Merge pull request #547 from dev-sec/vm_tests

add VM tests for os_hardening

Author: schurzi

.github/workflows/os_hardening_vm.yml

@@ -0,0 +1,51 @@
+---
+name: "devsec.os_hardening VM"
+on:  # yamllint disable-line rule:truthy
+  workflow_dispatch:
+  push:
+    paths:
+      - 'roles/os_hardening/**'
+      - 'molecule/os_hardening_vm/**'
+      - '.github/workflows/os_hardening_vm.yml'
+  pull_request:
+    paths:
+      - 'roles/os_hardening/**'
+      - 'molecule/os_hardening_vm/**'
+      - '.github/workflows/os_hardening_vm.yml'
+jobs:
+  build:
+    runs-on: self-hosted
+    env:
+      PY_COLORS: 1
+      ANSIBLE_FORCE_COLOR: 1
+    strategy:
+      fail-fast: false
+      matrix:
+        molecule_distro:
+          - centos7
+          - rocky8
+          - ubuntu1804
+          - ubuntu2004
+          - debian9
+          - debian10
+          # - opensuse42  # opensuse currently cannot get an ip address
+          # - arch  - arch is currently not supported by cinc-auditor
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          path: ansible_collections/devsec/hardening
+          submodules: true
+
+      - name: Create default collection path symlink
+        run: |
+          mkdir -p /home/runner/.ansible
+          ln -fs /opt/actions-runner/_work/ansible-collection-hardening/ansible-collection-hardening/ansible_collections /home/runner/.ansible/collections
+
+      - name: Test with molecule
+        run: |
+          molecule --version
+          molecule test -s os_hardening_vm
+        env:
+          MOLECULE_DISTRO: ${{ matrix.molecule_distro }}
+        working-directory: ansible_collections/devsec/hardening

README.md

@@ -1,6 +1,7 @@
 # Ansible Collection - devsec.hardening
 
 ![devsec.os_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.os_hardening/badge.svg)
+![devsec.os_hardening VM](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.os_hardening%20VM/badge.svg)
 ![devsec.ssh_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.ssh_hardening/badge.svg)
 ![devsec.nginx_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.nginx_hardening/badge.svg)
 ![devsec.mysql_hardening](https://github.com/dev-sec/ansible-os-hardening/workflows/devsec.mysql_hardening/badge.svg)

molecule/os_hardening/converge.yml

@@ -26,7 +26,6 @@
     os_security_suid_sgid_blacklist: ['/bin/umount']
     os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
     os_filesystem_whitelist: []
-    os_ctrlaltdel_disabled: true
     os_yum_repo_file_whitelist: ['foo.repo']
     sysctl_config:
       net.ipv4.ip_forward: 0

molecule/os_hardening/verify.yml

@@ -55,7 +55,7 @@
       shell: "bash /tmp/install.sh -s -- -P cinc-auditor -v 4"
 
     - name: Execute cinc-auditor tests  # noqa ignore-errors
-      command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit  --waiver-file waivers.yaml https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip"
+      command: "/opt/cinc-auditor/bin/cinc-auditor exec --no-show-progress --no-color --no-distinct-exit https://github.com/dev-sec/linux-baseline/archive/refs/heads/master.zip"
       register: test_results
       changed_when: false
       ignore_errors: true

molecule/os_hardening_vm/INSTALL.rst

@@ -0,0 +1,22 @@
+*******
+Docker driver installation guide
+*******
+
+Requirements
+============
+
+* Docker Engine
+
+Install
+=======
+
+Please refer to the `Virtual environment`_ documentation for installation best
+practices. If not using a virtual environment, please consider passing the
+widely recommended `'--user' flag`_ when invoking ``pip``.
+
+.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
+.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
+
+.. code-block:: bash
+
+    $ python3 -m pip install 'molecule[docker]'

molecule/os_hardening_vm/converge.yml

@@ -0,0 +1,23 @@
+---
+- name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
+  hosts: all
+  become: true
+  environment:
+    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
+    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+  collections:
+    - devsec.hardening
+  tasks:
+    - name: override for arch
+      set_fact: 
+        os_mnt_boot_enabled: false
+      when: ansible_facts.os_family == 'Archlinux'
+    - include_role:
+        name: os_hardening
+  vars:
+    os_auth_pam_passwdqc_enable: false
+    os_auth_lockout_time: 15
+    os_yum_repo_file_whitelist: ['foo.repo']
+    os_mnt_boot_enabled: true
+    os_mnt_boot_src: "/dev/vda1"

molecule/os_hardening_vm/molecule.yml

@@ -0,0 +1,57 @@
+---
+dependency:
+  name: galaxy
+  options:
+    role-file: molecule/os_hardening/requirements.yml
+driver:
+  name: vagrant
+  provider:
+    name: libvirt
+platforms:
+  - name: instance
+    box: "generic/${MOLECULE_DISTRO}"
+    memory: 1024
+    cpus: 2
+provisioner:
+  name: ansible
+  env:
+    ANSIBLE_PIPELINING: "True"
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+      callback_whitelist: profile_tasks, timer, yaml
+verifier:
+  name: ansible
+  env:
+    ANSIBLE_PIPELINING: "True"
+
+scenario:
+  create_sequence:
+    - dependency
+    - create
+    - prepare
+  check_sequence:
+    - dependency
+    - destroy
+    - create
+    - prepare
+    - converge
+    - check
+    - destroy
+  converge_sequence:
+    - dependency
+    - create
+    - prepare
+    - converge
+  destroy_sequence:
+    - destroy
+  test_sequence:
+    - dependency
+    - destroy
+    - syntax
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - verify
+    - destroy

molecule/os_hardening_vm/prepare.yml

@@ -0,0 +1,60 @@
+---
+- name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
+  hosts: all
+  become: true
+  collections:
+    - devsec.hardening
+  environment:
+    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
+    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
+    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
+  tasks:
+    - name: set ansible_python_interpreter to "/usr/bin/python3" on fedora
+      set_fact:
+        ansible_python_interpreter: "/usr/bin/python3"
+      when: ansible_facts.distribution == 'Fedora'
+
+    - name: Run the equivalent of "apt-get update && apt-get upgrade"
+      apt:
+        name: "*"
+        state: latest
+        update_cache: true
+      when: ansible_os_family == 'Debian'
+
+    - name: install required tools on SuSE
+      # cannot use zypper module, since it depends on python-xml
+      shell: "zypper -n install python-xml"
+      when: ansible_facts.os_family == 'Suse'
+
+    - name: install required tools on fedora
+      dnf:
+        name:
+          - python
+          - findutils
+          - procps-ng
+      when: ansible_facts.distribution == 'Fedora'
+
+    - name: install required tools on Arch
+      community.general.pacman:
+        name:
+          - awk
+        state: present
+        update_cache: true
+      when: ansible_facts.os_family == 'Archlinux'
+
+    - name: install required tools on RHEL  # noqa ignore-errors
+      yum:
+        name:
+          - openssh-clients
+          - openssh
+        state: present
+        update_cache: true
+      ignore_errors: true
+
+    - name: create recursing symlink to test minimize access
+      shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz"
+      changed_when: false
+
+    - name: include YUM prepare tasks
+      include_tasks: prepare_tasks/yum.yml
+      when: ansible_facts.os_family == 'RedHat'

molecule/os_hardening_vm/prepare_tasks/yum.yml

@@ -0,0 +1,16 @@
+---
+- name: create 'foo' repository
+  ansible.builtin.yum_repository:
+    name: foo
+    description: mandatory description
+    baseurl: file:///mandatory-url
+    enabled: false
+    gpgcheck: false
+
+- name: create 'bar' repository
+  ansible.builtin.yum_repository:
+    name: bar
+    description: mandatory description
+    baseurl: file:///mandatory-url
+    enabled: false
+    gpgcheck: false

molecule/os_hardening_vm/requirements.yml

@@ -0,0 +1,3 @@
+---
+roles:
+  - geerlingguy.git