(SIMP-5682) Add v2 compliance_markup data
SIMP-5682 #close
silug authored and Brandon Riden committed Jun 7, 2019
1 parent a59bad8 commit dd7c0a5
Showing 7 changed files with 258 additions and 12 deletions.
3 changes: 3 additions & 0 deletions .fixtures.yml
@@ -1,6 +1,9 @@
---
fixtures:
repositories:
compliance_markup:
repo: "https://github.com/simp/pupmod-simp-compliance_markup"
branch: "testing_hotfix_06062019"
concat: https://github.com/simp/puppetlabs-concat
haveged: https://github.com/simp/pupmod-simp-haveged
iptables: https://github.com/simp/pupmod-simp-iptables
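Review bot: The new compliance_markup fixture is pinned with `branch: "testing_hotfix_06062019"`, a mutable, date-named branch, so each test run pulls whatever that branch currently points to and the suite breaks outright once the branch is deleted after the hotfix lands. The other fixtures in this file at least track the repository default; for the dependency these tests exist to validate, a released tag or a commit `ref:` is a reproducible pin. If the temporary branch is unavoidable, add a comment above it such as `# TEMP: replace with the compliance_markup release that carries the v2 SCE fix` so the pin is not forgotten.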
3 changes: 3 additions & 0 deletions CHANGELOG
@@ -1,3 +1,6 @@
* Thu Jun 06 2019 Steven Pritchard <steven.pritchard@onypoint.com> - 5.2.2-0
- Add v2 compliance_markup data

* Tue Mar 05 2019 Chris Tessmer <chris.tessmer@onypoint.com> - 5.2.1-0
- Fixed "unrecognized escape `\''" error in /root/.muttrc
- Fix DOS formatting of CHANGELOG
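--- a/SIMP/compliance_profiles/checks.yaml
+++ b/SIMP/compliance_profiles/checks.yaml
@@ -0,0 +1,135 @@
+---
+version: 2.0.0
+checks:
+oval:com.puppet.forge.simp.postfix.enable_server:
+settings:
+parameter: postfix::enable_server
+value: false
+type: puppet-class-parameter
+controls:
+nist_800_53_rev4:CM-7: true
+disa_stig: true
+RHEL-07-040480: true
+SRG-OS-000480-GPOS-00227: true
+cci:CCI-000366: true
+identifiers:
+nist_800_53_rev4:
+- CM-7
+disa_stig:
+- RHEL-07-040480
+- SRG-OS-000480-GPOS-00227
+- CCI-000366
+oval:com.puppet.forge.simp.postfix.server.enforce_tls:
+settings:
+parameter: postfix::server::enforce_tls
+value: true
+type: puppet-class-parameter
+controls:
+nist_800_53_rev4:SC-8: true
+nist_800_53_rev4:SC-8:1: true
+nist_800_53_rev4:SC-8:2: true
+nist_800_53_rev4:SC-23: true
+identifiers:
+nist_800_53_rev4:
+- SC-8
+- SC-8:1
+- SC-8:2
+- SC-23
+oval:com.puppet.forge.simp.postfix.server.firewall:
+settings:
+parameter: postfix::server::firewall
+value: true
+type: puppet-class-parameter
+controls:
+nist_800_53_rev4:AC-4: true
+disa_stig: true
+RHEL-07-040920: true
+SRG-OS-000480-GPOS-00227: true
+cci:CCI-000366: true
+identifiers:
+nist_800_53_rev4:
+- AC-4
+disa_stig:
+- RHEL-07-040920
+- SRG-OS-000480-GPOS-00227
+- CCI-000366
+oval:com.puppet.forge.simp.postfix.server.mandatory_ciphers:
+settings:
+parameter: postfix::server::mandatory_ciphers
+value: true
+type: puppet-class-parameter
+controls:
+nist_800_53_rev4:SC-8: true
+nist_800_53_rev4:SC-8:1: true
+nist_800_53_rev4:SC-8:2: true
+nist_800_53_rev4:SC-23: true
+identifiers:
+nist_800_53_rev4:
+- SC-8
+- SC-8:1
+- SC-8:2
+- SC-23
+oval:com.puppet.forge.simp.postfix.server.pki:
+settings:
+parameter: postfix::server::pki
+value: true
+type: puppet-class-parameter
+controls:
+nist_800_53_rev4:SC-8: true
+nist_800_53_rev4:SC-8:1: true
+nist_800_53_rev4:SC-8:2: true
+nist_800_53_rev4:SC-23: true
+identifiers:
+nist_800_53_rev4:
+- SC-8
+- SC-8:1
+- SC-8:2
+- SC-23
+oval:com.puppet.forge.simp.postfix.server.tls:
+settings:
+parameter: postfix::server::tls
+value: true
+type: puppet-class-parameter
+controls:
+nist_800_53_rev4:SC-8: true
+nist_800_53_rev4:SC-8:1: true
+nist_800_53_rev4:SC-8:2: true
+nist_800_53_rev4:SC-23: true
+identifiers:
+nist_800_53_rev4:
+- SC-8
+- SC-8:1
+- SC-8:2
+- SC-23
+oval:com.puppet.forge.simp.postfix.server.user_connect:
+settings:
+parameter: postfix::server::user_connect
+value: true
+type: puppet-class-parameter
+controls:
+nist_800_53_rev4:AC-1: true
+identifiers:
+nist_800_53_rev4:
+- AC-1
+oval:com.puppet.forge.simp.postfix.main_cf_hash:
+settings:
+parameter: postfix::main_cf_hash
+value:
+smtpd_client_restrictions:
+value:
+- permit_mynetworks
+- reject
+type: puppet-class-parameter
+controls:
+disa_stig: true
+RHEL-07-040680: true
+SRG-OS-000480-GPOS-00227: true
+cci:CCI-000366: true
+identifiers:
+disa_stig:
+- RHEL-07-040680
+- SRG-OS-000480-GPOS-00227
+- CCI-000366
+confine:
+osfamily: RedHat
+operatingsystemmajrelease: '7'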
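Review bot: Only the trailing `confine:` (RedHat, major release 7) limits a check to the platform its STIG IDs describe, and since the rendering dropped indentation it is not even certain whether it belongs to the `main_cf_hash` check or to the document; the `enable_server` and `firewall` checks cite `RHEL-07-*` identifiers too yet carry no confine, so with the `disa_stig` profile enabled their values are enforced on every OS the module supports. If that is intended, a one-line comment on each unconfined check saying so would stop the next reader from "fixing" it; otherwise give them the same confine block. The file also has no header comment; something like `# SIMP Compliance Engine v2 data for simp-postfix: each check maps a class parameter value to the profiles that require it` at the top would orient readers unfamiliar with the format.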
2 changes: 1 addition & 1 deletion metadata.json
@@ -1,6 +1,6 @@
{
"name": "simp-postfix",
"version": "5.2.1",
"version": "5.2.2",
"author": "SIMP Team",
"summary": "Manages the Postfix mail server",
"license": "Apache-2.0",
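--- a/spec/fixtures/hieradata/default.yaml
+++ b/spec/fixtures/hieradata/default.yaml
@@ -0,0 +1,23 @@
+---
+# SIMP infrastructure settings
+simp_options::trusted_nets: ['192.168.122.0/24']
+
+compliance_markup::validate_profiles:
+- 'disa_stig'
+- 'nist_800_53'
+- 'nist_800_53_rev4'
+
+# Needed for catalog inspection to ensure valid data
+compliance_markup::report_on_client: true
+compliance_markup::report_on_server: false
+compliance_markup::report_types:
+- 'non_compliant'
+- 'unknown_parameters'
+- 'unknown_resources'
+
+# Ideally, this would be the same as the validation array but you may want to
+# do something different based on your test requirements
+compliance_markup::enforcement:
+- 'disa_stig'
+- 'nist_800_53'
+- 'nist_800_53_rev4'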
35 changes: 24 additions & 11 deletions spec/spec_helper.rb
Expand Up @@ -24,16 +24,21 @@

default_hiera_config =<<-EOM
---
:backends:
- "rspec"
- "yaml"
:yaml:
:datadir: "stub"
:hierarchy:
- "%{custom_hiera}"
- "%{spec_title}"
- "%{module_name}"
- "default"
version: 5
hierarchy:
- name: SIMP Compliance Engine
lookup_key: compliance_markup::enforcement
options:
enabled_sce_versions: [2]
- name: Custom Test Hiera
path: "%{custom_hiera}.yaml"
- name: "%{module_name}"
path: "%{module_name}.yaml"
- name: Common
path: default.yaml
defaults:
data_hash: yaml_data
datadir: "stub"
EOM

# This can be used from inside your spec tests to set the testable environment.
Expand Down Expand Up @@ -112,7 +117,15 @@ def set_hieradata(hieradata)

c.before(:all) do
data = YAML.load(default_hiera_config)
data[:yaml][:datadir] = File.join(fixture_path, 'hieradata')
data.keys.each do |key|
next unless data[key].is_a?(Hash)

if data[key][:datadir] == 'stub'
data[key][:datadir] = File.join(fixture_path, 'hieradata')
elsif data[key]['datadir'] == 'stub'
data[key]['datadir'] = File.join(fixture_path, 'hieradata')
end
end

File.open(c.hiera_config, 'w') do |f|
f.write data.to_yaml
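Review bot: The `data[key][:datadir]` symbol branch in the added loop can never match: `YAML.load` of the `default_hiera_config` heredoc, which this commit rewrites as a Hiera 5 document with plain `version`/`hierarchy`/`defaults` keys, produces string keys only, so the symbol check is a leftover from the `:yaml:`-keyed v3 config being removed. The loop can be collapsed to `data.each_value { |section| section['datadir'] = File.join(fixture_path, 'hieradata') if section.is_a?(Hash) && section['datadir'] == 'stub' }`, which keeps the behaviour and drops the dead branch; if the symbol form is kept deliberately for an older config shape, a comment saying so would explain it. The `c.before(:all)` block is inside the hunk, but the `RSpec.configure` block it belongs to starts and ends outside it.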
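--- a/spec/unit/compliance_engine/compliance_engine_enforce_spec.rb
+++ b/spec/unit/compliance_engine/compliance_engine_enforce_spec.rb
@@ -0,0 +1,69 @@
+require 'spec_helper'
+
+# This is the class that needs to be added to the catalog last to make the
+# reporting work.
+describe 'compliance_markup', type: :class do
+
+compliance_profiles = [
+'disa_stig',
+'nist_800_53',
+'nist_800_53_rev4'
+]
+
+# A list of classes that we expect to be included for compliance
+#
+# This needs to be well defined since we can also manipulate defined type
+# defaults
+expected_classes = [
+'postfix'
+]
+
+on_supported_os.each do |os, os_facts|
+context "on #{os}" do
+let(:facts){ os_facts }
+
+compliance_profiles.each do |target_profile|
+context "with compliance profile '#{target_profile}'" do
+let(:pre_condition) {%(
+#{expected_classes.map{|c| %{include #{c}}}.join("\n")}
+)}
+
+it { is_expected.to compile }
+
+let(:compliance_report) {
+JSON.load(
+catalogue.resource("File[#{facts[:puppet_vardir]}/compliance_report.json]")[:content]
+)
+}
+
+let(:compliance_profile_data) { compliance_report['compliance_profiles'][target_profile] }
+
+it 'should have a compliance profile report' do
+expect(compliance_profile_data).to_not be_nil
+end
+
+# The list of report sections that should not exist and if they do
+# exist, we need to know what is wrong so that we can fix them
+report_validators = [
+# This should *always* be empty on enforcement
+'non_compliant',
+# If something is set here, either the upstream API changed or you
+# have a typo in your data
+'documented_missing_parameters'
+]
+
+report_validators.each do |report_section|
+it "should have no issues with the '#{report_section}' report" do
+if compliance_profile_data[report_section]
+# This just gets us a good print out of what went wrong
+expect(compliance_profile_data[report_section]).to eq({})
+else
+expect(compliance_profile_data[report_section]).to be_nil
+end
+end
+end
+end
+end
+end
+end
+end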
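Review bot: `JSON.load` in the `compliance_report` helper enables the json gem's `create_additions` by default, so a `json_class` key in the document would be turned into an object of that class rather than plain data; the input here is the catalog's own compliance_report.json, so the exposure is small, but `JSON.parse(...)` is the right call for plain data and should replace it. Separately, `'nist_800_53'` in `compliance_profiles` has no matching identifiers in the new checks.yaml (which lists only `nist_800_53_rev4` and `disa_stig`), so the "should have a compliance profile report" example for that profile presumably depends on data shipped by the compliance_markup fixture; a comment above the array such as `# Profiles must exist in the compliance_markup fixture data, not only in this module's checks.yaml` would make that dependency explicit. As a point of style, `it { is_expected.to compile }` sits between the `pre_condition` and the `let`s that the later examples use; placing it after those `let`s keeps the setup together.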
