Skip to content

Merge branch 'main' into devel #180

Merge branch 'main' into devel

Merge branch 'main' into devel #180

Workflow file for this run

---
name: default-bare
on:
push:
pull_request:
workflow_dispatch:
schedule: # run weekly, every Wednesday 03:00
- cron: '0 3 * * 3'
permissions: {}
jobs:
build:
permissions:
contents: read
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
max-parallel: 4
matrix:
os: [ubuntu-22.04, ubuntu-20.04]
env:
ANSIBLE_CALLBACKS_ENABLED: profile_tasks
ANSIBLE_EXTRA_VARS: "-e harden_sshd_remote_src=yes -e harden_testing_privesc_upc=false -e harden_testing_privesc_lpc=false -e inspec_dir=/home/runner/work/ansible-harden/ansible-harden/juju4.harden/test/integration/default"
ANSIBLE_ROLE: juju4.harden
steps:
- uses: actions/checkout@v4
with:
path: ${{ env.ANSIBLE_ROLE }}
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.x'
- name: ACL
run: |
sudo apt-get install -y acl || true
mount
sudo mount -o remount,acl / || true
- name: Install dependencies
run: |
python3 -m pip install --upgrade pip
pip3 install ansible-lint flake8 yamllint
which ansible
pip3 install ansible
pip3 show ansible
ls -l $HOME/.local/bin || true
ls -l /opt/hostedtoolcache/Python/3.9.1/x64/bin || true
echo "/opt/hostedtoolcache/Python/3.9.1/x64/bin" >> $GITHUB_PATH
ansible --version
cd $GITHUB_WORKSPACE/juju4.harden
[ -f get-dependencies.sh ] && sh -x get-dependencies.sh
{ echo '[defaults]'; echo 'callbacks_enabled = profile_tasks, timer'; echo 'roles_path = ../'; echo 'ansible_python_interpreter: /usr/bin/python3'; } >> ansible.cfg
- name: Environment
run: |
set -x
pwd
env
find -ls
- name: lsattr
run: |
set -x
sudo apt-get install -y e2fsprogs || true
sudo lsattr / -R -a 2> /dev/null | grep "\----i" > /tmp/lsattr-i-1 || true
- name: run test
run: |
cd $GITHUB_WORKSPACE/$ANSIBLE_ROLE && ansible-playbook -i localhost, --connection=local --become -vvv test/integration/default/default.yml ${ANSIBLE_EXTRA_VARS}
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
- name: idempotency run
run: |
cd $GITHUB_WORKSPACE/$ANSIBLE_ROLE && ansible-playbook -i localhost, --connection=local --become -vvv test/integration/default/default.yml ${ANSIBLE_EXTRA_VARS} | tee /tmp/idempotency.log | grep -q 'changed=0.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && cat /tmp/idempotency.log && exit 0)
- name: On failure
run: |
systemctl -l --no-pager status
systemctl -l --no-pager --failed
ls -l /usr/bin/ | egrep '(python|pip|ansible)'
pip freeze
pip3 freeze
ip addr
cat /etc/resolv.conf
host www.google.com
ping -c 1 www.google.com || true
ping -c 1 8.8.8.8 || true
if: ${{ failure() }}
continue-on-error: true
- name: After script - ansible setup
run: |
ansible -i inventory --connection=local -m setup localhost
if: ${{ always() }}
continue-on-error: true
- name: After script - systemd
run: |
systemctl -l --no-pager status iptables || true
systemctl -l --no-pager status netfilter-persistent || true
systemctl -l --no-pager status openntpd || true
systemctl -l --no-pager status ntpd || true
systemctl -l --no-pager status chronyd || true
systemctl -l --no-pager status monit
systemd-analyze --no-pager security || true
rsyslogd -v
if: ${{ always() }}
continue-on-error: true
- name: After script - network
run: |
sudo iptables -L -vn
sudo iptables-save
sudo ip6tables -L -vn
sudo ip6tables-save
if: ${{ always() }}
continue-on-error: true
- name: After script - scap
run: |
ls -la /usr/share/xml/scap/ssg/content/
perl -pi -e \"s@platform idref=\\\"cpe:/o:redhat:enterprise_linux:${version}\\\"@platform idref=\\\"cpe:/o:centos:centos:${version}\\\"@\" /usr/share/xml/scap/ssg/content/ssg-rhel${version}-ds.xml"
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss --results-arf arf-pci.xml --report report-pci.html /usr/share/xml/scap/ssg/content/ssg-rhel${version}-ds.xml"
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel${version}-disa --results-arf arf-disa.xml --report report-disa.html /usr/share/xml/scap/ssg/content/ssg-rhel${version}-ds.xml"
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive --results-arf arf.xml --report report.html /usr/share/scap-security-guide/ssg-ubuntu1604-ds.xml"
if: ${{ always() }}
continue-on-error: true
- name: After script - etc
run: |
set -x
cat /etc/passwd
cat /etc/rsyslog.conf
find /etc/rsyslog.d -type f -exec cat {} \;
cat /etc/ntp.conf /etc/sysconfig/ntpd /etc/default/ntp /etc/chrony.conf || true
cat /etc/openntpd/ntpd.conf /etc/ntpd.conf || true
ls -l /etc/login.defs
cat /etc/login.defs
ls -la /etc
ls -la /etc/ssh/
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_config
ls -l /etc/pam.d/
cat /etc/pam.d/system-auth || true
cat /etc/pam.d/password-auth || true
cat /etc/logrotate.conf || true
cat /etc/security/pwquality.conf || true
ls -laR /etc/monit/
sudo cat /etc/monit/monitrc
if: ${{ always() }}
continue-on-error: true
- name: After script - ssh
run: |
set -x
ls -la /etc/ssh/
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_config
if: ${{ always() }}
continue-on-error: true
- name: After script - aide hids
run: |
set -x
ls -laR /etc/aide/
cat /etc/aide/aide.conf
cat /usr/local/scripts/cron.daily-aide
if: ${{ always() }}
continue-on-error: true
- name: After script - files
run: |
set -x
ls -lR /var/lib/ntp /var/ntp/drift /var/lib/openntpd || true
ls -l /var/db/ntp.drift /var/ntp/drift/ /var/lib/ntp/ /var/lib/openntpd/db/ /var/lib/chrony/ || true
ls -l /boot/grub2/grub.cfg || true
ls -l /var/lib/aide/
ls -la /tmp/ || true
sudo rpm -Va | grep '^..5' || true
sudo ls -la /tmp/cadir/ || true
if: ${{ always() }}
continue-on-error: true
- name: lsattr2
run: |
set -x
sudo lsattr / -R -a 2> /dev/null | grep "\----i" > /tmp/lsattr-i-2 || true
sdiff /tmp/lsattr-i-* || true
if: ${{ always() }}
continue-on-error: true