mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-09-20 05:11:53 +00:00
add testing of os_hardning on vm
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
This commit is contained in:
parent
b00b38ece6
commit
e742330a41
10 changed files with 384 additions and 0 deletions
44
.github/workflows/os_hardening_vm.yml
vendored
Normal file
44
.github/workflows/os_hardening_vm.yml
vendored
Normal file
|
@ -0,0 +1,44 @@
|
|||
---
|
||||
name: "devsec.os_hardening"
|
||||
on: # yamllint disable-line rule:truthy
|
||||
workflow_dispatch:
|
||||
push:
|
||||
paths:
|
||||
- 'roles/os_hardening/**'
|
||||
- 'molecule/os_hardening_vm/**'
|
||||
- '.github/workflows/os_hardening_vm.yml'
|
||||
pull_request:
|
||||
paths:
|
||||
- 'roles/os_hardening/**'
|
||||
- 'molecule/os_hardening_vm/**'
|
||||
- '.github/workflows/os_hardening_vm.yml'
|
||||
jobs:
|
||||
build:
|
||||
runs-on: self-hosted
|
||||
env:
|
||||
PY_COLORS: 1
|
||||
ANSIBLE_FORCE_COLOR: 1
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
molecule_distro:
|
||||
- ubuntu1804
|
||||
steps:
|
||||
- name: Checkout repo
|
||||
uses: actions/checkout@v3
|
||||
with:
|
||||
path: ansible_collections/devsec/hardening
|
||||
submodules: true
|
||||
|
||||
- name: Create default collection path symlink
|
||||
run: |
|
||||
mkdir -p /home/runner/.ansible
|
||||
ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
|
||||
|
||||
- name: Test with molecule
|
||||
run: |
|
||||
molecule --version
|
||||
molecule test -s os_hardening
|
||||
env:
|
||||
MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
|
||||
working-directory: ansible_collections/devsec/hardening
|
22
molecule/os_hardening_vm/INSTALL.rst
Normal file
22
molecule/os_hardening_vm/INSTALL.rst
Normal file
|
@ -0,0 +1,22 @@
|
|||
*******
|
||||
Docker driver installation guide
|
||||
*******
|
||||
|
||||
Requirements
|
||||
============
|
||||
|
||||
* Docker Engine
|
||||
|
||||
Install
|
||||
=======
|
||||
|
||||
Please refer to the `Virtual environment`_ documentation for installation best
|
||||
practices. If not using a virtual environment, please consider passing the
|
||||
widely recommended `'--user' flag`_ when invoking ``pip``.
|
||||
|
||||
.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
|
||||
.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ python3 -m pip install 'molecule[docker]'
|
38
molecule/os_hardening_vm/converge.yml
Normal file
38
molecule/os_hardening_vm/converge.yml
Normal file
|
@ -0,0 +1,38 @@
|
|||
---
|
||||
- name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
|
||||
hosts: all
|
||||
become: true
|
||||
environment:
|
||||
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
||||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
collections:
|
||||
- devsec.hardening
|
||||
tasks:
|
||||
- include_role:
|
||||
name: os_hardening
|
||||
vars:
|
||||
os_auth_pam_passwdqc_enable: false
|
||||
os_auth_lockout_time: 15
|
||||
os_yum_repo_file_whitelist: ['foo.repo']
|
||||
|
||||
# - name: wrapper playbook for kitchen testing "ansible-os-hardening"
|
||||
# hosts: all
|
||||
# become: true
|
||||
# collections:
|
||||
# - devsec.hardening
|
||||
# vars:
|
||||
# os_auditd_enabled: false
|
||||
# tasks:
|
||||
# - name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
|
||||
# set_fact:
|
||||
# ansible_python_interpreter: "/usr/bin/python3"
|
||||
# when: ansible_facts.distribution == 'Fedora'
|
||||
#
|
||||
# - name: Run the equivalent of "apt-get update" as a separate step
|
||||
# apt:
|
||||
# update_cache: yes
|
||||
# when: ansible_facts.os_family == 'Debian'
|
||||
#
|
||||
# - include_role:
|
||||
# name: os_hardening
|
51
molecule/os_hardening_vm/molecule.yml
Normal file
51
molecule/os_hardening_vm/molecule.yml
Normal file
|
@ -0,0 +1,51 @@
|
|||
---
|
||||
dependency:
|
||||
name: galaxy
|
||||
options:
|
||||
role-file: molecule/os_hardening/requirements.yml
|
||||
driver:
|
||||
name: vagrant
|
||||
provider:
|
||||
name: libvirt
|
||||
platforms:
|
||||
- name: instance
|
||||
image: "generic/${MOLECULE_DISTRO}"
|
||||
provisioner:
|
||||
name: ansible
|
||||
config_options:
|
||||
defaults:
|
||||
interpreter_python: auto_silent
|
||||
callback_whitelist: profile_tasks, timer, yaml
|
||||
verifier:
|
||||
name: ansible
|
||||
|
||||
scenario:
|
||||
create_sequence:
|
||||
- dependency
|
||||
- create
|
||||
- prepare
|
||||
check_sequence:
|
||||
- dependency
|
||||
- destroy
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- check
|
||||
- destroy
|
||||
converge_sequence:
|
||||
- dependency
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
destroy_sequence:
|
||||
- destroy
|
||||
test_sequence:
|
||||
- dependency
|
||||
- destroy
|
||||
- syntax
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- idempotence
|
||||
- verify
|
||||
- destroy
|
60
molecule/os_hardening_vm/prepare.yml
Normal file
60
molecule/os_hardening_vm/prepare.yml
Normal file
|
@ -0,0 +1,60 @@
|
|||
---
|
||||
- name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
|
||||
hosts: all
|
||||
become: true
|
||||
collections:
|
||||
- devsec.hardening
|
||||
environment:
|
||||
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
||||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
tasks:
|
||||
- name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
|
||||
set_fact:
|
||||
ansible_python_interpreter: "/usr/bin/python3"
|
||||
when: ansible_facts.distribution == 'Fedora'
|
||||
|
||||
- name: Run the equivalent of "apt-get update && apt-get upgrade"
|
||||
apt:
|
||||
name: "*"
|
||||
state: latest
|
||||
update_cache: true
|
||||
when: ansible_os_family == 'Debian'
|
||||
|
||||
- name: install required tools on SuSE
|
||||
# cannot use zypper module, since it depends on python-xml
|
||||
shell: "zypper -n install python-xml"
|
||||
when: ansible_facts.os_family == 'Suse'
|
||||
|
||||
- name: install required tools on fedora
|
||||
dnf:
|
||||
name:
|
||||
- python
|
||||
- findutils
|
||||
- procps-ng
|
||||
when: ansible_facts.distribution == 'Fedora'
|
||||
|
||||
- name: install required tools on Arch
|
||||
community.general.pacman:
|
||||
name:
|
||||
- awk
|
||||
state: present
|
||||
update_cache: true
|
||||
when: ansible_facts.os_family == 'Archlinux'
|
||||
|
||||
- name: install required tools on RHEL # noqa ignore-errors
|
||||
yum:
|
||||
name:
|
||||
- openssh-clients
|
||||
- openssh
|
||||
state: present
|
||||
update_cache: true
|
||||
ignore_errors: true
|
||||
|
||||
- name: create recursing symlink to test minimize access
|
||||
shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
|
||||
changed_when: false
|
||||
|
||||
- name: include YUM prepare tasks
|
||||
include_tasks: prepare_tasks/yum.yml
|
||||
when: ansible_facts.os_family == 'RedHat'
|
16
molecule/os_hardening_vm/prepare_tasks/yum.yml
Normal file
16
molecule/os_hardening_vm/prepare_tasks/yum.yml
Normal file
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
- name: create 'foo' repository
|
||||
ansible.builtin.yum_repository:
|
||||
name: foo
|
||||
description: mandatory description
|
||||
baseurl: file:///mandatory-url
|
||||
enabled: false
|
||||
gpgcheck: false
|
||||
|
||||
- name: create 'bar' repository
|
||||
ansible.builtin.yum_repository:
|
||||
name: bar
|
||||
description: mandatory description
|
||||
baseurl: file:///mandatory-url
|
||||
enabled: false
|
||||
gpgcheck: false
|
3
molecule/os_hardening_vm/requirements.yml
Normal file
3
molecule/os_hardening_vm/requirements.yml
Normal file
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
roles:
|
||||
- geerlingguy.git
|
83
molecule/os_hardening_vm/verify.yml
Normal file
83
molecule/os_hardening_vm/verify.yml
Normal file
|
@ -0,0 +1,83 @@
|
|||
---
|
||||
- name: Verify
|
||||
hosts: all
|
||||
become: true
|
||||
environment:
|
||||
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
|
||||
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
|
||||
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
|
||||
roles:
|
||||
- geerlingguy.git
|
||||
tasks:
|
||||
- name: install fake SuSE-release for cinc compatibility
|
||||
copy:
|
||||
content: |
|
||||
openSUSE Faked Enterprise 2020 (x86_64)
|
||||
VERSION = 2020
|
||||
CODENAME = Faked Feature
|
||||
dest: /etc/SuSE-release
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0444'
|
||||
when: ansible_facts.os_family == 'Suse'
|
||||
|
||||
- name: install git for SuSE since geerlinguy.git does not support it
|
||||
zypper:
|
||||
name: git
|
||||
state: present
|
||||
when: ansible_facts.os_family == 'Suse'
|
||||
|
||||
- name: Run the equivalent of "apt-get update" as a separate step
|
||||
apt:
|
||||
update_cache: true
|
||||
when: ansible_facts.os_family == 'Debian'
|
||||
|
||||
- name: install required tools on debian
|
||||
apt:
|
||||
name: procps
|
||||
when: ansible_facts.os_family == 'Debian'
|
||||
|
||||
- name: include PAM tests
|
||||
include_tasks: verify_tasks/pam.yml
|
||||
when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat'
|
||||
|
||||
- name: include YUM tests
|
||||
include_tasks: verify_tasks/yum.yml
|
||||
when: ansible_facts.os_family == 'RedHat'
|
||||
|
||||
- name: download cinc-auditor
|
||||
get_url:
|
||||
url: https://omnitruck.cinc.sh/install.sh
|
||||
dest: /tmp/install.sh
|
||||
mode: '0775'
|
||||
|
||||
- name: install cinc-auditor
|
||||
shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
|
||||
|
||||
- name: Execute cinc-auditor tests # noqa ignore-errors
|
||||
command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit --waiver-file waivers.yaml https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip"
|
||||
register: test_results
|
||||
changed_when: false
|
||||
ignore_errors: true
|
||||
|
||||
- name: Display details about the cinc-auditor results
|
||||
debug:
|
||||
msg: "{{ test_results.stdout_lines }}"
|
||||
|
||||
- name: Fail when tests fail
|
||||
fail:
|
||||
msg: "Inspec failed to validate"
|
||||
when: test_results.rc != 0
|
||||
|
||||
# test if variable can be overridden
|
||||
- name: workaround for https://github.com/ansible/ansible/issues/66304
|
||||
set_fact:
|
||||
os_env_umask: "027 #override"
|
||||
|
||||
- include_role:
|
||||
name: os_hardening
|
||||
|
||||
- name: verify os_env_umask
|
||||
shell:
|
||||
cmd: "grep '027 #override' /etc/login.defs"
|
||||
changed_when: false
|
59
molecule/os_hardening_vm/verify_tasks/pam.yml
Normal file
59
molecule/os_hardening_vm/verify_tasks/pam.yml
Normal file
|
@ -0,0 +1,59 @@
|
|||
---
|
||||
- name: download pam-tester
|
||||
get_url:
|
||||
url: https://github.com/schurzi/pam-tester/releases/download/latest/pam-tester
|
||||
dest: /bin/pam-tester
|
||||
mode: 0555
|
||||
|
||||
- name: set password for test
|
||||
set_fact:
|
||||
test_pw: "myTest!pw"
|
||||
|
||||
- name: set locale for test
|
||||
set_fact:
|
||||
locale: "en_US.UTF-8"
|
||||
when:
|
||||
- ansible_facts.os_family == 'RedHat'
|
||||
- ansible_facts.distribution_major_version < '8'
|
||||
|
||||
- name: create testuser
|
||||
user:
|
||||
name: testuser
|
||||
password: "{{ test_pw | password_hash('sha512') }}"
|
||||
|
||||
- name: check successfull login with correct password
|
||||
shell:
|
||||
cmd: "pam-tester --user testuser --password {{ test_pw }}"
|
||||
environment:
|
||||
TMPDIR: /var/tmp
|
||||
LC_ALL: "{{ locale | default('C.UTF-8') }}"
|
||||
LANG: "{{ locale | default('C.UTF-8') }}"
|
||||
|
||||
- name: check unsuccessfull login with incorrect password
|
||||
shell:
|
||||
cmd: "pam-tester --user testuser --password {{ test_pw }}fail --expectfail"
|
||||
environment:
|
||||
TMPDIR: /var/tmp
|
||||
LC_ALL: "{{ locale | default('C.UTF-8') }}"
|
||||
LANG: "{{ locale | default('C.UTF-8') }}"
|
||||
with_sequence: count=6
|
||||
|
||||
- name: check unsuccessfull login, with correct password (lockout)
|
||||
shell:
|
||||
cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail"
|
||||
environment:
|
||||
TMPDIR: /var/tmp
|
||||
LC_ALL: "{{ locale | default('C.UTF-8') }}"
|
||||
LANG: "{{ locale | default('C.UTF-8') }}"
|
||||
|
||||
- name: wait for account to unlock
|
||||
pause:
|
||||
seconds: 20
|
||||
|
||||
- name: check successfull login
|
||||
shell:
|
||||
cmd: "pam-tester --user testuser --password {{ test_pw }}"
|
||||
environment:
|
||||
TMPDIR: /var/tmp
|
||||
LC_ALL: "{{ locale | default('C.UTF-8') }}"
|
||||
LANG: "{{ locale | default('C.UTF-8') }}"
|
8
molecule/os_hardening_vm/verify_tasks/yum.yml
Normal file
8
molecule/os_hardening_vm/verify_tasks/yum.yml
Normal file
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
- name: verify 'gpgcheck' was not enabled for 'foo' repository (in whitelist)
|
||||
command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo
|
||||
changed_when: false
|
||||
|
||||
- name: verify 'gpgcheck' was enabled for 'bar' repository (not in whitelist)
|
||||
command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo
|
||||
changed_when: false
|
Loading…
Reference in a new issue