Modified the Kitchen CI config/inputs to point to latest AL2 ansible …

.github/workflows/update-profile-json.yml

@@ -20,7 +20,7 @@ jobs:
       - name: Setup Ruby
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '2.7'
+          ruby-version: "3.1"
       - run: bundle install
       - name: Regenerate current `profile.json`
         run: |
@@ -30,4 +30,4 @@ jobs:
         with:
           commit_user_name: GitHub Actions
           commit_user_email: [email protected]
-          commit_message: 'Updating profile.json in the repository'
+          commit_message: "Updating profile.json in the repository"

.github/workflows/verify-ec2.yml

@@ -2,7 +2,7 @@ name: EC2 Testing Matrix
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
 
 jobs:
@@ -12,10 +12,11 @@ jobs:
     env:
       CHEF_LICENSE: accept-silent
       KITCHEN_LOCAL_YAML: kitchen.ec2.yml
+      SUDO_PASSWD: ${{ secrets.SAF_SUDO_PASSWORD }}
       LC_ALL: "en_US.UTF-8"
     strategy:
       matrix:
-        suite: ['vanilla', 'hardened']
+        suite: ["vanilla", "hardened"]
       fail-fast: false
     steps:
       - name: add needed packages
@@ -24,7 +25,7 @@ jobs:
         env:
           AWS_SG_ID: ${{ secrets.SAF_AWS_SG_ID }}
           AWS_SUBNET_ID: ${{ secrets.SAF_AWS_SUBNET_ID }}
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }}
@@ -36,7 +37,7 @@ jobs:
       - name: Setup Ruby
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '2.7'
+          ruby-version: "3.1"
       - name: Disable ri and rdoc
         run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc'
       - run: bundle install
@@ -46,16 +47,19 @@ jobs:
       - name: Lint the Inspec profile
         run: bundle exec inspec check .
       - name: Run kitchen test
-        run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-rhel-7 || true
+        run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-amazon2 || true
+      - name: Show the 'spec/results'
+        run: |
+          ls -alh ./spec/results       
       - name: Save Test Result JSON
         uses: actions/upload-artifact@v3
         with:
-          path: spec/results/
-      - name: Display our ${{ matrix.suite }} results summary
+          path: spec/results/*.json
+      - name: Display our Amazon 2 ${{ matrix.suite }} Results Summary
         uses: mitre/saf_action@v1
         with:
-          command_string: 'view summary -i spec/results/ec2_rhel-7_${{ matrix.suite }}.json'
+          command_string: "view summary -i spec/results/ec2_amazon2_${{ matrix.suite }}.json"
       - name: Ensure the scan meets our ${{ matrix.suite }} results threshold
         uses: mitre/saf_action@v1
         with:
-          command_string: 'validate threshold -i spec/results/ec2_rhel-7_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml'
+          command_string: "validate threshold -i spec/results/ec2_amazon2_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml"

.github/workflows/verify-vagrant.yml → .github/workflows/verify-vagrant.txt

@@ -2,7 +2,7 @@ name: Vagrant Testing Matrix
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
 
 jobs:
@@ -13,9 +13,10 @@ jobs:
     env:
       CHEF_LICENSE: accept-silent
       KITCHEN_LOCAL_YAML: kitchen.vagrant.yml
+      SUDO_PASSWD: ${{ secrets.SAF_SUDO_PASSWORD }}
     strategy:
       matrix:
-        suite: ['vanilla', 'hardened']
+        suite: ["vanilla", "hardened"]
       fail-fast: false
     steps:
       - name: Add jq for output formatting
@@ -25,7 +26,7 @@ jobs:
       - name: Setup Ruby
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '2.7'
+          ruby-version: "3.1"
       - name: Disable ri and rdoc
         run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc'
       - name: ensure bundler up-to-date
@@ -37,16 +38,19 @@ jobs:
       - name: Lint the Inspec profile
         run: bundle exec inspec check .
       - name: Run kitchen test
-        run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-rhel-7 || true
+        run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-amazon2 || true
+      - name: Show the 'spec/results'
+        run: |
+          ls -alh ./spec/results  
       - name: Save Test Result JSON
         uses: actions/upload-artifact@v3
         with:
-          path: spec/results/
+          path: spec/results/*.json
       - name: Display our ${{ matrix.suite }} results summary
         uses: mitre/saf_action@v1
         with:
-          command_string: 'view summary -i spec/results/rhel-7_${{ matrix.suite }}.json'
+          command_string: "view summary -i spec/results/vagrant_amazon2_${{ matrix.suite }}.json"
       - name: Ensure the scan meets our ${{ matrix.suite }} results threshold
         uses: mitre/saf_action@v1
         with:
-          command_string: 'validate threshold -i spec/results/rhel-7_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml'
+          command_string: "validate threshold -i spec/results/vagrant_amazon2_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml"

.gitignore

@@ -26,7 +26,6 @@ doc/
 .librarian/
 .tmp/
 reports/
-.github*
 .fixtures*
 .gemrc
 .gitignore
@@ -38,4 +37,4 @@ Rake*
 _config*
 inputs.nolong*
 profile.json
-*.DS_Store
+*.DS_Store

Gemfile

@@ -3,7 +3,7 @@
 source 'https://rubygems.org'
 
 gem 'inspec-bin'
-gem 'inspec', '>=4.26'
+gem 'inspec', '5.22.36'
 gem 'kitchen-ec2'
 gem 'kitchen-inspec'
 gem 'kitchen-ansible'

README.md

@@ -9,6 +9,14 @@ __For the best security of the runner, always install on the runner the _latest
 
 Latest versions and installation options are available at the [InSpec](http://inspec.io/) site.
 
+### Sudo Password
+
+The hardening configures the system to require a sudo password.  You should set the sudo password you want via an Environment Variable as `SUDO_PASSWD` to test-kitchen can set it correctly. 
+
+The default is set to 'P@ssw0rd!' ***WHICH YOU NEED TO UPDATE***.
+
+The GitHub Actions Set the sudo password they use via a shared secret.
+
 ## Tailoring to Your Environment
 
 The following inputs may be configured in an inputs ".yml" file for the profile to run correctly for your specific environment. More information about InSpec inputs can be found in the [InSpec Profile Documentation](https://www.inspec.io/docs/reference/profiles/).

controls/AMZL-02-710343.rb

@@ -39,7 +39,7 @@
     end
   else
     describe command("grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d").stdout.strip do
-      it { should match /^[^#].*Defaults timestamp_timeout=\d/ }
+      it { should match /^[^#].*Defaults\s*timestamp_timeout=\d/ }
       it { should_not match /\n/ }
     end
   end

controls/AMZL-02-732000.rb

@@ -27,7 +27,7 @@
       describe service('nails') do
         it { should be_running }
       end
-      describe service('clamav-daemon.socket') do
+      describe service('[email protected]') do
         it { should be_running }
       end
       describe service('ds_agent') do

controls/AMZL-02-740100.rb

@@ -43,9 +43,9 @@
   tag 'host'
   tag 'container'
 
-  if input('firewall_application_package') != ''
+  if input('firewall_application_package')
     describe 'Manual review of third-party firewall needed' do
-      skip "A manual review of firewall application \'#{input('firewall_application_package')}\' is needed to determine if it is properly configured"
+      skip "A manual review of firewall application is needed to determine if it is properly configured"
     end
   else
 

controls/AMZL-02-740320.rb

@@ -47,8 +47,7 @@
     # convert it to an integer using to_i it will convert it to 0 and pass the
     # <= client_alive_interval check. However, the control as a whole will still fail.
     describe sshd_config do
-      its('ClientAliveInterval') { should be_between(1, input('client_alive_interval')) }
-      its('ClientAliveInterval') { should_not eq nil }
+      its('ClientAliveInterval.to_i') { should be_between(1, input('client_alive_interval')) }
     end
   end
 end

controls/AMZL-02-740500.rb

@@ -97,21 +97,26 @@
 
   if service('chronyd').installed?
     time_service = service('chronyd')
-    time_sources = ntp_conf('/etc/chrony.conf').server
+    time_sources = ntp_conf('/etc/chrony.d/link-local.sources').server
     if time_sources.nil?
       describe 'chronyd time sources list' do
         subject { time_sources }
         it { should_not be_nil }
       end
     else
-      max_poll_values = time_sources.map do |val|
-        if val.match?(/.*maxpoll.*/)
-          val.gsub(/.*maxpoll\s+(\d+)(\s+.*|$)/,
-                  '\1').to_i
-        else
-          99
-        end
-      end
+      # max_poll_values = time_sources.map do |val|
+      #   if val.match?(/.*maxpoll.*/)
+      #     val.gsub(/.*maxpoll\s+(\d+)(\s+.*|$)/,
+      #             '\1').to_i
+      #   else
+      #     99
+      #   end
+      # end
+      # max_poll_values = time_sources.match(/maxpoll\s+(\d+)/)[1].to_i
+      # max_poll_values = time_sources.findall(/maxpoll\s+(\d+)/).map {|x| x.to_i}
+      # max_poll_values = time_sources.scan(/maxpoll\s+(\d+)/).map {|x| x.to_i}
+      max_poll_values = time_sources.scan(/maxpoll\s+(\d+)/).map {|x| x[0].to_i}
+
 
       # All time sources must contain valid maxpoll entries
       describe 'chronyd maxpoll values (99=maxpoll absent)' do

inspec.yml

@@ -451,7 +451,7 @@ inputs:
   - name: firewall_application_package
     desc: "If a third-party firewall application is in use (other than firewalld or iptables), indicate the package name here. Otherwise, set this value to an empty string"
     type: String
-    value: ""
+    value: "3rd Party Firewall"
 
   - name: firewall_application_service
     desc: "If a third-party firewall application is in use (other than firewalld or iptables), indicate the service name here. Otherwise, set this value to an empty string"
@@ -564,7 +564,7 @@ inputs:
   - name: audit_remote_server
     desc: "Address of the remote server to which audit logs can be sent -- if left blank, control will check that any non-local server is in use"
     type: String
-    value: ""
+    value: "logcollector"
 
   - name: expected_disk_full_action
     desc: "Action that the server should take to preserve audit logs when the disk becomes full -- must be one of syslog, single, halt"

kitchen.ec2.yml

@@ -1,23 +1,20 @@
 ---
-platforms:
-  - name: rhel-7
-
 driver:
   name: ec2
-  aws_ssh_key_id: <%= ENV['AWS_SSH_KEY_ID'] %>
-  user_data: ./user_data.sh
-  tags:
-    POC: <%= ENV['POC_TAG'] %>
-  security_group_ids: <%= ENV['SECURITY_GROUP_IDS'] %>
-  region: <%= ENV['AWS_REGION'] %>
-  subnet_id: <%= ENV['SUBNET_ID'] %>
-  instance_type: t2.large
+  #aws_ssh_key_id: <%= ENV['AWS_SSH_KEY_ID'] %>
+  #user_data: ./user_data.sh
+  #tags:
+  #  POC: <%= ENV['POC_TAG'] %>
+  # security_group_ids: <%= ENV['SECURITY_GROUP_IDS'] %>
+  # region: <%= ENV['AWS_REGION'] %>
+  # subnet_id: <%= ENV['SUBNET_ID'] %>
+  # instance_type: t2.large
   associate_public_ip: true
 
 transport:
   name: ssh
-  username: <%= ENV['AWS_EC2_USER'] %>
-  ssh_key: <%= ENV['AWS_EC2_SSH_KEY'] %>
+  username: "ec2-user"
+  # ssh_key: <%= ENV['AWS_EC2_SSH_KEY'] %>
   connection_timeout: 10
   connection_retries: 5
 
@@ -31,17 +28,14 @@ verifier:
 lifecycle:
   post_create:
     - remote: |
-        sudo yum -y install python3-pip
-        sudo python3 -m pip install --upgrade pip
+        sudo yum -y install git python3-pip
+        sudo python3 -m pip install --user --upgrade pip
 
   pre_converge:
     - remote: |
+        echo 'updating the ec2-user password'
+        sudo chpasswd <<<"ec2-user:<%= ENV['SUDO_PASSWD'] || 'P@ssw0rd!' %>"
         echo "NOTICE - Updating the ec2-user to keep sudo working"
         sudo chage -d $(( $( date +%s ) / 86400 )) ec2-user
         echo "NOTICE - updating ec2-user sudo config"
         sudo chmod 600 /etc/sudoers && sudo sed -i'' "/ec2-user/d" /etc/sudoers && sudo chmod 400 /etc/sudoers
-
-transport:
-  name: ssh
-  #https://github.com/neillturner/kitchen-ansible/issues/295
-  max_ssh_sessions: 2

kitchen.vagrant.yml

@@ -16,19 +16,29 @@ driver:
       clipboard: "disabled"
 
 platforms:
-  - name: rhel-7
-
+  - name: amazon2
     driver:
       box: generic/centos7
 
+verifier:
+  input_files:
+    - ec2.inputs.yml
+  reporter:
+    - cli
+    - json:spec/results/vagrant_%{platform}_%{suite}.json
+
 lifecycle:
+  post_create:
+    - remote: |
+        sudo yum -y install git python3-pip
+        sudo python3 -m pip install --user --upgrade pip
   pre_converge:
     - remote: |
-        echo "NOTICE - Installing needed packages"
-        sudo yum install -y bc bind-utils redhat-lsb-core vim
+        echo 'updating the ec2-user password'
+        sudo chpasswd <<<"ec2-user:<%= ENV['SUDO_PASSWD'] || 'P@ssw0rd!' %>"
         echo "NOTICE - Updating the vagrant user to keep sudo working"
         sudo chage -d $(( $( date +%s ) / 86400 )) vagrant
         echo "NOTICE - Updating root passwd"
         echo 'password' | sudo passwd --stdin root
         echo "NOTICE - updating vagrant sudo config"
-        sudo chmod 600 /etc/sudoers && sudo sed -i'' "/vagrant/d" /etc/sudoers && sudo chmod 400 /etc/sudoers
+        sudo chmod 600 /etc/sudoers && sudo sed -i'' "/vagrant/d" /etc/sudoers && sudo chmod 400 /etc/sudoers

kitchen.yml

@@ -8,9 +8,15 @@ verifier:
   reporter:
     - cli
     - json:spec/results/%{platform}_%{suite}.json
+  input_files:
+    - ec2.inputs.yml
   inspec_tests:
-    - name: RedHat Enterprise Linux 7 STIG
+    - name: Amazon Linux 2 STIG
       path: .
+  <% if ENV['INSPEC_CONTROL'] %>
+  controls:
+    - "<%= ENV['INSPEC_CONTROL'] %>"
+  <% end %>
   load_plugins: true
 
 provisioner:
@@ -30,13 +36,18 @@ provisioner:
     - ANSIBLE_REMOTE_TEMP=$HOME/.ansible/tmp
 
 platforms:
-  - name: rhel-7
+  - name: amazon2
+  # - name: amazon2023
 
 suites:
   - name: vanilla
     provisioner:
-      playbook: spec/ansible/roles/ansible-role-rhel-vanilla.yml
-
+      playbook: spec/ansible/roles/ansible-role-al2-vanilla.yml
+    verifier:
+      sudo_password: <%= ENV['SUDO_PASSWD'] || 'P@ssw0rd!' %>
+
   - name: hardened
     provisioner:
-      playbook: spec/ansible/roles/ansible-role-rhel-hardened.yml
+      playbook: spec/ansible/roles/ansible-role-al2-hardened.yml
+    verifier:
+      sudo_password: <%= ENV['SUDO_PASSWD'] || 'P@ssw0rd!' %>