Automatus tests fail with "Environment failed to prepare" when rules which are not applicable to containers (e.g. `platform` is `machine`, `system_with_kernel`, `systemd`, ...) are tested in a container environment and try to manipulate a component which is not applicable to containers (kernel modules, sysctl, systemd services, apparmor profiles, ...).

An example rule which tests fine in a VM but fails to test in a container is `all_apparmor_profiles_in_enforce_complain_mode`:

```
$ tests/test_rule_in_container.sh --no-make-applicable-in-containers --dontclean --logdir logs_bash --remediate-using bash --name ssg_test_suite --datastream build/ssg-ubuntu2204-ds.xml all_apparmor_profiles_in_enforce_complain_mode
ERROR - Rule 'all_apparmor_profiles_in_enforce_complain_mode' test setup script 'correct_all_apparmor_profiles_in_enforce.pass.sh' failed with exit code 1
ERROR - Environment failed to prepare, skipping test
```

By adding the following to the test scenario, the issue is resolved:

```bash
# Skip the scenario when running inside a container (Docker or Podman marker files)
if [ -f /.dockerenv ] || [ -f /run/.containerenv ]; then
    exit 0
fi
```

The ssg test suite does not take into account the various applicability definitions in the rule when deciding which tests to run. The evaluation of applicability (machine vs container) is performed only after the test environment is already prepared, which can result in the test failing if the environment is not set up correctly in a non-supported environment.
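The issue's reason paragraph describes the missing check: applicability should be decided from the rule's `platform` definition before any setup script runs, not after the environment is prepared. The following is an added example (not code from the issue or from the ComplianceAsCode test suite) of what such a pre-flight check looks like. The function names, the simplified `rule.yml` parsing, the set of non-container platforms and the sample rule text are assumptions constructed for the example; the container marker files are the two the issue's own guard checks.

```python
"""Added example (hypothetical, not the ComplianceAsCode test suite's code):
decide whether a rule's test scenario should run in a container BEFORE
preparing the test environment, using the rule's platform applicability."""
import os

# Platforms the issue names as not applicable to containers.
# Assumption: the real project's list is larger; this is an illustrative subset.
NON_CONTAINER_PLATFORMS = {"machine", "system_with_kernel", "systemd"}

# Marker files used by the guard snippet in the issue (Docker / Podman).
CONTAINER_MARKERS = ("/.dockerenv", "/run/.containerenv")

# Constructed sample rule.yml fragment (not a real rule file from the project).
SAMPLE_RULE_YML = """\
documentation_complete: true
title: 'Sample rule that only makes sense on a full machine'
platform: machine
"""


def in_container(exists=os.path.exists):
    """Return True when any container marker file is present.

    `exists` is injectable so the check can be exercised without a container.
    """
    return any(exists(marker) for marker in CONTAINER_MARKERS)


def rule_platforms(rule_yml_text):
    """Extract platform names from a rule.yml fragment.

    Assumption: only the single-line `platform:` key is handled, with
    conjunctions joined by `and` (e.g. `platform: machine and package[foo]`).
    Disjunctions (`or`) are left out on purpose; they need the full grammar.
    """
    for line in rule_yml_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("platform:"):
            expr = stripped[len("platform:"):].strip()
            return [tok.strip() for tok in expr.split(" and ") if tok.strip()]
    return []


def applicable_in_container(platforms):
    """A rule conjoined with any non-container platform cannot apply in a container."""
    return not any(p in NON_CONTAINER_PLATFORMS for p in platforms)


def scenario_disposition(rule_yml_text, exists=os.path.exists):
    """Return "skip" or "run" from applicability alone, before any setup script.

    This is the check the issue asks for: it runs before environment
    preparation, so a non-applicable rule never reaches a failing setup script.
    """
    if in_container(exists) and not applicable_in_container(rule_platforms(rule_yml_text)):
        return "skip"
    return "run"


if __name__ == "__main__":
    # On a real host this reports whether the sample rule would be tested here.
    print("platforms:", rule_platforms(SAMPLE_RULE_YML))
    print("disposition on this host:", scenario_disposition(SAMPLE_RULE_YML))
```

The per-scenario `exit 0` guard from the issue is the workaround applied inside each test script; the check above is the suite-level equivalent, evaluated once per rule from its metadata so that no setup script needs to know about containers at all.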
mpurg changed the title from "SSG test suite fails when rules marked with 'platform: machine' are run in container environment" to "Automatus tests fail when rules marked with 'platform: machine' are run in a container environment" on Dec 11, 2024
SCAP Security Guide Version: master branch (a11711d)

Operating System Version:
Steps to Reproduce:

1. `platform: machine` to rule `all_apparmor_profiles_in_enforce_complain_mode`
2. Build the product, the test-suite container image, and run the rule test in the container:

```bash
./build_product ubuntu2204
podman build --build-arg "CLIENT_PUBLIC_KEY=$(cat ~/.ssh/id_rsa.pub)" -t ssg_test_suite -f Dockerfiles/test_suite-ubuntu2204
tests/test_rule_in_container.sh --no-make-applicable-in-containers --dontclean --logdir logs_bash --remediate-using bash --name ssg_test_suite --datastream build/ssg-ubuntu2204-ds.xml all_apparmor_profiles_in_enforce_complain_mode
```
Actual Results: See error above
Expected Results:
The expected result is that the tests pass when inside a container because the rule should not be evaluated.
Additional Information/Debugging Steps:
Possible solutions that come to mind: