Merge branch 'main' into devel #180
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: default-bare | |
on: | |
push: | |
pull_request: | |
workflow_dispatch: | |
schedule: # run weekly, every Wednesday 03:00 | |
- cron: '0 3 * * 3' | |
permissions: {} | |
jobs: | |
build: | |
permissions: | |
contents: read | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
max-parallel: 4 | |
matrix: | |
os: [ubuntu-22.04, ubuntu-20.04] | |
env: | |
ANSIBLE_CALLBACKS_ENABLED: profile_tasks | |
ANSIBLE_EXTRA_VARS: "-e harden_sshd_remote_src=yes -e harden_testing_privesc_upc=false -e harden_testing_privesc_lpc=false -e inspec_dir=/home/runner/work/ansible-harden/ansible-harden/juju4.harden/test/integration/default" | |
ANSIBLE_ROLE: juju4.harden | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
path: ${{ env.ANSIBLE_ROLE }} | |
- name: Set up Python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: '3.x' | |
- name: ACL | |
run: | | |
sudo apt-get install -y acl || true | |
mount | |
sudo mount -o remount,acl / || true | |
- name: Install dependencies | |
run: | | |
python3 -m pip install --upgrade pip | |
pip3 install ansible-lint flake8 yamllint | |
which ansible | |
pip3 install ansible | |
pip3 show ansible | |
ls -l $HOME/.local/bin || true | |
ls -l /opt/hostedtoolcache/Python/3.9.1/x64/bin || true | |
echo "/opt/hostedtoolcache/Python/3.9.1/x64/bin" >> $GITHUB_PATH | |
ansible --version | |
cd $GITHUB_WORKSPACE/juju4.harden | |
[ -f get-dependencies.sh ] && sh -x get-dependencies.sh | |
{ echo '[defaults]'; echo 'callbacks_enabled = profile_tasks, timer'; echo 'roles_path = ../'; echo 'ansible_python_interpreter: /usr/bin/python3'; } >> ansible.cfg | |
- name: Environment | |
run: | | |
set -x | |
pwd | |
env | |
find -ls | |
- name: lsattr | |
run: | | |
set -x | |
sudo apt-get install -y e2fsprogs || true | |
sudo lsattr / -R -a 2> /dev/null | grep "\----i" > /tmp/lsattr-i-1 || true | |
- name: run test | |
run: | | |
cd $GITHUB_WORKSPACE/$ANSIBLE_ROLE && ansible-playbook -i localhost, --connection=local --become -vvv test/integration/default/default.yml ${ANSIBLE_EXTRA_VARS} | |
env: | |
PY_COLORS: '1' | |
ANSIBLE_FORCE_COLOR: '1' | |
- name: idempotency run | |
run: | | |
cd $GITHUB_WORKSPACE/$ANSIBLE_ROLE && ansible-playbook -i localhost, --connection=local --become -vvv test/integration/default/default.yml ${ANSIBLE_EXTRA_VARS} | tee /tmp/idempotency.log | grep -q 'changed=0.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && cat /tmp/idempotency.log && exit 0) | |
- name: On failure | |
run: | | |
systemctl -l --no-pager status | |
systemctl -l --no-pager --failed | |
ls -l /usr/bin/ | egrep '(python|pip|ansible)' | |
pip freeze | |
pip3 freeze | |
ip addr | |
cat /etc/resolv.conf | |
host www.google.com | |
ping -c 1 www.google.com || true | |
ping -c 1 8.8.8.8 || true | |
if: ${{ failure() }} | |
continue-on-error: true | |
- name: After script - ansible setup | |
run: | | |
ansible -i inventory --connection=local -m setup localhost | |
if: ${{ always() }} | |
continue-on-error: true | |
- name: After script - systemd | |
run: | | |
systemctl -l --no-pager status iptables || true | |
systemctl -l --no-pager status netfilter-persistent || true | |
systemctl -l --no-pager status openntpd || true | |
systemctl -l --no-pager status ntpd || true | |
systemctl -l --no-pager status chronyd || true | |
systemctl -l --no-pager status monit | |
systemd-analyze --no-pager security || true | |
rsyslogd -v | |
if: ${{ always() }} | |
continue-on-error: true | |
- name: After script - network | |
run: | | |
sudo iptables -L -vn | |
sudo iptables-save | |
sudo ip6tables -L -vn | |
sudo ip6tables-save | |
if: ${{ always() }} | |
continue-on-error: true | |
- name: After script - scap | |
run: | | |
ls -la /usr/share/xml/scap/ssg/content/ | |
perl -pi -e \"s@platform idref=\\\"cpe:/o:redhat:enterprise_linux:${version}\\\"@platform idref=\\\"cpe:/o:centos:centos:${version}\\\"@\" /usr/share/xml/scap/ssg/content/ssg-rhel${version}-ds.xml" | |
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_pci-dss --results-arf arf-pci.xml --report report-pci.html /usr/share/xml/scap/ssg/content/ssg-rhel${version}-ds.xml" | |
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig-rhel${version}-disa --results-arf arf-disa.xml --report report-disa.html /usr/share/xml/scap/ssg/content/ssg-rhel${version}-ds.xml" | |
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive --results-arf arf.xml --report report.html /usr/share/scap-security-guide/ssg-ubuntu1604-ds.xml" | |
if: ${{ always() }} | |
continue-on-error: true | |
- name: After script - etc | |
run: | | |
set -x | |
cat /etc/passwd | |
cat /etc/rsyslog.conf | |
find /etc/rsyslog.d -type f -exec cat {} \; | |
cat /etc/ntp.conf /etc/sysconfig/ntpd /etc/default/ntp /etc/chrony.conf || true | |
cat /etc/openntpd/ntpd.conf /etc/ntpd.conf || true | |
ls -l /etc/login.defs | |
cat /etc/login.defs | |
ls -la /etc | |
ls -la /etc/ssh/ | |
cat /etc/ssh/sshd_config | |
cat /etc/ssh/ssh_config | |
ls -l /etc/pam.d/ | |
cat /etc/pam.d/system-auth || true | |
cat /etc/pam.d/password-auth || true | |
cat /etc/logrotate.conf || true | |
cat /etc/security/pwquality.conf || true | |
ls -laR /etc/monit/ | |
sudo cat /etc/monit/monitrc | |
if: ${{ always() }} | |
continue-on-error: true | |
- name: After script - ssh | |
run: | | |
set -x | |
ls -la /etc/ssh/ | |
cat /etc/ssh/sshd_config | |
cat /etc/ssh/ssh_config | |
if: ${{ always() }} | |
continue-on-error: true | |
- name: After script - aide hids | |
run: | | |
set -x | |
ls -laR /etc/aide/ | |
cat /etc/aide/aide.conf | |
cat /usr/local/scripts/cron.daily-aide | |
if: ${{ always() }} | |
continue-on-error: true | |
- name: After script - files | |
run: | | |
set -x | |
ls -lR /var/lib/ntp /var/ntp/drift /var/lib/openntpd || true | |
ls -l /var/db/ntp.drift /var/ntp/drift/ /var/lib/ntp/ /var/lib/openntpd/db/ /var/lib/chrony/ || true | |
ls -l /boot/grub2/grub.cfg || true | |
ls -l /var/lib/aide/ | |
ls -la /tmp/ || true | |
sudo rpm -Va | grep '^..5' || true | |
sudo ls -la /tmp/cadir/ || true | |
if: ${{ always() }} | |
continue-on-error: true | |
- name: lsattr2 | |
run: | | |
set -x | |
sudo lsattr / -R -a 2> /dev/null | grep "\----i" > /tmp/lsattr-i-2 || true | |
sdiff /tmp/lsattr-i-* || true | |
if: ${{ always() }} | |
continue-on-error: true |