diff --git a/doc/source/manual_tests/security/index.rst b/doc/source/manual_tests/security/index.rst index bea1b87..ee6ff07 100644 --- a/doc/source/manual_tests/security/index.rst +++ b/doc/source/manual_tests/security/index.rst @@ -16,3 +16,4 @@ Subdomains :maxdepth: 2 security_OAM_suite + security_VM_password_protection diff --git a/doc/source/manual_tests/security/security_VM_password_protection.rst b/doc/source/manual_tests/security/security_VM_password_protection.rst new file mode 100644 index 0000000..1a8e356 --- /dev/null +++ b/doc/source/manual_tests/security/security_VM_password_protection.rst 
@@ -0,0 +1,577 @@ +====================== +VM password protection +====================== + +.. contents:: + :local: + :depth: 1 + +---------------------------------- +SECURITY_VM_password_protection_01 +---------------------------------- + +:Test ID: SECURITY_VM_password_protection_01 +:Test Title: wrsroot Password expiration. +:Tags: Security psswd + +~~~~~~~~~~~~~~~~~~ +Testcase Objective +~~~~~~~~~~~~~~~~~~ + +This test verifies that once the linux wrsroot user password expires a user is +forced to change it on next login. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +a) At least 2 Controllers + 1 compute. + +b) Disable NTP automatic time synchronization in your system. + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. Go to controller-0 node terminal and login as admin user. e.g. "wrsroot" + +2. Type the following command to disable ntp automatic time synchronization. + +.. code:: bash + + $ sudo timedatectl set-ntp 0 + +3. Type following command and check ""NTP enabled: no"". + +.. code:: bash + + $ sudo timedatectl status + +4. Take a snapshoot of the time-date. + +5. Set password maximum number during which a password is valid to 1 day by +typing: + +.. code:: bash + + $ sudo chage -M 1 wrsroot + +6. Type below command and make sure the Maximum number of days between +password change is set to 1. + +.. code:: bash + + $ sudo chage -l wrosroot + +7. Wait 24 hours OR change the date-time of the system 1 day ahead by typing: + +.. code:: bash + + $ sudo timedatectl set-time 'YYYY-MM-DD' + + + +8. Type below command and check the time-date is 1 day ahead of the real time. + +.. code:: bash + + $ sudo timedatectl status + +9. From your host Attempt to ssh to the controller-0 after the password ages +out by typing: + +.. code:: bash + + $ ssh -q wrsroot@###.###.###.###"""" + +10. Do not change the password and CLOSE your wrsroot ssh connection. + +11. From your host Attempt to ssh wrsroot user again to the controller-0: + +.. 
code:: bash + + $ ssh -q @###.###.###.### + +12. Change your wrsroot aged password. + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. Admin logged in successfully. + +2. NTP Automatic time synchronization should be disabled successfully. + +3. "NTP enabled: no" should be displayed. + +4. Time-date snapshot taken. + +5. Maximum number of days between password change should be set to 1. + +6. Maximum number of days between password change should be displayed '1'. + +7. You waited 24 hours or you changed the date of the system one day ahead +successfully. + +8. Time of the system should be displayed with 1 day ahead. + +9. Once you create ssh connection you would get a following message: + +:: + + "" You are required to change your password immediately (password aged) "" + "" Changing password for wrsroot"" + "" (current) UNIX password: "" + "" New password: + +10. wrsroot ssh connection closed successfully. + +11. "wrsroot" SSH connection established successfully even if the wrsroot was +aged out. + +12. Once you re-tried a wrsroot ssh connection you would get a following +message: + +:: + + "" You are required to change your password immediately (password aged) "" + "" Changing password for wrsroot"" + "" (current) UNIX password: "" + "" New password: "" + ""wrsroot"" user changed its password successfully. + +---------------------------------- +SECURITY_VM_password_protection_02 +---------------------------------- + +:Test ID: SECURITY_VM_password_protection_02 +:Test Title: Backup and restore with different password. +:Tags: backup_restore + +~~~~~~~~~~~~~~~~~~ +Testcase Objective +~~~~~~~~~~~~~~~~~~ + +Verify Starlingx backup and restore cluster with different password and run a +basic tet sanity after. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +a) At least 2 Controllers + 1 compute. + +b) Backup and restore find where password has to be changed. + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. 
Run test case "wrsroot Password expiration" and change the wrsroot Password + +OR + +install your Starlingx configuration and use "passwd wrsroot" command as a +"root user" to change its password. + +**BACKUP** + +2. Pre-requisites to do a BACKUP. + +To ensure recovery from backup files during a restore procedure, VMs must be +in the active state when performing the backup. VMs that are in a shutdown or +paused state at the time of the backup will not be recovered after a +subsequent restore procedure. + +3. Execute + +.. code:: bash + + "sudo config_controller --backup " + +4. Transfer the backup files to an external storage resource. + +You can use a command such as scp to transfer the backup files to a server +reachable over the OAM network. You can also copy them to a locally attached +storage device, such as an external USB drive. + +**RESTORE** + +5. Pre-requisites to do RESTORE. + +Create the same infrastructure from where you made the backup until one step +before "config_controller" command - that means that you should get you are + +a) "rMMYYY.iso" installed, b) your controller-0 active, and c) all your nodes +should be up and running (If you are restoring in a virtual lab, make sure ALL +cluster hosts must be prepared for network boot - means you should power-on +your nodes and wait for PXE messages) + +**REMARK:** The restore procedure requires all hosts but controller-0 to boot +over the internal management network using the PXE protocol. Ideally, the old +boot images are no longer present, so that the hosts boot from the network +when powered on. If this is not the case, you must configure each host +manually for network boot immediately after powering it on. + +6. Make a restore in a clean environment, perform + +.. code:: bash + + $ sudo config_controller --restore-system /home/user/ + +7. Verify all nodes are locked. + +a) Check the current lock status for the nodes. + +.. code:: bash + + i.e. + + $ system host-list + +b) Lock any unlocked nodes. 
+ +.. code:: bash + + $ system host-update # action=force-lock + +8. Transfer file to master controller-0. + +**All nodes where waiting on PXE boot network.** + +9. Execute restore images command by typing: + +.. code:: bash + + $sudo confirg_controller --restore-image /home// + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. "wrsroot" password changed successfully. + +.. code:: bash + + i.e. + "Starlingx1!" + +2. Backup prerequisite set and all VMs were on active state successfully. + +3. Backup created successfully. + +.. code:: bash + + i.e. + Backup output + Step 16 of 16 + System backup file created: /opt/backups/_system.tgz + Images backup file created: /opt/backups/_images.tgz + +4. _sytem.tgz, _images.tgz, were transferred +successfully to an external storage for further restore steps. + +5. The same Lab infrastructure was created from where the backup was made. +Your a) "rMMYYY.iso" should be installed successfully, b) your controller-0 +should be active, and c) all your nodes should be up, running, locked and able +to boot over the internal management network. + +6. Restore the system was 100% complete. Meanwhile the restore command was in +progress all nodes where "Forced reset" constantly. + +**REMARK:** At this point PXE boot blue screen was displayed in every single +node. + +7. All nodes were locked successfully. + +8. file was transferred to master controller-0. + +9. Your Starlingx configuration lab should be restore successfully with proper +password changed on step 1. + +---------------------------------- +SECURITY_VM_password_protection_03 +---------------------------------- + +:Test ID: SECURITY_VM_password_protection_03 +:Test Title: Automatic logout of inactive ssh session. +:Tags: Security + +~~~~~~~~~~~~~~~~~~ +Testcase Objective +~~~~~~~~~~~~~~~~~~ + +This test verified automatic logout of inactive ssh session. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +a) At least 2 Controllers + 1 compute. 
+ +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. Go to controller-0 node terminal and login as admin user. e.g. "wrsroot" + +2. Take a snapshoot of the time-date. + +.. code:: bash + + "Keep the session inactive along "n" minutes until the session is automatically logout. + +**REMARK:** "n" minutes is described in the configuration user session. + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. Admin logged in successfully. + +2. Time-date snapshot taken. + +3. The session should be logged out successfully after "n" minutes of inactive +session. + +---------------------------------- +SECURITY_VM_password_protection_04 +---------------------------------- + +:Test ID: SECURITY_VM_password_protection_04 +:Test Title: MAX time for login enforced. +:Tags: psswd + +~~~~~~~~~~~~~~~~~~ +Testcase Objective +~~~~~~~~~~~~~~~~~~ + +This test verifies that maximum time for login is enforced. If a user does not +login within previously configured time - login is aborted. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +a) At least 1 Controller. + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. Establish a ssh connection to controller-0 terminal. + +.. code:: bash + + e.g. + + $ ssh wrsroot@10.10.10.3"" + +2. DO NOT ENTER PASSWORD and wait 60 seconds in order to login. + +3. Try to enter password for ssh connection." + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. Controller-0 should go back with "wrsroot@10.10.10.3's password:" message +successfuly. + +2. Password is not entered and session wait for more than 60 seconds +successfully. + +3. Login password request is timeout and session login is lost successfully. + +.. code:: bash + + e.g. + + expected message on CentOS: + + Connection to 10.10.10.3 closed by remote host. + + Connection to 10.10.10.3 closed. 
+ +---------------------------------- +SECURITY_VM_password_protection_05 +---------------------------------- + +:Test ID: SECURITY_VM_password_protection_05 +:Test Title: wrsroot aging and swact. +:Tags: psswd + +~~~~~~~~~~~~~~~~~~ +Testcase Objective +~~~~~~~~~~~~~~~~~~ + +Verify wrsroot aging and swact. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +a) At least 2 Controllers + 1 compute. + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. Go to controller-0 node terminal and login as admin user. e.g. ""wrsroot"" + +2. Type + +.. code:: bash + + $ sudo timedatectl set-ntp 0 to disable ntp automatic time synchronization."" + +3. Type following command and check NTP enabled: no" + +.. code:: bash + + $ sudo timedatectl status + +4. Take a snapshoot of the time-date. + +5. Set wrsroot password maximum number during which a password is valid to 1 +day by typing: + +.. code:: bash + + $ sudo chage -M 1 wrsroot"" + +6. Type following command and make sure the Maximum number of days between +password change is set to 1 and SWACT. + +.. code:: bash + + $ sudo chage -l wrosroot + +7. Wait 24 hours or change the date-time of the system 1 day ahead by typing: + +.. code:: bash + + $ sudo timedatectl set-time 'YYYY-MM-DD' + + where DD is one day ahead of the real time-date. + Go to horizon and do a SWACT. + Right after the SWACT is completed try to login using wrsroot user and correct password on controller-1. + Change your wrsroot aged out password. + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. Admin logged in successfully. + +2. NTP Automatic time synchronization should be disabled successfully. + +3. NTP enabled: no should be displayed. + +4. Time-date snapshot taken. + +5. Maximum number of days between wrsroot password change should be set to 1. + +6 Maximum number of days between password change should be displayed '1'. The +command should be executed successfully. SWACT is completed successfully. 
The +Controller-1 should got back with a message saying + +:: + + ** WARNING: Your password has expired ** + ** You must change your password now and login again!...**"" + +7. Password changed successfully. + +---------------------------------- +SECURITY_VM_password_protection_06 +---------------------------------- + +:Test ID: SECURITY_VM_password_protection_06 +:Test Title: swact wrsroot aging on controller-1 +:Tags: psswd + +~~~~~~~~~~~~~~~~~~ +Testcase Objective +~~~~~~~~~~~~~~~~~~ + +Verify wrsroot aging can be set on controller-1. + +~~~~~~~~~~~~~~~~~~~ +Test Pre-Conditions +~~~~~~~~~~~~~~~~~~~ + +a) At least 2 Controllers + 1 compute. + +b) Disable NTP automatic time synchronization in your system. + +~~~~~~~~~~ +Test Steps +~~~~~~~~~~ + +1. With controller-0 "Active", go to horizon and do a SWACT. + +2. Go to controller-1 node terminal and login as admin user. e.g. ""wrsroot"" + +3. Type + +.. code:: bash + + $ sudo timedatectl set-ntp 0 to disable ntp automatic time synchronization."" + +4. Type and check "NTP enabled: no" + +.. code:: bash + + $ sudo timedatectl status + +5. Take a snapshoot of the time-date. + +6. Set wrsroot password maximum number during which a password is valid to 1 +day by typing: + +.. code:: bash + + $ sudo chage -M 1 wrsroot"" + +7. Type following command and make sure the Maximum number of days between +password change is set to 1. + +.. code:: bash + + $ sudo chage -l wrosroot + +8. Wait 24 hours or change the date-time of the system 1 day ahead by typing: + +.. code:: bash + + $ sudo timedatectl set-time 'YYYY-MM-DD' + where DD is one day ahead of the real time-date. + +9. Change your wrsroot aged out password. + +~~~~~~~~~~~~~~~~~ +Expected Behavior +~~~~~~~~~~~~~~~~~ + +1. SWACT is completed successfully. + +2. Admin logged in successfully. + +3. NTP Automatic time synchronization should be disabled successfully. + +4. NTP enabled: no should be displayed. + +5. Time-date snapshot taken. + +6. 
Maximum number of days between wrsroot password change should be set to 1. + +7. Maximum number of days between password change should be displayed '1'. + +8. The command should be executed successfully. + +9. Password changed successfully. + +~~~~~~~~~~~ +References: +~~~~~~~~~~~
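Review bot: several commands in the new security_VM_password_protection.rst are misspelled or incomplete and will fail if a tester types them as written: `$ sudo chage -l wrosroot` (tests 01, 05 and 06; the account is `wrsroot`), `$sudo confirg_controller --restore-image /home//` (test 02 step 9; `config_controller`, and the archive path is missing), and `$ ssh -q @###.###.###.###` (test 01 step 11; the `wrsroot` user is missing). In test 02 the restore order is also inverted: step 6 runs `config_controller --restore-system /home/user/` but the backup archives are only transferred to controller-0 in step 8, so the transfer step should come before the restore, and the restore command should point at the `_system.tgz` file rather than a directory; `$ system host-update # action=force-lock` needs a `<hostname>` placeholder instead of `#`, which bash treats as a comment. Several `.. code:: bash` blocks contain prose rather than commands (test 03 step 2, test 05 steps 2 and 7, test 06 steps 3 and 8); move that text into the step itself so the block holds only the command, and trim the stray doubled quotes (`""NTP enabled: no""`, `wrsroot""`, `10.10.10.3""`). Test 02 expected behavior 1 prints a concrete example password (`"Starlingx1!"`); a placeholder like `<new-password>` avoids documenting a real-looking credential. Tests 03 and 04 assert an idle-logout after "n" minutes and a 60-second login timeout without naming the configuration setting and value those numbers come from; state them so the tester can confirm the configured value matches the expectation. Test 03 lists two steps but three expected behaviors, and the trailing "References:" section is empty. Minor typos: "snapshoot", "tet sanity", "successfuly", "where" for "were" (test 02 expected 6 and step 8 remark), "should got back", and the missing period after "6" in test 05 expected behavior.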