Commit graph

79 commits

Author SHA1 Message Date
schurzi
9b32aca0ca
run our CI tests periodically (#634)
* allow multiple instances for os vm tests

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add scheduled trigger to all test actions

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use different scenario names

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use different scenario names

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use different scenario names

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use username to create uniqe vms

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use compatible name

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add explaination

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

---------

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-02-07 09:27:46 +01:00
Sebastian Gumprich
c2e9c9a8dd
try to fix molecule local tests (#632)
these settings are probably not necessary (geerlingguys images dont have them either)

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-02-06 14:01:40 +01:00
Norman Ziegner
c594a1fe6a
os_hardening: Add test for setting password warning days via variable os_auth_pw_warn_age
Signed-off-by: Norman Ziegner <norman.ziegner@ufz.de>
2023-02-03 14:47:27 +01:00
DonEstefan
16e00b02db
rewrite user home dir hardening (#584)
* rewrite user home dir hardening

* delete duplicate var that was missed in a merge conflict

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* linting

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add tests for home rewrites

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* Apply suggestions from code review

Co-authored-by: schurzi <github@drachen-server.de>

---------

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: donestefan <donestefan@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: schurzi <github@drachen-server.de>
2023-01-28 21:59:19 +01:00
Sebastian Gumprich
89138be4ec
Rewrite system account detection and hardening and create tests (#621)
* rewrite system account detection and hardening

* resolve failures created when resolving merge conflicts

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add tests for shell removal tasks

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* Update molecule/os_hardening/prepare.yml

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* split tasks for locking and setting shell

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* fix some more linting

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
Co-authored-by: donestefan <donestefan@users.noreply.github.com>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
2023-01-27 11:01:03 +01:00
Sebastian Gumprich
281d706660 add waiver to not test mounts
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-01-24 13:03:04 +01:00
Sebastian Gumprich
d386bf36d2 Revert "manage tmp dir in tests"
This reverts commit 966f2fe137.
2023-01-24 12:53:39 +01:00
Sebastian Gumprich
966f2fe137 manage tmp dir in tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-01-24 12:36:09 +01:00
Sebastian Gumprich
fa2e90c6f2 mount cgroup rw, as suse seems to need it
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-01-23 15:59:06 +01:00
Sebastian Gumprich
ed1cb1c2a7 add cgroupns: host mode to molecule
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-01-23 15:59:06 +01:00
Sebastian Gumprich
a0d11faa8a Fixed problems with running molecule locally with cgroup v2
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-01-23 15:59:06 +01:00
DonEstefan
674be6dc6f
apply password age settings to exisiting regular users (#582)
* apply password age settings to regular users

* add tests for password ageing

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add debugging vars

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add tests for password ageing

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* add tests for password ageing

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* Apply suggestions from code review

Co-authored-by: schurzi <github@drachen-server.de>

* add additional condtion for regular users

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: DonEstefan <donestefan@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: schurzi <github@drachen-server.de>
2023-01-23 10:50:05 +01:00
Sebastian Gumprich
142782bad6 add diff to molecule
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2023-01-19 13:46:16 +01:00
Sebastian Gumprich
be0642bcfb
add verify-task to check if mysql is running and enabled (#608)
* add verify-task to check if mysql is running and enabled

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* Update molecule/mysql_hardening/verify_tasks/service.yml

Co-authored-by: schurzi <Martin.Schurz@t-systems.com>

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: schurzi <Martin.Schurz@t-systems.com>
2022-12-07 08:49:07 +01:00
Sebastian Gumprich
e66c2eb6bb
Add OpenSUSE support (#605)
* Add variables for mariadb on opensuse

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* enable pipeline

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* add a note about the reuirement of the jmespath library.

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* Use python3 on opensuse

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* fix my yml.

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* use right ansible variable

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* Suse requires python-rpm

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* try zypper

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* python-xml

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* another try at fixing the install

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* fix my yml

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* another try

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* another try

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* another try now with rpm.

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* fix my yml...

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* typo

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* do the test for Suse on the shell and not in ansible

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* specify to use bash

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* specify to use bash

* try the removes keyword of builtin.shell

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* fix ansible syntax

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* fix zypper syntax

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* ensure pymysql is present

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>

* set ansible python interpreter in converge-step, too

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* move install task to prepare

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

Signed-off-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Florian Goth <fgoth@physik.uni-wuerzburg.de>
2022-11-29 15:09:27 +01:00
Sebastian Gumprich
e2b963d711 change baselines back to master
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-10-25 18:59:11 +02:00
Sebastian Gumprich
414efd6125 use correct centos stream images, try to fix prepare step for debian tests
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-10-25 18:59:11 +02:00
Sebastian Gumprich
87a461fc57 use forked mysql-baseline
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-10-25 18:59:11 +02:00
Sebastian Gumprich
9d75e3b00e test crypto changes from ssh-baseline
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-10-24 10:03:07 +02:00
schurzi
c1cd6c5ac3
change default to allow SFTP (#564)
* change default to allow SFTP

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add documentation

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* diasble sftp for default tests

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* extend documentation

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* fix typo

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* correct ssh version

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-08-22 10:03:37 +02:00
PhilippFunk
fd3fc1cfba
add option to bypass .netrc check function (#563)
add option to whitelist specific user that need a .netrc file in there home dirs
add test for .netrc files if option os_netrc_enabled is false

Signed-off-by: Philipp Funk <philipp.funk@t-systems.com>

Signed-off-by: Philipp Funk <philipp.funk@t-systems.com>
Co-authored-by: Philipp Funk <philipp.funk@t-systems.com>
2022-08-17 09:09:00 +02:00
Daya Adianto
eef8708918
Add full support for Debian 11 (#538)
* Include Debian 11 into Molecule test suites (#527)

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* Fix Ansible Lint GitHub Action version (#527)

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* Update .gitignore

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* mysql_hardening: Use Python 3 as Ansible interpreter (#527)

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* Note Debian 11 support for os_hardening & nginx_hardening (#527)

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* Fix lint issues & Ansible Lint configuration in CI

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* Try to fix YAML lint issues, again

Re-ordered YAML comments at the end of `.yamllint` file.

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>

* rm debian9 from tests, add debian 11 where missing

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

* fix mysql molecule tests

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>

Signed-off-by: Daya Adianto <dayaadianto@cs.ui.ac.id>
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
Co-authored-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-08-16 15:02:27 +02:00
schurzi
a806ec8598
add posibility to run ssh_hardening as unprivileged user (#561)
* add VM tests for ssh_hardening

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* remove VM tests from ssh_hardening

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* run ssh_hardening test as unprivileged user

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add link for documentation

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* use different config

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* remove become

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* re-add become

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* move become into role

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* indentation

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* try args apply

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* fix linting

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* add documentation

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-08-15 13:19:07 +02:00
Martin Schurz
27d091e871 reduce testing on vm
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-11 16:08:35 +02:00
Martin Schurz
c81ce23ed7 disable ctrl+alt+del for vm tests
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-11 13:04:14 +02:00
Martin Schurz
72cb97c8d5 remove waivers file from docker test config
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-11 12:36:48 +02:00
Martin Schurz
edda7075a2 add badge for tests
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-11 12:17:34 +02:00
Martin Schurz
1825eba27a exclude opensuse
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-10 21:08:50 +02:00
Martin Schurz
fa7f8597d9 fix bug in check for /boot
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-10 13:36:19 +02:00
Martin Schurz
b6b2d45f09 speedup ansible
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 15:43:59 +02:00
Martin Schurz
9cfe1f2b9a also harden /boot
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 15:43:11 +02:00
Martin Schurz
e49eacd8ec icrease ressources for test vm
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 10:42:20 +02:00
Martin Schurz
7535abd882 remove waiver
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 02:22:35 +02:00
Martin Schurz
400e576984 use correct parameter
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 01:47:59 +02:00
Martin Schurz
e742330a41 add testing of os_hardning on vm
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-09 00:52:58 +02:00
Martin Schurz
21df60a71f fix includes
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-08 17:24:07 +02:00
Sebastian Gumprich
bf372f8493 rename tasks file and remove redundant 'verify'
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-07-08 16:04:24 +02:00
Sebastian Gumprich
ef89d52f98 remove duplicate file
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-07-07 16:22:10 +02:00
Sebastian Gumprich
9b50392d8a fix linting
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-07-07 16:12:06 +02:00
Sebastian Gumprich
215c50709b tempt 2022-07-07 15:34:28 +02:00
Sebastian Gumprich
af14af5954
add waivers to skip controls (#529)
Signed-off-by: rndmh3ro <github@gumpri.ch>
2022-02-21 13:58:39 +01:00
Sebastian Gumprich
8f22ce788c
Feature coredump (#513)
* restructure limits-tasks

* disable coredumps in tests

* use notify-task for systemd-reload

Signed-off-by: rndmh3ro <github@gumpri.ch>

* add notify to another task

Signed-off-by: rndmh3ro <github@gumpri.ch>

* rm obsolete task and rename handler

Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-12-10 22:10:14 +01:00
René Scheibe
0609cf729a Improve installing packages on Arch Linux
This prevents annoying task errors (even though they are ignored)
when testing on non-Arch distributions.

Running the "prepare" command, this was always visible:
> fatal: [instance]: FAILED! => {"changed": false, "msg": "Failed to find required executable \"pacman\" in paths: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"}

Signed-off-by: René Scheibe <rene.scheibe@gmail.com>
2021-11-07 13:53:03 +01:00
René Scheibe
bbe4ce16a1
Add whitelist option for yum repository files (#487)
Files in this whitelist should not be altered.

Currently this is only relevant for enforcing the gpg check.

Signed-off-by: René Scheibe <rene.scheibe@gmail.com>
2021-11-07 11:56:59 +01:00
lbayerlein
1bf31a197b
disable ctrl-alt-del key combination (#496)
* new function to disable ctrl-alt-del to avooid reboot virtual machines f.e.

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* fix variable documentation for ctrlaltdel

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* added ctrlaltdel variable for molecule

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* optimize ctrlaltdel function with a 'when' query. thanks to rndmh3ro

Signed-off-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>

* fix typo in new file

Co-authored-by: Ludwig Bayerlein <bayerlein@bayerlein-networks.com>
Co-authored-by: Sebastian Gumprich <rndmh3ro@users.noreply.github.com>
2021-10-28 10:31:58 +02:00
schurzi
12c1f3dd78
Merge pull request #491 from dev-sec/recreate_tests
revive old tests with custom ssh settings
2021-10-25 11:12:10 +02:00
rndmh3ro
7f17f9b8b2 remove unused verify file
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-25 11:04:47 +02:00
rndmh3ro
f32b2c2c5e fix match address test 2021-10-20 15:18:01 +02:00
rndmh3ro
3877a9bab1 fix comment
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-18 22:00:01 +02:00
rndmh3ro
cb7f447d9f fix comment
Signed-off-by: rndmh3ro <github@gumpri.ch>
2021-10-18 21:55:01 +02:00