diff --git a/doc/source/manual_tests/security/index.rst b/doc/source/manual_tests/security/index.rst index 2acaa58..798a9ca 100644 --- a/doc/source/manual_tests/security/index.rst +++ b/doc/source/manual_tests/security/index.rst @@ -18,3 +18,4 @@ Subdomains security_OAM_suite security_VM_password_protection security_https_suite + security_file_access diff --git a/doc/source/manual_tests/security/security_file_access.rst b/doc/source/manual_tests/security/security_file_access.rst new file mode 100644 index 0000000..8d69a7d --- /dev/null +++ b/doc/source/manual_tests/security/security_file_access.rst @@ -0,0 +1,447 @@ +======================= +Appropriate File Access +======================= + +.. contents:: + :local: + :depth: 1 + +----------------------------- +SECURITY_Appro_File_Access_01 +----------------------------- + +:Test ID: SECURITY_Appro_File_Access_01 +:Test Title: File permission after initial install. +:Tags: Security + +~~~~~~~~~~~~~~~~~~ +Testcase Objective +~~~~~~~~~~~~~~~~~~ + +Verify "opt/platform" and "etc/(system)-config" file permission after initial +install. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +New Starlingx configuration lab install with all nodes up and running. + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. Go to active controller and make sure that all config files have at least +this kind of permission by root ""-rw-r--r--"". If there are some other config +files with less permissions is ok. + +.. code:: bash + + $ ls -la /etc/*.conf + i.e. + controller-0:/etc$ ls -la /etc/*.conf + -rw-r--r--. 1 root root 55 Apr 10 2018 /etc/asound.conf + -rw-r--r-- 1 root root 3661 Feb 8 15:23 /etc/collectd.conf + -rw-r----- 1 root root 2643 Feb 8 15:23 /etc/dnsmasq.conf + -rw-r--r--. 1 root root 1285 Apr 11 2018 /etc/dracut.conf + -rw-r----- 1 root root 71 Feb 8 15:19 /etc/drbd.conf + ... + +2. Go to active controller and make sure that /opt/platform/* files have +following permission (If there are some other files with less permissions is +ok), use following command to get /opt/platform file tree. + +.. code:: bash + + i.e. + controller-0:/opt/platform# ls -R | grep "":$"" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/' + |-config + |---18.10 + |-----branding + |-----postgresql + |-----pxelinux.cfg + |-----ssh_config + |-lost+found + |-nfv + |---vim + |-----18.10 + |-puppet + |---18.10 + |-----hieradata + |-sysinv + |---18.10 + +Use the following command to get all file permissions. + +.. code:: bash + + i.e. + controller-0:/opt/platform# ls -ll -R + .: + total 32 + drwxr-xr-x 3 root root 4096 Feb 8 15:20 config + -rw-r--r-- 1 root root 0 Feb 11 13:09 files.txt + drwx------ 2 root root 16384 Feb 8 15:19 lost+found + drwxr-xr-x 3 root root 4096 Feb 8 15:32 nfv + drwxr-xr-x 3 root root 4096 Feb 8 15:20 puppet + drwxr-xr-x 3 sysinv root 4096 Feb 8 15:20 sysinv + + ./config: + total 4 + drwxr-xr-x 6 root root 4096 Feb 8 15:54 18.10 + + ./config/18.10: + total 44 + drwxr-xr-x 2 root root 4096 Feb 8 15:20 branding + -rw-r--r-- 1 root root 1895 Feb 8 15:18 cgcs_config + -rw-r--r-- 1 root root 338 Feb 8 15:43 dnsmasq.addn_hosts + -rw-r--r-- 1 root root 1 Feb 8 15:20 dnsmasq.addn_hosts_dc + -rw-r--r-- 1 root root 338 Feb 8 16:03 dnsmasq.addn_hosts.temp + -rw-r--r-- 1 root root 222 Feb 8 15:54 dnsmasq.hosts + -rw-r--r-- 1 root root 222 Feb 8 16:03 dnsmasq.hosts.temp + -rw-r--r-- 1 root root 0 Feb 9 16:04 dnsmasq.leases + -rw-r--r-- 1 root root 526 Feb 8 15:30 hosts + drwxr-xr-x 2 root root 4096 Feb 8 15:20 postgresql + drwxr-xr-x 2 root root 4096 Feb 8 16:03 pxelinux.cfg + drwxr-xr-x 2 root root 4096 Feb 8 15:18 ssh_config + + ./config/18.10/branding: + total 4 + -rwxr-xr-x 1 root root 525 Oct 3 14:37 horizon-region-exclusions.csv + + ./config/18.10/postgresql: + total 28 + -rw-r----- 1 postgres postgres 929 Feb 8 15:19 pg_hba.conf + -rw-r----- 1 postgres postgres 47 Feb 8 15:19 pg_ident.conf + -rw------- 1 postgres postgres 20195 Feb 8 15:19 postgresql.conf + + ./config/18.10/pxelinux.cfg: + total 16 + -rw-r--r-- 1 root root 861 Feb 8 16:03 01-52-54-00-c8-5c-10 + -rw-r--r-- 1 root root 939 Feb 8 15:46 01-52-54-00-c8-84-5c + lrwxrwxrwx 1 root root 35 Feb 8 15:31 default -> /pxeboot/pxelinux.cfg.files/default + -rw-r--r-- 1 root root 684 Feb 8 16:03 efi-01-52-54-00-c8-5c-10 + -rw-r--r-- 1 root root 762 Feb 8 15:46 efi-01-52-54-00-c8-84-5c + lrwxrwxrwx 1 root root 36 Feb 8 15:31 grub.cfg -> /pxeboot/pxelinux.cfg.files/grub.cfg + + ./config/18.10/ssh_config: + total 16 + -rw------- 1 root root 1679 Feb 8 15:18 nova_migration_key + -rw-r--r-- 1 root root 396 Feb 8 15:18 nova_migration_key.pub + -rw------- 1 root root 227 Feb 8 15:18 system_host_key + -rw-r--r-- 1 root root 176 Feb 8 15:18 system_host_key.pub + + ./lost+found: + total 0 + + ./nfv: + total 4 + drwxr-xr-x 3 root root 4096 Feb 8 15:32 vim + + ./nfv/vim: + total 4 + drwxr-xr-x 2 root root 4096 Feb 8 15:54 18.10 + + ./nfv/vim/18.10: + total 1112 + -rw-r--r-- 1 root root 49152 Feb 11 13:03 vim_db_v1 + -rw-r--r-- 1 root root 32768 Feb 11 13:08 vim_db_v1-shm + -rw-r--r-- 1 root root 1049080 Feb 11 13:08 vim_db_v1-wal + + ./puppet: + total 4 + drwxr-xr-x 3 root root 4096 Feb 8 15:20 18.10 + + ./puppet/18.10: + total 4 + drwxr-xr-x 2 root root 4096 Feb 8 16:03 hieradata + + ./puppet/18.10/hieradata: + total 92 + -rw------- 1 root root 9627 Feb 8 15:54 192.168.204.3.yaml + -rw------- 1 root root 9620 Feb 8 16:03 192.168.204.4.yaml + -rw------- 1 root root 8494 Feb 8 15:18 secure_static.yaml + -rw------- 1 root root 3196 Feb 8 16:03 secure_system.yaml + -rw------- 1 root root 1968 Feb 8 15:18 static.yaml + -rw------- 1 root root 45299 Feb 8 16:03 system.yaml + + ./sysinv: + total 4 + drwxr-xr-x 2 sysinv root 4096 Feb 8 15:26 18.10 + + ./sysinv/18.10: + total 4 + -rw-r--r-- 1 root root 1505 Feb 8 15:26 sysinv.conf.default + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. All ``ls -la /etc/*.conf`` config files have at least -rw-r--r-- permissions. + +2. All /opt/platform files have proper permissions. + +----------------------------- +SECURITY_Appro_File_Access_02 +----------------------------- + +:Test ID: SECURITY_Appro_File_Access_02 +:Test Title: File permission after reboot nodes. +:Tags: Security + +~~~~~~~~~~~~~~~~~~ +Testcase Objective +~~~~~~~~~~~~~~~~~~ + +Verify "opt/platform" and "etc/(system)-config" file permission after reboot +nodes. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +Any Starlingx configuration lab with all nodes rebooted, up and running. + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. Go to active controller and make sure that all config files have at least +this kind of permission by root ""-rw-r--r--"". If there are some other config +files with less permissions is ok. + +.. code:: bash + + $ ls -la /etc/*.conf + i.e. + + controller-0:/etc$ ls -la /etc/*.conf + -rw-r--r--. 1 root root 55 Apr 10 2018 /etc/asound.conf + -rw-r--r-- 1 root root 3661 Feb 8 15:23 /etc/collectd.conf + -rw-r----- 1 root root 2643 Feb 8 15:23 /etc/dnsmasq.conf + -rw-r--r--. 1 root root 1285 Apr 11 2018 /etc/dracut.conf + -rw-r----- 1 root root 71 Feb 8 15:19 /etc/drbd.conf + ... + +2. Go to active controller and make sure that /opt/platform/* files have +following permission (If there are some other files with less permissions is +ok), use following command to get /opt/platform file tree. + +.. code:: bash + + i.e. + + controller-0:/opt/platform# ls -R | grep "":$"" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/' + . + |-config + |---18.10 + |-----branding + |-----postgresql + |-----pxelinux.cfg + |-----ssh_config + |-lost+found + |-nfv + |---vim + |-----18.10 + |-puppet + |---18.10 + |-----hieradata + |-sysinv + |---18.10 + + Use the following command to get all file permissions. + i.e. + controller-0:/opt/platform# ls -ll -R + .: + total 32 + drwxr-xr-x 3 root root 4096 Feb 8 15:20 config + -rw-r--r-- 1 root root 0 Feb 11 13:09 files.txt + drwx------ 2 root root 16384 Feb 8 15:19 lost+found + drwxr-xr-x 3 root root 4096 Feb 8 15:32 nfv + drwxr-xr-x 3 root root 4096 Feb 8 15:20 puppet + drwxr-xr-x 3 sysinv root 4096 Feb 8 15:20 sysinv + + ./config: + total 4 + drwxr-xr-x 6 root root 4096 Feb 8 15:54 18.10 + + ./config/18.10: + total 44 + drwxr-xr-x 2 root root 4096 Feb 8 15:20 branding + -rw-r--r-- 1 root root 1895 Feb 8 15:18 cgcs_config + -rw-r--r-- 1 root root 338 Feb 8 15:43 dnsmasq.addn_hosts + -rw-r--r-- 1 root root 1 Feb 8 15:20 dnsmasq.addn_hosts_dc + -rw-r--r-- 1 root root 338 Feb 8 16:03 dnsmasq.addn_hosts.temp + -rw-r--r-- 1 root root 222 Feb 8 15:54 dnsmasq.hosts + -rw-r--r-- 1 root root 222 Feb 8 16:03 dnsmasq.hosts.temp + -rw-r--r-- 1 root root 0 Feb 9 16:04 dnsmasq.leases + -rw-r--r-- 1 root root 526 Feb 8 15:30 hosts + drwxr-xr-x 2 root root 4096 Feb 8 15:20 postgresql + drwxr-xr-x 2 root root 4096 Feb 8 16:03 pxelinux.cfg + drwxr-xr-x 2 root root 4096 Feb 8 15:18 ssh_config + + ./config/18.10/branding: + total 4 + -rwxr-xr-x 1 root root 525 Oct 3 14:37 horizon-region-exclusions.csv + + ./config/18.10/postgresql: + total 28 + -rw-r----- 1 postgres postgres 929 Feb 8 15:19 pg_hba.conf + -rw-r----- 1 postgres postgres 47 Feb 8 15:19 pg_ident.conf + -rw------- 1 postgres postgres 20195 Feb 8 15:19 postgresql.conf + + ./config/18.10/pxelinux.cfg: + total 16 + -rw-r--r-- 1 root root 861 Feb 8 16:03 01-52-54-00-c8-5c-10 + -rw-r--r-- 1 root root 939 Feb 8 15:46 01-52-54-00-c8-84-5c + lrwxrwxrwx 1 root root 35 Feb 8 15:31 default -> /pxeboot/pxelinux.cfg.files/default + -rw-r--r-- 1 root root 684 Feb 8 16:03 efi-01-52-54-00-c8-5c-10 + -rw-r--r-- 1 root root 762 Feb 8 15:46 efi-01-52-54-00-c8-84-5c + lrwxrwxrwx 1 root root 36 Feb 8 15:31 grub.cfg -> /pxeboot/pxelinux.cfg.files/grub.cfg + + ./config/18.10/ssh_config: + total 16 + -rw------- 1 root root 1679 Feb 8 15:18 nova_migration_key + -rw-r--r-- 1 root root 396 Feb 8 15:18 nova_migration_key.pub + -rw------- 1 root root 227 Feb 8 15:18 system_host_key + -rw-r--r-- 1 root root 176 Feb 8 15:18 system_host_key.pub + + ./lost+found: + total 0 + + ./nfv: + total 4 + drwxr-xr-x 3 root root 4096 Feb 8 15:32 vim + + ./nfv/vim: + total 4 + drwxr-xr-x 2 root root 4096 Feb 8 15:54 18.10 + + ./nfv/vim/18.10: + total 1112 + -rw-r--r-- 1 root root 49152 Feb 11 13:03 vim_db_v1 + -rw-r--r-- 1 root root 32768 Feb 11 13:08 vim_db_v1-shm + -rw-r--r-- 1 root root 1049080 Feb 11 13:08 vim_db_v1-wal + + ./puppet: + total 4 + drwxr-xr-x 3 root root 4096 Feb 8 15:20 18.10 + + ./puppet/18.10: + total 4 + drwxr-xr-x 2 root root 4096 Feb 8 16:03 hieradata + + ./puppet/18.10/hieradata: + total 92 + -rw------- 1 root root 9627 Feb 8 15:54 192.168.204.3.yaml + -rw------- 1 root root 9620 Feb 8 16:03 192.168.204.4.yaml + -rw------- 1 root root 8494 Feb 8 15:18 secure_static.yaml + -rw------- 1 root root 3196 Feb 8 16:03 secure_system.yaml + -rw------- 1 root root 1968 Feb 8 15:18 static.yaml + -rw------- 1 root root 45299 Feb 8 16:03 system.yaml + + ./sysinv: + total 4 + drwxr-xr-x 2 sysinv root 4096 Feb 8 15:26 18.10 + + ./sysinv/18.10: + total 4 + -rw-r--r-- 1 root root 1505 Feb 8 15:26 sysinv.conf.default + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. All ``"ls -la /etc/*.conf"`` config files have at least "-rw-r--r--" +permissions. + +2. All /opt/platform files have proper permissions. + +----------------------------- +SECURITY_Appro_File_Access_03 +----------------------------- + +:Test ID: SECURITY_Appro_File_Access_03 +:Test Title: bash.log behaviour on node. +:Tags: Security + +~~~~~~~~~~~~~~~~~~ +Testcase Objective +~~~~~~~~~~~~~~~~~~ + +Validate bash.log behavior on node. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +At least 1 Controller + 1 compute + 1 Storage + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. On node type: + +.. code:: bash + + $ sudo lsattr /var/log/bash.log + +and confirm that bash.log is set to append only. + +.. code:: bash + + -----a-------e-- bash.log <-- append-only attr on + +2- On node type + +.. code:: bash + + $ sudo lsattr /var/log/user.log + +and confirm that bash.log is set to append only. + +.. code:: bash + + -------------e-- user.log <-- append-only attr off"" + +3- Attempt to edit bash.log, modify the existing data and save the file. + +.. code:: bash + + $ sudo vim /var/log/bash.log + +:: + Hit ´i´ to change to INSERT mode + Edit the file + Hit Escape, :wq! "" + +4- Attempt to remove the append-only attribute of bash.log + +.. code:: bash + + $ sudo chattr -a bash.log in order to + +**Repeat steps on a compute and storage nodes.** + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +* Confirm append-only attribute ON of bash.log + +* Confirm append-only attribute OFF of user.log + +* Validate that this is blocked and system gets back with + +.. code:: bash + + "/var/log/bash.log ERROR:: Can´t open file for writing remove the append-only attribute." + +* Validate this is rejected. + +* Steps validated on compute and storage nodes. + +~~~~~~~~~~~ +References: +~~~~~~~~~~~