From 46fdb5c3ada989e4f99627df2952ddeadb12b59d Mon Sep 17 00:00:00 2001
From: Juha Kosonen
Date: Tue, 2 Jul 2019 13:49:55 +0300
Subject: [PATCH] Add Docker Bench for Security

The Docker Bench for Security [1] is a script that checks for common best-practices around deploying Docker containers. The Robot test case added uploads the test script on all nodes of the cluster, runs all available CIS tests and downloads produced execution logs.
[1] https://github.com/docker/docker-bench-security/tree/master
JIRA: VAL-35
Change-Id: I107673363453f38344fd9db3c88b88ea70f1074a
Signed-off-by: Juha Kosonen
---
 tests/security/docker/docker_bench.resource | 75 +++++++++++++++++++++++++++++
 tests/security/docker/docker_bench.robot | 35 ++++++++++++++
 tests/variables.yaml | 1 +
 3 files changed, 111 insertions(+)
 create mode 100644 tests/security/docker/docker_bench.resource
 create mode 100644 tests/security/docker/docker_bench.robot
diff --git a/tests/security/docker/docker_bench.resource b/tests/security/docker/docker_bench.resource
new file mode 100644
index 0000000..f4b9336
--- /dev/null
+++ b/tests/security/docker/docker_bench.resource
@@ -0,0 +1,75 @@
+##############################################################################
+# Copyright (c) 2019 AT&T Intellectual Property. #
+# Copyright (c) 2019 Nokia. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); #
+# you maynot use this file except in compliance with the License. #
+# #
+# You may obtain a copy of the License at #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT #
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+##############################################################################
+
+
+*** Settings ***
+Library BuiltIn
+Library OperatingSystem
+Library Process
+Library SSHLibrary
+Library String
+
+
+*** Variables ***
+${REPORTDIR} ${LOG_PATH}${/}${SUITE_NAME.replace(' ','_')}
+${SRCDIR} ./docker-bench-security
+${DESTDIR} /tmp/docker-bench-security
+${NODEDIR} /tmp/docker-bench-security-run
+${SSH_OPTS} -o StrictHostKeyChecking=no
+
+
+*** Keywords ***
+Open Connection And Log In
+ Open Connection ${HOST}
+ Login With Public Key ${USERNAME} ${SSH_KEYFILE}
+
+Download Docker Bench Software
+ Remove Docker Bench Software
+ Run Process git clone
+ ... https://github.com/docker/docker-bench-security.git ${SRCDIR}
+
+Upload Test Software To Nodes
+ Put Directory ${SRCDIR} ${DESTDIR} recursive=True
+ Get Node Addresses
+ Copy Test Software To All Nodes
+
+Run Test Software On Nodes
+ :FOR ${node} IN @{nodes}
+ \ Execute Command ssh ${SSH_OPTS} ${node} "cd ${NODEDIR}; sudo ./docker-bench-security.sh -b -l bench.log"
+ \ Execute Command scp ${SSH_OPTS} ${node}:${NODEDIR}/bench.log ${DESTDIR}/docker-bench-${node}.log
+ \ Execute Command scp ${SSH_OPTS} ${node}:${NODEDIR}/bench.log.json ${DESTDIR}/docker-bench-${node}.json
+ \ SSHLibrary.Get File ${DESTDIR}/docker-bench-${node}.log ${REPORTDIR}/
+ \ SSHLibrary.Get File ${DESTDIR}/docker-bench-${node}.json ${REPORTDIR}/
+
+Get Node Addresses
+ ${stdout}= Execute Command
+ ... kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="InternalIP")].address'}
+ @{nodes}= Split String ${stdout}
+ Set Test Variable @{nodes}
+
+Copy Test Software To All Nodes
+ :FOR ${node} IN @{nodes}
+ \ Execute Command ssh ${SSH_OPTS} ${node} "mkdir -p ${NODEDIR}"
+ \ Execute Command scp ${SSH_OPTS} -rp ${DESTDIR}/. ${node}:${NODEDIR}
+
+Remove Docker Bench Software
+ Remove Directory ${SRCDIR} recursive=True
+
+Remove Test Software From Nodes
+ :FOR ${node} IN @{nodes}
+ \ Execute Command ssh ${SSH_OPTS} ${node} "rm -rf ${NODEDIR}"
+ Execute Command rm -rf ${DESTDIR}
diff --git a/tests/security/docker/docker_bench.robot b/tests/security/docker/docker_bench.robot
new file mode 100644
index 0000000..591c6cc
--- /dev/null
+++ b/tests/security/docker/docker_bench.robot
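Review bot: `Download Docker Bench Software` clones the unpinned default branch of docker-bench-security and `Run Test Software On Nodes` then executes it with `sudo` on every node, so whatever upstream serves at run time (including a compromised or simply changed upstream) runs as root cluster-wide with nothing verifying it. Pin the checkout and check it before upload, e.g. `Run Process git clone --branch ${BENCH_VERSION} --depth 1 https://github.com/docker/docker-bench-security.git ${SRCDIR}` followed by comparing `git -C ${SRCDIR} rev-parse HEAD` against an expected commit hash. The master-to-node `ssh`/`scp` calls all use `-o StrictHostKeyChecking=no`, which accepts any host key silently; `-o StrictHostKeyChecking=accept-new` (OpenSSH 7.6+) or a pre-populated known_hosts on the master avoids the prompt without giving up the check. `Execute Command` as used here discards the remote exit status, so a failing `sudo ./docker-bench-security.sh` or `scp` does not fail the test; request `return_rc=True` and assert the rc is 0. Finally, `${NODEDIR}` is a fixed path under world-writable `/tmp` that another local user on a node could pre-create before the `mkdir -p`/`scp`, so a per-run `mktemp -d` (or a directory under the SSH user's home) is the safer location for a script that is then run as root.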
@@ -0,0 +1,35 @@
+##############################################################################
+# Copyright (c) 2019 AT&T Intellectual Property. #
+# Copyright (c) 2019 Nokia. #
+# #
+# Licensed under the Apache License, Version 2.0 (the "License"); #
+# you maynot use this file except in compliance with the License. #
+# #
+# You may obtain a copy of the License at #
+# http://www.apache.org/licenses/LICENSE-2.0 #
+# #
+# Unless required by applicable law or agreed to in writing, software #
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT #
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
+# See the License for the specific language governing permissions and #
+# limitations under the License. #
+##############################################################################
+
+
+*** Settings ***
+Documentation Runs the Docker Bench for Security script which checks for
+... dozens of common best-practices around deploying Docker
+... containers in production.
+Library BuiltIn
+Resource docker_bench.resource
+Suite Setup Run Keywords Open Connection And Log In
+... Download Docker Bench Software
+Suite Teardown Run Keywords Remove Docker Bench Software
+... Close All Connections
+Test Setup Upload Test Software To Nodes
+Test Teardown Remove Test Software From Nodes
+
+
+*** Test Cases ***
+Security Check By Docker Bench
+ Run Test Software On Nodes
diff --git a/tests/variables.yaml b/tests/variables.yaml
index 2949440..aef860f 100644
--- a/tests/variables.yaml
+++ b/tests/variables.yaml
@@ -27,6 +27,7 @@
 host: aknode109 # cluster's master host address
 username: mm747b # user credentials
 home: /home/mm747b # Public keys location
+ssh_keyfile: ~/.ssh/id_rsa # Identity file for authentication
 ### Input variables for bios_version_dell.robot
 sysinfo: PowerEdge R740xd
-- 
2.16.6
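Review bot: `Security Check By Docker Bench` only calls `Run Test Software On Nodes` and asserts nothing, so the test passes regardless of what the bench reports; the findings merely land in `${REPORTDIR}` as `docker-bench-<node>.log` and `.json`. Either make that explicit in `Documentation`, e.g. append `... Results are only collected into the report directory; the test does not fail on WARN findings.`, or evaluate the downloaded JSON and fail on WARN results (its exact structure is not visible here, so confirm it against the pinned bench version). Also note that Robot still runs `Test Teardown` when `Test Setup` fails, and `Remove Test Software From Nodes` iterates `@{nodes}`, which is only set inside `Get Node Addresses`; if `Put Directory` fails first, the teardown itself errors on the undefined variable, so the teardown should tolerate a missing `@{nodes}` (for instance by guarding it with `Variable Should Exist` / `Run Keyword If`).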
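Review bot: `ssh_keyfile: ~/.ssh/id_rsa` is handed to `Login With Public Key` as a raw string, and nothing visible here establishes that `~` is expanded at that point (Robot itself does not expand it), so an absolute path such as `/home/<runner-user>/.ssh/id_rsa` avoids a possible "key file does not exist" failure. The comment also undersells the key's scope: it authenticates the test runner to the master only, while the master-to-node `ssh`/`scp` hops rely on whatever key or agent the master user already has, which this commit does not document; `# Private key used by the runner to reach the master; master->node ssh uses the master user's own keys/agent` would make the prerequisite clear.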