| 1 | [[PageOutline]] |
| 2 | |
| 3 | = Detailed test plan for IG-ADM-2: Rack Administrator Access Test = |
| 4 | |
| 5 | ''This page is GPO's working page for performing IG-ADM-2. It is public for informational purposes, but it is not an official status report. See [wiki:GENIRacksHome/ExogeniRacks/AcceptanceTestStatus] for the current status of ExoGENI acceptance tests.'' |
| 6 | |
| 7 | ''Last substantive edit of this page: 2012-05-08'' |
| 8 | |
| 9 | == Page format == |
| 10 | |
| 11 | * The status chart summarizes the state of this test |
| 12 | * The high-level description from test plan contains text copied exactly from the public test plan and acceptance criteria pages. |
| 13 | * The steps contain things i will actually do/verify: |
| 14 | * Steps may be composed of related substeps where i find this useful for clarity |
| 15 | * Each step is identified as either "(prep)" or "(verify)": |
| 16 | * Prep steps are just things we have to do. They're not tests of the rack, but are prerequisites for subsequent verification steps |
| 17 | * Verify steps are steps in which we will actually look at rack output and make sure it is as expected. They contain a '''Using:''' block, which lists the steps to run the verification, and an '''Expect:''' block which lists what outcome is expected for the test to pass. |
| 18 | |
| 19 | == Status of test == |
| 20 | |
| 21 | Meaning of states: |
| 22 | * [[Color(green,Pass)]]: Step is completed and passed (for a verification step), or is completed (for a prep step) |
| 23 | * [[Color(red,Fail)]]: Step is completed and failed, and is not being revisited |
| 24 | * in progress: We are currently testing or iterating on this step |
| 25 | * [[Color(orange,Blocked)]]: Step is blocked by some other step or activity |
| 26 | |
| 27 | || '''Step''' || '''State''' || '''Date completed''' || '''Tickets''' || '''Comments''' || |
| 28 | || 1A || || || || ready to test || |
| 29 | || 1B || || || || ready to test || |
| 30 | || 1C || [[Color(orange,Blocked)]] || || || blocked on sudo access to boss || |
| 31 | || 2A || || || || ready to test || |
| 32 | || 2B || || || || ready to test || |
| 33 | || 2C || [[Color(orange,Blocked)]] || || || blocked on sudo access to ops || |
| 34 | || 3A || [[Color(orange,Blocked)]] || || || blocked on access to FOAM VM || |
| 35 | || 3B || [[Color(orange,Blocked)]] || || || blocked on 3A || |
| 36 | || 3C || [[Color(orange,Blocked)]] || || || blocked on 3A || |
| 37 | || 4A || [[Color(orange,Blocked)]] || || || blocked on access to infrastructure VM server || |
| 38 | || 4B || [[Color(orange,Blocked)]] || || || blocked on 4A || |
| 39 | || 4C || [[Color(orange,Blocked)]] || || || blocked on 4A || |
| 40 | || 5A || [[Color(orange,Blocked)]] || || || blocked on sudo access to boss; allocation of OpenVZ node || |
| 41 | || 5B || [[Color(orange,Blocked)]] || || || blocked on 5A || |
| 42 | || 5C || [[Color(orange,Blocked)]] || || || blocked on 5A || |
| 43 | || 6A || [[Color(orange,Blocked)]] || || || blocked on access to switches || |
| 44 | || 6B || [[Color(orange,Blocked)]] || || || blocked on 6A || |
| 45 | || 6C || [[Color(orange,Blocked)]] || || || blocked on 6A || |
| 46 | || 6D || [[Color(orange,Blocked)]] || || || blocked on serial access to switches || |
| 47 | || 7A || [[Color(orange,Blocked)]] || || || blocked on access to switches || |
| 48 | || 7B || [[Color(orange,Blocked)]] || || || blocked on 7A || |
| 49 | || 7C || [[Color(orange,Blocked)]] || || || blocked on 7A || |
| 50 | || 7D || [[Color(orange,Blocked)]] || || || blocked on serial access to switches || |
| 51 | || 8 || [[Color(orange,Blocked)]] || || || blocked on access to rack iLO || |
| 52 | |
| 53 | == High-level description from test plan == |
| 54 | |
| 55 | This test verifies local and remote administrative access to rack devices. |
| 56 | |
| 57 | ==== Procedure ==== |
| 58 | |
| 59 | 1. For each type of rack infrastructure node, including the server host itself, the boss VM, the ops VM, the FOAM VM and an experimental host configured for OpenVZ, use a site administrator account to test: |
| 60 | * Login to the node using public-key SSH. |
| 61 | * Verify that you cannot login to the node using password-based SSH, nor via any unencrypted login protocol. |
| 62 | * When logged in, run a command via sudo to verify root privileges. |
| 63 | 2. For each rack infrastructure device (switches, remote PDUs if any), use a site administrator account to test: |
| 64 | * Login via SSH. |
| 65 | * Login via a serial console (if the device has one). |
| 66 | * Verify that you cannot login to the device via an unencrypted login protocol. |
| 67 | * Use the "enable" command or equivalent to verify privileged access. |
| 68 | 3. Test that iLO (the InstaGENI remote console solution for rack hosts) can be used to access the consoles of the server host and an experimental host: |
| 69 | * Login via SSH or other encrypted protocol. |
| 70 | * Verify that you cannot login via an unencrypted login protocol. |
| 71 | |
| 72 | === Criteria to verify as part of this test === |
| 73 | |
| 74 | * V.01. For all rack infrastructure Unix hosts, including rack servers (both physical and VM) and experimental VM servers, site administrators should be able to login at a console (physical or virtual). (C.3.a) |
| 75 | * V.02. Site administrators can login to all rack infrastructure Unix hosts using public-key SSH. (C.3.a, C.3.b) |
| 76 | * V.03. Site administrators cannot login to any rack infrastructure Unix hosts using password-based SSH, nor via any unencrypted login protocol. (C.3.a) |
| 77 | * V.04. Site administrators can run any command with root privileges on all rack infrastructure Unix hosts. (C.3.a) |
| 78 | * V.05. Site administrators can login to all network-accessible rack infrastructure devices (network devices, remote KVMs, remote PDUs, etc) via serial console and via SSH. (C.3.a, C.3.b) |
| 79 | * V.06. Site administrators cannot login to any network-accessible rack device via an unencrypted login protocol. (C.3.a) |
| 80 | |
| 81 | == Step 1: verify access to rack boss node == |
| 82 | |
| 83 | === Step 1A: verify that SSH to boss succeeds and allows public keys only === |
| 84 | |
| 85 | '''Using:''' |
| 86 | * SSH to `chaos@boss.instageni.gpolab.bbn.com` from outside of the rack using public-key SSH |
| 87 | * SSH to `chaos@boss.instageni.gpolab.bbn.com` from outside of the rack using password-based SSH |
| 88 | |
| 89 | '''Verify:''' |
| 90 | * Public-key SSH succeeds |
| 91 | * Password-based SSH does not succeed |
| 92 | |
| 93 | === Step 1B: verify the absence of common unencrypted login protocols === |
| 94 | |
| 95 | '''Using:''' |
| 96 | * Use netstat to enumerate the network-listening processes running on boss |
| 97 | * Identify each process and determine whether it is a common unencrypted login protocol |
| 98 | * For any unencrypted login protocols found to be listening, try to access the relevant port remotely and determine whether login is possible |
| 99 | |
| 100 | '''Verify:''' |
| 101 | * No unencrypted login protocols are listening on accessible networks |
| 102 | * Login does not succeed via any unencrypted login protocol |
| 103 | |
| 104 | === Step 1C: verify sudo and sudo logging === |
| 105 | |
| 106 | '''Using:''' |
| 107 | * On boss, run: `sudo whoami` |
| 108 | * Look for a syslog file containing a record of the sudo command which was run |
| 109 | |
| 110 | '''Verify:''' |
| 111 | * The sudo command should succeed |
| 112 | * The command which was run should be recorded in a log |
| 113 | |
| 114 | == Step 2: verify access to rack ops node == |
| 115 | |
| 116 | === Step 2A: verify that SSH to ops succeeds and allows public keys only === |
| 117 | |
| 118 | '''Using:''' |
| 119 | * SSH to `chaos@ops.instageni.gpolab.bbn.com` from outside of the rack using public-key SSH |
| 120 | * SSH to `chaos@ops.instageni.gpolab.bbn.com` from outside of the rack using password-based SSH |
| 121 | |
| 122 | '''Verify:''' |
| 123 | * Public-key SSH succeeds |
| 124 | * Password-based SSH does not succeed |
| 125 | |
| 126 | === Step 2B: verify the absence of common unencrypted login protocols === |
| 127 | |
| 128 | '''Using:''' |
| 129 | * Use netstat to enumerate the network-listening processes running on ops |
| 130 | * Identify each process and determine whether it is a common unencrypted login protocol |
| 131 | * For any unencrypted login protocols found to be listening, try to access the relevant port remotely and determine whether login is possible |
| 132 | |
| 133 | '''Verify:''' |
| 134 | * No unencrypted login protocols are listening on accessible networks |
| 135 | * Login does not succeed via any unencrypted login protocol |
| 136 | |
| 137 | === Step 2C: verify sudo and sudo logging === |
| 138 | |
| 139 | '''Using:''' |
| 140 | * On ops, run: `sudo whoami` |
| 141 | * Look for a syslog file containing a record of the sudo command which was run |
| 142 | |
| 143 | '''Verify:''' |
| 144 | * The sudo command should succeed |
| 145 | * The command which was run should be recorded in a log |
| 146 | |
| 147 | == Step 3: verify access to rack foam node == |
| 148 | |
| 149 | === Step 3A: verify that SSH to foam succeeds and allows public keys only === |
| 150 | |
| 151 | '''Using:''' |
| 152 | * SSH to `chaos@foam.instageni.gpolab.bbn.com` from outside of the rack using public-key SSH |
| 153 | * SSH to `chaos@foam.instageni.gpolab.bbn.com` from outside of the rack using password-based SSH |
| 154 | |
| 155 | '''Verify:''' |
| 156 | * Public-key SSH succeeds |
| 157 | * Password-based SSH does not succeed |
| 158 | |
| 159 | === Step 3B: verify the absence of common unencrypted login protocols === |
| 160 | |
| 161 | '''Using:''' |
| 162 | * Use netstat to enumerate the network-listening processes running on foam |
| 163 | * Identify each process and determine whether it is a common unencrypted login protocol |
| 164 | * For any unencrypted login protocols found to be listening, try to access the relevant port remotely and determine whether login is possible |
| 165 | |
| 166 | '''Verify:''' |
| 167 | * No unencrypted login protocols are listening on accessible networks |
| 168 | * Login does not succeed via any unencrypted login protocol |
| 169 | |
| 170 | === Step 3C: verify sudo and sudo logging === |
| 171 | |
| 172 | '''Using:''' |
| 173 | * On foam, run: `sudo whoami` |
| 174 | * Look for a syslog file containing a record of the sudo command which was run |
| 175 | |
| 176 | '''Verify:''' |
| 177 | * The sudo command should succeed |
| 178 | * The command which was run should be recorded in a log |
| 179 | |
| 180 | == Step 4: verify access to rack infrastructure VM server host == |
| 181 | |
| 182 | === Step 4A: verify that SSH to foam succeeds and allows public keys only === |
| 183 | |
| 184 | '''Using:''' |
| 185 | * SSH to `chaos` account on rack infrastructure server from outside of the rack using public-key SSH |
| 186 | * SSH to `chaos` account on rack infrastructure server from outside of the rack using password-based SSH |
| 187 | |
| 188 | '''Verify:''' |
| 189 | * Public-key SSH succeeds |
| 190 | * Password-based SSH does not succeed |
| 191 | |
| 192 | === Step 4B: verify the absence of common unencrypted login protocols === |
| 193 | |
| 194 | '''Using:''' |
| 195 | * Use netstat to enumerate the network-listening processes running on the infrastructure VM server |
| 196 | * Identify each process and determine whether it is a common unencrypted login protocol |
| 197 | * For any unencrypted login protocols found to be listening, try to access the relevant port remotely and determine whether login is possible |
| 198 | |
| 199 | '''Verify:''' |
| 200 | * No unencrypted login protocols are listening on accessible networks |
| 201 | * Login does not succeed via any unencrypted login protocol |
| 202 | |
| 203 | === Step 4C: verify sudo and sudo logging === |
| 204 | |
| 205 | '''Using:''' |
| 206 | * On the infrastructure VM server, run: `sudo whoami` |
| 207 | * Look for a syslog file containing a record of the sudo command which was run |
| 208 | |
| 209 | '''Verify:''' |
| 210 | * The sudo command should succeed |
| 211 | * The command which was run should be recorded in a log |
| 212 | |
| 213 | == Step 5: verify access to experimental OpenVZ node == |
| 214 | |
| 215 | === Step 5A: verify that SSH to experimental OpenVZ node succeeds and allows public keys only on public IPs === |
| 216 | |
| 217 | '''Using:''' |
| 218 | * SSH to `root` on the experimental node from boss using public-key SSH |
| 219 | * View `sshd_config` file and determine whether password-based login is allowed |
| 220 | |
| 221 | '''Verify:''' |
| 222 | * Public-key SSH succeeds from boss |
| 223 | * Password-based SSH does not succeed from outside of the rack |
| 224 | |
| 225 | === Step 5B: verify the absence of common unencrypted login protocols === |
| 226 | |
| 227 | '''Using:''' |
| 228 | * Use netstat to enumerate the network-listening processes running on the OpenVZ node |
| 229 | * Identify each process and determine whether it is a common unencrypted login protocol |
| 230 | * For any unencrypted login protocols found to be listening, try to access the relevant port remotely and determine whether login is possible |
| 231 | |
| 232 | '''Verify:''' |
| 233 | * No unencrypted login protocols are listening on accessible networks |
| 234 | * Login does not succeed via any unencrypted login protocol |
| 235 | |
| 236 | === Step 5C: verify sudo and sudo logging === |
| 237 | |
| 238 | '''Using:''' |
| 239 | * On the OpenVZ node, run: `sudo whoami` |
| 240 | * Look for a syslog file containing a record of the sudo command which was run |
| 241 | |
| 242 | '''Verify:''' |
| 243 | * The sudo command should succeed |
| 244 | * The command which was run should be recorded in a log |
| 245 | |
| 246 | == Step 6: verify access to control network switch == |
| 247 | |
| 248 | === Step 6A: verify SSH access === |
| 249 | |
| 250 | '''Using:''' |
| 251 | * Login to the control network switch via SSH |
| 252 | |
| 253 | '''Verify:''' |
| 254 | * SSH login succeeds |
| 255 | |
| 256 | === Step 6B: verify privileged access to the control network switch === |
| 257 | |
| 258 | '''Using:''' |
| 259 | * On the control network switch, run the enable command to enter privileged mode |
| 260 | * On the control network switch, view the running configuration |
| 261 | * On the control network switch, view the MAC address table |
| 262 | |
| 263 | '''Verify:''' |
| 264 | * Entering privileged mode should succeed |
| 265 | * Viewing the running configuration should succeed |
| 266 | * Viewing the MAC address table should succeed |
| 267 | |
| 268 | === Step 6C: verify absence of unencrypted login access === |
| 269 | |
| 270 | '''Using:''' |
| 271 | * From boss, attempt to connect via telnet (port 23) to the control network switch |
| 272 | * From boss, attempt to connect via http (port 80) to the control network switch |
| 273 | * If a port 80 connection is successful, determine whether login is allowed via that interface |
| 274 | * Look at the control switch running configuration, and identify any configuration lines which might represent login services |
| 275 | * Determine whether any such services are encrypted or disabled |
| 276 | |
| 277 | '''Verify:''' |
| 278 | * The device does not allow telnet access on the standard port |
| 279 | * The device does not allow unencrypted http authentication |
| 280 | * No other services appear to allow remote unencrypted authentication |
| 281 | |
| 282 | === Step 6D: verify serial console access to the device === |
| 283 | |
| 284 | '''Using:''' |
| 285 | * Access the control network switch via the serial console |
| 286 | * Authenticate to the control network switch if necessary |
| 287 | * Enter enable mode if necessary |
| 288 | * View the running configuration of the control network switch |
| 289 | |
| 290 | '''Verify:''' |
| 291 | * The control network switch should be accessible via serial console |
| 292 | * It should be possible to perform privileged operations via the serial console |
| 293 | * It should be possible to view the running configuration via the serial console |
| 294 | |
| 295 | == Step 7: verify access to dataplane switch == |
| 296 | |
| 297 | === Step 7A: verify SSH access === |
| 298 | |
| 299 | '''Using:''' |
| 300 | * Login to the dataplane switch via SSH |
| 301 | |
| 302 | '''Verify:''' |
| 303 | * SSH login succeeds |
| 304 | |
| 305 | === Step 7B: verify privileged access to the dataplane switch === |
| 306 | |
| 307 | '''Using:''' |
| 308 | * On the dataplane switch, run the enable command to enter privileged mode |
| 309 | * On the dataplane switch, view the running configuration |
| 310 | * On the dataplane switch, view the MAC address table |
| 311 | |
| 312 | '''Verify:''' |
| 313 | * Entering privileged mode should succeed |
| 314 | * Viewing the running configuration should succeed |
| 315 | * Viewing the MAC address table should succeed |
| 316 | |
| 317 | === Step 7C: verify absence of unencrypted login access === |
| 318 | |
| 319 | '''Using:''' |
| 320 | * From boss, attempt to connect via telnet (port 23) to the dataplane switch |
| 321 | * From boss, attempt to connect via http (port 80) to the dataplane switch |
| 322 | * If a port 80 connection is successful, determine whether login is allowed via that interface |
| 323 | * Look at the dataplane switch running configuration, and identify any configuration lines which might represent login services |
| 324 | * Determine whether any such services are encrypted or disabled |
| 325 | |
| 326 | '''Verify:''' |
| 327 | * The device does not allow telnet access on the standard port |
| 328 | * The device does not allow unencrypted http authentication |
| 329 | * No other services appear to allow remote unencrypted authentication |
| 330 | |
| 331 | === Step 7D: verify serial console access to the device === |
| 332 | |
| 333 | '''Using:''' |
| 334 | * Access the dataplane switch via the serial console |
| 335 | * Authenticate to the dataplane switch if necessary |
| 336 | * Enter enable mode if necessary |
| 337 | * View the running configuration of the dataplane switch |
| 338 | |
| 339 | '''Verify:''' |
| 340 | * The dataplane switch should be accessible via serial console |
| 341 | * It should be possible to perform privileged operations via the serial console |
| 342 | * It should be possible to view the running configuration via the serial console |
| 343 | |
| 344 | == Step 8: verify that iLO is not accessible via unencrypted protocols == |
| 345 | |
| 346 | '''Using:''' |
| 347 | * From boss, attempt to connect via telnet (port 23) to the pc1 iLO IP |
| 348 | * From boss, attempt to connect via http (port 80) to the the pc1 iLO IP |
| 349 | * If a port 80 connection is successful, determine whether login is allowed via that interface |
| 350 | * If any prospective unencrypted protocols were identified in the iLO configurations during IG-ADM-1 step 3F, attempt to connect to those ports from boss |
| 351 | |
| 352 | '''Verify:''' |
| 353 | * The pc1 iLO does not allow telnet access on the standard port |
| 354 | * The device does not allow unencrypted http authentication |
| 355 | * No other services appear to allow remote unencrypted authentication |
| 356 | |