
Merge pull request #1 from ansible-lockdown/v3_updates
V3 updates
uk-bolly authored Jun 6, 2024
2 parents 6bf65cd + 49d4df7 commit 69a1c91
Showing 10 changed files with 126 additions and 100 deletions.
77 changes: 41 additions & 36 deletions .github/workflows/devel_pipeline_validation.yml
@@ -1,6 +1,6 @@
---

name: Devel pipeline
name: Devel pipeline (tofu)

on: # yamllint disable-line rule:truthy
pull_request_target:
Expand All @@ -13,13 +13,21 @@
- '**.j2'
- '**.ps1'
- '**.cfg'
# Allow manual running of workflow
workflow_dispatch:

# Allow permissions for AWS auth
permissions:
id-token: write
contents: read
pull-requests: read

# A workflow run is made up of one or more jobs
# that can run sequentially or in parallel
jobs:
# This will create messages for first time contributers and direct them to the Discord server
welcome:
runs-on: ubuntu-latest
runs-on: self-hosted

steps:
- uses: actions/first-interaction@main
Expand All @@ -32,39 +40,44 @@
# This workflow contains a single job that tests the playbook
playbook-test:
# The type of runner that the job will run on
runs-on: ubuntu-latest
runs-on: self-hosted
env:
ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
# Imported as a variable by terraform
TF_VAR_repository: ${{ github.event.repository.name }}
AWS_REGION : "us-east-1"
defaults:
run:
shell: bash
working-directory: .github/workflows/github_linux_IaC
# working-directory: .github/workflows

steps:
- name: Clone ${{ github.event.repository.name }}

- name: Git clone the lockdown repository to test
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

# Pull in terraform code for linux servers
- name: Clone GitHub IaC plan
uses: actions/checkout@v4
with:
repository: ansible-lockdown/github_linux_IaC
path: .github/workflows/github_linux_IaC
ref: self_hosted

- name: Add_ssh_key
working-directory: .github/workflows
env:
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
run: |
mkdir .ssh
chmod 700 .ssh
echo $PRIVATE_KEY > .ssh/github_actions.pem
chmod 600 .ssh/github_actions.pem
# Uses dedicated restricted role and policy to enable this only for this task
# No credentials are part of github for AWS auth
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@main
with:
role-to-assume: arn:aws:iam::817651307868:role/Ansible_Lockdown_Environment
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ env.AWS_REGION }}

- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

- name: DEBUG - Show IaC files
if: env.ENABLE_DEBUG == 'true'
Expand All @@ -78,30 +91,28 @@
OSVAR: ${{ vars.OSVAR }}
benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Init
- name: Tofu init
id: init
run: terraform init
run: tofu init
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Validate
- name: Tofu validate
id: validate
run: terraform validate
run: tofu validate
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Apply
- name: Tofu apply
id: apply
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false

## Debug Section
- name: DEBUG - Show Ansible hostfile
Expand All @@ -110,29 +121,23 @@

# Aws deployments taking a while to come up insert sleep or playbook fails

- name: Sleep for 60 seconds
- name: Sleep period of time
run: sleep ${{ vars.BUILD_SLEEPTIME }}

# Run the Ansible playbook
- name: Run_Ansible_Playbook
uses: arillso/action.playbook@master
with:
playbook: site.yml
inventory: .github/workflows/github_linux_IaC/hosts.yml
galaxy_file: collections/requirements.yml
private_key: ${{ secrets.SSH_PRV_KEY }}
# verbose: 3
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
ANSIBLE_DEPRECATION_WARNINGS: "false"
ANSIBLE_VERSION: "2.16.6"
run: |
/opt/ansible_"${ANSIBLE_VERSION}"_venv/bin/ansible-playbook -i .github/workflows/hosts.yml --private-key ~/.ssh/le_runner site.yml
# Remove test system - User secrets to keep if necessary

- name: Terraform_Destroy
- name: Tofu Destroy
if: always() && env.ENABLE_DEBUG == 'false'
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false
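Review bot: `permissions: id-token: write` and the `role-to-assume` step now give the `playbook-test` job an AWS role, while the workflow is still triggered by `pull_request_target` and, as far as I can read the sides, later runs `ansible-playbook ... site.yml` from a checkout of `github.event.pull_request.head.sha`; on this trigger a pull request from a fork runs with the base repository's token and secrets, so the job should be gated before any PR content is executed (for example `if: github.event.pull_request.head.repo.full_name == github.repository` on the job, or a GitHub environment with required reviewers), and `permissions` belongs on `playbook-test` rather than at workflow level, where `welcome` inherits an `id-token: write` it does not need. The PR head is also checked out twice — once under `steps:` and again in the added `Clone ${{ github.event.repository.name }}` step after the AWS step; actions/checkout cleans the workspace by default (`clean: true`), which can discard the nested `.github/workflows/github_linux_IaC` checkout before `tofu init`, so either drop the second checkout or set `clean: false` on it. With `defaults.run.working-directory: .github/workflows/github_linux_IaC` the `Run_Ansible_Playbook` step resolves `site.yml` and `-i .github/workflows/hosts.yml` relative to the IaC directory rather than the repository root; if the playbook lives at the root, give that step `working-directory: ${{ github.workspace }}`. `aws-actions/configure-aws-credentials@main` and `actions/first-interaction@main` follow a mutable branch; pin them to a release tag or a full commit SHA. main_pipeline_validation.yml carries the same permissions, checkout, working-directory and pinning pattern, and the `playbook-test` job spans the collapsed hunks below this one.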
82 changes: 48 additions & 34 deletions .github/workflows/main_pipeline_validation.yml
Expand Up @@ -14,46 +14,68 @@
- '**.ps1'
- '**.cfg'

# Allow permissions for AWS auth
permissions:
id-token: write
contents: read
pull-requests: read

# A workflow run is made up of one or more jobs
# that can run sequentially or in parallel
jobs:
# This will create messages for first time contributers and direct them to the Discord server
welcome:
runs-on: self-hosted

steps:
- uses: actions/first-interaction@main
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: |-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
# This workflow contains a single job that tests the playbook
playbook-test:
# The type of runner that the job will run on
runs-on: ubuntu-latest
runs-on: self-hosted
env:
ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
# Imported as a variable by terraform
TF_VAR_repository: ${{ github.event.repository.name }}
AWS_REGION : "us-east-1"
defaults:
run:
shell: bash
working-directory: .github/workflows/github_linux_IaC
# working-directory: .github/workflows

steps:
- name: Clone ${{ github.event.repository.name }}

- name: Git clone the lockdown repository to test
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

# Pull in terraform code for linux servers
- name: Clone GitHub IaC plan
uses: actions/checkout@v4
with:
repository: ansible-lockdown/github_linux_IaC
path: .github/workflows/github_linux_IaC
ref: self_hosted

- name: Add_ssh_key
working-directory: .github/workflows
env:
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
run: |
mkdir .ssh
chmod 700 .ssh
echo $PRIVATE_KEY > .ssh/github_actions.pem
chmod 600 .ssh/github_actions.pem
# Uses dedicated restricted role and policy to enable this only for this task
# No credentials are part of github for AWS auth
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@main
with:
role-to-assume: arn:aws:iam::817651307868:role/Ansible_Lockdown_Environment
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ env.AWS_REGION }}

- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

- name: DEBUG - Show IaC files
if: env.ENABLE_DEBUG == 'true'
Expand All @@ -67,30 +89,28 @@
OSVAR: ${{ vars.OSVAR }}
benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Init
- name: Tofu init
id: init
run: terraform init
run: tofu init
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Validate
- name: Tofu validate
id: validate
run: terraform validate
run: tofu validate
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Apply
- name: Tofu apply
id: apply
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false

## Debug Section
- name: DEBUG - Show Ansible hostfile
Expand All @@ -99,29 +119,23 @@

# Aws deployments taking a while to come up insert sleep or playbook fails

- name: Sleep for 60 seconds
- name: Sleep period of time
run: sleep ${{ vars.BUILD_SLEEPTIME }}

# Run the Ansible playbook
- name: Run_Ansible_Playbook
uses: arillso/action.playbook@master
with:
playbook: site.yml
inventory: .github/workflows/github_linux_IaC/hosts.yml
galaxy_file: collections/requirements.yml
private_key: ${{ secrets.SSH_PRV_KEY }}
# verbose: 3
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
ANSIBLE_DEPRECATION_WARNINGS: "false"
ANSIBLE_VERSION: "2.16.6"
run: |
/opt/ansible_"${ANSIBLE_VERSION}"_venv/bin/ansible-playbook -i .github/workflows/hosts.yml --private-key ~/.ssh/le_runner site.yml
# Remove test system - User secrets to keep if necessary

- name: Terraform_Destroy
- name: Tofu Destroy
if: always() && env.ENABLE_DEBUG == 'false'
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false
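Review bot: `run: sleep ${{ vars.BUILD_SLEEPTIME }}` fails with `sleep: missing operand` when the repository variable is unset, and the previous step name `Sleep for 60 seconds` suggests a fixed fallback used to exist; write `run: sleep "${{ vars.BUILD_SLEEPTIME || 60 }}"` (the same line is in devel_pipeline_validation.yml). The `Run_Ansible_Playbook` step depends on the self-hosted runner providing `/opt/ansible_${ANSIBLE_VERSION}_venv` and `~/.ssh/le_runner`, neither of which the workflow creates; a comment above the step such as `# Requires the runner image to provide the Ansible venv and the le_runner key` would tell a maintainer where those prerequisites come from. `OSVAR` and `TF_VAR_benchmark_type` are repeated in the `env:` of the init, validate, apply and destroy steps and could move to the job-level `env:` next to `TF_VAR_repository`. `AWS_REGION : "us-east-1"` has a space before the colon (yamllint `colons`); `AWS_REGION: "us-east-1"`. The `playbook-test` job continues across the collapsed hunks below.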
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -76,7 +76,7 @@ Further details can be seen in the [Changelog](./ChangeLog.md)

- Running Ansible/Tower setup (this role is tested against Ansible version 2.11.1 and newer)
- Python3 Ansible run environment
- python-def (should be included in RHEL/CentOS 7) - First task sets up the prerequisites (Tag pre-reqs)for python3 and python2 (where required)
- python-def - First task sets up the prerequisites (Tag pre-reqs)for python3 and python2 (where required)
- libselinux-python
- python3-rpm (package used by py3 to use the rpm pkg)
- jmespath
10 changes: 9 additions & 1 deletion defaults/main.yml
Expand Up @@ -44,6 +44,10 @@ amazon2cis_disruption_high: true
amazon2cis_level_1: true
amazon2cis_level_2: true

###
### Settings for associated Audit role using Goss
###

###########################################
### Goss is required on the remote host ###
### vars/auditd.yml for other settings ###
Expand Down Expand Up @@ -709,7 +713,7 @@ amazon2cis_encryption: sha512
amazon2cis_force_user_passwd_change: false
# Accounts listed below will not have INACTIVE field set in shadow file

# Allow synmic discovery of user accounts minimum and maximun from /etc/login.defs
# Allow dynamic discovery of user accounts minimum and maximun from /etc/login.defs
# findings will override the uid_min|max below
amazon2cis_uid_info_dynamic: true
amazon2cis_uid_min: 1000
Expand All @@ -719,6 +723,10 @@ amazon2cis_inactive_whitelist:
- root
- vagrant

## 4.5.1.2 Add users to be skipped if required
amazon2cis_user_skip_list:
root

amazon2cis_pass:
max_days: 365
min_days: 1
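Review bot: `amazon2cis_user_skip_list:` followed by the indented plain scalar `root` yields the string `root`, not a list, which is at odds with the comment `## 4.5.1.2 Add users to be skipped if required`; a Jinja `in` test would then match by substring (any name containing `root`) and a `loop:` over it would fail with a not-a-list error, so write it as a sequence, `amazon2cis_user_skip_list:` / `  - root`. The consumer of this variable is outside the hunk, so confirm which form it expects. The corrected comment above `amazon2cis_uid_info_dynamic` still reads `maximun`; `maximum`.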
2 changes: 1 addition & 1 deletion handlers/main.yml
Expand Up @@ -38,7 +38,7 @@
name: /var/log/audit
state: remounted

- name: systemd daemon reload
- name: Systemd_daemon_reload
ansible.builtin.systemd:
daemon_reload: true

19 changes: 0 additions & 19 deletions tasks/main.yml
Expand Up @@ -68,25 +68,6 @@
- prelim_tasks
- always

- name: Include audit specific variables
when:
- run_audit or audit_only
- setup_audit
tags:
- setup_audit
- run_audit
ansible.builtin.include_vars:
file: audit.yml

- name: Include pre-remediation audit tasks
when:
- run_audit or audit_only
- setup_audit
tags:
- run_audit
ansible.builtin.import_tasks:
file: pre_remediation_audit.yml

- name: Gather the package facts
ansible.builtin.package_facts:
manager: auto