Add package vulnerability tests

(Bruce Becker) #1

Add package vulnerability tests

From ec935550911bff758704ce645cda3a5d5d01f53f Mon Sep 17 00:00:00 2001
From: Bruce Becker <brucellino@gmail.com>
Date: Thu, 6 Dec 2018 20:15:34 +0100
Subject: [PATCH] Add package vulnerability tests


diff --git a/molecule/default/tests/test_security.py b/molecule/default/tests/test_security.py
new file mode 100644
index 0000000..c0011b5
--- /dev/null
+++ b/molecule/default/tests/test_security.py
@@ -0,0 +1,35 @@
+import os
+import testinfra.utils.ansible_runner
+import ruamel.yaml as yaml
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+# Get the CVEs declared in the vars
+def vulnerable_packages(os, version):
+    '''
+    Get the list of vulnerabilities as declared in the os-specific
+    variable file
+    '''
+    with open("../../vars/%s%s.yml" % (os.lower(), version)) as stream:
+        try:
+            vars = (yaml.safe_load(stream))['security_updates']
+            return vars
+        except yaml.YAMLError as exc:
+            print(exc)
+
+
+def test_security_some_other_way(host):
+    '''
+    Check that known vulnerable package versions are not installed
+    '''
+    cves = vulnerable_packages(host.system_info.distribution,
+                               host.system_info.release)
+    for cve in cves:
+        patched_version = cve['patched_version']
+        name = cve['name']
+        if (host.package(name).is_installed):
+            assert (str(host.package(name).version + '-' +
+                        host.package(name).release) ==
+                    patched_version)
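Review bot: The assertion on the last three lines requires the installed version-release to be byte-equal to `patched_version`, so any host that has since received a later errata for python, openssl or glibc fails the "not vulnerable" check; the test should assert installed EVR >= patched EVR with an rpm-aware comparison (for example `rpm.labelCompare` from the rpm Python bindings, or `rpmdev-vercmp` executed through `host.run`), not `==`. In `vulnerable_packages` the `except yaml.YAMLError` branch prints and falls through to return `None`, and a vars file without a `security_updates` key raises `KeyError`, so a malformed file shows up in the test as `TypeError: 'NoneType' object is not iterable` rather than a clear failure — re-raise instead of `print(exc)`, and use `.get('security_updates', [])`. The parameter named `os` shadows the `os` module imported at the top of the file; renaming it to `distro` avoids the confusion. The vars path is built from `host.system_info.release`, which on EL hosts is presumably the full point release (the `centos6.10.yml` symlink added in this same commit suggests so), so every other point release would fail the `open()`; deriving the major version with `release.split('.')[0]` would avoid one symlink per point release — confirm what testinfra returns here.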
diff --git a/tasks/main.yml b/tasks/main.yml
index 36c5cf8..139e589 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: OS specific variables
-  include_vars: "{{ ansible_distribution }}{{ ansible_distribution_major_version }}.yml"
+  include_vars: "{{ ansible_distribution |lower}}{{ ansible_distribution_major_version }}.yml"
 
 - name: Fail if release is not defined
   fail:
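Review bot: Lower-casing `ansible_distribution` in the include_vars path only matches the vars files this commit renames to lower case (`centos6.yml`, `centos7.yml`); the files left as `Debian*.yml`, `Ubuntu*.yml`, `Scientific*.yml` and `RedHat7.yml` no longer resolve, so include_vars fails on every distribution other than CentOS — on a RHEL 7 host the lookup is `redhat7.yml`, for which no file or symlink exists in this diff. Either rename or symlink every vars file to its lower-case name, or drop the `|lower` filter and keep the original-case symlinks. A `first_found` lookup listing both `{{ ansible_distribution | lower }}{{ ansible_distribution_major_version }}.yml` and the original-case name would make the resolution order explicit.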
@@ -18,6 +18,12 @@
   when: verification_repofile is defined
 
 - name: Set up IGTF repository
-  include_tasks: igtf.yml
+  import_tasks: igtf.yml
+  tags:
+    - certificates
 
 - import_tasks: baseline.yml
+- import_tasks: updates.yml
+  tags:
+    - security
+    - updates
diff --git a/tasks/updates.yml b/tasks/updates.yml
new file mode 100644
index 0000000..f37f1d1
--- /dev/null
+++ b/tasks/updates.yml
@@ -0,0 +1,7 @@
+---
+# Security updates from scanning
+- name: Ensure that CVEs are patched
+  package:
+    state: present
+    name: "{{ item.name }}-{{ item.patched_version }}"
+  loop: "{{ security_updates }}"
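Review bot: `name: "{{ item.name }}-{{ item.patched_version }}"` is the yum/rpm spelling of a versioned package; apt expects `name=version`, so the first non-empty `security_updates` entry in a Debian or Ubuntu vars file will fail here — either guard the task with `when: ansible_pkg_mgr in ['yum', 'dnf']` or branch on the package manager. `state: present` with a pinned build installs that exact build but does not express the real requirement (at least the patched build), so the vars must be bumped by hand for every new advisory; `state: latest` on `item.name`, with the patched version kept only as the test's lower bound, would keep the task meaningful over time. The loop also assumes `security_updates` is defined for every vars file; `loop: "{{ security_updates | default([]) }}"` keeps the role usable for a platform whose vars file does not declare it.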
diff --git a/vars/CentOS6.yml b/vars/CentOS6.yml
deleted file mode 100644
index 239917e..0000000
--- a/vars/CentOS6.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-release_url:
-  3: http://repository.egi.eu/sw/production/umd/3/sl6/x86_64/updates/umd-release-3.14.4-1.el6.noarch.rpm
-  4: http://repository.egi.eu/sw/production/umd/4/sl6/x86_64/updates/umd-release-4.1.3-1.el6.noarch.rpm
-sources_dir: /etc/yum.repos.d/
-nick: sl6
-baseline_packages:
-  - ntpdate
diff --git a/vars/CentOS7.yml b/vars/CentOS7.yml
deleted file mode 120000
index fe5b156..0000000
--- a/vars/CentOS7.yml
+++ /dev/null
@@ -1 +0,0 @@
-RedHat7.yml
\ No newline at end of file
diff --git a/vars/Debian6.yml b/vars/Debian6.yml
index 1375c05..3f1f88e 100644
--- a/vars/Debian6.yml
+++ b/vars/Debian6.yml
@@ -5,3 +5,4 @@ sources_dir: /etc/apt/sources.list.d
 nick: squeeze
 baseline:
   - ntpdate
+security_updates: []
diff --git a/vars/Debian8.yml b/vars/Debian8.yml
index 1375c05..3f1f88e 100644
--- a/vars/Debian8.yml
+++ b/vars/Debian8.yml
@@ -5,3 +5,4 @@ sources_dir: /etc/apt/sources.list.d
 nick: squeeze
 baseline:
   - ntpdate
+security_updates: []
diff --git a/vars/Debian9.yml b/vars/Debian9.yml
index 1375c05..3f1f88e 100644
--- a/vars/Debian9.yml
+++ b/vars/Debian9.yml
@@ -5,3 +5,4 @@ sources_dir: /etc/apt/sources.list.d
 nick: squeeze
 baseline:
   - ntpdate
+security_updates: []
diff --git a/vars/RedHat7.yml b/vars/RedHat7.yml
index cefbcb4..a3802d2 100644
--- a/vars/RedHat7.yml
+++ b/vars/RedHat7.yml
@@ -5,3 +5,15 @@ sources_dir: /etc/yum.repos.d/
 nick: centos7
 baseline_packages:
   - ntpdate
+
+security_updates:
+  - name: python
+    patched_version: "2.7.5-76.el7"
+  - name: python-libs
+    patched_version: "2.7.5-76.el7"
+  - name: openssl-libs
+    patched_version: "1.0.2k-16.el7"
+  - name: openssl
+    patched_version: "1.0.2k-16.el7"
+  - name: glibc
+    patched_version: "2.17-260.el7"
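Review bot: The five entries added here carry no advisory reference, unlike the `centos6.yml` entries in this same commit (`# RHSA-2013:0568`, `# RHSA-2017:3071`), so a reviewer cannot check that `2.7.5-76.el7`, `1.0.2k-16.el7` and `2.17-260.el7` are in fact the fixed builds, nor know when a pin can be retired. Add the RHSA/CVE identifier as a comment above each entry, in the form `# RHSA-YYYY:NNNN (CVE-YYYY-NNNN)` — the identifiers cannot be recovered from the diff itself. `openssl`/`openssl-libs` and `python`/`python-libs` are sub-packages of one source package each and must move together; a one-line comment saying so would stop someone bumping only one of a pair.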
diff --git a/vars/Scientific5.yml b/vars/Scientific5.yml
index e1eb66a..0737adb 100644
--- a/vars/Scientific5.yml
+++ b/vars/Scientific5.yml
@@ -3,3 +3,4 @@ release_url:
   3: http://repository.egi.eu/sw/production/umd/3/sl5/x86_64/updates/umd-release-3.0.1-1.el5.noarch.rpm
 sources_dir: /etc/yum.repos.d/
 nick: sl5
+security_updates: []
diff --git a/vars/Scientific6.yml b/vars/Scientific6.yml
index 5dae08d..5bb552a 100644
--- a/vars/Scientific6.yml
+++ b/vars/Scientific6.yml
@@ -3,4 +3,5 @@ release_url:
   3: http://repository.egi.eu/sw/production/umd/3/sl6/x86_64/updates/umd-release-3.14.4-1.el6.noarch.rpm
   4: http://repository.egi.eu/sw/production/umd/4/sl6/x86_64/updates/umd-release-4.1.3-1.el6.noarch.rpm
 sources_dir: /etc/yum.repos.d/
-nick: sl6
+nick: centos6
+security_updates: []
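Review bot: `nick` for Scientific Linux 6 changes from `sl6` to `centos6` while the `release_url` entries above still point at the `.../sl6/...` UMD paths; if `nick` selects a repofile or directory elsewhere in the role (not visible here), this switches an SL6 host to CentOS-named artefacts. Confirm the change is intended and, if so, record the reason in a comment next to the line rather than leaving the two identifiers to disagree silently.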
diff --git a/vars/Ubuntu14.yml b/vars/Ubuntu14.yml
index 14e76e4..996fb38 100644
--- a/vars/Ubuntu14.yml
+++ b/vars/Ubuntu14.yml
@@ -4,3 +4,4 @@ release_url:
   4: http://repository.egi.eu/sw/production/umd/4/repofiles/ubuntu-trusty/
 sources_dir: /etc/apt/sources.list.d
 nick: trusty
+security_updates: []
diff --git a/vars/Ubuntu16.yml b/vars/Ubuntu16.yml
index a2a6a75..5f7e652 100644
--- a/vars/Ubuntu16.yml
+++ b/vars/Ubuntu16.yml
@@ -3,3 +3,4 @@ release_url:
   3: http://repository.egi.eu/sw/production/umd/3/
 sources_dir: /etc/apt/sources.list.d
 nick: xenial
+security_updates: []
diff --git a/vars/centos6.10.yml b/vars/centos6.10.yml
new file mode 120000
index 0000000..4c1a625
--- /dev/null
+++ b/vars/centos6.10.yml
@@ -0,0 +1 @@
+centos6.yml
\ No newline at end of file
diff --git a/vars/centos6.yml b/vars/centos6.yml
new file mode 100644
index 0000000..6b2f502
--- /dev/null
+++ b/vars/centos6.yml
@@ -0,0 +1,15 @@
+---
+release_url:
+  3: http://repository.egi.eu/sw/production/umd/3/sl6/x86_64/updates/umd-release-3.14.4-1.el6.noarch.rpm
+  4: http://repository.egi.eu/sw/production/umd/4/sl6/x86_64/updates/umd-release-4.1.3-1.el6.noarch.rpm
+sources_dir: /etc/yum.repos.d/
+nick: centos6
+baseline_packages:
+  - ntpdate
+security_updates:
+  # RHSA-2013:0568
+  - name: dbus-glib
+    patched_version: 0.86-6.el6
+  # RHSA-2017:3071
+  - name: ntpdate
+    patched_version: 4.2.6p5-12.el6.centos.2
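Review bot: `ntpdate` is listed both in `baseline_packages` and in `security_updates` pinned to `4.2.6p5-12.el6.centos.2`; if the baseline task installs it unpinned first, the two tasks may disagree on the version, so the pinned entry should be the single source and the baseline entry dropped or documented as intentionally unpinned. The `patched_version` values here are bare scalars while `RedHat7.yml` quotes them; a future value such as `1.0` would be parsed by YAML as a float, so quoting consistently (`patched_version: "0.86-6.el6"`) is safer. The advisory comments (`# RHSA-2013:0568`) are the right pattern and should be mirrored in the other vars files.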
diff --git a/vars/centos7.yml b/vars/centos7.yml
new file mode 120000
index 0000000..fe5b156
--- /dev/null
+++ b/vars/centos7.yml
@@ -0,0 +1 @@
+RedHat7.yml
\ No newline at end of file
