
Issue#848: Test automation script for security and monitoring - control plane

Signed-off-by: tamilarasansubrama1 <tamilarasan_subrama1@dellteam.com>
tamilarasansubrama1 3 years ago
parent
commit
d772d9778d

+ 9 - 0
control_plane/input_params/security_vars.yml

@@ -50,3 +50,12 @@ session_timeout: 180
 # If this variable is left blank, authentication failure alerts will be disabled.
 # Required value
 alert_email_address: ""
+
+# This variable mentions the users to whom the access will be provided
+# format of user shall be username@ip or username 
+# Ex1- root@1.2.3.4 Ex2- root Ex3- root@1.2.3.4 root (if multiple user, provide space seperated values) by default empty
+user: ''
+
+# This variable provides the type of access
+# Accepted values 'Allow' or 'Deny' by default 'Allow'
+allow_deny: 'Allow'
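Review bot: The comment above `user` describes the input format but not what writing these names to `AllowUsers` does to every other account: once an AllowUsers line exists, sshd refuses every login not listed, including the account Ansible itself connects with, so a list that omits the management user locks the control plane out after the handler restart. I would add that caveat to the comment, for example `# NOTE: with allow_deny 'Allow', sshd rejects SSH logins for every account not listed here - include the account used to run Omnia.` The format line reads "seperated" (should be "separated"), and since the validation in fetch_security_inputs.yml only accepts a dotted-decimal IPv4 address after the `@`, the comment should say so rather than the looser "username@ip".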

+ 23 - 0
control_plane/roles/control_plane_common/tasks/fetch_security_inputs.yml

@@ -159,3 +159,26 @@
     msg: "{{ alert_email_warning_msg }}"
   tags: security
   when: alert_email_address | length < 1
+
+- name: Prepare user list
+  set_fact:
+      user_list: "{{ lookup('vars', 'user').split()| unique | select| list }}"
+  when: user | length > 1
+
+- name: validate user
+  assert:
+    that:
+      - item is regex("^(?!-)[a-zA-Z]+[0-9-]*[@]((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$") or
+        item is regex("(?!-)[a-zA-Z]+[0-9-]*$")
+    success_msg: "{{ user_success_msg }}"
+    fail_msg: "{{ user_fail_msg }}"
+  with_items: "{{ user_list }}"
+  when:
+    - user | length > 1
+
+- name: Validate allow_deny
+  assert:
+    that:
+      - allow_deny == 'Allow' or allow_deny == 'Deny'
+    success_msg: "{{ allow_deny_success_msg }}"
+    fail_msg: "{{ allow_deny_fail_msg }}"
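Review bot: The second pattern on the `validate user` assert has no `^` anchor, and `is regex` searches rather than matches, so any token that merely ends in a run of letters and digits is accepted; `item is regex("^(?!-)[a-zA-Z]+[0-9-]*$")` closes that. The `when: user | length > 1` guards on `Prepare user list` and `validate user` also skip a one-character username entirely (configure_sshd.yml uses the same guard, so such a value is silently neither validated nor applied); `user | length > 0` is what "by default empty" in security_vars.yml implies. Validation runs on the whitespace-split `user_list`, but configure_sshd.yml writes the raw `{{ user }}` string, so anything other than single spaces between names passes through unchecked into sshd_config; either write `user_list | join(' ')` there or assert here that `user.split() | join(' ') == user`. The `lookup('vars', 'user')` on the set_fact can simply be `user.split()`, and that line is indented 6 spaces where the rest of the file uses 4.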

+ 71 - 0
control_plane/roles/control_plane_security/tasks/configure_sshd.yml

@@ -0,0 +1,71 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Check if AllowUsers entry exixts
+  shell: cat "{{ sshd_conf_file }}"
+  register: file_content
+  changed_when: false
+
+- name: Check if user is specified
+  debug:
+    msg: "Users not specified"
+  when: user | length < 1
+
+- name: Configure sshd_config
+  block:
+    - name: Configure sshd_config file when AllowUsers entry not exists
+      lineinfile:
+        path: "{{ sshd_conf_file }}"
+        line: 'AllowUsers {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Allow'
+        - file_content.stdout.find('AllowUsers') == -1
+
+    - name: Configure sshd_config file when DenyUsers entry not exists
+      lineinfile:
+        path: "{{ sshd_conf_file }}"
+        line: 'DenyUsers {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Deny'
+        - file_content.stdout.find('DenyUsers') == -1
+
+    - name: Configure sshd_config file when AllowUsers entry exists
+      replace:
+        path: "{{ sshd_conf_file }}"
+        regexp: '^(AllowUsers)(.*)'
+        replace: '\1\2 {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Allow'
+        - file_content.stdout.find('AllowUsers') != -1
+
+    - name: Configure sshd_config file when DenyUsers entry exists
+      replace:
+        path: "{{ sshd_conf_file }}"
+        regexp: '^(DenyUsers)(.*)'
+        replace: '\1\2 {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Deny'
+        - file_content.stdout.find('DenyUsers') != -1
+
+  when:
+    - user | length > 1
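Review bot: None of the four `lineinfile`/`replace` tasks validates the edited file before `Restart sshd` fires, so a malformed `AllowUsers`/`DenyUsers` line takes sshd down and locks out the control plane; add `validate: '/usr/sbin/sshd -t -f %s'` to each of them. The presence test `file_content.stdout.find('AllowUsers') == -1` counts a commented `#AllowUsers` line (present in many stock sshd_config files) as existing, but the `replace` regexp `^(AllowUsers)(.*)` does not match that commented line, so in that case nothing is written and no task reports the gap; test for `^AllowUsers` at line start instead, and read the file with `slurp` rather than `shell: cat`. The `replace` form `'\1\2 {{ user }}'` also appends on every run, so a second play produces duplicated names on the line; append only names not already present, or rewrite the whole line from the validated `user_list`. `sshd_conf_file` and the `Restart sshd` handler are defined outside this hunk, and `exixts` in the first task name should read `exists`.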

+ 3 - 0
control_plane/roles/control_plane_security/tasks/main.yml

@@ -53,6 +53,9 @@
     - name: Alert configuration
       include_tasks: configure_alerting.yml
       when: alert_email_address | length > 1
+
+    - name: Configure ssh access to login node
+      include_tasks: configure_sshd.yml
      
     - name: Session timeout configuration
       include_tasks: session_timeout.yml

+ 174 - 0
control_plane/test/test_acct.yml

@@ -0,0 +1,174 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+- name: OMNIA_1.2_MS_TC_001
+  hosts: localhost
+  connection: local
+  vars_files:
+    - ../input_params/base_vars.yml
+    - test_vars/test_acct_vars.yml
+
+  gather_subset:
+    - 'min'
+  tags: VERIFY_OMNIA_02
+
+  tasks:
+    - name: Check OS Version
+      assert:
+        that:
+          - 'ansible_distribution == "{{ os_name_leap }}"'
+        success_msg: "{{ check_os_success_msg }}"
+        fail_msg: "{{ check_os_fail_msg }}"
+      tags: Check_OS
+
+# OMNIA_1.2_acct_TC_001
+# Test case to Verify the enable acct service
+
+    - name: Enable the acct service
+      shell: systemctl enable --now acct
+      register: acct_enable
+      when:
+        - 'ansible_distribution == "{{ os_name_leap }}"'
+
+    - name: Verify acct service whether enabled or not
+      assert:
+        that:
+          - acct_enable.stderr | regex_search( "{{ acct_enabled }}")
+        success_msg: "{{ acct_enable_success_msg }}"
+        fail_msg: "{{ acct_disable_fail_msg }}"
+
+# OMNIA_1.2_acct_TC_002
+# Test case to Check and Start acct Service
+
+    - name: Check the acct service status
+      shell: systemctl status acct.service
+      register: acct_status
+      when:
+        - 'ansible_distribution == "{{ os_name_leap }}"'
+
+    - name: Verify acct service is started or not
+      assert:
+        that:
+          - acct_status.stdout | regex_search( "{{ acct_active }}")
+        success_msg: "{{ acct_service_success_msg }}"
+        fail_msg: "{{ acct_service_fail_msg }}"
+
+# OMNIA_1.2_acct_TC_003
+# Test case to Verify the Package Installation
+
+    - name: Check the acct Package Installation
+      shell: rpm -qa | grep -i acct
+      register: acct_package
+      when:
+        - 'ansible_distribution == "{{ os_name_leap }}"'
+
+    - name: Verify acct Package whether installed or not
+      assert:
+        that:
+          - acct_package.stdout | regex_search( "acct-6.6.4-2.25.x86_64")
+        success_msg: "{{ acct_package_success_msg }}"
+        fail_msg: "{{ acct_package_fail_msg }}"
+
+# OMNIA_1.2_acct_TC_004
+# Test case to Verify the disable acct service
+
+    - name: Disable the acct service
+      shell: systemctl disable acct.service
+      register: acct_disable
+      when:
+        - 'ansible_distribution == "{{ os_name_leap }}"'
+
+    - name: Enable the acct service
+      shell: systemctl enable --now acct
+      register: acct_enable
+      when:
+        - 'ansible_distribution == "{{ os_name_leap }}"'
+
+    - name: Verify acct service whether disabled or not
+      assert:
+        that:
+          - acct_disable.stderr | regex_search( "{{ acct_disabled }}")
+        success_msg: "{{ acct_disable_success_msg }}"
+        fail_msg: "{{ acct_disable_fail_msg }}"
+
+
+# OMNIA_1.2_acct_TC_005
+# Test case to Verify ac and sa version
+
+    - name: Check the ac version
+      shell: ac -V
+      register: ac_version
+      when:
+        - 'ansible_distribution == "{{ os_name_leap }}"'
+
+    - name: Check the as version
+      shell: sa -V
+      register: sa_version
+      when:
+        - 'ansible_distribution == "{{ os_name_leap }}"'
+
+    - name: Verify ac version
+      assert:
+        that:
+          - ac_version.stdout | regex_search( "{{ acct_ac_version }}")
+        success_msg: "{{ acct_ac_version_success_msg }}"
+        fail_msg: "{{ acct_ac_version_fail_msg }}"
+
+    - name: Verify sa version
+      assert:
+        that:
+          - sa_version.stdout | regex_search( "{{ acct_sa_version }}")
+        success_msg: "{{ acct_sa_version_success_msg }}"
+        fail_msg: "{{ acct_sa_version_fail_msg }}"
+
+# OMNIA_1.2_acct_TC_006
+# Test case to Check Package details of ac and sa utility
+
+    - name: find the complete path of ac
+      shell: which ac
+      register: ac_path
+      when:
+        - 'ansible_distribution == "{{ os_name_leap }}"'
+
+    - name: check the package details of ac utility
+      shell: rpm -qf {{ ac_path.stdout }}
+      register: ac_utility
+      when:
+        - 'ansible_distribution == "{{ os_name_leap }}"'
+
+    - name: Verify package details of ac utility
+      assert:
+        that:
+          - ac_utility.stdout | regex_search( "{{ acct_ac_sa_utility }}")
+        success_msg: "{{ acct_ac_utility_success_msg }}"
+        fail_msg: "{{ acct_ac_utility_fail_msg }}"
+
+    - name: find the complete path of sa
+      shell: which sa
+      register: sa_path
+      when:
+        - 'ansible_distribution == "{{ os_name_leap }}"'
+
+    - name: check the package details of sa utility
+      shell: rpm -qf {{ sa_path.stdout }}
+      register: sa_utility
+      when:
+        - 'ansible_distribution == "{{ os_name_leap }}"'
+
+    - name: Verify package details of sa utility
+      assert:
+        that:
+          - sa_utility.stdout | regex_search( "{{ acct_ac_sa_utility }}")
+        success_msg: "{{ acct_sa_utility_success_msg }}"
+        fail_msg: "{{ acct_sa_utility_fail_msg }}"
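Review bot: The `Verify acct Package whether installed or not` assert hard-codes `acct-6.6.4-2.25.x86_64` while every other expected string in this play comes from `test_vars/test_acct_vars.yml`, so the test will fail on the next package update rather than on a real regression; move the expected version into that vars file (named like the existing `acct_*` variables) and use `regex_search("{{ <var> }}")` like the surrounding asserts. The `when: ansible_distribution == ...` guards on every shell task are redundant once `Check OS Version` has asserted the distribution, and the assert tasks that read the registered results carry no guard at all, so the guards buy nothing. The shell tasks that only read state (`systemctl status`, `rpm -qa`, `ac -V`, `sa -V`, `which`) should carry `changed_when: false`, and `Enable the acct service` appears twice with the same name and register, which makes the play output ambiguous.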

+ 229 - 2
control_plane/test/test_control_plane_validation.yml

@@ -1,4 +1,4 @@
-#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -268,4 +268,231 @@
         that:
           - cluster_ip_conn.status == 200
         success_msg: "{{ svc_conn_success_msg }} : {{ cluster_ip_info.stdout[1:-1] }}"
-        fail_msg: "{{ svc_conn_fail_msg }} : {{ cluster_ip_info.stdout[1:-1] }}"
+        fail_msg: "{{ svc_conn_fail_msg }} : {{ cluster_ip_info.stdout[1:-1] }}"
+
+# OMNIA_1.2_Grafana_TC_001
+# Validate Grafana k8s Loki pod and namespaces is running or not
+
+    - name: Get Pod info for Grafana k8s Loki
+      shell: |
+         crictl ps -o json | jq '.containers[] | select(.labels."io.kubernetes.pod.namespace" == "grafana") | "\(.id) \(.metadata.name) \(.state)"'
+      register: grafana_config_pod_info
+
+    - name: Get Pod Status for Grafana k8s Loki
+      assert:
+        that:
+          - grafana_config_pod_info.stdout_lines[{{ item }}] | regex_search( "{{ container_info }}")
+        success_msg: "{{ grafana_pod_success_msg }}"
+        fail_msg: "{{ grafana_pod_fail_msg }}"
+      ignore_errors: yes
+      with_sequence: start=0 end={{ grafana_config_pod_info.stdout_lines |length - 1 }}
+
+# OMNIA_1.2_Grafana_TC_002
+# Validate Grafana k8s Loki  pvc , svc and cluster IP
+
+    - name: Get grafana pvc stats
+      shell: |
+          kubectl get pvc -n grafana -o json |jq '.items[] | "\(.status.phase)"'
+      register: grafana_pvc_stats_info
+
+    - name: Verify if grafana pvc stats is running
+      assert:
+        that:
+          - "'Bound' in grafana_pvc_stats_info.stdout"
+        fail_msg: "{{ grafana_pvc_stat_fail_msg }}"
+        success_msg: "{{ grafana_pvc_stat_success_msg }}"
+      with_sequence: start=0 end={{ grafana_pvc_stats_info.stdout_lines |length|int - 1 }}
+
+    - name: Get grafana svc stats
+      shell: kubectl get svc -n grafana grafana -o json
+      register: grafana_svc_stats_info
+
+    - name: Verify if grafana svc is up and running
+      assert:
+        that:
+          - "'Error from server (NotFound):' not in grafana_svc_stats_info.stdout"
+        success_msg: "{{ grafana_svc_stat_success_msg }}"
+        fail_msg: "{{ grafana_svc_stat_fail_msg }}"
+
+    - name: Get grafana loki svc stats
+      shell: kubectl get svc -n grafana loki -o json
+      register: grafana_loki_svc_stats_info
+
+    - name: Verify if grafana loki svc is up and running
+      assert:
+        that:
+          - "'Error from server (NotFound):' not in grafana_loki_svc_stats_info.stdout"
+        success_msg: "{{ grafana_loki_svc_stat_success_msg }}"
+        fail_msg: "{{ grafana_loki_svc_stat_fail_msg }}"
+
+# OMNIA_1.2_Grafana_TC_003
+# Validate Grafana Loki Host IP connection
+
+    - name: Fetch Grafana Loki Cluster IP from svc
+      shell: |
+          kubectl get svc -n grafana -o json | jq '.items[] | select(.metadata.name == "loki") | "\(.spec.clusterIP)"'
+      register: grafana_loki_cluster_ip_info
+
+    - name: Check if connection to Grafana Loki svc Cluster IP is enabled
+      command: ping -c1 {{ grafana_loki_cluster_ip_info.stdout[1:-1] }}
+      register: validate_grafana_loki
+      changed_when: false
+      failed_when: false
+
+    - name: Verify connection to Grafana Loki svc cluster is working
+      assert:
+        that:
+          - "'ping' in validate_grafana_loki.stdout"
+        success_msg: "{{ grafana_svc_conn_success_msg }} : {{ grafana_loki_cluster_ip_info.stdout[1:-1] }}"
+        fail_msg: "{{ grafana_svc_conn_fail_msg }} : {{ grafana_loki_cluster_ip_info.stdout[1:-1] }}"
+
+    - name: Fetch Grafana Cluster IP from svc
+      shell: |
+        kubectl get svc -n grafana -o json | jq '.items[] | select(.metadata.name == "grafana") | "\(.spec.clusterIP)"'
+      register: grafana_cluster_ip_info
+
+    - name: Ping the grafana to validate connectivity
+      command: ping -c1 {{ grafana_cluster_ip_info.stdout[1:-1] }}
+      register: validate_grafana
+      changed_when: false
+      failed_when: false
+
+    - name: Verify connection to Grafana svc cluster is working
+      assert:
+        that:
+          - "'ping' in validate_grafana.stdout"
+        success_msg: "{{ grafana_svc_conn_success_msg }} : {{ grafana_cluster_ip_info.stdout[1:-1] }}"
+        fail_msg: "{{ grafana_svc_conn_fail_msg }} : {{ grafana_cluster_ip_info.stdout[1:-1] }}"
+
+
+# OMNIA_1.2_Grafana_TC_017
+# Validate Prometheus pod , pvc , svc and cluster IP
+
+    - name: Get monitoring Pod info for Prometheus alertmanager
+      shell: |
+         crictl ps -o json | jq '.containers[] | select(.labels."io.kubernetes.pod.namespace" == "monitoring" and .labels."io.kubernetes.container.name" == "alertmanager") | "\(.id) \(.metadata.name) \(.state)"'
+      register: monitoring_alertmanager_pod_info
+
+    - name: Get monitoring Pod Status for Prometheus alertmanager
+      assert:
+        that:
+          - monitoring_alertmanager_pod_info.stdout_lines | regex_search( "{{ container_info }}")
+        success_msg: "{{ prometheus_alertmanager_pod_success_msg }}"
+        fail_msg: "{{ prometheus_alertmanager_pod_fail_msg }}"
+
+    - name: Get monitoring Pod info for Prometheus node-exporter
+      shell: |
+         crictl ps -o json | jq '.containers[] | select(.labels."io.kubernetes.pod.namespace" == "monitoring" and .labels."io.kubernetes.container.name" == "node-exporter") | "\(.id) \(.metadata.name) \(.state)"'
+      register: monitoring_node_exporter_pod_info
+
+    - name: Get monitoring Pod Status for Prometheus node-exporter
+      assert:
+        that:
+          - monitoring_node_exporter_pod_info.stdout_lines | regex_search( "{{ container_info }}")
+        success_msg: "{{ prometheus_node_exporter_pod_success_msg }}"
+        fail_msg: "{{ prometheus_node_exporter_pod_fail_msg }}"
+
+    - name: Get Prometheus alertmanager svc stats
+      shell: kubectl get svc -n monitoring monitoring-kube-prometheus-alertmanager -o json
+      register: prometheus_alertmanager_svc_stats_info
+
+    - name: Verify if Prometheus alertmanager is up and running
+      assert:
+        that:
+          - "'Error from server (NotFound):' not in prometheus_alertmanager_svc_stats_info.stdout"
+        success_msg: "{{ prometheus_alertmanager_svc_stat_success_msg }}"
+        fail_msg: "{{ prometheus_alertmanager_svc_stat_fail_msg }}"
+
+    - name: Get Prometheus node-exporter svc stats
+      shell: kubectl get svc -n monitoring monitoring-prometheus-node-exporter -o json
+      register: prometheus_node_exporter_svc_stats_info
+
+    - name: Verify if Prometheus node-exporter svc is up and running
+      assert:
+        that:
+          - "'Error from server (NotFound):' not in prometheus_node_exporter_svc_stats_info.stdout"
+        success_msg: "{{ prometheus_node_exporter_svc_stat_success_msg }}"
+        fail_msg: "{{ prometheus_node_exporter_svc_stat_fail_msg }}"
+
+    - name: Get Prometheus monitoring svc stats
+      shell: kubectl get svc -n monitoring {{ item }} -o json
+      changed_when: false
+      ignore_errors: yes
+      register: monitoring_pod_svc_check
+      with_items:
+        - monitoring-prometheus-node-exporter
+        - monitoring-kube-prometheus-alertmanager
+        - monitoring-kube-prometheus-operator
+        - monitoring-kube-state-metrics
+        - monitoring-kube-prometheus-prometheus
+
+# Testcase OMNIA_1.2_AppArmor_TC_001
+# Test case to  Find out if AppArmor is enabled (returns Y if true)
+
+    - name: AppArmor is enabled Validation
+      shell: cat /sys/module/apparmor/parameters/enabled
+      register: apparmor_enabled
+
+    - name: Find out if AppArmor is enabled (returns Y if true)
+      assert:
+        that:
+          - apparmor_enabled.stdout | regex_search( "{{ apparmor_true }}" )
+        success_msg: "{{ apparmor_enabled_success_msg }}"
+        fail_msg: "{{ apparmor_enabled_fail_msg }}"
+
+# Testcase OMNIA_1.2_AppArmor_TC_002
+# Test case to List all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined):
+
+    - name: AppArmor is List all loaded AppArmor profiles status
+      shell: aa-status
+      register: apparmor_status
+
+    - name: Verify the apparmor module shoule be return which all the profiles
+      assert:
+        that:
+          - apparmor_status.stdout | regex_search( "{{ apparmor_module }}" )
+        success_msg: "{{ apparmor_status_success_msg }}"
+        fail_msg: "{{ apparmor_status_fail_msg }}"
+
+# Testcase OMNIA_1.2_AppArmor_TC_003
+# Test case to validate available profiles in /extra-profiles/ path
+
+    - name: AppArmor is available profiles in /extra-profiles/ path
+      shell: ls /usr/share/apparmor/extra-profiles/ | grep 'usr.bin.passwd'
+      register: apparmor_profile
+
+    - name: Verify the usr.bin.passwd profiles in /extra-profiles/ path
+      assert:
+        that:
+          - apparmor_profile.stdout | regex_search( "{{ apparmor_passwd_profile }}" )
+        success_msg: "{{ apparmor_profile_success_msg }}"
+        fail_msg: "{{ apparmor_profile_fail_msg }}"
+
+# Testcase OMNIA_1.2_AppArmor_TC_004
+# Test case to running executables which are currently confined by an AppArmor profile
+
+    - name: AppArmor is running executables which are currently confined by an AppArmor profile
+      shell: ps auxZ | grep -v '^unconfined' | grep 'nscd'
+      register: apparmor_not_unconfined
+
+    - name: Verify the not unconfined AppArmor profiles with nscd
+      assert:
+        that:
+          - apparmor_not_unconfined.stdout | regex_search( "{{ apparmor_nscd }}" )
+        success_msg: "{{ apparmor_not_unconfined_success_msg }}"
+        fail_msg: "{{ apparmor_not_unconfined_fail_msg }}"
+
+# Testcase OMNIA_1.2_AppArmor_TC_005
+# Test case to processes with tcp or udp ports that do not have AppArmor profiles loaded
+
+    - name: A Processes with tcp or udp ports that do not have AppArmor profiles loaded
+      shell: aa-unconfined --paranoid | grep '/usr/sbin/auditd'
+      register: apparmor_unconfined
+
+    - name: Verify the unconfined AppArmor profiles with auditd
+      assert:
+        that:
+          - apparmor_unconfined.stdout | regex_search( "{{ apparmor_auditd }}" )
+        success_msg: "{{ apparmor_unconfined_success_msg }}"
+        fail_msg: "{{ apparmor_unconfined_fail_msg }}"
+
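Review bot: `ignore_errors: yes` on `Get Pod Status for Grafana k8s Loki` (and on `Get Prometheus monitoring svc stats`, whose registered `monitoring_pod_svc_check` is never asserted) means these checks cannot fail the run, so a stopped Loki container or a missing monitoring service goes unreported; drop the `ignore_errors`, iterate with `loop: "{{ grafana_config_pod_info.stdout_lines }}"` and assert `item | regex_search(container_info)`, which also removes the `{{ item }}` nested inside an already-templated `that:` expression and the `end=-1` that `with_sequence` produces when no container is listed. The `with_sequence` loop on `Verify if grafana pvc stats is running` never uses `item` and can be removed. `OMNIA_1.2_AppArmor_TC_005` passes only while `/usr/sbin/auditd` is unconfined; if that is the intended baseline the comment should say so explicitly, because the test will start failing the moment a profile is applied to auditd, which is the opposite of a hardening regression. Write `ignore_errors: true` rather than `yes` to match the `false` literals used elsewhere in this file.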

+ 278 - 0
control_plane/test/test_grafana.yml

@@ -0,0 +1,278 @@
+# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+
+# Testcase OMNIA_1.2_Grafana_TC_005
+# Test case to Validate syslog.log on  grafana loki
+
+- name: OMNIA_1.2_Grafana_TC_005
+  hosts: localhost
+  connection: local
+  tags: TC_005
+  gather_subset:
+    - 'min'
+  vars_files:
+    - ../input_params/base_vars.yml
+    - test_vars/test_grafana_vars.yml
+  tasks:
+    - name: Check login_vars file is encrypted
+      command: cat {{ login_vars_path }}
+      changed_when: false
+      register: config_content
+      no_log: true
+      tags: always
+
+    - name: Validate login file is encypted or not
+      assert:
+        that: "'$ANSIBLE_VAULT;' in config_content.stdout"
+        fail_msg: "{{ login_vars_fail_msg }}"
+        success_msg: "{{ login_vars_success_msg }}"
+
+    - name: Installing jq (JSON Query)
+      package:
+        name: "{{ test_package }}"
+        state: present
+
+    - name: Decrpyt login_vars.yml
+      command: >-
+        ansible-vault decrypt {{ login_vars_path }}
+        --vault-password-file {{ login_vars_vault_path }}
+      changed_when: false
+      when: "'$ANSIBLE_VAULT;' in config_content.stdout"
+      no_log: true
+      tags: always
+
+    - name: Include variable file login_vars.yml
+      include_vars: "{{ login_vars_path }}"
+      no_log: true
+      tags: always
+
+    - name: Get auth string
+      shell: echo -n {{ grafana_username }}_{{ grafana_password }} | sha256sum
+      register: auth_string_output
+      changed_when: false
+      failed_when: false
+      no_log: true
+      tags: always
+
+    - name: Set the grafana username and password
+      set_fact:
+        grafana_username: "{{ grafana_username }}"
+        grafana_password: "{{ grafana_password }}"
+        auth_string: "{{ auth_string_output }}"
+      no_log: true
+      tags: always
+
+    - name: Encypt login file
+      command: >-
+        ansible-vault encrypt {{ login_vars_path }}
+        --vault-password-file {{ login_vars_vault_path }}
+      changed_when: false
+      no_log: true
+      tags: always
+
+    - name: Fetch Grafana Cluster IP
+      shell: |
+          kubectl get svc -n grafana -o json | jq '.items[] | select(.metadata.name == "loki") | "\(.spec.clusterIP)"'
+      register: grafanaloki_ip_info
+
+    - name: Ping the grafana device to validate connectivity
+      command: ping -c1 {{ grafanaloki_ip_info.stdout[1:-1] }}
+      register: validate_grafanaloki
+      changed_when: false
+      failed_when: false
+
+    - name: Validate the Grafana Loki connectivity
+      assert:
+        that:
+          - "'ping' in validate_grafanaloki.stdout"
+        success_msg: "{{ connectivity_success_msg }}"
+        fail_msg: "{{ connectivity_failure_msg }}"
+
+# Testcase OMNIA_1.2_Grafana_TC_005
+# Test case to Validate syslog.log on  grafana loki
+
+    - name: Execute get syslog
+      shell: |
+          curl -G -s  "http://{{ grafanaloki_ip_info.stdout[1:-1] }}:{{ grafana_loki_port }}/loki/api/v1/query" --data-urlencode 'query={job="syslog"}' | jq
+      register: syslog_info
+      when: "'ping' in validate_grafanaloki.stdout"
+
+    - name: Verify if syslog status is success or not
+      assert:
+        that:
+          - syslog_info.stdout.status | regex_search( "{{ success }}" )
+        success_msg: "{{ syslog_success_msg }}"
+        fail_msg: "{{ syslog_fail_msg }}"
+
+# Testcase OMNIA_1.2_Grafana_TC_006
+# Test case to Validate Grafana omnia.log
+
+    - name: Execute get job is omnia
+      shell: |
+          curl -G -s  "http://{{ grafanaloki_ip_info.stdout[1:-1] }}:{{ grafana_loki_port }}/loki/api/v1/query" --data-urlencode 'query={job="Omnia"}' | jq
+      register: omnia_info
+      when: "'ping' in validate_grafanaloki.stdout"
+
+    - name: Verify if omnia log status is success or not
+      assert:
+        that:
+          - omnia_info.stdout.status | regex_search( "{{ success }}" )
+        success_msg: "{{ omnia_success_msg }}"
+        fail_msg: "{{ omnia_fail_msg }}"
+
+# Testcase OMNIA_1.2_Grafana_TC_007(-)
+# Test case to Validate Rocky OS package log
+
+    - name: Execute get job is Package Rocky
+      shell: |
+          curl -G -s  "http://{{ grafanaloki_ip_info.stdout[1:-1] }}:{{ grafana_loki_port }}/loki/api/v1/query" --data-urlencode 'query={job="Package Rocky.log"}' | jq
+      register: package_rocky_info
+      when: "'ping' in validate_grafanaloki.stdout"
+
+    - name: Verify if Package Rocky log status is success or not
+      assert:
+        that:
+          - package_rocky_info.stdout.status | regex_search( "{{ success }}" )
+          - package_rocky_info.stdout.data.result != None
+        success_msg: "{{ package_rocky_success_msg }}"
+        fail_msg: "{{ package_rocky_fail_msg }}"
+
+# Testcase OMNIA_1.2_Grafana_TC_007
+# Test case to Validate Rocky OS package log
+
+    - name: Execute get job is Package Rocky
+      shell: |
+          curl -G -s  "http://{{ grafanaloki_ip_info.stdout[1:-1] }}:{{ grafana_loki_port }}/loki/api/v1/query" --data-urlencode 'query={job="Package Rocky"}' | jq
+      register: package_rocky_info
+      when: "'ping' in validate_grafanaloki.stdout"
+
+    - name: Verify if Package Rocky log status is success or not
+      assert:
+        that:
+          - package_rocky_info.stdout.status | regex_search( "{{ success }}" )
+        success_msg: "{{ package_rocky_success_msg }}"
+        fail_msg: "{{ package_rocky_fail_msg }}"
+
+# Testcase OMNIA_1.2_Grafana_TC_008
+# Test case to Validate K8s pods log
+
+    - name: Execute get job is K8s pods
+      shell: |
+          curl -G -s  "http://{{ grafanaloki_ip_info.stdout[1:-1] }}:{{ grafana_loki_port }}/loki/api/v1/query" --data-urlencode 'query={job="K8s pods"}' | jq
+      register: k8s_pods_info
+      when: "'ping' in validate_grafanaloki.stdout"
+
+    - name: Verify if k8s pods log status is success or not
+      assert:
+        that:
+          - k8s_pods_info.stdout.status | regex_search( "{{ success }}" )
+        success_msg: "{{ k8s_pods_success_msg }}"
+        fail_msg: "{{ k8s_pods_fail_msg }}"
+
+# Testcase OMNIA_1.2_Grafana_TC_009
+# Test case to Validate cron log
+
+    - name: Execute get job is cron logs
+      shell: |
+          curl -G -s  "http://{{ grafanaloki_ip_info.stdout[1:-1] }}:{{ grafana_loki_port }}/loki/api/v1/query" --data-urlencode 'query={job="cron"}' | jq
+      register: cron_info
+      when: "'ping' in validate_grafanaloki.stdout"
+
+    - name: Verify if cron log status is success or not
+      assert:
+        that:
+          - cron_info.stdout.status | regex_search( "{{ success }}" )
+        success_msg: "{{ cron_success_msg }}"
+        fail_msg: "{{ cron_fail_msg }}"
+
+# Testcase OMNIA_1.2_Grafana_TC_010
+# Test case to Validate Vars log
+
+    - name: Execute get job is var logs
+      shell: |
+          curl -G -s  "http://{{ grafanaloki_ip_info.stdout[1:-1] }}:{{ grafana_loki_port }}/loki/api/v1/query" --data-urlencode 'query={job="varlogs"}' | jq
+      register: varlogs_info
+      when: "'ping' in validate_grafanaloki.stdout"
+
+    - name: Verify if var log status is success or not
+      assert:
+        that:
+          - varlogs_info.stdout.status | regex_search( "{{ success }}" )
+        success_msg: "{{ varlogs_success_msg }}"
+        fail_msg: "{{ varlogs_fail_msg }}"
+
+# Testcase OMNIA_1.2_Grafana_TC_011
+# Test case to Validate Secure log
+
+    - name: Execute get job is secure logs
+      shell: |
+          curl -G -s  "http://{{ grafanaloki_ip_info.stdout[1:-1] }}:{{ grafana_loki_port }}/loki/api/v1/query" --data-urlencode 'query={job="secure"}' | jq
+      register: secure_info
+      when: "'ping' in validate_grafanaloki.stdout"
+
+    - name: Verify if secure log status is success or not
+      assert:
+        that:
+          - secure_info.stdout.status | regex_search( "{{ success }}" )
+        success_msg: "{{ secure_success_msg }}"
+        fail_msg: "{{ secure_fail_msg }}"
+
+# Testcase OMNIA_1.2_Grafana_TC_012
+# Test case to Validate audit log
+
+    - name: Execute get job is audit logs
+      shell: |
+          curl -G -s  "http://{{ grafanaloki_ip_info.stdout[1:-1] }}:{{ grafana_loki_port }}/loki/api/v1/query" --data-urlencode 'query={job="audit"}' | jq
+      register: audit_info
+      when: "'ping' in validate_grafanaloki.stdout"
+
+    - name: Verify if audit log status is success or not
+      assert:
+        that:
+          - audit_info.stdout.status | regex_search( "{{ success }}" )
+        success_msg: "{{ audit_success_msg }}"
+        fail_msg: "{{ audit_fail_msg }}"
+
+# Testcase OMNIA_1.2_Grafana_TC_013
+# Test case to Validate sssd log
+
+    - name: Execute get job is sssd logs
+      shell: |
+          curl -G -s  "http://{{ grafanaloki_ip_info.stdout[1:-1] }}:{{ grafana_loki_port }}/loki/api/v1/query" --data-urlencode 'query={job="sssd"}' | jq
+      register: sssd_info
+      when: "'ping' in validate_grafanaloki.stdout"
+
+    - name: Verify if sssd log status is success or not
+      assert:
+        that:
+          - sssd_info.stdout.status | regex_search( "{{ success }}" )
+        success_msg: "{{ sssd_success_msg }}"
+        fail_msg: "{{ sssd_fail_msg }}"
+
+# Testcase OMNIA_1.2_Grafana_TC_014
+# Test case to Validate Grafana - /var/log/omnia.log
+
+    - name: Execute get job is Grafana - /var/log/omnia.log logs
+      shell: |
+          curl -G -s  "http://{{ grafanaloki_ip_info.stdout[1:-1] }}:{{ grafana_loki_port }}/loki/api/v1/query" --data-urlencode 'query={job="varlogs",filename="/var/log/omnia.log"}' | jq
+      register: varlog_omnia_info
+      when: "'ping' in validate_grafanaloki.stdout"
+
+    - name: Verify if varlog for file omnio.log status is success or not
+      assert:
+        that:
+          - varlog_omnia_info.stdout.status | regex_search( "{{ success }}" )
+        success_msg: "{{ varlog_omnia_success_msg }}"
+        fail_msg: "{{ varlog_omnia_fail_msg }}"
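Review bot: `Decrpyt login_vars.yml` and `Encypt login file` are separate tasks with the sensitive reads in between, so any failure of `Get auth string`, `Include variable file login_vars.yml` or the `set_fact` leaves `login_vars.yml` decrypted on disk; put the decrypt, include and use in a `block:` with the encrypt in its `always:`, or load the vaulted file directly through `include_vars` with the vault password supplied to ansible-playbook so the file is never rewritten. `auth_string: "{{ auth_string_output }}"` stores the whole registered result, whose `cmd` field holds the `echo -n ..._<password> | sha256sum` command line in clear text, and the password is also passed unquoted on that shell line; use `auth_string: "{{ (grafana_username ~ '_' ~ grafana_password) | hash('sha256') }}"` so no subprocess sees the secret, and drop the no-op `grafana_username: "{{ grafana_username }}"` / `grafana_password` lines. The asserts from TC_005 onward read `<register>.stdout.status`, but `stdout` is the text returned by `curl | jq`, not a mapping, so each `that:` line needs the form `(syslog_info.stdout | from_json).status | regex_search(success)` (the `{{ success }}` inside `that:` is already a Jinja context, and `!= None` on TC_007(-) should be `is not none`). The two `Execute get job is Package Rocky` tasks share a name and the `package_rocky_info` register, so the play output cannot tell them apart.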

+ 175 - 0
control_plane/test/test_psacct.yml

@@ -0,0 +1,175 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+- name: OMNIA_1.2_MS_TC_001
+  hosts: localhost
+  connection: local
+  gather_facts: true
+  vars_files:
+    - ../input_params/base_vars.yml
+    - test_vars/test_psacct_vars.yml
+
+  gather_subset:
+    - 'min'
+  tags: VERIFY_OMNIA_02
+
+  tasks:
+    - name: Check OS Version
+      assert:
+        that:
+          - 'ansible_distribution == "{{ os_name_rocky }}"'
+        success_msg: "{{ check_os_success_msg }}"
+        fail_msg: "{{ check_os_fail_msg }}"
+      tags: Check_OS
+
+# OMNIA_1.2_psacct_TC_001
+# Test case to Verify the enable psacct service
+
+    - name: Enable the psacct service
+        shell: systemctl enable --now psacct
+      register: psacct_enable
+      when:
+        - 'ansible_distribution == "{{ os_name_rocky }}"'
+
+    - name: Verify psacct service whether enabled or not
+      assert:
+        that:
+          - psacct_enable.stderr | regex_search( "{{ psacct_enabled }}")
+        success_msg: "{{ psacct_enable_success_msg }}"
+        fail_msg: "{{ psacct_disable_fail_msg }}"
+
+# OMNIA_1.2_psacct_TC_002
+# Test case to Check and Start psacct Service
+
+    - name: Check the psacct service status
+      shell: systemctl status psacct.service
+      register: psacct_status
+      when:
+        - 'ansible_distribution == "{{ os_name_rocky }}"'
+
+    - name: Verify psacct service is started or not
+      assert:
+        that:
+          - psacct_status.stdout | regex_search( "{{ psacct_active }}")
+        success_msg: "{{ psacct_service_success_msg }}"
+        fail_msg: "{{ psacct_service_fail_msg }}"
+
+# OMNIA_1.2_psacct_TC_003
+# Test case to Verify the Package Installation
+
+    - name: Check the psacct Package Installation
+      shell: rpm -qa | grep -i psacct
+      register: psacct_package
+      when:
+        - 'ansible_distribution == "{{ os_name_rocky }}"'
+
+    - name: Verify psacct Package whether installed or not
+      assert:
+        that:
+          - psacct_package.stdout | regex_search( "psacct-6.6.3-4.el8.x86_64")
+        success_msg: "{{ psacct_package_success_msg }}"
+        fail_msg: "{{ psacct_package_fail_msg }}"
+
+# OMNIA_1.2_psacct_TC_004
+# Test case to Verify the disable psacct service
+
+    - name: Disable the psacct service
+      shell: systemctl disable psacct.service
+      register: psacct_disable
+      when:
+        - 'ansible_distribution == "{{ os_name_rocky }}"'
+
+    - name: Enable the psacct service
+      shell: systemctl enable --now psacct
+      register: psacct_enable
+      when:
+        - 'ansible_distribution == "{{ os_name_rocky }}"'
+
+    - name: Verify psacct service whether disabled or not
+      assert:
+        that:
+          - psacct_disable.stderr | regex_search( "{{ psacct_disabled }}")
+        success_msg: "{{ psacct_disable_success_msg }}"
+        fail_msg: "{{ psacct_disable_fail_msg }}"
+
+
+# OMNIA_1.2_psacct_TC_005
+# Test case to Verify ac and sa version
+
+    - name: Check the ac version
+      shell: ac -V
+      register: ac_version
+      when:
+        - 'ansible_distribution == "{{ os_name_rocky }}"'
+
+    - name: Check the as version
+      shell: sa -V
+      register: sa_version
+      when:
+        - 'ansible_distribution == "{{ os_name_rocky }}"'
+
+    - name: Verify ac version
+      assert:
+        that:
+          - ac_version.stdout | regex_search( "{{ psacct_ac_version }}")
+        success_msg: "{{ psacct_ac_version_success_msg }}"
+        fail_msg: "{{ psacct_ac_version_fail_msg }}"
+
+    - name: Verify sa version
+      assert:
+        that:
+          - sa_version.stdout | regex_search( "{{ psacct_sa_version }}")
+        success_msg: "{{ psacct_sa_version_success_msg }}"
+        fail_msg: "{{ psacct_sa_version_fail_msg }}"
+
+# OMNIA_1.2_psacct_TC_006
+# Test case to Check Package details of ac and sa utility
+
+    - name: find the complete path of ac
+      shell: which ac
+      register: ac_path
+      when:
+        - 'ansible_distribution == "{{ os_name_rocky }}"'
+
+    - name: check the package details of ac utility
+      shell: rpm -qf {{ ac_path.stdout }}
+      register: ac_utility
+      when:
+        - 'ansible_distribution == "{{ os_name_rocky }}"'
+
+    - name: Verify package details of ac utility
+      assert:
+        that:
+          - ac_utility.stdout | regex_search( "{{ psacct_ac_sa_utility }}")
+        success_msg: "{{ psacct_ac_utility_success_msg }}"
+        fail_msg: "{{ psacct_ac_utility_fail_msg }}"
+
+    - name: find the complete path of sa
+      shell: which sa
+      register: sa_path
+      when:
+        - 'ansible_distribution == "{{ os_name_rocky }}"'
+
+    - name: check the package details of sa utility
+      shell: rpm -qf {{ sa_path.stdout }}
+      register: sa_utility
+      when:
+        - 'ansible_distribution == "{{ os_name_rocky }}"'
+
+    - name: Verify package details of sa utility
+      assert:
+        that:
+          - sa_utility.stdout | regex_search( "{{ psacct_ac_sa_utility }}")
+        success_msg: "{{ psacct_sa_utility_success_msg }}"
+        fail_msg: "{{ psacct_sa_utility_fail_msg }}"
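Review bot: The `shell:` key of the first `Enable the psacct service` task (under `# OMNIA_1.2_psacct_TC_001`) is indented two columns deeper than its sibling `register:`/`when:` keys, so the file does not parse as YAML and the whole play fails at load time; it should be `      shell: systemctl enable --now psacct`, aligned with `register`. The TC_003 assert hard-codes `"psacct-6.6.3-4.el8.x86_64"` although test_vars/test_psacct_vars.yml defines the same string as `psacct_ac_sa_utility`; using `regex_search( "{{ psacct_ac_sa_utility }}")` there keeps the pinned build in one place, as TC_006 already does. None of the assert tasks carries a `when`, so on a non-Rocky host they would fail on an undefined `stderr`/`stdout` instead of being skipped like the shell tasks they check — harmless only because the `Check OS Version` assert aborts the play first, which is worth a comment above the first assert.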

+ 121 - 0
control_plane/test/test_snoopy.yml

@@ -0,0 +1,121 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+- name: OMNIA_1.2_MS_TC_001
+  hosts: localhost
+  connection: local
+  vars_files:
+    - ../input_params/base_vars.yml
+    - test_vars/test_snoopy_vars.yml
+
+  gather_subset:
+    - 'min'
+  tags: VERIFY_OMNIA_02
+
+  tasks:
+    - name: Check OS Version
+      assert:
+        that:
+          - 'ansible_distribution == "{{ os_name_rocky }}"'
+        success_msg: "{{ check_os_success_msg }}"
+        fail_msg: "{{ check_os_fail_msg }}"
+      tags: Check_OS
+
+# OMNIA_1.2_snoopy_TC_001
+# Test case to Validate /var/log is available or not
+
+    - name: Find /var/log all directories, exclude nginx and mysql
+      find:
+        paths: /var/log
+        recurse: no
+        file_type: directory
+        excludes: 'nginx,mysql'
+      register: islog_available
+
+    - name: Verify log path and related directories available
+      assert:
+        that:
+          - "islog_available.matched > 0 "
+        success_msg: "{{ snoopy_log_path_success_msg }}"
+        fail_msg: "{{ snoopy_log_path_fail_msg }}"
+
+# OMNIA_1.2_snoopy_TC_002
+# Test case to Validate snoopy is enabled in /var/log/secure
+
+    - name: Test case to Validate snoopy is enabled in /var/log/secure
+      shell: cat /var/log/secure | grep snoopy | wc -l
+      register: secure_snoopy
+
+    - name: Verify snoopy is enabled in /var/log/secure
+      assert:
+        that:
+          - "secure_snoopy.stdout != 0"
+        success_msg: "{{ secure_snoopy_enable_success_msg }}"
+        fail_msg: "{{ secure_snoopy_enable_fail_msg }}"
+
+# OMNIA_1.2_snoopy_TC_003
+# Test case to Validate snoopy is enabled in /var/log/messages
+
+    - name: Test case to Validate snoopy is enabled in /var/log/messages
+      shell: cat /var/log/messages | grep snoopy | wc -l
+      register: messages_snoopy
+
+    - name: Verify snoopy is enabled in /var/log/messages
+      assert:
+        that:
+          - "messages_snoopy.stdout != 0"
+        success_msg: "{{ messages_snoopy_enable_success_msg }}"
+        fail_msg: "{{ messages_snoopy_enable_fail_msg }}"
+
+# OMNIA_1.2_snoopy_TC_004
+# Test case to validate snoopy is disabled in MS
+
+    - name: Disable the snoopy in log files
+      shell: snoopy-disable
+      register: snoopy_disable
+
+    - name: Verify snoopy is disabled or not
+      assert:
+        that:
+          - snoopy_disable.stdout | regex_search( "{{ Disabled }}")
+        success_msg: "{{ snoopy_disabled_success_msg }}"
+        fail_msg: "{{ snoopy_disabled_fail_msg }}"
+
+# OMNIA_1.2_snoopy_TC_005
+# Test case to Validate snoopy is disabled in /var/log/secure
+
+    - name: Test case to Validate snoopy is enabled in /var/log/secure
+      shell: cat /var/log/secure | grep snoopy | wc -l
+      register: secure_snoopy_disabled
+
+    - name: Verify snoopy is disabled in /var/log/secure
+      assert:
+        that:
+          - "secure_snoopy_disabled.stdout > secure_snoopy.stdout"
+        success_msg: "{{ secure_snoopy_disabled_success_msg }}"
+        fail_msg: "{{ secure_snoopy_disabled_fail_msg }}"
+
+# OMNIA_1.2_snoopy_TC_006
+# Test case to validate snoopy is enable in MS
+
+    - name: Enabled the snoopy in log files
+      shell: snoopy-enable
+      register: snoopy_enable
+
+    - name: Verify snoopy is Enabled or not
+      assert:
+        that:
+          - snoopy_enable.stdout | regex_search( "{{ Enabled }}")
+        success_msg: "{{ snoopy_enable_success_msg }}"
+        fail_msg: "{{ snoopy_enable_fail_msg }}"
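Review bot: The assertions `secure_snoopy.stdout != 0` and `messages_snoopy.stdout != 0` compare the string output of `wc -l` with the integer 0, so they are always true and never detect a missing snoopy entry; write them as `secure_snoopy.stdout | int > 0` (and likewise for `messages_snoopy`). The TC_005 check `secure_snoopy_disabled.stdout > secure_snoopy.stdout` is a lexical string comparison as well (`"9" > "10"` holds) and needs `| int` on both sides; it is also unclear how a larger count after `snoopy-disable` demonstrates that snoopy is disabled, so the intended condition should be restated in the task name, which currently still says "enabled". `{{ Disabled }}` and `{{ Enabled }}` used by TC_004 and TC_006 are not defined in test_vars/test_snoopy_vars.yml (they exist only in test_acct_vars.yml and test_psacct_vars.yml), so those asserts fail with an undefined variable; add `Disabled: "Disabled"` and `Enabled: "Enabled"` to test_snoopy_vars.yml. `recurse: no` should be the canonical `recurse: false`.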

+ 45 - 0
control_plane/test/test_vars/test_acct_vars.yml

@@ -0,0 +1,45 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+#Usage: test_snoopy.yml
+os_name_leap: leap
+os_version: '8.5'
+check_os_success_msg: "OS and Version are supported"
+check_os_fail_msg: "Unsupported OS or OS version. OS should be {{ os_name_leap }} and Version should be {{ os_version }} or more"
+
+acct_service_success_msg: "acct is service is running"
+acct_service_fail_msg: "acct is service is not running"
+acct_package_success_msg: "acct package is available"
+acct_package_fail_msg: "acct package is not available"
+acct_disable_success_msg: "acct service is disabled"
+acct_disable_fail_msg: "acct service is not disabled"
+acct_enable_success_msg: "acct service is enabled"
+acct_enable_fail_msg: "acct service is not enabled"
+acct_ac_version_success_msg: "acct ac is found"
+acct_ac_version_fail_msg: "acct ac is not found"
+acct_sa_version_success_msg: "acct sa is found"
+acct_sa_version_fail_msg: "acct sa is not found"
+acct_ac_utility_success_msg: "acct ac utility is found"
+acct_ac_utility_fail_msg: "acct ac utility is not found"
+acct_sa_utility_success_msg: "acct sa utility is found"
+acct_sa_utility_fail_msg: "acct sa utility is not found"
+acct_active: "Active: active"
+acct_disabled: "Removed"
+acct_enabled: "Created symlink"
+acct_ac_version: "ac: GNU"
+acct_sa_version: "sa: GNU"
+acct_ac_sa_utility: "acct-6.6.4-2.25.x86_64"
+Disabled: "Disabled"
+Enabled: "Enabled"
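Review bot: The header comment `#Usage: test_snoopy.yml` is copied from the snoopy vars file; this file holds the `acct_*` messages, so the comment should name the play that actually loads it (e.g. `#Usage: test_acct.yml`, if that is the consumer) or be dropped, otherwise a reader is sent to the wrong playbook. `Disabled` and `Enabled` are the only capitalised keys in this and the sibling vars files; `snoopy_disabled`/`snoopy_enabled` would match the `lower_snake_case` used everywhere else. `acct_ac_sa_utility: "acct-6.6.4-2.25.x86_64"` pins one exact package build, so the test breaks on the next distro rebuild even though the utilities are still provided by the package; a prefix such as `"acct-"` would still prove which package owns `ac`/`sa`.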

+ 52 - 2
control_plane/test/test_vars/test_control_plane_vars.yml

@@ -1,4 +1,4 @@
-#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -17,6 +17,8 @@
 
 port_no: 22
 os_name: CentOS
+os_name_rocky: rocky
+os_name_leap: leap
 os_version: '8.4'
 internet_status: "Failed. No Internet connection. Make sure network is up."
 check_os_success_msg: "OS and Version are supported"
@@ -91,4 +93,52 @@ infiniband_false: "ib_switch_support: false"
 docker_user: "User"
 docker_password: "Password"
 valid_docker_creds: "Credentials are valid"
-invalid_docker_creds: "Please input valid docker username and password in test_control_plane_vars.yml"
+invalid_docker_creds: "Please input valid docker username and password in test_control_plane_vars.yml"
+#Usage: Grafana Test Cases
+grafana_pod_success_msg: "grafana pod is up and running."
+grafana_pod_fail_msg: "grafana pod is not running"
+grafana_pvc_stat_success_msg: "grafana pvc stat is running"
+grafana_pvc_stat_fail_msg: "grafana pvc stat is not running"
+grafana_svc_stat_success_msg: "grafana svc stat is running"
+grafana_svc_stat_fail_msg: "grafana svc stat is not running"
+grafana_loki_svc_stat_success_msg: "grafana loki svc stat is running"
+grafana_loki_svc_stat_fail_msg: "grafana loki svc stat is not running"
+grafana_loki_svc_conn_success_msg: "Connection to grafana loki svc is successful at"
+grafana_loki_svc_conn_fail_msg: "Connection to grafana loki svc failed at: "
+grafana_svc_conn_success_msg: "Connection to grafana svc is successful at"
+grafana_svc_conn_fail_msg: "Connection to grafana svc failed at: "
+prometheus_alertmanager_pod_success_msg: "Prometheus alertmanager Pod is running"
+prometheus_alertmanager_pod_fail_msg: "Prometheus alertmanager Pod is not running"
+prometheus_node_exporter_pod_success_msg: "Prometheus node-exporter Pod is running"
+prometheus_node_exporter_pod_fail_msg: "Prometheus node-exporter Pod is not running"
+prometheus_alertmanager_svc_stat_success_msg: "prometheus alertmanager svc stat is running"
+prometheus_alertmanager_svc_stat_fail_msg: "prometheus alertmanager svc stat is not running"
+prometheus_node_exporter_svc_stat_success_msg: "prometheus node-exporter svc stat is running"
+prometheus_node_exporter_svc_stat_fail_msg: "prometheus node-exporter svc stat is not running"
+monitoring_pod_svc_success_msg: "monitoring pod svc stat is running"
+monitoring_pod_svc_fail_msg: "monitoring pod svc stat is not running"
+grafana_loki_port: 3100
+grafana_port: 5000
+#Usage: AppArmor Test Cases
+apparmor_true: "Y"
+apparmor_enabled_success_msg: "apparmor is enabled"
+apparmor_enabled_fail_msg: "apparmor is not enabled"
+apparmor_module: "apparmor module is loaded."
+apparmor_status_success_msg: "apparmor profiles are loaded."
+apparmor_status_fail_msg: "apparmor profiles are not loaded."
+apparmor_passwd_profile: "usr.bin.passwd"
+apparmor_profile_success_msg: "usr.bin.passwd profiles is available in /extra-profiles/"
+apparmor_profile_fail_msg: "usr.bin.passwd profiles is not available in /extra-profiles/"
+apparmor_nscd: "nscd"
+apparmor_not_unconfined_success_msg: "nscd running executables which are currently confined by an AppArmor profile"
+apparmor_not_unconfined_fail_msg: "nscd profile currently unconfined by an AppArmor profile"
+apparmor_auditd: "/usr/sbin/auditd (/sbin/auditd) not confined"
+apparmor_unconfined_success_msg: "auditd currently unconfined by an AppArmor profile"
+apparmor_unconfined_fail_msg: "(/sbin/auditd) currently not unconfined by an AppArmor profile"
+
+
+
+
+
+
+
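Review bot: The hunk ends with seven blank lines after `apparmor_unconfined_fail_msg`, which yamllint's `empty-lines` rule rejects; end the file with the single newline the previous version had. `grafana_loki_port: 3100` and `grafana_port: 5000` are also added to test_vars/test_grafana_vars.yml in this commit with identical values, so a future port change has to be made twice; keeping them in one vars file that both plays load avoids drift. The `#Usage:` comments need a space after `#` to satisfy yamllint's `comments` rule.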

+ 51 - 0
control_plane/test/test_vars/test_grafana_vars.yml

@@ -0,0 +1,51 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+#Usage in test_grafana.yml
+login_vars_path: "../input_params/login_vars.yml"
+login_vars_vault_path: "../input_params/.login_vault_key"
+base_var_path: "../input_params/base_vars.yml"
+grafana_inventory_name: "test_grafana_inventory"
+
+syslog_success_msg: "syslog is not running"
+syslog_fail_msg: "syslog is running"
+omnia_success_msg: "omnia log is not running"
+omnia_fail_msg: "omnia log is running"
+package_rocky_success_msg: "package rocky log is not running"
+package_rocky_fail_msg: "package rocky log is running"
+k8s_pods_success_msg: "k8s pods logs is not running"
+k8s_pods_fail_msg: "k8s pods logs is running"
+cron_success_msg: "cron logs is not running"
+cron_fail_msg: "cron logs is running"
+varlogs_success_msg: "var logs is not running"
+varlogs_fail_msg: "var logs is running"
+secure_success_msg: "secure logs is not running"
+secure_fail_msg: "secure logs is running"
+audit_success_msg: "audit logs is not running"
+audit_fail_msg: "audit logs is running"
+sssd_success_msg: "sssd logs is not running"
+sssd_fail_msg: "sssd logs is running"
+connectivity_success_msg: "Grafana connection is success"
+connectivity_failure_msg: "Grafana connection is not success"
+varlog_omnia_success_msg: "var omnia logs is not running"
+varlog_omnia_fail_msg: "var omnia logs is running"
+grafana_loki_port: 3100
+grafana_port: 5000
+test_package: 'jq'
+login_vars_fail_msg: "Login vars is not encrypted"
+login_vars_success_msg: "Login vars is encrypted"
+success: "success"
+
+
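Review bot: The success and failure messages for the Loki job checks are inverted: test_grafana.yml reports `audit_success_msg` when the query status matches `success`, yet its value here is `"audit logs is not running"` while `audit_fail_msg` is `"audit logs is running"`; the same swap appears in `syslog_*`, `omnia_*`, `package_rocky_*`, `k8s_pods_*`, `cron_*`, `varlogs_*`, `secure_*`, `sssd_*` and `varlog_omnia_*`, presumably used the same way. Swap each pair (success → "… is running", fail → "… is not running") so a failed assertion reports the actual condition. `grafana_loki_port`/`grafana_port` duplicate the values added to test_control_plane_vars.yml in this commit, and the two trailing blank lines should be removed.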

+ 47 - 0
control_plane/test/test_vars/test_psacct_vars.yml

@@ -0,0 +1,47 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+#Usage: test_snoopy.yml
+os_name_centos: CentOS
+os_name_rocky: rocky
+os_name_leap: leap
+os_version: '8.5'
+check_os_success_msg: "OS and Version are supported"
+check_os_fail_msg: "Unsupported OS or OS version. OS should be {{ os_name_rocky }} and Version should be {{ os_version }} or more"
+
+psacct_service_success_msg: "psacct is service is running"
+psacct_service_fail_msg: "psacct is service is not running"
+psacct_package_success_msg: "psacct package is available"
+psacct_package_fail_msg: "psacct package is not available"
+psacct_disable_success_msg: "psacct service is disabled"
+psacct_disable_fail_msg: "psacct service is not disabled"
+psacct_enable_success_msg: "psacct service is enabled"
+psacct_enable_fail_msg: "psacct service is not enabled"
+psacct_ac_version_success_msg: "psacct ac is found"
+psacct_ac_version_fail_msg: "psacct ac is not found"
+psacct_sa_version_success_msg: "psacct sa is found"
+psacct_sa_version_fail_msg: "psacct sa is not found"
+psacct_ac_utility_success_msg: "psacct ac utility is found"
+psacct_ac_utility_fail_msg: "psacct ac utility is not found"
+psacct_sa_utility_success_msg: "psacct sa utility is found"
+psacct_sa_utility_fail_msg: "psacct sa utility is not found"
+psacct_active: "Active: active"
+psacct_disabled: "Removed"
+psacct_enabled: "Created symlink"
+psacct_ac_version: "ac: GNU"
+psacct_sa_version: "sa: GNU"
+psacct_ac_sa_utility: "psacct-6.6.3-4.el8.x86_64"
+Disabled: "Disabled"
+Enabled: "Enabled"
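Review bot: `#Usage: test_snoopy.yml` is a copy-paste leftover; this file is loaded by test_psacct.yml (its `vars_files` entry `test_vars/test_psacct_vars.yml`), so the comment should read `#Usage: test_psacct.yml`. `os_name_centos` and `os_name_leap` are defined but test_psacct.yml only references `os_name_rocky`, so they appear unused here. `psacct_ac_sa_utility: "psacct-6.6.3-4.el8.x86_64"` pins an exact build; the check fails on the next psacct rebuild even though the utilities are still provided by the package — matching the `psacct-` prefix would be more durable.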

+ 35 - 0
control_plane/test/test_vars/test_snoopy_vars.yml

@@ -0,0 +1,35 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+#Usage: test_snoopy.yml
+os_name_centos: CentOS
+os_name_rocky: rocky
+os_name_leap: leap
+os_version: '8.5'
+check_os_success_msg: "OS and Version are supported"
+check_os_fail_msg: "Unsupported OS or OS version. OS should be {{ os_name_rocky }} and Version should be {{ os_version }} or more"
+
+snoopy_log_path_success_msg: "snoopy log path is available"
+snoopy_log_path_fail_msg: "snoopy log path is not available"
+secure_snoopy_enable_success_msg: "snoopy is enabled in secure log"
+secure_snoopy_enable_fail_msg: "snoopy is not enabled in secure log"
+messages_snoopy_enable_success_msg: "snoopy is enabled in messages log"
+messages_snoopy_enable_fail_msg: "snoopy is not enabled in messages log"
+snoopy_disabled_success_msg: "snoopy is disabled in log"
+snoopy_disabled_fail_msg: "snoopy is not disabled in log"
+secure_snoopy_disabled_success_msg: "snoopy is disabled in secure log"
+secure_snoopy_disabled_fail_msg: "snoopy is not disabled in secure log"
+snoopy_enable_success_msg: "snoopy is enabled in log"
+snoopy_enable_fail_msg: "snoopy is not enabled in log"

+ 9 - 0
omnia_security_config.yml

@@ -40,3 +40,12 @@ session_timeout: 180
 # If this variable is left blank, authentication failure alerts will be disabled.
 # Required value
 alert_email_address: ""
+
+# This variable mentions the users to whom the access will be provided
+# format of user shall be username@ip or username 
+# Ex1- root@1.2.3.4 Ex2- root Ex3- root@1.2.3.4 root (if multiple user, provide space seperated values) by default empty
+user: ''
+
+# This variable provides the type of access
+# Accepted values 'Allow' or 'Deny' by default 'Allow'
+allow_deny: 'Allow'
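Review bot: The comment block for `user` has a trailing space after `username or username`, misspells `seperated`, and does not say what the setting does to everyone else: once an `AllowUsers` directive is written to sshd_config, any account not listed — including the one Ansible itself connects with — is refused SSH login. Suggested wording: `# Users (space separated) written to the sshd AllowUsers/DenyUsers directive on the login node.` / `# Format: username or username@ipv4. With 'Allow', accounts not listed here (including the deployment user) lose SSH access.` / `# Default: empty (no directive is written).` The `allow_deny` comment should also note that the value is case-sensitive, since it is compared to the literals `'Allow'`/`'Deny'`.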

+ 23 - 0
roles/cluster_validation/tasks/fetch_security_inputs.yml

@@ -63,3 +63,26 @@
   debug:
     msg: "{{ alert_email_warning_msg }}"
   when: alert_email_address | length < 1
+
+- name: Prepare user list
+  set_fact:
+      user_list: "{{ lookup('vars', 'user').split()| unique | select| list }}"
+  when: user | length > 1
+
+- name: validate user
+  assert:
+    that:
+      - item is regex("^(?!-)[a-zA-Z]+[0-9-]*[@]((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$") or
+        item is regex("(?!-)[a-zA-Z]+[0-9-]*$")
+    success_msg: "{{ user_success_msg }}"
+    fail_msg: "{{ user_fail_msg }}"
+  with_items: "{{ user_list }}"
+  when:
+    - user | length > 1
+
+- name: Validate allow_deny
+  assert:
+    that:
+      - allow_deny == 'Allow' or allow_deny == 'Deny'
+    success_msg: "{{ allow_deny_success_msg }}"
+    fail_msg: "{{ allow_deny_fail_msg }}"
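Review bot: The second pattern in `validate user`, `(?!-)[a-zA-Z]+[0-9-]*$`, has no leading `^`; Ansible's `regex` test searches rather than matches by default, so any token that merely ends in a letter-and-digit run passes, while the first alternative is fully anchored. Add the anchor so both alternatives cover the whole token: `item is regex("^(?!-)[a-zA-Z]+[0-9-]*$")`. The `when: user | length > 1` guards mean a one-character username is neither validated here nor written by roles/login_node/tasks/configure_sshd.yml, and the pre-existing `alert_email_address | length < 1` check uses the opposite boundary; `user | length > 0` is the consistent condition in both files. configure_sshd.yml also writes the raw `{{ user }}` string rather than the validated `user_list`, so what is checked and what lands in sshd_config can differ; writing `user_list | join(' ')` (via hostvars if the roles run on different hosts) closes that gap. `lookup('vars', 'user').split()` can simply be `user.split()`.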

+ 71 - 0
roles/login_node/tasks/configure_sshd.yml

@@ -0,0 +1,71 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Check if AllowUsers entry exixts
+  shell: cat "{{ sshd_conf_file }}"
+  register: file_content
+  changed_when: false
+
+- name: Check if user is specified
+  debug:
+    msg: "Users not specified"
+  when: user | length < 1
+
+- name: Configure sshd_config
+  block:
+    - name: Configure sshd_config file when AllowUsers entry not exists
+      lineinfile:
+        path: "{{ sshd_conf_file }}"
+        line: 'AllowUsers {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Allow'
+        - file_content.stdout.find('AllowUsers') == -1
+
+    - name: Configure sshd_config file when DenyUsers entry not exists
+      lineinfile:
+        path: "{{ sshd_conf_file }}"
+        line: 'DenyUsers {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Deny'
+        - file_content.stdout.find('DenyUsers') == -1
+
+    - name: Configure sshd_config file when AllowUsers entry exists
+      replace:
+        path: "{{ sshd_conf_file }}"
+        regexp: '^(AllowUsers)(.*)'
+        replace: '\1\2 {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Allow'
+        - file_content.stdout.find('AllowUsers') != -1
+
+    - name: Configure sshd_config file when DenyUsers entry exists
+      replace:
+        path: "{{ sshd_conf_file }}"
+        regexp: '^(DenyUsers)(.*)'
+        replace: '\1\2 {{ user }}'
+      notify:
+        - Restart sshd
+      when:
+        - allow_deny == 'Deny'
+        - file_content.stdout.find('DenyUsers') != -1
+
+  when:
+    - user | length > 1
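Review bot: The two `replace` tasks append `{{ user }}` to an existing `AllowUsers`/`DenyUsers` line with `'\1\2 {{ user }}'` on every run, so each rerun of the role adds the same names again and the directive grows without bound, while the `lineinfile` path has no `regexp` and cannot take over once the line exists. `file_content.stdout.find('AllowUsers') != -1` also matches a commented `#AllowUsers` line, in which case the `replace` regexp `^(AllowUsers)` matches nothing and no directive is written at all. A single `lineinfile` with `regexp: '^AllowUsers\s'` writing the union of the existing users and `user.split()` is idempotent and handles both cases, and `validate: /usr/sbin/sshd -t -f %s` keeps a malformed line from ever being installed before `Restart sshd` runs (adjust the sshd path to the target OS). `shell: cat ...` can be `command: cat ...` or the `slurp` module, and `exixts` in the first task name is a typo. Since `AllowUsers` denies every account not listed, the merged list should include the account Ansible connects as, or the next play loses access to the login node.
```yaml
# … unchanged: read sshd_config into file_content; "Users not specified" debug …

- name: Work out which sshd directive is being managed
  set_fact:
    sshd_directive: "{{ 'AllowUsers' if allow_deny == 'Allow' else 'DenyUsers' }}"
  when: user | length > 0

- name: Merge requested users with any existing entry (idempotent on reruns)
  set_fact:
    sshd_users: "{{ (existing_entry.split()[1:] + user.split()) | unique }}"
  vars:
    existing_entry: "{{ file_content.stdout_lines | select('match', '^' ~ sshd_directive ~ '\\s') | list | first | default('') }}"
  when: user | length > 0

- name: Write the directive, replacing any existing one
  lineinfile:
    path: "{{ sshd_conf_file }}"
    regexp: '^{{ sshd_directive }}\s'
    line: "{{ sshd_directive }} {{ sshd_users | join(' ') }}"
    validate: /usr/sbin/sshd -t -f %s
  notify:
    - Restart sshd
  when: user | length > 0
```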

+ 3 - 0
roles/login_node/tasks/main.yml

@@ -36,6 +36,9 @@
         - name: Alert configuration
           include_tasks: configure_alerting.yml
           when: hostvars['127.0.0.1']['alert_email_address'] | length > 1
+
+        - name: Configure ssh access to login node
+          include_tasks: configure_sshd.yml
         
         - name: Session timeout configuration
           include_tasks: session_timeout.yml
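Review bot: The new `Configure ssh access to login node` include has no `when`, unlike the neighbouring `Alert configuration` include, which checks `hostvars['127.0.0.1']['alert_email_address'] | length > 1` first; configure_sshd.yml reads bare `user` and `allow_deny`, and if those are only loaded on localhost (as the alerting guard suggests) the included tasks hit an undefined variable on the login node. Guarding the include the same way, `when: hostvars['127.0.0.1']['user'] | length > 0`, keeps the two includes consistent and skips the sshd_config read when no users are configured. The enclosing block starts outside the hunk.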