issue_768 added TC to verify entropy status

aristanetworks · Aug 7, 2024 · ac7b03c · ac7b03c
1 parent 1d89ded
commit ac7b03c
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 0 deletions.
diff --git a/anta/tests/security.py b/anta/tests/security.py
@@ -820,3 +820,41 @@ def test(self) -> None:
                     self.result.is_failure(
                         f"IPv4 security connection `source:{source_input} destination:{destination_input} vrf:{vrf}` for peer `{peer}` is not found."
                     )
+
+
+class VerifyHardwareEntropy(AntaTest):
+    """
+    Verifies hardware entropy generation is enabled on device.
+
+    Expected Results
+    ----------------
+    * Success: The test will pass if hardware entropy generation is enabled.
+    * Failure: The test will fail if hardware entropy generation is not enabled.
+
+    Examples
+    --------
+    ```yaml
+    anta.tests.security:
+      - VerifyHardwareEntropy:
+    ```
+    """
+
+    name = "VerifyHardwareEntropy"
+    description = "Verifies hardware entropy generation."
+    categories: ClassVar[list[str]] = ["security"]
+    commands: ClassVar[list[AntaCommand | AntaTemplate]] = [AntaCommand(command="show management security")]
+
+    @AntaTest.anta_test
+    def test(self) -> None:
+        """Main test function for VerifyHardwareEntropy."""
+        self.result.is_success()
+
+        command_output = self.instance_commands[0].json_output
+
+        # Check if security parameters are configured
+        if not command_output:
+            self.result.is_failure("No cryptographic algorithm is configured.")
+            return
+
+        if not command_output.get("hardwareEntropyEnabled"):
+            self.result.is_failure("Hardware entropy generation is disabled.")
diff --git a/examples/tests.yaml b/examples/tests.yaml
@@ -343,6 +343,7 @@ anta.tests.security:
               destination_address: 100.64.2.2
             - source_address: 172.18.3.2
               destination_address: 172.18.2.2
+  - VerifyHardwareEntropy:
 
 anta.tests.services:
   - VerifyHostname:

diff --git a/tests/units/anta_tests/test_security.py b/tests/units/anta_tests/test_security.py
@@ -15,6 +15,7 @@
     VerifyAPISSLCertificate,
     VerifyBannerLogin,
     VerifyBannerMotd,
+    VerifyHardwareEntropy,
     VerifyIPSecConnHealth,
     VerifyIPv4ACL,
     VerifySpecificIPSecConn,
@@ -1213,4 +1214,25 @@
             ],
         },
     },
+    {
+        "name": "success",
+        "test": VerifyHardwareEntropy,
+        "eos_data": [{"cpuModel": "2.20GHz", "cryptoModule": "Crypto Module v3.0", "hardwareEntropyEnabled": True, "blockedNetworkProtocols": []}],
+        "inputs": {},
+        "expected": {"result": "success"},
+    },
+    {
+        "name": "failure",
+        "test": VerifyHardwareEntropy,
+        "eos_data": [{"cpuModel": "2.20GHz", "cryptoModule": "Crypto Module v3.0", "hardwareEntropyEnabled": False, "blockedNetworkProtocols": []}],
+        "inputs": {},
+        "expected": {"result": "failure", "messages": ["Hardware entropy generation is disabled."]},
+    },
+    {
+        "name": "failure-not-found",
+        "test": VerifyHardwareEntropy,
+        "eos_data": [{}],
+        "inputs": {},
+        "expected": {"result": "failure", "messages": ["No cryptographic algorithm is configured."]},
+    },
 ]