Cis v3 #35

Merged (75 commits), Jun 17, 2024
8863b52
tidy up workflow and variables
uk-bolly Feb 26, 2024
5055f80
updated git files
uk-bolly Feb 26, 2024
13021cb
removed arg warn
uk-bolly Feb 26, 2024
c31fd92
lint fqcn
uk-bolly Feb 26, 2024
71c63e6
reboot option and warning
uk-bolly Feb 26, 2024
c82b079
update checks and reboot added
uk-bolly Feb 26, 2024
87fb55c
section1 and 2 updates
uk-bolly Feb 27, 2024
6ae08b3
updated and aligned for v3
uk-bolly Feb 28, 2024
5aa4a13
v3_updates
uk-bolly Feb 29, 2024
615a594
audit_only_updates
uk-bolly Feb 29, 2024
620cdc6
updated audit
uk-bolly Feb 29, 2024
1310ee4
Added auditd post file
uk-bolly Feb 29, 2024
a091ad4
lint
uk-bolly Feb 29, 2024
b04665e
fix firewall variable
uk-bolly Feb 29, 2024
b404200
fix layout 4.2.16
uk-bolly Feb 29, 2024
9b96b9e
updated requirements
uk-bolly Feb 29, 2024
5125d72
improve idempotency
uk-bolly Feb 29, 2024
05964f6
fix rule numbers
uk-bolly Feb 29, 2024
7ca66aa
fix logic
uk-bolly Feb 29, 2024
855344f
updated control
uk-bolly Feb 29, 2024
85ef725
updated
uk-bolly Feb 29, 2024
8c63696
updated 4.5.1.1
uk-bolly Feb 29, 2024
60cbf6e
fix loop
uk-bolly Feb 29, 2024
5056ba2
updated authtok
uk-bolly Feb 29, 2024
6e0652b
fix typo
uk-bolly Feb 29, 2024
19c2d0b
updated grub handler
uk-bolly Feb 29, 2024
e441188
updated prelim passwd parse
uk-bolly Feb 29, 2024
05d7dc0
fixed
uk-bolly Feb 29, 2024
7eae1ec
updated
uk-bolly Feb 29, 2024
14897b1
aligned
uk-bolly Feb 29, 2024
e51cf1e
disruption high added
uk-bolly Mar 1, 2024
3f8ba31
remove skip lint var update
uk-bolly Mar 1, 2024
9fb1b84
fix notify
uk-bolly Mar 1, 2024
2f4f9fe
Updated README
uk-bolly Mar 1, 2024
536fb0c
Enabled 2.11 compatible
uk-bolly Mar 1, 2024
7b76f47
updated optional controls
uk-bolly Mar 1, 2024
80fe150
removed container
uk-bolly Mar 1, 2024
f3611a3
updated
uk-bolly Mar 1, 2024
562d164
improve idempotency
uk-bolly Mar 1, 2024
81c0ad9
removed container checks
uk-bolly Mar 1, 2024
1796359
updated for galaxy_ng reqs
uk-bolly Mar 4, 2024
8308ad9
updated Credits
uk-bolly Mar 4, 2024
51a87f4
tidy up
uk-bolly Mar 11, 2024
52e26f6
fixed 5.2.4.x sections and prelim
uk-bolly Mar 12, 2024
0b97ec7
fixed vars for arch naming for bin
uk-bolly Mar 12, 2024
8dfc933
add levels and audit setting
uk-bolly Mar 14, 2024
2bd36ed
improve controls
uk-bolly Mar 14, 2024
74921cc
aligned with audit
uk-bolly Mar 14, 2024
ae6e4e9
remove audit entries moved to vars
uk-bolly Mar 18, 2024
9f5ba29
file not required
uk-bolly Mar 18, 2024
0334eeb
updated
uk-bolly Mar 18, 2024
42e6160
updated 4.5.1.1
uk-bolly Mar 18, 2024
1dac122
changed default not to force passwd change
uk-bolly Mar 18, 2024
d30df1d
updated workflow for v3
uk-bolly Mar 20, 2024
92a411d
updated maks logic and values
uk-bolly Mar 22, 2024
7bb0c2f
lint updates
uk-bolly Mar 22, 2024
9fcb558
updates
uk-bolly Mar 22, 2024
6bf65cd
updated audit
uk-bolly Apr 15, 2024
ab0dfb7
pipeline updates
uk-bolly Jun 6, 2024
c415011
typo tidyup
uk-bolly Jun 6, 2024
623319b
audit moved to prelim
uk-bolly Jun 6, 2024
49d4df7
control tidy up
uk-bolly Jun 6, 2024
69a1c91
Merge pull request #1 from ansible-lockdown/v3_updates
uk-bolly Jun 6, 2024
92e8581
updated file
uk-bolly Jun 7, 2024
6bf9641
updated with correct handler name
uk-bolly Jun 7, 2024
96e3b6b
Merge pull request #2 from ansible-lockdown/v3_updates
uk-bolly Jun 7, 2024
d8002e8
V3 updates - workflow updates (#3)
uk-bolly Jun 7, 2024
d675ccc
Merge branch 'devel' into cis_v3
uk-bolly Jun 10, 2024
38f53b8
added for legacy pipeline while new pipeline implemented
uk-bolly Jun 10, 2024
273aa22
added for legacy pipeline while new pipeline implemented
uk-bolly Jun 10, 2024
fb622bf
added for legacy pipeline while new pipeline implemented
uk-bolly Jun 10, 2024
420e62b
added vars to skip
uk-bolly Jun 11, 2024
3e24f07
lint
uk-bolly Jun 11, 2024
566c2f0
Tidy up and lint
uk-bolly Jun 11, 2024
e6ce41c
fix title of 5.2.3.6
uk-bolly Jun 11, 2024
5 changes: 3 additions & 2 deletions .ansible-lint
@@ -1,15 +1,16 @@
---

parseable: true
quiet: true
skip_list:
- 'schema'
- 'no-changed-when'
- 'var-spacing'
- 'fqcn-builtins'
- 'experimental'
- 'name[play]'
- 'name[casing]'
- 'name[template]'
- 'fqcn[action]'
- 'key-order[task]'
- '204'
- '305'
- '303'
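Review bot: the skip_list still carries the legacy numeric rule ids '204', '305' and '303' next to the named rules; newer ansible-lint releases only recognise named rules, so those three entries are dead weight and whatever they were meant to silence may already be firing again. Suggest replacing them with their named equivalents or dropping them. Also worth reconsidering 'no-changed-when' in the same list: that rule is the one that flags tasks reporting changed on every run, which is exactly what the "improve idempotency" commits in this PR are chasing.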
33 changes: 0 additions & 33 deletions .github/ISSUE_TEMPLATE/bug_report.md

This file was deleted.

21 changes: 0 additions & 21 deletions .github/ISSUE_TEMPLATE/feature-request-or-enhancement.md

This file was deleted.

18 changes: 0 additions & 18 deletions .github/ISSUE_TEMPLATE/question.md

This file was deleted.

12 changes: 0 additions & 12 deletions .github/pull_request_template.md

This file was deleted.

9 changes: 9 additions & 0 deletions .github/workflows/AMAZON2.tfvars
@@ -0,0 +1,9 @@
# Amazon Linux 2
Contributor:
Why don't you use the centralized repo for testing?
https://github.com/ansible-lockdown/github_linux_IaC

Member Author:
This will be moved to that workflow and a new config we have. Due to the way we have restricted direct changes to the workflow files, we have to go through a few PRs ensuring pipelines pass before files are committed. It's on its way. :)

ami_id = "ami-03e0b06f01d45a4eb"
ami_os = "AmazonLinux2"
ami_username = "ec2-user"
ami_user_home = "/home/ec2-user"
benchmark_os = "Amazon2"
privsubnet_id = "subnet-0ce2cd3c739f6421c"
vpc_secgrp_id = "sg-0c0593968712e684d"
benchmark_type = "CIS"
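Review bot: privsubnet_id and vpc_secgrp_id are committed here as literal account-specific IDs, but the devel pipeline workflow in this same PR also passes them in as TF_VAR_privsubnet_id and TF_VAR_vpc_secgrp_id from repository secrets. Terraform and OpenTofu give a -var-file higher precedence than TF_VAR_ environment variables, so the values in this file win and the secret-supplied ones are silently ignored. Suggest removing those two lines from the tfvars and keeping the IDs only in secrets, which also keeps infrastructure identifiers out of the repository; the ami_id pin is fine but deserves a comment on how it gets refreshed.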
159 changes: 159 additions & 0 deletions .github/workflows/devel_pipeline_validation.yml
@@ -0,0 +1,159 @@
---

name: Devel pipeline

on: # yamllint disable-line rule:truthy
pull_request_target:
types: [opened, reopened, synchronize]
branches:
- devel
paths:
- '**.yml'
- '**.sh'
- '**.j2'
- '**.ps1'
- '**.cfg'
# Allow manual running of workflow
workflow_dispatch:

# Allow permissions for AWS auth
permissions:
id-token: write
contents: read
pull-requests: read

# A workflow run is made up of one or more jobs
# that can run sequentially or in parallel
jobs:
# This will create messages for first time contributers and direct them to the Discord server
welcome:
runs-on: self-hosted

steps:
- uses: actions/first-interaction@main
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: |-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.

# This workflow contains a single job that tests the playbook
playbook-test:
# The type of runner that the job will run on
runs-on: self-hosted
env:
ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
# Imported as a variable by terraform
TF_VAR_repository: ${{ github.event.repository.name }}
AWS_REGION: "us-east-1"
ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
defaults:
run:
shell: bash
working-directory: .github/workflows/github_linux_IaC
# working-directory: .github/workflows

steps:

- name: Git clone the lockdown repository to test
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

- name: If a variable for IAC_BRANCH is set use that branch
working-directory: .github/workflows
run: |
if [ ${{ vars.IAC_BRANCH }} != '' ]; then
echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
else
echo IAC_BRANCH=main >> $GITHUB_ENV
fi


# Pull in terraform code for linux servers
- name: Clone GitHub IaC plan
uses: actions/checkout@v4
with:
repository: ansible-lockdown/github_linux_IaC
path: .github/workflows/github_linux_IaC
ref: ${{ env.IAC_BRANCH }}

# Uses dedicated restricted role and policy to enable this only for this task
# No credentials are part of github for AWS auth
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@main
with:
role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
role-session-name: ${{ secrets.AWS_ROLE_SESSION }}
aws-region: ${{ env.AWS_REGION }}

- name: DEBUG - Show IaC files
if: env.ENABLE_DEBUG == 'true'
run: |
echo "OSVAR = $OSVAR"
echo "benchmark_type = $benchmark_type"
echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID"
echo "VPC_ID" = $AWS_VPC_SECGRP_ID"
pwd
ls
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
benchmark_type: ${{ vars.BENCHMARK_TYPE }}
PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }}
VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }}

- name: Tofu init
id: init
run: tofu init
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Tofu validate
id: validate
run: tofu validate
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Tofu apply
id: apply
env:
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false

## Debug Section
- name: DEBUG - Show Ansible hostfile
if: env.ENABLE_DEBUG == 'true'
run: cat hosts.yml

# Aws deployments taking a while to come up insert sleep or playbook fails

- name: Sleep to allow system to come up
run: sleep ${{ vars.BUILD_SLEEPTIME }}

# Run the Ansible playbook
- name: Run_Ansible_Playbook
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
ANSIBLE_DEPRECATION_WARNINGS: "false"
run: |
/opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml

# Remove test system - User secrets to keep if necessary

- name: Tofu Destroy
if: always() && env.ENABLE_DEBUG == 'false'
env:
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false
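Review bot: the trigger is pull_request_target with permissions id-token: write, and playbook-test checks out github.event.pull_request.head.sha and then runs ../../../site.yml from that checkout on a self-hosted runner after assuming AWS_ASSUME_ROLE. That combination lets any pull request, including one from a fork, execute its own playbook changes with the workflow's secrets and cloud role, which is the risk pattern GitHub documents for pull_request_target. Suggest either switching the trigger to pull_request (secrets are then withheld from fork PRs) or gating the job on an approval label or an author_association check before the PR head is checked out. Smaller points in the same hunk: `if [ ${{ vars.IAC_BRANCH }} != '' ]; then` should quote the expansion, otherwise an unset variable leaves `[ != '' ]` and the step errors rather than falling through to main; the debug step echoes $AWS_PRIVSUBNET_ID and $AWS_VPC_SECGRP_ID while its env block defines PRIVSUBNET_ID and VPC_ID, and `echo "VPC_ID" = $AWS_VPC_SECGRP_ID"` has an unbalanced quote; and actions/first-interaction@main and aws-actions/configure-aws-credentials@main track a moving branch rather than a pinned tag or commit SHA.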
@@ -1,7 +1,7 @@
resource "aws_vpc" "Main" {
cidr_block = var.main_vpc_cidr
instance_tenancy = "default"
tags = {
tags = {
Environment = "${var.environment}"
Name = "${var.namespace}-VPC"
}
2 changes: 1 addition & 1 deletion .github/workflows/github_vars.tfvars
@@ -1,7 +1,7 @@
// github_actions variables
// Resourced in github_networks.tf
// Declared in variables.tf
//
//

namespace = "github_actions"
environment = "lockdown_github_repo_workflow"
2 changes: 1 addition & 1 deletion .github/workflows/linux_benchmark_testing.yml
@@ -1,4 +1,4 @@
# This is a basic workflow to help you get started with Actions
i# This is a basic workflow to help you get started with Actions

name: linux_benchmark_pipeline

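Review bot: the changed first line now reads `i# This is a basic workflow to help you get started with Actions`, which looks like a stray vim insert-mode keystroke. Because the line no longer starts with `#`, it is a top-level plain scalar rather than a comment, and the `name: linux_benchmark_pipeline` mapping that follows makes the file invalid YAML, so the workflow will fail to parse. Drop the leading `i`.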
4 changes: 2 additions & 2 deletions .github/workflows/main.tf
@@ -25,7 +25,7 @@ resource "aws_security_group" "github_actions" {
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}

ingress {
from_port = 80
to_port = 80
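Review bot: the ingress rule ending just above this one uses cidr_blocks = ["0.0.0.0/0"], and the port 80 rule that follows appears to be the same shape. The test instance is placed in the private subnet passed as TF_VAR_privsubnet_id and only the runner needs to reach it (the playbook step connects over SSH with --private-key), so suggest restricting these rules to the runner's CIDR or at least to var.main_vpc_cidr from github_networks.tf rather than the whole internet.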
@@ -77,6 +77,6 @@ resource "local_file" "inventory" {
setup_audit: true
run_audit: true
system_is_ec2: true
amazon2cis_rule_4_5_2_4: false # Don't set root password
EOF
}
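Review bot: the inventory template hard-codes amazon2cis_rule_4_5_2_4: false to avoid setting a root password on the test instance. Since this PR renumbers controls for the v3 benchmark (see the "fix rule numbers" and "fixed 5.2.4.x sections and prelim" commits), please confirm that 4.5.2.4 is still the root-password control in the role's defaults, otherwise the override silently targets the wrong rule and the pipeline run sets a root password after all.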
