fix lint findings
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
This commit is contained in:
parent
6ce8b68650
commit
e00716df62
35 changed files with 161 additions and 167 deletions
2
.github/ISSUE_TEMPLATE/bug_report.yml
2
.github/ISSUE_TEMPLATE/bug_report.yml
|
@ -31,7 +31,7 @@ body:
|
|||
attributes:
|
||||
label: "Reproduction steps"
|
||||
render: Shell
|
||||
description: Paste an example playbook that can be used to reproduce the problem. This will be automatically formatted into code, so no need for backticks.
|
||||
description: Paste an example playbook that can be used to reproduce the problem. This will be automatically formatted into code, no need for backticks.
|
||||
value: |
|
||||
...
|
||||
validations:
|
||||
|
|
3
.github/workflows/mysql_hardening.yml
3
.github/workflows/mysql_hardening.yml
|
@ -89,7 +89,8 @@ jobs:
|
|||
- name: Temporary fix for roles
|
||||
run: |
|
||||
mkdir -p /home/runner/.ansible
|
||||
ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles /home/runner/.ansible/roles
|
||||
ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles \
|
||||
/home/runner/.ansible/roles
|
||||
|
||||
- name: Test with molecule
|
||||
run: |
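Review bot: The continuation line added to the `ln -s` still hard-codes `/home/runner/work/ansible-collection-hardening/ansible-collection-hardening/...`, which is only the checkout path on a GitHub-hosted runner with the default repository name; `$GITHUB_WORKSPACE` and `$HOME` describe the same locations without that assumption, e.g. `ln -sfn "$GITHUB_WORKSPACE/ansible_collections/devsec/hardening/roles" "$HOME/.ansible/roles"`. The `-fn` also keeps the step repeatable if `~/.ansible/roles` already exists as a link on a reused runner, where plain `ln -s` would nest a second link inside it. The identical step in nginx_hardening.yml in this commit has the same shape.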
|
||||
|
|
3
.github/workflows/nginx_hardening.yml
3
.github/workflows/nginx_hardening.yml
|
@ -78,7 +78,8 @@ jobs:
|
|||
- name: Temporary fix for roles
|
||||
run: |
|
||||
mkdir -p /home/runner/.ansible
|
||||
ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles /home/runner/.ansible/roles
|
||||
ln -s /home/runner/work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections/devsec/hardening/roles \
|
||||
/home/runner/.ansible/roles
|
||||
|
||||
- name: Test with molecule
|
||||
run: |
|
||||
|
|
|
@ -1,16 +1,14 @@
|
|||
---
|
||||
- name: wrapper playbook for kitchen testing "ansible-mysql-hardening"
|
||||
- name: Wrapper playbook for kitchen testing "ansible-mysql-hardening"
|
||||
hosts: all
|
||||
become: true
|
||||
collections:
|
||||
- devsec.hardening
|
||||
environment:
|
||||
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
||||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
tasks:
|
||||
- name: Determine required MySQL Python libraries (Ubuntu Focal Fossa ++)
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
mysql_python_package_debian: "python3-pymysql"
|
||||
when:
|
||||
- mysql_python_package_debian is not defined
|
||||
|
@ -18,7 +16,7 @@
|
|||
- ansible_distribution_major_version|int > 19
|
||||
|
||||
- name: Determine required MySQL Python libraries.
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter|default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}"
|
||||
when:
|
||||
- mysql_python_package_debian is not defined
|
||||
|
@ -26,13 +24,14 @@
|
|||
- ansible_distribution_major_version|int < 20
|
||||
|
||||
- name: Use Python 3 on Suse
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
when:
|
||||
- ansible_os_family == 'Suse'
|
||||
|
||||
- include_role:
|
||||
name: mysql_hardening
|
||||
- name: Include mysql_hardening role
|
||||
ansible.builtin.include_role:
|
||||
name: devsec.hardening.mysql_hardening
|
||||
vars:
|
||||
overwrite_global_mycnf: false
|
||||
mysql_root_password: iloverandompasswordsbutthiswilldo
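Review bot: The `mysql_root_password` literal passed through `vars:` here is the same throwaway value the prepare playbook in this commit now sets at play level, and nothing marks it as test-only; a one-line comment such as `# test-only credential for ephemeral molecule instances, never reuse` above it would stop it being copied into a real inventory. The include has no `no_log`, so the value may be echoed in verbose runs, which is acceptable for a disposable container but worth stating in the same comment.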
|
||||
|
|
|
@ -1,35 +1,40 @@
|
|||
---
|
||||
|
||||
- name: wrapper playbook for kitchen testing "ansible-mysql-hardening"
|
||||
- name: Wrapper playbook for kitchen testing "ansible-mysql-hardening"
|
||||
hosts: all
|
||||
become: true
|
||||
environment:
|
||||
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
||||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
vars:
|
||||
overwrite_global_mycnf: false
|
||||
mysql_root_password: iloverandompasswordsbutthiswilldo
|
||||
mysql_user_password: iloverandompasswordsbutthiswilldo
|
||||
mysql_config_file: /etc/mysql/mariadb.cnf
|
||||
mysql_root_password_update: true
|
||||
tasks:
|
||||
- name: Use Python 3 on Debian 11
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
when:
|
||||
- ansible_distribution == 'Debian'
|
||||
- ansible_distribution_major_version|int >= 11
|
||||
|
||||
- name: Use Python 3 on Suse
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
when:
|
||||
- ansible_os_family == 'Suse'
|
||||
|
||||
- name: Use Python 2 on Debian 10
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
ansible_python_interpreter: /usr/bin/python
|
||||
when:
|
||||
- ansible_distribution == 'Debian'
|
||||
- ansible_distribution_major_version|int == 10
|
||||
|
||||
- name: Run the equivalent of "apt-get update && apt-get upgrade"
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name: "*"
|
||||
state: latest
|
||||
update_cache: true
|
||||
|
@ -39,13 +44,13 @@
|
|||
ansible.builtin.shell: zypper -n install python-xml python3-rpm python3-PyMySQL
|
||||
when: ansible_os_family == 'Suse'
|
||||
|
||||
- name: create missing directory
|
||||
- name: Create missing directory
|
||||
file:
|
||||
path: "/etc/mysql/conf.d"
|
||||
state: directory
|
||||
|
||||
- name: Determine required MySQL Python libraries (Ubuntu Focal Fossa ++)
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
mysql_python_package_debian: "python3-pymysql"
|
||||
when:
|
||||
- mysql_python_package_debian is not defined
|
||||
|
@ -53,7 +58,7 @@
|
|||
- ansible_distribution_major_version|int > 19
|
||||
|
||||
- name: Determine required MySQL Python libraries.
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter|default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}"
|
||||
when:
|
||||
- mysql_python_package_debian is not defined
|
||||
|
@ -61,20 +66,14 @@
|
|||
- ansible_distribution_major_version|int < 20
|
||||
|
||||
- name: Install required MySQL Python libraries on RHEL
|
||||
yum:
|
||||
ansible.builtin.yum:
|
||||
name: "{% if 'python3' in ansible_python_interpreter|default('') %}python36-PyMySQL{% else %}python2-PyMySQL{% endif %}"
|
||||
when:
|
||||
- ansible_os_family == "RedHat"
|
||||
- ansible_distribution_major_version == "7"
|
||||
|
||||
- include_role:
|
||||
|
||||
- ansible.builtin.include_role:
|
||||
name: dev-sec.mysql
|
||||
|
||||
- name: include MySQL user prepare tasks
|
||||
include_tasks: prepare_tasks/mysql_users.yml
|
||||
vars:
|
||||
overwrite_global_mycnf: false
|
||||
mysql_root_password: iloverandompasswordsbutthiswilldo
|
||||
mysql_user_password: iloverandompasswordsbutthiswilldo
|
||||
mysql_config_file: /etc/mysql/mariadb.cnf
|
||||
mysql_root_password_update: true
|
||||
- name: Include MySQL user prepare tasks
|
||||
ansible.builtin.include_tasks: prepare_tasks/mysql_users.yml
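Review bot: `file:` in the `Create missing directory` task is left as the short module name while every other action in this file was moved to its FQCN, and `/etc/mysql/conf.d` is created with the default, umask-derived permissions; change it to `ansible.builtin.file:` and add `mode: "0755"` (plus `owner: root` / `group: root` if the role expects root-owned config dirs) so the directory cannot end up group- or world-writable under a permissive umask. The `ansible.builtin.include_role: name: dev-sec.mysql` task further down also has no `name:`, unlike the `Include mysql_hardening role` task the converge playbook gained in this commit; `- name: Install upstream MySQL role` keeps it consistent and lint-clean.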
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
- name: create users for test
|
||||
- name: Create users for test
|
||||
community.mysql.mysql_query:
|
||||
query:
|
||||
- "CREATE USER 'user'@'delete';"
|
||||
|
@ -23,10 +23,10 @@
|
|||
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
|
||||
register: mysql_role_support
|
||||
|
||||
- name: create roles for test
|
||||
- name: Create roles for test
|
||||
community.mysql.mysql_query:
|
||||
query:
|
||||
- "CREATE ROLE 'role_keep';"
|
||||
- "CREATE ROLE 'role_keep';"
|
||||
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
|
||||
when:
|
||||
- mysql_role_support.rowcount[0] > 0
|
||||
|
|
|
@ -8,23 +8,23 @@
|
|||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
tasks:
|
||||
- name: Use Python 3 on Suse
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
when:
|
||||
- ansible_os_family == 'Suse'
|
||||
|
||||
- name: install procps for debian systems
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name: procps
|
||||
state: present
|
||||
update_cache: true
|
||||
when: ansible_distribution == 'Debian'
|
||||
|
||||
- name: include tests for the service
|
||||
include_tasks: verify_tasks/service.yml
|
||||
ansible.builtin.include_tasks: verify_tasks/service.yml
|
||||
|
||||
- name: include tests for MySQL user
|
||||
include_tasks: verify_tasks/mysql_users.yml
|
||||
ansible.builtin.include_tasks: verify_tasks/mysql_users.yml
|
||||
|
||||
- name: Verify
|
||||
hosts: localhost
|
||||
|
@ -34,7 +34,7 @@
|
|||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
tasks:
|
||||
- name: Execute cinc-auditor tests
|
||||
command: >
|
||||
ansible.builtin.command: >
|
||||
docker run
|
||||
--volume /run/docker.sock:/run/docker.sock
|
||||
docker.io/cincproject/auditor exec
|
||||
|
@ -46,10 +46,10 @@
|
|||
ignore_errors: true
|
||||
|
||||
- name: Display details about the cinc-auditor results
|
||||
debug:
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ test_results.stdout_lines }}"
|
||||
|
||||
- name: Fail when tests fail
|
||||
fail:
|
||||
ansible.builtin.fail:
|
||||
msg: "Inspec failed to validate"
|
||||
when: test_results.rc != 0
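Review bot: The `docker run` in the cinc-auditor task still references `docker.io/cincproject/auditor` without a tag or digest, so every CI run pulls whatever `latest` resolves to and the verification results are not reproducible; pin it, e.g. `docker.io/cincproject/auditor:<version>` or better `@sha256:<digest>`, and bump deliberately. The `--volume /run/docker.sock:/run/docker.sock` mount hands that unpinned image control of the host Docker daemon, which is root-equivalent on the runner, acceptable only because the runner is disposable and worth a comment saying so. The same invocation is repeated in the other verify.yml files touched by this commit.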
|
||||
|
|
|
@ -6,11 +6,11 @@
|
|||
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
|
||||
register: mysql_users
|
||||
|
||||
- name: create list of users from mysql query
|
||||
set_fact:
|
||||
- name: Create list of users from mysql query
|
||||
ansible.builtin.set_fact:
|
||||
mysql_users_list: "{{ mysql_users.query_result.0 | json_query('[*].users') | list }}"
|
||||
|
||||
- name: assert that only accounts with password remain
|
||||
- name: Assert that only accounts with password remain
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- '"user@delete" not in mysql_users_list'
|
||||
|
@ -33,9 +33,9 @@
|
|||
login_unix_socket: "{{ login_unix_socket | default(omit) }}"
|
||||
register: mysql_role_support
|
||||
|
||||
- name: assert that roles remain
|
||||
- name: Assert that roles remain
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- '"role_keep@" in mysql_users_list'
|
||||
- '"role_keep@" in mysql_users_list'
|
||||
when:
|
||||
- mysql_role_support.rowcount[0] > 0
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
ansible.builtin.service_facts:
|
||||
|
||||
- name: Check if MySQL is running and enabled
|
||||
assert:
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "ansible_facts.services[mysql_daemon + '.service'].state == 'running'"
|
||||
- "ansible_facts.services[mysql_daemon + '.service'].status == 'enabled'"
|
||||
|
|
|
@ -1,9 +1,7 @@
|
|||
---
|
||||
- name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
|
||||
- name: Wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
|
||||
become: true
|
||||
hosts: all
|
||||
collections:
|
||||
- devsec.hardening
|
||||
environment:
|
||||
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
||||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||
|
@ -13,4 +11,4 @@
|
|||
- nginx_ppa_version: stable
|
||||
tasks:
|
||||
- include_role:
|
||||
name: nginx_hardening
|
||||
name: devsec.hardening.nginx_hardening
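Review bot: `- include_role:` is left as the short name and the task has no `name:`, while the mysql converge in the same commit was changed to `- name: Include mysql_hardening role` / `ansible.builtin.include_role:`; ansible-lint's fqcn and name[missing] rules will presumably still flag this file. Suggested: `- name: Include nginx_hardening role` followed by `ansible.builtin.include_role:` with the existing `name: devsec.hardening.nginx_hardening`.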
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
- name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
|
||||
- name: Wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
|
||||
hosts: localhost
|
||||
vars:
|
||||
- nginx_main_template_enable: true
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
- name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
|
||||
- name: Wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
|
||||
hosts: localhost
|
||||
roles:
|
||||
- nginxinc.nginx
|
||||
|
|
|
@ -20,7 +20,7 @@
|
|||
ignore_errors: true # noqa ignore-errors
|
||||
|
||||
- name: Set correct distribution Version for Amazon Linux
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
ansible_distribution_major_version: 7
|
||||
when: ansible_distribution == 'Amazon'
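Review bot: The newly qualified `ansible.builtin.set_fact` writes `ansible_distribution_major_version: 7` as an integer, whereas the gathered fact is a string and other playbooks in this commit compare it as one (`ansible_distribution_major_version == "7"` in the mysql prepare, `distribution_major_version < '7'` in the ssh prepare); an int never equals `"7"`, so such checks silently miss Amazon Linux. Quote it, `ansible_distribution_major_version: "7"`, so the override has the same type as the real fact.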
|
||||
|
||||
|
|
|
@ -7,8 +7,8 @@
|
|||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
tasks:
|
||||
- name: install procps for debian systems
|
||||
apt:
|
||||
- name: Install procps for debian systems
|
||||
ansible.builtin.apt:
|
||||
name: procps
|
||||
state: present
|
||||
update_cache: true
|
||||
|
@ -22,7 +22,7 @@
|
|||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
tasks:
|
||||
- name: Execute cinc-auditor tests
|
||||
command: >
|
||||
ansible.builtin.command: >
|
||||
docker run
|
||||
--volume /run/docker.sock:/run/docker.sock
|
||||
docker.io/cincproject/auditor exec
|
||||
|
@ -34,10 +34,10 @@
|
|||
ignore_errors: true
|
||||
|
||||
- name: Display details about the cinc-auditor results
|
||||
debug:
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ test_results.stdout_lines }}"
|
||||
|
||||
- name: Fail when tests fail
|
||||
fail:
|
||||
ansible.builtin.fail:
|
||||
msg: "Inspec failed to validate"
|
||||
when: test_results.rc != 0
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
- devsec.hardening
|
||||
tasks:
|
||||
- name: workaround for https://github.com/ansible/ansible/issues/66304
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
ansible_virtualization_type: "docker"
|
||||
- include_role:
|
||||
name: os_hardening
|
||||
|
@ -84,7 +84,7 @@
|
|||
# when: ansible_facts.distribution == 'Fedora'
|
||||
#
|
||||
# - name: Run the equivalent of "apt-get update" as a separate step
|
||||
# apt:
|
||||
# ansible.builtin.apt:
|
||||
# update_cache: yes
|
||||
# when: ansible_facts.os_family == 'Debian'
|
||||
#
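Review bot: `- include_role:` with `name: os_hardening` is the one converge in this commit whose role reference was not moved to `devsec.hardening.os_hardening`, so this playbook still depends on the play-level `collections:` keyword that the other converge playbooks dropped; it also keeps the short `include_role` and has no task name. `- name: Include os_hardening role` / `ansible.builtin.include_role:` / `name: devsec.hardening.os_hardening` brings it in line with the rest of the commit. The commented-out apt task in the second hunk was qualified too, which is harmless but only matters if it is ever re-enabled.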
|
||||
|
|
|
@ -8,12 +8,12 @@
|
|||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
tasks:
|
||||
- name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
ansible_python_interpreter: "/usr/bin/python3"
|
||||
when: ansible_facts.distribution == 'Fedora'
|
||||
|
||||
- name: Run the equivalent of "apt-get update && apt-get upgrade"
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name: "*"
|
||||
state: latest
|
||||
update_cache: true
|
||||
|
@ -21,11 +21,11 @@
|
|||
|
||||
- name: install required tools on SuSE
|
||||
# cannot use zypper module, since it depends on python-xml
|
||||
shell: "zypper -n install python-xml awk"
|
||||
ansible.builtin.shell: "zypper -n install python-xml awk"
|
||||
when: ansible_facts.os_family == 'Suse'
|
||||
|
||||
- name: install required tools on fedora
|
||||
dnf:
|
||||
ansible.builtin.dnf:
|
||||
name:
|
||||
- python
|
||||
- findutils
|
||||
|
@ -41,7 +41,7 @@
|
|||
when: ansible_facts.os_family == 'Archlinux'
|
||||
|
||||
- name: install required tools on RHEL # noqa ignore-errors
|
||||
yum:
|
||||
ansible.builtin.yum:
|
||||
name:
|
||||
- openssh-clients
|
||||
- openssh
|
||||
|
@ -50,11 +50,11 @@
|
|||
ignore_errors: true
|
||||
|
||||
- name: create recursing symlink to test minimize access
|
||||
shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
|
||||
ansible.builtin.shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
|
||||
changed_when: false
|
||||
|
||||
- name: include YUM prepare tasks
|
||||
include_tasks: prepare_tasks/yum.yml
|
||||
ansible.builtin.include_tasks: prepare_tasks/yum.yml
|
||||
when: ansible_facts.os_family == 'RedHat'
|
||||
|
||||
- name: include preparation tasks
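Review bot: The newly qualified `ansible.builtin.shell: "zypper -n install python-xml awk"` uses no shell features, so `ansible.builtin.command: "zypper -n install python-xml awk"` does the same with one less interpreter layer and presumably keeps ansible-lint's command-instead-of-shell rule quiet; the comment about the zypper module still applies and can stay. The task also has no `changed_when`, so it reports changed on every run of the prepare playbook. The recursing-symlink task below it genuinely needs `shell` for the `&&`, so that one is fine.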
|
||||
|
|
|
@ -7,12 +7,12 @@
|
|||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
tasks:
|
||||
- name: set ansible_python_interpreter to "/usr/bin/python3"
|
||||
set_fact:
|
||||
- name: Set ansible_python_interpreter to "/usr/bin/python3"
|
||||
ansible.builtin.set_fact:
|
||||
ansible_python_interpreter: "/usr/bin/python3"
|
||||
when: ansible_facts.distribution == 'Fedora'
|
||||
|
||||
- name: include verification tasks
|
||||
- name: Include verification tasks
|
||||
ansible.builtin.include_tasks:
|
||||
file: "{{ item }}"
|
||||
loop:
|
||||
|
@ -22,12 +22,12 @@
|
|||
- verify_tasks/ignore_home_folders.yml
|
||||
|
||||
# temp. disabled - https://github.com/dev-sec/ansible-collection-hardening/issues/690
|
||||
# - name: include PAM tests
|
||||
# include_tasks: verify_tasks/pam.yml
|
||||
# - name: Include PAM tests
|
||||
# ansible.builtin.include_tasks: verify_tasks/pam.yml
|
||||
# when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
|
||||
|
||||
- name: include YUM tests
|
||||
include_tasks: verify_tasks/yum.yml
|
||||
- name: Include YUM tests
|
||||
ansible.builtin.include_tasks: verify_tasks/yum.yml
|
||||
when: ansible_facts.os_family == 'RedHat'
|
||||
|
||||
- name: Verify
|
||||
|
@ -38,7 +38,7 @@
|
|||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
tasks:
|
||||
- name: Execute cinc-auditor tests
|
||||
command: >
|
||||
ansible.builtin.command: >
|
||||
docker run
|
||||
--volume /run/docker.sock:/run/docker.sock
|
||||
--volume {{ playbook_dir }}/waivers.yaml:/waivers.yaml
|
||||
|
@ -52,11 +52,11 @@
|
|||
ignore_errors: true
|
||||
|
||||
- name: Display details about the cinc-auditor results
|
||||
debug:
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ test_results.stdout_lines }}"
|
||||
|
||||
- name: Fail when tests fail
|
||||
fail:
|
||||
ansible.builtin.fail:
|
||||
msg: "Inspec failed to validate"
|
||||
when: test_results.rc != 0
|
||||
|
||||
|
@ -72,7 +72,7 @@
|
|||
tasks:
|
||||
# test if variable can be overridden
|
||||
- name: workaround for https://github.com/ansible/ansible/issues/66304
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
ansible_virtualization_type: "docker"
|
||||
os_env_umask: "027 #override"
|
||||
|
||||
|
@ -80,6 +80,6 @@
|
|||
name: os_hardening
|
||||
|
||||
- name: verify os_env_umask
|
||||
shell:
|
||||
ansible.builtin.shell:
|
||||
cmd: "grep '027 #override' /etc/login.defs"
|
||||
changed_when: false
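Review bot: `ansible.builtin.shell:` with `cmd: "grep '027 #override' /etc/login.defs"` runs no shell syntax, so `ansible.builtin.command:` with the same `cmd` is enough and avoids the command-instead-of-shell finding this commit is otherwise clearing; `changed_when: false` already makes the grep a pure assertion. The enclosing play starts outside this hunk.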
|
||||
|
|
|
@ -1,18 +1,18 @@
|
|||
---
|
||||
- name: test that .netrc in root homedir exists
|
||||
- name: Test that .netrc in root homedir exists
|
||||
ansible.builtin.file:
|
||||
path: '/root/.netrc'
|
||||
state: file
|
||||
register: result_test_netrc
|
||||
|
||||
- name: output result if .netrc for user root exists
|
||||
- name: Output result if .netrc for user root exists
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "result_test_netrc.state == 'file'"
|
||||
fail_msg: ".netrc in /root/ not present"
|
||||
success_msg: ".netrc exists in /root/"
|
||||
|
||||
- name: delete '.netrc' in /root
|
||||
- name: Delete '.netrc' in /root
|
||||
ansible.builtin.file:
|
||||
path: '/root/.netrc'
|
||||
state: absent
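Review bot: The `ansible.builtin.file` task with `state: file` fails outright when `/root/.netrc` is absent (as far as I recall the module errors with "is absent, cannot continue" rather than returning a state), so the `Assert` that follows only ever sees `state == 'file'` and its `fail_msg` is unreachable. Use `ansible.builtin.stat: path: /root/.netrc` registered into `result_test_netrc` and assert `result_test_netrc.stat.exists and result_test_netrc.stat.isreg` to get the intended pass/fail message. The delete task at the end is then the only step that needs `ansible.builtin.file`.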
|
||||
|
|
|
@ -14,11 +14,11 @@
|
|||
executable: /usr/bin/pip3
|
||||
|
||||
- name: set password for test
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
test_pw: "myTest!pw"
|
||||
|
||||
- name: set locale for test
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
locale: "en_US.UTF-8"
|
||||
when:
|
||||
- ansible_facts.os_family == 'RedHat'
|
||||
|
@ -30,7 +30,7 @@
|
|||
password: "{{ test_pw | password_hash('sha512') }}"
|
||||
|
||||
- name: check successful login with correct password
|
||||
shell:
|
||||
ansible.builtin.shell:
|
||||
cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
|
||||
environment:
|
||||
TMPDIR: /var/tmp
|
||||
|
@ -38,7 +38,7 @@
|
|||
LANG: "{{ locale | default('C.UTF-8') }}"
|
||||
|
||||
- name: check unsuccessful login with incorrect password
|
||||
shell:
|
||||
ansible.builtin.shell:
|
||||
cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
|
||||
environment:
|
||||
TMPDIR: /var/tmp
|
||||
|
@ -47,7 +47,7 @@
|
|||
with_sequence: count=6
|
||||
|
||||
- name: check unsuccessful login, with correct password (lockout)
|
||||
shell:
|
||||
ansible.builtin.shell:
|
||||
cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail"
|
||||
environment:
|
||||
TMPDIR: /var/tmp
|
||||
|
@ -59,7 +59,7 @@
|
|||
seconds: 20
|
||||
|
||||
- name: check successful login
|
||||
shell:
|
||||
ansible.builtin.shell:
|
||||
cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}"
|
||||
environment:
|
||||
TMPDIR: /var/tmp
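Review bot: The `pam-tester` invocations now carry the FQCN but still use `ansible.builtin.shell` for commands that contain no pipes, globs or redirects; `ansible.builtin.command` with the same `cmd:` behaves identically and satisfies ansible-lint's command-instead-of-shell rule. Independently, `--password {{ test_pw }}` places the password in argv, where it is visible in `ps` and in Ansible's task output; fine for the fixed test credential here, but a comment like `# password on the command line is intentional: throwaway molecule instance` would make that explicit. The vm-scenario copy of this file in the same commit has the same shape.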
|
||||
|
|
|
@ -3,6 +3,6 @@
|
|||
database: passwd
|
||||
|
||||
- name: Check that shell_sys_acc's shell is still bash
|
||||
assert:
|
||||
asansible.builtin.assertsert:
|
||||
that:
|
||||
- getent_passwd['shell_sys_acc'][5] == "/bin/bash"
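Review bot: The replacement line reads `asansible.builtin.assertsert:`, which is not a module name: as rendered here the FQCN was spliced into the middle of `assert:` rather than replacing it, and Ansible will fail to resolve the action when this verify task file runs. It should be `ansible.builtin.assert:`. Worth double-checking the commit for other mid-word replacements, since the vm prepare playbook in this commit shows the same pattern on a `shell:` line.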
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
---
|
||||
- name: verify 'gpgcheck' was not enabled for 'foo' repository (in whitelist)
|
||||
- name: Verify 'gpgcheck' was not enabled for 'foo' repository (in whitelist)
|
||||
command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo
|
||||
changed_when: false
|
||||
|
||||
- name: verify 'gpgcheck' was enabled for 'bar' repository (not in whitelist)
|
||||
- name: Verify 'gpgcheck' was enabled for 'bar' repository (not in whitelist)
|
||||
command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo
|
||||
changed_when: false
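Review bot: Both `command:` lines in this file were left as the short module name and only the task names were capitalised, while the identical verify_tasks/yum.yml under the vm scenario in this same commit was changed to `ansible.builtin.command:`; the fqcn lint finding therefore remains here. Change the two lines to `ansible.builtin.command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo` and the `bar` equivalent.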
|
||||
|
|
|
@ -10,14 +10,14 @@
|
|||
- devsec.hardening
|
||||
tasks:
|
||||
- name: override for arch
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
os_mnt_boot_enabled: false
|
||||
os_mnt_tmp_enabled: true
|
||||
os_mnt_tmp_src: "tmpfs"
|
||||
os_mnt_tmp_filesystem: "tmpfs"
|
||||
when: ansible_facts.os_family == 'Archlinux'
|
||||
- name: overrides for Fedora image
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
os_mnt_tmp_enabled: true
|
||||
os_mnt_tmp_src: "tmpfs"
|
||||
os_mnt_tmp_filesystem: "tmpfs"
|
||||
|
|
|
@ -8,22 +8,22 @@
|
|||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
tasks:
|
||||
- name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
ansible_python_interpreter: "/usr/bin/python3"
|
||||
when: ansible_facts.distribution == 'Fedora'
|
||||
|
||||
- name: Run the equivalent of "apt-get update && apt-get upgrade"
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
update_cache: true
|
||||
when: ansible_os_family == 'Debian'
|
||||
|
||||
- name: install required tools on SuSE
|
||||
# cannot use zypper module, since it depends on python-xml
|
||||
shell: "zypper -n install python-xml"
|
||||
ansible.builtin.shell: "zypper -n install python-xml"
|
||||
when: ansible_facts.os_family == 'Suse'
|
||||
|
||||
- name: install required tools on fedora
|
||||
dnf:
|
||||
ansible.builtin.dnf:
|
||||
name:
|
||||
- python
|
||||
- findutils
|
||||
|
@ -39,7 +39,7 @@
|
|||
when: ansible_facts.os_family == 'Archlinux'
|
||||
|
||||
- name: install required tools on RHEL # noqa ignore-errors
|
||||
yum:
|
||||
ansible.builtin.yum:
|
||||
name:
|
||||
- openssh-clients
|
||||
- openssh
|
||||
|
@ -48,7 +48,7 @@
|
|||
ignore_errors: true
|
||||
|
||||
- name: create recursing symlink to test minimize access
|
||||
shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
|
||||
sheansible.builtin.shellll: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
|
||||
changed_when: false
|
||||
|
||||
- name: Unmount EFI partition to get rid of vfat filesystem (qemu has no firmware image that inspec can detect)
|
||||
|
@ -58,5 +58,5 @@
|
|||
when: ansible_facts.distribution == 'Fedora'
|
||||
|
||||
- name: include YUM prepare tasks
|
||||
include_tasks: prepare_tasks/yum.yml
|
||||
ansible.builtin.include_tasks: prepare_tasks/yum.yml
|
||||
when: ansible_facts.os_family == 'RedHat'
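Review bot: The replacement line reads `sheansible.builtin.shellll: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"`, so as rendered here the FQCN landed inside the word `shell` instead of replacing it; the prepare playbook will abort with an unresolved action before the symlink fixture is created. It should be `ansible.builtin.shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"` (shell is genuinely needed here for the `&&`). The verify_tasks shell file in this commit shows the same splice on an `assert:` line.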
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
- name: create 'foo' repository
|
||||
- name: Create 'foo' repository
|
||||
ansible.builtin.yum_repository:
|
||||
name: foo
|
||||
description: mandatory description
|
||||
|
@ -7,7 +7,7 @@
|
|||
enabled: false
|
||||
gpgcheck: false
|
||||
|
||||
- name: create 'bar' repository
|
||||
- name: Create 'bar' repository
|
||||
ansible.builtin.yum_repository:
|
||||
name: bar
|
||||
description: mandatory description
|
||||
|
|
|
@ -9,12 +9,12 @@
|
|||
tasks:
|
||||
|
||||
# temp. disabled - https://github.com/dev-sec/ansible-collection-hardening/issues/690
|
||||
# - name: include PAM tests
|
||||
# include_tasks: verify_tasks/pam.yml
|
||||
# - name: Include PAM tests
|
||||
# ansible.builtin.include_tasks: verify_tasks/pam.yml
|
||||
# when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
|
||||
|
||||
- name: include YUM tests
|
||||
include_tasks: verify_tasks/yum.yml
|
||||
- name: Include YUM tests
|
||||
ansible.builtin.include_tasks: verify_tasks/yum.yml
|
||||
when: ansible_facts.os_family == 'RedHat'
|
||||
|
||||
- name: Verify
|
||||
|
@ -24,21 +24,21 @@
|
|||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
tasks:
|
||||
- name: get ssh-config
|
||||
command:
|
||||
- name: Get ssh-config
|
||||
ansible.builtin.command:
|
||||
cmd: "vagrant ssh-config"
|
||||
chdir: "{{ molecule_ephemeral_directory }}"
|
||||
register: ssh_config
|
||||
changed_when: false
|
||||
|
||||
- name: create ssh-config file
|
||||
- name: Create ssh-config file
|
||||
copy:
|
||||
content: "{{ ssh_config.stdout_lines | join ('\n') }}"
|
||||
dest: "{{ molecule_ephemeral_directory }}/ssh-config"
|
||||
changed_when: false
|
||||
|
||||
- name: Execute cinc-auditor tests
|
||||
command: >
|
||||
ansible.builtin.command: >
|
||||
docker run
|
||||
--volume {{ molecule_ephemeral_directory }}:{{ molecule_ephemeral_directory }}
|
||||
docker.io/cincproject/auditor exec
|
||||
|
@ -51,10 +51,10 @@
|
|||
ignore_errors: true
|
||||
|
||||
- name: Display details about the cinc-auditor results
|
||||
debug:
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ test_results.stdout_lines }}"
|
||||
|
||||
- name: Fail when tests fail
|
||||
fail:
|
||||
ansible.builtin.fail:
|
||||
msg: "Inspec failed to validate"
|
||||
when: test_results.rc != 0
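Review bot: `copy:` in the `Create ssh-config file` task keeps the short module name while `command`, `debug` and `fail` in the same play were qualified, so the fqcn finding is only partly cleared in this file; it should be `ansible.builtin.copy:`. The task also sets `changed_when: false` on a write that really does change the file, which misreports idempotency rather than hides anything dangerous. The cinc-auditor `docker run` below it has the same unpinned `docker.io/cincproject/auditor` reference as the other verify playbooks in this commit.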
|
||||
|
|
|
@ -12,11 +12,11 @@
|
|||
state: present
|
||||
|
||||
- name: set password for test
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
test_pw: "myTest!pw"
|
||||
|
||||
- name: set locale for test
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
locale: "en_US.UTF-8"
|
||||
when:
|
||||
- ansible_facts.os_family == 'RedHat'
|
||||
|
@ -28,7 +28,7 @@
|
|||
password: "{{ test_pw | password_hash('sha512') }}"
|
||||
|
||||
- name: check successful login with correct password
|
||||
shell:
|
||||
ansible.builtin.shell:
|
||||
cmd: "pam-tester --user testuser --password {{ test_pw }}"
|
||||
environment:
|
||||
TMPDIR: /var/tmp
|
||||
|
@ -36,7 +36,7 @@
|
|||
LANG: "{{ locale | default('C.UTF-8') }}"
|
||||
|
||||
- name: check unsuccessful login with incorrect password
|
||||
shell:
|
||||
ansible.builtin.shell:
|
||||
cmd: "pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
|
||||
environment:
|
||||
TMPDIR: /var/tmp
|
||||
|
@ -45,7 +45,7 @@
|
|||
with_sequence: count=6
|
||||
|
||||
- name: check unsuccessful login, with correct password (lockout)
|
||||
shell:
|
||||
ansible.builtin.shell:
|
||||
cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail"
|
||||
environment:
|
||||
TMPDIR: /var/tmp
|
||||
|
@ -57,7 +57,7 @@
|
|||
seconds: 20
|
||||
|
||||
- name: check successful login
|
||||
shell:
|
||||
ansible.builtin.shell:
|
||||
cmd: "pam-tester --user testuser --password {{ test_pw }}"
|
||||
environment:
|
||||
TMPDIR: /var/tmp
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
---
|
||||
- name: verify 'gpgcheck' was not enabled for 'foo' repository (in whitelist)
|
||||
command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo
|
||||
ansible.builtin.command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo
|
||||
changed_when: false
|
||||
|
||||
- name: verify 'gpgcheck' was enabled for 'bar' repository (not in whitelist)
|
||||
command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo
|
||||
ansible.builtin.command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo
|
||||
changed_when: false
|
||||
|
|
|
@ -1,14 +1,12 @@
|
|||
---
|
||||
- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
|
||||
- name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
|
||||
hosts: all
|
||||
environment:
|
||||
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
||||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
collections:
|
||||
- devsec.hardening
|
||||
tasks:
|
||||
- include_role:
|
||||
name: ssh_hardening
|
||||
name: devsec.hardening.ssh_hardening
|
||||
vars:
|
||||
sftp_enabled: false
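Review bot: `- include_role:` is left as the short name with no task `name:`, whereas the mysql converge in this commit became `- name: Include mysql_hardening role` with `ansible.builtin.include_role:`; the fqcn and name[missing] findings therefore remain here. Suggested: `- name: Include ssh_hardening role` over `ansible.builtin.include_role:`, keeping `name: devsec.hardening.ssh_hardening` and the `vars:`. The second ssh converge playbook in this commit has the same shape.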
|
||||
|
|
|
@ -8,12 +8,12 @@
|
|||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
tasks:
|
||||
- name: use python3
|
||||
set_fact:
|
||||
ansible.builtin.set_fact:
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
when: ansible_facts.distribution == 'Fedora'
|
||||
|
||||
- name: install packages # noqa ignore-errors
|
||||
yum:
|
||||
ansible.builtin.yum:
|
||||
name:
|
||||
- openssh-clients
|
||||
- openssh-server
|
||||
|
@ -23,7 +23,7 @@
|
|||
ignore_errors: true
|
||||
|
||||
- name: install packages # noqa ignore-errors
|
||||
dnf:
|
||||
ansible.builtin.dnf:
|
||||
name:
|
||||
- openssh-clients
|
||||
- openssh-server
|
||||
|
@ -33,7 +33,7 @@
|
|||
ignore_errors: true
|
||||
|
||||
- name: install packages # noqa ignore-errors
|
||||
apt:
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- openssh-client
|
||||
- openssh-server
|
||||
|
@ -43,7 +43,7 @@
|
|||
|
||||
- name: install required tools on SuSE
|
||||
# cannot use zypper module, since it depends on python-xml
|
||||
shell: "zypper -n install python-xml"
|
||||
ansible.builtin.shell: "zypper -n install python-xml"
|
||||
when: ansible_facts.os_family == 'Suse'
|
||||
|
||||
- name: install packages
|
||||
|
@ -67,7 +67,7 @@
|
|||
state: directory
|
||||
|
||||
- name: create ssh host keys # noqa ignore-errors
|
||||
command: "ssh-keygen -A"
|
||||
ansible.builtin.command: "ssh-keygen -A"
|
||||
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
|
||||
ansible_facts.distribution == "Fedora" or
|
||||
ansible_facts.distribution == "Amazon" or
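Review bot: The three `install packages` tasks that gained FQCNs still rely on `ignore_errors: true` (with `# noqa ignore-errors`) to select between yum, dnf and apt, so a genuine install failure on the right package manager is swallowed and only surfaces later as a missing sshd. Conditioning each on `when: ansible_facts.pkg_mgr == 'yum'` (`'dnf'`, `'apt'` respectively) presumably removes the need for both `ignore_errors` and the noqa. The `ssh-keygen -A` task's `when:` continues past the end of this hunk.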
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
tasks:
|
||||
- name: Execute cinc-auditor tests
|
||||
command: >
|
||||
ansible.builtin.command: >
|
||||
docker run
|
||||
--volume /run/docker.sock:/run/docker.sock
|
||||
docker.io/cincproject/auditor exec
|
||||
|
@ -19,10 +19,10 @@
|
|||
ignore_errors: true
|
||||
|
||||
- name: Display details about the cinc-auditor results
|
||||
debug:
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ test_results.stdout_lines }}"
|
||||
|
||||
- name: Fail when tests fail
|
||||
fail:
|
||||
ansible.builtin.fail:
|
||||
msg: "Inspec failed to validate"
|
||||
when: test_results.rc != 0
|
||||
|
|
|
@ -1,14 +1,12 @@
|
|||
---
|
||||
- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
|
||||
- name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
|
||||
hosts: all
|
||||
environment:
|
||||
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
||||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
collections:
|
||||
- devsec.hardening
|
||||
tasks:
|
||||
- include_role:
|
||||
name: ssh_hardening
|
||||
name: devsec.hardening.ssh_hardening
|
||||
vars:
|
||||
sftp_enabled: false
|
||||
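Review bot: `include_role` on the last task of the hunk is still the short action name while the role it includes was moved to its fully qualified name, so ansible-lint's `fqcn[action-core]` rule will keep firing on this line; it should be `ansible.builtin.include_role:`. The task also has no `name:`, which the `name[missing]` rule flags; a one-liner such as `- name: Apply ssh_hardening with sftp disabled` above it resolves that.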
|
|
|
@ -1,15 +1,15 @@
|
|||
---
|
||||
- name: prepare OpenBSD host
|
||||
- name: Prepare OpenBSD host
|
||||
hosts: all
|
||||
become: true
|
||||
gather_facts: false
|
||||
tasks:
|
||||
- name: install python
|
||||
- name: Install python
|
||||
# BSDs are special for Ansible - https://docs.ansible.com/ansible/latest/os_guide/intro_bsd.html
|
||||
raw: "pkg_add python%3.10"
|
||||
when: "lookup('env', 'MOLECULE_DISTRO') == 'openbsd7'"
|
||||
|
||||
- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
|
||||
- name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
|
||||
hosts: all
|
||||
become: true
|
||||
environment:
|
||||
|
@ -17,13 +17,13 @@
|
|||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
tasks:
|
||||
- name: created needed directory
|
||||
- name: Created needed directory
|
||||
file:
|
||||
path: "/var/run/sshd"
|
||||
state: directory
|
||||
|
||||
- name: create ssh host keys # noqa ignore-errors
|
||||
command: "ssh-keygen -A"
|
||||
- name: Create ssh host keys # noqa ignore-errors
|
||||
ansible.builtin.command: "ssh-keygen -A"
|
||||
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
|
||||
ansible_facts.distribution == "Fedora" or
|
||||
ansible_facts.distribution == "Amazon" or
|
||||
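Review bot: The `when:` of `Create ssh host keys` compares `ansible_facts.distribution_major_version < '7'` as strings, so a two-digit major such as `'10'` sorts below `'7'` and the `not (...)` guard would evaluate false for such releases unless a later disjunct covers them; cast first, `(ansible_facts.distribution_major_version | int) < 7`. The expression continues past the end of the hunk, and the same condition appears in the first file section on this page and in the `Create ssh host keys` task of the later wrapper playbook section. Two tasks in these hunks also keep short module names that the lint pass converted elsewhere: `raw:` should become `ansible.builtin.raw:` in the OpenBSD play and `file:` should become `ansible.builtin.file:` under `Created needed directory`, whose name should read `Create needed directory`.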
|
|
|
@ -3,7 +3,7 @@
|
|||
hosts: all
|
||||
become: true
|
||||
tasks:
|
||||
- name: use the type command instead of which to detect existing commands
|
||||
- name: Use the type command instead of which to detect existing commands
|
||||
file:
|
||||
src: "/usr/bin/which"
|
||||
dest: "/usr/bin/type"
|
||||
|
@ -17,21 +17,21 @@
|
|||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
tasks:
|
||||
- name: get ssh-config
|
||||
command:
|
||||
- name: Get ssh-config
|
||||
ansible.builtin.command:
|
||||
cmd: "vagrant ssh-config"
|
||||
chdir: "{{ molecule_ephemeral_directory }}"
|
||||
register: ssh_config
|
||||
changed_when: false
|
||||
|
||||
- name: create ssh-config file
|
||||
- name: Create ssh-config file
|
||||
copy:
|
||||
content: "{{ ssh_config.stdout_lines | join ('\n') }}"
|
||||
dest: "{{ molecule_ephemeral_directory }}/ssh-config"
|
||||
changed_when: false
|
||||
|
||||
- name: Execute cinc-auditor tests
|
||||
command: >
|
||||
ansible.builtin.command: >
|
||||
docker run
|
||||
--volume {{ molecule_ephemeral_directory }}:{{ molecule_ephemeral_directory }}
|
||||
--volume ./waivers_{{ lookup('env', 'MOLECULE_DISTRO') }}.yaml:/waivers.yaml
|
||||
|
@ -46,10 +46,10 @@
|
|||
ignore_errors: true
|
||||
|
||||
- name: Display details about the cinc-auditor results
|
||||
debug:
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ test_results.stdout_lines }}"
|
||||
|
||||
- name: Fail when tests fail
|
||||
fail:
|
||||
ansible.builtin.fail:
|
||||
msg: "Inspec failed to validate"
|
||||
when: test_results.rc != 0
|
||||
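Review bot: `file:` under `Use the type command instead of which` and `copy:` under `Create ssh-config file` are still short module names while the neighbouring `command`, `debug` and `fail` tasks in the same hunks were converted, so `fqcn[action-core]` will keep flagging this file; change them to `ansible.builtin.file:` and `ansible.builtin.copy:`. The `file:` task body continues outside the hunk, so its `state` is not visible here. The `copy` task is marked `changed_when: false` even though it writes `ssh-config` into the ephemeral directory; that is acceptable for verify scaffolding but deserves a comment such as `# test scaffolding only, intentionally never reported as a change`.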
|
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
- name: wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
|
||||
- name: Wrapper playbook for kitchen testing "ansible-ssh-hardening" with default settings
|
||||
hosts: all
|
||||
become: true
|
||||
environment:
|
||||
|
@ -7,13 +7,13 @@
|
|||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
tasks:
|
||||
- name: use python3
|
||||
set_fact:
|
||||
- name: Use python3
|
||||
ansible.builtin.set_fact:
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
when: ansible_facts.distribution == 'Fedora'
|
||||
|
||||
- name: install packages # noqa ignore-errors
|
||||
yum:
|
||||
- name: Install packages # noqa ignore-errors
|
||||
ansible.builtin.yum:
|
||||
name:
|
||||
- openssh-clients
|
||||
- openssh-server
|
||||
|
@ -22,8 +22,8 @@
|
|||
update_cache: true
|
||||
ignore_errors: true
|
||||
|
||||
- name: install packages # noqa ignore-errors
|
||||
dnf:
|
||||
- name: Install packages # noqa ignore-errors
|
||||
ansible.builtin.dnf:
|
||||
name:
|
||||
- openssh-clients
|
||||
- openssh-server
|
||||
|
@ -32,8 +32,8 @@
|
|||
update_cache: true
|
||||
ignore_errors: true
|
||||
|
||||
- name: install packages # noqa ignore-errors
|
||||
apt:
|
||||
- name: Install packages # noqa ignore-errors
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- openssh-client
|
||||
- openssh-server
|
||||
|
@ -41,18 +41,18 @@
|
|||
update_cache: true
|
||||
ignore_errors: true
|
||||
|
||||
- name: install required tools on SuSE
|
||||
- name: Install required tools on SuSE
|
||||
# cannot use zypper module, since it depends on python-xml
|
||||
shell: "zypper -n install python-xml"
|
||||
ansible.builtin.shell: "zypper -n install python-xml"
|
||||
when: ansible_facts.os_family == 'Suse'
|
||||
|
||||
- name: install packages
|
||||
- name: Install packages
|
||||
zypper:
|
||||
name:
|
||||
- "openssh"
|
||||
when: ansible_facts.os_family == 'Suse'
|
||||
|
||||
- name: install required tools on Arch
|
||||
- name: Install required tools on Arch
|
||||
pacman:
|
||||
name:
|
||||
- openssh
|
||||
|
@ -61,13 +61,13 @@
|
|||
update_cache: true
|
||||
when: ansible_facts.os_family == 'Archlinux'
|
||||
|
||||
- name: created needed directory
|
||||
- name: Created needed directory
|
||||
file:
|
||||
path: "/var/run/sshd"
|
||||
state: directory
|
||||
|
||||
- name: create ssh host keys # noqa ignore-errors
|
||||
command: "ssh-keygen -A"
|
||||
- name: Create ssh host keys # noqa ignore-errors
|
||||
ansible.builtin.command: "ssh-keygen -A"
|
||||
when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7') or
|
||||
ansible_facts.distribution == "Fedora" or
|
||||
ansible_facts.distribution == "Amazon" or
|