feb 8 15:18 nova_migration_key
-rw-r--r-- 1 root root 396 Feb 8 15:18 nova_migration_key.pub
-rw------- 1 root root 227 Feb 8 15:18 system_host_key
-rw-r--r-- 1 root root 176 Feb 8 15:18 system_host_key.pub
./lost+found:
total 0
./nfv:
total 4
drwxr-xr-x 3 root root 4096 Feb 8 15:32 vim
./nfv/vim:
total 4
drwxr-xr-x 2 root root 4096 Feb 8 15:54 18.10
./nfv/vim/18.10:
total 1112
-rw-r--r-- 1 root root 49152 Feb 11 13:03 vim_db_v1
-rw-r--r-- 1 root root 32768 Feb 11 13:08 vim_db_v1-shm
-rw-r--r-- 1 root root 1049080 Feb 11 13:08 vim_db_v1-wal
./puppet:
total 4
drwxr-xr-x 3 root root 4096 Feb 8 15:20 18.10
./puppet/18.10:
total 4
drwxr-xr-x 2 root root 4096 Feb 8 16:03 hieradata
./puppet/18.10/hieradata:
total 92
-rw------- 1 root root 9627 Feb 8 15:54 192.168.204.3.yaml
-rw------- 1 root root 9620 Feb 8 16:03 192.168.204.4.yaml
-rw------- 1 root root 8494 Feb 8 15:18 secure_static.yaml
-rw------- 1 root root 3196 Feb 8 16:03 secure_system.yaml
-rw------- 1 root root 1968 Feb 8 15:18 static.yaml
-rw------- 1 root root 45299 Feb 8 16:03 system.yaml
./sysinv:
total 4
drwxr-xr-x 2 sysinv root 4096 Feb 8 15:26 18.10
./sysinv/18.10:
total 4
-rw-r--r-- 1 root root 1505 Feb 8 15:26 sysinv.conf.default
~~~~~~~~~~~~~~~~~
Expected Behavior
~~~~~~~~~~~~~~~~~
1. All ``"ls -la /etc/*.conf"`` config files have at least "-rw-r--r--"
permissions.
2. All /opt/platform files have proper permissions.
-----------------------------
SECURITY_Appro_File_Access_03
-----------------------------
:Test ID: SECURITY_Appro_File_Access_03
:Test Title: bash.log behaviour on node.
:Tags: Security
~~~~~~~~~~~~~~~~~~
Testcase Objective
~~~~~~~~~~~~~~~~~~
Validate bash.log behavior on node.
~~~~~~~~~~~~~~~~~~~
Test Pre-Conditions
~~~~~~~~~~~~~~~~~~~
At least 1 Controller + 1 compute + 1 Storage
~~~~~~~~~~
Test Steps
~~~~~~~~~~
1. On node type:
.. code:: bash
$ sudo lsattr /var/log/bash.log
and confirm that bash.log is set to append only.
.. code:: bash
-----a-------e-- bash.log <-- append-only attr on
2- On node type
.. code:: bash
$ sudo lsattr /var/log/user.log
and confirm that bash.log is set to append only.
.. code:: bash
-------------e-- user.log <-- append-only attr off""
3- Attempt to edit bash.log, modify the existing data and save the file.
.. code:: bash
$ sudo vim /var/log/bash.log
::
Hit ´i´ to change to INSERT mode
Edit the file
Hit Escape, :wq! ""
4- Attempt to remove the append-only attribute of bash.log
.. code:: bash
$ sudo chattr -a bash.log in order to
**Repeat steps on a compute and storage nodes.**
~~~~~~~~~~~~~~~~~
Expected Behavior
~~~~~~~~~~~~~~~~~
* Confirm append-only attribute ON of bash.log
* Confirm append-only attribute OFF of user.log
* Validate that this is blocked and system gets back with
.. code:: bash
"/var/log/bash.log ERROR:: Can´t open file for writing remove the append-only attribute."
* Validate this is rejected.
* Steps validated on compute and storage nodes.
~~~~~~~~~~~
References:
~~~~~~~~~~~
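Review bot: the acceptance criteria in SECURITY_Appro_File_Access_01 and _02 are stated the wrong way round and too loosely to be checked. Step 1 and Expected Behavior item 1 ask for "at least" `-rw-r--r--`, yet the sample listing shows `-rw-r-----` for dnsmasq.conf and drbd.conf and the text says tighter permissions are fine, so the rule being tested is "no more permissive than 0644" (no group or other write bit); state it that way, and consider replacing `ls -la /etc/*.conf` (the `-a` flag does nothing for explicit paths) with a check whose output is empty on pass, for example `find /etc -maxdepth 1 -name '*.conf' -perm /022`. Expected Behavior item 2, "All /opt/platform files have proper permissions", should spell out what the listing already implies: the private keys under ssh_config (nova_migration_key, system_host_key) and the puppet hieradata `*.yaml` files are 0600 and root-owned, postgresql.conf is 0600 and pg_hba.conf/pg_ident.conf 0640 owned by postgres, and no file or directory is group- or world-writable. `ls -ll -R` repeats `-l`; `ls -l -R` is enough.

Typos and copy artefacts in the same hunk: the objectives say "opt/platform" and "etc/(system)-config" without the leading slash; the doubled quotes in `""-rw-r--r--""`, `grep "":$""` (the intended pattern is `":$"`), the trailing `""` on the user.log output line and on the `:wq! ""` line, and the acute accents in `´i´` and `Can´t` should be single quotes. The "i.e." lines sit inside the code blocks and render as code. Test _02 omits the `.. code:: bash` directive before its `ls -ll -R` listing that _01 has, and _01's tree output lacks the leading `.` line that _02 shows; since the two tests are otherwise identical copies, _02 could reference the steps of _01 so the copies do not drift further. If the directive bodies are really flush-left as rendered here, docutils will reject them; each `.. code::` and the `.. contents::` options need a blank line and an indented body.

In SECURITY_Appro_File_Access_03, step 2 says "confirm that bash.log is set to append only" while its command and sample output are for user.log with the attribute off; it should read "confirm that user.log is not append-only". Step 4 ends mid-sentence ("in order to") and omits the path; the command should be `sudo chattr -a /var/log/bash.log`. Because `chattr -a` requires CAP_LINUX_IMMUTABLE, which root holds by default, the Expected Behavior entry "Validate this is rejected" should describe what rejection looks like (error text and non-zero exit status), as the step 3 entry does, so a tester can tell a rejection from a silent success. The pre-condition lists one compute, but the closing instruction says to repeat on "a compute and storage nodes"; make the count consistent. The References section is empty and should either cite something or be dropped.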