fix lint findings

Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
This commit is contained in:
Martin Schurz 2023-12-06 11:18:56 +01:00
parent 6ce8b68650
commit e00716df62
35 changed files with 161 additions and 167 deletions


@ -31,7 +31,7 @@ body:
attributes:
label: "Reproduction steps"
render: Shell
description: Paste an example playbook that can be used to reproduce the problem. This will be automatically formatted into code, so no need for backticks.
description: Paste an example playbook that can be used to reproduce the problem. This will be automatically formatted into code, no need for backticks.
value: |
...
validations:


@ -89,7 +89,8 @@ jobs:
- name: Temporary fix for roles
run: |
mkdir -p /home/runner/.ansible
ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles /home/runner/.ansible/roles
ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles \
/home/runner/.ansible/roles
- name: Test with molecule
run: |


@ -78,7 +78,8 @@ jobs:
- name: Temporary fix for roles
run: |
mkdir -p /home/runner/.ansible
ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles /home/runner/.ansible/roles
ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles \
/home/runner/.ansible/roles
- name: Test with molecule
run: |


@ -1,16 +1,14 @@
---
- name: wrapper playbook for kitchen testing "ansible-mysql-hardening"
- name: Wrapper playbook for kitchen testing "ansible-mysql-hardening"
hosts: all
become: true
collections:
- devsec.hardening
environment:
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: Determine required MySQL Python libraries (Ubuntu Focal Fossa ++)
set_fact:
ansible.builtin.set_fact:
mysql_python_package_debian: "python3-pymysql"
when:
- mysql_python_package_debian is not defined
@ -18,7 +16,7 @@
- ansible_distribution_major_version|int > 19
- name: Determine required MySQL Python libraries.
set_fact:
ansible.builtin.set_fact:
mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter|default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}"
when:
- mysql_python_package_debian is not defined
@ -26,13 +24,14 @@
- ansible_distribution_major_version|int < 20
- name: Use Python 3 on Suse
set_fact:
ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python3
when:
- ansible_os_family == 'Suse'
- include_role:
name: mysql_hardening
- name: Include mysql_hardening role
ansible.builtin.include_role:
name: devsec.hardening.mysql_hardening
vars:
overwrite_global_mycnf: false
mysql_root_password: iloverandompasswordsbutthiswilldo


@ -1,35 +1,40 @@
---
- name: wrapper playbook for kitchen testing "ansible-mysql-hardening"
- name: Wrapper playbook for kitchen testing "ansible-mysql-hardening"
hosts: all
become: true
environment:
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
vars:
overwrite_global_mycnf: false
mysql_root_password: iloverandompasswordsbutthiswilldo
mysql_user_password: iloverandompasswordsbutthiswilldo
mysql_config_file: /etc/mysql/mariadb.cnf
mysql_root_password_update: true
tasks:
- name: Use Python 3 on Debian 11
set_fact:
ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python3
when:
- ansible_distribution == 'Debian'
- ansible_distribution_major_version|int >= 11
- name: Use Python 3 on Suse
set_fact:
ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python3
when:
- ansible_os_family == 'Suse'
- name: Use Python 2 on Debian 10
set_fact:
ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python
when:
- ansible_distribution == 'Debian'
- ansible_distribution_major_version|int == 10
- name: Run the equivalent of "apt-get update && apt-get upgrade"
apt:
ansible.builtin.apt:
name: "*"
state: latest
update_cache: true
@ -39,13 +44,13 @@
ansible.builtin.shell: zypper -n install python-xml python3-rpm python3-PyMySQL
when: ansible_os_family == 'Suse'
- name: create missing directory
- name: Create missing directory
file:
path: "/etc/mysql/conf.d"
state: directory
- name: Determine required MySQL Python libraries (Ubuntu Focal Fossa ++)
set_fact:
ansible.builtin.set_fact:
mysql_python_package_debian: "python3-pymysql"
when:
- mysql_python_package_debian is not defined
@ -53,7 +58,7 @@
- ansible_distribution_major_version|int > 19
- name: Determine required MySQL Python libraries.
set_fact:
ansible.builtin.set_fact:
mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter|default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}"
when:
- mysql_python_package_debian is not defined
@ -61,20 +66,14 @@
- ansible_distribution_major_version|int < 20
- name: Install required MySQL Python libraries on RHEL
yum:
ansible.builtin.yum:
name: "{% if 'python3' in ansible_python_interpreter|default('') %}python36-PyMySQL{% else %}python2-PyMySQL{% endif %}"
when:
- ansible_os_family == "RedHat"
- ansible_distribution_major_version == "7"
- include_role:
- ansible.builtin.include_role:
name: dev-sec.mysql
- name: include MySQL user prepare tasks
include_tasks: prepare_tasks/mysql_users.yml
vars:
overwrite_global_mycnf: false
mysql_root_password: iloverandompasswordsbutthiswilldo
mysql_user_password: iloverandompasswordsbutthiswilldo
mysql_config_file: /etc/mysql/mariadb.cnf
mysql_root_password_update: true
- name: Include MySQL user prepare tasks
ansible.builtin.include_tasks: prepare_tasks/mysql_users.yml
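Review bot: The role include on the new side (`ansible.builtin.include_role:` / `name: dev-sec.mysql`) received the FQCN but still has no task `name:`, so the `name[missing]` lint rule this commit is addressing will keep firing here, unlike the converge playbook where the same task was given "Include mysql_hardening role". I would add `- name: Install dev-sec.mysql role` above it. The `file:` task that creates /etc/mysql/conf.d in the same play is also left as a short module name while every neighbouring module was converted to `ansible.builtin.*`; `ansible.builtin.file:` keeps the file consistent.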


@ -1,5 +1,5 @@
---
- name: create users for test
- name: Create users for test
community.mysql.mysql_query:
query:
- "CREATE USER 'user'@'delete';"
@ -23,10 +23,10 @@
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
register: mysql_role_support
- name: create roles for test
- name: Create roles for test
community.mysql.mysql_query:
query:
- "CREATE ROLE 'role_keep';"
- "CREATE ROLE 'role_keep';"
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
when:
- mysql_role_support.rowcount[0] > 0


@ -8,23 +8,23 @@
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: Use Python 3 on Suse
set_fact:
ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python3
when:
- ansible_os_family == 'Suse'
- name: install procps for debian systems
apt:
ansible.builtin.apt:
name: procps
state: present
update_cache: true
when: ansible_distribution == 'Debian'
- name: include tests for the service
include_tasks: verify_tasks/service.yml
ansible.builtin.include_tasks: verify_tasks/service.yml
- name: include tests for MySQL user
include_tasks: verify_tasks/mysql_users.yml
ansible.builtin.include_tasks: verify_tasks/mysql_users.yml
- name: Verify
hosts: localhost
@ -34,7 +34,7 @@
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: Execute cinc-auditor tests
command: >
ansible.builtin.command: >
docker run
--volume /run/docker.sock:/run/docker.sock
docker.io/cincproject/auditor exec
@ -46,10 +46,10 @@
ignore_errors: true
- name: Display details about the cinc-auditor results
debug:
ansible.builtin.debug:
msg: "{{ test_results.stdout_lines }}"
- name: Fail when tests fail
fail:
ansible.builtin.fail:
msg: "Inspec failed to validate"
when: test_results.rc != 0
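Review bot: The auditor invocation in the "Execute cinc-auditor tests" task runs `docker.io/cincproject/auditor` with no tag or digest and bind-mounts `/run/docker.sock`, which hands whatever image `latest` resolves to at run time root-equivalent control of the CI host. Pinning the image (a fixed tag, ideally with `@sha256:…`) bounds the supply-chain exposure without changing the test; the socket mount itself appears to be what lets the auditor reach the target container, so I would keep it but document why with a comment such as `# docker socket is needed so the auditor can exec into the molecule container`. The full docker command continues past the end of this hunk.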


@ -6,11 +6,11 @@
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
register: mysql_users
- name: create list of users from mysql query
set_fact:
- name: Create list of users from mysql query
ansible.builtin.set_fact:
mysql_users_list: "{{ mysql_users.query_result.0 | json_query('[*].users') | list }}"
- name: assert that only accounts with password remain
- name: Assert that only accounts with password remain
ansible.builtin.assert:
that:
- '"user@delete" not in mysql_users_list'
@ -33,9 +33,9 @@
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
register: mysql_role_support
- name: assert that roles remain
- name: Assert that roles remain
ansible.builtin.assert:
that:
- '"role_keep@" in mysql_users_list'
- '"role_keep@" in mysql_users_list'
when:
- mysql_role_support.rowcount[0] > 0


@ -10,7 +10,7 @@
ansible.builtin.service_facts:
- name: Check if MySQL is running and enabled
assert:
ansible.builtin.assert:
that:
- "ansible_facts.services[mysql_daemon + '.service'].state == 'running'"
- "ansible_facts.services[mysql_daemon + '.service'].status == 'enabled'"


@ -1,9 +1,7 @@
---
- name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
- name: Wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
become: true
hosts: all
collections:
- devsec.hardening
environment:
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
@ -13,4 +11,4 @@
- nginx_ppa_version: stable
tasks:
- include_role:
name: nginx_hardening
name: devsec.hardening.nginx_hardening
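Review bot: The `- include_role:` task at the end of this play keeps the short module name and has no task name, although the commit converts the equivalent task in the mysql converge playbook to a named `ansible.builtin.include_role`; with `collections:` removed from the play only the role name was updated. I would write it as `- name: Include nginx_hardening role` / `ansible.builtin.include_role:` / `name: devsec.hardening.nginx_hardening`. The same unnamed short-form `include_role` remains in the two ssh_hardening converge playbooks touched by this commit.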


@ -1,5 +1,5 @@
---
- name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
- name: Wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
hosts: localhost
vars:
- nginx_main_template_enable: true


@ -1,5 +1,5 @@
---
- name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
- name: Wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
hosts: localhost
roles:
- nginxinc.nginx


@ -20,7 +20,7 @@
ignore_errors: true # noqa ignore-errors
- name: Set correct distribution Version for Amazon Linux
set_fact:
ansible.builtin.set_fact:
ansible_distribution_major_version: 7
when: ansible_distribution == 'Amazon'


@ -7,8 +7,8 @@
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: install procps for debian systems
apt:
- name: Install procps for debian systems
ansible.builtin.apt:
name: procps
state: present
update_cache: true
@ -22,7 +22,7 @@
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: Execute cinc-auditor tests
command: >
ansible.builtin.command: >
docker run
--volume /run/docker.sock:/run/docker.sock
docker.io/cincproject/auditor exec
@ -34,10 +34,10 @@
ignore_errors: true
- name: Display details about the cinc-auditor results
debug:
ansible.builtin.debug:
msg: "{{ test_results.stdout_lines }}"
- name: Fail when tests fail
fail:
ansible.builtin.fail:
msg: "Inspec failed to validate"
when: test_results.rc != 0


@ -10,7 +10,7 @@
- devsec.hardening
tasks:
- name: workaround for https://github.com/ansible/ansible/issues/66304
set_fact:
ansible.builtin.set_fact:
ansible_virtualization_type: "docker"
- include_role:
name: os_hardening
@ -84,7 +84,7 @@
# when: ansible_facts.distribution == 'Fedora'
#
# - name: Run the equivalent of "apt-get update" as a separate step
# apt:
# ansible.builtin.apt:
# update_cache: yes
# when: ansible_facts.os_family == 'Debian'
#


@ -8,12 +8,12 @@
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
set_fact:
ansible.builtin.set_fact:
ansible_python_interpreter: "/usr/bin/python3"
when: ansible_facts.distribution == 'Fedora'
- name: Run the equivalent of "apt-get update && apt-get upgrade"
apt:
ansible.builtin.apt:
name: "*"
state: latest
update_cache: true
@ -21,11 +21,11 @@
- name: install required tools on SuSE
# cannot use zypper module, since it depends on python-xml
shell: "zypper -n install python-xml awk"
ansible.builtin.shell: "zypper -n install python-xml awk"
when: ansible_facts.os_family == 'Suse'
- name: install required tools on fedora
dnf:
ansible.builtin.dnf:
name:
- python
- findutils
@ -41,7 +41,7 @@
when: ansible_facts.os_family == 'Archlinux'
- name: install required tools on RHEL # noqa ignore-errors
yum:
ansible.builtin.yum:
name:
- openssh-clients
- openssh
@ -50,11 +50,11 @@
ignore_errors: true
- name: create recursing symlink to test minimize access
shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
ansible.builtin.shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
changed_when: false
- name: include YUM prepare tasks
include_tasks: prepare_tasks/yum.yml
ansible.builtin.include_tasks: prepare_tasks/yum.yml
when: ansible_facts.os_family == 'RedHat'
- name: include preparation tasks


@ -7,12 +7,12 @@
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: set ansible_python_interpreter to "/usr/bin/python3"
set_fact:
- name: Set ansible_python_interpreter to "/usr/bin/python3"
ansible.builtin.set_fact:
ansible_python_interpreter: "/usr/bin/python3"
when: ansible_facts.distribution == 'Fedora'
- name: include verification tasks
- name: Include verification tasks
ansible.builtin.include_tasks:
file: "{{ item }}"
loop:
@ -22,12 +22,12 @@
- verify_tasks/ignore_home_folders.yml
# temp. disabled - https://github.com/dev-sec/ansible-collection-hardening/issues/690
# - name: include PAM tests
# include_tasks: verify_tasks/pam.yml
# - name: Include PAM tests
# ansible.builtin.include_tasks: verify_tasks/pam.yml
# when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
- name: include YUM tests
include_tasks: verify_tasks/yum.yml
- name: Include YUM tests
ansible.builtin.include_tasks: verify_tasks/yum.yml
when: ansible_facts.os_family == 'RedHat'
- name: Verify
@ -38,7 +38,7 @@
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: Execute cinc-auditor tests
command: >
ansible.builtin.command: >
docker run
--volume /run/docker.sock:/run/docker.sock
--volume {{ playbook_dir }}/waivers.yaml:/waivers.yaml
@ -52,11 +52,11 @@
ignore_errors: true
- name: Display details about the cinc-auditor results
debug:
ansible.builtin.debug:
msg: "{{ test_results.stdout_lines }}"
- name: Fail when tests fail
fail:
ansible.builtin.fail:
msg: "Inspec failed to validate"
when: test_results.rc != 0
@ -72,7 +72,7 @@
tasks:
# test if variable can be overridden
- name: workaround for https://github.com/ansible/ansible/issues/66304
set_fact:
ansible.builtin.set_fact:
ansible_virtualization_type: "docker"
os_env_umask: "027 #override"
@ -80,6 +80,6 @@
name: os_hardening
- name: verify os_env_umask
shell:
ansible.builtin.shell:
cmd: "grep '027 #override' /etc/login.defs"
changed_when: false


@ -1,18 +1,18 @@
---
- name: test that .netrc in root homedir exists
- name: Test that .netrc in root homedir exists
ansible.builtin.file:
path: '/root/.netrc'
state: file
register: result_test_netrc
- name: output result if .netrc for user root exists
- name: Output result if .netrc for user root exists
ansible.builtin.assert:
that:
- "result_test_netrc.state == 'file'"
fail_msg: ".netrc in /root/ not present"
success_msg: ".netrc exists in /root/"
- name: delete '.netrc' in /root
- name: Delete '.netrc' in /root
ansible.builtin.file:
path: '/root/.netrc'
state: absent


@ -14,11 +14,11 @@
executable: /usr/bin/pip3
- name: set password for test
set_fact:
ansible.builtin.set_fact:
test_pw: "myTest!pw"
- name: set locale for test
set_fact:
ansible.builtin.set_fact:
locale: "en_US.UTF-8"
when:
- ansible_facts.os_family == 'RedHat'
@ -30,7 +30,7 @@
password: "{{ test_pw | password_hash('sha512') }}"
- name: check successful login with correct password
shell:
ansible.builtin.shell:
cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
environment:
TMPDIR: /var/tmp
@ -38,7 +38,7 @@
LANG: "{{ locale | default('C.UTF-8') }}"
- name: check unsuccessful login with incorrect password
shell:
ansible.builtin.shell:
cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
environment:
TMPDIR: /var/tmp
@ -47,7 +47,7 @@
with_sequence: count=6
- name: check unsuccessful login, with correct password (lockout)
shell:
ansible.builtin.shell:
cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail"
environment:
TMPDIR: /var/tmp
@ -59,7 +59,7 @@
seconds: 20
- name: check successful login
shell:
ansible.builtin.shell:
cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
environment:
TMPDIR: /var/tmp
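Review bot: Each pam-tester task interpolates `{{ test_pw }}` unquoted into a shell command line, so a fixture value containing whitespace or shell metacharacters would be word-split before pam-tester sees it, and the plaintext password is echoed in the task output on every run. Quoting the argument, `cmd: "/usr/local/bin/pam-tester --user testuser --password '{{ test_pw }}'"`, makes the call robust, and `no_log: true` on these tasks keeps the credential out of the logs even though it is only a test value. The play these tasks belong to starts before this hunk.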


@ -3,6 +3,6 @@
database: passwd
- name: Check that shell_sys_acc's shell is still bash
assert:
asansible.builtin.assertsert:
that:
- getent_passwd['shell_sys_acc'][5] == "/bin/bash"
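Review bot: The module key on the new side reads `asansible.builtin.assertsert:`, which is not a valid module name, so this verify task will fail to load with an unresolved-module error; it looks like the `assert` → `ansible.builtin.assert` substitution was applied inside the word instead of replacing it. The line should be `ansible.builtin.assert:`. The `that:` condition below it is unchanged and correct; the enclosing play and the `getent` task that registers `getent_passwd` begin outside this hunk.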


@ -1,8 +1,8 @@
---
- name: verify 'gpgcheck' was not enabled for 'foo' repository (in whitelist)
- name: Verify 'gpgcheck' was not enabled for 'foo' repository (in whitelist)
command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo
changed_when: false
- name: verify 'gpgcheck' was enabled for 'bar' repository (not in whitelist)
- name: Verify 'gpgcheck' was enabled for 'bar' repository (not in whitelist)
command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo
changed_when: false
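Review bot: Both grep tasks here keep the bare `command:` module name, while the identical verify_tasks/yum.yml in the other scenario in this same commit converts them to `ansible.builtin.command:`; the `fqcn` lint rule will still flag this copy. Changing the two module keys to `ansible.builtin.command:` makes the two files match. The assertions themselves rely on grep's non-zero exit when the pattern is absent, which is the intended behaviour and needs no `failed_when`.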


@ -10,14 +10,14 @@
- devsec.hardening
tasks:
- name: override for arch
set_fact:
ansible.builtin.set_fact:
os_mnt_boot_enabled: false
os_mnt_tmp_enabled: true
os_mnt_tmp_src: "tmpfs"
os_mnt_tmp_filesystem: "tmpfs"
when: ansible_facts.os_family == 'Archlinux'
- name: overrides for Fedora image
set_fact:
ansible.builtin.set_fact:
os_mnt_tmp_enabled: true
os_mnt_tmp_src: "tmpfs"
os_mnt_tmp_filesystem: "tmpfs"


@ -8,22 +8,22 @@
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
set_fact:
ansible.builtin.set_fact:
ansible_python_interpreter: "/usr/bin/python3"
when: ansible_facts.distribution == 'Fedora'
- name: Run the equivalent of "apt-get update && apt-get upgrade"
apt:
ansible.builtin.apt:
update_cache: true
when: ansible_os_family == 'Debian'
- name: install required tools on SuSE
# cannot use zypper module, since it depends on python-xml
shell: "zypper -n install python-xml"
ansible.builtin.shell: "zypper -n install python-xml"
when: ansible_facts.os_family == 'Suse'
- name: install required tools on fedora
dnf:
ansible.builtin.dnf:
name:
- python
- findutils
@ -39,7 +39,7 @@
when: ansible_facts.os_family == 'Archlinux'
- name: install required tools on RHEL # noqa ignore-errors
yum:
ansible.builtin.yum:
name:
- openssh-clients
- openssh
@ -48,7 +48,7 @@
ignore_errors: true
- name: create recursing symlink to test minimize access
shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
sheansible.builtin.shellll: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
changed_when: false
- name: Unmount EFI partition to get rid of vfat filesystem (qemu has no firmware image that inspec can detect)
@ -58,5 +58,5 @@
when: ansible_facts.distribution == 'Fedora'
- name: include YUM prepare tasks
include_tasks: prepare_tasks/yum.yml
ansible.builtin.include_tasks: prepare_tasks/yum.yml
when: ansible_facts.os_family == 'RedHat'
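Review bot: The "create recursing symlink" task now has the module key `sheansible.builtin.shellll:`, which is not a module and will make the prepare play abort at parse time; the FQCN was inserted into the middle of `shell` rather than replacing it, whereas the same task in the docker scenario was converted correctly. The line should be `ansible.builtin.shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"`. The remaining tasks in this hunk are converted consistently.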


@ -1,5 +1,5 @@
---
- name: create 'foo' repository
- name: Create 'foo' repository
ansible.builtin.yum_repository:
name: foo
description: mandatory description
@ -7,7 +7,7 @@
enabled: false
gpgcheck: false
- name: create 'bar' repository
- name: Create 'bar' repository
ansible.builtin.yum_repository:
name: bar
description: mandatory description


@ -9,12 +9,12 @@
tasks:
# temp. disabled - https://github.com/dev-sec/ansible-collection-hardening/issues/690
# - name: include PAM tests
# include_tasks: verify_tasks/pam.yml
# - name: Include PAM tests
# ansible.builtin.include_tasks: verify_tasks/pam.yml
# when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
- name: include YUM tests
include_tasks: verify_tasks/yum.yml
- name: Include YUM tests
ansible.builtin.include_tasks: verify_tasks/yum.yml
when: ansible_facts.os_family == 'RedHat'
- name: Verify
@ -24,21 +24,21 @@
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: get ssh-config
command:
- name: Get ssh-config
ansible.builtin.command:
cmd: "vagrant ssh-config"
chdir: "{{ molecule_ephemeral_directory }}"
register: ssh_config
changed_when: false
- name: create ssh-config file
- name: Create ssh-config file
copy:
content: "{{ ssh_config.stdout_lines | join ('\n') }}"
dest: "{{ molecule_ephemeral_directory }}/ssh-config"
changed_when: false
- name: Execute cinc-auditor tests
command: >
ansible.builtin.command: >
docker run
--volume {{ molecule_ephemeral_directory }}:{{ molecule_ephemeral_directory }}
docker.io/cincproject/auditor exec
@ -51,10 +51,10 @@
ignore_errors: true
- name: Display details about the cinc-auditor results
debug:
ansible.builtin.debug:
msg: "{{ test_results.stdout_lines }}"
- name: Fail when tests fail
fail:
ansible.builtin.fail:
msg: "Inspec failed to validate"
when: test_results.rc != 0
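Review bot: The "Create ssh-config file" task still uses the short `copy:` module name and sets no `mode:`, so it is left out of the FQCN conversion applied to the `command`, `debug` and `fail` tasks around it and will trip the `risky-file-permissions` rule, with the file's permissions depending on the controller's umask. I would change it to `ansible.builtin.copy:` and add `mode: "0600"`; the content is the `vagrant ssh-config` output, which carries host and identity-file paths rather than key material, but an explicit mode costs nothing. Pinning the `docker.io/cincproject/auditor` image in the following task would be a further improvement.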


@ -12,11 +12,11 @@
state: present
- name: set password for test
set_fact:
ansible.builtin.set_fact:
test_pw: "myTest!pw"
- name: set locale for test
set_fact:
ansible.builtin.set_fact:
locale: "en_US.UTF-8"
when:
- ansible_facts.os_family == 'RedHat'
@ -28,7 +28,7 @@
password: "{{ test_pw | password_hash('sha512') }}"
- name: check successful login with correct password
shell:
ansible.builtin.shell:
cmd: "pam-tester --user testuser --password {{ test_pw }}"
environment:
TMPDIR: /var/tmp
@ -36,7 +36,7 @@
LANG: "{{ locale | default('C.UTF-8') }}"
- name: check unsuccessful login with incorrect password
shell:
ansible.builtin.shell:
cmd: "pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
environment:
TMPDIR: /var/tmp
@ -45,7 +45,7 @@
with_sequence: count=6
- name: check unsuccessful login, with correct password (lockout)
shell:
ansible.builtin.shell:
cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail"
environment:
TMPDIR: /var/tmp
@ -57,7 +57,7 @@
seconds: 20
- name: check successful login
shell:
ansible.builtin.shell:
cmd: "pam-tester --user testuser --password {{ test_pw }}"
environment:
TMPDIR: /var/tmp


@ -1,8 +1,8 @@
---
- name: verify 'gpgcheck' was not enabled for 'foo' repository (in whitelist)
command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo
ansible.builtin.command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo
changed_when: false
- name: verify 'gpgcheck' was enabled for 'bar' repository (not in whitelist)
command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo
ansible.builtin.command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo
changed_when: false


@ -1,14 +1,12 @@
---
- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
- name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
hosts: all
environment:
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
collections:
- devsec.hardening
tasks:
- include_role:
name: ssh_hardening
name: devsec.hardening.ssh_hardening
vars:
sftp_enabled: false


@ -8,12 +8,12 @@
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: use python3
set_fact:
ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python3
when: ansible_facts.distribution == 'Fedora'
- name: install packages # noqa ignore-errors
yum:
ansible.builtin.yum:
name:
- openssh-clients
- openssh-server
@ -23,7 +23,7 @@
ignore_errors: true
- name: install packages # noqa ignore-errors
dnf:
ansible.builtin.dnf:
name:
- openssh-clients
- openssh-server
@ -33,7 +33,7 @@
ignore_errors: true
- name: install packages # noqa ignore-errors
apt:
ansible.builtin.apt:
name:
- openssh-client
- openssh-server
@ -43,7 +43,7 @@
- name: install required tools on SuSE
# cannot use zypper module, since it depends on python-xml
shell: "zypper -n install python-xml"
ansible.builtin.shell: "zypper -n install python-xml"
when: ansible_facts.os_family == 'Suse'
- name: install packages
@ -67,7 +67,7 @@
state: directory
- name: create ssh host keys # noqa ignore-errors
command: "ssh-keygen -A"
ansible.builtin.command: "ssh-keygen -A"
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
ansible_facts.distribution == "Fedora" or
ansible_facts.distribution == "Amazon" or
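Review bot: The condition on the host-key task compares `ansible_facts.distribution_major_version < '7'` as strings, so a two-digit major version such as "10" sorts below "7" and the guard would wrongly treat it as a pre-7 release and skip `ssh-keygen -A` on RedHat-family hosts. Use the version test instead: `ansible_facts.distribution_major_version is version('7', '<')`. The `when` expression continues past the end of this hunk, and the same comparison appears in the other two ssh prepare playbooks in this commit.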


@ -7,7 +7,7 @@
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: Execute cinc-auditor tests
command: >
ansible.builtin.command: >
docker run
--volume /run/docker.sock:/run/docker.sock
docker.io/cincproject/auditor exec
@ -19,10 +19,10 @@
ignore_errors: true
- name: Display details about the cinc-auditor results
debug:
ansible.builtin.debug:
msg: "{{ test_results.stdout_lines }}"
- name: Fail when tests fail
fail:
ansible.builtin.fail:
msg: "Inspec failed to validate"
when: test_results.rc != 0


@ -1,14 +1,12 @@
---
- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
- name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
hosts: all
environment:
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
collections:
- devsec.hardening
tasks:
- include_role:
name: ssh_hardening
name: devsec.hardening.ssh_hardening
vars:
sftp_enabled: false


@ -1,15 +1,15 @@
---
- name: prepare OpenBSD host
- name: Prepare OpenBSD host
hosts: all
become: true
gather_facts: false
tasks:
- name: install python
- name: Install python
# BSDs are special for Ansible - https://docs.ansible.com/ansible/latest/os_guide/intro_bsd.html
raw: "pkg_add python%3.10"
when: "lookup('env', 'MOLECULE_DISTRO') == 'openbsd7'"
- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
- name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
hosts: all
become: true
environment:
@ -17,13 +17,13 @@
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: created needed directory
- name: Created needed directory
file:
path: "/var/run/sshd"
state: directory
- name: create ssh host keys # noqa ignore-errors
command: "ssh-keygen -A"
- name: Create ssh host keys # noqa ignore-errors
ansible.builtin.command: "ssh-keygen -A"
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
ansible_facts.distribution == "Fedora" or
ansible_facts.distribution == "Amazon" or


@ -3,7 +3,7 @@
hosts: all
become: true
tasks:
- name: use the type command instead of which to detect existing commands
- name: Use the type command instead of which to detect existing commands
file:
src: "/usr/bin/which"
dest: "/usr/bin/type"
@ -17,21 +17,21 @@
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: get ssh-config
command:
- name: Get ssh-config
ansible.builtin.command:
cmd: "vagrant ssh-config"
chdir: "{{ molecule_ephemeral_directory }}"
register: ssh_config
changed_when: false
- name: create ssh-config file
- name: Create ssh-config file
copy:
content: "{{ ssh_config.stdout_lines | join ('\n') }}"
dest: "{{ molecule_ephemeral_directory }}/ssh-config"
changed_when: false
- name: Execute cinc-auditor tests
command: >
ansible.builtin.command: >
docker run
--volume {{ molecule_ephemeral_directory }}:{{ molecule_ephemeral_directory }}
--volume ./waivers_{{ lookup('env', 'MOLECULE_DISTRO') }}.yaml:/waivers.yaml
@ -46,10 +46,10 @@
ignore_errors: true
- name: Display details about the cinc-auditor results
debug:
ansible.builtin.debug:
msg: "{{ test_results.stdout_lines }}"
- name: Fail when tests fail
fail:
ansible.builtin.fail:
msg: "Inspec failed to validate"
when: test_results.rc != 0


@ -1,5 +1,5 @@
---
- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
- name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
hosts: all
become: true
environment:
@ -7,13 +7,13 @@
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: use python3
set_fact:
- name: Use python3
ansible.builtin.set_fact:
ansible_python_interpreter: /usr/bin/python3
when: ansible_facts.distribution == 'Fedora'
- name: install packages # noqa ignore-errors
yum:
- name: Install packages # noqa ignore-errors
ansible.builtin.yum:
name:
- openssh-clients
- openssh-server
@ -22,8 +22,8 @@
update_cache: true
ignore_errors: true
- name: install packages # noqa ignore-errors
dnf:
- name: Install packages # noqa ignore-errors
ansible.builtin.dnf:
name:
- openssh-clients
- openssh-server
@ -32,8 +32,8 @@
update_cache: true
ignore_errors: true
- name: install packages # noqa ignore-errors
apt:
- name: Install packages # noqa ignore-errors
ansible.builtin.apt:
name:
- openssh-client
- openssh-server
@ -41,18 +41,18 @@
update_cache: true
ignore_errors: true
- name: install required tools on SuSE
- name: Install required tools on SuSE
# cannot use zypper module, since it depends on python-xml
shell: "zypper -n install python-xml"
ansible.builtin.shell: "zypper -n install python-xml"
when: ansible_facts.os_family == 'Suse'
- name: install packages
- name: Install packages
zypper:
name:
- "openssh"
when: ansible_facts.os_family == 'Suse'
- name: install required tools on Arch
- name: Install required tools on Arch
pacman:
name:
- openssh
@ -61,13 +61,13 @@
update_cache: true
when: ansible_facts.os_family == 'Archlinux'
- name: created needed directory
- name: Created needed directory
file:
path: "/var/run/sshd"
state: directory
- name: create ssh host keys # noqa ignore-errors
command: "ssh-keygen -A"
- name: Create ssh host keys # noqa ignore-errors
ansible.builtin.command: "ssh-keygen -A"
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
ansible_facts.distribution == "Fedora" or
ansible_facts.distribution == "Amazon" or