| | 1 | [[PageOutline]] |
| | 2 | |
| | 3 | = Detailed test plan for EG-ADM-2: Rack Administrator Access Test = |
| | 4 | |
| | 5 | ''This page is GPO's working page for performing EG-ADM-2. It is public for informational purposes, but it is not an official status report. See [wiki:GENIRacksHome/ExogeniRacks/AcceptanceTestStatus] for the current status of ExoGENI acceptance tests.'' |
| | 6 | |
| | 7 | ''Last substantive edit of this page: 2012-05-03'' |
| | 8 | |
| | 9 | == Page format == |
| | 10 | |
| | 11 | * The status chart summarizes the state of this test |
| | 12 | * The high-level description from test plan contains text copied exactly from the public test plan and acceptance criteria pages. |
| | 13 | * The steps contain things i will actually do/verify: |
| | 14 | * Steps may be composed of related substeps where i find this useful for clarity |
| | 15 | * Each step is identified as either "(prep)" or "(verify)": |
| | 16 | * Prep steps are just things we have to do. They're not tests of the rack, but are prerequisites for subsequent verification steps |
| | 17 | * Verify steps are steps in which we will actually look at rack output and make sure it is as expected. They contain a '''Using:''' block, which lists the steps to run the verification, and an '''Expect:''' block which lists what outcome is expected for the test to pass. |
| | 18 | |
| | 19 | == Status of test == |
| | 20 | |
| | 21 | Meaning of states: |
| | 22 | * [[Color(green,okay)]]: Step is completed and passed (for a verification step), or is completed (for a prep step) |
| | 23 | * [[Color(red,failed)]]: Step is completed and failed, and is not being revisited |
| | 24 | * in progress: We are currently testing or iterating on this step |
| | 25 | * [[Color(orange,waiting)]]: Step is blocked by some other step or activity |
| | 26 | |
| | 27 | || '''Step''' || '''State''' || '''Date completed''' || '''Comments''' || |
| | 28 | || 1A || || || || |
| | 29 | || 1B || || || || |
| | 30 | || 1C || || || || |
| | 31 | || 2A || || || || |
| | 32 | || 2B || || || || |
| | 33 | || 2C || || || || |
| | 34 | || 3A || || || || |
| | 35 | || 3B || || || || |
| | 36 | || 3C || || || || |
| | 37 | || 3D || || || || |
| | 38 | || 4A || || || || |
| | 39 | || 4B || || || || |
| | 40 | || 4C || || || || |
| | 41 | || 4D || || || || |
| | 42 | || 5 || || || || |
| | 43 | |
| | 44 | == High-level description from test plan == |
| | 45 | |
| | 46 | === EG-ADM-2: Rack Administrator Access Test === |
| | 47 | |
| | 48 | This test verifies local and remote administrative access to rack devices. |
| | 49 | |
| | 50 | === Procedure === |
| | 51 | |
| | 52 | 1. For each type of rack infrastructure node, including the head node and a worker node configured for !OpenStack, use a site administrator account to test: |
| | 53 | * Login to the node using public-key SSH. |
| | 54 | * Verify that you cannot login to the node using password-based SSH, nor via any unencrypted login protocol. |
| | 55 | * When logged in, run a command via sudo to verify root privileges. |
| | 56 | 2. For each rack infrastructure device (switches, remote PDUs if any), use a site administrator account to test: |
| | 57 | * Login via SSH. |
| | 58 | * Login via a serial console (if the device has one). |
| | 59 | * Verify that you cannot login to the device via an unencrypted login protocol. |
| | 60 | * Use the "enable" command or equivalent to verify privileged access. |
| | 61 | 3. Test that IMM (the ExoGENI remote console solution for rack hosts) can be used to access the consoles of the head node and a worker node: |
| | 62 | * Login via SSH or other encrypted protocol. |
| | 63 | * Verify that you cannot login via an unencrypted login protocol. |
| | 64 | |
| | 65 | === Criteria to verify as part of this test === |
| | 66 | |
| | 67 | * V.01. For all rack infrastructure Unix hosts, including rack servers (both physical and VM) and experimental VM servers, site administrators should be able to login at a console (physical or virtual). (C.3.a) |
| | 68 | * V.02. Site administrators can login to all rack infrastructure Unix hosts using public-key SSH. (C.3.a, C.3.b) |
| | 69 | * V.03. Site administrators cannot login to any rack infrastructure Unix hosts using password-based SSH, nor via any unencrypted login protocol. (C.3.a) |
| | 70 | * V.04. Site administrators can run any command with root privileges on all rack infrastructure Unix hosts. (C.3.a) |
| | 71 | * V.05. Site administrators can login to all network-accessible rack infrastructure devices (network devices, remote KVMs, remote PDUs, etc) via serial console and via SSH. (C.3.a, C.3.b) |
| | 72 | * V.06. Site administrators cannot login to any network-accessible rack device via an unencrypted login protocol. (C.3.a) |
| | 73 | |
| | 74 | == Step 1: verify access to rack head node == |
| | 75 | |
| | 76 | === Step 1A: verify that SSH to bbn-hn succeeds and allows public keys only === |
| | 77 | |
| | 78 | '''Using:''' |
| | 79 | * SSH to `chaos@bbn-hn.exogeni.gpolab.bbn.com` from outside of the rack using public-key SSH |
| | 80 | * SSH to `chaos@bbn-hn.exogeni.gpolab.bbn.com` from outside of the rack using password-based SSH |
| | 81 | |
| | 82 | '''Verify:''' |
| | 83 | * Public-key SSH succeeds |
| | 84 | * Password-based SSH does not succeed |
| | 85 | |
| | 86 | === Step 1B: verify the absence of common unencrypted login protocols === |
| | 87 | |
| | 88 | '''Using:''' |
| | 89 | * Use netstat to enumerate the network-listening processes running on bbn-hn |
| | 90 | * Identify each process and determine whether it is a common unencrypted login protocol |
| | 91 | * For any unencrypted login protocols found to be listening, try to access the relevant port remotely and determine whether login is possible |
| | 92 | |
| | 93 | '''Verify:''' |
| | 94 | * No unencrypted login protocols are listening on accessible networks |
| | 95 | * Login does not succeed via any unencrypted login protocol |
| | 96 | |
| | 97 | === Step 1C: verify sudo and sudo logging === |
| | 98 | |
| | 99 | '''Using:''' |
| | 100 | * On bbn-hn, run: `sudo whoami` |
| | 101 | * Look for a syslog file containing a record of the sudo command which was run |
| | 102 | |
| | 103 | '''Verify:''' |
| | 104 | * The sudo command should succeed |
| | 105 | * The command which was run should be recorded in a log |
| | 106 | |
| | 107 | == Step 2: verify access to rack worker node == |
| | 108 | |
| | 109 | === Step 2A: verify that SSH to bbn-hn succeeds and allows public keys only on public IPs === |
| | 110 | |
| | 111 | '''Using:''' |
| | 112 | * SSH to `chaos@bbn-w1` from bbn-hn using public-key SSH |
| | 113 | * Determine whether any routable IP addresses are defined on bbn-w1 at the time of testing |
| | 114 | * If so, SSH to `chaos@bbn-w1` using password-based SSH from outside of the rack |
| | 115 | |
| | 116 | '''Verify:''' |
| | 117 | * Public-key SSH succeeds from bbn-hn |
| | 118 | * Password-based SSH does not succeed from outside of the rack |
| | 119 | |
| | 120 | === Step 2B: verify the absence of common unencrypted login protocols === |
| | 121 | |
| | 122 | '''Using:''' |
| | 123 | * Use netstat to enumerate the network-listening processes running on bbn-w1 |
| | 124 | * Identify each process and determine whether it is a common unencrypted login protocol |
| | 125 | * For any unencrypted login protocols found to be listening, try to access the relevant port remotely and determine whether login is possible |
| | 126 | |
| | 127 | '''Verify:''' |
| | 128 | * No unencrypted login protocols are listening on accessible networks |
| | 129 | * Login does not succeed via any unencrypted login protocol |
| | 130 | |
| | 131 | === Step 2C: verify sudo and sudo logging === |
| | 132 | |
| | 133 | '''Using:''' |
| | 134 | * On bbn-w1, run: `sudo whoami` |
| | 135 | * Look for a syslog file containing a record of the sudo command which was run |
| | 136 | |
| | 137 | '''Verify:''' |
| | 138 | * The sudo command should succeed |
| | 139 | * The command which was run should be recorded in a log |
| | 140 | |
| | 141 | == Step 3: verify access to 8052 (management) switch == |
| | 142 | |
| | 143 | === Step 3A: verify SSH access === |
| | 144 | |
| | 145 | '''Using:''' |
| | 146 | * From bbn-hn, login to `chaos@8052` via SSH |
| | 147 | |
| | 148 | '''Verify:''' |
| | 149 | * SSH login succeeds |
| | 150 | |
| | 151 | === Step 3B: verify privileged access to the 8052 switch === |
| | 152 | |
| | 153 | '''Using:''' |
| | 154 | * On the 8052, run the enable command to enter privileged mode |
| | 155 | * On the 8052, view the running configuration |
| | 156 | * On the 8052, view the MAC address table |
| | 157 | |
| | 158 | '''Verify:''' |
| | 159 | * Entering privileged mode should succeed |
| | 160 | * Viewing the running configuration should succeed |
| | 161 | * Viewing the MAC address table should succeed |
| | 162 | |
| | 163 | === Step 3C: verify absence of unencrypted login access === |
| | 164 | |
| | 165 | '''Using:''' |
| | 166 | * From bbn-hn, attempt to connect via telnet (port 23) to the 8052 |
| | 167 | * From bbn-hn, attempt to connect via http (port 80) to the 8052 |
| | 168 | * If a port 80 connection is successful, determine whether login is allowed via that interface |
| | 169 | * Look at the 8052 running configuration, and identify any configuration lines which might represent login services |
| | 170 | * Determine whether any such services are encrypted or disabled |
| | 171 | |
| | 172 | '''Verify:''' |
| | 173 | * The device does not allow telnet access on the standard port |
| | 174 | * The device does not allow unencrypted http authentication |
| | 175 | * No other services appear to allow remote unencrypted authentication |
| | 176 | |
| | 177 | === Step 3D: verify serial console access to the device === |
| | 178 | |
| | 179 | '''Using:''' |
| | 180 | * From bbn-hn, access the 8264 via the serial console |
| | 181 | * Authenticate to the 8264 if necessary |
| | 182 | * Enter enable mode if necessary |
| | 183 | * View the running configuration of the 8264 |
| | 184 | |
| | 185 | '''Verify:''' |
| | 186 | * The 8264 should be accessible via serial console |
| | 187 | * It should be possible to perform privileged operations via the serial console |
| | 188 | * It should be possible to view the running configuration via the serial console |
| | 189 | |
| | 190 | == Step 4: verify access to 8264 (management) switch == |
| | 191 | |
| | 192 | === Step 4A: verify SSH access === |
| | 193 | |
| | 194 | '''Using:''' |
| | 195 | * From bbn-hn, login to `chaos@8264` via SSH |
| | 196 | |
| | 197 | '''Verify:''' |
| | 198 | * SSH login succeeds |
| | 199 | |
| | 200 | === Step 4B: verify privileged access to the 8264 switch === |
| | 201 | |
| | 202 | '''Using:''' |
| | 203 | * On the 8264, run the enable command to enter privileged mode |
| | 204 | * On the 8264, view the running configuration |
| | 205 | * On the 8264, view the MAC address table |
| | 206 | |
| | 207 | '''Verify:''' |
| | 208 | * Entering privileged mode should succeed |
| | 209 | * Viewing the running configuration should succeed |
| | 210 | * Viewing the MAC address table should succeed |
| | 211 | |
| | 212 | === Step 4C: verify absence of unencrypted login access === |
| | 213 | |
| | 214 | '''Using:''' |
| | 215 | * From bbn-hn, attempt to connect via telnet (port 23) to the 8264 |
| | 216 | * From bbn-hn, attempt to connect via http (port 80) to the 8264 |
| | 217 | * If a port 80 connection is successful, determine whether login is allowed via that interface |
| | 218 | * Look at the 8264 running configuration, and identify any configuration lines which might represent login services |
| | 219 | * Determine whether any such services are encrypted or disabled |
| | 220 | |
| | 221 | '''Verify:''' |
| | 222 | * The device does not allow telnet access on the standard port |
| | 223 | * The device does not allow unencrypted http authentication |
| | 224 | * No other services appear to allow remote unencrypted authentication |
| | 225 | |
| | 226 | === Step 4D: verify serial console access to the device === |
| | 227 | |
| | 228 | '''Using:''' |
| | 229 | * From bbn-hn, access the 8264 via the serial console |
| | 230 | * Authenticate to the 8264 if necessary |
| | 231 | * Enter enable mode if necessary |
| | 232 | * View the running configuration of the 8264 |
| | 233 | |
| | 234 | '''Verify:''' |
| | 235 | * The 8264 should be accessible via serial console |
| | 236 | * It should be possible to perform privileged operations via the serial console |
| | 237 | * It should be possible to view the running configuration via the serial console |
| | 238 | |
| | 239 | == Step 5: verify that IMM/IPMI is not accessible without the VPN == |
| | 240 | |
| | 241 | '''Using:''' |
| | 242 | * From bbn-hn, attempt to connect via telnet (port 23) to the bbn-w1 IMM IP |
| | 243 | * From bbn-hn, attempt to connect via http (port 80) to the the bbn-w1 IMM IP |
| | 244 | * If a port 80 connection is successful, determine whether login is allowed via that interface |
| | 245 | * If any prospective unencrypted protocols were identified in the IMM configurations during EG-ADM-1 step 3D, attempt to connect to those ports from bbn-hn |
| | 246 | |
| | 247 | '''Verify:''' |
| | 248 | * The bbn-w1 IMM does not allow telnet access on the standard port |
| | 249 | * The device does not allow unencrypted http authentication |
| | 250 | * No other services appear to allow remote unencrypted authentication |
| | 251 | |
