Add security-checklist action
Change-Id: Iec48205fd98c67b9f1d4ddf68bcbefb68c10102f
This commit is contained in:
parent
19b73c6c7b
commit
eb30d95f3f
|
@ -32,3 +32,5 @@ volume-host-add-driver:
|
|||
volume-backend-name:
|
||||
type: string
|
||||
description: The backend volume name as shown by the volume_backend_name parameter in the driver section
|
||||
security-checklist:
|
||||
description: Validate the running configuration against the OpenStack security guides checklist
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
security_checklist.py
|
|
@ -0,0 +1,151 @@
|
|||
#!/usr/bin/env python3
|
||||
#
|
||||
# Copyright 2019 Canonical Ltd
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
import configparser
|
||||
import os
|
||||
import sys
|
||||
|
||||
sys.path.append('.')
|
||||
|
||||
import charmhelpers.contrib.openstack.audits as audits
|
||||
from charmhelpers.contrib.openstack.audits import (
|
||||
openstack_security_guide,
|
||||
)
|
||||
|
||||
|
||||
# Via the openstack_security_guide above, we are running the following
|
||||
# security assertions automatically:
|
||||
#
|
||||
# - Check-Block-01 - validate-file-ownership
|
||||
# - Check-Block-02 - validate-file-permissions
|
||||
# - Check-Block-03 - validate-uses-keystone
|
||||
# - Check-Block-04 - validate-uses-tls-for-keystone
|
||||
|
||||
|
||||
@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),)
|
||||
def uses_tls_for_nova(audit_options):
|
||||
"""Validate that TLS is used to communicate with Nova.
|
||||
|
||||
Security Guide Check Name: Check-Block-05
|
||||
|
||||
:param audit_options: Dictionary of options for audit configuration
|
||||
:type audit_options: Dict
|
||||
:raises: AssertionError if the assertion fails.
|
||||
"""
|
||||
section = audit_options['cinder-conf']['DEFAULT']
|
||||
nova_api_insecure = section.get("nova_api_insecure")
|
||||
assert "False" == nova_api_insecure, \
|
||||
"nova_api_insecure should be False"
|
||||
|
||||
|
||||
@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),)
|
||||
def uses_tls_for_glance(audit_options):
|
||||
"""Validate that TLS is used to communicate with Glance.
|
||||
|
||||
Security Guide Check Name: Check-Block-06
|
||||
|
||||
:param audit_options: Dictionary of options for audit configuration
|
||||
:type audit_options: Dict
|
||||
:raises: AssertionError if the assertion fails.
|
||||
"""
|
||||
section = audit_options['cinder-conf']['DEFAULT']
|
||||
nova_api_insecure = section.get("glance_api_insecure")
|
||||
assert "False" == nova_api_insecure, \
|
||||
"nova_api_insecure should be False"
|
||||
glance_api_servers = section.get("glance_api_servers")
|
||||
assert glance_api_servers.startswith("https://"), \
|
||||
"glance_api_servers should use https"
|
||||
|
||||
|
||||
@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),)
|
||||
def validate_nas_uses_secure_environment(audit_options):
|
||||
"""Validate NAS security.
|
||||
|
||||
Security Guide Check Name: Check-Block-07
|
||||
|
||||
:param audit_options: Dictionary of options for audit configuration
|
||||
:type audit_options: Dict
|
||||
:raises: AssertionError if the assertion fails.
|
||||
"""
|
||||
section = audit_options['cinder-conf']['DEFAULT']
|
||||
nas_secure_file_permissions = section.get('nas_secure_file_permissions')
|
||||
nas_secure_file_operations = section.get('nas_secure_file_operations')
|
||||
assert (nas_secure_file_permissions != "False" and
|
||||
nas_secure_file_operations != "False"), \
|
||||
"NAS is not using a secure environment"
|
||||
|
||||
|
||||
@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),)
|
||||
def check_max_request_body_size(audit_options):
|
||||
"""Validate max_request_body_size is set.
|
||||
|
||||
Security Guide Check Name: Check-Block-08
|
||||
|
||||
:param audit_options: Dictionary of options for audit configuration
|
||||
:type audit_options: Dict
|
||||
:raises: AssertionError if the assertion fails.
|
||||
"""
|
||||
default = audit_options['cinder-conf']['DEFAULT']
|
||||
oslo_middleware = audit_options['cinder-conf'] \
|
||||
.get('oslo_middleware', {})
|
||||
assert (default.get('osapi_max_request_body_size') or
|
||||
oslo_middleware.get('max_request_body_size') == "114688"), \
|
||||
"max_request_body_size should be set"
|
||||
|
||||
|
||||
@audits.audit(audits.is_audit_type(audits.AuditType.OpenStackSecurityGuide),)
|
||||
def is_volume_encryption_enabled(audit_options):
|
||||
"""Validate volume encryption is enabled in Cinder.
|
||||
|
||||
Security Guide Check Name: Check-Block-09
|
||||
|
||||
:param audit_options: Dictionary of options for audit configuration
|
||||
:type audit_options: Dict
|
||||
:raises: AssertionError if the assertion fails.
|
||||
"""
|
||||
key_manager = audit_options['cinder-conf']['key_manager']
|
||||
assert key_manager.get('backend') is not None, \
|
||||
"key_manager.backend should be set"
|
||||
|
||||
|
||||
def _config_file(path):
|
||||
"""Read and parse config file at `path` as an ini file.
|
||||
|
||||
:param path: Path of the file
|
||||
:type path: List[str]
|
||||
:returns: Parsed contents of the file at path
|
||||
:rtype Dict:
|
||||
"""
|
||||
conf = configparser.ConfigParser()
|
||||
conf.read(os.path.join(*path))
|
||||
return dict(conf)
|
||||
|
||||
|
||||
def main():
|
||||
config = {
|
||||
'config_path': '/etc/cinder',
|
||||
'config_file': 'cinder.conf',
|
||||
'audit_type': audits.AuditType.OpenStackSecurityGuide,
|
||||
'files': openstack_security_guide.FILE_ASSERTIONS['cinder'],
|
||||
'excludes': [
|
||||
'validate-uses-tls-for-glance',
|
||||
],
|
||||
}
|
||||
config['cinder-conf'] = _config_file('/etc/cinder/cinder.conf')
|
||||
return audits.action_parse_results(audits.run(config))
|
||||
|
||||
if __name__ == "__main__":
|
||||
sys.exit(main())
|
|
@ -841,6 +841,17 @@ class CinderBasicDeployment(OpenStackAmuletDeployment):
|
|||
vol_new = u.create_cinder_volume(self.cinder_non_admin)
|
||||
vol_new.force_delete()
|
||||
|
||||
def test_500_security_checklist_action(self):
|
||||
"""Verify expected result on a default install"""
|
||||
u.log.debug("Testing security-checklist")
|
||||
sentry_unit = self.cinder_sentry
|
||||
|
||||
action_id = u.run_action(sentry_unit, "security-checklist")
|
||||
u.wait_on_action(action_id)
|
||||
data = amulet.actions.get_action_output(action_id, full_output=True)
|
||||
assert data.get(u"status") == "failed", \
|
||||
"Security check is expected to not pass by default"
|
||||
|
||||
def test_900_restart_on_config_change(self):
|
||||
"""Verify that the specified services are restarted when the
|
||||
config is changed."""
|
||||
|
|
Loading…
Reference in New Issue