Update Profile to V1R6 #2

Merged
merged 100 commits into from
Dec 9, 2022
Commits
77a5062
fresh conversion of controls using new SV id
HackerShark Oct 31, 2022
3bafbd7
added logic from main branch
HackerShark Oct 31, 2022
943e355
fixing issues
HackerShark Nov 16, 2022
5ee89c0
uncommenting initial logic for SV-238198
HackerShark Nov 28, 2022
6b38fa9
changing logic to use grub config resource
HackerShark Nov 28, 2022
9fd9788
updating logic, putting quotes around numbers in case command line re…
HackerShark Nov 28, 2022
da7a4e8
developed new controls logic for new controls. Moved config files loc…
HackerShark Nov 30, 2022
ca28d42
added new inputs for controls
HackerShark Nov 30, 2022
14fb9a6
added new inputs for controls
HackerShark Nov 30, 2022
a0906a8
updating control logic to fix profile error
HackerShark Nov 30, 2022
3310f6e
removed miscellaneous character that was stopping control from running
HackerShark Nov 30, 2022
f4eea60
fixed typo
HackerShark Nov 30, 2022
7115042
updating README
HackerShark Nov 30, 2022
77ae270
fixed linting issues
HackerShark Nov 30, 2022
927e7c0
added containerized logic
HackerShark Dec 5, 2022
cac07d4
added fips logic and containerized logic, also updated inspec.yml and…
HackerShark Dec 5, 2022
af2fe01
Started adding test-kitchen testing
aaronlippold Dec 3, 2022
8519a92
updating gitignore to not upload pem files. Created github workflow f…
HackerShark Dec 5, 2022
3944bb1
commenting out vanilla logic until vanilla playbook is created
HackerShark Dec 5, 2022
c03c600
adding ec2 workflow
HackerShark Dec 5, 2022
901ad8f
updating yaml file extension to yml
HackerShark Dec 5, 2022
dee8f30
deleting old yaml file
HackerShark Dec 5, 2022
ef6a6b1
removing vanilla until vanilla playbook is created
HackerShark Dec 5, 2022
11051a9
fixing naming of json file
HackerShark Dec 5, 2022
1df7a74
fixing naming convention across the profile
HackerShark Dec 5, 2022
758fc80
fixing naming of json file
HackerShark Dec 5, 2022
4201537
fixing keys in ec2
HackerShark Dec 5, 2022
9bded4d
fixing ec2 connection issues
HackerShark Dec 5, 2022
2263dac
fixing kitchen issues
HackerShark Dec 5, 2022
b20c5c0
updating region to the secret
HackerShark Dec 5, 2022
0b40918
updating reporter for ec2
HackerShark Dec 5, 2022
e321f55
adding environment variable for region
HackerShark Dec 5, 2022
9105ff9
commenting out unneeded AWS vars; specifying the platform correctly
wdower Dec 5, 2022
7716645
Update verify-ec2.yml
wdower Dec 5, 2022
ab3a706
removed all reference to AWS_REGION to try and force kitchen to use t…
wdower Dec 5, 2022
919807a
adding in a reference to aws-region for the action to work
wdower Dec 5, 2022
d53cc57
testing vagrant image fix
HackerShark Dec 6, 2022
1963511
fixing kitchen files
HackerShark Dec 6, 2022
0c62662
updated preconverge in kitchen.ec2.yaml to install pip3
wdower Dec 6, 2022
6340d55
stripping whoami and adding more apt prep commands
wdower Dec 6, 2022
d03fc19
adding flags to apt prep commands so they won't hang in the pipeline …
wdower Dec 6, 2022
9fb116c
adding in skeleton for dokken testing
wdower Dec 6, 2022
f137102
fixing typo -- adding a file extension to the .github workflow file f…
wdower Dec 6, 2022
c9142b1
kitchen-docker ==> kitchen-dokken in Gemfile
wdower Dec 6, 2022
236a12d
adding custom reporter for the container tests
wdower Dec 6, 2022
d2aa816
refactoring container test workflow to locally build the hardened ima…
wdower Dec 6, 2022
898474c
adding cli output for containers and ec2 inspec runs
wdower Dec 6, 2022
2e03ce1
cleanup; moving the lifecycle step for docker build to inside the har…
wdower Dec 6, 2022
e585259
putting the artifact upload step into its own job to ensure it runs e…
wdower Dec 6, 2022
9ec783c
removed unnecessary lines from .gitignore, fixed spacing mistakes in …
wdower Dec 6, 2022
1392aad
made the artifact upload step depend on validate
wdower Dec 6, 2022
c531755
Updating profile.json in the repository
wdower Dec 6, 2022
1a53397
added clause to ensure that artifact upload job ALWAYS fires after th…
wdower Dec 6, 2022
a447190
linting fixes and captured some inputs as local vars to make them usa…
wdower Dec 6, 2022
0aa32db
adding debug statement to start of workflow for containers
wdower Dec 6, 2022
e4c21e7
Updating profile.json in the repository
wdower Dec 6, 2022
af2b492
more debug statements
wdower Dec 6, 2022
99ca1e7
moving the artifact upload step back into the main validate action
wdower Dec 6, 2022
6230a7a
removed debug statements
wdower Dec 6, 2022
aebc8b0
adding bash script to do container validation. could not take heat, h…
wdower Dec 7, 2022
f14fa3f
quick container testing on actions
aaronlippold Dec 7, 2022
4ff1f26
typo
aaronlippold Dec 7, 2022
ce016ea
typo2
aaronlippold Dec 7, 2022
9a53dab
typo3
aaronlippold Dec 7, 2022
838ecf9
syntax fix
aaronlippold Dec 7, 2022
a31da95
added the rest of the workflow
aaronlippold Dec 7, 2022
9af7e5e
fixed missing item in workflow task
aaronlippold Dec 7, 2022
b114d05
readded chef license accept
aaronlippold Dec 7, 2022
086e10c
fixed spelling on Chef License env var
aaronlippold Dec 7, 2022
1434479
fixed thresholds for containers and broke things out a bit
aaronlippold Dec 7, 2022
3c1c6d6
adding python3-pip dependency outside of kitchen files
wdower Dec 7, 2022
e8a103e
switching from apt to apt-get
wdower Dec 7, 2022
a26e8a6
working on ec2 testings
aaronlippold Dec 7, 2022
ebfe00d
removing build-essentials from the list
aaronlippold Dec 7, 2022
d73aea1
trying another method
aaronlippold Dec 7, 2022
4102a21
removed unneeded newlines, updated profile errors for now
aaronlippold Dec 8, 2022
18d8cf9
trying with apt vs apt-get
aaronlippold Dec 8, 2022
99156c1
typo
aaronlippold Dec 8, 2022
908ddcb
trying without the pip3 requirement
aaronlippold Dec 8, 2022
6c73fc5
moving away from pip to repo install
aaronlippold Dec 8, 2022
dbdf5c3
updated playbook for bug in conditional, added missing variable, mov…
aaronlippold Dec 8, 2022
1a5a5fc
updated the ansible verbosity to be less detailed
aaronlippold Dec 8, 2022
26a47c2
updated vanilla threshold to account for current errors
aaronlippold Dec 8, 2022
1b88b74
updated vagrant testing to only run on release
aaronlippold Dec 8, 2022
b921f19
ensured that all the kitchen files run as sudo, updated the FIPS con…
aaronlippold Dec 8, 2022
75fb020
Updating profile.json in the repository
aaronlippold Dec 8, 2022
5cd74e6
resolved all profile errors for ec2 and container, excluded a couple …
aaronlippold Dec 8, 2022
2909a91
Updating profile.json in the repository
aaronlippold Dec 8, 2022
bb1240d
added suggested fix to ansible, ran cookstyle -a. added fips awarenes…
aaronlippold Dec 9, 2022
adb6a47
Updating profile.json in the repository
aaronlippold Dec 9, 2022
6a7450e
fixed missing input defn
aaronlippold Dec 9, 2022
8f9d763
Updating profile.json in the repository
aaronlippold Dec 9, 2022
a4db7f1
updated local and github actions to create Markdown reports
aaronlippold Dec 9, 2022
1cd0822
debugging markdown report workflows
aaronlippold Dec 9, 2022
7f763a5
updated scripts to be less complicated
aaronlippold Dec 9, 2022
7ce7ece
started adding host, container tags
aaronlippold Dec 9, 2022
f9bf8a9
Updating profile.json in the repository
aaronlippold Dec 9, 2022
2ffc7f8
adding file that lists which controls are applicable and not applicab…
HackerShark Dec 9, 2022
fe4d577
Fixed issue #11 adding tags for host and container
HackerShark Dec 9, 2022
b434e90
Updating profile.json in the repository
HackerShark Dec 9, 2022
34 changes: 34 additions & 0 deletions .github/workflows/update-profile-json.yml
@@ -0,0 +1,34 @@
name: Update the Profile JSON

on:
pull_request:
branches: [ main ]

jobs:
my-job:
name: Update profile.json in the repository
runs-on: ubuntu-latest
env:
CHEF_LICENSE: accept-silent
steps:
- name: add needed packages
run: sudo apt-get install -y jq
- name: Check out repository
uses: actions/checkout@v2
with:
fetch-depth: 0
ref: ${{ github.head_ref }}
- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: '2.7'
- run: bundle install
- name: Regenerate current `profile.json`
run: |
bundle exec inspec json . | jq . > profile.json
- name: Update profile.json in the repository
uses: stefanzweifel/git-auto-commit-action@v4
with:
commit_user_name: GitHub Actions
commit_user_email: [email protected]
commit_message: 'Updating profile.json in the repository'
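Review bot: the job has no `permissions:` block, so the `stefanzweifel/git-auto-commit-action@v4` push step at the end of this hunk depends on whatever default token scope the repository grants; add a job-level `permissions: contents: write` so the write-back is explicit and the token carries nothing else. Two checks on the trigger in the same hunk: because it runs on `pull_request` and checks out `ref: ${{ github.head_ref }}`, PRs from forks receive a read-only token and the commit step will fail for them (either accept that or restrict the job to same-repo PRs with an `if:` on `github.event.pull_request.head.repo.full_name`), and the trigger must stay `pull_request` rather than `pull_request_target`, because the `bundle install` and `bundle exec inspec json .` steps execute code from the PR branch and would otherwise run with a write-capable token against the base repository.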
84 changes: 84 additions & 0 deletions .github/workflows/verify-container.yml
@@ -0,0 +1,84 @@
name: Container Testing Matrix

on:
push:
branches: [main]
pull_request:
branches: [main]

jobs:
validate:
name: Validate my Profile on Containers
runs-on: ubuntu-latest
env:
LC_ALL: "en_US.UTF-8"
VANILLA_IMAGE: "public.ecr.aws/lts/ubuntu:focal"
HARDENED_IMAGE: "canonical/ubuntu-pro-stig-20.04:latest"
CHEF_LICENSE: "accept-silent"
steps:
- name: add needed packages
run: sudo apt-get install -y jq
- name: Checkout InSpec profile repository
uses: actions/checkout@v2
- name: Clone full repository so we can push
run: git fetch --prune --unshallow
- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: "2.7"
- name: Disable ri and rdoc
run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc'
- name: Bundle install
run: bundle install
- name: Lint the Inspec profile
run: bundle exec inspec check .
- name: Build the Hardened Container
run: docker build https://repo1.dso.mil/dsop/canonical/ubuntu/ubuntu-pro-cis-stig-20.04.git\#development --tag $HARDENED_IMAGE
- name: Start the Vanilla Container
run: docker run -itd --rm --name vanilla-ubuntu $VANILLA_IMAGE
- name: Start the Hardened Container
run: docker run -itd --rm --name hardened-ubuntu $HARDENED_IMAGE
- name: Verify both our containers are running
run: docker ps -f name=-ubuntu
- name: Test Vanilla Container
run: inspec exec . --input-file=container.inputs.yml -t docker://vanilla-ubuntu --reporter cli json:vanilla.json || true
- name: Test Hardened Container
run: inspec exec . --input-file=container.inputs.yml -t docker://hardened-ubuntu --reporter cli json:hardened.json || true
- name: Display our Vanilla Summary
uses: mitre/saf_action@v1
with:
command_string: "view summary -i vanilla.json"
- name: Display our Hardened Summary
uses: mitre/saf_action@v1
with:
command_string: "view summary -i hardened.json"
- name: Ensure the scan meets our Vanilla results threshold
uses: mitre/saf_action@v1
with:
command_string: "validate threshold -i vanilla.json -F container.vanilla.threshold.yml"
- name: Ensure the scan meets our Hardened results threshold
uses: mitre/saf_action@v1
with:
command_string: "validate threshold -i hardened.json -F container.hardened.threshold.yml"
- name: Generate Vanilla Markdown Report
uses: mitre/saf_action@v1
with:
command_string: generate:threshold -i vanilla.json -c -o vanilla.md
- name: Generate Hardened Markdown Report
uses: mitre/saf_action@v1
with:
command_string: generate:threshold -i hardened.json -c -o hardened.md
- name: Amend Markdown Reports for readability
run: |
(echo '```yaml' && cat vanilla.md && echo '```') > vanilla-report.md
rm vanilla.md
(echo '```yaml' && cat hardened.md && echo '```') > hardened-report.md
rm hardened.md
- name: Save Test Result JSONs
if: ${{ always() }}
uses: actions/upload-artifact@v3
with:
path: |
vanilla.json
hardened.json
*-report.md
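Review bot: the `Build the Hardened Container` step builds from `https://repo1.dso.mil/dsop/canonical/ubuntu/ubuntu-pro-cis-stig-20.04.git\#development`, a moving branch on an external host, so the image under test changes from run to run and a failing or passing run cannot be reproduced later; pin the ref to a commit SHA (`docker build` accepts `repo.git#<sha>`) and bump it deliberately. Smaller points in the same hunk: `Test Vanilla Container` and `Test Hardened Container` call bare `inspec exec` while the lint step uses `bundle exec inspec check .`, so the tests may run a different InSpec than the one `bundle install` resolved, and `docker ps -f name=-ubuntu` only lists containers and never fails the job when one did not start, so with `|| true` on the exec steps the threshold check is the first real signal. The `Clone full repository so we can push` step is also left over here, since nothing in this workflow pushes.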
77 changes: 77 additions & 0 deletions .github/workflows/verify-ec2.yml
@@ -0,0 +1,77 @@
name: EC2 Testing Matrix

on:
push:
branches: [main]
pull_request:
branches: [main]

jobs:
validate:
name: Validate my profile
runs-on: ubuntu-latest
env:
CHEF_LICENSE: accept-silent
KITCHEN_LOCAL_YAML: kitchen.ec2.yml
LC_ALL: "en_US.UTF-8"
#AWS_REGION: 'us-east-1'
strategy:
matrix:
suite: ["hardened"]
fail-fast: false
steps:
- name: add needed packages
run: sudo apt-get install -y jq
- name: Configure AWS credentials
env:
AWS_SG_ID: ${{ secrets.SAF_AWS_SG_ID }}
AWS_SUBNET_ID: ${{ secrets.SAF_AWS_SUBNET_ID }}
#AWS_REGION: ${{ secrets.SAF_AWS_REGION }}
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.SAF_AWS_REGION }}
- name: Check out repository
uses: actions/checkout@v2
- name: Clone full repository so we can push
run: git fetch --prune --unshallow
- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: "2.7"
- name: Disable ri and rdoc
run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc'
- run: bundle install
- name: Regenerate current `profile.json`
run: |
bundle exec inspec json . | jq . > profile.json
- name: Lint the Inspec profile
run: bundle exec inspec check .
- name: Run kitchen test
run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true
- name: Display our ${{ matrix.suite }} results summary
uses: mitre/saf_action@v1
with:
command_string: "view summary -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json"
- name: Ensure the scan meets our ${{ matrix.suite }} results threshold
uses: mitre/saf_action@v1
with:
command_string: "validate threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml"
- name: Generate ${{ matrix.suite }} Markdown Report
uses: mitre/saf_action@v1
with:
command_string: generate:threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -c -o spec/results/ec2_ubuntu-2004_${{ matrix.suite }}-report.md
- name: Generate the ${{ matrix.suite }} Markdown Report
uses: mitre/saf_action@v1
with:
command_string: generate:threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -c -o spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.md
- name: Amend Markdown Reports for readability
run: |
(echo '```yaml' && cat spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.md && echo '```') > spec/results/ec2_ubuntu-2004_${{ matrix.suite }}-report.md
rm spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.md
- name: Save Test Result JSONs
if: ${{ always() }}
uses: actions/upload-artifact@v2
with:
path: spec/results/
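Review bot: `AWS_SG_ID` and `AWS_SUBNET_ID` are declared in the step-level `env:` of the `Configure AWS credentials` step, and step-level `env` is visible only to that step; `aws-actions/configure-aws-credentials@v1` does not read them, so by the time `bundle exec kitchen test` runs they are unset and `kitchen.ec2.yml` cannot pick them up if it expects them. Move both into the job-level `env:` next to `KITCHEN_LOCAL_YAML`. In the same hunk, the `Generate ${{ matrix.suite }} Markdown Report` step writes `..._${{ matrix.suite }}-report.md`, and the next two steps regenerate the report to `.md` and then overwrite `-report.md` from it, so the first generate step is dead work and can be dropped. Finally, this workflow runs on `pull_request` but needs `secrets.SAF_AWS_*`, which GitHub withholds from fork PRs, so the credentials step will fail for those; for same-repo PRs the long-lived access key is exposed to any code in the PR branch, so consider OIDC role assumption via `role-to-assume` (supported by the same action) with an explicit `permissions: id-token: write`.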
58 changes: 58 additions & 0 deletions .github/workflows/verify-vagrant.yml
@@ -0,0 +1,58 @@
name: Vagrant Testing Matrix
on:
release:
types: [published]

jobs:
validate:
name: Validate my profile
runs-on: macos-12
env:
CHEF_LICENSE: accept-silent
KITCHEN_LOCAL_YAML: kitchen.vagrant.yml
strategy:
matrix:
suite: ["hardened"]
fail-fast: false
steps:
- name: Add jq for output formatting
run: brew install jq
- name: Check out repository
uses: actions/checkout@v2
- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: "2.7"
- name: Disable ri and rdoc
run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc'
- name: ensure bundler up-to-date
run: gem install bundler
- run: bundle install
- name: Regenerate current `profile.json`
run: |
bundle exec inspec json . | jq . > profile.json
- name: Lint the Inspec profile
run: bundle exec inspec check .
- name: Run kitchen test
run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-ubuntu-2004 || true
- name: Display our ${{ matrix.suite }} results summary
uses: mitre/saf_action@v1
with:
command_string: "view summary -i spec/results/ubuntu-2004_${{ matrix.suite }}.json"
- name: Ensure the scan meets our ${{ matrix.suite }} results threshold
uses: mitre/saf_action@v1
with:
command_string: "validate threshold -i spec/results/ubuntu-2004_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml"
- name: Generate the ${{ matrix.suite }} Markdown Report
uses: mitre/saf_action@v1
with:
command_string: generate:threshold -i spec/results/ec2_ubuntu-2004_${{ matrix.suite }}.json -c -o spec/results/ec2_ubuntu-2004_${{ matrix.suite }}-report.md
- name: Amend the ${{ matrix.suite }} Markdown Report for readability
run: |
sed -i '' '1s/^/```yaml\'$'\n/' spec/results/ec2_ubuntu-2004_${{ matrix.suite }}-report.md
echo '```' | tee -a spec/results/ec2_ubuntu-2004_${{ matrix.suite }}-report.md
- name: Save Test Result JSONs
if: ${{ always() }}
uses: actions/upload-artifact@v2
with:
path: spec/results/
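Review bot: the result paths in this hunk disagree. `Display our ${{ matrix.suite }} results summary` and `Ensure the scan meets ...` read `spec/results/ubuntu-2004_${{ matrix.suite }}.json`, but `Generate the ${{ matrix.suite }} Markdown Report` and the `sed`/`tee` amend step use `spec/results/ec2_ubuntu-2004_${{ matrix.suite }}...`, which is the EC2 workflow's naming; on the vagrant run the report step has no input file to read and `tee -a` then creates an orphan `-report.md`. Use the `ubuntu-2004_` prefix throughout. The `sed -i '' ...` form is BSD sed and only works because the job runs on `macos-12`; the container and EC2 workflows use the `(echo ... && cat ... && echo ...)` subshell for the same purpose, which is portable and the simpler choice here too.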
13 changes: 1 addition & 12 deletions .gitignore
@@ -1,8 +1,4 @@
.*.sw?
**/inspec.lock
**/Puppetfile.lock
.yardoc
.beaker
dist/
sec_results/
pkg/
@@ -12,20 +8,13 @@ spec/rp_env/
.rspec_system/
.vagrant/
.bundle/
Gemfile.lock
vendor/
junit/
log/
doc/
.kitchen/
.tmp/
reports/
.github*
.gemrc
.rspec*
CHANGELOG
Puppet*
*.csv
_config*
inputs.nolong*
profile.json
*.pem
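Review bot: `*.pem` at the end of this hunk is the right addition given the key material test-kitchen uses for the EC2 and Vagrant suites, but a new ignore pattern does not untrack files already in history; confirm with `git ls-files '*.pem'` that nothing was committed before this change, and if something was, rotate it rather than only deleting it. Also confirm that `.github*` and `profile.json` are on the removed side of this hunk: the new workflows live under `.github/workflows/` and `update-profile-json.yml` commits `profile.json` back to the branch, neither of which works while those patterns are still in force.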