
(SIMP-4579) simp: prelink acceptance tests fail in FIPS mode (#143)
The prelink acceptance tests were failing when the server was in
FIPS mode because FIPS and prelink are incompatible!  So, to
prevent an uninformed user from making this mistake, updated
simp::prelink to ensure prelinking is disabled when the server
is in FIPS mode.

SIMP-4579 #close
lnemsick-simp authored and trevor-vaughan committed Mar 27, 2018
1 parent 35a71f0 commit b792a67
Showing 5 changed files with 102 additions and 42 deletions.
12 changes: 12 additions & 0 deletions .gitlab-ci.yml
Expand Up @@ -211,6 +211,18 @@ default:
script:
- bundle exec rake beaker:suites[default]

default-fips:
stage: acceptance
tags:
- beaker
<<: *cache_bundler
<<: *setup_bundler_env
variables:
PUPPET_VERSION: '4.10'
BEAKER_fips: 'yes'
script:
- bundle exec rake beaker:suites[default]

default-puppet5:
stage: acceptance
tags:
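Review bot: The new `default-fips` job repeats the entire body of the `default` job (stage, tags, bundler merge keys, PUPPET_VERSION, script) and differs only in `BEAKER_fips: 'yes'`; since the file already uses YAML merge keys (`<<: *cache_bundler`, `<<: *setup_bundler_env`), the shared body could be declared once as an anchor and merged into both jobs so the two cannot drift apart. FIPS coverage is also pinned to `PUPPET_VERSION: '4.10'` only; if the `default-puppet5` job that follows is a supported target, a `default-puppet5-fips` counterpart with the same variable seems warranted. The `default` job this hunk extends starts outside the hunk.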
6 changes: 5 additions & 1 deletion CHANGELOG
@@ -1,5 +1,9 @@
* Tue Mar 27 2018 Liz Nemsick <[email protected]> - 4.4.0-0
- In simp::prelink, ensure prelinking is disabled when the server is
in FIPS mode, as FIPS is incompatible with prelinking.

* Fri Mar 16 2018 Jeanne Greulich <[email protected]> - 4.4.0-0
- updated metadata.json to include trlinkin/nsswitch
- Updated metadata.json to include trlinkin/nsswitch

* Wed Mar 14 2018 Nick Miller <[email protected]> - 4.4.0-0
- Fixed a bug where if the `puppet_settings` fact did not exist, users in the
19 changes: 11 additions & 8 deletions manifests/prelink.pp
@@ -1,19 +1,22 @@
# Manage prelinking
#
# @param enable
# Whether to enable prelinking.
# Whether to enable prelinking. Prelinking can only be enabled if
# the server is *NOT* in FIPS mode.
#
# * When ``$enable`` is ``true``, ensures the prelink package
# is installed and prelinking has been enabled.
# * When ``$enable`` is ``true`` and ``$facts['fips_enabled']`` is
# ``false``, ensures the prelink package is installed and
# prelinking has been enabled.
#
# * When ``$enable`` is ``false``, ensures the prelink package
# is not installed, undoing any existing prelinking, if needed.
# This satisfies the SCAP Security Guide's OVAL check
# * When ``$enable`` is ``false`` or ``$facts['fips_enabled']`` is
# ``true``, ensures the prelink package is not installed, undoing
# any existing prelinking, if needed. This satisfies the SCAP
# Security Guide's OVAL check
# xccdf_org.ssgproject.content_rule_disable_prelink.
#
# @param ensure
# The ``$ensure`` status of the prelink package, when ``$enable``
# is ``true``.
# is ``true`` and ``$facts['fips_enabled']`` is ``false``.
#
# @author https://github.com/simp/pupmod-simp-simp/graphs/contributors
#
Expand All @@ -23,7 +26,7 @@
) {
simplib::assert_metadata( $module_name )

if $enable {
if ( $enable and ! $facts['fips_enabled'] ) {
package { 'prelink': ensure => $ensure }

shellvar { 'enable prelink':
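Review bot: The new guard `if ( $enable and ! $facts['fips_enabled'] ) {` treats an absent `fips_enabled` fact exactly like `false`, so a node on which the fact is undefined (not yet synced, or a custom-fact failure) falls through to the prelink-enabling branch; if the fact is guaranteed by simplib that is acceptable, but if it is not, a fail-closed check such as `if $facts['fips_enabled'] =~ Undef { fail('simp::prelink: the fips_enabled fact is required') }` before the guard would keep the FIPS protection from silently disappearing. The commit description says the goal is to protect an uninformed user, yet when `$enable` is `true` and FIPS is on the class silently takes the removal path; a one-line `warning('simp::prelink: prelinking was requested but has been disabled because the server is in FIPS mode')` in the `else` branch (which is outside this hunk) would tell that user why prelink vanished. The redundant parentheses around the condition can also be dropped to match the surrounding style. The `if`/`else` body continues outside the hunk.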
40 changes: 27 additions & 13 deletions spec/acceptance/suites/default/01_prelink_spec.rb
Expand Up @@ -43,24 +43,38 @@
apply_manifest_on(host, manifest, :catch_changes => true)
end

it 'should install prelink package' do
expect( check_for_package(host, 'prelink') ).to be true
it 'should install prelink package only if not in FIPS mode' do
facts = JSON.load(on(host, 'puppet facts').stdout)
if facts['values']['fips_enabled']
expect( check_for_package(host, 'prelink') ).to be false
else
expect( check_for_package(host, 'prelink') ).to be true
end
end

it 'should enable prelink' do
it 'should enable prelink only if not in FIPS mode' do
facts = JSON.load(on(host, 'puppet facts').stdout)
expect( facts['values']['prelink'] ).to_not be nil
expect( facts['values']['prelink']['enabled'] ).to be true
if facts['values']['fips_enabled']
expect( facts['values']['prelink'] ).to be nil
else
expect( facts['values']['prelink'] ).to_not be nil
expect( facts['values']['prelink']['enabled'] ).to be true
end
end

it 'should run prelink' do
# first see if prelink cron job has already run
result = on(host, 'ls /etc/prelink.cache', :acceptable_exit_codes => [0,2])

if result.exit_code == 2
# prelink cron job has not yet been run, so try to run it
on(host, '/etc/cron.daily/prelink')
on(host, 'ls /etc/prelink.cache')
it 'should run prelink only if not in FIPS mode' do
facts = JSON.load(on(host, 'puppet facts').stdout)
if facts['values']['fips_enabled']
result = on(host, 'ls /etc/prelink.cache', :acceptable_exit_codes => [2])
else
# first see if prelink cron job has already run
result = on(host, 'ls /etc/prelink.cache', :acceptable_exit_codes => [0,2])

if result.exit_code == 2
# prelink cron job has not yet been run, so try to run it
on(host, '/etc/cron.daily/prelink')
on(host, 'ls /etc/prelink.cache')
end
end
end
end
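Review bot: All three examples parse the `puppet facts` output with `facts = JSON.load(on(host, 'puppet facts').stdout)`; `JSON.load` applies `json_class` object-creation additions by default, so `JSON.parse` is the correct call for plain data, and the triplicated fetch is better hoisted into one helper on the example group. In the FIPS branch of 'should run prelink only if not in FIPS mode', `result` is assigned and never read; `on(host, 'ls /etc/prelink.cache', :acceptable_exit_codes => [2])` on its own already asserts that the cache is absent, so the assignment can go. The enclosing `describe` block starts outside the hunk.
```ruby
# Parsed `puppet facts` values for the host under test.
def host_facts(host)
  JSON.parse(on(host, 'puppet facts').stdout)['values']
end

# … unchanged: the three examples, each reading `facts = host_facts(host)` …
if facts['fips_enabled']
  on(host, 'ls /etc/prelink.cache', :acceptable_exit_codes => [2])
else
  # … unchanged: cron-job fallback …
```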
67 changes: 47 additions & 20 deletions spec/classes/prelink_spec.rb
Expand Up @@ -16,15 +16,15 @@

context 'when prelink is installed and disabled' do
let(:facts) do
os_facts.merge( {:prelink => { :enabled => false } } )
os_facts.merge( { :prelink => { :enabled => false } } )
end

it { is_expected.to compile.with_all_deps }
it { is_expected.to create_class('simp::prelink') }
it {
is_expected.to contain_exec('remove prelinking').with( {
:command => '/etc/cron.daily/prelink',
:before =>'Package[prelink]'
:command => '/etc/cron.daily/prelink',
:before =>'Package[prelink]'
} )
}

Expand All @@ -33,7 +33,12 @@

context 'when prelink is installed and enabled' do
let(:facts) do
os_facts.merge( {:prelink => { :enabled => true } } )
os_facts.merge( {
:prelink => { :enabled => true },
# if prelink is on, FIPS cannot be enabled, because the
# system would be broken in that configuration
:fips_enabled => false
} )
end

it { is_expected.to compile.with_all_deps }
Expand All @@ -57,27 +62,49 @@

it { is_expected.to contain_package('prelink').with_ensure('absent') }
end

end

context 'when enable=true' do
let(:facts) do
os_facts
context 'when FIPS mode is not enabled' do
let(:facts) do
os_facts.merge( { :fips_enabled => false } )
end

let(:params) {{ :enable => true }}

it { is_expected.to compile.with_all_deps }
it { is_expected.to create_class('simp::prelink') }
it { is_expected.to contain_package('prelink').that_comes_before('Shellvar[enable prelink]') }
it {
is_expected.to contain_shellvar('enable prelink').with( {
:ensure => 'present',
:target => '/etc/sysconfig/prelink',
:variable => 'PRELINKING',
:value => 'yes'
} )
}
end

context 'when FIPS mode is enabled and prelink is installed' do
let(:facts) do
os_facts.merge( {
:prelink => { :enabled => false },
:fips_enabled => true
} )
end

it { is_expected.to compile.with_all_deps }
it { is_expected.to create_class('simp::prelink') }
it {
is_expected.to contain_exec('remove prelinking').with( {
:command => '/etc/cron.daily/prelink',
:before =>'Package[prelink]'
} )
}

it { is_expected.to contain_package('prelink').with_ensure('absent') }
end

let(:params) {{ :enable => true }}

it { is_expected.to compile.with_all_deps }
it { is_expected.to create_class('simp::prelink') }
it { is_expected.to contain_package('prelink').that_comes_before('Shellvar[enable prelink]') }
it {
is_expected.to contain_shellvar('enable prelink').with( {
:ensure => 'present',
:target => '/etc/sysconfig/prelink',
:variable => 'PRELINKING',
:value => 'yes'
} )
}
end
end
end
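Review bot: The new `context 'when FIPS mode is enabled and prelink is installed'` sets no params, while the `let(:params) {{ :enable => true }}` that previously applied to the whole `'when enable=true'` context now sits only inside `'when FIPS mode is not enabled'`; unless `$enable` defaults to `true` (the parameter defaults are outside this diff), that context runs with the default and would pass even without the manifest change, so it does not actually pin the FIPS override. Adding `let(:params) {{ :enable => true }}` to that context makes it test what its parent context name promises. A sibling context with `:fips_enabled => true` and no `:prelink` fact would also cover the FIPS path where nothing needs undoing. The outer `describe` starts outside the hunk.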
