default-bare.yml
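---
# CI workflow for the juju4.harden Ansible role: converges the role on a hosted
# Ubuntu runner, re-runs it to check idempotence, then dumps system state
# (services, firewall, /etc, AIDE, immutable attributes) for post-mortem.
name: default-bare

on:  # yamllint disable-line rule:truthy
  push:
  pull_request:
  workflow_dispatch:
  schedule:  # run weekly, every Wednesday 03:00
    - cron: '0 3 * * 3'

# Default-deny for GITHUB_TOKEN; each job opts in to the scopes it needs.
permissions: {}

jobs:
  build:
    permissions:
      contents: read
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      max-parallel: 4
      matrix:
        # NOTE(review): GitHub has retired the ubuntu-20.04 hosted-runner label;
        # that matrix leg is expected to fail to schedule — confirm and drop it.
        os: [ubuntu-24.04, ubuntu-22.04, ubuntu-20.04]
    env:
      # Environment overrides ansible.cfg, so the `timer` callback appended to
      # ansible.cfg in "Install dependencies" is effectively ignored while this
      # variable is set.
      ANSIBLE_CALLBACKS_ENABLED: profile_tasks
      # inspec_dir is derived from the workspace instead of a hard-coded
      # /home/runner/work/<repo>/<repo> path so forks and renames keep working.
      ANSIBLE_EXTRA_VARS: "-e harden_sshd_remote_src=yes -e harden_testing_privesc_upc=false -e harden_testing_privesc_lpc=false -e inspec_dir=${{ github.workspace }}/juju4.harden/test/integration/default"
      ANSIBLE_ROLE: juju4.harden
    steps:
      # NOTE(review): actions are pinned to a mutable major tag; pinning to a
      # full commit SHA protects against a moved or compromised tag.
      - uses: actions/checkout@v4
        with:
          path: ${{ env.ANSIBLE_ROLE }}
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      - name: ACL
        run: |
          sudo apt-get install -y acl || true
          mount
          sudo mount -o remount,acl / || true
      - name: Install dependencies
        run: |
          python3 -m pip install --upgrade pip
          pip3 install ansible-lint flake8 yamllint
          # informational only; a missing binary must not abort the step (bash -e)
          which ansible || true
          pip3 install ansible
          pip3 show ansible
          ls -l $HOME/.local/bin || true
          # setup-python already exposes the selected interpreter's bin dir on
          # PATH; the former hard-coded /opt/hostedtoolcache/Python/3.9.1 path no
          # longer matches the '3.x' selection and was dead.
          ansible --version
          cd "$GITHUB_WORKSPACE/$ANSIBLE_ROLE"
          if [ -f get-dependencies.sh ]; then sh -x get-dependencies.sh; fi
          # interpreter_python is the ansible.cfg setting; ansible_python_interpreter
          # is an inventory variable and was silently ignored here.
          # NOTE(review): appending a second [defaults] section breaks parsing if
          # the role already ships an ansible.cfg with one — confirm none is checked in.
          { echo '[defaults]'; echo 'callbacks_enabled = profile_tasks, timer'; echo 'roles_path = ../'; echo 'interpreter_python = /usr/bin/python3'; } >> ansible.cfg
      - name: Environment
        # Prints the full environment; keep that in mind if secrets are ever
        # added to this job.
        run: |
          set -x
          pwd
          env
          find -ls
      - name: lsattr
        # Baseline of immutable (+i) files, diffed against a second pass at the end.
        run: |
          set -x
          sudo apt-get install -y e2fsprogs || true
          sudo lsattr / -R -a 2> /dev/null | grep "\----i" > /tmp/lsattr-i-1 || true
      - name: run test
        # ANSIBLE_EXTRA_VARS stays unquoted on purpose: it carries several -e arguments.
        run: |
          cd "$GITHUB_WORKSPACE/$ANSIBLE_ROLE" && ansible-playbook -i localhost, --connection=local --become -vvv test/integration/default/default.yml ${ANSIBLE_EXTRA_VARS}
        env:
          PY_COLORS: '1'
          ANSIBLE_FORCE_COLOR: '1'
      - name: idempotency run
        # Informational only: both branches exit 0, so a non-idempotent second
        # run is logged (with the full playbook output) but does not fail the job.
        run: |
          cd "$GITHUB_WORKSPACE/$ANSIBLE_ROLE" && ansible-playbook -i localhost, --connection=local --become -vvv test/integration/default/default.yml ${ANSIBLE_EXTRA_VARS} | tee /tmp/idempotency.log | grep -q 'changed=0.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && cat /tmp/idempotency.log && exit 0)
      - name: On failure
        if: ${{ failure() }}
        continue-on-error: true
        run: |
          # each probe is best-effort so one failing command does not hide the rest
          systemctl -l --no-pager status || true
          systemctl -l --no-pager --failed || true
          ls -l /usr/bin/ | grep -E '(python|pip|ansible)' || true
          pip freeze
          pip3 freeze
          ip addr
          cat /etc/resolv.conf
          host www.google.com || true
          ping -c 1 www.google.com || true
          ping -c 1 8.8.8.8 || true
      - name: After script - ansible setup
        if: ${{ always() }}
        continue-on-error: true
        # Same inline inventory as the test steps; the previous `-i inventory`
        # pointed at a file that is never created in the workspace.
        run: |
          ansible -i localhost, --connection=local -m setup localhost
      - name: After script - systemd
        if: ${{ always() }}
        continue-on-error: true
        run: |
          systemctl -l --no-pager status iptables || true
          systemctl -l --no-pager status netfilter-persistent || true
          systemctl -l --no-pager status openntpd || true
          systemctl -l --no-pager status ntpd || true
          systemctl -l --no-pager status chronyd || true
          systemctl -l --no-pager status monit || true
          systemd-analyze --no-pager security || true
          rsyslogd -v || true
      - name: After script - network
        if: ${{ always() }}
        continue-on-error: true
        run: |
          sudo iptables -L -vn || true
          sudo iptables-save || true
          sudo ip6tables -L -vn || true
          sudo ip6tables-save || true
      - name: After script - scap
        if: ${{ always() }}
        continue-on-error: true
        # NOTE(review): `version` is not set anywhere in this workflow and the
        # ssg-rhel*/ssg-ubuntu1604 content is not shipped on these runners, so
        # this step is best-effort diagnostics. The stray trailing `"` and the
        # doubled backslash escaping (leftovers from another CI format) that
        # made the shell fail on an unterminated quote have been removed.
        run: |
          ls -la /usr/share/xml/scap/ssg/content/ || true
          perl -pi -e "s@platform idref=\"cpe:/o:redhat:enterprise_linux:${version}\"@platform idref=\"cpe:/o:centos:centos:${version}\"@" /usr/share/xml/scap/ssg/content/ssg-rhel${version}-ds.xml || true
          oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss --results-arf arf-pci.xml --report report-pci.html /usr/share/xml/scap/ssg/content/ssg-rhel${version}-ds.xml || true
          oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel${version}-disa --results-arf arf-disa.xml --report report-disa.html /usr/share/xml/scap/ssg/content/ssg-rhel${version}-ds.xml || true
          oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive --results-arf arf.xml --report report.html /usr/share/scap-security-guide/ssg-ubuntu1604-ds.xml || true
      - name: After script - etc
        if: ${{ always() }}
        continue-on-error: true
        run: |
          set -x
          cat /etc/passwd
          cat /etc/rsyslog.conf
          find /etc/rsyslog.d -type f -exec cat {} \;
          cat /etc/ntp.conf /etc/sysconfig/ntpd /etc/default/ntp /etc/chrony.conf || true
          cat /etc/openntpd/ntpd.conf /etc/ntpd.conf || true
          ls -l /etc/login.defs
          cat /etc/login.defs
          ls -la /etc
          ls -la /etc/ssh/
          cat /etc/ssh/sshd_config
          cat /etc/ssh/ssh_config
          ls -l /etc/pam.d/
          cat /etc/pam.d/system-auth || true
          cat /etc/pam.d/password-auth || true
          cat /etc/logrotate.conf || true
          cat /etc/security/pwquality.conf || true
          ls -laR /etc/monit/
          sudo cat /etc/monit/monitrc
      - name: After script - ssh
        if: ${{ always() }}
        continue-on-error: true
        run: |
          set -x
          ls -la /etc/ssh/
          cat /etc/ssh/sshd_config
          cat /etc/ssh/ssh_config
      - name: After script - aide hids
        if: ${{ always() }}
        continue-on-error: true
        run: |
          set -x
          ls -laR /etc/aide/
          cat /etc/aide/aide.conf
          cat /usr/local/scripts/cron.daily-aide
      - name: After script - files
        if: ${{ always() }}
        continue-on-error: true
        run: |
          set -x
          ls -lR /var/lib/ntp /var/ntp/drift /var/lib/openntpd || true
          ls -l /var/db/ntp.drift /var/ntp/drift/ /var/lib/ntp/ /var/lib/openntpd/db/ /var/lib/chrony/ || true
          ls -l /boot/grub2/grub.cfg || true
          ls -l /var/lib/aide/ || true
          ls -la /tmp/ || true
          sudo rpm -Va | grep '^..5' || true
          sudo ls -la /tmp/cadir/ || true
      - name: lsattr2
        if: ${{ always() }}
        continue-on-error: true
        # Second immutable-attribute pass, compared with the pre-role baseline.
        run: |
          set -x
          sudo lsattr / -R -a 2> /dev/null | grep "\----i" > /tmp/lsattr-i-2 || true
          sdiff /tmp/lsattr-i-* || true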