test/doc/source/manual_tests/security/security_file_access.rst

Appropriate File Access

SECURITY_Appro_File_Access_01

Test ID

SECURITY_Appro_File_Access_01

Test Title

File permission after initial install.

Tags

Security

Testcase Objective

Verify "opt/platform" and "etc/(system)-config" file permission after initial install.

Test Pre-Conditions

New Starlingx configuration lab install with all nodes up and running.

Test Steps

1. Go to active controller and make sure that all config files have at least this kind of permission by root ""-rw-r--r--"". If there are some other config files with less permissions is ok.

$ ls -la /etc/*.conf
i.e.
controller-0:/etc$ ls -la /etc/*.conf
  -rw-r--r--. 1 root root   55 Apr 10  2018 /etc/asound.conf
  -rw-r--r--  1 root root 3661 Feb  8 15:23 /etc/collectd.conf
  -rw-r-----  1 root root 2643 Feb  8 15:23 /etc/dnsmasq.conf
  -rw-r--r--. 1 root root 1285 Apr 11  2018 /etc/dracut.conf
  -rw-r-----  1 root root   71 Feb  8 15:19 /etc/drbd.conf
  ...

2. Go to active controller and make sure that /opt/platform/* files have following permission (If there are some other files with less permissions is ok), use following command to get /opt/platform file tree.

i.e.
controller-0:/opt/platform# ls -R | grep "":$"" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/   /' -e 's/-/|/'
|-config
|---18.10
|-----branding
|-----postgresql
|-----pxelinux.cfg
|-----ssh_config
|-lost+found
|-nfv
|---vim
|-----18.10
|-puppet
|---18.10
|-----hieradata
|-sysinv
|---18.10

Use the following command to get all file permissions.

i.e.
controller-0:/opt/platform# ls -ll -R
.:
total 32
drwxr-xr-x 3 root   root  4096 Feb  8 15:20 config
-rw-r--r-- 1 root   root     0 Feb 11 13:09 files.txt
drwx------ 2 root   root 16384 Feb  8 15:19 lost+found
drwxr-xr-x 3 root   root  4096 Feb  8 15:32 nfv
drwxr-xr-x 3 root   root  4096 Feb  8 15:20 puppet
drwxr-xr-x 3 sysinv root  4096 Feb  8 15:20 sysinv

./config:
total 4
drwxr-xr-x 6 root root 4096 Feb  8 15:54 18.10

./config/18.10:
total 44
drwxr-xr-x 2 root root 4096 Feb  8 15:20 branding
-rw-r--r-- 1 root root 1895 Feb  8 15:18 cgcs_config
-rw-r--r-- 1 root root  338 Feb  8 15:43 dnsmasq.addn_hosts
-rw-r--r-- 1 root root    1 Feb  8 15:20 dnsmasq.addn_hosts_dc
-rw-r--r-- 1 root root  338 Feb  8 16:03 dnsmasq.addn_hosts.temp
-rw-r--r-- 1 root root  222 Feb  8 15:54 dnsmasq.hosts
-rw-r--r-- 1 root root  222 Feb  8 16:03 dnsmasq.hosts.temp
-rw-r--r-- 1 root root    0 Feb  9 16:04 dnsmasq.leases
-rw-r--r-- 1 root root  526 Feb  8 15:30 hosts
drwxr-xr-x 2 root root 4096 Feb  8 15:20 postgresql
drwxr-xr-x 2 root root 4096 Feb  8 16:03 pxelinux.cfg
drwxr-xr-x 2 root root 4096 Feb  8 15:18 ssh_config

./config/18.10/branding:
total 4
-rwxr-xr-x 1 root root 525 Oct  3 14:37 horizon-region-exclusions.csv

./config/18.10/postgresql:
total 28
-rw-r----- 1 postgres postgres   929 Feb  8 15:19 pg_hba.conf
-rw-r----- 1 postgres postgres    47 Feb  8 15:19 pg_ident.conf
-rw------- 1 postgres postgres 20195 Feb  8 15:19 postgresql.conf

./config/18.10/pxelinux.cfg:
total 16
-rw-r--r-- 1 root root 861 Feb  8 16:03 01-52-54-00-c8-5c-10
-rw-r--r-- 1 root root 939 Feb  8 15:46 01-52-54-00-c8-84-5c
lrwxrwxrwx 1 root root  35 Feb  8 15:31 default -> /var/pxeboot/pxelinux.cfg.files/default
-rw-r--r-- 1 root root 684 Feb  8 16:03 efi-01-52-54-00-c8-5c-10
-rw-r--r-- 1 root root 762 Feb  8 15:46 efi-01-52-54-00-c8-84-5c
lrwxrwxrwx 1 root root  36 Feb  8 15:31 grub.cfg -> /var/pxeboot/pxelinux.cfg.files/grub.cfg

./config/18.10/ssh_config:
total 16
-rw------- 1 root root 1679 Feb  8 15:18 nova_migration_key
-rw-r--r-- 1 root root  396 Feb  8 15:18 nova_migration_key.pub
-rw------- 1 root root  227 Feb  8 15:18 system_host_key
-rw-r--r-- 1 root root  176 Feb  8 15:18 system_host_key.pub

./lost+found:
total 0

./nfv:
total 4
drwxr-xr-x 3 root root 4096 Feb  8 15:32 vim

./nfv/vim:
total 4
drwxr-xr-x 2 root root 4096 Feb  8 15:54 18.10

./nfv/vim/18.10:
total 1112
-rw-r--r-- 1 root root   49152 Feb 11 13:03 vim_db_v1
-rw-r--r-- 1 root root   32768 Feb 11 13:08 vim_db_v1-shm
-rw-r--r-- 1 root root 1049080 Feb 11 13:08 vim_db_v1-wal

./puppet:
total 4
drwxr-xr-x 3 root root 4096 Feb  8 15:20 18.10

./puppet/18.10:
total 4
drwxr-xr-x 2 root root 4096 Feb  8 16:03 hieradata

./puppet/18.10/hieradata:
total 92
-rw------- 1 root root  9627 Feb  8 15:54 192.168.204.3.yaml
-rw------- 1 root root  9620 Feb  8 16:03 192.168.204.4.yaml
-rw------- 1 root root  8494 Feb  8 15:18 secure_static.yaml
-rw------- 1 root root  3196 Feb  8 16:03 secure_system.yaml
-rw------- 1 root root  1968 Feb  8 15:18 static.yaml
-rw------- 1 root root 45299 Feb  8 16:03 system.yaml

./sysinv:
total 4
drwxr-xr-x 2 sysinv root 4096 Feb  8 15:26 18.10

./sysinv/18.10:
total 4
-rw-r--r-- 1 root root 1505 Feb  8 15:26 sysinv.conf.default

Expected Behavior

1. All ls -la /etc/*.conf config files have at least -rw-r--r-- permissions.
2. All /opt/platform files have proper permissions.

SECURITY_Appro_File_Access_02

Test ID

SECURITY_Appro_File_Access_02

Test Title

File permission after reboot nodes.

Tags

Security

Testcase Objective

Verify "opt/platform" and "etc/(system)-config" file permission after reboot nodes.

Test Pre-Conditions

Any Starlingx configuration lab with all nodes rebooted, up and running.

Test Steps

1. Go to active controller and make sure that all config files have at least this kind of permission by root ""-rw-r--r--"". If there are some other config files with less permissions is ok.

$ ls -la /etc/*.conf
i.e.

controller-0:/etc$ ls -la /etc/*.conf
-rw-r--r--. 1 root root   55 Apr 10  2018 /etc/asound.conf
-rw-r--r--  1 root root 3661 Feb  8 15:23 /etc/collectd.conf
-rw-r-----  1 root root 2643 Feb  8 15:23 /etc/dnsmasq.conf
-rw-r--r--. 1 root root 1285 Apr 11  2018 /etc/dracut.conf
-rw-r-----  1 root root   71 Feb  8 15:19 /etc/drbd.conf
...

2. Go to active controller and make sure that /opt/platform/* files have following permission (If there are some other files with less permissions is ok), use following command to get /opt/platform file tree.

i.e.

controller-0:/opt/platform# ls -R | grep "":$"" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/   /' -e 's/-/|/'
 .
 |-config
 |---18.10
 |-----branding
 |-----postgresql
 |-----pxelinux.cfg
 |-----ssh_config
 |-lost+found
 |-nfv
 |---vim
 |-----18.10
 |-puppet
 |---18.10
 |-----hieradata
 |-sysinv
 |---18.10

 Use the following command to get all file permissions.
 i.e.
 controller-0:/opt/platform# ls -ll -R
.:
total 32
drwxr-xr-x 3 root   root  4096 Feb  8 15:20 config
-rw-r--r-- 1 root   root     0 Feb 11 13:09 files.txt
drwx------ 2 root   root 16384 Feb  8 15:19 lost+found
drwxr-xr-x 3 root   root  4096 Feb  8 15:32 nfv
drwxr-xr-x 3 root   root  4096 Feb  8 15:20 puppet
drwxr-xr-x 3 sysinv root  4096 Feb  8 15:20 sysinv

./config:
total 4
drwxr-xr-x 6 root root 4096 Feb  8 15:54 18.10

./config/18.10:
total 44
drwxr-xr-x 2 root root 4096 Feb  8 15:20 branding
-rw-r--r-- 1 root root 1895 Feb  8 15:18 cgcs_config
-rw-r--r-- 1 root root  338 Feb  8 15:43 dnsmasq.addn_hosts
-rw-r--r-- 1 root root    1 Feb  8 15:20 dnsmasq.addn_hosts_dc
-rw-r--r-- 1 root root  338 Feb  8 16:03 dnsmasq.addn_hosts.temp
-rw-r--r-- 1 root root  222 Feb  8 15:54 dnsmasq.hosts
-rw-r--r-- 1 root root  222 Feb  8 16:03 dnsmasq.hosts.temp
-rw-r--r-- 1 root root    0 Feb  9 16:04 dnsmasq.leases
-rw-r--r-- 1 root root  526 Feb  8 15:30 hosts
drwxr-xr-x 2 root root 4096 Feb  8 15:20 postgresql
drwxr-xr-x 2 root root 4096 Feb  8 16:03 pxelinux.cfg
drwxr-xr-x 2 root root 4096 Feb  8 15:18 ssh_config

./config/18.10/branding:
total 4
-rwxr-xr-x 1 root root 525 Oct  3 14:37 horizon-region-exclusions.csv

./config/18.10/postgresql:
total 28
-rw-r----- 1 postgres postgres   929 Feb  8 15:19 pg_hba.conf
-rw-r----- 1 postgres postgres    47 Feb  8 15:19 pg_ident.conf
-rw------- 1 postgres postgres 20195 Feb  8 15:19 postgresql.conf

./config/18.10/pxelinux.cfg:
total 16
-rw-r--r-- 1 root root 861 Feb  8 16:03 01-52-54-00-c8-5c-10
-rw-r--r-- 1 root root 939 Feb  8 15:46 01-52-54-00-c8-84-5c
lrwxrwxrwx 1 root root  35 Feb  8 15:31 default -> /var/pxeboot/pxelinux.cfg.files/default
-rw-r--r-- 1 root root 684 Feb  8 16:03 efi-01-52-54-00-c8-5c-10
-rw-r--r-- 1 root root 762 Feb  8 15:46 efi-01-52-54-00-c8-84-5c
lrwxrwxrwx 1 root root  36 Feb  8 15:31 grub.cfg -> /var/pxeboot/pxelinux.cfg.files/grub.cfg

./config/18.10/ssh_config:
total 16
-rw------- 1 root root 1679 Feb  8 15:18 nova_migration_key
-rw-r--r-- 1 root root  396 Feb  8 15:18 nova_migration_key.pub
-rw------- 1 root root  227 Feb  8 15:18 system_host_key
-rw-r--r-- 1 root root  176 Feb  8 15:18 system_host_key.pub

./lost+found:
total 0

./nfv:
total 4
drwxr-xr-x 3 root root 4096 Feb  8 15:32 vim

./nfv/vim:
total 4
drwxr-xr-x 2 root root 4096 Feb  8 15:54 18.10

./nfv/vim/18.10:
total 1112
-rw-r--r-- 1 root root   49152 Feb 11 13:03 vim_db_v1
-rw-r--r-- 1 root root   32768 Feb 11 13:08 vim_db_v1-shm
-rw-r--r-- 1 root root 1049080 Feb 11 13:08 vim_db_v1-wal

./puppet:
total 4
drwxr-xr-x 3 root root 4096 Feb  8 15:20 18.10

./puppet/18.10:
total 4
drwxr-xr-x 2 root root 4096 Feb  8 16:03 hieradata

./puppet/18.10/hieradata:
total 92
-rw------- 1 root root  9627 Feb  8 15:54 192.168.204.3.yaml
-rw------- 1 root root  9620 Feb  8 16:03 192.168.204.4.yaml
-rw------- 1 root root  8494 Feb  8 15:18 secure_static.yaml
-rw------- 1 root root  3196 Feb  8 16:03 secure_system.yaml
-rw------- 1 root root  1968 Feb  8 15:18 static.yaml
-rw------- 1 root root 45299 Feb  8 16:03 system.yaml

./sysinv:
total 4
drwxr-xr-x 2 sysinv root 4096 Feb  8 15:26 18.10

./sysinv/18.10:
total 4
-rw-r--r-- 1 root root 1505 Feb  8 15:26 sysinv.conf.default

Expected Behavior

1. All "ls -la /etc/*.conf" config files have at least "-rw-r--r--" permissions.

2. All /opt/platform files have proper permissions.

SECURITY_Appro_File_Access_03

Test ID

SECURITY_Appro_File_Access_03

Test Title

bash.log behaviour on node.

Tags

Security

Testcase Objective

Validate bash.log behavior on node.

Test Pre-Conditions

At least 1 Controller + 1 compute + 1 Storage

Test Steps

1. On node type:

$ sudo lsattr /var/log/bash.log

and confirm that bash.log is set to append only.

-----a-------e-- bash.log <-- append-only attr on

2- On node type

$ sudo lsattr /var/log/user.log

and confirm that bash.log is set to append only.

-------------e-- user.log <-- append-only attr off""

3- Attempt to edit bash.log, modify the existing data and save the file.

$ sudo vim /var/log/bash.log

::

Hit ´i´ to change to INSERT mode Edit the file Hit Escape, :wq! ""

4- Attempt to remove the append-only attribute of bash.log

$ sudo chattr -a bash.log in order to

Repeat steps on a compute and storage nodes.

Expected Behavior

• Confirm append-only attribute ON of bash.log
• Confirm append-only attribute OFF of user.log
• Validate that this is blocked and system gets back with

"/var/log/bash.log ERROR:: Can´t open file for writing remove the append-only attribute."

• Validate this is rejected.
• Steps validated on compute and storage nodes.

References: