Created
March 15, 2017 02:22
-
-
Save redshiftzero/b3b6c51eb4e051be1b8c66611b9e0f80 to your computer and use it in GitHub Desktop.
testinfra part 2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ============================================================================================= FAILURES ============================================================================================== | |
| ____________________________________________________________________________ test_iptables_rules[ansible://app-staging] _____________________________________________________________________________ | |
| [gw2] darwin -- Python 2.7.12 /usr/local/opt/python/bin/python2.7 | |
| Command = <command>, Sudo = <sudo> | |
| def test_iptables_rules(Command, Sudo): | |
| """ | |
| Ensure the correct iptables rules are checked. Using a single string | |
| equivalency check for the entirety of the iptables output, since | |
| rule order is critical. Testinfra will provide diffed output on failure. | |
| """ | |
| # This approach will only work with the local Vagrant environment. | |
| # The hardcoded rules in per-host vars files contain static IPv4 addresses | |
| # that won't work in CI. TODO: update to use dynamic vars for real IPv4 | |
| # addresses. There's a test in `mon/test_network` currently marked as "skip" | |
| # that includes most of the logic necessary for dynamic vars. | |
| with Sudo(): | |
| c = Command("iptables -S") | |
| > assert c.stdout == securedrop_test_vars.iptables_complete_ruleset | |
| E assert '-P INPUT DRO...NDROP -j DROP' == '-P INPUT DROP...NDROP -j DROP' | |
| E -P INPUT DROP | |
| E -P FORWARD DROP | |
| E -P OUTPUT DROP | |
| E -N LOGNDROP | |
| E -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT | |
| E -A INPUT -i lo -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to source int" -j ACCEPT | |
| E -A INPUT -i lo -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to journalist int" -j ACCEPT | |
| E -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT | |
| E -A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT | |
| E -A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT | |
| E -A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT | |
| E -A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT | |
| E -A INPUT -s 10.0.1.3/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT | |
| E -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | |
| E -A INPUT -p udp -m udp --sport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | |
| E -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | |
| E -A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | |
| E -A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT | |
| E -A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP | |
| E -A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP | |
| E - -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh dameon" -j ACCEPT | |
| E ? ^^^^^^^^^^^^^^^^^^ | |
| E + -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh dameon" -j ACCEPT | |
| E ? ^^^^^^^^^^^^^^^^^^ | |
| E - -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state NEW -m comment --comment "Drop all other new connections from tor to the ssh dameon" -j LOGNDROP | |
| E ? ^ | |
| E + -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state NEW -m comment --comment "Drop all other new connections from tor to the ssh dameon" -j LOGNDROP | |
| E ? ^ | |
| E - -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT | |
| E ? ^ | |
| E + -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT | |
| E ? ^ | |
| E - -A OUTPUT -p tcp -m owner --uid-owner 106 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tor instance that provides ssh access" -j ACCEPT | |
| E ? ^ | |
| E + -A OUTPUT -p tcp -m owner --uid-owner 107 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tor instance that provides ssh access" -j ACCEPT | |
| E ? ^ | |
| E - -A OUTPUT -m owner --uid-owner 106 -m comment --comment "Drop all other traffic for the tor instance used for ssh" -j LOGNDROP | |
| E ? ^ | |
| E + -A OUTPUT -m owner --uid-owner 107 -m comment --comment "Drop all other traffic for the tor instance used for ssh" -j LOGNDROP | |
| E ? ^ | |
| E -A OUTPUT -o lo -p tcp -m tcp --sport 80 -m owner --uid-owner 33 -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT | |
| E -A OUTPUT -o lo -p tcp -m tcp --sport 8080 -m owner --uid-owner 33 -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT | |
| E -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -p tcp -m owner --uid-owner 33 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT | |
| E -A OUTPUT -m owner --uid-owner 33 -m comment --comment "Drop all other traffic by the securedrop user" -j LOGNDROP | |
| E -A OUTPUT -m owner --gid-owner 108 -m comment --comment "Drop all other outbound traffic for ssh user" -j LOGNDROP | |
| E -A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT | |
| E -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT | |
| E -A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT | |
| E -A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT | |
| E -A OUTPUT -d 10.0.1.3/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT | |
| E -A OUTPUT -o eth0 -p tcp -m owner --uid-owner 0 -m tcp --sport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | |
| E -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | |
| E -A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | |
| E -A OUTPUT -o eth0 -p tcp -m tcp --sport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | |
| E -A OUTPUT -o lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT | |
| E -A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP | |
| E -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid | |
| E -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid | |
| E -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid | |
| E -A LOGNDROP -j DROP | |
| testinfra/common/test_ip4tables.py:20: AssertionError | |
| --------------------------------------------------------------------------------------- Captured stderr call ---------------------------------------------------------------------------------------- | |
| INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'iptables -S'", {}): {u'changed': True, | |
| u'cmd': u"sudo /bin/sh -c 'iptables -S'", | |
| u'delta': u'0:00:00.053308', | |
| u'end': u'2017-03-15 02:20:17.628144', | |
| 'invocation': {'module_args': u"sudo /bin/sh -c 'iptables -S'", | |
| 'module_name': u'shell'}, | |
| u'rc': 0, | |
| u'start': u'2017-03-15 02:20:17.574836', | |
| u'stderr': u'', | |
| u'stdout': u'-P INPUT DROP\n-P FORWARD DROP\n-P OUTPUT DROP\n-N LOGNDROP\n-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT\n-A INPUT -i lo -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to source int" -j ACCEPT\n-A INPUT -i lo -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to journalist int" -j ACCEPT\n-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT\n-A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT\n-A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT\n-A INPUT -s 10.0.1.3/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT\n-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -p udp -m udp --sport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT\n-A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP\n-A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP\n-A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh dameon" -j ACCEPT\n-A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state NEW -m comment --comment "Drop all other new connections from tor to the ssh dameon" -j LOGNDROP\n-A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT\n-A OUTPUT -p tcp -m owner --uid-owner 106 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tor instance that provides ssh access" -j ACCEPT\n-A OUTPUT -m owner --uid-owner 106 -m comment --comment "Drop all other traffic for the tor instance used for ssh" -j LOGNDROP\n-A OUTPUT -o lo -p tcp -m tcp --sport 80 -m owner --uid-owner 33 -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT\n-A OUTPUT -o lo -p tcp -m tcp --sport 8080 -m owner --uid-owner 33 -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT\n-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -p tcp -m owner --uid-owner 33 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT\n-A OUTPUT -m owner --uid-owner 33 -m comment --comment "Drop all other traffic by the securedrop user" -j LOGNDROP\n-A OUTPUT -m owner --gid-owner 108 -m comment --comment "Drop all other outbound traffic for ssh user" -j LOGNDROP\n-A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT\n-A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT\n-A OUTPUT -d 10.0.1.3/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT\n-A OUTPUT -o eth0 -p tcp -m owner --uid-owner 0 -m tcp --sport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A OUTPUT -o eth0 -p tcp -m tcp --sport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A OUTPUT -o lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT\n-A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP\n-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid\n-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid\n-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid\n-A LOGNDROP -j DROP', | |
| u'warnings': []} | |
| INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'iptables -S'", exit_status=0, stdout='-P INPUT DROP\n-P FORWARD DROP\n-P OUTPUT DROP\n-N LOGNDROP\n-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT\n-A INPUT -i lo -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to source int" -j ACCEPT\n-A INPUT -i lo -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to journalist int" -j ACCEPT\n-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT\n-A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT\n-A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT\n-A INPUT -s 10.0.1.3/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT\n-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -p udp -m udp --sport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT\n-A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP\n-A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP\n-A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh dameon" -j ACCEPT\n-A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state NEW -m comment --comment "Drop all other new connections from tor to the ssh dameon" -j LOGNDROP\n-A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT\n-A OUTPUT -p tcp -m owner --uid-owner 106 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tor instance that provides ssh access" -j ACCEPT\n-A OUTPUT -m owner --uid-owner 106 -m comment --comment "Drop all other traffic for the tor instance used for ssh" -j LOGNDROP\n-A OUTPUT -o lo -p tcp -m tcp --sport 80 -m owner --uid-owner 33 -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT\n-A OUTPUT -o lo -p tcp -m tcp --sport 8080 -m owner --uid-owner 33 -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT\n-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -p tcp -m owner --uid-owner 33 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT\n-A OUTPUT -m owner --uid-owner 33 -m comment --comment "Drop all other traffic by the securedrop user" -j LOGNDROP\n-A OUTPUT -m owner --gid-owner 108 -m comment --comment "Drop all other outbound traffic for ssh user" -j LOGNDROP\n-A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT\n-A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT\n-A OUTPUT -d 10.0.1.3/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT\n-A OUTPUT -o eth0 -p tcp -m owner --uid-owner 0 -m tcp --sport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A OUTPUT -o eth0 -p tcp -m tcp --sport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A OUTPUT -o eth0 -p tcp -m tcp --sport 8080 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A OUTPUT -o lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT\n-A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP\n-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid\n-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid\n-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid\n-A LOGNDROP -j DROP', stderr=u'') | |
| ==================================================================== 1 failed, 273 passed, 1 skipped, 6 xfailed in 72.22 seconds ==================================================================== |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ________________________________________________________________ test_iptables_rules[ansible://mon-staging] ________________________________________________________________ | |
| [gw2] darwin -- Python 2.7.12 /usr/local/opt/python/bin/python2.7 | |
| Command = <command>, Sudo = <sudo> | |
| def test_iptables_rules(Command, Sudo): | |
| """ | |
| Ensure the correct iptables rules are checked. Using a single string | |
| equivalency check for the entirety of the iptables output, since | |
| rule order is critical. Testinfra will provide diffed output on failure. | |
| """ | |
| # This approach will only work with the local Vagrant environment. | |
| # The hardcoded rules in per-host vars files contain static IPv4 addresses | |
| # that won't work in CI. TODO: update to use dynamic vars for real IPv4 | |
| # addresses. There's a test in `mon/test_network` currently marked as "skip" | |
| # that includes most of the logic necessary for dynamic vars. | |
| with Sudo(): | |
| c = Command("iptables -S") | |
| > assert c.stdout == securedrop_test_vars.iptables_complete_ruleset | |
| E assert '-P INPUT DRO...NDROP -j DROP' == '-P INPUT DROP...NDROP -j DROP' | |
| E -P INPUT DROP | |
| E -P FORWARD DROP | |
| E -P OUTPUT DROP | |
| E -N LOGNDROP | |
| E -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT | |
| E -A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT | |
| E -A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT | |
| E -A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT | |
| E -A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT | |
| E -A INPUT -s 10.0.1.2/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT | |
| E -A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT | |
| E -A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT | |
| E -A INPUT -p tcp -m tcp --sport 587 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT | |
| E -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | |
| E -A INPUT -p udp -m udp --sport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | |
| E -A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT | |
| E -A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP | |
| E -A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP | |
| E - -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh dameon" -j ACCEPT | |
| E ? ^^^^^^^^^^^^^^^^^^ | |
| E + -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh dameon" -j ACCEPT | |
| E ? ^^^^^^^^^^^^^^^^^^ | |
| E - -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state NEW -m comment --comment "Drop all other new connections from tor to the ssh dameon" -j LOGNDROP | |
| E ? ^ | |
| E + -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state NEW -m comment --comment "Drop all other new connections from tor to the ssh dameon" -j LOGNDROP | |
| E ? ^ | |
| E - -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT | |
| E ? ^ | |
| E + -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 107 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT | |
| E ? ^ | |
| E - -A OUTPUT -p tcp -m owner --uid-owner 106 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tor instance that provides ssh access" -j ACCEPT | |
| E ? ^ | |
| E + -A OUTPUT -p tcp -m owner --uid-owner 107 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tor instance that provides ssh access" -j ACCEPT | |
| E ? ^ | |
| E - -A OUTPUT -m owner --uid-owner 106 -m comment --comment "Drop all other traffic for the tor instance used for ssh" -j LOGNDROP | |
| E ? ^ | |
| E + -A OUTPUT -m owner --uid-owner 107 -m comment --comment "Drop all other traffic for the tor instance used for ssh" -j LOGNDROP | |
| E ? ^ | |
| E -A OUTPUT -m owner --gid-owner 108 -m comment --comment "Drop all other outbound traffic for ssh user" -j LOGNDROP | |
| E -A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT | |
| E -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT | |
| E -A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT | |
| E -A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT | |
| E -A OUTPUT -d 10.0.1.2/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT | |
| E - -A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 107 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT | |
| E ? ^ | |
| E + -A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 108 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT | |
| E ? ^ | |
| E - -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 107 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT | |
| E ? ^ | |
| E + -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 108 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT | |
| E ? ^ | |
| E - -A OUTPUT -p tcp -m tcp --dport 587 -m owner --uid-owner 107 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT | |
| E ? ^ | |
| E + -A OUTPUT -p tcp -m tcp --dport 587 -m owner --uid-owner 108 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT | |
| E ? ^ | |
| E -A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | |
| E -A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT | |
| E -A OUTPUT -o lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT | |
| E -A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP | |
| E -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid | |
| E -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid | |
| E -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid | |
| E -A LOGNDROP -j DROP | |
| testinfra/common/test_ip4tables.py:20: AssertionError | |
| --------------------------------------------------------------------------- Captured stderr call --------------------------------------------------------------------------- | |
| INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'iptables -S'", {}): {u'changed': True, | |
| u'cmd': u"sudo /bin/sh -c 'iptables -S'", | |
| u'delta': u'0:00:00.137485', | |
| u'end': u'2017-03-15 02:05:29.126637', | |
| 'invocation': {'module_args': u"sudo /bin/sh -c 'iptables -S'", | |
| 'module_name': u'shell'}, | |
| u'rc': 0, | |
| u'start': u'2017-03-15 02:05:28.989152', | |
| u'stderr': u'', | |
| u'stdout': u'-P INPUT DROP\n-P FORWARD DROP\n-P OUTPUT DROP\n-N LOGNDROP\n-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT\n-A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT\n-A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT\n-A INPUT -s 10.0.1.2/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT\n-A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A INPUT -p tcp -m tcp --sport 587 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT\n-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -p udp -m udp --sport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT\n-A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP\n-A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP\n-A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh dameon" -j ACCEPT\n-A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state NEW -m comment --comment "Drop all other new connections from tor to the ssh dameon" -j LOGNDROP\n-A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT\n-A OUTPUT -p tcp -m owner --uid-owner 106 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tor instance that provides ssh access" -j ACCEPT\n-A OUTPUT -m owner --uid-owner 106 -m comment --comment "Drop all other traffic for the tor instance used for ssh" -j LOGNDROP\n-A OUTPUT -m owner --gid-owner 108 -m comment --comment "Drop all other outbound traffic for ssh user" -j LOGNDROP\n-A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT\n-A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT\n-A OUTPUT -d 10.0.1.2/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT\n-A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 107 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT\n-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 107 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT\n-A OUTPUT -p tcp -m tcp --dport 587 -m owner --uid-owner 107 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT\n-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A OUTPUT -o lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT\n-A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP\n-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid\n-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid\n-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid\n-A LOGNDROP -j DROP', | |
| u'warnings': []} | |
| INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'iptables -S'", exit_status=0, stdout='-P INPUT DROP\n-P FORWARD DROP\n-P OUTPUT DROP\n-N LOGNDROP\n-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT\n-A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT\n-A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT\n-A INPUT -s 10.0.1.2/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT\n-A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A INPUT -p tcp -m tcp --sport 587 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT\n-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -p udp -m udp --sport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT\n-A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP\n-A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP\n-A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh dameon" -j ACCEPT\n-A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state NEW -m comment --comment "Drop all other new connections from tor to the ssh dameon" -j LOGNDROP\n-A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 106 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT\n-A OUTPUT -p tcp -m owner --uid-owner 106 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tor instance that provides ssh access" -j ACCEPT\n-A OUTPUT -m owner --uid-owner 106 -m comment --comment "Drop all other traffic for the tor instance used for ssh" -j LOGNDROP\n-A OUTPUT -m owner --gid-owner 108 -m comment --comment "Drop all other outbound traffic for ssh user" -j LOGNDROP\n-A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT\n-A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT\n-A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT\n-A OUTPUT -d 10.0.1.2/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT\n-A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 107 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT\n-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 107 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT\n-A OUTPUT -p tcp -m tcp --dport 587 -m owner --uid-owner 107 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT\n-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT\n-A OUTPUT -o lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT\n-A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP\n-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid\n-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid\n-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid\n-A LOGNDROP -j DROP', stderr=u'') | |
| ______________________________________________________ test_tor_service_hostnames[ansible://mon-staging-tor_service0] ______________________________________________________ | |
| [gw2] darwin -- Python 2.7.12 /usr/local/opt/python/bin/python2.7 | |
| File = <class 'testinfra.modules.base.GNUFile'>, Sudo = <sudo> | |
| tor_service = {'authenticated': True, 'client': 'admin', 'name': 'ssh', 'ports': ['22']} | |
| @pytest.mark.parametrize('tor_service', sdvars.tor_services) | |
| def test_tor_service_hostnames(File, Sudo, tor_service): | |
| """ | |
| Check contents of tor service hostname file. For normal Hidden Services, | |
| the file should contain only hostname (.onion URL). For Authenticated | |
| Hidden Services, it should also contain the HidServAuth cookie. | |
| """ | |
| # Declare regex only for THS; we'll build regex for ATHS only if | |
| # necessary, since we won't have the required values otherwise. | |
| ths_hostname_regex = "[a-z0-9]{16}\.onion" | |
| with Sudo(): | |
| f = File("/var/lib/tor/services/{}/hostname".format(tor_service['name'])) | |
| assert f.is_file | |
| assert oct(f.mode) == "0600" | |
| assert f.user == "debian-tor" | |
| assert f.group == "debian-tor" | |
| # All hostnames should contain at *least* the hostname. | |
| assert re.search(ths_hostname_regex, f.content) | |
| if tor_service['authenticated']: | |
| aths_hostname_regex = ths_hostname_regex+" [a-zA-Z0-9/]{22} # client: "+tor_service['client'] | |
| > assert re.search("^{}$".format(aths_hostname_regex), f.content) | |
| E assert None | |
| E + where None = <function search at 0x10262ccf8>('^[a-z0-9]{16}\\.onion [a-zA-Z0-9/]{22} # client: admin$', 'a5yaq23kszdeghbb.onion yyZP+S5bhwyRBt0I7I7QeB # client: admin') | |
| E + where <function search at 0x10262ccf8> = re.search | |
| E + and '^[a-z0-9]{16}\\.onion [a-zA-Z0-9/]{22} # client: admin$' = <built-in method format of str object at 0x103838c90>('[a-z0-9]{16}\\.onion [a-zA-Z0-9/]{22} # client: admin') | |
| E + where <built-in method format of str object at 0x103838c90> = '^{}$'.format | |
| E + and 'a5yaq23kszdeghbb.onion yyZP+S5bhwyRBt0I7I7QeB # client: admin' = <file /var/lib/tor/services/ssh/hostname>.content | |
| testinfra/common/test_tor_hidden_services.py:46: AssertionError | |
| --------------------------------------------------------------------------- Captured stderr call --------------------------------------------------------------------------- | |
| INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'test -f /var/lib/tor/services/ssh/hostname'", {}): {u'changed': True, | |
| u'cmd': u"sudo /bin/sh -c 'test -f /var/lib/tor/services/ssh/hostname'", | |
| u'delta': u'0:00:00.032081', | |
| u'end': u'2017-03-15 02:05:34.015667', | |
| 'invocation': {'module_args': u"sudo /bin/sh -c 'test -f /var/lib/tor/services/ssh/hostname'", | |
| 'module_name': u'shell'}, | |
| u'rc': 0, | |
| u'start': u'2017-03-15 02:05:33.983586', | |
| u'stderr': u'', | |
| u'stdout': u'', | |
| u'warnings': []} | |
| INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'test -f /var/lib/tor/services/ssh/hostname'", exit_status=0, stdout=u'', stderr=u'') | |
| INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'stat -c %a /var/lib/tor/services/ssh/hostname'", {}): {u'changed': True, | |
| u'cmd': u"sudo /bin/sh -c 'stat -c %a /var/lib/tor/services/ssh/hostname'", | |
| u'delta': u'0:00:00.044177', | |
| u'end': u'2017-03-15 02:05:34.308590', | |
| 'invocation': {'module_args': u"sudo /bin/sh -c 'stat -c %a /var/lib/tor/services/ssh/hostname'", | |
| 'module_name': u'shell'}, | |
| u'rc': 0, | |
| u'start': u'2017-03-15 02:05:34.264413', | |
| u'stderr': u'', | |
| u'stdout': u'600', | |
| u'warnings': []} | |
| INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'stat -c %a /var/lib/tor/services/ssh/hostname'", exit_status=0, stdout='600', stderr=u'') | |
| INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'stat -c %U /var/lib/tor/services/ssh/hostname'", {}): {u'changed': True, | |
| u'cmd': u"sudo /bin/sh -c 'stat -c %U /var/lib/tor/services/ssh/hostname'", | |
| u'delta': u'0:00:00.028162', | |
| u'end': u'2017-03-15 02:05:34.559728', | |
| 'invocation': {'module_args': u"sudo /bin/sh -c 'stat -c %U /var/lib/tor/services/ssh/hostname'", | |
| 'module_name': u'shell'}, | |
| u'rc': 0, | |
| u'start': u'2017-03-15 02:05:34.531566', | |
| u'stderr': u'', | |
| u'stdout': u'debian-tor', | |
| u'warnings': []} | |
| INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'stat -c %U /var/lib/tor/services/ssh/hostname'", exit_status=0, stdout='debian-tor', stderr=u'') | |
| INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'stat -c %G /var/lib/tor/services/ssh/hostname'", {}): {u'changed': True, | |
| u'cmd': u"sudo /bin/sh -c 'stat -c %G /var/lib/tor/services/ssh/hostname'", | |
| u'delta': u'0:00:00.026023', | |
| u'end': u'2017-03-15 02:05:34.765896', | |
| 'invocation': {'module_args': u"sudo /bin/sh -c 'stat -c %G /var/lib/tor/services/ssh/hostname'", | |
| 'module_name': u'shell'}, | |
| u'rc': 0, | |
| u'start': u'2017-03-15 02:05:34.739873', | |
| u'stderr': u'', | |
| u'stdout': u'debian-tor', | |
| u'warnings': []} | |
| INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'stat -c %G /var/lib/tor/services/ssh/hostname'", exit_status=0, stdout='debian-tor', stderr=u'') | |
| INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'cat -- /var/lib/tor/services/ssh/hostname'", {}): {u'changed': True, | |
| u'cmd': u"sudo /bin/sh -c 'cat -- /var/lib/tor/services/ssh/hostname'", | |
| u'delta': u'0:00:00.012212', | |
| u'end': u'2017-03-15 02:05:34.876858', | |
| 'invocation': {'module_args': u"sudo /bin/sh -c 'cat -- /var/lib/tor/services/ssh/hostname'", | |
| 'module_name': u'shell'}, | |
| u'rc': 0, | |
| u'start': u'2017-03-15 02:05:34.864646', | |
| u'stderr': u'', | |
| u'stdout': u'a5yaq23kszdeghbb.onion yyZP+S5bhwyRBt0I7I7QeB # client: admin', | |
| u'warnings': []} | |
| INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'cat -- /var/lib/tor/services/ssh/hostname'", exit_status=0, stdout='a5yaq23kszdeghbb.onion yyZP+S5bhwyRBt0I7I7QeB # client: admin', stderr=u'') | |
| INFO:testinfra:RUN Ansible(u'shell', u"sudo /bin/sh -c 'cat -- /var/lib/tor/services/ssh/hostname'", {}): {u'changed': True, | |
| u'cmd': u"sudo /bin/sh -c 'cat -- /var/lib/tor/services/ssh/hostname'", | |
| u'delta': u'0:00:00.012140', | |
| u'end': u'2017-03-15 02:05:34.987555', | |
| 'invocation': {'module_args': u"sudo /bin/sh -c 'cat -- /var/lib/tor/services/ssh/hostname'", | |
| 'module_name': u'shell'}, | |
| u'rc': 0, | |
| u'start': u'2017-03-15 02:05:34.975415', | |
| u'stderr': u'', | |
| u'stdout': u'a5yaq23kszdeghbb.onion yyZP+S5bhwyRBt0I7I7QeB # client: admin', | |
| u'warnings': []} | |
| INFO:testinfra:RUN CommandResult(command=u"sudo /bin/sh -c 'cat -- /var/lib/tor/services/ssh/hostname'", exit_status=0, stdout='a5yaq23kszdeghbb.onion yyZP+S5bhwyRBt0I7I7QeB # client: admin', stderr=u'') | |
| ======================================================= 2 failed, 144 passed, 1 skipped, 4 xfailed in 30.42 seconds ======================================================== | |
| Traceback (most recent call last): | |
| File "./testinfra/test.py", line 125, in <module> | |
| run_testinfra(target_host) | |
| File "./testinfra/test.py", line 122, in run_testinfra | |
| subprocess.check_call(testinfra_command) | |
| File "/usr/local/Cellar/python/2.7.12/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 541, in check_call | |
| raise CalledProcessError(retcode, cmd) | |
| subprocess.CalledProcessError: Command '['testinfra', '-vv', '-n', 'auto', '--connection', 'ansible', '--ansible-inventory', '.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory', '--hosts', 'mon-staging', 'testinfra/mon', 'testinfra/common']' returned non-zero exit status 1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment