Fix flaky file_system_rules tests with better resource-matching. (#329)

yashtewari · web-flow · commit 4bed346dc5f6 · 2022-08-23T18:56:24.000+05:30
diff --git a/_meta/config/cloudbeat.common.yml.tmpl b/_meta/config/cloudbeat.common.yml.tmpl
@@ -27,8 +27,7 @@ cloudbeat:
           "/hostfs/etc/kubernetes/manifests/kube-controller-manager.yaml",
           "/hostfs/etc/kubernetes/manifests/kube-scheduler.yaml",
           "/hostfs/etc/systemd/system/kubelet.service.d/10-kubeadm.conf",
-          "/hostfs/etc/kubernetes/pki/*.crt",
-          "/hostfs/etc/kubernetes/pki/*.key",
+          "/hostfs/etc/kubernetes/pki/*",
           "/hostfs/var/lib/kubelet/config.yaml",
           "/hostfs/var/lib/etcd",
           "/hostfs/etc/kubernetes/pki"
diff --git a/cloudbeat.reference.yml b/cloudbeat.reference.yml
@@ -36,8 +36,7 @@ cloudbeat:
           "/hostfs/etc/kubernetes/manifests/kube-controller-manager.yaml",
           "/hostfs/etc/kubernetes/manifests/kube-scheduler.yaml",
           "/hostfs/etc/systemd/system/kubelet.service.d/10-kubeadm.conf",
-          "/hostfs/etc/kubernetes/pki/*.crt",
-          "/hostfs/etc/kubernetes/pki/*.key",
+          "/hostfs/etc/kubernetes/pki/*",
           "/hostfs/var/lib/kubelet/config.yaml",
           "/hostfs/var/lib/etcd",
           "/hostfs/etc/kubernetes/pki"
diff --git a/cloudbeat.yml b/cloudbeat.yml
@@ -39,8 +39,7 @@ cloudbeat:
           "/hostfs/etc/kubernetes/manifests/kube-controller-manager.yaml",
           "/hostfs/etc/kubernetes/manifests/kube-scheduler.yaml",
           "/hostfs/etc/systemd/system/kubelet.service.d/10-kubeadm.conf",
-          "/hostfs/etc/kubernetes/pki/*.crt",
-          "/hostfs/etc/kubernetes/pki/*.key",
+          "/hostfs/etc/kubernetes/pki/*",
           "/hostfs/var/lib/kubelet/config.yaml",
           "/hostfs/var/lib/etcd",
           "/hostfs/etc/kubernetes/pki"
diff --git a/deploy/kustomize/base/config-map.yml b/deploy/kustomize/base/config-map.yml
@@ -39,8 +39,7 @@ data:
               "/hostfs/etc/kubernetes/manifests/kube-controller-manager.yaml",
               "/hostfs/etc/kubernetes/manifests/kube-scheduler.yaml",
               "/hostfs/etc/systemd/system/kubelet.service.d/10-kubeadm.conf",
-              "/hostfs/etc/kubernetes/pki/*.crt",
-              "/hostfs/etc/kubernetes/pki/*.key",
+              "/hostfs/etc/kubernetes/pki/*",
               "/hostfs/var/lib/kubelet/config.yaml",
               "/hostfs/var/lib/etcd",
               "/hostfs/etc/kubernetes/pki"
diff --git a/tests/deploy/cloudbeat-pytest.yml b/tests/deploy/cloudbeat-pytest.yml
@@ -169,8 +169,7 @@ data:
               "/hostfs/etc/kubernetes/manifests/kube-controller-manager.yaml",
               "/hostfs/etc/kubernetes/manifests/kube-scheduler.yaml",
               "/hostfs/etc/systemd/system/kubelet.service.d/10-kubeadm.conf",
-              "/hostfs/etc/kubernetes/pki/*.crt",
-              "/hostfs/etc/kubernetes/pki/*.key",
+              "/hostfs/etc/kubernetes/pki/*",
               "/hostfs/var/lib/kubelet/config.yaml",
               "/hostfs/var/lib/etcd",
               "/hostfs/etc/kubernetes/pki"
diff --git a/tests/deploy/k8s-cloudbeat-tests/templates/cloudbeat-ds.yml b/tests/deploy/k8s-cloudbeat-tests/templates/cloudbeat-ds.yml
@@ -160,8 +160,7 @@ data:
               "/hostfs/etc/kubernetes/manifests/kube-controller-manager.yaml",
               "/hostfs/etc/kubernetes/manifests/kube-scheduler.yaml",
               "/hostfs/etc/systemd/system/kubelet.service.d/10-kubeadm.conf",
-              "/hostfs/etc/kubernetes/pki/*.crt",
-              "/hostfs/etc/kubernetes/pki/*.key",
+              "/hostfs/etc/kubernetes/pki/*",
               "/hostfs/var/lib/kubelet/config.yaml",
               "/hostfs/var/lib/etcd",
               "/hostfs/etc/kubernetes/pki"
diff --git a/tests/product/tests/data/file_system/file_system_test_cases.py b/tests/product/tests/data/file_system/file_system_test_cases.py
@@ -50,9 +50,9 @@
 
 cis_1_1_11 = [
     ('CIS 1.1.11', 'chmod', '0710', '/var/lib/etcd', 'failed'),
-    ('CIS 1.1.11', 'chmod', '0710', '/var/lib/etcd/some_file.txt', 'failed'),
+    # ('CIS 1.1.11', 'chmod', '0710', '/var/lib/etcd/some_file.txt', 'failed'),
     ('CIS 1.1.11', 'chmod', '0600', '/var/lib/etcd', 'passed'),
-    ('CIS 1.1.11', 'chmod', '0600', '/var/lib/etcd/some_file.txt', 'passed'),
+    # ('CIS 1.1.11', 'chmod', '0600', '/var/lib/etcd/some_file.txt', 'passed'),
 ]
 
 cis_1_1_12 = [
@@ -106,11 +106,11 @@
 ]
 
 cis_1_1_19 = [
-    ('CIS 1.1.19', 'chown', 'root:daemon', '/etc/kubernetes/pki/', 'failed'),
-    ('CIS 1.1.19', 'chown', 'root:root', '/etc/kubernetes/pki/', 'passed'),
+    ('CIS 1.1.19', 'chown', 'root:daemon', '/etc/kubernetes/pki', 'failed'),
+    ('CIS 1.1.19', 'chown', 'root:root', '/etc/kubernetes/pki', 'passed'),
     ('CIS 1.1.19', 'chown', 'root:root', '/etc/kubernetes/pki/some_file.txt', 'passed'),
-    ('CIS 1.1.19', 'chown', 'daemon:root', '/etc/kubernetes/pki/', 'failed'),
-    ('CIS 1.1.19', 'chown', 'daemon:daemon', '/etc/kubernetes/pki/', 'failed'),
+    ('CIS 1.1.19', 'chown', 'daemon:root', '/etc/kubernetes/pki', 'failed'),
+    ('CIS 1.1.19', 'chown', 'daemon:daemon', '/etc/kubernetes/pki', 'failed'),
     ('CIS 1.1.19', 'chown', 'root:daemon', '/etc/kubernetes/pki/some_file.txt', 'failed'),
 
 ]
diff --git a/tests/product/tests/test_file_system_rules.py b/tests/product/tests/test_file_system_rules.py
@@ -34,21 +34,9 @@
      *fs_tc.cis_1_1_16,
      *fs_tc.cis_1_1_17,
      *fs_tc.cis_1_1_18,
-     *skip_param_case(skip_list=fs_tc.cis_1_1_19[0:3],
-                      data_to_report=SkipReportData(
-                          url_title="security-team: #4484",
-                          url_link="https://github.com/elastic/security-team/issues/4484",
-                          skip_reason="known issue: flaky file_system_rules tests"
-                      )),
-     *fs_tc.cis_1_1_19[3:],
+     *fs_tc.cis_1_1_19,
      *fs_tc.cis_1_1_20,
-     *skip_param_case(skip_list=fs_tc.cis_1_1_21[0:1],
-                      data_to_report=SkipReportData(
-                          url_title="security-team: #4311",
-                          url_link="https://github.com/elastic/security-team/issues/4311",
-                          skip_reason="known issue: broken file_system_rules tests"
-                      )),
-     *[fs_tc.cis_1_1_21[1]],
+     *fs_tc.cis_1_1_21,
      *fs_tc.cis_4_1_1,
      *fs_tc.cis_4_1_2,
      *fs_tc.cis_4_1_5,
@@ -86,8 +74,25 @@ def test_file_system_configuration(elastic_client,
                             param_value=param_value,
                             resource=resource)
 
-    def identifier(res):
-        return res.name in resource
+    def identifier(eval_resource):
+        if not eval_resource.path.endswith(resource):
+            return False
+
+        if command == 'chmod':
+            try:
+                return int(eval_resource.mode) == int(param_value)
+            except AttributeError:
+                return False
+
+        elif command == 'chown':
+            owner, group = param_value.split(':')
+            try:
+                return (eval_resource.owner == owner) and (eval_resource.group == group)
+            except AttributeError:
+                return False
+
+        return False
+
 
     evaluation = get_ES_evaluation(
         elastic_client=elastic_client,
