diff --git a/.github/workflows/ssh_hardening.yml b/.github/workflows/ssh_hardening.yml
index f5722705..df755ce5 100644
--- a/.github/workflows/ssh_hardening.yml
+++ b/.github/workflows/ssh_hardening.yml
@@ -63,7 +63,6 @@ jobs:
 export MOLECULE_DOCKER_COMMAND="/usr/lib/systemd/systemd"
 fi
 molecule --version
- molecule test -s ssh_hardening_custom_tests
 molecule test -s ssh_hardening
 env:
 MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
diff --git a/.github/workflows/ssh_hardening_custom_tests.yml b/.github/workflows/ssh_hardening_custom_tests.yml
new file mode 100644
index 00000000..71be0d5e
--- /dev/null
+++ b/.github/workflows/ssh_hardening_custom_tests.yml
@@ -0,0 +1,69 @@
+---
+name: "devsec.ssh_hardening with custom tests"
+on: # yamllint disable-line rule:truthy
+ workflow_dispatch:
+ push:
+ paths:
+ - 'roles/ssh_hardening/**'
+ - 'molecule/ssh_hardening_custom_tests/**'
+ - '.github/workflows/ssh_hardening_custom_tests.yml'
+ pull_request:
+ paths:
+ - 'roles/ssh_hardening/**'
+ - 'molecule/ssh_hardening_custom_tests/**'
+ - '.github/workflows/ssh_hardening_custom_tests.yml'
+jobs:
+ build:
+ runs-on: ubuntu-18.04
+ env:
+ PY_COLORS: 1
+ ANSIBLE_FORCE_COLOR: 1
+ strategy:
+ fail-fast: false
+ matrix:
+ molecule_distro:
+ - centos7
+ - centos8
+ - rocky8
+ - fedora
+ - ubuntu1804
+ - ubuntu2004
+ - debian9
+ - debian10
+ - amazon
+ # - arch # needs to be fixed
+ # - opensuse_tumbleweed # baseline is not compatible with suse
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@v2
+ with:
+ path: ansible_collections/devsec/hardening
+ submodules: true
+
+ - name: Set up Python 3.7
+ uses: actions/setup-python@v1
+ with:
+ python-version: 3.7
+
+ - name: Install dependencies
+ run: |
+ sudo apt install git
+ python -m pip install --no-cache-dir --upgrade pip
+ pip install -r requirements.txt
+ working-directory: ansible_collections/devsec/hardening
+
+ - name: Create default collection path symlink
+ run: |
+ mkdir -p /home/runner/.ansible
+ ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
+
+ - name: Test with molecule
+ run: |
+ if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then
+ export MOLECULE_DOCKER_COMMAND="/usr/lib/systemd/systemd"
+ fi
+ molecule --version
+ mol --base-config molecule/ssh_hardening/molecule.yml converge -s ssh_hardening_custom_tests
+ env:
+ MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
+ working-directory: ansible_collections/devsec/hardening
diff --git a/molecule/ssh_hardening_custom_tests/INSTALL.rst b/molecule/ssh_hardening_custom_tests/INSTALL.rst
deleted file mode 100644
index d926ca25..00000000
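Review bot: The action references `uses: actions/checkout@v2` and `uses: actions/setup-python@v1` in the new steps are mutable tags, so the toolchain behind this workflow can change without any commit in this repository; pinning each to a full commit SHA with the version in a trailing comment, `uses: actions/checkout@<full-commit-sha>  # v2`, keeps runs reproducible and auditable. `python-version: 3.7` is an unquoted float and should be written `python-version: '3.7'`, so that a later bump to a version such as 3.10 is not parsed as 3.1. In the last step `mol --base-config ...` follows `molecule --version` one line above; using the `molecule` entry point on both lines is consistent and does not depend on the `mol` shortcut being installed. This commit also deletes the scenario's own prepare.yml and verify.yml while the step only runs `converge`, so it is worth confirming that the base molecule.yml routes the provisioner to shared prepare playbooks; otherwise the container is converged without the openssh setup the deleted prepare.yml performed.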
--- a/molecule/ssh_hardening_custom_tests/INSTALL.rst
+++ /dev/null
@@ -1,22 +0,0 @@
-*******
-Docker driver installation guide
-*******
-
-Requirements
-============
-
-* Docker Engine
-
-Install
-=======
-
-Please refer to the `Virtual environment`_ documentation for installation best
-practices. If not using a virtual environment, please consider passing the
-widely recommended `'--user' flag`_ when invoking ``pip``.
-
-.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
-.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
-
-.. code-block:: bash
-
- $ python3 -m pip install 'molecule[docker]'
diff --git a/molecule/ssh_hardening_custom_tests/converge.yml b/molecule/ssh_hardening_custom_tests/converge.yml
index 9c3a961d..214def74 100644
--- a/molecule/ssh_hardening_custom_tests/converge.yml
+++ b/molecule/ssh_hardening_custom_tests/converge.yml
@@ -2,9 +2,6 @@
 - name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with custom settings
 hosts: all
 become: true
- tags:
- - custom_tests
- - never
 environment:
 http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
 https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
diff --git a/molecule/ssh_hardening_custom_tests/molecule.yml b/molecule/ssh_hardening_custom_tests/molecule.yml
index fb5cd511..0a9375c3 100644
--- a/molecule/ssh_hardening_custom_tests/molecule.yml
+++ b/molecule/ssh_hardening_custom_tests/molecule.yml
@@ -1,64 +1,5 @@
 ---
-dependency:
- name: galaxy
- options:
- role-file: molecule/ssh_hardening/requirements.yml
-driver:
- name: docker
-platforms:
- - name: instance
- image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest"
- command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd}
- volumes:
- - /sys/fs/cgroup:/sys/fs/cgroup:ro
- privileged: true
- tmpfs:
- - /tmp
- - /run
- capabilities:
- - SYS_ADMIN
- tty: true
- env:
- http_proxy: "${http_proxy}"
- https_proxy: "${https_proxy}"
- no_proxy: "${no_proxy}"
- container: docker
-provisioner:
- name: ansible
- config_options:
- defaults:
- interpreter_python: auto_silent
- callback_whitelist: profile_tasks, timer, yaml
-verifier:
- name: ansible
-
-scenario:
- create_sequence:
- - dependency
- - create
- - prepare
- check_sequence:
- - dependency
- - destroy
- - create
- - prepare
- - converge
- - check
- - destroy
- converge_sequence:
- - dependency
- - create
- - prepare
- - converge
- destroy_sequence:
- - destroy
- test_sequence:
- - dependency
- - destroy
- - syntax
- - create
- - prepare
- - converge
- - idempotence
- - verify
- - destroy
+# this file inherits molecule.yml from the ssh_hardening scenario when used like this:
+```
+molecule --base-config molecule/ssh_hardening/molecule.yml converge -s ssh_hardening_custom_tests
+```
diff --git a/molecule/ssh_hardening_custom_tests/prepare.yml b/molecule/ssh_hardening_custom_tests/prepare.yml
deleted file mode 100644
index 28a4d77e..00000000
--- a/molecule/ssh_hardening_custom_tests/prepare.yml
+++ /dev/null
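Review bot: The three added lines after the `#` comment — the two fence lines of three backticks and `molecule --base-config molecule/ssh_hardening/molecule.yml converge -s ssh_hardening_custom_tests` — are not comments but YAML content, and a plain scalar cannot begin with a backtick, so a strict loader such as PyYAML rejects this file instead of reading an empty document. Prefix each of the three lines with `# `, or keep just `# molecule --base-config molecule/ssh_hardening/molecule.yml converge -s ssh_hardening_custom_tests` under the existing comment, so the document stays valid and `--base-config` has an empty mapping to overlay. It would also help to say in the comment that the scenario is not runnable on its own now that its dependency, driver, platforms and scenario sequences are gone.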
@@ -1,76 +0,0 @@
----
-- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
- hosts: all
- become: true
- environment:
- http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
- https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
- no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
- tasks:
- - name: use python3
- set_fact:
- ansible_python_interpreter: /usr/bin/python3
- when: ansible_facts.distribution == 'Fedora'
-
- - name: install packages
- yum:
- name:
- - openssh-clients
- - openssh-server
- - libselinux-python
- state: present
- update_cache: true
- ignore_errors: true
-
- - name: install packages
- dnf:
- name:
- - openssh-clients
- - openssh-server
- - procps-ng
- state: present
- update_cache: true
- ignore_errors: true
-
- - name: install packages
- apt:
- name:
- - openssh-client
- - openssh-server
- state: present
- update_cache: true
- ignore_errors: true
-
- - name: install required tools on SuSE
- # cannot use zypper module, since it depends on python-xml
- shell: "zypper -n install python-xml"
- when: ansible_facts.os_family == 'Suse'
-
- - name: install packages
- zypper:
- name:
- - "openssh"
- when: ansible_facts.os_family == 'Suse'
-
- - name: install packages
- pacman:
- name:
- - "openssh"
- - "awk"
- state: present
- update_cache: true
- ignore_errors: true
-
- - name: created needed directory
- file:
- path: "/var/run/sshd"
- state: directory
-
- - name: create ssh host keys
- command: "ssh-keygen -A"
- when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
- ansible_facts.distribution == "Fedora" or
- ansible_facts.distribution == "Amazon" or
- ansible_facts.os_family == "Suse"
- changed_when: false
- ignore_errors: true
diff --git a/molecule/ssh_hardening_custom_tests/requirements.yml b/molecule/ssh_hardening_custom_tests/requirements.yml
deleted file mode 100644
index 53fa9b49..00000000
--- a/molecule/ssh_hardening_custom_tests/requirements.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-roles:
- - geerlingguy.git
diff --git a/molecule/ssh_hardening_custom_tests/verify.yml b/molecule/ssh_hardening_custom_tests/verify.yml
deleted file mode 100644
index 159c7617..00000000
--- a/molecule/ssh_hardening_custom_tests/verify.yml
+++ /dev/null
@@ -1,57 +0,0 @@
----
-- name: Verify
- hosts: all
- become: true
- environment:
- http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
- https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
- no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
- roles:
- - geerlingguy.git
- tasks:
- - name: install fake SuSE-release for cinc compatibility
- copy:
- content: |
- openSUSE Faked Enterprise 2020 (x86_64)
- VERSION = 2020
- CODENAME = Faked Feature
- dest: /etc/SuSE-release
- owner: root
- group: root
- mode: '0444'
- when: ansible_facts.os_family == 'Suse'
-
- - name: install git for SuSE since geerlinguy.git does not support it
- zypper:
- name: git
- state: present
- when: ansible_facts.os_family == 'Suse'
-
- - name: install crypto compat modules on fedora
- dnf:
- name: libxcrypt-compat
- when: ansible_facts.distribution == 'Fedora'
-
- - name: download cinc-auditor
- get_url:
- url: https://omnitruck.cinc.sh/install.sh
- dest: /tmp/install.sh
- mode: '0775'
-
- - name: install cinc-auditor
- shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
-
- - name: Execute cinc-auditor tests
- command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/ssh-baseline/archive/refs/heads/master.zip"
- register: test_results
- changed_when: false
- ignore_errors: true
-
- - name: Display details about the cinc-auditor results
- debug:
- msg: "{{ test_results.stdout_lines }}"
-
- - name: Fail when tests fail
- fail:
- msg: "Inspec failed to validate"
- when: test_results.rc != 0