Presentation at SuperSec 2018!
I've got a slot at SuperSec 2018 (https://supersec.es/): Congress on secure software development, happening in Almería, Spain on the weekend on 12-13 May.
I'll be presenting on 13th may at 10:50, and the slide deck to be used is at https://github.com/citellusorg/citellus/blob/master/doc/supersec2018-presentation-ES.md and I'll be updating this once I get the recording URL.
Some data about the event:
About the topics, the main focus was security on software from design phase to production and maintenance.
Some of the presentations insisted on the costs not only for your brand, reputation or business damage, but also on the actual cost of fixing issues later on vs doing a secure development.
For the secure development approach, where most of the bugs are introduced and can be fixed for cheap, some tools were presented that help to early detect known coding mistakes, hilighting them in automated, and later, working on static code analysis and code review.
It was also interesting to see the EU focus via FOSSA-2 project to promote Open Source and hear about legal implications and intended roadmap for security in software, both for Spain and EU.
Common Criteria was also one of the topics as well as the code audits, penetration testing, etc (with over 20 slots you can imagine :) )
On our side, we were presenting about how Citellus can help in detecting current or future issues that affect your environment and how easily it can be extended to cover your use cases while contributing it back to community.
Of course we were also hilighting how collaboration got Citellus enhanced with feedback from RDO Project users to cover not only RHEL6 and RHEL7 but also Fedora, CentOS and other distributions via more generic tests and functios that covers them.
PD: Hilighted in Citellus blog at https://citellus.org/blog/2018/04/16/supersec/
Click to read and post comments
During recent weeks we've been coding and performing several changes to Citellus and Magui.
Checking the latest logs or list of issues open and closed on github is probably not an easy task or the best way to get 'up-to-date' with changes, so I'll try to compile a few here.
First of all, we're going to present it at Devconf.cz 2018, so come stop-by if assisting :-)
Some of the changes include...
- New functions for bash scripts!
- We've created lot of functions to check different things:
- installed rpm
- rpm over specific version
- compare dates over X days
- regexp in file
- Functions do allow to do quicker plugin development.
- save/restore options so they can be loaded automatically for each execution
- Think of enabled filters, excluded, etc
- metadata added for plugins and returned as dictionary
- plugin has a unique ID for all installations based on plugin relative path and plugin name
- We do use that ID in magui to select the plugin data we'll be acting on
- plugin priority!
- Plugins are assigned a number between 0 and 1000 that represents how likely it's going to affect your environment, and you can filter also on it with
- extended via 'extensions' to provide support for other plugins
- moved prior plugins to be
- ansible playbook support via
- metadata plugins that just generate metadata (hostname, date for sosreport, etc)
- Web Interface!!
- David Valee Delisle did a great job on preparing an html that loads citellus.json and shows it graphically.
- Thanks to his work, we did extended some other features like priority, categories, etc that are calculated via citellus and consumed via citellus-www.
- Interface can also load
?json=magui.json) and show it's output.
- We did extend citellus to take
--web to automatically create the json named
citellus.json on the folder specified with
-o and copy the
citellus.html file there. So if you provide sosreports over http, you can point to citellus.html to see graphical status! (check latest image at citellus website as www.png )
- Increased plugin count!
- Now we do have more than 119 across different categories
- A new plugin in python
reboot.py that checks for unexpected reboots
- Spectre/Meltdown security checks!
- If there's an existing
citellus.json magui does load it to speed it up process across multiple sosreports.
- Magui can also use
ansible-playbook to copy citellus program to remote host and run there the command, and bring back the generated
citellus.json so you can quickly run citellus across several hosts without having to manually perform operations or generate sosreports.
- Moved prior data to two plugins:
- Citellus plugins output arranged by plugin and sosreport
- Outputs metadata gathered by
metadata plugins in citellus arranged by plugin and sosreport
- First plugins that compare data received from citellus on global level
- Plugins are written in python and use each plugin
id to just work on the data they know how to process
- Checks if pipeline.yaml and warns if is different across hosts
- Checks latest galera seqno on hosts
- Reports RHEL release across hosts and warns if is different across hosts
quiet mode on the data received from citellus as well as local plugins, so only outputs with ERROR or different output on sosreports is shown, even on magui plugins.
As you can see we've been busy trying to improve plugins, Citellus framework and Magui as well.
We've been also busy demonstrating to others it's value and raising lot of new issues and closing them with our commits (294 requests closed so far).
So, come and tell us what else are you missing or how can we improve it to suit your needs (or code them yourself and submit a review!)
Click to read and post comments
While working on Citellus and Magui it soon became evident that Unit testing for validating the changes was a requirement.
Initially, using a
.travis.yml file contained in the repo and the free service provided by https://travis-ci.org we soon got https://github.com repo providing information about if the builds succeded or not.
When it was decided to move to https://gerrithub.io to work in a more similar way to what is being done in upstream, we improved on the code comenting (peer review), but we lost the ability to run the tests in an automated way until the change was merged into github.
After some research, it became more or less evident that another tool, like Jenkins was required to automate the UT process and report to individual reviews about the status.
Some initial steps are required for integration:
- Create ssh keypair for jenkins to use
- Creating github account to be used by jenkins and configuring above ssh keypair
- Login into gerrithub with that account
- Setup Jenkins and build jobs
- Allow on the parent project, access to jenkins github account permission to +1/-1 on Verify
In order to setup the Jenkins environment a new VM was spawned in one of our RHV servers.
This VM was installed with:
- 20 Gb of HDD
- 2 Gb of RAM
- 2 VCPU
- Red Hat Enterprise Linux 7 'base install'
Tuning the OS
RHEL7 provides a stable environment for run on, but at the same time we were lacking some of the latest tools we're using for the builds.
As a dirty hack, it was altered in what is not a recomended way, but helped to quickly check as proof of concept if it would work or not.
Once OS was installed, some commands (do not run in production) were used:
pip install pip # to upgrade pip
pip install -U tox # To upgrade to 2.x version
# Install python 3.5 on the system
yum -y install openssl-devel gcc
tar xvzf Python-3.5-0.tgz
# This will install in alternate folder in system not to replace user-wide python version
# this is required to later allow tox to find the command as 'jenkins' user
ln -s /usr/local/bin/python3.5 /usr/bin/
For the jenkins installation it's easier, there's a 'stable' repo for RHEL and the procedure is documented:
wget -O /etc/yum.repos.d/jenkins.repo http://pkg.jenkins-ci.org/redhat-stable/jenkins.repo
rpm --import https://jenkins-ci.org/redhat/jenkins-ci.org.key
yum install jenkins java
chkconfig jenkins on
service jenkins start
firewall-cmd --zone=public --add-port=8080/tcp --permanent
firewall-cmd --zone=public --add-service=http --permanent
This will install and start jenkins and enable the firewall to access it.
If you can get to the url of your server at the port 8080, you'll be presented an initial procedure for installing Jenkins.
During it, you'll be asked for a password on a file on disk and you'll be prompted to create an user we'll be using from now on to configure.
Also, we'll be offered to deploy the most common set of plugins, choose that option, and later we'll add the
gerrit plugin and
Once we can login into gerrit, we need to enter the administration area, and install new plugins and install Gerrit Trigger.
Above link details how to do most of the setup, in this case, for gerrithub, we required:
- Hostname: our hostname
- Frontend URL: https://review.gerrithub.io
- SSH Port: 29418
- Username: our-github-jenkins-user
- SSH keyfile: path_to_private_sshkey
Once done, click on
Test Connection and validate if it worked.
At the time of this writing, version reported by plugin was
2.13.6-3044-g7e9c06d when connected to gerrithub.io.
Creating a Job
Now, we need to create a Job (first option in Jenkins list of jobs).
- Name: Citellus
- Discard older executions:
- Max number of executions to keep: 10
- Source code Origin: Git
- URL: ssh://@review.gerrithub.io:29418/citellusorg/citellus
- Credentials: jenkins (Created based on the ssh keypair defined above)
- Branches to build: $GERRIT_BRANCH
- Add additional behaviours
- Strategy for choosing what to build:
- Choosing strategy Gerrit Trigger
- Triggers for launch:
- Change Merged
- Commend added with regexp: .recheck.
- Patchset created
- Ref Updated
- Gerrit Project:
- Type: plain
- Pattern: citellusorg/citellus
# environment is selected by ``TOXENV`` env variable
From this point, any new push (review) made against gerrit will trigger a Jenkins build (in this case, running
tox). Additionally, a manual trigger of the job can be executed to validate the behavior.
In our project, tox checks some UT's on
python 2.7, and
python 3.5, as well as python's
Now, Jenkins will build, and post messages on the review, stating that the build has started and the results of it, setting also the 'Verified' flag.
Enjoy having automated validation of new reviews before accepting them into your code!
Click to read and post comments