From: Daniel Stoica
Date: Mon, 24 Feb 2020 16:15:15 +0000 (+0200)
Subject: Add Vuls security test for ubuntu and centos
X-Git-Tag: 3.0.0~7^2
X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F55%2F2255%2F8;p=validation.git

Add Vuls security test for ubuntu and centos

JIRA: VAL-79
Signed-off-by: Daniel Stoica
Change-Id: If81d5ecb68bea40ae179823d655311260e04fc56
---

diff --git a/docker/os/Dockerfile b/docker/os/Dockerfile
index 95d8cfe..676062d 100644
--- a/docker/os/Dockerfile
+++ b/docker/os/Dockerfile
@@ -28,10 +28,12 @@ RUN apt-get update && apt-get -y install \
 libffi-dev \
 make \
 libssl-dev \
+ wget \
 golint \
 sqlite3 \
 debian-goodies \
 build-essential \
+ pkg-config \
 autoconf automake autotools-dev m4 \
 linux-headers-generic \
 libaio-dev libattr1-dev libcap-dev
@@ -55,37 +57,13 @@ RUN tar czvf /opt/akraino/ltp.tar.gz /opt/ltp
 WORKDIR /root/src
 RUN git clone https://github.com/CISOfy/lynis && tar czvf /opt/akraino/lynis-remote.tar.gz ./lynis
 
-# Copy binaries into the final container and install robot framework
-FROM ubuntu:18.04
-COPY --from=build /wheels /wheels
-COPY --from=build /opt/akraino/validation /opt/akraino/validation
-COPY --from=build /opt/akraino/ltp.tar.gz /opt/akraino/ltp.tar.gz
-COPY --from=build /opt/akraino/lynis-remote.tar.gz /opt/akraino/lynis-remote.tar.gz
-
-
-RUN apt-get update && apt-get -y upgrade && apt-get -y install \
- python3-pip python3.6 \
- sqlite \
- debian-goodies \
- wget \
- curl apt-transport-https ca-certificates software-properties-common && \
- curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && \
- add-apt-repository "deb https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" && \
- apt-get update && \
- apt-get install -y docker-ce && \
- cd /usr/bin && ln -s python3 python && \
- pip3 install -r /wheels/requirements/pip-requirements.txt \
- -f /wheels && \
- rm -rf /wheels && \
- rm -rf /root/.cache/pip/* && \
- rm -rf /var/cache/apt/* && \
- rm -rf /var/lib/apt/lists/*
-
-# Fetches vuls databases
+#Fetches vuls databases
 SHELL ["/bin/bash", "-c"]
-RUN wget https://dl.google.com/go/go1.12.6.linux-amd64.tar.gz -P /root/ && \
+RUN if [ $(uname -m) == 'aarch64' ]; then HOST_ARCH=arm64; else HOST_ARCH=amd64; fi && \
+ wget https://dl.google.com/go/go1.12.6.linux-$HOST_ARCH.tar.gz -P /root/ && \
 cd /root/ && \
- tar -xzf go1.12.6.linux-amd64.tar.gz -C /root/ && \
+ tar -xzf go1.12.6.linux-$HOST_ARCH.tar.gz -C /root/ && \
+ rm go1.12.6.linux-$HOST_ARCH.tar.gz && \
 export GOROOT=/root/go && \
 export GOPATH=/root/go/src && \
 export PATH=$PATH:/root/go/bin:/root/go/src/bin && \
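Review bot: The Go toolchain tarball fetched on the new `wget https://dl.google.com/go/go1.12.6.linux-$HOST_ARCH.tar.gz` line is extracted and used without any integrity check, so a tampered or truncated download silently becomes the compiler that builds vuls, go-cve-dictionary and every other Go tool in this image. Since the line now carries an architecture switch, that switch is the natural place to carry the expected digest too: `if [ "$(uname -m)" = 'aarch64' ]; then HOST_ARCH=arm64; GO_SHA256=<sha256-of-go1.12.6-arm64-tarball>; else HOST_ARCH=amd64; GO_SHA256=<sha256-of-go1.12.6-amd64-tarball>; fi && \` followed, after the `cd /root/`, by `echo "$GO_SHA256  go1.12.6.linux-$HOST_ARCH.tar.gz" | sha256sum -c - && \` (the two placeholders are the published checksums for that release). Quoting `$(uname -m)` and comparing with `=` rather than `==` also keeps the test valid should the `SHELL` line above ever revert to `/bin/sh`. The RUN instruction continues past the end of this hunk.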
@@ -98,16 +76,41 @@ RUN wget https://dl.google.com/go/go1.12.6.linux-amd64.tar.gz -P /root/ && \
 git -C /root/go/src/github.com/kotakanbe clone https://github.com/kotakanbe/go-cve-dictionary.git && \
 cd /root/go/src/github.com/kotakanbe/go-cve-dictionary/ && \
 make install && \
- mkdir /opt/akraino/validation/tests/os/vuls/ && \
 for i in $(seq 2002 "$(date +"%Y")"); do go-cve-dictionary fetchnvd -http-proxy=${HTTP_PROXY} -dbpath /opt/akraino/validation/tests/os/vuls/cve.sqlite3 -years "$i"; done && \
 git -C /root/go/src/github.com/kotakanbe clone https://github.com/kotakanbe/goval-dictionary.git && \
 cd /root/go/src/github.com/kotakanbe/goval-dictionary && \
 make install && \
- goval-dictionary fetch-ubuntu -http-proxy=${HTTP_PROXY} -dbpath=/opt/akraino/validation/tests/os/vuls/oval.sqlite3 16 && \
+ goval-dictionary fetch-ubuntu -http-proxy=${HTTP_PROXY} -dbpath=/opt/akraino/validation/tests/os/vuls/oval_ubuntu_16.sqlite3 16 && \
+ goval-dictionary fetch-ubuntu -http-proxy=${HTTP_PROXY} -dbpath=/opt/akraino/validation/tests/os/vuls/oval_ubuntu_18.sqlite3 18 && \
+ goval-dictionary fetch-redhat -http-proxy=${HTTP_PROXY} -dbpath=/opt/akraino/validation/tests/os/vuls/oval_centos.sqlite3 7 && \
+ mkdir -p /root/go/src/github.com/knqyf263 && \
+ git -C /root/go/src/github.com/knqyf263 clone https://github.com/knqyf263/gost.git && \
+ cd /root/go/src/github.com/knqyf263/gost && \
+ make install && \
+ gost fetch redhat --http-proxy=${HTTP_PROXY} --dbpath=/opt/akraino/validation/tests/os/vuls/gost_centos.sqlite3 && \
 cd /opt/akraino/validation/tests/os/vuls && \
 tar cvzf db.tar.gz *.sqlite3 && \
 rm *.sqlite3
 
+# Copy binaries into the final container and install robot framework
+FROM ubuntu:18.04
+COPY --from=build /wheels /wheels
+COPY --from=build /opt/akraino/validation /opt/akraino/validation
+COPY --from=build /opt/akraino/ltp.tar.gz /opt/akraino/ltp.tar.gz
+COPY --from=build /opt/akraino/lynis-remote.tar.gz /opt/akraino/lynis-remote.tar.gz
+COPY --from=build /root/go/bin /root/go/bin
+COPY --from=build /root/go/src/bin /root/go/src/bin
+
+RUN apt-get update && apt-get -y install \
+ python3-pip python3.6 && \
+ cd /usr/bin && ln -s python3 python && \
+ pip3 install -r /wheels/requirements/pip-requirements.txt \
+ -f /wheels && \
+ rm -rf /wheels && \
+ rm -rf /root/.cache/pip/* && \
+ rm -rf /var/cache/apt/* && \
+ rm -rf /var/lib/apt/lists/*
+
 # Install bluval dependencies
 RUN pip3 install -r /opt/akraino/validation/bluval/requirements.txt
 ENV LC_ALL=C.UTF-8
diff --git a/tests/os/vuls/vuls.robot b/tests/os/vuls/vuls.robot
index 6ddc283..c630c5a 100644
--- a/tests/os/vuls/vuls.robot
+++ b/tests/os/vuls/vuls.robot
@@ -19,7 +19,8 @@
 Library SSHLibrary
 Library OperatingSystem
 Library BuiltIn
-Library Process
+Suite Setup Open Connection And Log In
+Suite Teardown Close All Connections
 
 *** Variables ***
 ${LOG_PATH} /opt/akraino/validation/tests/os/vuls
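Review bot: The new `git -C /root/go/src/github.com/knqyf263 clone https://github.com/knqyf263/gost.git` line builds and installs whatever the default branch holds at build time, so the gost binary shipped in the image is not reproducible and any upstream change lands in the scanner unreviewed; the go-cve-dictionary and goval-dictionary clones above have the same shape, but this hunk adds a third. Pin the checkout, e.g. `git -C /root/go/src/github.com/knqyf263 clone --depth 1 --branch <gost-release-tag> https://github.com/knqyf263/gost.git && \`, and consider the same for the two existing clones in a follow-up. Separately, only release 7 data is fetched for CentOS (`fetch-redhat ... oval_centos.sqlite3 7`) while Ubuntu gets a per-release database, and the file name carries no version; a comment on that line such as `# CentOS/RHEL OVAL data covers release 7 only; add a per-release db before scanning other versions` would keep the limitation visible instead of surfacing as a misleading report on newer hosts.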
@@ -43,10 +44,27 @@ Run Vuls test
 ${rc} = Run And Return Rc tar xvzf db.tar.gz -C /opt/akraino/validation/tests/os/vuls/
 Should Be Equal As Integers ${rc} 0
-
+
+ ${os} = SSHLibrary.Execute Command source /etc/os-release && echo $ID
+
 ${rc} = Run And Return Rc vuls scan -config config.toml -ssh-config
 Should Be Equal As Integers ${rc} 0
- ${rc} ${output} = Run And Return Rc And Output vuls report
+ Run Keyword IF '${os}' == 'ubuntu' Run vuls for ubuntu ELSE IF '${os}' == 'centos' Run vuls for centos ELSE FAIL Distro '${os}' not supported
+
+*** Keywords ***
+Run vuls for ubuntu
+ ${os_version} = SSHLibrary.Execute Command source /etc/os-release && echo $VERSION_ID | cut -d '.' -f1
+
+ ${rc} ${output} = Run And Return Rc And Output vuls report -cvedb-sqlite3-path=${LOG_PATH}/cve.sqlite3 -ovaldb-sqlite3-path=${LOG_PATH}/oval_ubuntu_${os_version}.sqlite3
+ Should Be Equal As Integers ${rc} 0
+ Append To File ${LOG_PATH}/vuls.log ${output}${\n}
+
+Run vuls for centos
+ ${rc} ${output} = Run And Return Rc And Output vuls report -cvedb-sqlite3-path=${LOG_PATH}/cve.sqlite3 -ovaldb-sqlite3-path=${LOG_PATH}/oval_centos.sqlite3 -gostdb-sqlite3-path=${LOG_PATH}/gost_centos.sqlite3
 Should Be Equal As Integers ${rc} 0
 Append To File ${LOG_PATH}/vuls.log ${output}${\n}
+
+Open Connection And Log In
+ Open Connection ${HOST}
+ Login With Public Key ${USERNAME} ${SSH_KEYFILE}