12. В чем проблема?
• Версии OS
• Версии пакетов
• Расположение на диске
• Пользователи и права файлов
• Настройки приложения
• Параметры sysctl (открытые файлы и т.п.)
19. Зачем тестировать?
# Chef resources: converge the host so the redis package is present and the
# redis service is enabled at boot. This is the "intent" side; the spec that
# follows on the slide checks the resulting state independently.
package 'redis' do
action :install
end
service 'redis' do
action :enable
end
# Spec side: assert the same two facts the recipe above is meant to produce,
# without relying on the provisioning code having run correctly.
describe package('redis') do
it { should be_installed }
end
describe service('redis') do
it { should be_enabled }
end
20. Вот зачем
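# Control 'redis01': redis must be installed, enabled at boot, and its
# configured bind address must lie in 192.168.0.0/16 rather than on all
# interfaces.
control 'redis01' do
  describe package('redis') do
    it { should be_installed }
  end

  describe service('redis') do
    it { should be_enabled }
  end

  # The dots are escaped on purpose: the original /^192.168./ treated '.' as
  # "any character", so an address such as 1921168... would also have passed.
  # The regex stays line-anchored (^) because `config get bind` output spans
  # several lines — presumably the parameter name and then its value; verify
  # against the redis-cli version in use.
  describe command('redis-cli config get bind') do
    its('stdout') { should match(/^192\.168\./) }
  end
end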
21. Вот зачем
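# Control 'redis-sysctl': background saving (BGSAVE) needs
# vm.overcommit_memory = 1, otherwise the save can fail with a fork error
# (see the referenced Redis FAQ entry).
control 'redis-sysctl' do
  title 'Redis requires vm.overcommit_memory = 1 for BGSAVE'
  tag 'production'
  impact 0.8
  # Reference URLs must be single-line strings; the slide wrapped the FAQ
  # anchor across three lines, which would have embedded newlines in the URL.
  ref 'Redis FAQ', url: 'http://redis.io/topics/faq#background-saving-is-failing-with-a-fork-error-under-linux-even-if-i39ve-a-lot-of-free-ram'
  ref 'Redis Admin Guide', url: 'http://redis.io/topics/admin'

  describe kernel_parameter('vm.overcommit_memory') do
    its(:value) { should eq 1 }
  end
end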
23. Политики
# Control 'os-03' (dev-sec os hardening): /etc/passwd must be a regular file
# owned by root:root with the usual 0644-style permissions — writable only by
# the owner, readable by everyone, executable by nobody.
control 'os-03' do
impact 1.0
title 'Check owner and permissions for /etc/passwd'
desc 'Check periodically the owner and permissions for /etc/passwd'
describe file('/etc/passwd') do
# Existence and type come first so the permission checks below are meaningful.
it { should exist }
it { should be_file }
# Ownership: root user and root group.
it { should be_owned_by 'root' }
its('group') { should eq 'root' }
# No execute bit for anyone.
it { should_not be_executable }
# Write access restricted to the owner; group and other must not write.
it { should be_writable.by('owner') }
it { should_not be_writable.by('group') }
it { should_not be_writable.by('other') }
# World-readable is expected: passwd holds no secrets (hashes live in shadow).
it { should be_readable.by('owner') }
it { should be_readable.by('group') }
it { should be_readable.by('other') }
end
end
https://github.com/dev-sec/tests-os-hardening
24. Политики
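# Control 'package-01' (dev-sec os hardening): the legacy inetd/xinetd
# super-servers must not be installed.
control 'package-01' do
  impact 1.0
  title 'Do not run deprecated inetd or xinetd'
  # The slide's desc string was wrapped mid-URL and closed with a typographic
  # quote (’) instead of an ASCII quote, which left the string unterminated;
  # it is joined and terminated properly here.
  desc 'http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.1'

  describe package('inetd') do
    it { should_not be_installed }
  end

  describe package('xinetd') do
    it { should_not be_installed }
  end
end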
https://github.com/dev-sec/tests-os-hardening
25. Политики
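# Control 'nginx-04' (dev-sec nginx hardening): exactly one nginx master
# process may run on the host.
control 'nginx-04' do
  impact 1.0
  title 'Check for multiple instances'
  desc 'Different instances of the nginx webserver should run in separate environments'

  # Count nginx master processes; the second egrep removes the grep pipeline
  # itself from the match. The slide wrapped the command mid-option ("-\nv"),
  # which would have split it into two separate shell commands.
  describe command('ps aux | egrep "nginx: master" | egrep -v "grep" | wc -l') do
    its(:stdout) { should match(/^1$/) }
  end
end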
https://github.com/dev-sec/tests-nginx-hardening
26. Итоги
• Тесты как инструмент коммуникации
• Компенсируем сложность
• Ловим ошибки людей