(SIMP-5682) Add v2 compliance_markup data
SIMP-5682 #close
Showing
7 changed files
with
258 additions
and
12 deletions.
@@ -0,0 +1,135 @@ | ||
--- | ||
version: 2.0.0 | ||
checks: | ||
oval:com.puppet.forge.simp.postfix.enable_server: | ||
settings: | ||
parameter: postfix::enable_server | ||
value: false | ||
type: puppet-class-parameter | ||
controls: | ||
nist_800_53_rev4:CM-7: true | ||
disa_stig: true | ||
RHEL-07-040480: true | ||
SRG-OS-000480-GPOS-00227: true | ||
cci:CCI-000366: true | ||
identifiers: | ||
nist_800_53_rev4: | ||
- CM-7 | ||
disa_stig: | ||
- RHEL-07-040480 | ||
- SRG-OS-000480-GPOS-00227 | ||
- CCI-000366 | ||
oval:com.puppet.forge.simp.postfix.server.enforce_tls: | ||
settings: | ||
parameter: postfix::server::enforce_tls | ||
value: true | ||
type: puppet-class-parameter | ||
controls: | ||
nist_800_53_rev4:SC-8: true | ||
nist_800_53_rev4:SC-8:1: true | ||
nist_800_53_rev4:SC-8:2: true | ||
nist_800_53_rev4:SC-23: true | ||
identifiers: | ||
nist_800_53_rev4: | ||
- SC-8 | ||
- SC-8:1 | ||
- SC-8:2 | ||
- SC-23 | ||
oval:com.puppet.forge.simp.postfix.server.firewall: | ||
settings: | ||
parameter: postfix::server::firewall | ||
value: true | ||
type: puppet-class-parameter | ||
controls: | ||
nist_800_53_rev4:AC-4: true | ||
disa_stig: true | ||
RHEL-07-040920: true | ||
SRG-OS-000480-GPOS-00227: true | ||
cci:CCI-000366: true | ||
identifiers: | ||
nist_800_53_rev4: | ||
- AC-4 | ||
disa_stig: | ||
- RHEL-07-040920 | ||
- SRG-OS-000480-GPOS-00227 | ||
- CCI-000366 | ||
oval:com.puppet.forge.simp.postfix.server.mandatory_ciphers: | ||
settings: | ||
parameter: postfix::server::mandatory_ciphers | ||
value: true | ||
type: puppet-class-parameter | ||
controls: | ||
nist_800_53_rev4:SC-8: true | ||
nist_800_53_rev4:SC-8:1: true | ||
nist_800_53_rev4:SC-8:2: true | ||
nist_800_53_rev4:SC-23: true | ||
identifiers: | ||
nist_800_53_rev4: | ||
- SC-8 | ||
- SC-8:1 | ||
- SC-8:2 | ||
- SC-23 | ||
oval:com.puppet.forge.simp.postfix.server.pki: | ||
settings: | ||
parameter: postfix::server::pki | ||
value: true | ||
type: puppet-class-parameter | ||
controls: | ||
nist_800_53_rev4:SC-8: true | ||
nist_800_53_rev4:SC-8:1: true | ||
nist_800_53_rev4:SC-8:2: true | ||
nist_800_53_rev4:SC-23: true | ||
identifiers: | ||
nist_800_53_rev4: | ||
- SC-8 | ||
- SC-8:1 | ||
- SC-8:2 | ||
- SC-23 | ||
oval:com.puppet.forge.simp.postfix.server.tls: | ||
settings: | ||
parameter: postfix::server::tls | ||
value: true | ||
type: puppet-class-parameter | ||
controls: | ||
nist_800_53_rev4:SC-8: true | ||
nist_800_53_rev4:SC-8:1: true | ||
nist_800_53_rev4:SC-8:2: true | ||
nist_800_53_rev4:SC-23: true | ||
identifiers: | ||
nist_800_53_rev4: | ||
- SC-8 | ||
- SC-8:1 | ||
- SC-8:2 | ||
- SC-23 | ||
oval:com.puppet.forge.simp.postfix.server.user_connect: | ||
settings: | ||
parameter: postfix::server::user_connect | ||
value: true | ||
type: puppet-class-parameter | ||
controls: | ||
nist_800_53_rev4:AC-1: true | ||
identifiers: | ||
nist_800_53_rev4: | ||
- AC-1 | ||
oval:com.puppet.forge.simp.postfix.main_cf_hash: | ||
settings: | ||
parameter: postfix::main_cf_hash | ||
value: | ||
smtpd_client_restrictions: | ||
value: | ||
- permit_mynetworks | ||
- reject | ||
type: puppet-class-parameter | ||
controls: | ||
disa_stig: true | ||
RHEL-07-040680: true | ||
SRG-OS-000480-GPOS-00227: true | ||
cci:CCI-000366: true | ||
identifiers: | ||
disa_stig: | ||
- RHEL-07-040680 | ||
- SRG-OS-000480-GPOS-00227 | ||
- CCI-000366 | ||
confine: | ||
osfamily: RedHat | ||
operatingsystemmajrelease: '7' |
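Review bot: The trailing `confine: osfamily: RedHat / operatingsystemmajrelease: '7'` sits after the `main_cf_hash` check, but `enable_server` (RHEL-07-040480) and `server.firewall` (RHEL-07-040920) also carry RHEL 7 STIG identifiers and have no confine of their own; the rendered diff has lost its indentation, so it is unclear whether `confine` scopes only the last check or the whole document. If it is per-check in the v2 format, repeat it under every check that maps to an `RHEL-07-*` finding, otherwise those checks will be enforced and reported on every platform the profile is evaluated on. The `smtpd_client_restrictions: [permit_mynetworks, reject]` setting only prevents unauthorized relaying if `mynetworks` is itself restricted, which this data does not show; a one-line comment above that check, `# Relies on mynetworks being limited to trusted nets; see postfix::main_cf_hash handling of mynetworks`, would make the dependency explicit. The file also lacks a header comment; `# SIMP v2 compliance_markup data for the postfix module: each check maps one class parameter to the controls it satisfies.` would orient the next maintainer.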
@@ -0,0 +1,23 @@ | ||
--- | ||
# SIMP infrastructure settings | ||
simp_options::trusted_nets: ['192.168.122.0/24'] | ||
|
||
compliance_markup::validate_profiles: | ||
- 'disa_stig' | ||
- 'nist_800_53' | ||
- 'nist_800_53_rev4' | ||
|
||
# Needed for catalog inspection to ensure valid data | ||
compliance_markup::report_on_client: true | ||
compliance_markup::report_on_server: false | ||
compliance_markup::report_types: | ||
- 'non_compliant' | ||
- 'unknown_parameters' | ||
- 'unknown_resources' | ||
|
||
# Ideally, this would be the same as the validation array but you may want to | ||
# do something different based on your test requirements | ||
compliance_markup::enforcement: | ||
- 'disa_stig' | ||
- 'nist_800_53' | ||
- 'nist_800_53_rev4' |
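Review bot: `compliance_markup::report_types` omits `documented_missing_parameters`, yet the accompanying spec asserts that exact report section is empty; if `report_types` gates which sections are written, that assertion can never fail. Adding `- 'documented_missing_parameters'` to the list makes the check meaningful, or the comment on L178 should say why it is left out. The `nist_800_53` profile is validated and enforced here although the new postfix data only defines `nist_800_53_rev4` identifiers, so unless other data supplies `nist_800_53` controls that iteration asserts nothing about postfix; a comment such as `# nist_800_53 (non-rev4) is kept so the spec exercises an empty profile` would clarify intent, or it could be dropped. Enforcement order presumably decides precedence when two profiles set the same parameter, so a short comment on why `disa_stig` comes first would help.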
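--- /dev/null
+++ b/spec/unit/compliance_engine/compliance_engine_enforce_spec.rb
@@ -0,0 +1,69 @@
+require 'spec_helper'
+
+# This is the class that needs to be added to the catalog last to make the
+# reporting work.
+describe 'compliance_markup', type: :class do
+
+  compliance_profiles = [
+    'disa_stig',
+    'nist_800_53',
+    'nist_800_53_rev4'
+  ]
+
+  # A list of classes that we expect to be included for compliance
+  #
+  # This needs to be well defined since we can also manipulate defined type
+  # defaults
+  expected_classes = [
+    'postfix'
+  ]
+
+  on_supported_os.each do |os, os_facts|
+    context "on #{os}" do
+      let(:facts){ os_facts }
+
+      compliance_profiles.each do |target_profile|
+        context "with compliance profile '#{target_profile}'" do
+          let(:pre_condition) {%(
+            #{expected_classes.map{|c| %{include #{c}}}.join("\n")}
+          )}
+
+          it { is_expected.to compile }
+
+          let(:compliance_report) {
+            JSON.load(
+              catalogue.resource("File[#{facts[:puppet_vardir]}/compliance_report.json]")[:content]
+            )
+          }
+
+          let(:compliance_profile_data) { compliance_report['compliance_profiles'][target_profile] }
+
+          it 'should have a compliance profile report' do
+            expect(compliance_profile_data).to_not be_nil
+          end
+
+          # The list of report sections that should not exist and if they do
+          # exist, we need to know what is wrong so that we can fix them
+          report_validators = [
+            # This should *always* be empty on enforcement
+            'non_compliant',
+            # If something is set here, either the upstream API changed or you
+            # have a typo in your data
+            'documented_missing_parameters'
+          ]
+
+          report_validators.each do |report_section|
+            it "should have no issues with the '#{report_section}' report" do
+              if compliance_profile_data[report_section]
+                # This just gets us a good print out of what went wrong
+                expect(compliance_profile_data[report_section]).to eq({})
+              else
+                expect(compliance_profile_data[report_section]).to be_nil
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end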
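Review bot: `JSON.load` in the `compliance_report` let block is the wrong deserializer for parsing a document: in the json gem versions this spec is likely to run against it honours `json_class` additions by default (since deprecated), and it returns `nil` rather than raising when handed `nil` content, so a missing report surfaces later as a confusing `NoMethodError` on `compliance_report['compliance_profiles']`. Use `JSON.parse(catalogue.resource("File[#{facts[:puppet_vardir]}/compliance_report.json]")[:content])` and consider asserting `expect(catalogue.resource("File[#{facts[:puppet_vardir]}/compliance_report.json]")).to_not be_nil` in its own example first so a missing resource fails with a clear message. The `else` branch of the `report_validators` example is effectively tautological (the value is already falsy), so `expect(compliance_profile_data[report_section]).to be_nil` alone, or simply `expect(compliance_profile_data[report_section]).to be_nil.or eq({})`, reads more honestly. A brief comment above `expected_classes` noting that the `postfix::server::*` checks in the data are only exercised if `postfix` itself pulls in `postfix::server` would explain why a single class is listed there.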