import pytest
from .util.util import get_ansible, get_variable, get_from_url, jinja_replacement
# Module-level testinfra wiring: get_ansible() (project helper from .util.util)
# returns the runner and the host list; presumably testinfra reads the
# `testinfra_hosts` attribute to parametrize the `host` fixture used below.
testinfra_runner, testinfra_hosts = get_ansible()
def test_apt_transport_https_installed(host):
    """Verify that apt-transport-https is installed when the lynis repository is managed.

    Skips unless the Ansible variable ``lynis_configure_repository`` is truthy,
    the same gate the repository-configuration tests in this module use.
    """
    configure_repo = get_variable(host, "lynis_configure_repository")
    if not configure_repo:
        pytest.skip("lynis_configure_repository is not defined")

    assert host.package("apt-transport-https").is_installed
def test_lynis_gpg_key_present(host):
    """Verify the lynis repository signing key is installed, root-owned and matches upstream.

    Skips unless ``lynis_configure_repository`` is truthy. The expected key
    material is downloaded from ``lynis_debian_repository_key`` at test time,
    so this assertion also fails if the published key changes after the host
    was provisioned.
    """
    if not get_variable(host, "lynis_configure_repository"):
        pytest.skip("lynis_configure_repository is not defined")

    key_url = get_variable(host, "lynis_debian_repository_key")
    expected_key = get_from_url(f"{key_url}")

    installed_key = host.file("/etc/apt/trusted.gpg.d/lynis.asc")
    assert installed_key.exists
    # Root-owned and writable only by root; world-readable is acceptable for a
    # public signing key, hence 0644.
    assert installed_key.user == "root"
    assert installed_key.group == "root"
    assert installed_key.mode == 0o644
    # Exact comparison with what the key URL currently serves.
    assert installed_key.content_string == expected_key
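def test_lynis_repository_configured(host):
    """Verify the lynis apt source file exists, is root-only and contains the expected entry.

    Skips unless ``lynis_configure_repository`` is truthy. The expected entry is
    ``lynis_debian_repository`` with its ``lynis_debian_repository_arch``
    placeholder rendered via ``jinja_replacement``; it is searched for as a
    substring of the file, so extra lines in the file do not fail the test.
    """
    if not get_variable(host, "lynis_configure_repository"):
        pytest.skip("lynis_configure_repository is not defined")

    repo_arch = get_variable(host, "lynis_debian_repository_arch")
    expected_repository = jinja_replacement(
        get_variable(host, "lynis_debian_repository"),
        {"lynis_debian_repository_arch": repo_arch},
    )

    # Single definition of the path, reused for the metadata check and the
    # privileged read below so the two cannot drift apart.
    repo_path = "/etc/apt/sources.list.d/lynis.list"
    repo_file = host.file(repo_path)
    assert repo_file.exists
    # The source file is expected to be readable by root only (0600), which is
    # why its content is read with sudo instead of repo_file.content_string.
    assert repo_file.user == "root"
    assert repo_file.group == "root"
    assert repo_file.mode == 0o600

    with host.sudo("root"):
        # testinfra shell-quotes positional arguments substituted into the
        # command, so the path is never spliced into the shell string raw.
        repo_file_content = host.check_output("cat %s", repo_path)

    assert expected_repository in repo_file_content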
def test_lynis_package_installed(host):
    """Verify the package named by the Ansible variable ``lynis_package_name`` is installed."""
    package_name = get_variable(host, "lynis_package_name")
    assert host.package(package_name).is_installed