Add Docker Bench for Security 04/1104/3
authorJuha Kosonen <juha.kosonen@nokia.com>
Tue, 2 Jul 2019 10:49:55 +0000 (13:49 +0300)
committerJuha Kosonen <juha.kosonen@nokia.com>
Tue, 2 Jul 2019 14:37:30 +0000 (17:37 +0300)
The Docker Bench for Security [1] is a script that checks for common
best-practices around deploying Docker containers. The Robot test case
added uploads the test script to all nodes of the cluster,
available CIS tests and downloads produced execution logs.

[1] https://github.com/docker/docker-bench-security/tree/master

JIRA: VAL-35

Change-Id: I107673363453f38344fd9db3c88b88ea70f1074a
Signed-off-by: Juha Kosonen <juha.kosonen@nokia.com>
tests/security/docker/docker_bench.resource [new file with mode: 0644]
tests/security/docker/docker_bench.robot [new file with mode: 0644]
tests/variables.yaml

diff --git a/tests/security/docker/docker_bench.resource b/tests/security/docker/docker_bench.resource
new file mode 100644 (file)
index 0000000..f4b9336
--- /dev/null
@@ -0,0 +1,75 @@
+##############################################################################
+# Copyright (c) 2019 AT&T Intellectual Property.                             #
+# Copyright (c) 2019 Nokia.                                                  #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License");            #
+# you maynot use this file except in compliance with the License.            #
+#                                                                            #
+# You may obtain a copy of the License at                                    #
+#       http://www.apache.org/licenses/LICENSE-2.0                           #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT  #
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.           #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+##############################################################################
+
+
+*** Settings ***
+Library            BuiltIn
+Library            OperatingSystem
+Library            Process
+Library            SSHLibrary
+Library            String
+
+
+*** Variables ***
+${REPORTDIR}       ${LOG_PATH}${/}${SUITE_NAME.replace(' ','_')}
+${SRCDIR}          ./docker-bench-security
+${DESTDIR}         /tmp/docker-bench-security
+${NODEDIR}         /tmp/docker-bench-security-run
+${SSH_OPTS}        -o StrictHostKeyChecking=no
+
+
+*** Keywords ***
+Open Connection And Log In
+    Open Connection        ${HOST}
+    Login With Public Key  ${USERNAME}  ${SSH_KEYFILE}
+
+Download Docker Bench Software
+    Remove Docker Bench Software
+    Run Process            git  clone
+    ...                    https://github.com/docker/docker-bench-security.git  ${SRCDIR}
+
+Upload Test Software To Nodes
+    Put Directory          ${SRCDIR}  ${DESTDIR}  recursive=True
+    Get Node Addresses
+    Copy Test Software To All Nodes
+
+Run Test Software On Nodes
+    :FOR  ${node}  IN  @{nodes}
+    \   Execute Command   ssh ${SSH_OPTS} ${node} "cd ${NODEDIR}; sudo ./docker-bench-security.sh -b -l bench.log"
+    \   Execute Command   scp ${SSH_OPTS} ${node}:${NODEDIR}/bench.log ${DESTDIR}/docker-bench-${node}.log
+    \   Execute Command   scp ${SSH_OPTS} ${node}:${NODEDIR}/bench.log.json ${DESTDIR}/docker-bench-${node}.json
+    \   SSHLibrary.Get File  ${DESTDIR}/docker-bench-${node}.log  ${REPORTDIR}/
+    \   SSHLibrary.Get File  ${DESTDIR}/docker-bench-${node}.json  ${REPORTDIR}/
+
+Get Node Addresses
+    ${stdout}=            Execute Command
+    ...                   kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="InternalIP")].address'}
+    @{nodes}=             Split String  ${stdout}
+    Set Test Variable     @{nodes}
+
+Copy Test Software To All Nodes
+    :FOR  ${node}  IN  @{nodes}
+    \   Execute Command   ssh ${SSH_OPTS} ${node} "mkdir -p ${NODEDIR}"
+    \   Execute Command   scp ${SSH_OPTS} -rp ${DESTDIR}/. ${node}:${NODEDIR}
+
+Remove Docker Bench Software
+    Remove Directory       ${SRCDIR}  recursive=True
+
+Remove Test Software From Nodes
+    :FOR  ${node}  IN  @{nodes}
+    \   Execute Command   ssh ${SSH_OPTS} ${node} "rm -rf ${NODEDIR}"
+    Execute Command       rm -rf ${DESTDIR}
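Review bot: `Download Docker Bench Software` clones whatever the upstream master branch currently contains and `Run Test Software On Nodes` then executes that checkout with `sudo` on every cluster node, so the code run as root is not pinned to a reviewed version, and a failed clone goes unnoticed because `Run Process` does not fail on a non-zero exit code. Pin the checkout and assert the result: `${result}=  Run Process  git  clone  --branch  <PINNED_TAG>  https://github.com/docker/docker-bench-security.git  ${SRCDIR}` followed by `Should Be Equal As Integers  ${result.rc}  0`. The same silent failure applies to every `Execute Command` in the loops, which return stdout only; pass `return_rc=True` and check the code, otherwise a node whose ssh, scp or script run fails still yields a green test. `${SSH_OPTS}` sets `StrictHostKeyChecking=no` for the node-to-node ssh/scp that carries the script and the results, which removes the protection a known host key gives; `StrictHostKeyChecking=accept-new` or a known_hosts populated on the master is the safer default. In `Get Node Addresses` the closing single quote sits before the `}` of the jsonpath expression; it works only because the shell concatenates the pieces, and `'{.items[*].status.addresses[?(@.type=="InternalIP")].address}'` is what was meant.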
diff --git a/tests/security/docker/docker_bench.robot b/tests/security/docker/docker_bench.robot
new file mode 100644 (file)
index 0000000..591c6cc
--- /dev/null
@@ -0,0 +1,35 @@
+##############################################################################
+# Copyright (c) 2019 AT&T Intellectual Property.                             #
+# Copyright (c) 2019 Nokia.                                                  #
+#                                                                            #
+# Licensed under the Apache License, Version 2.0 (the "License");            #
+# you maynot use this file except in compliance with the License.            #
+#                                                                            #
+# You may obtain a copy of the License at                                    #
+#       http://www.apache.org/licenses/LICENSE-2.0                           #
+#                                                                            #
+# Unless required by applicable law or agreed to in writing, software        #
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT  #
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.           #
+# See the License for the specific language governing permissions and        #
+# limitations under the License.                                             #
+##############################################################################
+
+
+*** Settings ***
+Documentation     Runs the Docker Bench for Security script which checks for
+...               dozens of common best-practices around deploying Docker
+...               containers in production.
+Library           BuiltIn
+Resource          docker_bench.resource
+Suite Setup       Run Keywords  Open Connection And Log In
+...                             Download Docker Bench Software
+Suite Teardown    Run Keywords  Remove Docker Bench Software
+...                             Close All Connections
+Test Setup        Upload Test Software To Nodes
+Test Teardown     Remove Test Software From Nodes
+
+
+*** Test Cases ***
+Security Check By Docker Bench
+    Run Test Software On Nodes
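Review bot: `Security Check By Docker Bench` passes regardless of what the benchmark finds, since `Run Test Software On Nodes` only runs the script and fetches `bench.log`/`bench.log.json`, so the suite is a report collector rather than a check; either say so in `Documentation` (e.g. `...               Results are collected as reports only; findings do not fail the test.`) or read the downloaded JSON and fail or warn on WARN entries. `Test Teardown     Remove Test Software From Nodes` iterates `@{nodes}`, which is only set inside `Upload Test Software To Nodes` by `Get Node Addresses`; if the setup fails before that point (for example in `Put Directory`), the teardown errors on the undefined variable instead of cleaning up `${DESTDIR}`. Declaring `@{nodes}` as an empty list in the resource's `*** Variables ***` section, which `Set Test Variable` later overrides, avoids that.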
index 2949440..aef860f 100644 (file)
@@ -27,6 +27,7 @@
 host: aknode109             # cluster's master host address
 username: mm747b            # user credentials
 home: /home/mm747b          # Public keys location
+ssh_keyfile: ~/.ssh/id_rsa  # Identity file for authentication
 
 ### Input variables for bios_version_dell.robot
 sysinfo: PowerEdge R740xd
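Review bot: `ssh_keyfile: ~/.ssh/id_rsa` relies on `~` being expanded somewhere below Robot, which does not expand it in variable values itself; if `Login With Public Key` passes the string straight to its file check, the suite fails with a key-file-not-found error before any test runs. The neighbouring `home: /home/mm747b` entry is already an absolute path, so an absolute value such as `ssh_keyfile: /home/mm747b/.ssh/id_rsa` (assuming the suite runs as that user) keeps the file consistent and independent of the invoking user's home directory.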