Nova (hubble.py)

Loader and primary interface for nova modules

See README for documentation

Configuration:
  • hubblestack:nova:module_dir
  • hubblestack:nova:profile_dir
  • hubblestack:nova:saltenv
  • hubblestack:nova:autoload
  • hubblestack:nova:autosync
hubblestack.extmods.modules.hubble.audit(configs=None, tags='*', verbose=None, show_success=None, show_compliance=None, show_profile=None, called_from_top=None, debug=None, labels=None, **kwargs)

Primary entry point for audit calls.

configs
List (comma-separated or python list) of yaml configs/directories to search for audit data. Directories are dot-separated, much in the same way as Salt states. For individual config names, leave the .yaml extension off. If a given path resolves to a python file, it will be treated as a single config. Otherwise it will be treated as a directory. All configs found in a recursive search of the specified directories will be included in the audit.

If configs is not provided, this function will call hubble.top instead.

tags
Glob pattern string for tags to include in the audit. This way you can give a directory, and tell the system to only run the CIS*-tagged audits, for example.
verbose
Whether to show additional information about audits, including description, remediation instructions, etc. The data returned depends on the audit module. Defaults to False. Configurable via hubblestack:nova:verbose in minion config/pillar.
show_success
Whether to show successful audits in addition to failed audits. Defaults to True. Configurable via hubblestack:nova:show_success in minion config/pillar.
show_compliance
Whether to show compliance as a percentage (successful checks divided by total checks). Defaults to True. Configurable via hubblestack:nova:show_compliance in minion config/pillar.
show_profile
DEPRECATED
called_from_top
Ignore this argument. It is used for distinguishing between user-calls of this function and calls from hubble.top.
debug
Whether to log additional information to help debug nova. Defaults to False. Configurable via hubblestack:nova:debug in minion config/pillar.
labels
Tests with matching labels are executed. If multiple labels are passed, then tests which have all those labels are executed.
**kwargs
Any parameters & values that are not explicitly defined will be passed directly through to the Nova module(s).

CLI Examples:

salt '*' hubble.audit foo
salt '*' hubble.audit foo,bar tags='CIS*'
salt '*' hubble.audit foo,bar.baz verbose=True
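The tags, labels, show_success, show_compliance and verbose arguments above describe a filter-and-summarise step over the checks a Nova module returns. The following is an added example, written for this page and not hubble's own code, that implements those semantics over a constructed set of check records: a tag glob selects checks, labels must all be present on a check for it to run, compliance is successes divided by total, and verbose swaps bare tags for tag-plus-description entries. The record field names (tag, labels, passed, description) and the report layout are assumptions, not Nova's actual return format.

```python
import fnmatch

# Constructed sample data (not Nova output): one flat record per check, in the
# shape a Nova module might hand back. Field names are an assumption.
CHECKS = [
    {"tag": "CIS-1.1.1", "labels": ["cis", "filesystem"], "passed": True,
     "description": "Separate partition exists for /tmp"},
    {"tag": "CIS-2.1.2", "labels": ["cis", "services"], "passed": False,
     "description": "chargen services are not enabled"},
    {"tag": "CIS-3.1", "labels": ["cis", "network"], "passed": True,
     "description": "IP forwarding is disabled"},
    {"tag": "CVE-XXXX-0001", "labels": ["cve"], "passed": False,
     "description": "placeholder CVE check: package below patched version"},
]


def _as_list(value):
    """Accept either a python list or a comma-separated string, like configs does."""
    if value is None:
        return []
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return list(value)


def select_checks(checks, tags="*", labels=None):
    """Keep checks whose tag matches the glob and which carry *every* requested label."""
    wanted = set(_as_list(labels))
    return [
        c for c in checks
        if fnmatch.fnmatch(c["tag"], tags) and wanted <= set(c.get("labels", []))
    ]


def compliance_percent(successes, failures):
    """Successful checks divided by total checks, as a percentage; 0.0 when nothing ran."""
    total = successes + failures
    if total == 0:
        return 0.0
    return round(100.0 * successes / total, 2)


def audit_report(checks, tags="*", labels=None, verbose=False,
                 show_success=True, show_compliance=True):
    """Build a report dict with the same knobs hubble.audit documents.
    The output layout here is illustrative, not hubble's exact return format."""
    selected = select_checks(checks, tags, labels)

    def render(check):
        # verbose=True carries the description; otherwise just the tag
        return {check["tag"]: check["description"]} if verbose else check["tag"]

    failures = [render(c) for c in selected if not c["passed"]]
    successes = [render(c) for c in selected if c["passed"]]
    report = {"Failure": failures}
    if show_success:
        report["Success"] = successes
    if show_compliance:
        report["Compliance"] = compliance_percent(len(successes), len(failures))
    return report


if __name__ == "__main__":
    import json
    # Equivalent in spirit to: salt '*' hubble.audit foo tags='CIS*' labels=cis
    print(json.dumps(audit_report(CHECKS, tags="CIS*", labels="cis"), indent=2))
```

Note the label rule: passing labels="cis,cve" selects nothing here, because no single check carries both labels; that is the "all those labels" behaviour the docstring describes, not an any-of match.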
hubblestack.extmods.modules.hubble.top(topfile='top.nova', verbose=None, show_success=None, show_compliance=None, show_profile=None, debug=None, labels=None)

Compile and run all yaml data from the specified nova topfile.

Nova topfiles look very similar to saltstack topfiles, except the top-level key is always nova, as nova doesn’t have a concept of environments.

nova:
  '*':
    - cve_scan
    - cis_gen
  'web*':
    - firewall
    - cis-centos-7-l2-scored
    - cis-centos-7-apache24-l1-scored
  'G@os_family:debian':
    - netstat
    - cis-debian-7-l2-scored: 'CIS*'
    - cis-debian-7-mysql57-l1-scored: 'CIS 2.1.2'

Additionally, all nova topfile matches are compound matches, so you never need to define a match type like you do in saltstack topfiles.

Each list item is a string representing the dot-separated location of a yaml file which will be run with hubble.audit. You can also specify a tag glob to use as a filter for just that yaml file, using a colon after the yaml file (turning it into a dictionary). See the last two lines in the yaml above for examples.
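To make the topfile rules concrete, here is an added example (not hubble's own implementation) that resolves the topfile shown above for a given minion. The topfile is embedded as the dict yaml.safe_load would produce for it, so no YAML library is needed. The target_matches function is a hypothetical stand-in for Salt's compound matcher that only understands minion-id globs and a single G@grain:value expression; real hubble.top defers to Salt for matching. Plain string entries resolve to the tag glob '*', and `profile: glob` entries narrow the tag glob, with the last matching entry for a profile winning in this example.

```python
import fnmatch

# Constructed: the topfile from the docs above, as the dict yaml.safe_load would
# produce for it (embedded inline so the example needs no YAML library).
TOPFILE = {
    "nova": {
        "*": ["cve_scan", "cis_gen"],
        "web*": ["firewall", "cis-centos-7-l2-scored", "cis-centos-7-apache24-l1-scored"],
        "G@os_family:debian": [
            "netstat",
            {"cis-debian-7-l2-scored": "CIS*"},
            {"cis-debian-7-mysql57-l1-scored": "CIS 2.1.2"},
        ],
    }
}


def target_matches(target, minion_id, grains):
    """Hypothetical stand-in for Salt's compound matcher: understands minion-id
    globs and a single G@grain:value expression. Real hubble.top defers to Salt."""
    if target.startswith("G@"):
        grain, _, wanted = target[2:].partition(":")
        return fnmatch.fnmatch(str(grains.get(grain, "")), wanted)
    return fnmatch.fnmatch(minion_id, target)


def resolve_topfile(topfile, minion_id, grains):
    """Map each profile the minion should run to its tag glob.
    Plain strings run with tags='*'; `profile: glob` dicts narrow the tag glob."""
    if "nova" not in topfile:
        raise ValueError("nova topfile must have a single top-level 'nova' key")
    resolved = {}
    for target, entries in topfile["nova"].items():
        if not target_matches(target, minion_id, grains):
            continue
        for entry in entries:
            if isinstance(entry, dict):
                for profile, tag_glob in entry.items():
                    resolved[profile] = tag_glob
            elif isinstance(entry, str):
                resolved[entry] = "*"
            else:
                raise ValueError("unsupported topfile entry: %r" % (entry,))
    return resolved


def audit_calls(resolved):
    """Group profiles by tag glob so each group could go to one hubble.audit call,
    as (comma-separated configs, tag glob) pairs. Sorted for a stable order."""
    by_glob = {}
    for profile, tag_glob in resolved.items():
        by_glob.setdefault(tag_glob, []).append(profile)
    return sorted((",".join(profiles), glob) for glob, profiles in by_glob.items())


if __name__ == "__main__":
    # Constructed minion ids and grains, one CentOS web host and one Debian host.
    for minion_id, grains in (("web01", {"os_family": "RedHat"}),
                              ("db01", {"os_family": "debian"})):
        print(minion_id, audit_calls(resolve_topfile(TOPFILE, minion_id, grains)))
```

For the Debian host this yields three groups: netstat and the two wildcard profiles with tags='*', cis-debian-7-l2-scored with tags='CIS*', and cis-debian-7-mysql57-l1-scored with tags='CIS 2.1.2', which is exactly the narrowing the last two lines of the yaml express.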

Arguments:

topfile
The path of the topfile, relative to your hubblestack_nova_profiles directory.
verbose
Whether to show additional information about audits, including description, remediation instructions, etc. The data returned depends on the audit module. Defaults to False. Configurable via hubblestack:nova:verbose in minion config/pillar.
show_success
Whether to show successful audits in addition to failed audits. Defaults to True. Configurable via hubblestack:nova:show_success in minion config/pillar.
show_compliance
Whether to show compliance as a percentage (successful checks divided by total checks). Defaults to True. Configurable via hubblestack:nova:show_compliance in minion config/pillar.
show_profile
DEPRECATED
debug
Whether to log additional information to help debug nova. Defaults to False. Configurable via hubblestack:nova:debug in minion config/pillar.

CLI Examples:

salt '*' hubble.top
salt '*' hubble.top foo/bar/top.nova
salt '*' hubble.top foo/bar.nova verbose=True