diff --git a/molecule/mysql_hardening/molecule.yml b/molecule/mysql_hardening/molecule.yml index e1f8a3275..b4bf6db2f 100644 --- a/molecule/mysql_hardening/molecule.yml +++ b/molecule/mysql_hardening/molecule.yml @@ -8,7 +8,7 @@ driver: name: docker platforms: - name: instance - image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest" + image: "ghcr.io/dev-sec/docker-${MOLECULE_DISTRO}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/molecule/nginx_hardening/molecule.yml b/molecule/nginx_hardening/molecule.yml index d854d08da..a722c8936 100644 --- a/molecule/nginx_hardening/molecule.yml +++ b/molecule/nginx_hardening/molecule.yml @@ -7,7 +7,7 @@ driver: name: docker platforms: - name: instance - image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest" + image: "ghcr.io/dev-sec/docker-${MOLECULE_DISTRO}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/molecule/os_hardening/molecule.yml b/molecule/os_hardening/molecule.yml index 31fdc6be7..f834c81a5 100644 --- a/molecule/os_hardening/molecule.yml +++ b/molecule/os_hardening/molecule.yml @@ -3,7 +3,7 @@ driver: name: docker platforms: - name: instance - image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest" + image: "ghcr.io/dev-sec/docker-${MOLECULE_DISTRO}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/molecule/os_hardening/prepare.yml b/molecule/os_hardening/prepare.yml index 5479be75d..866960d63 100644 --- a/molecule/os_hardening/prepare.yml +++ b/molecule/os_hardening/prepare.yml @@ -1,5 +1,5 @@ --- -- name: wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing +- name: Wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing hosts: all become: true environment: 
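Review bot: The new `image: "ghcr.io/dev-sec/docker-${MOLECULE_DISTRO}-ansible:latest"` line in the mysql_hardening platforms stanza still floats on the `:latest` tag, so the test base image can change underneath a run with no record of which build was exercised; the identical hunks in nginx_hardening, os_hardening, ssh_hardening and ssh_hardening_custom_tests molecule.yml have the same property. Where the dev-sec images carry versioned tags, pinning to one (or to a per-distro `@sha256:<digest-placeholder>`) makes a failing run reproducible and turns an upstream image change into a visible diff rather than a silent pull. If tracking the newest image is deliberate for this matrix, a one-line comment above the key such as `# intentionally unpinned: CI tracks the latest dev-sec test images` records that decision so it is not re-raised in review.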
@@ -7,32 +7,31 @@ https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" tasks: - - name: set ansible_python_interpreter to "/usr/bin/python3" on fedora - set_fact: - ansible_python_interpreter: "/usr/bin/python3" - when: ansible_facts.distribution == 'Fedora' - - - name: Run the equivalent of "apt-get update && apt-get upgrade" - apt: - name: "*" - state: latest + - name: Install Python3 on Debian 10 + ansible.builtin.apt: + name: python3 + state: present update_cache: true when: ansible_os_family == 'Debian' - - name: install required tools on SuSE + - name: Set ansible_python_interpreter to "/usr/bin/python3" + ansible.builtin.set_fact: + ansible_python_interpreter: /usr/bin/python3 + + - name: Install required tools on SuSE # cannot use zypper module, since it depends on python-xml - shell: "zypper -n install python-xml" + ansible.builtin.shell: zypper -n install python-xml when: ansible_facts.os_family == 'Suse' - - name: install required tools on fedora - dnf: + - name: Install required tools on fedora + ansible.builtin.dnf: name: - python - findutils - procps-ng when: ansible_facts.distribution == 'Fedora' - - name: install required tools on Arch + - name: Install required tools on Arch community.general.pacman: name: - awk @@ -40,8 +39,8 @@ update_cache: true when: ansible_facts.os_family == 'Archlinux' - - name: install required tools on RHEL # noqa ignore-errors - yum: + - name: Install required tools on RHEL # noqa ignore-errors + ansible.builtin.yum: name: - openssh-clients - openssh 
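Review bot: The added `when: ansible_os_family == 'Debian'` on the new "Install Python3 on Debian 10" task in prepare.yml uses the legacy injected fact variable, while every other condition in the same hunk reads `ansible_facts.os_family` or `ansible_facts.distribution`; with `inject_facts_as_vars` disabled the task would fail on an undefined variable instead of skipping. Writing it as `when: ansible_facts.os_family == 'Debian'` keeps the file on one convention. The task name also says Debian 10 while the condition matches the whole Debian family, Ubuntu included, so either narrow the condition or rename the task to describe what it actually does.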
@@ -49,15 +48,15 @@ update_cache: true ignore_errors: true - - name: create recursing symlink to test minimize access - shell: "rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz" + - name: Create recursing symlink to test minimize access + ansible.builtin.shell: rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz changed_when: false - - name: include YUM prepare tasks - include_tasks: prepare_tasks/yum.yml + - name: Include YUM prepare tasks + ansible.builtin.include_tasks: prepare_tasks/yum.yml when: ansible_facts.os_family == 'RedHat' - - name: include preparation tasks + - name: Include preparation tasks ansible.builtin.include_tasks: file: "{{ item }}" loop: diff --git a/molecule/os_hardening/verify.yml b/molecule/os_hardening/verify.yml index c890eb3f0..7986ebfd3 100644 --- a/molecule/os_hardening/verify.yml +++ b/molecule/os_hardening/verify.yml 
@@ -7,28 +7,27 @@ https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}" no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" tasks: - - name: set ansible_python_interpreter to "/usr/bin/python3" - set_fact: - ansible_python_interpreter: "/usr/bin/python3" + - name: Set ansible_python_interpreter to "/usr/bin/python3" + ansible.builtin.set_fact: + ansible_python_interpreter: /usr/bin/python3 - - name: include verification tasks + - name: Include verification tasks ansible.builtin.include_tasks: file: "{{ item }}" - loop: + loop: - verify_tasks/sys_account_shell.yml - verify_tasks/pw_ageing.yml - verify_tasks/netrc.yml - verify_tasks/ignore_home_folders.yml -# temp. disabled - https://github.com/dev-sec/ansible-collection-hardening/issues/690 -# - name: include PAM tests -# include_tasks: verify_tasks/pam.yml -# when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat' - - - name: include YUM tests - include_tasks: verify_tasks/yum.yml + - name: Include YUM tests + ansible.builtin.include_tasks: verify_tasks/yum.yml when: ansible_facts.os_family == 'RedHat' + - name: Include PAM tests + ansible.builtin.include_tasks: verify_tasks/pam.yml + when: ansible_facts.distribution in ['Debian', 'Ubuntu'] or ansible_facts.os_family == 'RedHat' + - name: Verify hosts: localhost environment: @@ -37,7 +36,7 @@ no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}" tasks: - name: Execute cinc-auditor tests - command: > + ansible.builtin.command: > docker run --volume /run/docker.sock:/run/docker.sock --volume {{ playbook_dir }}/waivers.yaml:/waivers.yaml @@ -51,12 +50,12 @@ ignore_errors: true - name: Display details about the cinc-auditor results - debug: + ansible.builtin.debug: msg: "{{ test_results.stdout_lines }}" - name: Fail when tests fail - fail: - msg: "Inspec failed to validate" + ansible.builtin.fail: + msg: Inspec failed to validate when: test_results.rc != 0 - name: Verify 
@@ -70,15 +69,15 @@ - devsec.hardening tasks: # test if variable can be overridden - - name: workaround for https://github.com/ansible/ansible/issues/66304 - set_fact: - ansible_virtualization_type: "docker" + - name: Workaround for https://github.com/ansible/ansible/issues/66304 + ansible.builtin.set_fact: + ansible_virtualization_type: docker os_env_umask: "027 #override" - - include_role: + - ansible.builtin.include_role: name: os_hardening - - name: verify os_env_umask - shell: + - name: Verify os_env_umask + ansible.builtin.shell: cmd: "grep '027 #override' /etc/login.defs" changed_when: false diff --git a/molecule/os_hardening/verify_tasks/netrc.yml b/molecule/os_hardening/verify_tasks/netrc.yml index cee31463d..7e27aebe6 100644 --- a/molecule/os_hardening/verify_tasks/netrc.yml +++ b/molecule/os_hardening/verify_tasks/netrc.yml @@ -1,19 +1,19 @@ --- - name: test that .netrc in root homedir exists ansible.builtin.file: - path: '/root/.netrc' + path: /root/.netrc state: file register: result_test_netrc - name: output result if .netrc for user root exists ansible.builtin.assert: that: - - "result_test_netrc.state == 'file'" - fail_msg: ".netrc in /root/ not present" - success_msg: ".netrc exists in /root/" + - result_test_netrc.state == 'file' + fail_msg: .netrc in /root/ not present + success_msg: .netrc exists in /root/ - name: delete '.netrc' in /root ansible.builtin.file: - path: '/root/.netrc' + path: /root/.netrc state: absent when: result_test_netrc.state == 'file' diff --git a/molecule/os_hardening/verify_tasks/pam.yml b/molecule/os_hardening/verify_tasks/pam.yml index c71cae010..fee7ade07 100644 --- a/molecule/os_hardening/verify_tasks/pam.yml +++ b/molecule/os_hardening/verify_tasks/pam.yml 
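Review bot: The rewritten "Verify os_env_umask" task in verify.yml wraps a plain `grep '027 #override' /etc/login.defs` in `ansible.builtin.shell` although the command uses no shell features; `ansible.builtin.command` is the safer default because nothing is passed through a shell, and it is what this same commit uses for the grep checks in verify_tasks/yum.yml. Replacing the module line with `ansible.builtin.command:` and keeping the existing `cmd:` and `changed_when: false` preserves behaviour and satisfies ansible-lint's command-instead-of-shell rule.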
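Review bot: The task names in verify_tasks/netrc.yml (`test that .netrc in root homedir exists`, `output result if .netrc for user root exists`, `delete '.netrc' in /root`) stay lowercase while this commit capitalises every other task name it touches, so the file will still trip the name-casing lint the rest of the change is fixing; `- name: Test that .netrc in root homedir exists` and the same treatment for the other two finishes the job. Separately, `ansible.builtin.file` with `state: file` errors out when the path is absent, so the assert on `result_test_netrc.state == 'file'` can only ever observe the success case; if the intent is for the assert to report a missing file, `ansible.builtin.stat` with `register` and a check on `result_test_netrc.stat.exists` is the usual form.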
@@ -1,66 +1,65 @@ --- - -- name: install pip - package: +- name: Install pip + ansible.builtin.package: name: - python3-pip - python3-setuptools state: present -- name: install pam-tester +- name: Install pam-tester ansible.builtin.pip: name: pam-tester state: present executable: /usr/bin/pip3 -- name: set password for test - set_fact: - test_pw: "myTest!pw" +- name: Set password for test + ansible.builtin.set_fact: + test_pw: myTestpwSage -- name: set locale for test - set_fact: - locale: "en_US.UTF-8" +- name: Set locale for test + ansible.builtin.set_fact: + locale: en_US.UTF-8 when: - ansible_facts.os_family == 'RedHat' - ansible_facts.distribution_major_version < '8' -- name: create testuser - user: +- name: Create testuser + ansible.builtin.user: name: testuser password: "{{ test_pw | password_hash('sha512') }}" -- name: check successful login with correct password - shell: - cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}" +- name: Check successful login with correct password + ansible.builtin.shell: + cmd: /usr/local/bin/pam-tester --user testuser --password {{ test_pw }} environment: TMPDIR: /var/tmp LC_ALL: "{{ locale | default('C.UTF-8') }}" LANG: "{{ locale | default('C.UTF-8') }}" -- name: check unsuccessful login with incorrect password - shell: - cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail" +- name: Check unsuccessful login with incorrect password + ansible.builtin.shell: + cmd: /usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail environment: TMPDIR: /var/tmp LC_ALL: "{{ locale | default('C.UTF-8') }}" LANG: "{{ locale | default('C.UTF-8') }}" with_sequence: count=6 -- name: check unsuccessful login, with correct password (lockout) - shell: - cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail" +- name: Check unsuccessful login, with correct password (lockout) + ansible.builtin.shell: + cmd: 
/usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail environment: TMPDIR: /var/tmp LC_ALL: "{{ locale | default('C.UTF-8') }}" LANG: "{{ locale | default('C.UTF-8') }}" -- name: wait for account to unlock - pause: +- name: Wait for account to unlock + ansible.builtin.pause: seconds: 20 -- name: check successful login - shell: - cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}" +- name: Check successful login + ansible.builtin.shell: + cmd: /usr/local/bin/pam-tester --user testuser --password {{ test_pw }} environment: TMPDIR: /var/tmp LC_ALL: "{{ locale | default('C.UTF-8') }}" diff --git a/molecule/os_hardening/verify_tasks/sys_account_shell.yml b/molecule/os_hardening/verify_tasks/sys_account_shell.yml index e44c197c2..731519783 100644 --- a/molecule/os_hardening/verify_tasks/sys_account_shell.yml +++ b/molecule/os_hardening/verify_tasks/sys_account_shell.yml @@ -1,8 +1,9 @@ +--- - name: Read local linux user database - getent: + ansible.builtin.getent: database: passwd - name: Check that shell_sys_acc's shell is still bash - assert: + ansible.builtin.assert: that: - getent_passwd['shell_sys_acc'][5] == "/bin/bash" diff --git a/molecule/os_hardening/verify_tasks/yum.yml b/molecule/os_hardening/verify_tasks/yum.yml index 15afbbf20..dc89f6b25 100644 --- a/molecule/os_hardening/verify_tasks/yum.yml +++ b/molecule/os_hardening/verify_tasks/yum.yml @@ -1,8 +1,8 @@ --- - name: verify 'gpgcheck' was not enabled for 'foo' repository (in whitelist) - command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo + ansible.builtin.command: grep -e 'gpgcheck\s*=\s*0' /etc/yum.repos.d/foo.repo changed_when: false - name: verify 'gpgcheck' was enabled for 'bar' repository (not in whitelist) - command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo + ansible.builtin.command: grep -e 'gpgcheck\s*=\s*1' /etc/yum.repos.d/bar.repo changed_when: false 
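Review bot: The rewritten pam-tester checks in verify_tasks/pam.yml ("Check successful login with correct password" through "Check successful login") are `ansible.builtin.shell` tasks with no `changed_when`, so every run reports them as changed and ansible-lint's no-changed-when rule flags them; adding `changed_when: false` to each, as the grep checks in verify_tasks/yum.yml already do, marks them as read-only verifications. None of the `cmd:` values use shell syntax, so `ansible.builtin.command` would also suffice. `test_pw: myTestpwSage` is a throwaway fixture value, but it is interpolated onto each command line and echoed in task output; `no_log: true` on the pam-tester tasks keeps it out of the Molecule logs if that matters for this CI. The hunk covers the whole file, so nothing relevant is hidden outside it.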
diff --git a/molecule/os_hardening_vm/verify_tasks/pam.yml b/molecule/os_hardening_vm/verify_tasks/pam.yml index bfbb7a3b1..c71cae010 100644 --- a/molecule/os_hardening_vm/verify_tasks/pam.yml +++ b/molecule/os_hardening_vm/verify_tasks/pam.yml @@ -1,4 +1,5 @@ --- + - name: install pip package: name: @@ -10,6 +11,7 @@ ansible.builtin.pip: name: pam-tester state: present + executable: /usr/bin/pip3 - name: set password for test set_fact: @@ -29,7 +31,7 @@ - name: check successful login with correct password shell: - cmd: "pam-tester --user testuser --password {{ test_pw }}" + cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}" environment: TMPDIR: /var/tmp LC_ALL: "{{ locale | default('C.UTF-8') }}" @@ -37,7 +39,7 @@ - name: check unsuccessful login with incorrect password shell: - cmd: "pam-tester --user testuser --password {{ test_pw }}fail --expectfail" + cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}fail --expectfail" environment: TMPDIR: /var/tmp LC_ALL: "{{ locale | default('C.UTF-8') }}" @@ -46,7 +48,7 @@ - name: check unsuccessful login, with correct password (lockout) shell: - cmd: "pam-tester --user testuser --password {{ test_pw }} --expectfail" + cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }} --expectfail" environment: TMPDIR: /var/tmp LC_ALL: "{{ locale | default('C.UTF-8') }}" @@ -58,7 +60,7 @@ - name: check successful login shell: - cmd: "pam-tester --user testuser --password {{ test_pw }}" + cmd: "/usr/local/bin/pam-tester --user testuser --password {{ test_pw }}" environment: TMPDIR: /var/tmp LC_ALL: "{{ locale | default('C.UTF-8') }}" diff --git a/molecule/ssh_hardening/molecule.yml b/molecule/ssh_hardening/molecule.yml index 591a5a514..e35ca16d9 100644 --- a/molecule/ssh_hardening/molecule.yml +++ b/molecule/ssh_hardening/molecule.yml 
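Review bot: The four hunks in molecule/os_hardening_vm/verify_tasks/pam.yml that change `cmd:` to `"/usr/local/bin/pam-tester ..."` hard-code the console-script location, which presumably follows from the new `executable: /usr/bin/pip3` in the install task; on a platform where that pip places scripts somewhere other than /usr/local/bin the checks fail with a missing-file error rather than a PAM result, which then reads as a lockout failure. If the absolute path is there because /usr/local/bin is not on the remote PATH, adding `PATH: "/usr/local/bin:{{ ansible_env.PATH }}"` to the existing `environment:` block next to `TMPDIR` and `LC_ALL` keeps the command portable while still finding the binary. The hunks at -37, -46 and -58 make the same change, so whichever fix is chosen applies to all four.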
@@ -3,7 +3,7 @@ driver: name: docker platforms: - name: instance - image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest" + image: "ghcr.io/dev-sec/docker-${MOLECULE_DISTRO}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw diff --git a/molecule/ssh_hardening_custom_tests/molecule.yml b/molecule/ssh_hardening_custom_tests/molecule.yml index 31fdc6be7..f834c81a5 100644 --- a/molecule/ssh_hardening_custom_tests/molecule.yml +++ b/molecule/ssh_hardening_custom_tests/molecule.yml @@ -3,7 +3,7 @@ driver: name: docker platforms: - name: instance - image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest" + image: "ghcr.io/dev-sec/docker-${MOLECULE_DISTRO}-ansible:latest" command: ${MOLECULE_DOCKER_COMMAND:-/lib/systemd/systemd} volumes: - /sys/fs/cgroup:/sys/fs/cgroup:rw