Collections (#7)

* added collections requiremenst for tower integration Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * added crypto & posix Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed older files Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated workflow uses rocky8 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated tags Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated ansible ver Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated discord info Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-12-24 22:23:06 +00:00 · 2022-03-02 13:19:54 +00:00 · 2022-03-02 13:19:54 +00:00 · ac744cb5ae
commit ac744cb5ae
parent 79cc69e3d9
14 changed files with 333 additions and 82 deletions
--- a/.github/workflows/OS.tfvars
+++ b/.github/workflows/OS.tfvars
@ -0,0 +1,9 @@
+#Ami Rocky 85
+ami_id        = "ami-043ceee68871e0bb5"
+ami_os        = "rocky8"
+ami_username  = "rocky"
+ami_user_home = "/home/rocky"
+instance_tags = {
+  Name        = "RHEL9-CIS"
+  Environment = "lockdown_github_repo_workflow"
+}
--- a/.github/workflows/communitytodevel.yml
+++ b/.github/workflows/communitytodevel.yml
@ -1,39 +0,0 @@
---
-# This is a basic workflow to help you get started with Actions
-
-name: CommunityToDevel
-
-# Controls when the action will run. Triggers the workflow on push or pull request
-# events but only for the devel branch
-on:
-    pull_request:
-        branches: [ devel ]
-
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
-jobs:
-    # This workflow contains a single job called "build"
-    build:
-        # The type of runner that the job will run on
-        runs-on: ubuntu-latest
-
-        # Steps represent a sequence of tasks that will be executed as part of the job
-        steps:
-            # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-            - uses: actions/checkout@v2
-
-            # Refactr pipeline for devel pull request/merge
-            - name: Refactr - Run Pipeline (to devel)
-              # You may pin to the exact commit or the version.
-              # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
-              uses: refactr/action-run-pipeline@v0.1.2
-              with:
-                  # API token
-                  api_token: '${{ secrets.REFACTR_KEY }}'
-                  # Project ID
-                  project_id: 5f47f0c4a13c7b18373e5556
-                  # Job ID
-                  job_id: 5f933cbcf9c74e86b1609c00
-                  # Variables
-                  variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL9-CIS.git", "image": "ami-0335e1660e1197d63", "githubBranch": "${{ github.head_ref }}", "username": "rocky" }'
-                  # Refactr API base URL
-                  api_url:  # optional
--- a/.github/workflows/develtomain.yml
+++ b/.github/workflows/develtomain.yml
@ -1,40 +0,0 @@
---
-# This is a basic workflow to help you get started with Actions
-
-name: DevelToMain
-
-# Controls when the action will run. Triggers the workflow on push or pull request
-# events but only for the devel branch
-on:
-    pull_request:
-        branches: [ main ]
-
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
-
-jobs:
-    # This workflow contains a single job called "build"
-    build:
-        # The type of runner that the job will run on
-        runs-on: ubuntu-latest
-
-        # Steps represent a sequence of tasks that will be executed as part of the job
-        steps:
-            # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-            - uses: actions/checkout@v2
-
-            # Refactr pipeline for devel pull request/merge
-            - name: Refactr - Run Pipeline (to main)
-              # You may pin to the exact commit or the version.
-              # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
-              uses: refactr/action-run-pipeline@v0.1.2
-              with:
-                  # API token
-                  api_token: '${{ secrets.REFACTR_KEY }}'
-                  # Project ID
-                  project_id: 5f47f0c4a13c7b18373e5556
-                  # Job ID
-                  job_id: 5f90ad90f9c74e6d1e606e33
-                  # Variables
-                  variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL9-CIS.git", "image": "ami-0335e1660e1197d63", "username": "rocky" }'
-                  # Refactr API base URL
-                  api_url:  # optional
--- a/.github/workflows/github_networks.tf
+++ b/.github/workflows/github_networks.tf
@ -0,0 +1,11 @@
+resource "aws_vpc" "Main" {
+  cidr_block = var.main_vpc_cidr
+  tags = var.instance_tags
+}
+
+resource "aws_internet_gateway" "IGW" {
+  vpc_id = aws_vpc.Main.id
+  tags = {
+    Name      = "${var.namespace}-IGW"
+  }
+}
--- a/.github/workflows/github_vars.tfvars
+++ b/.github/workflows/github_vars.tfvars
@ -0,0 +1,12 @@
+// github_actions variables
+// Resourced in github_networks.tf
+// Declared in variables.tf
+// 
+
+namespace         = "github_actions"
+
+// Matching pair name found in AWS for keypairs PEM key
+ami_key_pair_name = "github_actions"
+main_vpc_cidr     = "172.22.0.0/24"
+public_subnets    = "172.22.0.128/26"
+private_subnets   = "172.22.0.192/26"
--- a/.github/workflows/linux_benchmark_testing.yml
+++ b/.github/workflows/linux_benchmark_testing.yml
@ -0,0 +1,120 @@
+# This is a basic workflow to help you get started with Actions
+
+name: linux_benchmark_pipeline
+
+# Controls when the action will run.
+# Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+    branches:
+      - devel
+      - main
+    paths:
+      - '**.yml'
+      - '**.sh'
+      - '**.j2'
+      - '**.ps1'
+      - '**.cfg'
+
+# A workflow run is made up of one or more jobs
+# that can run sequentially or in parallel
+jobs:
+  # This will create messages for first time contributers and direct them to the Discord server
+  welcome:
+      runs-on: ubuntu-latest
+
+      steps:
+          - uses: actions/first-interaction@v1.1.0
+            with:
+                repo-token: ${{ secrets.GITHUB_TOKEN }}
+                pr-message: |-
+                  Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! 
+                  Please join in the conversation happening on the [Discord Server](https://discord.gg/JFxpSgPFEJ) as well.
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    env: 
+      ENABLE_DEBUG: false
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, 
+      # so your job can access it
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Add_ssh_key
+        working-directory: .github/workflows
+        env:
+          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+          PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
+        run: |
+          mkdir .ssh
+          chmod 700 .ssh
+          echo $PRIVATE_KEY > .ssh/github_actions.pem
+          chmod 600 .ssh/github_actions.pem
+
+### Build out the server
+      - name: Terraform_Init
+        working-directory: .github/workflows
+        run: terraform init
+
+      - name: Terraform_Validate
+        working-directory: .github/workflows
+        run: terraform validate
+
+      - name: Terraform_Apply
+        working-directory: .github/workflows
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
+
+## Debug Section
+      - name: DEBUG - Show Ansible hostfile
+        if: env.ENABLE_DEBUG == 'true'
+        working-directory: .github/workflows
+        run: cat hosts.yml
+
+# Centos 7 images take a while to come up insert sleep or playbook fails
+
+      - name: Check if test os is rhel7
+        working-directory: .github/workflows
+        id: test_os
+        run: >-
+          echo "::set-output name=RHEL7::$(
+          grep -c RHEL7 OS.tfvars
+          )"
+
+      - name: if RHEL7 - Sleep for 60 seconds
+        if: steps.test_os.outputs.RHEL7 >= 1
+        run: sleep 60s
+        shell: bash
+
+# Run the ansible playbook
+      - name: Run_Ansible_Playbook
+        uses: arillso/action.playbook@master
+        with:
+          playbook: site.yml
+          inventory: .github/workflows/hosts.yml
+          galaxy_file: collections/requirements.yml
+          private_key: ${{ secrets.SSH_PRV_KEY }}
+#          verbose: 3
+        env:
+          ANSIBLE_HOST_KEY_CHECKING: "false"
+          ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+# Remove test system - User secrets to keep if necessary
+
+      - name: Terraform_Destroy
+        working-directory: .github/workflows
+        if: always() && env.ENABLE_DEBUG == 'false'
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
--- a/.github/workflows/main.tf
+++ b/.github/workflows/main.tf
@ -0,0 +1,83 @@
+provider "aws" {
+  profile = ""
+  region  = var.aws_region
+}
+
+// Create a security group with access to port 22 and port 80 open to serve HTTP traffic
+
+data "aws_vpc" "default" {
+  default = true
+}
+
+resource "random_id" "server" {
+  keepers = {
+    # Generate a new id each time we switch to a new AMI id
+    ami_id = "${var.ami_id}"
+  }
+
+  byte_length = 8
+}
+
+resource "aws_security_group" "github_actions" {
+  name   = "${var.namespace}-${random_id.server.hex}"
+  vpc_id = data.aws_vpc.default.id
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = {
+    Name = "${var.namespace}-SG"
+ }
+}
+
+// instance setup
+
+resource "aws_instance" "testing_vm" {
+  ami                         = var.ami_id
+  associate_public_ip_address = true
+  key_name                    = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs
+  instance_type               = var.instance_type
+  tags                        = var.instance_tags
+  vpc_security_group_ids      = [aws_security_group.github_actions.id]
+  root_block_device {
+        delete_on_termination = true
+  }
+}
+
+// generate inventory file
+resource "local_file" "inventory" {
+  filename = "./hosts.yml"
+  directory_permission = "0755"
+  file_permission      = "0644"
+  content  = <<EOF
+    # benchmark host
+    all:
+      hosts:
+        ${var.ami_os}:
+          ansible_host: ${aws_instance.testing_vm.public_ip}
+          ansible_user: ${var.ami_username}
+      vars:
+        setup_audit: true
+        run_audit: true
+        system_is_ec2: true
+        audit_git_version: devel
+    EOF
+}
+
--- a/.github/workflows/terraform.tfvars
+++ b/.github/workflows/terraform.tfvars
@ -0,0 +1,5 @@
+// vars should be loaded by OSname.tfvars
+aws_region    = "us-east-1"
+ami_os        = var.ami_os
+ami_username  = var.ami_username
+instance_tags = var.instance_tags
--- a/.github/workflows/test.sh
+++ b/.github/workflows/test.sh
@ -0,0 +1,6 @@
+RHEL7=$(grep -c RHEL7 OS.tfvars)
+if [ `echo $?` != 0 ]; then
+   exit 0
+fi
+    
+  
--- a/.github/workflows/variables.tf
+++ b/.github/workflows/variables.tf
@ -0,0 +1,65 @@
+// Taken from the OSname.tfvars
+
+variable "aws_region" {
+  description = "AWS region"
+  default     = "us-east-1"
+  type        = string
+}
+
+variable "instance_type" {
+  description = "EC2 Instance Type"
+  default     = "t3.micro"
+  type        = string
+}
+
+variable "instance_tags" {
+  description = "Tags to set for instances"
+  type        = map(string)
+}
+
+variable "ami_key_pair_name" {
+  description = "Name of key pair in AWS thats used"
+  type        = string
+}
+
+variable "ami_os" {
+  description = "AMI OS Type"
+  type        = string
+}
+
+variable "ami_id" {
+  description = "AMI ID reference"
+  type = string
+}
+
+variable "ami_username" {
+  description = "Username for the ami id"
+  type        = string
+}
+
+variable "ami_user_home" {
+  description = "home dir for the username"
+  type        = string
+}
+
+variable "namespace" {
+  description = "Name used across all tags"
+  type        = string
+}
+
+// taken from github_vars.tfvars &
+
+variable "main_vpc_cidr" {
+  description = "Private cidr block to be used for vpc"
+  type        = string
+}
+
+variable "public_subnets" {
+  description = "public subnet cidr block"
+  type        = string
+}
+
+variable "private_subnets" {
+  description = "private subnet cidr block"
+  type        = string
+}
--- a/README.md
+++ b/README.md
@ -14,6 +14,10 @@ Configure RHEL 9 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/)

 Based on [CIS RedHat Enterprise Linux 8 Benchmark v1.0.1 - 05-19-2021 ](https://www.cisecurity.org/cis-benchmarks/)

+## Join us
+
+On our [Discord Server](https://discord.gg/JFxpSgPFEJ) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
+
 ## Caution(s)

 This role **will make changes to the system** which may have unintended concequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
--- a/collections/requirements.yml
+++ b/collections/requirements.yml
@ -0,0 +1,8 @@
+---
+
+collections:
+- name: community.general
+
+- name: community.crypto
+
+- name: ansible.posix
--- a/meta/main.yml
+++ b/meta/main.yml
@ -5,7 +5,7 @@ galaxy_info:
    company: "MindPoint Group"
    license: MIT
    role_name: rhel9_cis
-    min_ansible_version: 2.9.0
+    min_ansible_version: 2.10.0
    platforms:
        - name: EL
          versions:
@ -13,9 +13,16 @@ galaxy_info:
    galaxy_tags:
        - system
        - security
-        - cis
+        - stig
        - hardening
        - benchmark
+        - compliance
+        - redhat
+        - complianceascode
+        - disa
+        - rhel9
 collections:
  - community.general
+  - community.crypto
+  - ansible.posix
 dependencies: []
--- a/vars/main.yml
+++ b/vars/main.yml
@ -1,7 +1,7 @@
 ---
 # vars file for RHEL9-CIS

-min_ansible_version: 2.9
+min_ansible_version: 2.10
 rhel9cis_allowed_crypto_policies:
    - 'FUTURE'
    - 'FIPS'