
migrate from Serverspec to InSpec #29


Merged: 3 commits, Dec 23, 2016

Conversation

chris-rock
Member

This migrates all Serverspec tests to InSpec.

before:

➜  chef-mysql-hardening git:(master) b kitchen verify default-ubuntu-1204
-----> Starting Kitchen (v1.11.1)
-----> Setting up <default-ubuntu-1204>...
       Finished setting up <default-ubuntu-1204> (0m0.00s).
-----> Verifying <default-ubuntu-1204>...
       Preparing files for transfer
-----> Installing Busser (busser)
Fetching: thor-0.19.0.gem (100%)
       Successfully installed thor-0.19.0
Fetching: busser-0.7.1.gem (100%)
       Successfully installed busser-0.7.1
       2 gems installed
       Installing Busser plugins: busser-puppet busser-serverspec
       Plugin puppet installed (version 0.0.2)
-----> Running postinstall for puppet plugin
       Plugin serverspec installed (version 0.5.10)
-----> Running postinstall for serverspec plugin
       Suite path directory /tmp/verifier/suites does not exist, skipping.
       Transferring files to <default-ubuntu-1204>
-----> Running puppet test suite
-----> Running serverspec test suite
-----> Installing Serverspec..
Fetching: sfl-2.3.gem (100%)
Fetching: net-telnet-0.1.1.gem (100%)
Fetching: net-ssh-3.2.0.gem (100%)
Fetching: net-scp-1.2.1.gem (100%)
Fetching: specinfra-2.66.3.gem (100%)
Fetching: multi_json-1.12.1.gem (100%)
Fetching: diff-lcs-1.2.5.gem (100%)
Fetching: rspec-expectations-3.5.0.gem (100%)
Fetching: rspec-its-1.2.0.gem (100%)
Fetching: rspec-mocks-3.5.0.gem (100%)
Fetching: rspec-3.5.0.gem (100%)
Fetching: serverspec-2.37.2.gem (100%)
-----> serverspec installed (version 2.37.2)
       /opt/chef/embedded/bin/ruby -I/tmp/verifier/suites/serverspec -I/tmp/verifier/gems/gems/rspec-support-3.5.0/lib:/tmp/verifier/gems/gems/rspec-core-3.5.4/lib /opt/chef/embedded/bin/rspec --pattern /tmp/verifier/suites/serverspec/\*\*/\*_spec.rb --color --format documentation --default-path /tmp/verifier/suites/serverspec
       
       Service "mysql"
         should be enabled
         should be running
       
       Combining configfiles
         Command "cat /etc/mysql/my.cnf | tr -s [:space:]  > /root/tmp-my.cnf; cat /etc/mysql/conf.d/hardening.cnf | tr -s [:space:] >> /root/tmp-my.cnf"
           exit_status
             should eq 0
       
       Checking MySQL-databases for risky entries
         Command "mysql -uroot -piloverandompasswordsbutthiswilldo mysql -s -e 'select version();' | tail -1"
           stdout
             should not match /Community/
         Command "mysql -uroot -piloverandompasswordsbutthiswilldo mysql -s -e 'select substring(version(),1,1);' | tail -1"
           stdout
             should match /^5/
         Command "mysql -uroot -piloverandompasswordsbutthiswilldo -s -e 'show databases like "test";'"
           stdout
             should not match /test/
         Command "mysql -uroot -piloverandompasswordsbutthiswilldo mysql -s -e 'select count(*) from mysql.user where user="";' | tail -1"
           stdout
             should match /^0/
         Command "mysql -uroot -piloverandompasswordsbutthiswilldo mysql -s -e 'select count(*) from mysql.user where length(password)=0 or password="";' | tail -1"
           stdout
             should match /^0/
         Command "mysql -uroot -piloverandompasswordsbutthiswilldo mysql -s -e 'select count(*) from mysql.user where grant_priv="y" and User!="root" and User!="debian-sys-maint";' | tail -1"
           stdout
             should match /^0/
         Command "mysql -uroot -piloverandompasswordsbutthiswilldo mysql -s -e 'select count(*) from mysql.user where host="%"' | tail -1"
           stdout
             should match /^0/
         Command "mysql -uroot -piloverandompasswordsbutthiswilldo mysql -s -e 'select count(*) from mysql.user where user="root" and host not in ("localhost","127.0.0.1","::1")' | tail -1"
           stdout
             should match /^0/
       
       Check for multiple instances
         Command "ps aux | grep mysqld | egrep -v "grep|mysqld_safe|logger" | wc -l"
           stdout
             should match /^1$/
       
       Parsing configfiles for unwanted entries
         File "/root/tmp-my.cnf"
           content
             should match key value "safe-user-create" and "1"
           content
             should not match key value "old_passwords" and "1"
           content
             should match key value "secure-auth" and "1"
           content
             should match key value "user" and "mysql"
           content
             should match key value "skip-symbolic-links" and "1"
           content
             should match /^\s*?secure-file-priv/
           content
             should match key value "local-infile" and "0"
           content
             should match /^\s*?skip-show-database/
           content
             should not match /^\s*?skip-grant-tables/
           content
             should match key value "allow-suspicious-udfs" and "0"
       
       Mysql-data owner, group and permissions
         File "/var/lib/mysql/"
           should be directory
           should be owned by "mysql"
           should be grouped into "mysql"
         File "/var/lib/mysql//ibdata1"
           should be owned by "mysql"
           should be grouped into "mysql"
           should not be readable
           should not be writable
           should not be executable
         File "/var/log/"
           should be directory
           should be owned by "root"
           should be grouped into "root"
         File "/var/log//mysql.log"
           should be owned by "mysql"
           should be grouped into "adm"
           should not be readable
           should not be writable
           should not be executable
       
       Mysql-config: owner, group and permissions
         File "/etc/mysql/"
           should be directory
           should be owned by "root"
           should be grouped into "root"
           should be owned by "root"
           should be grouped into "root"
           should not be readable (FAILED - 1)
         File "/etc/mysql/conf.d/hardening.cnf"
           should be owned by "mysql"
           should be grouped into "root"
           should not be readable
       
       Mysql environment
         Command "env"
           stdout
             should not match /^MYSQL_PWD=/
       
       Failures:
       
         1) Mysql-config: owner, group and permissions File "/etc/mysql/" should not be readable
            Failure/Error: it { should_not be_readable.by('others') }
              expected File "/etc/mysql/" not to be readable
              /bin/sh -c stat\ -c\ \%a\ /etc/mysql/
              755
       
            # /tmp/verifier/suites/serverspec/mysql_spec.rb:158:in `block (3 levels) in <top (required)>'
       
       Finished in 0.47089 seconds (files took 0.5633 seconds to load)
       48 examples, 1 failure
       
       Failed examples:
       
       rspec /tmp/verifier/suites/serverspec/mysql_spec.rb:158 # Mysql-config: owner, group and permissions File "/etc/mysql/" should not be readable
       
       /opt/chef/embedded/bin/ruby -I/tmp/verifier/suites/serverspec -I/tmp/verifier/gems/gems/rspec-support-3.5.0/lib:/tmp/verifier/gems/gems/rspec-core-3.5.4/lib /opt/chef/embedded/bin/rspec --pattern /tmp/verifier/suites/serverspec/\*\*/\*_spec.rb --color --format documentation --default-path /tmp/verifier/suites/serverspec failed
       !!!!!! Ruby Script [/tmp/verifier/gems/gems/busser-serverspec-0.5.10/lib/busser/runner_plugin/../serverspec/runner.rb /tmp/verifier/suites/serverspec] exit code was 1
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: 1 actions failed.
>>>>>>     Verify failed on instance <default-ubuntu-1204>.  Please see .kitchen/logs/default-ubuntu-1204.log for more details
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration

after:

➜  chef-mysql-hardening git:(master) ✗ KITCHEN_YAML=.kitchen.vagrant.yml b kitchen verify default-ubuntu-1204  
-----> Starting Kitchen (v1.11.1)
-----> Setting up <default-ubuntu-1204>...
       Finished setting up <default-ubuntu-1204> (0m0.00s).
-----> Verifying <default-ubuntu-1204>...
       Detected alternative framework tests for `serverspec`
       Loaded mysql-baseline 

Profile: DevSec MySQL Baseline (mysql-baseline)
Version: 2.0.0
Target:  ssh://vagrant@127.0.0.1:2222


  Command env
     ✔  stdout should not match /^MYSQL_PWD=/
  Service mysql
     ✔  should be enabled
     ✔  should be running
  Command mysql
     ✔  -uroot -piloverandompasswordsbutthiswilldo mysql -s -e 'select version();' | tail -1 stdout should not match /Community/
  Command mysql
     ✔  -uroot -piloverandompasswordsbutthiswilldo mysql -s -e 'select substring(version(),1,1);' | tail -1 stdout should match /^5/
  Command mysql
     ✔  -uroot -piloverandompasswordsbutthiswilldo -s -e 'show databases like "test";' stdout should not match /test/
  Command mysql
     ✔  -uroot -piloverandompasswordsbutthiswilldo mysql -s -e 'select count(*) from mysql.user where user="";' | tail -1 stdout should match /^0/
  Command mysql
     ✔  -uroot -piloverandompasswordsbutthiswilldo mysql -s -e 'select count(*) from mysql.user where length(password)=0 or password="";' | tail -1 stdout should match /^0/
  Command mysql
     ✔  -uroot -piloverandompasswordsbutthiswilldo mysql -s -e 'select count(*) from mysql.user where grant_priv="y" and User!="root" and User!="debian-sys-maint";' | tail -1 stdout should match /^0/
  Command mysql
     ✔  -uroot -piloverandompasswordsbutthiswilldo mysql -s -e 'select count(*) from mysql.user where host="%"' | tail -1 stdout should match /^0/
  Command mysql
     ✔  -uroot -piloverandompasswordsbutthiswilldo mysql -s -e 'select count(*) from mysql.user where user="root" and host not in ("localhost","127.0.0.1","::1")' | tail -1 stdout should match /^0/
  Command ps
     ✔  aux | grep mysqld | egrep -v "grep|mysqld_safe|logger" | wc -l stdout should match /^1$/
  MySQL Config
     ✔  entry [mysqld] safe-user-create should cmp == 1
     ✔  entry [mysqld] old_passwords should not cmp == 1
     ✔  entry [mysqld] secure-auth should cmp == 1
     ✔  entry [mysqld] user should cmp == "mysql"
     ✔  entry [mysqld] skip-symbolic-links should cmp == 1
     ✔  entry [mysqld] secure-file-priv should not eq nil
     ✔  entry [mysqld] local-infile should cmp == 0
     ✔  entry [mysqld] skip-show-database should eq ""
     ✔  entry [mysqld] skip-grant-tables should eq nil
     ✔  entry [mysqld] allow-suspicious-udfs should cmp == 0
  File /var/lib/mysql/
     ✔  should be directory
     ✔  should be owned by "mysql"
     ✔  should be grouped into "mysql"
  File /var/lib/mysql//ibdata1
     ✔  should be owned by "mysql"
     ✔  should be grouped into "mysql"
     ✔  should not be readable by others
     ✔  should not be writable by others
     ✔  should not be executable by others
  File /var/log/
     ✔  should be directory
     ✔  should be owned by "root"
     ✔  should be grouped into "root"
  File /var/log//mysql.log
     ✔  should be owned by "mysql"
     ✔  should be grouped into "adm"
     ✔  should not be readable by others
     ✔  should not be writable by others
     ✔  should not be executable by others
  File /etc/mysql/
     ✔  should be directory
     ✔  should be owned by "root"
     ✔  should be grouped into "root"
     ✔  should be owned by "root"
     ✔  should be grouped into "root"
     ∅  should not be readable by others
     expected File /etc/mysql/ not to be readable by others
  File /etc/mysql/conf.d/hardening.cnf
     ✔  should be owned by "mysql"
     ✔  should be grouped into "root"
     ✔  should not be readable by others
  Command env
     ✔  stdout should not match /^MYSQL_PWD=/

Test Summary: 47 successful, 1 failures, 0 skipped
>>>>>> ------Exception-------
>>>>>> Class: Kitchen::ActionFailed
>>>>>> Message: 1 actions failed.
>>>>>>     Verify failed on instance <default-ubuntu-1204>.  Please see .kitchen/logs/default-ubuntu-1204.log for more details
>>>>>> ----------------------
>>>>>> Please see .kitchen/logs/kitchen.log for more details
>>>>>> Also try running `kitchen diagnose --all` for configuration
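
The InSpec run above replaces Serverspec's concatenate-then-regex approach (the `tr -s [:space:] > /root/tmp-my.cnf` command, followed by `should match key value ...` on the flattened file) with structured parsing of the `[mysqld]` section, which is why a bare flag such as `skip-show-database` is expected to `eq ""` and a forbidden one such as `skip-grant-tables` to `eq nil`. The following is an added example, not code from the chef-mysql-hardening cookbook, the DevSec mysql-baseline profile or this PR: a plain-Ruby parser with those semantics, run against two constructed config fragments, plus the octal-mode check behind the one failure both runs report (`stat -c %a /etc/mysql/` printed 755, so the directory is readable by others). The file contents, the `MYSQLD_CHECKS` table and all helper names are assumptions for illustration; in a real profile InSpec's `mysql_conf` resource does the parsing.

```ruby
# Added example, not code from the chef-mysql-hardening cookbook, the DevSec
# mysql-baseline profile or this PR: a plain-Ruby stand-in for the
# "MySQL Config entry [mysqld] ..." checks in the InSpec run above.
# Serverspec concatenated my.cnf and conf.d/hardening.cnf and regex-matched
# "key value" pairs; InSpec's mysql_conf resource parses sections instead.
# The two fragments below are constructed samples, not the cookbook's files.

MY_CNF = <<~CNF
  [client]
  port = 3306
  socket = /var/run/mysqld/mysqld.sock

  [mysqld]
  user = mysql
  port = 3306
  # comment lines are ignored
  local-infile = 1
CNF

HARDENING_CNF = <<~CNF
  [mysqld]
  safe-user-create = 1
  secure-auth = 1
  skip-symbolic-links = 1
  secure-file-priv = "/var/lib/mysql-files"
  local-infile = 0
  skip-show-database
  allow-suspicious-udfs = 0
CNF

# Parse my.cnf-style documents in load order; a later file overrides an earlier
# one, as conf.d/hardening.cnf overrides my.cnf. A bare flag such as
# `skip-show-database` is stored as "" and an absent key reads back as nil,
# which is what the `should eq ""` / `should eq nil` expectations rely on.
def parse_mysql_conf(*documents)
  sections = Hash.new { |h, k| h[k] = {} }
  documents.each do |doc|
    section = 'default'
    doc.each_line do |raw|
      line = raw.strip
      next if line.empty? || line.start_with?('#', ';')
      if (header = line.match(/\A\[([^\]]+)\]\z/))
        section = header[1]
        next
      end
      key, value = line.split('=', 2).map(&:strip)
      sections[section][key] = value.nil? ? '' : value.sub(/\A"(.*)"\z/, '\1')
    end
  end
  sections
end

# The [mysqld] expectations from the run above as [key, operator, expected].
# :cmp is a loose string comparison in the spirit of InSpec's `cmp` ("1" == 1),
# :eq is exact, :present/:absent test whether the key exists at all.
MYSQLD_CHECKS = [
  ['safe-user-create',      :cmp,     1],
  ['old_passwords',         :not_cmp, 1],
  ['secure-auth',           :cmp,     1],
  ['user',                  :cmp,     'mysql'],
  ['skip-symbolic-links',   :cmp,     1],
  ['secure-file-priv',      :present, nil],
  ['local-infile',          :cmp,     0],
  ['skip-show-database',    :eq,      ''],
  ['skip-grant-tables',     :absent,  nil],
  ['allow-suspicious-udfs', :cmp,     0],
].freeze

def cmp_equal?(actual, expected)
  !actual.nil? && actual.to_s.casecmp?(expected.to_s)
end

# Returns the keys whose expectation is not met (empty when fully hardened).
def mysqld_failures(sections)
  mysqld = sections.fetch('mysqld', {})
  MYSQLD_CHECKS.reject do |key, op, expected|
    actual = mysqld[key]
    case op
    when :cmp     then cmp_equal?(actual, expected)
    when :not_cmp then !cmp_equal?(actual, expected)
    when :eq      then actual == expected
    when :present then !actual.nil?
    when :absent  then actual.nil?
    end
  end.map(&:first)
end

# The one failure in both runs: `stat -c %a /etc/mysql/` printed 755. A path
# is "readable by others" when the read bit of the last octal digit is set.
def readable_by_others?(octal_mode)
  (octal_mode.to_i(8) & 0o004) != 0
end

if __FILE__ == $PROGRAM_NAME
  failing = mysqld_failures(parse_mysql_conf(MY_CNF, HARDENING_CNF))
  puts failing.empty? ? 'mysqld config: all checks pass' : "failing: #{failing.join(', ')}"
  puts "mode 755 readable by others: #{readable_by_others?('755')}"
end
```

Running it against `MY_CNF` alone reports `safe-user-create`, `local-infile` and the other hardening keys as failing; with `HARDENING_CNF` layered on top every check passes, which mirrors what the cookbook's `conf.d/hardening.cnf` is for. One caveat the transcripts make visible: both runs pass the root password as `-p<password>` on the `mysql` command line. That is a throwaway test-kitchen fixture here, but on a real host the same pattern exposes the password to any local user via the process list, the same class of leak the `env` check (no `MYSQL_PWD=`) is meant to catch.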

@atomic111
Member

@chris-rock wow, great work!!! thank you

@atomic111 atomic111 merged commit 43bf9d8 into master Dec 23, 2016
@chris-rock chris-rock deleted the 2.0 branch May 8, 2017 20:57