ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Collections (#7)

Browse source 
* added collections requiremenst for tower integration

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* added crypto & posix

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed older files

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated workflow uses rocky8

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated tags

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated ansible ver

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated discord info

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
uk-bolly 2022-03-02 13:19:54 +00:00 committed by GitHub
parent 79cc69e3d9
commit ac744cb5ae
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 333 additions and 82 deletions
Download patch file Download diff file Expand all files Collapse all files

9
.github/workflows/OS.tfvars vendored Normal file
View file

@ -0,0 +1,9 @@
#Ami Rocky 85
ami_id = "ami-043ceee68871e0bb5"
ami_os = "rocky8"
ami_username = "rocky"
ami_user_home = "/home/rocky"
instance_tags = {
Name = "RHEL9-CIS"
Environment = "lockdown_github_repo_workflow"
}

39
.github/workflows/communitytodevel.yml vendored
View file

@ -1,39 +0,0 @@
---
# This is a basic workflow to help you get started with Actions
name: CommunityToDevel
# Controls when the action will run. Triggers the workflow on push or pull request
# events but only for the devel branch
on:
pull_request:
branches: [ devel ]
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v2
# Refactr pipeline for devel pull request/merge
- name: Refactr - Run Pipeline (to devel)
# You may pin to the exact commit or the version.
# uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
uses: refactr/action-run-pipeline@v0.1.2
with:
# API token
api_token: '${{ secrets.REFACTR_KEY }}'
# Project ID
project_id: 5f47f0c4a13c7b18373e5556
# Job ID
job_id: 5f933cbcf9c74e86b1609c00
# Variables
variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL9-CIS.git", "image": "ami-0335e1660e1197d63", "githubBranch": "${{ github.head_ref }}", "username": "rocky" }'
# Refactr API base URL
api_url: # optional

40
.github/workflows/develtomain.yml vendored
View file

@ -1,40 +0,0 @@
---
# This is a basic workflow to help you get started with Actions
name: DevelToMain
# Controls when the action will run. Triggers the workflow on push or pull request
# events but only for the devel branch
on:
pull_request:
branches: [ main ]
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v2
# Refactr pipeline for devel pull request/merge
- name: Refactr - Run Pipeline (to main)
# You may pin to the exact commit or the version.
# uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
uses: refactr/action-run-pipeline@v0.1.2
with:
# API token
api_token: '${{ secrets.REFACTR_KEY }}'
# Project ID
project_id: 5f47f0c4a13c7b18373e5556
# Job ID
job_id: 5f90ad90f9c74e6d1e606e33
# Variables
variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL9-CIS.git", "image": "ami-0335e1660e1197d63", "username": "rocky" }'
# Refactr API base URL
api_url: # optional

11
.github/workflows/github_networks.tf vendored Normal file
View file

@ -0,0 +1,11 @@
resource "aws_vpc" "Main" {
cidr_block = var.main_vpc_cidr
tags = var.instance_tags
}
resource "aws_internet_gateway" "IGW" {
vpc_id = aws_vpc.Main.id
tags = {
Name = "${var.namespace}-IGW"
}
}

12
.github/workflows/github_vars.tfvars vendored Normal file
View file

@ -0,0 +1,12 @@
// github_actions variables
// Resourced in github_networks.tf
// Declared in variables.tf
//
namespace = "github_actions"
// Matching pair name found in AWS for keypairs PEM key
ami_key_pair_name = "github_actions"
main_vpc_cidr = "172.22.0.0/24"
public_subnets = "172.22.0.128/26"
private_subnets = "172.22.0.192/26"

120
.github/workflows/linux_benchmark_testing.yml vendored Normal file
View file

@ -0,0 +1,120 @@
# This is a basic workflow to help you get started with Actions
name: linux_benchmark_pipeline
# Controls when the action will run.
# Triggers the workflow on push or pull request
# events but only for the devel branch
on:
pull_request_target:
types: [opened, reopened, synchronize]
branches:
- devel
- main
paths:
- '**.yml'
- '**.sh'
- '**.j2'
- '**.ps1'
- '**.cfg'
# A workflow run is made up of one or more jobs
# that can run sequentially or in parallel
jobs:
# This will create messages for first time contributers and direct them to the Discord server
welcome:
runs-on: ubuntu-latest
steps:
- uses: actions/first-interaction@v1.1.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: |-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://discord.gg/JFxpSgPFEJ) as well.
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on
runs-on: ubuntu-latest
env:
ENABLE_DEBUG: false
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE,
# so your job can access it
- uses: actions/checkout@v2
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Add_ssh_key
working-directory: .github/workflows
env:
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
run: |
mkdir .ssh
chmod 700 .ssh
echo $PRIVATE_KEY > .ssh/github_actions.pem
chmod 600 .ssh/github_actions.pem
### Build out the server
- name: Terraform_Init
working-directory: .github/workflows
run: terraform init
- name: Terraform_Validate
working-directory: .github/workflows
run: terraform validate
- name: Terraform_Apply
working-directory: .github/workflows
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
## Debug Section
- name: DEBUG - Show Ansible hostfile
if: env.ENABLE_DEBUG == 'true'
working-directory: .github/workflows
run: cat hosts.yml
# Centos 7 images take a while to come up insert sleep or playbook fails
- name: Check if test os is rhel7
working-directory: .github/workflows
id: test_os
run: >-
echo "::set-output name=RHEL7::$(
grep -c RHEL7 OS.tfvars
)"
- name: if RHEL7 - Sleep for 60 seconds
if: steps.test_os.outputs.RHEL7 >= 1
run: sleep 60s
shell: bash
# Run the ansible playbook
- name: Run_Ansible_Playbook
uses: arillso/action.playbook@master
with:
playbook: site.yml
inventory: .github/workflows/hosts.yml
galaxy_file: collections/requirements.yml
private_key: ${{ secrets.SSH_PRV_KEY }}
# verbose: 3
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
ANSIBLE_DEPRECATION_WARNINGS: "false"
# Remove test system - User secrets to keep if necessary
- name: Terraform_Destroy
working-directory: .github/workflows
if: always() && env.ENABLE_DEBUG == 'false'
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false

83
.github/workflows/main.tf vendored Normal file
View file

@ -0,0 +1,83 @@
provider "aws" {
profile = ""
region = var.aws_region
}
// Create a security group with access to port 22 and port 80 open to serve HTTP traffic
data "aws_vpc" "default" {
default = true
}
resource "random_id" "server" {
keepers = {
# Generate a new id each time we switch to a new AMI id
ami_id = "${var.ami_id}"
}
byte_length = 8
}
resource "aws_security_group" "github_actions" {
name = "${var.namespace}-${random_id.server.hex}"
vpc_id = data.aws_vpc.default.id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "${var.namespace}-SG"
}
}
// instance setup
resource "aws_instance" "testing_vm" {
ami = var.ami_id
associate_public_ip_address = true
key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs
instance_type = var.instance_type
tags = var.instance_tags
vpc_security_group_ids = [aws_security_group.github_actions.id]
root_block_device {
delete_on_termination = true
}
}
// generate inventory file
resource "local_file" "inventory" {
filename = "./hosts.yml"
directory_permission = "0755"
file_permission = "0644"
content = <<EOF
# benchmark host
all:
hosts:
${var.ami_os}:
ansible_host: ${aws_instance.testing_vm.public_ip}
ansible_user: ${var.ami_username}
vars:
setup_audit: true
run_audit: true
system_is_ec2: true
audit_git_version: devel
EOF
}

5
.github/workflows/terraform.tfvars vendored Normal file
View file

@ -0,0 +1,5 @@
// vars should be loaded by OSname.tfvars
aws_region = "us-east-1"
ami_os = var.ami_os
ami_username = var.ami_username
instance_tags = var.instance_tags

6
.github/workflows/test.sh vendored Normal file
View file

@ -0,0 +1,6 @@
RHEL7=$(grep -c RHEL7 OS.tfvars)
if [ `echo $?` != 0 ]; then
exit 0
fi

65
.github/workflows/variables.tf vendored Normal file
View file

@ -0,0 +1,65 @@
// Taken from the OSname.tfvars
variable "aws_region" {
description = "AWS region"
default = "us-east-1"
type = string
}
variable "instance_type" {
description = "EC2 Instance Type"
default = "t3.micro"
type = string
}
variable "instance_tags" {
description = "Tags to set for instances"
type = map(string)
}
variable "ami_key_pair_name" {
description = "Name of key pair in AWS thats used"
type = string
}
variable "ami_os" {
description = "AMI OS Type"
type = string
}
variable "ami_id" {
description = "AMI ID reference"
type = string
}
variable "ami_username" {
description = "Username for the ami id"
type = string
}
variable "ami_user_home" {
description = "home dir for the username"
type = string
}
variable "namespace" {
description = "Name used across all tags"
type = string
}
// taken from github_vars.tfvars &
variable "main_vpc_cidr" {
description = "Private cidr block to be used for vpc"
type = string
}
variable "public_subnets" {
description = "public subnet cidr block"
type = string
}
variable "private_subnets" {
description = "private subnet cidr block"
type = string
}

4
README.md
View file

@ -14,6 +14,10 @@ Configure RHEL 9 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/)
Based on [CIS RedHat Enterprise Linux 8 Benchmark v1.0.1 - 05-19-2021 ](https://www.cisecurity.org/cis-benchmarks/) Based on [CIS RedHat Enterprise Linux 8 Benchmark v1.0.1 - 05-19-2021 ](https://www.cisecurity.org/cis-benchmarks/)
## Join us
On our [Discord Server](https://discord.gg/JFxpSgPFEJ) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
## Caution(s) ## Caution(s)
This role **will make changes to the system** which may have unintended concequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. This role **will make changes to the system** which may have unintended concequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.

8
collections/requirements.yml Normal file
View file

@ -0,0 +1,8 @@
---
collections:
- name: community.general
- name: community.crypto
- name: ansible.posix

11
meta/main.yml
View file

@ -5,7 +5,7 @@ galaxy_info:
company: "MindPoint Group" company: "MindPoint Group"
license: MIT license: MIT
role_name: rhel9_cis role_name: rhel9_cis
min_ansible_version: 2.9.0 min_ansible_version: 2.10.0
platforms: platforms:
- name: EL - name: EL
versions: versions:
@ -13,9 +13,16 @@ galaxy_info:
galaxy_tags: galaxy_tags:
- system - system
- security - security
- cis - stig
- hardening - hardening
- benchmark - benchmark
- compliance
- redhat
- complianceascode
- disa
- rhel9
collections: collections:
- community.general - community.general
- community.crypto
- ansible.posix
dependencies: [] dependencies: []

2
vars/main.yml
View file

@ -1,7 +1,7 @@
--- ---
# vars file for RHEL9-CIS # vars file for RHEL9-CIS
min_ansible_version: 2.9 min_ansible_version: 2.10
rhel9cis_allowed_crypto_policies: rhel9cis_allowed_crypto_policies:
- 'FUTURE' - 'FUTURE'
- 'FIPS' - 'FIPS'