| 1 | [[PageOutline]] |
| 2 | |
| 3 | = Detailed test plan for EG-ADM-2: Rack Administrator Access Test = |
| 4 | |
| 5 | ''This page is GPO's working page for performing EG-ADM-2. It is public for informational purposes, but it is not an official status report. See [wiki:GENIRacksHome/ExogeniRacks/AcceptanceTestStatus] for the current status of ExoGENI acceptance tests.'' |
| 6 | |
| 7 | ''Last substantive edit of this page: 2012-05-03'' |
| 8 | |
| 9 | == Page format == |
| 10 | |
| 11 | * The status chart summarizes the state of this test |
| 12 | * The high-level description from test plan contains text copied exactly from the public test plan and acceptance criteria pages. |
| 13 | * The steps contain things i will actually do/verify: |
| 14 | * Steps may be composed of related substeps where i find this useful for clarity |
| 15 | * Each step is identified as either "(prep)" or "(verify)": |
| 16 | * Prep steps are just things we have to do. They're not tests of the rack, but are prerequisites for subsequent verification steps |
| 17 | * Verify steps are steps in which we will actually look at rack output and make sure it is as expected. They contain a '''Using:''' block, which lists the steps to run the verification, and an '''Expect:''' block which lists what outcome is expected for the test to pass. |
| 18 | |
| 19 | == Status of test == |
| 20 | |
| 21 | Meaning of states: |
| 22 | * [[Color(green,okay)]]: Step is completed and passed (for a verification step), or is completed (for a prep step) |
| 23 | * [[Color(red,failed)]]: Step is completed and failed, and is not being revisited |
| 24 | * in progress: We are currently testing or iterating on this step |
| 25 | * [[Color(orange,waiting)]]: Step is blocked by some other step or activity |
| 26 | |
| 27 | || '''Step''' || '''State''' || '''Date completed''' || '''Comments''' || |
| 28 | || 1A || || || || |
| 29 | || 1B || || || || |
| 30 | || 1C || || || || |
| 31 | || 2A || || || || |
| 32 | || 2B || || || || |
| 33 | || 2C || || || || |
| 34 | || 3A || || || || |
| 35 | || 3B || || || || |
| 36 | || 3C || || || || |
| 37 | || 3D || || || || |
| 38 | || 4A || || || || |
| 39 | || 4B || || || || |
| 40 | || 4C || || || || |
| 41 | || 4D || || || || |
| 42 | || 5 || || || || |
| 43 | |
| 44 | == High-level description from test plan == |
| 45 | |
| 46 | === EG-ADM-2: Rack Administrator Access Test === |
| 47 | |
| 48 | This test verifies local and remote administrative access to rack devices. |
| 49 | |
| 50 | === Procedure === |
| 51 | |
| 52 | 1. For each type of rack infrastructure node, including the head node and a worker node configured for !OpenStack, use a site administrator account to test: |
| 53 | * Login to the node using public-key SSH. |
| 54 | * Verify that you cannot login to the node using password-based SSH, nor via any unencrypted login protocol. |
| 55 | * When logged in, run a command via sudo to verify root privileges. |
| 56 | 2. For each rack infrastructure device (switches, remote PDUs if any), use a site administrator account to test: |
| 57 | * Login via SSH. |
| 58 | * Login via a serial console (if the device has one). |
| 59 | * Verify that you cannot login to the device via an unencrypted login protocol. |
| 60 | * Use the "enable" command or equivalent to verify privileged access. |
| 61 | 3. Test that IMM (the ExoGENI remote console solution for rack hosts) can be used to access the consoles of the head node and a worker node: |
| 62 | * Login via SSH or other encrypted protocol. |
| 63 | * Verify that you cannot login via an unencrypted login protocol. |
| 64 | |
| 65 | === Criteria to verify as part of this test === |
| 66 | |
| 67 | * V.01. For all rack infrastructure Unix hosts, including rack servers (both physical and VM) and experimental VM servers, site administrators should be able to login at a console (physical or virtual). (C.3.a) |
| 68 | * V.02. Site administrators can login to all rack infrastructure Unix hosts using public-key SSH. (C.3.a, C.3.b) |
| 69 | * V.03. Site administrators cannot login to any rack infrastructure Unix hosts using password-based SSH, nor via any unencrypted login protocol. (C.3.a) |
| 70 | * V.04. Site administrators can run any command with root privileges on all rack infrastructure Unix hosts. (C.3.a) |
| 71 | * V.05. Site administrators can login to all network-accessible rack infrastructure devices (network devices, remote KVMs, remote PDUs, etc) via serial console and via SSH. (C.3.a, C.3.b) |
| 72 | * V.06. Site administrators cannot login to any network-accessible rack device via an unencrypted login protocol. (C.3.a) |
| 73 | |
| 74 | == Step 1: verify access to rack head node == |
| 75 | |
| 76 | === Step 1A: verify that SSH to bbn-hn succeeds and allows public keys only === |
| 77 | |
| 78 | '''Using:''' |
| 79 | * SSH to `chaos@bbn-hn.exogeni.gpolab.bbn.com` from outside of the rack using public-key SSH |
| 80 | * SSH to `chaos@bbn-hn.exogeni.gpolab.bbn.com` from outside of the rack using password-based SSH |
| 81 | |
| 82 | '''Verify:''' |
| 83 | * Public-key SSH succeeds |
| 84 | * Password-based SSH does not succeed |
| 85 | |
| 86 | === Step 1B: verify the absence of common unencrypted login protocols === |
| 87 | |
| 88 | '''Using:''' |
| 89 | * Use netstat to enumerate the network-listening processes running on bbn-hn |
| 90 | * Identify each process and determine whether it is a common unencrypted login protocol |
| 91 | * For any unencrypted login protocols found to be listening, try to access the relevant port remotely and determine whether login is possible |
| 92 | |
| 93 | '''Verify:''' |
| 94 | * No unencrypted login protocols are listening on accessible networks |
| 95 | * Login does not succeed via any unencrypted login protocol |
| 96 | |
| 97 | === Step 1C: verify sudo and sudo logging === |
| 98 | |
| 99 | '''Using:''' |
| 100 | * On bbn-hn, run: `sudo whoami` |
| 101 | * Look for a syslog file containing a record of the sudo command which was run |
| 102 | |
| 103 | '''Verify:''' |
| 104 | * The sudo command should succeed |
| 105 | * The command which was run should be recorded in a log |
| 106 | |
| 107 | == Step 2: verify access to rack worker node == |
| 108 | |
| 109 | === Step 2A: verify that SSH to bbn-hn succeeds and allows public keys only on public IPs === |
| 110 | |
| 111 | '''Using:''' |
| 112 | * SSH to `chaos@bbn-w1` from bbn-hn using public-key SSH |
| 113 | * Determine whether any routable IP addresses are defined on bbn-w1 at the time of testing |
| 114 | * If so, SSH to `chaos@bbn-w1` using password-based SSH from outside of the rack |
| 115 | |
| 116 | '''Verify:''' |
| 117 | * Public-key SSH succeeds from bbn-hn |
| 118 | * Password-based SSH does not succeed from outside of the rack |
| 119 | |
| 120 | === Step 2B: verify the absence of common unencrypted login protocols === |
| 121 | |
| 122 | '''Using:''' |
| 123 | * Use netstat to enumerate the network-listening processes running on bbn-w1 |
| 124 | * Identify each process and determine whether it is a common unencrypted login protocol |
| 125 | * For any unencrypted login protocols found to be listening, try to access the relevant port remotely and determine whether login is possible |
| 126 | |
| 127 | '''Verify:''' |
| 128 | * No unencrypted login protocols are listening on accessible networks |
| 129 | * Login does not succeed via any unencrypted login protocol |
| 130 | |
| 131 | === Step 2C: verify sudo and sudo logging === |
| 132 | |
| 133 | '''Using:''' |
| 134 | * On bbn-w1, run: `sudo whoami` |
| 135 | * Look for a syslog file containing a record of the sudo command which was run |
| 136 | |
| 137 | '''Verify:''' |
| 138 | * The sudo command should succeed |
| 139 | * The command which was run should be recorded in a log |
| 140 | |
| 141 | == Step 3: verify access to 8052 (management) switch == |
| 142 | |
| 143 | === Step 3A: verify SSH access === |
| 144 | |
| 145 | '''Using:''' |
| 146 | * From bbn-hn, login to `chaos@8052` via SSH |
| 147 | |
| 148 | '''Verify:''' |
| 149 | * SSH login succeeds |
| 150 | |
| 151 | === Step 3B: verify privileged access to the 8052 switch === |
| 152 | |
| 153 | '''Using:''' |
| 154 | * On the 8052, run the enable command to enter privileged mode |
| 155 | * On the 8052, view the running configuration |
| 156 | * On the 8052, view the MAC address table |
| 157 | |
| 158 | '''Verify:''' |
| 159 | * Entering privileged mode should succeed |
| 160 | * Viewing the running configuration should succeed |
| 161 | * Viewing the MAC address table should succeed |
| 162 | |
| 163 | === Step 3C: verify absence of unencrypted login access === |
| 164 | |
| 165 | '''Using:''' |
| 166 | * From bbn-hn, attempt to connect via telnet (port 23) to the 8052 |
| 167 | * From bbn-hn, attempt to connect via http (port 80) to the 8052 |
| 168 | * If a port 80 connection is successful, determine whether login is allowed via that interface |
| 169 | * Look at the 8052 running configuration, and identify any configuration lines which might represent login services |
| 170 | * Determine whether any such services are encrypted or disabled |
| 171 | |
| 172 | '''Verify:''' |
| 173 | * The device does not allow telnet access on the standard port |
| 174 | * The device does not allow unencrypted http authentication |
| 175 | * No other services appear to allow remote unencrypted authentication |
| 176 | |
| 177 | === Step 3D: verify serial console access to the device === |
| 178 | |
| 179 | '''Using:''' |
| 180 | * From bbn-hn, access the 8264 via the serial console |
| 181 | * Authenticate to the 8264 if necessary |
| 182 | * Enter enable mode if necessary |
| 183 | * View the running configuration of the 8264 |
| 184 | |
| 185 | '''Verify:''' |
| 186 | * The 8264 should be accessible via serial console |
| 187 | * It should be possible to perform privileged operations via the serial console |
| 188 | * It should be possible to view the running configuration via the serial console |
| 189 | |
| 190 | == Step 4: verify access to 8264 (management) switch == |
| 191 | |
| 192 | === Step 4A: verify SSH access === |
| 193 | |
| 194 | '''Using:''' |
| 195 | * From bbn-hn, login to `chaos@8264` via SSH |
| 196 | |
| 197 | '''Verify:''' |
| 198 | * SSH login succeeds |
| 199 | |
| 200 | === Step 4B: verify privileged access to the 8264 switch === |
| 201 | |
| 202 | '''Using:''' |
| 203 | * On the 8264, run the enable command to enter privileged mode |
| 204 | * On the 8264, view the running configuration |
| 205 | * On the 8264, view the MAC address table |
| 206 | |
| 207 | '''Verify:''' |
| 208 | * Entering privileged mode should succeed |
| 209 | * Viewing the running configuration should succeed |
| 210 | * Viewing the MAC address table should succeed |
| 211 | |
| 212 | === Step 4C: verify absence of unencrypted login access === |
| 213 | |
| 214 | '''Using:''' |
| 215 | * From bbn-hn, attempt to connect via telnet (port 23) to the 8264 |
| 216 | * From bbn-hn, attempt to connect via http (port 80) to the 8264 |
| 217 | * If a port 80 connection is successful, determine whether login is allowed via that interface |
| 218 | * Look at the 8264 running configuration, and identify any configuration lines which might represent login services |
| 219 | * Determine whether any such services are encrypted or disabled |
| 220 | |
| 221 | '''Verify:''' |
| 222 | * The device does not allow telnet access on the standard port |
| 223 | * The device does not allow unencrypted http authentication |
| 224 | * No other services appear to allow remote unencrypted authentication |
| 225 | |
| 226 | === Step 4D: verify serial console access to the device === |
| 227 | |
| 228 | '''Using:''' |
| 229 | * From bbn-hn, access the 8264 via the serial console |
| 230 | * Authenticate to the 8264 if necessary |
| 231 | * Enter enable mode if necessary |
| 232 | * View the running configuration of the 8264 |
| 233 | |
| 234 | '''Verify:''' |
| 235 | * The 8264 should be accessible via serial console |
| 236 | * It should be possible to perform privileged operations via the serial console |
| 237 | * It should be possible to view the running configuration via the serial console |
| 238 | |
| 239 | == Step 5: verify that IMM/IPMI is not accessible without the VPN == |
| 240 | |
| 241 | '''Using:''' |
| 242 | * From bbn-hn, attempt to connect via telnet (port 23) to the bbn-w1 IMM IP |
| 243 | * From bbn-hn, attempt to connect via http (port 80) to the the bbn-w1 IMM IP |
| 244 | * If a port 80 connection is successful, determine whether login is allowed via that interface |
| 245 | * If any prospective unencrypted protocols were identified in the IMM configurations during EG-ADM-1 step 3D, attempt to connect to those ports from bbn-hn |
| 246 | |
| 247 | '''Verify:''' |
| 248 | * The bbn-w1 IMM does not allow telnet access on the standard port |
| 249 | * The device does not allow unencrypted http authentication |
| 250 | * No other services appear to allow remote unencrypted authentication |
| 251 | |