simp / inspec-profile-disa_stig-el7

InSpec Profile for the EL7 DISA STIG
Apache License 2.0

Combine checks for number of 'cert_policy' lines and inclusion of 'os… #72

Closed Bialogs closed 4 years ago

Bialogs commented 5 years ago

…cp_on' option in V-72433

Closes #56

aaronlippold commented 5 years ago

If it doesn't exist, then do we jump to a 'skip' case or is it NA? Didn't read, but agree that we need to cover this and build in the logic.

Aaron Lippold

lippold@gmail.com

260-255-4779

twitter/aim/yahoo,etc. 'aaronlippold'

On Mon, Mar 11, 2019 at 1:04 PM Trevor Vaughan notifications@github.com wrote:

@trevor-vaughan requested changes on this pull request.

In controls/V-72433.rb https://github.com/simp/inspec-profile-disa_stig-el7/pull/72#discussion_r264333825 :

  • describe command("grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | wc -l") do
  • its('stdout.strip.to_i') { should cmp >= 3 }
  • end if smart_card_status.eql?('enabled')
  • describe "The system is not smartcard enabled" do
  • skip "The system is not using Smartcards / PIVs to fulfil the MFA requirement, this control is Not Applicable."
  • end if !smart_card_status.eql?('enabled')
  • if smart_card_status.eql?('enabled')
  • cert_policy_lines = file('/etc/pam_pkcs11/pam_pkcs11.conf').content.lines.grep(%r{^(?!.+#).*cert_policy}i)
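Review bot: the comment filter on the last quoted line, `%r{^(?!.+#).*cert_policy}i`, does not do what the negative lookahead suggests: `(?!.+#)` only rejects lines that contain a `#` somewhere after the first character, so a directive commented out at column 1 (`#cert_policy = ...`) is still counted, while a valid directive carrying a trailing comment (`cert_policy = ca, signature; # note`) is dropped. Stripping trailing comments with `sub(/#.*/, '')` and then matching the whitespace-stripped line against `/\Acert_policy\s*=/i` gives the intended count. Separately, when `/etc/pam_pkcs11/pam_pkcs11.conf` is absent `file(...).content` is `nil`, so `.lines` raises `NoMethodError` instead of reporting a clear failure; a `describe file(...) do it { should exist } end` guard ahead of this block would surface the missing file as a proper finding.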

This will fail if /etc/pam_pkcs11/pam_pkcs11.conf does not exist.

Probably need a test just before all of this to ensure that the file exists at all since, if it doesn't, the whole thing fails anyway.


trevor-vaughan commented 5 years ago

@aaronlippold If it doesn't exist, it would be a failure, yes?

aaronlippold commented 5 years ago

Yes, if smart_card_enabled and for whatever reason the file doesn't exist then we would fail the tests - but rather than failing with confusing nil expect to match something, we should just throw a resource failure exception.


aaronlippold commented 5 years ago

So after chatting with Jerry ... if we 'wrap' this test set in a file(...) { should exist } and make it fail fast then we should report as expected.

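A plain-Ruby model of the logic settled on above (N/A when smart cards are not enabled, fail fast on a missing file, count only uncommented cert_policy lines), added here as an example that is not the profile's own control code. It assumes the option each directive must carry is `ocsp_on` and that an absent file presents as `nil` content, as `file(...).content` does in InSpec.

```ruby
# Added example, not code from the simp profile: plain Ruby that models the
# V-72433 decision logic discussed in this thread, so the comment handling and
# the missing-file path can be exercised outside InSpec.

MIN_CERT_POLICY_LINES = 3          # the ">= 3" threshold from the quoted check
REQUIRED_OPTION       = 'ocsp_on'  # assumption: the option the PR title refers to

# Return the active cert_policy directives in a pam_pkcs11.conf body.
# Whole-line comments (indented or not) are dropped and trailing "# ..."
# comments are stripped before matching, so a commented-out directive is
# never counted and a directive with a trailing note still is.
def cert_policy_lines(content)
  content.lines.map { |line| line.sub(/#.*/, '').strip }
         .grep(/\Acert_policy\s*=/i)
end

# Mirror the control's outcomes as symbols:
#   :not_applicable  smart cards are not used for MFA, so the control is N/A
#   :missing_file    pam_pkcs11.conf is absent; fail fast instead of calling
#                    .lines on nil (file(...).content is nil for a missing file)
#   :fail / :pass    too few directives, or one lacks the required option
def check_cert_policy(smart_card_status, config_content)
  return :not_applicable unless smart_card_status == 'enabled'
  return :missing_file if config_content.nil?
  lines = cert_policy_lines(config_content)
  return :fail if lines.size < MIN_CERT_POLICY_LINES
  ok = lines.all? do |l|
    l.split('=', 2).last.split(/[,;\s]+/).include?(REQUIRED_OPTION)
  end
  ok ? :pass : :fail
end

# Constructed sample config: three active directives plus one commented out
# and one with a trailing comment; `grep cert_policy | wc -l` would report 4.
SAMPLE_CONF = <<~CONF
  pkcs11_module opensc {
    #cert_policy = none;
    cert_policy = ca, signature, ocsp_on;   # opensc
  }
  pkcs11_module coolkey {
    cert_policy = ca, ocsp_on, signature;
  }
  pkcs11_module default {
    cert_policy = ca, signature, ocsp_on;
  }
CONF

puts check_cert_policy('enabled', SAMPLE_CONF)  # => pass
```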

djhaynes commented 4 years ago

I think this can be closed out because of PR #109.