diff --git a/.config/ansible-lint.yml b/.config/ansible-lint.yml index f5de6ed2a..408d3391e 100644 --- a/.config/ansible-lint.yml +++ b/.config/ansible-lint.yml @@ -8,9 +8,10 @@ exclude_paths: - .ansible/ # somehow someone decided that the cache directory should be renamed # add all waivers individually, since exclude_files does not support globs - molecule/os_hardening/waivers.yaml - - molecule/ssh_hardening_bsd/waivers_freebsd13.yaml - - molecule/ssh_hardening_bsd/waivers_freebsd14.yaml - - molecule/ssh_hardening_bsd/waivers_openbsd7.yaml + - molecule/ssh_hardening_vm/waivers_freebsd13.yaml + - molecule/ssh_hardening_vm/waivers_freebsd14.yaml + - molecule/ssh_hardening_vm/waivers_openbsd7.yaml + - molecule/ssh_hardening_vm/waivers_ubuntu-24.04.yaml mock_roles: - geerlingguy.git diff --git a/.github/workflows/ssh_hardening_bsd.yml b/.github/workflows/ssh_hardening_vm.yml similarity index 54% rename from .github/workflows/ssh_hardening_bsd.yml rename to .github/workflows/ssh_hardening_vm.yml index e4b5598f1..e8b9b8595 100644 --- a/.github/workflows/ssh_hardening_bsd.yml +++ b/.github/workflows/ssh_hardening_vm.yml @@ -1,20 +1,20 @@ --- -name: "devsec.ssh_hardening BSD" +name: "devsec.ssh_hardening VM" on: # yamllint disable-line rule:truthy workflow_dispatch: push: branches: [master] paths: - 'roles/ssh_hardening/**' - - 'molecule/ssh_hardening_bsd/**' - - '.github/workflows/ssh_hardening_bsd.yml' + - 'molecule/ssh_hardening_vm/**' + - '.github/workflows/ssh_hardening_vm.yml' - 'requirements.txt' pull_request: branches: [master] paths: - 'roles/ssh_hardening/**' - - 'molecule/ssh_hardening_bsd/**' - - '.github/workflows/ssh_hardening_bsd.yml' + - 'molecule/ssh_hardening_vm/**' + - '.github/workflows/ssh_hardening_vm.yml' - 'requirements.txt' schedule: - cron: '0 6 * * 5' 
@@ -36,9 +36,10 @@ jobs: fail-fast: false matrix: molecule_distro: - - openbsd7 - - freebsd13 - - freebsd14 + - generic/openbsd7 + - generic/freebsd13 + - generic/freebsd14 + - cloud-image/ubuntu-24.04 steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 @@ -46,11 +47,22 @@ jobs: path: ansible_collections/devsec/hardening submodules: true + - name: Install dependencies + run: | + source ~/.venv/ansible-collection-hardening/bin/activate + python -m pip install --no-cache-dir --upgrade pip + pip install -r requirements.txt + pip install python-vagrant + working-directory: ansible_collections/devsec/hardening + - name: Update Vagrant Box - run: vagrant box update --box generic/${{ matrix.molecule_distro }} || true + run: | + vagrant box update --box ${{ matrix.molecule_distro }} || true - name: Test with molecule - run: molecule test -s ssh_hardening_bsd + run: | + source ~/.venv/ansible-collection-hardening/bin/activate + molecule test -s ssh_hardening_vm env: MOLECULE_DISTRO: ${{ matrix.molecule_distro }} working-directory: ansible_collections/devsec/hardening diff --git a/README.md b/README.md index 94f77e63a..ced4be406 100644 --- a/README.md +++ b/README.md 
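Review bot: The new "Install dependencies" step installs `python-vagrant` from PyPI with no version pin or hash, while the checkout action in the same job is pinned to a commit SHA, so this job's supply-chain posture now depends on whatever PyPI serves on the day the cron fires. Pin it in requirements.txt alongside the other dependencies, or at least `pip install 'python-vagrant==<pinned version>'`, and use `--require-hashes` if requirements.txt carries hashes. Since the step activates a pre-existing `~/.venv/ansible-collection-hardening` rather than creating one, this looks like a persistent self-hosted runner; running `pip install -r requirements.txt` on a `pull_request` trigger then writes a PR-controlled package set into that shared venv, which deserves either a per-run venv or a comment explaining why that is acceptable. The `|| true` on `vagrant box update` is unchanged and still hides a failed box download until the molecule step fails for an unrelated-looking reason.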
@@ -3,7 +3,7 @@ [![devsec.os_hardening](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/os_hardening.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/os_hardening.yml) [![devsec.os_hardening VM](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/os_hardening_vm.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/os_hardening_vm.yml) [![devsec.ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening.yml) -[![devsec.ssh_hardening BSD](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_bsd.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_bsd.yml) +[![devsec.ssh_hardening VM](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_vm.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_vm.yml) [![devsec.ssh_hardening with custom tests](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_custom_tests.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_custom_tests.yml) [![devsec.nginx_hardening](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/nginx_hardening.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/nginx_hardening.yml) [![devsec.mysql_hardening](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/mysql_hardening.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/mysql_hardening.yml) diff --git a/molecule/ssh_hardening/prepare.yml b/molecule/ssh_hardening/prepare.yml index 7d3b8c652..590736952 100644 
--- a/molecule/ssh_hardening/prepare.yml +++ b/molecule/ssh_hardening/prepare.yml @@ -12,27 +12,32 @@ ansible_python_interpreter: /usr/bin/python3 when: ansible_facts.distribution == 'Fedora' - - name: Install packages # noqa ignore-errors + - name: Install dnf packages # noqa ignore-errors ansible.builtin.dnf: name: - openssh-clients - openssh-server + state: present + update_cache: true + ignore_errors: true + + - name: Install libselinux-python # noqa ignore-errors + ansible.builtin.dnf: + name: - libselinux-python state: present update_cache: true ignore_errors: true - - name: Install packages # noqa ignore-errors + - name: Install procps-ng # noqa ignore-errors ansible.builtin.dnf: name: - - openssh-clients - - openssh-server - procps-ng state: present update_cache: true ignore_errors: true - - name: Install packages # noqa ignore-errors + - name: Install apt packages # noqa ignore-errors ansible.builtin.apt: name: - openssh-client @@ -47,7 +52,7 @@ changed_when: false when: ansible_facts.os_family == 'Suse' - - name: Install packages + - name: Install packages on SuSE community.general.zypper: name: - openssh diff --git a/molecule/ssh_hardening_custom_tests/prepare.yml b/molecule/ssh_hardening_custom_tests/prepare.yml index 83884dd47..08059c174 100644 --- a/molecule/ssh_hardening_custom_tests/prepare.yml +++ b/molecule/ssh_hardening_custom_tests/prepare.yml 
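Review bot: Each of the three dnf tasks still carries `ignore_errors: true` and has no `when:` condition, so on apt and zypper hosts the dnf module fails three times and is silenced three times, and a genuine failure to install `openssh-server` on Fedora is silenced as well, leaving converge and verify to run against a host without sshd. Splitting the install is reasonable so that a missing `libselinux-python` no longer blocks the openssh packages, but the OS dispatch should be explicit: add `when: ansible_facts.pkg_mgr == 'dnf'` (or an `os_family` check like the Suse task in the next hunk uses) to the three tasks and keep `ignore_errors: true` only on the `libselinux-python` task, where absence is expected. The `# noqa ignore-errors` suppression would then be needed on one task rather than three. The enclosing tasks list starts before this hunk.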
@@ -12,27 +12,32 @@ ansible_python_interpreter: /usr/bin/python3 when: ansible_facts.distribution == 'Fedora' - - name: Install packages # noqa ignore-errors + - name: Install dnf packages # noqa ignore-errors ansible.builtin.dnf: name: - openssh-clients - openssh-server + state: present + update_cache: true + ignore_errors: true + + - name: Install libselinux-python # noqa ignore-errors + ansible.builtin.dnf: + name: - libselinux-python state: present update_cache: true ignore_errors: true - - name: Install packages # noqa ignore-errors + - name: Install procps-ng # noqa ignore-errors ansible.builtin.dnf: name: - - openssh-clients - - openssh-server - procps-ng state: present update_cache: true ignore_errors: true - - name: Install packages # noqa ignore-errors + - name: Install apt packages # noqa ignore-errors ansible.builtin.apt: name: - openssh-client diff --git a/molecule/ssh_hardening_bsd/INSTALL.rst b/molecule/ssh_hardening_vm/INSTALL.rst similarity index 100% rename from molecule/ssh_hardening_bsd/INSTALL.rst rename to molecule/ssh_hardening_vm/INSTALL.rst diff --git a/molecule/ssh_hardening_bsd/converge.yml b/molecule/ssh_hardening_vm/converge.yml similarity index 100% rename from molecule/ssh_hardening_bsd/converge.yml rename to molecule/ssh_hardening_vm/converge.yml diff --git a/molecule/ssh_hardening_bsd/molecule.yml b/molecule/ssh_hardening_vm/molecule.yml similarity index 97% rename from molecule/ssh_hardening_bsd/molecule.yml rename to molecule/ssh_hardening_vm/molecule.yml index 2c98fd415..0d029f28e 100644 --- a/molecule/ssh_hardening_bsd/molecule.yml +++ b/molecule/ssh_hardening_vm/molecule.yml @@ -8,7 +8,7 @@ platforms: # since we also need to use different OS users to run the tests because of how molecule operates, # the VM names must be predictable by OS user (to clean up canceled runs) - name: ${USER} - box: generic/${MOLECULE_DISTRO} + box: ${MOLECULE_DISTRO} memory: 1024 cpus: 2 provisioner: 
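Review bot: The three dnf tasks here all keep `ignore_errors: true` without a `when:`, so a failed `openssh-server` install on Fedora is swallowed and on non-dnf hosts three errors are silenced on every run. Gate them with `when: ansible_facts.pkg_mgr == 'dnf'` and keep `ignore_errors: true` only on the `libselinux-python` task, where the package being unavailable is the expected case; the same applies to the identical change in molecule/ssh_hardening/prepare.yml. The enclosing tasks list starts before this hunk.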
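Review bot: `box: ${MOLECULE_DISTRO}` now takes the full box name from the environment but still pins no box version, and the workflow runs `vagrant box update` before every job, so each run tests against whatever the newest `generic/*` or `cloud-image/ubuntu-24.04` image on Vagrant Cloud happens to be, which makes results non-reproducible and trusts the publisher's latest upload on every scheduled run. Pin it with the vagrant driver's `box_version` platform key, e.g. `box_version: ${MOLECULE_BOX_VERSION}` fed from the matrix, or document in the comment block above the platform why floating to the latest box is intended. The `platforms` entry starts before this hunk.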
diff --git a/molecule/ssh_hardening_bsd/prepare.yml b/molecule/ssh_hardening_vm/prepare.yml similarity index 100% rename from molecule/ssh_hardening_bsd/prepare.yml rename to molecule/ssh_hardening_vm/prepare.yml diff --git a/molecule/ssh_hardening_bsd/verify.yml b/molecule/ssh_hardening_vm/verify.yml similarity index 94% rename from molecule/ssh_hardening_bsd/verify.yml rename to molecule/ssh_hardening_vm/verify.yml index 6566f6845..bc8f8527a 100644 --- a/molecule/ssh_hardening_bsd/verify.yml +++ b/molecule/ssh_hardening_vm/verify.yml @@ -36,7 +36,7 @@ ansible.builtin.command: > docker run --rm --volume {{ molecule_ephemeral_directory }}:{{ molecule_ephemeral_directory }} - --volume ./waivers_{{ lookup('env', 'MOLECULE_DISTRO') }}.yaml:/waivers.yaml + --volume ./waivers_{{ lookup('env', 'MOLECULE_DISTRO') | regex_replace('^.*/', '') }}.yaml:/waivers.yaml docker.io/cincproject/auditor exec --ssh-config-file={{ molecule_ephemeral_directory }}/ssh-config -t ssh://{{ lookup('env', 'USER') }} diff --git a/molecule/ssh_hardening_bsd/waivers_freebsd13.yaml b/molecule/ssh_hardening_vm/waivers_freebsd13.yaml similarity index 100% rename from molecule/ssh_hardening_bsd/waivers_freebsd13.yaml rename to molecule/ssh_hardening_vm/waivers_freebsd13.yaml diff --git a/molecule/ssh_hardening_bsd/waivers_freebsd14.yaml b/molecule/ssh_hardening_vm/waivers_freebsd14.yaml similarity index 100% rename from molecule/ssh_hardening_bsd/waivers_freebsd14.yaml rename to molecule/ssh_hardening_vm/waivers_freebsd14.yaml diff --git a/molecule/ssh_hardening_bsd/waivers_openbsd7.yaml b/molecule/ssh_hardening_vm/waivers_openbsd7.yaml similarity index 100% rename from molecule/ssh_hardening_bsd/waivers_openbsd7.yaml rename to molecule/ssh_hardening_vm/waivers_openbsd7.yaml diff --git a/molecule/ssh_hardening_vm/waivers_ubuntu-24.04.yaml b/molecule/ssh_hardening_vm/waivers_ubuntu-24.04.yaml new file mode 100644 index 000000000..3f7cf4c83 --- /dev/null 
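Review bot: `regex_replace('^.*/', '')` is a hand-rolled basename; Ansible's `basename` filter states the intent and gives the same result for `cloud-image/ubuntu-24.04` and `generic/openbsd7`, so `--volume ./waivers_{{ lookup('env', 'MOLECULE_DISTRO') | basename }}.yaml:/waivers.yaml` reads better. Note also that a typo in a new distro name, or an unset `MOLECULE_DISTRO` (which yields `./waivers_.yaml`), does not fail here: Docker's `-v` typically creates a missing bind source as an empty directory, so the audit would presumably run with no waivers and report unexpected failures rather than a clear error. A preceding `ansible.builtin.stat` on the waiver file with a `failed_when` would make that loud. The enclosing command task starts before this hunk.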
+++ b/molecule/ssh_hardening_vm/waivers_ubuntu-24.04.yaml @@ -0,0 +1,2 @@ +--- +{} \ No newline at end of file diff --git a/roles/ssh_hardening/README.md b/roles/ssh_hardening/README.md index e1b363470..6bc8a2a02 100644 --- a/roles/ssh_hardening/README.md +++ b/roles/ssh_hardening/README.md @@ -1,7 +1,7 @@ # dev-sec.ssh_hardening [![devsec.ssh_hardening](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening.yml) -[![devsec.ssh_hardening BSD](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_bsd.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_bsd.yml) +[![devsec.ssh_hardening VM](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_vm.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_vm.yml) [![devsec.ssh_hardening with custom tests](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_custom_tests.yml/badge.svg)](https://github.com/dev-sec/ansible-collection-hardening/actions/workflows/ssh_hardening_custom_tests.yml) ## Description