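import testinfra.utils.ansible_runner


# Run the tests against every host in the Molecule inventory except "helper".
# NOTE(review): presumably "helper" is an auxiliary instance that the role is
# not applied to - confirm against the Molecule scenario. list.remove() raises
# ValueError if the inventory has no such host.
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    '.molecule/ansible_inventory').get_hosts('all')
testinfra_hosts.remove("helper")


def _has_active_line(content, expected):
    """
    Checks whether any line of content equals expected once the surrounding
    whitespace has been stripped.

    Used instead of a plain substring test so that a commented-out directive
    (for example "#PermitRootLogin no") does not satisfy the check.
    """

    return any(line.strip() == expected for line in content.splitlines())


def test_pam_umask(File):
    """
    Tests configuration of PAM umask module.
    """

    pam_auth_update_config = File('/usr/share/pam-configs/umask')

    assert pam_auth_update_config.exists
    assert pam_auth_update_config.user == 'root'
    assert pam_auth_update_config.group == 'root'
    assert pam_auth_update_config.mode == 0o644

    # Raw strings keep the grep pattern identical while avoiding Python's
    # invalid escape sequence warning for "\+".
    assert File('/etc/pam.d/common-session').contains(
        r'session[[:blank:]]\+required[[:blank:]]\+pam_umask.so')
    assert File('/etc/pam.d/common-session-noninteractive').contains(
        r'session[[:blank:]]\+required[[:blank:]]\+pam_umask.so')


def test_login_umask(File):
    """
    Tests set-up of default UMASK via /etc/login.defs.
    """

    assert File('/etc/login.defs').contains(r'UMASK[[:blank:]]\+027')


def test_adduser_umask(File):
    """
    Tests UMASK configuration used for creating user home directory.
    """

    assert File('/etc/adduser.conf').contains('DIR_MODE=0750')


def test_bash_prompt(File):
    """
    Tests file permissions on custom bash prompt configuration.
    """

    bash_prompt = File('/etc/profile.d/bash_prompt.sh')

    assert bash_prompt.exists
    assert bash_prompt.user == 'root'
    assert bash_prompt.group == 'root'
    assert bash_prompt.mode == 0o644


def test_home_profile_d(File):
    """
    Tests deployment of special profile file used for enabling profile.d-like
    capability in user's home directory.
    """

    home_profile_d = File('/etc/profile.d/z99-user_profile_d.sh')

    assert home_profile_d.is_file
    assert home_profile_d.user == 'root'
    assert home_profile_d.group == 'root'
    assert home_profile_d.mode == 0o644


def test_home_skeleton_bashrc(File):
    """
    Tests deployment of home directory skeleton bashrc.
    """

    bashrc = File('/etc/skel/.bashrc')

    assert bashrc.is_file
    assert bashrc.user == 'root'
    assert bashrc.group == 'root'
    assert bashrc.mode == 0o644
    # Pins the exact file content; the same digest is expected for
    # /root/.bashrc in test_root_bashrc.
    assert bashrc.sha256sum == '4f946fb387a413c8d7633787d8e8a7785c256d77f7c6a692822ffdb439c78277'


def test_default_bashrc(File):
    """
    Tests deployment of default bashrc file.
    """

    bashrc = File('/etc/bash.bashrc')

    assert bashrc.is_file
    assert bashrc.user == 'root'
    assert bashrc.group == 'root'
    assert bashrc.mode == 0o644


def test_root_bashrc(File, Sudo):
    """
    Tests overwriting of root's bashrc configuration with default one.
    """

    with Sudo():
        bashrc = File('/root/.bashrc')

        assert bashrc.is_file
        assert bashrc.user == 'root'
        assert bashrc.group == 'root'
        assert bashrc.mode == 0o640
        assert bashrc.sha256sum == '4f946fb387a413c8d7633787d8e8a7785c256d77f7c6a692822ffdb439c78277'


def test_installed_packages(Package):
    """
    Tests installation of required packages.
    """

    assert Package('sudo').is_installed
    assert Package('ssl-cert').is_installed
    assert Package('rcconf').is_installed
    assert Package('ferm').is_installed
    assert Package('apticron').is_installed
    assert Package('virtualenv').is_installed


def test_root_remote_login_disabled(File):
    """
    Tests if SSH server has been configured to prevent remote root logins.
    """

    # Whole-line match: a substring test would also pass on a commented-out
    # "#PermitRootLogin no". This still inspects only the file text; sshd
    # uses the first value it obtains for a keyword and honours Match blocks,
    # so "sshd -T" is the authoritative view of the effective setting.
    sshd_config = File('/etc/ssh/sshd_config').content

    assert _has_active_line(sshd_config, 'PermitRootLogin no')


def test_remote_login_via_password_disabled(File):
    """
    Tests if SSH server has been configured to disable password-based
    authentication.
    """

    # Whole-line match so that a commented-out directive does not count as
    # the setting being applied.
    sshd_config = File('/etc/ssh/sshd_config').content

    assert _has_active_line(sshd_config, 'PasswordAuthentication no')


def test_ferm_service_configuration(File):
    """
    Tests ownership, permissions and content of the ferm service defaults
    file (/etc/default/ferm).
    """

    ferm_service_config = File('/etc/default/ferm')

    assert ferm_service_config.is_file
    assert ferm_service_config.user == 'root'
    assert ferm_service_config.group == 'root'
    assert ferm_service_config.mode == 0o644
    assert 'FAST=yes' in ferm_service_config.content
    assert 'CACHE=no' in ferm_service_config.content
    assert 'ENABLED="yes"' in ferm_service_config.content


def test_ferm_configuration_directory(File, Sudo):
    """
    Tests creation of ferm configuration directory.
    """

    with Sudo():
        ferm_dir = File('/etc/ferm/conf.d')

        assert ferm_dir.is_directory
        assert ferm_dir.user == 'root'
        assert ferm_dir.group == 'root'
        assert ferm_dir.mode == 0o750


def test_ferm_configuration(File, Sudo):
    """
    Tests deployment of basic ferm configuration files.
    """

    with Sudo():
        ferm_configuration = File('/etc/ferm/ferm.conf')

        assert ferm_configuration.is_file
        assert ferm_configuration.user == 'root'
        assert ferm_configuration.group == 'root'
        assert ferm_configuration.mode == 0o640
        assert "@include '/etc/ferm/conf.d/';" in ferm_configuration.content

        ferm_base = File('/etc/ferm/conf.d/00-base.conf')

        assert ferm_base.is_file
        assert ferm_base.user == 'root'
        assert ferm_base.group == 'root'
        assert ferm_base.mode == 0o640


def test_ferm_service(Service):
    """
    Tests if ferm is started and enabled to start automatically on boot.
    """

    ferm = Service('ferm')

    assert ferm.is_running
    assert ferm.is_enabled


def test_check_certificate_script(File):
    """
    Tests ownership and permissions of the certificate checking script.
    """

    check_certificate = File('/usr/local/bin/check_certificate.sh')

    assert check_certificate.is_file
    assert check_certificate.user == 'root'
    assert check_certificate.group == 'root'
    assert check_certificate.mode == 0o755


def test_check_certificate_directory(File):
    """
    Tests ownership and permissions of the /etc/check_certificate directory.
    """

    check_certificate_dir = File('/etc/check_certificate')

    assert check_certificate_dir.is_directory
    assert check_certificate_dir.user == 'root'
    assert check_certificate_dir.group == 'root'
    assert check_certificate_dir.mode == 0o755


def test_check_certificate_crontab(File):
    """
    Tests deployment of cron job for checking certificates.
    """

    check_certificate_crontab = File('/etc/cron.d/check_certificate')

    assert check_certificate_crontab.is_file
    assert check_certificate_crontab.user == 'root'
    assert check_certificate_crontab.group == 'root'
    assert check_certificate_crontab.mode == 0o644
    # The expected entry runs the script as the unprivileged "nobody" user.
    assert "0 0 * * * nobody /usr/local/bin/check_certificate.sh expiration" in check_certificate_crontab.content


def test_pipreqcheck_virtualenv(File, Sudo):
    """
    Tests creation of Python virtual environment used for performing pip
    requirements upgrade checks.
    """

    with Sudo():
        virtualenv_activate = File('/var/lib/pipreqcheck/virtualenv/bin/activate')

        assert virtualenv_activate.is_file
        assert virtualenv_activate.user == 'pipreqcheck'
        assert virtualenv_activate.group == 'pipreqcheck'
        assert virtualenv_activate.mode == 0o644


def test_pipreqcheck_directories(File, Sudo):
    """
    Tests creation of directories used for storing configuration used by
    script that performs pip requirements upgrade checks.
    """

    with Sudo():
        pipreqcheck_config_directory = File('/etc/pip_check_requirements_upgrades')

        assert pipreqcheck_config_directory.is_directory
        assert pipreqcheck_config_directory.user == 'root'
        assert pipreqcheck_config_directory.group == 'pipreqcheck'
        assert pipreqcheck_config_directory.mode == 0o750

        pipreqcheck_config_directory_pipreqcheck = File('/etc/pip_check_requirements_upgrades/pipreqcheck')

        assert pipreqcheck_config_directory_pipreqcheck.is_directory
        assert pipreqcheck_config_directory_pipreqcheck.user == 'root'
        assert pipreqcheck_config_directory_pipreqcheck.group == 'pipreqcheck'
        assert pipreqcheck_config_directory_pipreqcheck.mode == 0o750


def test_pipreqcheck_requirements(File, Sudo):
    """
    Tests deployment of requirements input and text file used for virtual
    environment utilised by script that perform pip requirements upgrade
    checks.
    """

    with Sudo():
        requirements_in = File('/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.in')

        assert requirements_in.is_file
        assert requirements_in.user == 'root'
        assert requirements_in.group == 'pipreqcheck'
        assert requirements_in.mode == 0o640

        requirements_txt = File('/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt')

        # The file-type check was previously a bare expression without
        # "assert", so it was evaluated and discarded.
        assert requirements_txt.is_file
        assert requirements_txt.user == 'root'
        assert requirements_txt.group == 'pipreqcheck'
        assert requirements_txt.mode == 0o640


def test_pipreqcheck_packages(PipPackage, Sudo):
    """
    Tests if Python virtual environment used for running the pip requirements
    upgrade checks has correct version of pip installed.
    """

    with Sudo():
        packages = PipPackage.get_packages(pip_path='/var/lib/pipreqcheck/virtualenv/bin/pip')

        # Compare everything before the last version component, i.e. accept
        # any 9.0.x release of pip.
        assert packages['pip']['version'].rsplit('.', 1)[0] == '9.0'
        assert 'pip-tools' in packages


def test_pipreqcheck_script(File):
    """
    Tests script used for performing pip requirements upgrade checks.
    """

    pipreqcheck_script = File('/usr/local/bin/pip_check_requirements_upgrades.sh')

    assert pipreqcheck_script.is_file
    assert pipreqcheck_script.user == 'root'
    assert pipreqcheck_script.group == 'root'
    assert pipreqcheck_script.mode == 0o755


def test_pipreqcheck_crontab(File):
    """
    Tests if crontab entry is set-up correctly for running the pip
    requirements upgrade checks.
    """

    crontab = File('/etc/cron.d/check_pip_requirements')

    assert crontab.is_file
    assert crontab.user == 'root'
    assert crontab.group == 'root'
    assert crontab.mode == 0o644
    assert "MAILTO=root" in crontab.content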