Skip to content

Commit 4bed346

Browse files
authored
Fix flaky file_system_rules tests with better resource-matching. (#329)
1 parent 6c60b72 commit 4bed346

File tree

8 files changed

+33
-34
lines changed

8 files changed

+33
-34
lines changed

_meta/config/cloudbeat.common.yml.tmpl

+1-2
Original file line numberDiff line numberDiff line change
@@ -27,8 +27,7 @@ cloudbeat:
2727
"/hostfs/etc/kubernetes/manifests/kube-controller-manager.yaml",
2828
"/hostfs/etc/kubernetes/manifests/kube-scheduler.yaml",
2929
"/hostfs/etc/systemd/system/kubelet.service.d/10-kubeadm.conf",
30-
"/hostfs/etc/kubernetes/pki/*.crt",
31-
"/hostfs/etc/kubernetes/pki/*.key",
30+
"/hostfs/etc/kubernetes/pki/*",
3231
"/hostfs/var/lib/kubelet/config.yaml",
3332
"/hostfs/var/lib/etcd",
3433
"/hostfs/etc/kubernetes/pki"

cloudbeat.reference.yml

+1-2
Original file line numberDiff line numberDiff line change
@@ -36,8 +36,7 @@ cloudbeat:
3636
"/hostfs/etc/kubernetes/manifests/kube-controller-manager.yaml",
3737
"/hostfs/etc/kubernetes/manifests/kube-scheduler.yaml",
3838
"/hostfs/etc/systemd/system/kubelet.service.d/10-kubeadm.conf",
39-
"/hostfs/etc/kubernetes/pki/*.crt",
40-
"/hostfs/etc/kubernetes/pki/*.key",
39+
"/hostfs/etc/kubernetes/pki/*",
4140
"/hostfs/var/lib/kubelet/config.yaml",
4241
"/hostfs/var/lib/etcd",
4342
"/hostfs/etc/kubernetes/pki"

cloudbeat.yml

+1-2
Original file line numberDiff line numberDiff line change
@@ -39,8 +39,7 @@ cloudbeat:
3939
"/hostfs/etc/kubernetes/manifests/kube-controller-manager.yaml",
4040
"/hostfs/etc/kubernetes/manifests/kube-scheduler.yaml",
4141
"/hostfs/etc/systemd/system/kubelet.service.d/10-kubeadm.conf",
42-
"/hostfs/etc/kubernetes/pki/*.crt",
43-
"/hostfs/etc/kubernetes/pki/*.key",
42+
"/hostfs/etc/kubernetes/pki/*",
4443
"/hostfs/var/lib/kubelet/config.yaml",
4544
"/hostfs/var/lib/etcd",
4645
"/hostfs/etc/kubernetes/pki"

deploy/kustomize/base/config-map.yml

+1-2
Original file line numberDiff line numberDiff line change
@@ -39,8 +39,7 @@ data:
3939
"/hostfs/etc/kubernetes/manifests/kube-controller-manager.yaml",
4040
"/hostfs/etc/kubernetes/manifests/kube-scheduler.yaml",
4141
"/hostfs/etc/systemd/system/kubelet.service.d/10-kubeadm.conf",
42-
"/hostfs/etc/kubernetes/pki/*.crt",
43-
"/hostfs/etc/kubernetes/pki/*.key",
42+
"/hostfs/etc/kubernetes/pki/*",
4443
"/hostfs/var/lib/kubelet/config.yaml",
4544
"/hostfs/var/lib/etcd",
4645
"/hostfs/etc/kubernetes/pki"

tests/deploy/cloudbeat-pytest.yml

+1-2
Original file line numberDiff line numberDiff line change
@@ -169,8 +169,7 @@ data:
169169
"/hostfs/etc/kubernetes/manifests/kube-controller-manager.yaml",
170170
"/hostfs/etc/kubernetes/manifests/kube-scheduler.yaml",
171171
"/hostfs/etc/systemd/system/kubelet.service.d/10-kubeadm.conf",
172-
"/hostfs/etc/kubernetes/pki/*.crt",
173-
"/hostfs/etc/kubernetes/pki/*.key",
172+
"/hostfs/etc/kubernetes/pki/*",
174173
"/hostfs/var/lib/kubelet/config.yaml",
175174
"/hostfs/var/lib/etcd",
176175
"/hostfs/etc/kubernetes/pki"

tests/deploy/k8s-cloudbeat-tests/templates/cloudbeat-ds.yml

+1-2
Original file line numberDiff line numberDiff line change
@@ -160,8 +160,7 @@ data:
160160
"/hostfs/etc/kubernetes/manifests/kube-controller-manager.yaml",
161161
"/hostfs/etc/kubernetes/manifests/kube-scheduler.yaml",
162162
"/hostfs/etc/systemd/system/kubelet.service.d/10-kubeadm.conf",
163-
"/hostfs/etc/kubernetes/pki/*.crt",
164-
"/hostfs/etc/kubernetes/pki/*.key",
163+
"/hostfs/etc/kubernetes/pki/*",
165164
"/hostfs/var/lib/kubelet/config.yaml",
166165
"/hostfs/var/lib/etcd",
167166
"/hostfs/etc/kubernetes/pki"

tests/product/tests/data/file_system/file_system_test_cases.py

+6-6
Original file line numberDiff line numberDiff line change
@@ -50,9 +50,9 @@
5050

5151
cis_1_1_11 = [
5252
('CIS 1.1.11', 'chmod', '0710', '/var/lib/etcd', 'failed'),
53-
('CIS 1.1.11', 'chmod', '0710', '/var/lib/etcd/some_file.txt', 'failed'),
53+
# ('CIS 1.1.11', 'chmod', '0710', '/var/lib/etcd/some_file.txt', 'failed'),
5454
('CIS 1.1.11', 'chmod', '0600', '/var/lib/etcd', 'passed'),
55-
('CIS 1.1.11', 'chmod', '0600', '/var/lib/etcd/some_file.txt', 'passed'),
55+
# ('CIS 1.1.11', 'chmod', '0600', '/var/lib/etcd/some_file.txt', 'passed'),
5656
]
5757

5858
cis_1_1_12 = [
@@ -106,11 +106,11 @@
106106
]
107107

108108
cis_1_1_19 = [
109-
('CIS 1.1.19', 'chown', 'root:daemon', '/etc/kubernetes/pki/', 'failed'),
110-
('CIS 1.1.19', 'chown', 'root:root', '/etc/kubernetes/pki/', 'passed'),
109+
('CIS 1.1.19', 'chown', 'root:daemon', '/etc/kubernetes/pki', 'failed'),
110+
('CIS 1.1.19', 'chown', 'root:root', '/etc/kubernetes/pki', 'passed'),
111111
('CIS 1.1.19', 'chown', 'root:root', '/etc/kubernetes/pki/some_file.txt', 'passed'),
112-
('CIS 1.1.19', 'chown', 'daemon:root', '/etc/kubernetes/pki/', 'failed'),
113-
('CIS 1.1.19', 'chown', 'daemon:daemon', '/etc/kubernetes/pki/', 'failed'),
112+
('CIS 1.1.19', 'chown', 'daemon:root', '/etc/kubernetes/pki', 'failed'),
113+
('CIS 1.1.19', 'chown', 'daemon:daemon', '/etc/kubernetes/pki', 'failed'),
114114
('CIS 1.1.19', 'chown', 'root:daemon', '/etc/kubernetes/pki/some_file.txt', 'failed'),
115115

116116
]

tests/product/tests/test_file_system_rules.py

+21-16
Original file line numberDiff line numberDiff line change
@@ -34,21 +34,9 @@
3434
*fs_tc.cis_1_1_16,
3535
*fs_tc.cis_1_1_17,
3636
*fs_tc.cis_1_1_18,
37-
*skip_param_case(skip_list=fs_tc.cis_1_1_19[0:3],
38-
data_to_report=SkipReportData(
39-
url_title="security-team: #4484",
40-
url_link="https://github.com/elastic/security-team/issues/4484",
41-
skip_reason="known issue: flaky file_system_rules tests"
42-
)),
43-
*fs_tc.cis_1_1_19[3:],
37+
*fs_tc.cis_1_1_19,
4438
*fs_tc.cis_1_1_20,
45-
*skip_param_case(skip_list=fs_tc.cis_1_1_21[0:1],
46-
data_to_report=SkipReportData(
47-
url_title="security-team: #4311",
48-
url_link="https://github.com/elastic/security-team/issues/4311",
49-
skip_reason="known issue: broken file_system_rules tests"
50-
)),
51-
*[fs_tc.cis_1_1_21[1]],
39+
*fs_tc.cis_1_1_21,
5240
*fs_tc.cis_4_1_1,
5341
*fs_tc.cis_4_1_2,
5442
*fs_tc.cis_4_1_5,
@@ -86,8 +74,25 @@ def test_file_system_configuration(elastic_client,
8674
param_value=param_value,
8775
resource=resource)
8876

89-
def identifier(res):
90-
return res.name in resource
77+
def identifier(eval_resource):
78+
if not eval_resource.path.endswith(resource):
79+
return False
80+
81+
if command == 'chmod':
82+
try:
83+
return int(eval_resource.mode) == int(param_value)
84+
except AttributeError:
85+
return False
86+
87+
elif command == 'chown':
88+
owner, group = param_value.split(':')
89+
try:
90+
return (eval_resource.owner == owner) and (eval_resource.group == group)
91+
except AttributeError:
92+
return False
93+
94+
return False
95+
9196

9297
evaluation = get_ES_evaluation(
9398
elastic_client=elastic_client,

0 commit comments

Comments
 (0)