Agamotto is a module that provides helper functions for testing the configuration of a running server
Project description
Agamotto
========
Agamotto is a helper module to make it easier to test a running system with
Python.
Why not use serverspec? I work in a Python shop and want our devs to be able
to easily write their own tests. Making the test suite use the same language
they use daily removes a potential friction point.
Installation
============
```bash
python setup.py install
```
TODO: Make this pip installable
Usage
=====
```python
import agamotto
import unittest2 as unittest
class TestKnownSecurityIssues(unittest.TestCase):
def testBashHasCVE_2014_6271Fix(self):
"""Confirm that fix has been installed for CVE-2014-6271 Bash Code
Injection Vulnerability via Specially Crafted Environment Variables
"""
self.assertFalse(agamotto.process.stdoutContains("(env x='() { :;}; echo vulnerable' bash -c \"echo this is a test\") 2>&1",
'vulnerable'), 'Bash is vulnerable to CVE-2014-6271')
def testBashHasCVE_2014_7169Fix(self):
"""Confirm that fix has been installed for CVE-2014-7169 Bash Code
Injection Vulnerability via Specially Crafted Environment Variables
"""
self.assertFalse(agamotto.process.stdoutContains("env X='() { (a)=>\' bash -c \"echo echo vuln\"; [[ \"$(cat echo)\" == \"vuln\" ]] && echo \"still vulnerable :(\" 2>&1",
'still vulnerable'), 'Bash is vulnerable to CVE-2014-7169')
def testNoAccountsHaveEmptyPasswords(self):
"""/etc/shadow has : separated fields. Check the password field ($2) and
make sure no accounts have a blank password.
"""
self.assertEquals(agamotto.process.execute(
'sudo awk -F: \'($2 == "") {print}\' /etc/shadow | wc -l').strip(), '0',
"found accounts with blank password")
def testRootIsTheOnlyUidZeroAccount(self):
"""/etc/passwd stores the UID in field 3. Make sure only one account entry
has uid 0.
"""
self.assertEquals(agamotto.process.execute(
'awk -F: \'($3 == "0") {print}\' /etc/passwd').strip(),
'root:x:0:0:root:/root:/bin/bash')
if __name__ == '__main__':
unittest.main()
```
Then run py.test.
Caveats
=======
We're a CentOS shop. This hasn't even been tested on stock RHEL, let alone
Debian or Ubuntu. Pull requests adding that functionality are welcome, of course.
========
Agamotto is a helper module to make it easier to test a running system with
Python.
Why not use serverspec? I work in a Python shop and want our devs to be able
to easily write their own tests. Making the test suite use the same language
they use daily removes a potential friction point.
Installation
============
```bash
python setup.py install
```
TODO: Make this pip installable
Usage
=====
```python
import agamotto
import unittest2 as unittest
class TestKnownSecurityIssues(unittest.TestCase):
def testBashHasCVE_2014_6271Fix(self):
"""Confirm that fix has been installed for CVE-2014-6271 Bash Code
Injection Vulnerability via Specially Crafted Environment Variables
"""
self.assertFalse(agamotto.process.stdoutContains("(env x='() { :;}; echo vulnerable' bash -c \"echo this is a test\") 2>&1",
'vulnerable'), 'Bash is vulnerable to CVE-2014-6271')
def testBashHasCVE_2014_7169Fix(self):
"""Confirm that fix has been installed for CVE-2014-7169 Bash Code
Injection Vulnerability via Specially Crafted Environment Variables
"""
self.assertFalse(agamotto.process.stdoutContains("env X='() { (a)=>\' bash -c \"echo echo vuln\"; [[ \"$(cat echo)\" == \"vuln\" ]] && echo \"still vulnerable :(\" 2>&1",
'still vulnerable'), 'Bash is vulnerable to CVE-2014-7169')
def testNoAccountsHaveEmptyPasswords(self):
"""/etc/shadow has : separated fields. Check the password field ($2) and
make sure no accounts have a blank password.
"""
self.assertEquals(agamotto.process.execute(
'sudo awk -F: \'($2 == "") {print}\' /etc/shadow | wc -l').strip(), '0',
"found accounts with blank password")
def testRootIsTheOnlyUidZeroAccount(self):
"""/etc/passwd stores the UID in field 3. Make sure only one account entry
has uid 0.
"""
self.assertEquals(agamotto.process.execute(
'awk -F: \'($3 == "0") {print}\' /etc/passwd').strip(),
'root:x:0:0:root:/root:/bin/bash')
if __name__ == '__main__':
unittest.main()
```
Then run py.test.
Caveats
=======
We're a CentOS shop. This hasn't even been tested on stock RHEL, let alone
Debian or Ubuntu. Pull requests adding that functionality are welcome, of course.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
agamotto-0.5.0.tar.gz
(8.9 kB
view hashes)
Built Distribution
Close
Hashes for agamotto-0.5.0-py2.py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 3ff9ab0d64f6452325f60bfcbb30b81d88f34f1e80cbf45b6c95a9022151cb1f |
|
MD5 | e211b29a3860d20b0b051f82b34c7f87 |
|
BLAKE2b-256 | e2a013b79b24a00df9468c913f8b87629c6fa47186f29abf398b12223959168a |