

Merge branch 'master' into min_ansible_ver
schurzi committed Apr 12, 2023
2 parents a5a065f + 4a21ec0 commit eb47f4d
Showing 31 changed files with 144 additions and 284 deletions.
15 changes: 5 additions & 10 deletions .github/workflows/mysql_hardening.yml
Expand Up @@ -27,7 +27,7 @@ concurrency:

jobs:
build:
runs-on: ubuntu-18.04
runs-on: ubuntu-latest
env:
PY_COLORS: 1
ANSIBLE_FORCE_COLOR: 1
Expand All @@ -46,8 +46,8 @@ jobs:
- debian10
- debian11
# - amazon # geerlingguy.mysql does not support fedora
# - arch # needs to be fixed
- opensuse_tumbleweed # needs to be fixed
# - arch # geerlingguy.mysql does not support arch
- opensuse_tumbleweed
# - fedora # geerlingguy.mysql does not support fedora
steps:
- name: Checkout repo
Expand All @@ -56,10 +56,10 @@ jobs:
path: ansible_collections/devsec/hardening
submodules: true

- name: Set up Python 3.7
- name: Set up Python 3.11
uses: actions/setup-python@v4
with:
python-version: 3.7
python-version: 3.11

- name: Install dependencies
run: |
Expand All @@ -68,11 +68,6 @@ jobs:
pip install -r requirements.txt
working-directory: ansible_collections/devsec/hardening

- name: Create default collection path symlink
run: |
mkdir -p /home/runner/.ansible
ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
# that was a hard one to fix. robert did it thankfully
# https://github.com/robertdebock/ansible-role-mysql/commit/7562e99099b06282391ab7ed102b393a0406d212
- name: disable apparmor on debian systems
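Review bot: `python-version: 3.11` in the new Set up Python step is an unquoted YAML float; it round-trips to "3.11" by luck, but the same form would turn `3.10` into `3.1`, so write `python-version: "3.11"` (a string) to keep the matrix robust to future bumps. The same step pins `actions/setup-python@v4` and `actions/checkout@v3` to mutable major tags; for a workflow that then runs `pip install -r requirements.txt`, pinning each action to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening, e.g. `uses: actions/setup-python@<sha>  # v4`. Switching `runs-on` to `ubuntu-latest` trades a fixed image for a floating one, which is fine for a test job but worth a one-line comment so a sudden image bump is recognised as a likely cause of breakage. The job body continues past the hunk.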
13 changes: 4 additions & 9 deletions .github/workflows/nginx_hardening.yml
Expand Up @@ -26,7 +26,7 @@ concurrency:

jobs:
build:
runs-on: ubuntu-18.04
runs-on: ubuntu-latest
env:
PY_COLORS: 1
ANSIBLE_FORCE_COLOR: 1
Expand All @@ -44,7 +44,7 @@ jobs:
- ubuntu2204
- debian10
- debian11
- amazon
- amazon2023
# - arch # needs to be fixed
# - opensuse_tumbleweed # needs to be fixed
# - fedora # no support from geerlingguy role
Expand All @@ -55,10 +55,10 @@ jobs:
path: ansible_collections/devsec/hardening
submodules: true

- name: Set up Python 3.7
- name: Set up Python 3.11
uses: actions/setup-python@v4
with:
python-version: 3.7
python-version: 3.11

- name: Install dependencies
run: |
Expand All @@ -67,11 +67,6 @@ jobs:
pip install -r requirements.txt
working-directory: ansible_collections/devsec/hardening

- name: Create default collection path symlink
run: |
mkdir -p /home/runner/.ansible
ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
- name: Test with molecule
run: |
molecule --version
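Review bot: Replacing `- amazon` with `- amazon2023` removes the Amazon Linux 2 image from the matrix rather than adding the new release next to it, so the role loses coverage of a platform that, as far as I know, is still under vendor support; if AL2 is still a supported target, keep both entries, `- amazon` and `- amazon2023`, or add a comment stating why AL2 was dropped. The new `python-version: 3.11` is an unquoted float and should be written `"3.11"` so a later bump to a version like `3.10` is not silently parsed as `3.1`. The matrix and the molecule step continue outside the hunk.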
16 changes: 6 additions & 10 deletions .github/workflows/os_hardening.yml
Expand Up @@ -26,7 +26,7 @@ concurrency:

jobs:
build:
runs-on: ubuntu-18.04
runs-on: ubuntu-latest
env:
PY_COLORS: 1
ANSIBLE_FORCE_COLOR: 1
Expand All @@ -39,25 +39,26 @@ jobs:
- centosstream9
- rocky8
- rocky9
- fedora
- ubuntu1804
- ubuntu2004
- ubuntu2204
- debian10
- debian11
- amazon
- amazon2023
- opensuse_tumbleweed
# - arch # needs to be fixed
- arch
steps:
- name: Checkout repo
uses: actions/checkout@v3
with:
path: ansible_collections/devsec/hardening
submodules: true

- name: Set up Python 3.7
- name: Set up Python 3.11
uses: actions/setup-python@v4
with:
python-version: 3.7
python-version: 3.11

- name: Install dependencies
run: |
Expand All @@ -66,11 +67,6 @@ jobs:
pip install -r requirements.txt
working-directory: ansible_collections/devsec/hardening

- name: Create default collection path symlink
run: |
mkdir -p /home/runner/.ansible
ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
- name: Test with molecule
run: |
if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then
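Review bot: `- arch` is enabled here without a comment while the VM workflow in this same commit still lists arch as disabled with "needs fix for audit", so a reader of the matrix cannot tell whether the container run is expected to pass the audit step or skips it; a short comment such as `- arch  # container run only; still disabled in os_hardening_vm.yml (audit)` would prevent someone "fixing" one file against the other. Likewise `- fedora` is added with no note on why it is supported here but commented out as unsupported in the mysql and nginx workflows, which is worth stating in place. `python-version: 3.11` should be quoted as `"3.11"` so that future values like `3.10` are not parsed as the float `3.1`. The `Test with molecule` step's body continues outside the hunk.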
4 changes: 3 additions & 1 deletion .github/workflows/os_hardening_vm.yml
Expand Up @@ -39,13 +39,15 @@ jobs:
- centos9s
- rocky8
- rocky9
- fedora36
- fedora37
- ubuntu1804
- ubuntu2004
- ubuntu2204
- debian10
- debian11
- opensuse15
# - arch # arch is currently not supported by cinc-auditor
# - arch # needs fix for audit
steps:
- name: Checkout repo
uses: actions/checkout@v3
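Review bot: The replacement comment `# - arch # needs fix for audit` is less informative than the one it replaces, which named the actual blocker (no cinc-auditor support for arch); if that is still the reason, keep it explicit, e.g. `# - arch  # disabled: the audit verify step fails because cinc-auditor does not support arch`, and if the reason has changed, say what now fails so the next person does not have to rediscover it. Referencing a tracking issue in the comment would also help, since "needs fix" gives no way to know when the entry can be re-enabled. The rest of the matrix and the steps run outside the hunk.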
17 changes: 6 additions & 11 deletions .github/workflows/ssh_hardening.yml
Expand Up @@ -26,7 +26,7 @@ concurrency:

jobs:
build:
runs-on: ubuntu-18.04
runs-on: ubuntu-latest
env:
PY_COLORS: 1
ANSIBLE_FORCE_COLOR: 1
Expand All @@ -45,20 +45,20 @@ jobs:
- ubuntu2204
- debian10
- debian11
- amazon
# - arch # needs to be fixed
# - opensuse_tumbleweed # baseline is not compatible with suse
- amazon2023
- arch
# - opensuse_tumbleweed # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
steps:
- name: Checkout repo
uses: actions/checkout@v3
with:
path: ansible_collections/devsec/hardening
submodules: true

- name: Set up Python 3.7
- name: Set up Python 3.11
uses: actions/setup-python@v4
with:
python-version: 3.7
python-version: 3.11

- name: Install dependencies
run: |
Expand All @@ -67,11 +67,6 @@ jobs:
pip install -r requirements.txt
working-directory: ansible_collections/devsec/hardening

- name: Create default collection path symlink
run: |
mkdir -p /home/runner/.ansible
ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
- name: Test with molecule
run: |
if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then
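Review bot: With `opensuse_tumbleweed` now commented out of the matrix, the `if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]` branch at the start of the `Test with molecule` step can never be taken in this workflow, so either that special case should be dropped here or the matrix comment should say the branch is kept for when openSUSE is re-enabled; the step's body continues outside the hunk. The new openSUSE comment ends in question marks (`/usr/etc/ssh/?`, `/usr/lib/pam.d/?`), which reads as an open question rather than a recorded fact; rephrase it as what is known, e.g. `# - opensuse_tumbleweed  # TODO: openSUSE ships sshd_config/PAM defaults under /usr/etc and /usr/lib/pam.d; role and baseline need to handle that`, and link the tracking issue if one exists. `- arch` is turned on with no note on what changed since the earlier "needs to be fixed", and `python-version: 3.11` should be quoted as `"3.11"`.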
17 changes: 6 additions & 11 deletions .github/workflows/ssh_hardening_custom_tests.yml
Expand Up @@ -26,7 +26,7 @@ concurrency:

jobs:
build:
runs-on: ubuntu-18.04
runs-on: ubuntu-latest
env:
PY_COLORS: 1
ANSIBLE_FORCE_COLOR: 1
Expand All @@ -45,20 +45,20 @@ jobs:
- ubuntu2204
- debian10
- debian11
- amazon
# - arch # needs to be fixed
# - opensuse_tumbleweed # baseline is not compatible with suse
- amazon2023
- arch
# - opensuse_tumbleweed # needs fix - opensuse has different file location for conf and pam (/usr/etc/ssh/?, /usr/lib/pam.d/?)
steps:
- name: Checkout repo
uses: actions/checkout@v3
with:
path: ansible_collections/devsec/hardening
submodules: true

- name: Set up Python 3.7
- name: Set up Python 3.11
uses: actions/setup-python@v4
with:
python-version: 3.7
python-version: 3.11

- name: Install dependencies
run: |
Expand All @@ -67,11 +67,6 @@ jobs:
pip install -r requirements.txt
working-directory: ansible_collections/devsec/hardening

- name: Create default collection path symlink
run: |
mkdir -p /home/runner/.ansible
ln -s /home/runner/work/ansible-os-hardening/ansible-os-hardening /home/runner/.ansible/collections
- name: Test with molecule
run: |
if [ "$MOLECULE_DISTRO" = "opensuse_tumbleweed" ]; then
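Review bot: This hunk is a line-for-line copy of the one in `ssh_hardening.yml` (same matrix edits, same openSUSE comment, same Python bump), so the two workflows will drift the next time someone updates only one of them; at minimum add a comment at the top of the matrix such as `# keep in sync with ssh_hardening.yml`, and consider a reusable workflow or a shared matrix for the two jobs. As in the sibling file, the `opensuse_tumbleweed` branch of the `Test with molecule` step is now unreachable for this matrix, and `python-version: 3.11` should be quoted as `"3.11"`. The step body continues outside the hunk.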
2 changes: 1 addition & 1 deletion molecule/mysql_hardening/molecule.yml
Expand Up @@ -22,7 +22,7 @@ provisioner:
config_options:
defaults:
interpreter_python: auto_silent
callback_whitelist: profile_tasks, timer, yaml
callbacks_enabled: profile_tasks, timer, yaml
verifier:
name: ansible

2 changes: 0 additions & 2 deletions molecule/mysql_hardening/requirements.yml
@@ -1,7 +1,5 @@
---
roles:
- name: geerlingguy.git
version: 3.0.1
- name: dev-sec.mysql
version: master

54 changes: 19 additions & 35 deletions molecule/mysql_hardening/verify.yml
Expand Up @@ -6,26 +6,12 @@
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
roles:
- geerlingguy.git
tasks:
- name: install fake SuSE-release for cinc compatibility
copy:
content: |
openSUSE Faked Enterprise 2020 (x86_64)
VERSION = 2020
CODENAME = Faked Feature
dest: /etc/SuSE-release
owner: root
group: root
mode: '0444'
when: ansible_facts.os_family == 'Suse'

- name: install git for SuSE since geerlinguy.git does not support it
zypper:
name: git
state: present
when: ansible_facts.os_family == 'Suse'
- name: Use Python 3 on Suse
set_fact:
ansible_python_interpreter: /usr/bin/python3
when:
- ansible_os_family == 'Suse'

- name: install procps for debian systems
apt:
Expand All @@ -34,29 +20,27 @@
update_cache: true
when: ansible_distribution == 'Debian'

- name: Use Python 3 on Suse
set_fact:
ansible_python_interpreter: /usr/bin/python3
when:
- ansible_os_family == 'Suse'

- name: include tests for the service
include_tasks: verify_tasks/service.yml

- name: include tests for MySQL user
include_tasks: verify_tasks/mysql_users.yml

- name: download cinc-auditor
get_url:
url: https://omnitruck.cinc.sh/install.sh
dest: /tmp/install.sh
mode: '0775'

- name: install cinc-auditor
shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"

- name: Verify
hosts: localhost
environment:
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
tasks:
- name: Execute cinc-auditor tests
command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/mysql-baseline/archive/refs/heads/master.zip"
command: >
docker run
--volume /run/docker.sock:/run/docker.sock
docker.io/cincproject/auditor exec
-t docker://instance
--no-show-progress --no-color
--no-distinct-exit https://github.com/dev-sec/mysql-baseline/archive/refs/heads/master.zip
register: test_results
changed_when: false
ignore_errors: true
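Review bot: The new `docker run` line pulls `docker.io/cincproject/auditor` with no tag or digest, so the verify step now runs whatever `latest` happens to be, whereas the removed install step pinned the auditor major version with `-v 4`; pin the image to the tag matching the version the tests were validated against and, for reproducibility, add an `@sha256:` digest, e.g. `docker.io/cincproject/auditor:<tag>@sha256:<digest>`. Mounting `/run/docker.sock` into that container hands it control of the host Docker daemon, which is acceptable on an ephemeral CI runner but should be stated in a comment above the task so nobody copies this pattern to a shared host. The baseline profile is still fetched from the mutable `master` branch of the GitHub repository with no integrity check, so a change there can alter test results without any change in this repo; `-t docker://instance` also presumably assumes the molecule platform is named `instance` — worth a comment. The task continues outside the hunk (`register`, `ignore_errors`, and whatever consumes `test_results`).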
2 changes: 2 additions & 0 deletions molecule/nginx_hardening/converge.yml
Expand Up @@ -2,6 +2,8 @@
- name: wrapper playbook for kitchen testing "ansible-nginx-hardening" with custom settings
become: true
hosts: all
collections:
- devsec.hardening
environment:
http_proxy: "{{ lookup('env', 'http_proxy') | default(omit) }}"
https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
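Review bot: The play-level `collections:` keyword only changes how short names are resolved and is discouraged in current Ansible guidance (ansible-lint's fqcn rule flags the short names it enables); if the role reference below the hunk is a short name, prefer the fully qualified form, `devsec.hardening.nginx_hardening`, and drop the `collections:` block. If the keyword is kept for compatibility with older Ansible in this "min_ansible_ver" branch, a one-line comment saying so would stop it being removed as lint noise. The role list the keyword applies to is outside the hunk.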
2 changes: 1 addition & 1 deletion molecule/nginx_hardening/molecule.yml
Expand Up @@ -21,7 +21,7 @@ provisioner:
config_options:
defaults:
interpreter_python: auto_silent
callback_whitelist: profile_tasks, timer, yaml
callbacks_enabled: profile_tasks, timer, yaml
verifier:
name: ansible

1 change: 0 additions & 1 deletion molecule/nginx_hardening/requirements.yml
@@ -1,4 +1,3 @@
---
roles:
- geerlingguy.git
- geerlingguy.nginx
