diff options
author | lukehinds <lukehinds@gmail.com> | 2016-05-26 19:53:28 +0100 |
---|---|---|
committer | Jose Lausuch <jose.lausuch@ericsson.com> | 2016-05-31 13:14:11 +0000 |
commit | c6caba5fd5261909ce0ab26b9b9dabbd35e0bf00 (patch) | |
tree | 191036d84f706e5a5650bf3f63b99de5a997547b /testcases/security_scan/security_scan.py | |
parent | 03a5887906ce8c757f8b646b8ec65bf56f44829c (diff) |
Add Apex based security scan code
JIRA: FUNCTEST-169
Performs a SCAP based security scan of all overcloud
nodes, followed by report download to functest dashboard
Change-Id: I9058227e19c0877e5f8913931febdd667a908cdd
Signed-off-by: lukehinds <lukehinds@gmail.com>
Diffstat (limited to 'testcases/security_scan/security_scan.py')
-rw-r--r-- | testcases/security_scan/security_scan.py | 178 |
1 files changed, 178 insertions, 0 deletions
diff --git a/testcases/security_scan/security_scan.py b/testcases/security_scan/security_scan.py new file mode 100644 index 00000000..f7f02cd9 --- /dev/null +++ b/testcases/security_scan/security_scan.py @@ -0,0 +1,178 @@ +#!/usr/bin/python +# +# Copyright (c) 2016 Red Hat +# Luke Hinds (lhinds@redhat.com) +# This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# 0.1: This script installs OpenSCAP on the remote host, and scans the +# nominated node. Post scan a report is downloaded and if '--clean' is passed +# all trace of the scan is removed from the remote system. + +import argparse +import connect +import datetime +import os + +from ConfigParser import SafeConfigParser +from keystoneclient.auth.identity import v2 +from keystoneclient import session +from novaclient import client + +__version__ = 0.1 +__author__ = 'Luke Hinds (lhinds@redhat.com)' +__url__ = 'https://wiki.opnfv.org/display/functest/Functest+Security' + +# Global vars +INSTALLER_IP = os.getenv('INSTALLER_IP') +oscapbin = 'sudo /bin/oscap' + +# Configure Nova Credentials +com = 'sudo hiera admin_password' +connect = connect.novaManager(com) +keypass = connect.keystonepass() +auth = v2.Password(auth_url='http://{0}:5000/v2.0'.format(INSTALLER_IP), + username='admin', + password=str(keypass).rstrip(), + tenant_name='admin') +sess = session.Session(auth=auth) +nova = client.Client(2, session=sess) + + +# args +parser = argparse.ArgumentParser(description='OPNFV OpenSCAP Scanner') +parser.add_argument('--config', action='store', dest='cfgfile', + help='Config file', required=True) +args = parser.parse_args() + +# functest logger +logger = ft_logger.Logger("security_scan").getLogger() + +# Config Parser +cfgparse = SafeConfigParser() +cfgparse.read(args.cfgfile) + + +def run_tests(host, nodetype): + port = cfgparse.get(nodetype, 'port') + user = cfgparse.get(nodetype, 'user') + user_key = cfgparse.get(nodetype, 'user_key') + logger.info("Host: {0} Selected Profile: {1}").format(host, nodetype) + logger.info("Creating temp file structure..") + createfiles(host, port, user, user_key) + logger.info("Installing OpenSCAP...") + install_pkg(host, port, user, user_key) + logger.info("Running scan...") + run_scanner(host, port, user, user_key, nodetype) + clean = cfgparse.get(nodetype, 'clean') + logger.info("Post installation tasks....") + post_tasks(host, port, user, user_key, nodetype) + if clean: + logger.info("Cleaning down environment....") + logger.info("Removing OpenSCAP....") + removepkg(host, port, user, user_key, nodetype) + logger.info("Deleting tmp file and reports (remote)...") + cleandir(host, port, user, user_key, nodetype) + + +def nova_iterate(): + # Find compute nodes, active with network on ctlplane + for server in nova.servers.list(): + if server.status == 'ACTIVE' and 'compute' in server.name: + networks = server.networks + nodetype = 'compute' + for host in networks['ctlplane']: + run_tests(host, nodetype) + # Find controller nodes, active with network on ctlplane + elif server.status == 'ACTIVE' and 'controller' in server.name: + networks = server.networks + nodetype = 'controller' + for host in networks['ctlplane']: + run_tests(host, nodetype) + + +def createfiles(host, port, user, user_key): + import connect + global tmpdir + localpath = os.getcwd() + '/scripts/createfiles.py' + remotepath = '/tmp/createfiles.py' + com = 'python /tmp/createfiles.py' + connect = connect.connectionManager(host, port, user, user_key, + localpath, remotepath, com) + tmpdir = connect.remotescript() + + +def install_pkg(host, port, user, user_key): + import connect + com = 'sudo yum -y install openscap-scanner scap-security-guide' + connect = connect.connectionManager(host, port, user, user_key, com) + connect.remotecmd() + + +def run_scanner(host, port, user, user_key, nodetype): + import connect + scantype = cfgparse.get(nodetype, 'scantype') + profile = cfgparse.get(nodetype, 'profile') + results = cfgparse.get(nodetype, 'results') + report = cfgparse.get(nodetype, 'report') + secpolicy = cfgparse.get(nodetype, 'secpolicy') + # Here is where we contruct the actual scan command + if scantype == 'xccdf': + cpe = cfgparse.get(nodetype, 'cpe') + com = '{0} xccdf eval --profile {1} --results {2}/{3}' \ + ' --report {2}/{4} --cpe {5} {6}'.format(oscapbin, + profile, + tmpdir.rstrip(), + results, + report, + cpe, + secpolicy) + connect = connect.connectionManager(host, port, user, user_key, com) + connect.remotecmd() + elif scantype == 'oval': + com = '{0} oval eval --results {1}/{2} ' + '--report {1}/{3} {4}'.format(oscapbin, tmpdir.rstrip(), + results, report, secpolicy) + connect = connect.connectionManager(host, port, user, user_key, com) + connect.remotecmd() + else: + com = '{0} oval-collect '.format(oscapbin) + connect = connect.connectionManager(host, port, user, user_key, com) + connect.remotecmd() + + +def post_tasks(host, port, user, user_key, nodetype): + import connect + # Create the download folder for functest dashboard and download reports + reports_dir = cfgparse.get(nodetype, 'reports_dir') + dl_folder = os.path.join(reports_dir, host + "_" + + datetime.datetime. + now().strftime('%Y-%m-%d_%H-%M-%S')) + os.makesdir(dl_folder, 0755) + report = cfgparse.get(nodetype, 'report') + results = cfgparse.get(nodetype, 'results') + reportfile = '{0}/{1}'.format(tmpdir.rstrip(), report) + connect = connect.connectionManager(host, port, user, user_key, dl_folder, + reportfile, report, results) + connect.download_reports() + + +def removepkg(host, port, user, user_key, nodetype): + import connect + com = 'sudo yum -y remove openscap-scanner scap-security-guide' + connect = connect.connectionManager(host, port, user, user_key, com) + connect.remotecmd() + + +def cleandir(host, port, user, user_key, nodetype): + import connect + com = 'sudo rm -r {0}'.format(tmpdir.rstrip()) + connect = connect.connectionManager(host, port, user, user_key, com) + connect.remotecmd() + + +if __name__ == '__main__': + nova_iterate() |