SecureDrop testinfra test failures (app-staging and mon-staging, Vagrant, 2017-03-14)

Reviewer notes on the output below:
- On both hosts `iptables -S` and `ip6tables -S` return only `-P INPUT ACCEPT`, `-P FORWARD ACCEPT`, `-P OUTPUT ACCEPT`: no rules are loaded and every default policy is ACCEPT, so none of the expected filtering (DROP defaults, the LOGNDROP chain, the per-uid egress restrictions for tor/apache/ssh) is in force on these staging VMs. Until the firewall role is applied, these hosts have no network filtering at all; the test failures are reporting a real gap, not a test bug.
- On mon-staging nothing is listening on udp/1514 and `list_agents -a` reports `** No agent available.`, so the OSSEC server is not receiving from the app host; this is consistent with the missing firewall rules but may also be a separate provisioning failure.
- `test_tor_service_hostnames` fails on a test defect: the ATHS regex `[a-zA-Z0-9/]{22}` does not allow `+`, but the HidServAuth cookie on disk (`yyZP+S5bhwyRBt0I7I7QeB`) contains one. The character class should be `[a-zA-Z0-9+/]{22}`, and the pattern should be a raw string (`r"[a-z0-9]{16}\.onion"`) so `\.` is not a Python escape.
- The captured output prints the staging SSH onion hostname together with its HidServAuth cookie. Treat that cookie as disclosed (regenerate it before this staging service is reused) and redact it before sharing logs like this publicly.
===================================================================== FAILURES ======================================================================
_______________________________________________ test_ip6tables_drop_everything[ansible://app-staging] _______________________________________________
[gw3] darwin -- Python 2.7.12 /usr/local/opt/python/bin/python2.7
Command = <command>, Sudo = <sudo>
def test_ip6tables_drop_everything(Command, Sudo):
"""
Ensure that all IPv6 packets are dropped by default.
The IPv4 rules are more complicated, and tested separately.
"""
desired_ip6tables_output = """
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
""".lstrip().rstrip()
with Sudo():
c = Command("ip6tables -S")
> assert c.stdout == desired_ip6tables_output
E assert '-P INPUT ACC...OUTPUT ACCEPT' == '-P INPUT DROP...P OUTPUT DROP'
E - -P INPUT ACCEPT
E + -P INPUT DROP
E - -P FORWARD ACCEPT
E ? ^^^^ -
E + -P FORWARD DROP
E ? ^^^
E - -P OUTPUT ACCEPT
E + -P OUTPUT DROP
testinfra/common/test_ip6tables.py:14: AssertionError
--------------------------------------------------------------- Captured stderr call ----------------------------------------------------------------
INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'ip6tables -S'", {}): {u'changed': True,
u'cmd': u"sudo /bin/sh -c 'ip6tables -S'",
u'delta': u'0:00:00.086394',
u'end': u'2017-03-14 21:30:35.569725',
'invocation': {'module_args': u"sudo /bin/sh -c 'ip6tables -S'",
'module_name': u'shell'},
u'rc': 0,
u'start': u'2017-03-14 21:30:35.483331',
u'stderr': u'',
u'stdout': u'-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT',
u'warnings': []}
INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'ip6tables -S'", exit_status=0, stdout='-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT', stderr=u'')
____________________________________________________ test_iptables_rules[ansible://app-staging] _____________________________________________________
[gw1] darwin -- Python 2.7.12 /usr/local/opt/python/bin/python2.7
Command = <command>, Sudo = <sudo>
def test_iptables_rules(Command, Sudo):
"""
Ensure the correct iptables rules are checked. Using a single string
equivalency check for the entirety of the iptables output, since
rule order is critical. Testinfra will provide diffed output on failure.
"""
# This approach will only work with the local Vagrant environment.
# The hardcoded rules in per-host vars files contain static IPv4 addresses
# that won't work in CI. TODO: update to use dynamic vars for real IPv4
# addresses. There's a test in `mon/test_network` currently marked as "skip"
# that includes most of the logic necessary for dynamic vars.
with Sudo():
c = Command("iptables -S")
> assert c.stdout == securedrop_test_vars.iptables_complete_ruleset
E assert '-P INPUT ACC...OUTPUT ACCEPT' == '-P INPUT DROP...NDROP -j DROP'
E - -P INPUT ACCEPT
E + -P INPUT DROP
E - -P FORWARD ACCEPT
E ? ^^^^ -
E + -P FORWARD DROP
E ? ^^^
E - -P OUTPUT ACCEPT
E + -P OUTPUT DROP
E + -N LOGNDROP
E + -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT
E + -A INPUT -i lo -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to source int" -j ACCEPT
E + -A INPUT -i lo -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to journalist int" -j ACCEPT
E + -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT
E + -A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
E + -A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
E + -A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT
E + -A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT
E + -A INPUT -s 10.0.1.3/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT
E + -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
E + -A INPUT -p udp -m udp --sport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
E + -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
E + -A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
E + -A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT
E + -A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP
E + -A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP
E + -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh dameon" -j ACCEPT
E + -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state NEW -m comment --comment "Drop all other new connections from tor to the ssh dameon" -j LOGNDROP
E + -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT
E + -A OUTPUT -p tcp -m owner --uid-owner 107 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tor instance that provides ssh access" -j ACCEPT
E + -A OUTPUT -m owner --uid-owner 107 -m comment --comment "Drop all other traffic for the tor instance used for ssh" -j LOGNDROP
E + -A OUTPUT -o lo -p tcp -m tcp --sport 80 -m owner --uid-owner 33 -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT
E + -A OUTPUT -o lo -p tcp -m tcp --sport 8080 -m owner --uid-owner 33 -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT
E + -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -p tcp -m owner --uid-owner 33 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT
E + -A OUTPUT -m owner --uid-owner 33 -m comment --comment "Drop all other traffic by the securedrop user" -j LOGNDROP
E + -A OUTPUT -m owner --gid-owner 108 -m comment --comment "Drop all other outbound traffic for ssh user" -j LOGNDROP
E + -A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
E + -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
E + -A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT
E + -A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT
E + -A OUTPUT -d 10.0.1.3/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT
E + -A OUTPUT -o eth0 -p tcp -m owner --uid-owner 0 -m tcp --sport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
E + -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
E + -A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
E + -A OUTPUT -o eth0 -p tcp -m tcp --sport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
E + -A OUTPUT -o lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT
E + -A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP
E + -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid
E + -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid
E + -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid
E + -A LOGNDROP -j DROP
testinfra/common/test_ip4tables.py:20: AssertionError
--------------------------------------------------------------- Captured stderr call ----------------------------------------------------------------
INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'iptables -S'", {}): {u'changed': True,
u'cmd': u"sudo /bin/sh -c 'iptables -S'",
u'delta': u'0:00:00.055518',
u'end': u'2017-03-14 21:30:35.884533',
'invocation': {'module_args': u"sudo /bin/sh -c 'iptables -S'",
'module_name': u'shell'},
u'rc': 0,
u'start': u'2017-03-14 21:30:35.829015',
u'stderr': u'',
u'stdout': u'-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT',
u'warnings': []}
INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'iptables -S'", exit_status=0, stdout='-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT', stderr=u'')
============================================ 2 failed, 272 passed, 1 skipped, 6 xfailed in 65.15 seconds ============================================
Traceback (most recent call last):
File "./testinfra/test.py", line 125, in <module>
run_testinfra(target_host)
File "./testinfra/test.py", line 122, in run_testinfra
subprocess.check_call(testinfra_command)
File "/usr/local/Cellar/python/2.7.12/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 541, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['testinfra', '-vv', '-n', 'auto', '--connection', 'ansible', '--ansible-inventory', '.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory', '--hosts', 'app-staging', 'testinfra/app', 'testinfra/app-code', 'testinfra/common', 'testinfra/development/test_xvfb.py']' returned non-zero exit status 1
===================================================================== FAILURES ======================================================================
____________________________________________ test_listening_ports[ansible://mon-staging-ossec_service2] _____________________________________________
[gw2] darwin -- Python 2.7.12 /usr/local/opt/python/bin/python2.7
Socket = <class 'testinfra.modules.base.LinuxSocket'>, Sudo = <sudo>
ossec_service = {'host': '0.0.0.0', 'port': 1514, 'proto': 'udp'}
@pytest.mark.parametrize('ossec_service', [
dict(host="0.0.0.0", proto="tcp", port=22),
dict(host="127.0.0.1", proto="tcp", port=25),
dict(host="0.0.0.0", proto="udp", port=1514),
])
def test_listening_ports(Socket, Sudo, ossec_service):
"""
Ensure the OSSEC-related services are listening on the
expected sockets. Services to check include ossec, mail, and ssh.
"""
socket = "{proto}://{host}:{port}".format(**ossec_service)
with Sudo():
> assert Socket(socket).is_listening
E assert <socket udp://0.0.0.0:1514>.is_listening
E + where <socket udp://0.0.0.0:1514> = <class 'testinfra.modules.base.LinuxSocket'>('udp://0.0.0.0:1514')
testinfra/mon/test_network.py:73: AssertionError
--------------------------------------------------------------- Captured stderr setup ---------------------------------------------------------------
INFO:testinfra:RUN Ansible(u'shell', u'uname -s', {}): {u'changed': True,
u'cmd': u'uname -s',
u'delta': u'0:00:00.016381',
u'end': u'2017-03-14 21:32:10.844767',
'invocation': {'module_args': u'uname -s', 'module_name': u'shell'},
u'rc': 0,
u'start': u'2017-03-14 21:32:10.828386',
u'stderr': u'',
u'stdout': u'Linux',
u'warnings': []}
INFO:testinfra:RUN CommandResult(command=u'uname -s', exit_status=0, stdout='Linux', stderr=u'')
INFO:testinfra:RUN Ansible(u'shell', u'lsb_release -a', {}): {u'changed': True,
u'cmd': u'lsb_release -a',
u'delta': u'0:00:00.348618',
u'end': u'2017-03-14 21:32:12.471156',
'invocation': {'module_args': u'lsb_release -a', 'module_name': u'shell'},
u'rc': 0,
u'start': u'2017-03-14 21:32:12.122538',
u'stderr': u'No LSB modules are available.',
u'stdout': u'Distributor ID:\tUbuntu\nDescription:\tUbuntu 14.04.5 LTS\nRelease:\t14.04\nCodename:\ttrusty',
u'warnings': []}
INFO:testinfra:RUN CommandResult(command=u'lsb_release -a', exit_status=0, stdout='Distributor ID:\tUbuntu\nDescription:\tUbuntu 14.04.5 LTS\nRelease:\t14.04\nCodename:\ttrusty', stderr='No LSB modules are available.')
--------------------------------------------------------------- Captured stderr call ----------------------------------------------------------------
INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'netstat -n -l -u'", {}): {u'changed': True,
u'cmd': u"sudo /bin/sh -c 'netstat -n -l -u'",
u'delta': u'0:00:00.041461',
u'end': u'2017-03-14 21:32:12.809087',
'invocation': {'module_args': u"sudo /bin/sh -c 'netstat -n -l -u'",
'module_name': u'shell'},
u'rc': 0,
u'start': u'2017-03-14 21:32:12.767626',
u'stderr': u'',
u'stdout': u'Active Internet connections (only servers)\nProto Recv-Q Send-Q Local Address Foreign Address State \nudp 0 0 10.0.1.3:123 0.0.0.0:* \nudp 0 0 10.0.2.15:123 0.0.0.0:* \nudp 0 0 127.0.0.1:123 0.0.0.0:* \nudp 0 0 0.0.0.0:123 0.0.0.0:* \nudp 0 0 0.0.0.0:58060 0.0.0.0:* \nudp 0 0 0.0.0.0:789 0.0.0.0:* \nudp 0 0 0.0.0.0:34863 0.0.0.0:* \nudp 0 0 0.0.0.0:68 0.0.0.0:* \nudp 0 0 127.0.0.1:851 0.0.0.0:* \nudp 0 0 0.0.0.0:111 0.0.0.0:* \nudp6 0 0 :::123 :::* \nudp6 0 0 :::33688 :::* \nudp6 0 0 :::50337 :::* \nudp6 0 0 :::789 :::* \nudp6 0 0 :::111 :::* ',
u'warnings': []}
INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'netstat -n -l -u'", exit_status=0, stdout='Active Internet connections (only servers)\nProto Recv-Q Send-Q Local Address Foreign Address State \nudp 0 0 10.0.1.3:123 0.0.0.0:* \nudp 0 0 10.0.2.15:123 0.0.0.0:* \nudp 0 0 127.0.0.1:123 0.0.0.0:* \nudp 0 0 0.0.0.0:123 0.0.0.0:* \nudp 0 0 0.0.0.0:58060 0.0.0.0:* \nudp 0 0 0.0.0.0:789 0.0.0.0:* \nudp 0 0 0.0.0.0:34863 0.0.0.0:* \nudp 0 0 0.0.0.0:68 0.0.0.0:* \nudp 0 0 127.0.0.1:851 0.0.0.0:* \nudp 0 0 0.0.0.0:111 0.0.0.0:* \nudp6 0 0 :::123 :::* \nudp6 0 0 :::33688 :::* \nudp6 0 0 :::50337 :::* \nudp6 0 0 :::789 :::* \nudp6 0 0 :::111 :::* ', stderr=u'')
__________________________________________________ test_ossec_connectivity[ansible://mon-staging] ___________________________________________________
[gw2] darwin -- Python 2.7.12 /usr/local/opt/python/bin/python2.7
Command = <command>, Sudo = <sudo>
def test_ossec_connectivity(Command, Sudo):
"""
Ensure ossec-server machine has active connection to the ossec-agent.
The ossec service will report all available agents, and we can inspect
that list to make sure it's the host we expect.
"""
desired_output = "{}-{} is available.".format(securedrop_test_vars.app_hostname,
securedrop_test_vars.app_ip)
with Sudo():
c = Command("/var/ossec/bin/list_agents -a")
> assert c.stdout == desired_output
E assert '** No agent available.' == 'app-staging-10.0.1.2 is available.'
E - ** No agent available.
E + app-staging-10.0.1.2 is available.
testinfra/mon/test_ossec.py:94: AssertionError
--------------------------------------------------------------- Captured stderr call ----------------------------------------------------------------
INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c '/var/ossec/bin/list_agents -a'", {}): {u'changed': True,
u'cmd': u"sudo /bin/sh -c '/var/ossec/bin/list_agents -a'",
u'delta': u'0:00:00.038483',
u'end': u'2017-03-14 21:32:13.197885',
'invocation': {'module_args': u"sudo /bin/sh -c '/var/ossec/bin/list_agents -a'",
'module_name': u'shell'},
u'rc': 0,
u'start': u'2017-03-14 21:32:13.159402',
u'stderr': u'',
u'stdout': u'** No agent available.',
u'warnings': []}
INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c '/var/ossec/bin/list_agents -a'", exit_status=0, stdout='** No agent available.', stderr=u'')
____________________________________________________ test_iptables_rules[ansible://mon-staging] _____________________________________________________
[gw1] darwin -- Python 2.7.12 /usr/local/opt/python/bin/python2.7
Command = <command>, Sudo = <sudo>
def test_iptables_rules(Command, Sudo):
"""
Ensure the correct iptables rules are checked. Using a single string
equivalency check for the entirety of the iptables output, since
rule order is critical. Testinfra will provide diffed output on failure.
"""
# This approach will only work with the local Vagrant environment.
# The hardcoded rules in per-host vars files contain static IPv4 addresses
# that won't work in CI. TODO: update to use dynamic vars for real IPv4
# addresses. There's a test in `mon/test_network` currently marked as "skip"
# that includes most of the logic necessary for dynamic vars.
with Sudo():
c = Command("iptables -S")
> assert c.stdout == securedrop_test_vars.iptables_complete_ruleset
E assert '-P INPUT ACC...OUTPUT ACCEPT' == '-P INPUT DROP...NDROP -j DROP'
E - -P INPUT ACCEPT
E + -P INPUT DROP
E - -P FORWARD ACCEPT
E ? ^^^^ -
E + -P FORWARD DROP
E ? ^^^
E - -P OUTPUT ACCEPT
E + -P OUTPUT DROP
E + -N LOGNDROP
E + -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT
E + -A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
E + -A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
E + -A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT
E + -A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT
E + -A INPUT -s 10.0.1.2/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT
E + -A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
E + -A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
E + -A INPUT -p tcp -m tcp --sport 587 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT
E + -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
E + -A INPUT -p udp -m udp --sport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
E + -A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT
E + -A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP
E + -A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP
E + -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh dameon" -j ACCEPT
E + -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state NEW -m comment --comment "Drop all other new connections from tor to the ssh dameon" -j LOGNDROP
E + -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT
E + -A OUTPUT -p tcp -m owner --uid-owner 107 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tor instance that provides ssh access" -j ACCEPT
E + -A OUTPUT -m owner --uid-owner 107 -m comment --comment "Drop all other traffic for the tor instance used for ssh" -j LOGNDROP
E + -A OUTPUT -m owner --gid-owner 108 -m comment --comment "Drop all other outbound traffic for ssh user" -j LOGNDROP
E + -A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
E + -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
E + -A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT
E + -A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT
E + -A OUTPUT -d 10.0.1.2/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT
E + -A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 108 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT
E + -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 108 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT
E + -A OUTPUT -p tcp -m tcp --dport 587 -m owner --uid-owner 108 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT
E + -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
E + -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
E + -A OUTPUT -o lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT
E + -A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP
E + -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid
E + -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid
E + -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid
E + -A LOGNDROP -j DROP
testinfra/common/test_ip4tables.py:20: AssertionError
--------------------------------------------------------------- Captured stderr call ----------------------------------------------------------------
INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'iptables -S'", {}): {u'changed': True,
u'cmd': u"sudo /bin/sh -c 'iptables -S'",
u'delta': u'0:00:00.065854',
u'end': u'2017-03-14 21:32:35.603351',
'invocation': {'module_args': u"sudo /bin/sh -c 'iptables -S'",
'module_name': u'shell'},
u'rc': 0,
u'start': u'2017-03-14 21:32:35.537497',
u'stderr': u'',
u'stdout': u'-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT',
u'warnings': []}
INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'iptables -S'", exit_status=0, stdout='-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT', stderr=u'')
_______________________________________________ test_ip6tables_drop_everything[ansible://mon-staging] _______________________________________________
[gw1] darwin -- Python 2.7.12 /usr/local/opt/python/bin/python2.7
Command = <command>, Sudo = <sudo>
def test_ip6tables_drop_everything(Command, Sudo):
"""
Ensure that all IPv6 packets are dropped by default.
The IPv4 rules are more complicated, and tested separately.
"""
desired_ip6tables_output = """
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
""".lstrip().rstrip()
with Sudo():
c = Command("ip6tables -S")
> assert c.stdout == desired_ip6tables_output
E assert '-P INPUT ACC...OUTPUT ACCEPT' == '-P INPUT DROP...P OUTPUT DROP'
E - -P INPUT ACCEPT
E + -P INPUT DROP
E - -P FORWARD ACCEPT
E ? ^^^^ -
E + -P FORWARD DROP
E ? ^^^
E - -P OUTPUT ACCEPT
E + -P OUTPUT DROP
testinfra/common/test_ip6tables.py:14: AssertionError
--------------------------------------------------------------- Captured stderr call ----------------------------------------------------------------
INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'ip6tables -S'", {}): {u'changed': True,
u'cmd': u"sudo /bin/sh -c 'ip6tables -S'",
u'delta': u'0:00:00.049154',
u'end': u'2017-03-14 21:32:36.214350',
'invocation': {'module_args': u"sudo /bin/sh -c 'ip6tables -S'",
'module_name': u'shell'},
u'rc': 0,
u'start': u'2017-03-14 21:32:36.165196',
u'stderr': u'',
u'stdout': u'-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT',
u'warnings': []}
INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'ip6tables -S'", exit_status=0, stdout='-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT', stderr=u'')
__________________________________________ test_tor_service_hostnames[ansible://mon-staging-tor_service0] ___________________________________________
[gw3] darwin -- Python 2.7.12 /usr/local/opt/python/bin/python2.7
File = <class 'testinfra.modules.base.GNUFile'>, Sudo = <sudo>
tor_service = {'authenticated': True, 'client': 'admin', 'name': 'ssh', 'ports': ['22']}
@pytest.mark.parametrize('tor_service', sdvars.tor_services)
def test_tor_service_hostnames(File, Sudo, tor_service):
"""
Check contents of tor service hostname file. For normal Hidden Services,
the file should contain only hostname (.onion URL). For Authenticated
Hidden Services, it should also contain the HidServAuth cookie.
"""
# Declare regex only for THS; we'll build regex for ATHS only if
# necessary, since we won't have the required values otherwise.
ths_hostname_regex = "[a-z0-9]{16}\.onion"
with Sudo():
f = File("/var/lib/tor/services/{}/hostname".format(tor_service['name']))
assert f.is_file
assert oct(f.mode) == "0600"
assert f.user == "debian-tor"
assert f.group == "debian-tor"
# All hostnames should contain at *least* the hostname.
assert re.search(ths_hostname_regex, f.content)
if tor_service['authenticated']:
aths_hostname_regex = ths_hostname_regex+" [a-zA-Z0-9/]{22} # client: "+tor_service['client']
> assert re.search("^{}$".format(aths_hostname_regex), f.content)
E assert None
E + where None = <function search at 0x107ff4cf8>('^[a-z0-9]{16}\\.onion [a-zA-Z0-9/]{22} # client: admin$', 'a5yaq23kszdeghbb.onion yyZP+S5bhwyRBt0I7I7QeB # client: admin')
E + where <function search at 0x107ff4cf8> = re.search
E + and '^[a-z0-9]{16}\\.onion [a-zA-Z0-9/]{22} # client: admin$' = <built-in method format of str object at 0x109200c90>('[a-z0-9]{16}\\.onion [a-zA-Z0-9/]{22} # client: admin')
E + where <built-in method format of str object at 0x109200c90> = '^{}$'.format
E + and 'a5yaq23kszdeghbb.onion yyZP+S5bhwyRBt0I7I7QeB # client: admin' = <file /var/lib/tor/services/ssh/hostname>.content
testinfra/common/test_tor_hidden_services.py:46: AssertionError
--------------------------------------------------------------- Captured stderr call ----------------------------------------------------------------
INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'test -f /var/lib/tor/services/ssh/hostname'", {}): {u'changed': True,
u'cmd': u"sudo /bin/sh -c 'test -f /var/lib/tor/services/ssh/hostname'",
u'delta': u'0:00:00.036816',
u'end': u'2017-03-14 21:32:40.985408',
'invocation': {'module_args': u"sudo /bin/sh -c 'test -f /var/lib/tor/services/ssh/hostname'",
'module_name': u'shell'},
u'rc': 0,
u'start': u'2017-03-14 21:32:40.948592',
u'stderr': u'',
u'stdout': u'',
u'warnings': []}
INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'test -f /var/lib/tor/services/ssh/hostname'", exit_status=0, stdout=u'', stderr=u'')
INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'stat -c %a /var/lib/tor/services/ssh/hostname'", {}): {u'changed': True,
u'cmd': u"sudo /bin/sh -c 'stat -c %a /var/lib/tor/services/ssh/hostname'",
u'delta': u'0:00:00.038821',
u'end': u'2017-03-14 21:32:41.246197',
'invocation': {'module_args': u"sudo /bin/sh -c 'stat -c %a /var/lib/tor/services/ssh/hostname'",
'module_name': u'shell'},
u'rc': 0,
u'start': u'2017-03-14 21:32:41.207376',
u'stderr': u'',
u'stdout': u'600',
u'warnings': []}
INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'stat -c %a /var/lib/tor/services/ssh/hostname'", exit_status=0, stdout='600', stderr=u'')
INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'stat -c %U /var/lib/tor/services/ssh/hostname'", {}): {u'changed': True,
u'cmd': u"sudo /bin/sh -c 'stat -c %U /var/lib/tor/services/ssh/hostname'",
u'delta': u'0:00:00.055513',
u'end': u'2017-03-14 21:32:41.536533',
'invocation': {'module_args': u"sudo /bin/sh -c 'stat -c %U /var/lib/tor/services/ssh/hostname'",
'module_name': u'shell'},
u'rc': 0,
u'start': u'2017-03-14 21:32:41.481020',
u'stderr': u'',
u'stdout': u'debian-tor',
u'warnings': []}
INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'stat -c %U /var/lib/tor/services/ssh/hostname'", exit_status=0, stdout='debian-tor', stderr=u'')
INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'stat -c %G /var/lib/tor/services/ssh/hostname'", {}): {u'changed': True,
u'cmd': u"sudo /bin/sh -c 'stat -c %G /var/lib/tor/services/ssh/hostname'",
u'delta': u'0:00:00.040076',
u'end': u'2017-03-14 21:32:41.825237',
'invocation': {'module_args': u"sudo /bin/sh -c 'stat -c %G /var/lib/tor/services/ssh/hostname'",
'module_name': u'shell'},
u'rc': 0,
u'start': u'2017-03-14 21:32:41.785161',
u'stderr': u'',
u'stdout': u'debian-tor',
u'warnings': []}
INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'stat -c %G /var/lib/tor/services/ssh/hostname'", exit_status=0, stdout='debian-tor', stderr=u'')
INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'cat -- /var/lib/tor/services/ssh/hostname'", {}): {u'changed': True,
u'cmd': u"sudo /bin/sh -c 'cat -- /var/lib/tor/services/ssh/hostname'",
u'delta': u'0:00:00.019628',
u'end': u'2017-03-14 21:32:42.001035',
'invocation': {'module_args': u"sudo /bin/sh -c 'cat -- /var/lib/tor/services/ssh/hostname'",
'module_name': u'shell'},
u'rc': 0,
u'start': u'2017-03-14 21:32:41.981407',
u'stderr': u'',
u'stdout': u'a5yaq23kszdeghbb.onion yyZP+S5bhwyRBt0I7I7QeB # client: admin',
u'warnings': []}
INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'cat -- /var/lib/tor/services/ssh/hostname'", exit_status=0, stdout='a5yaq23kszdeghbb.onion yyZP+S5bhwyRBt0I7I7QeB # client: admin', stderr=u'')
INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'cat -- /var/lib/tor/services/ssh/hostname'", {}): {u'changed': True,
u'cmd': u"sudo /bin/sh -c 'cat -- /var/lib/tor/services/ssh/hostname'",
u'delta': u'0:00:00.018883',
u'end': u'2017-03-14 21:32:42.151313',
'invocation': {'module_args': u"sudo /bin/sh -c 'cat -- /var/lib/tor/services/ssh/hostname'",
'module_name': u'shell'},
u'rc': 0,
u'start': u'2017-03-14 21:32:42.132430',
u'stderr': u'',
u'stdout': u'a5yaq23kszdeghbb.onion yyZP+S5bhwyRBt0I7I7QeB # client: admin',
u'warnings': []}
INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'cat -- /var/lib/tor/services/ssh/hostname'", exit_status=0, stdout='a5yaq23kszdeghbb.onion yyZP+S5bhwyRBt0I7I7QeB # client: admin', stderr=u'')
============================================ 5 failed, 141 passed, 1 skipped, 4 xfailed in 34.75 seconds ============================================
Traceback (most recent call last):
File "./testinfra/test.py", line 125, in <module>
run_testinfra(target_host)
File "./testinfra/test.py", line 122, in run_testinfra
subprocess.check_call(testinfra_command)
File "/usr/local/Cellar/python/2.7.12/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 541, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['testinfra', '-vv', '-n', 'auto', '--connection', 'ansible', '--ansible-inventory', '.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory', '--hosts', 'mon-staging', 'testinfra/mon', 'testinfra/common']' returned non-zero exit status 1