Fix for MITRE issue #13

.github/workflows/update-profile-json.yml

@@ -20,7 +20,7 @@ jobs:
       - name: Setup Ruby
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '2.7'
+          ruby-version: "3.1"
       - run: bundle install
       - name: Regenerate current `profile.json`
         run: |
@@ -30,4 +30,4 @@ jobs:
         with:
           commit_user_name: GitHub Actions
           commit_user_email: [email protected]
-          commit_message: 'Updating profile.json in the repository'
+          commit_message: "Updating profile.json in the repository"

.github/workflows/verify-ec2.yml

@@ -2,7 +2,7 @@ name: EC2 Testing Matrix
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
 
 jobs:
@@ -12,10 +12,11 @@ jobs:
     env:
       CHEF_LICENSE: accept-silent
       KITCHEN_LOCAL_YAML: kitchen.ec2.yml
+      SUDO_PASSWD: ${{ secrets.SAF_SUDO_PASSWORD }}
       LC_ALL: "en_US.UTF-8"
     strategy:
       matrix:
-        suite: ['vanilla', 'hardened']
+        suite: ["vanilla", "hardened"]
       fail-fast: false
     steps:
       - name: add needed packages
@@ -36,7 +37,7 @@ jobs:
       - name: Setup Ruby
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '2.7'
+          ruby-version: "3.1"
       - name: Disable ri and rdoc
         run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc'
       - run: bundle install
@@ -46,16 +47,19 @@ jobs:
       - name: Lint the Inspec profile
         run: bundle exec inspec check .
       - name: Run kitchen test
-        run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-rhel-7 || true
+        run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-amazon2 || true
+      - name: Show the 'spec/results'
+        run: |
+          ls -alh ./spec/results       
       - name: Save Test Result JSON
         uses: actions/upload-artifact@v3
         with:
-          path: spec/results/
-      - name: Display our ${{ matrix.suite }} results summary
+          path: spec/results/*.json
+      - name: Display our Amazon 2 ${{ matrix.suite }} Results Summary
         uses: mitre/saf_action@v1
         with:
-          command_string: 'view summary -i spec/results/ec2_rhel-7_${{ matrix.suite }}.json'
+          command_string: "view summary -i spec/results/ec2_amazon2_${{ matrix.suite }}.json"
       - name: Ensure the scan meets our ${{ matrix.suite }} results threshold
         uses: mitre/saf_action@v1
         with:
-          command_string: 'validate threshold -i spec/results/ec2_rhel-7_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml'
+          command_string: "validate threshold -i spec/results/ec2_amazon2_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml"

.github/workflows/verify-vagrant.yml → .github/workflows/verify-vagrant.txt

@@ -2,7 +2,7 @@ name: Vagrant Testing Matrix
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
 
 jobs:
@@ -13,9 +13,10 @@ jobs:
     env:
       CHEF_LICENSE: accept-silent
       KITCHEN_LOCAL_YAML: kitchen.vagrant.yml
+      SUDO_PASSWD: ${{ secrets.SAF_SUDO_PASSWORD }}
     strategy:
       matrix:
-        suite: ['vanilla', 'hardened']
+        suite: ["vanilla", "hardened"]
       fail-fast: false
     steps:
       - name: Add jq for output formatting
@@ -25,7 +26,7 @@ jobs:
       - name: Setup Ruby
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '2.7'
+          ruby-version: "3.1"
       - name: Disable ri and rdoc
         run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc'
       - name: ensure bundler up-to-date
@@ -37,16 +38,19 @@ jobs:
       - name: Lint the Inspec profile
         run: bundle exec inspec check .
       - name: Run kitchen test
-        run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-rhel-7 || true
+        run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-amazon2 || true
+      - name: Show the 'spec/results'
+        run: |
+          ls -alh ./spec/results  
       - name: Save Test Result JSON
         uses: actions/upload-artifact@v3
         with:
-          path: spec/results/
+          path: spec/results/*.json
       - name: Display our ${{ matrix.suite }} results summary
         uses: mitre/saf_action@v1
         with:
-          command_string: 'view summary -i spec/results/rhel-7_${{ matrix.suite }}.json'
+          command_string: "view summary -i spec/results/vagrant_amazon2_${{ matrix.suite }}.json"
       - name: Ensure the scan meets our ${{ matrix.suite }} results threshold
         uses: mitre/saf_action@v1
         with:
-          command_string: 'validate threshold -i spec/results/rhel-7_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml'
+          command_string: "validate threshold -i spec/results/vagrant_amazon2_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml"

Gemfile

@@ -3,7 +3,7 @@
 source 'https://rubygems.org'
 
 gem 'inspec-bin'
-gem 'inspec', '>=4.26'
+gem 'inspec', '5.22.36'
 gem 'kitchen-ec2'
 gem 'kitchen-inspec'
 gem 'kitchen-ansible'

README.md

@@ -9,6 +9,14 @@ __For the best security of the runner, always install on the runner the _latest
 
 Latest versions and installation options are available at the [InSpec](http://inspec.io/) site.
 
+### Sudo Password
+
+The hardening configures the system to require a sudo password.  You should set the sudo password you want via an Environment Variable as `SUDO_PASSWD` to test-kitchen can set it correctly. 
+
+The default is set to 'P@ssw0rd!' ***WHICH YOU NEED TO UPDATE***.
+
+The GitHub Actions Set the sudo password they use via a shared secret.
+
 ## Tailoring to Your Environment
 
 The following inputs may be configured in an inputs ".yml" file for the profile to run correctly for your specific environment. More information about InSpec inputs can be found in the [InSpec Profile Documentation](https://www.inspec.io/docs/reference/profiles/).

controls/AMZL-02-710343.rb

@@ -39,7 +39,7 @@
     end
   else
     describe command("grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d").stdout.strip do
-      it { should match /^[^#].*Defaults timestamp_timeout=\d/ }
+      it { should match /^[^#].*Defaults\s*timestamp_timeout=\d/ }
       it { should_not match /\n/ }
     end
   end

controls/AMZL-02-740320.rb

@@ -47,8 +47,7 @@
     # convert it to an integer using to_i it will convert it to 0 and pass the
     # <= client_alive_interval check. However, the control as a whole will still fail.
     describe sshd_config do
-      its('ClientAliveInterval') { should be_between(1, input('client_alive_interval')) }
-      its('ClientAliveInterval') { should_not eq nil }
+      its('ClientAliveInterval.to_i') { should be_between(1, input('client_alive_interval')) }
     end
   end
 end

kitchen.ec2.yml

@@ -1,23 +1,20 @@
 ---
-platforms:
-  - name: rhel-7
-
 driver:
   name: ec2
-  aws_ssh_key_id: <%= ENV['AWS_SSH_KEY_ID'] %>
-  user_data: ./user_data.sh
-  tags:
-    POC: <%= ENV['POC_TAG'] %>
-  security_group_ids: <%= ENV['SECURITY_GROUP_IDS'] %>
-  region: <%= ENV['AWS_REGION'] %>
-  subnet_id: <%= ENV['SUBNET_ID'] %>
-  instance_type: t2.large
+  #aws_ssh_key_id: <%= ENV['AWS_SSH_KEY_ID'] %>
+  #user_data: ./user_data.sh
+  #tags:
+  #  POC: <%= ENV['POC_TAG'] %>
+  # security_group_ids: <%= ENV['SECURITY_GROUP_IDS'] %>
+  # region: <%= ENV['AWS_REGION'] %>
+  # subnet_id: <%= ENV['SUBNET_ID'] %>
+  # instance_type: t2.large
   associate_public_ip: true
 
 transport:
   name: ssh
-  username: <%= ENV['AWS_EC2_USER'] %>
-  ssh_key: <%= ENV['AWS_EC2_SSH_KEY'] %>
+  username: "ec2-user"
+  # ssh_key: <%= ENV['AWS_EC2_SSH_KEY'] %>
   connection_timeout: 10
   connection_retries: 5
 
@@ -31,17 +28,14 @@ verifier:
 lifecycle:
   post_create:
     - remote: |
-        sudo yum -y install python3-pip
-        sudo python3 -m pip install --upgrade pip
+        sudo yum -y install git python3-pip
+        sudo python3 -m pip install --user --upgrade pip
 
   pre_converge:
     - remote: |
+        echo 'updating the ec2-user password'
+        sudo chpasswd <<<"ec2-user:<%= ENV['SUDO_PASSWD'] || 'P@ssw0rd!' %>"
         echo "NOTICE - Updating the ec2-user to keep sudo working"
         sudo chage -d $(( $( date +%s ) / 86400 )) ec2-user
         echo "NOTICE - updating ec2-user sudo config"
         sudo chmod 600 /etc/sudoers && sudo sed -i'' "/ec2-user/d" /etc/sudoers && sudo chmod 400 /etc/sudoers
-
-transport:
-  name: ssh
-  #https://github.com/neillturner/kitchen-ansible/issues/295
-  max_ssh_sessions: 2

kitchen.vagrant.yml

@@ -16,19 +16,29 @@ driver:
       clipboard: "disabled"
 
 platforms:
-  - name: rhel-7
-
+  - name: amazon2
     driver:
       box: generic/centos7
 
+verifier:
+  input_files:
+    - ec2.inputs.yml
+  reporter:
+    - cli
+    - json:spec/results/vagrant_%{platform}_%{suite}.json
+
 lifecycle:
+  post_create:
+    - remote: |
+        sudo yum -y install git python3-pip
+        sudo python3 -m pip install --user --upgrade pip
   pre_converge:
     - remote: |
-        echo "NOTICE - Installing needed packages"
-        sudo yum install -y bc bind-utils redhat-lsb-core vim
+        echo 'updating the ec2-user password'
+        sudo chpasswd <<<"ec2-user:<%= ENV['SUDO_PASSWD'] || 'P@ssw0rd!' %>"
         echo "NOTICE - Updating the vagrant user to keep sudo working"
         sudo chage -d $(( $( date +%s ) / 86400 )) vagrant
         echo "NOTICE - Updating root passwd"
         echo 'password' | sudo passwd --stdin root
         echo "NOTICE - updating vagrant sudo config"
-        sudo chmod 600 /etc/sudoers && sudo sed -i'' "/vagrant/d" /etc/sudoers && sudo chmod 400 /etc/sudoers
+        sudo chmod 600 /etc/sudoers && sudo sed -i'' "/vagrant/d" /etc/sudoers && sudo chmod 400 /etc/sudoers

kitchen.yml

@@ -8,9 +8,15 @@ verifier:
   reporter:
     - cli
     - json:spec/results/%{platform}_%{suite}.json
+  input_files:
+    - ec2.inputs.yml
   inspec_tests:
-    - name: RedHat Enterprise Linux 7 STIG
+    - name: Amazon Linux 2 STIG
       path: .
+  <% if ENV['INSPEC_CONTROL'] %>
+  controls:
+    - "<%= ENV['INSPEC_CONTROL'] %>"
+  <% end %>
   load_plugins: true
 
 provisioner:
@@ -30,13 +36,18 @@ provisioner:
     - ANSIBLE_REMOTE_TEMP=$HOME/.ansible/tmp
 
 platforms:
-  - name: rhel-7
+  - name: amazon2
+  # - name: amazon2023
 
 suites:
   - name: vanilla
     provisioner:
-      playbook: spec/ansible/roles/ansible-role-rhel-vanilla.yml
-
+      playbook: spec/ansible/roles/ansible-role-al2-vanilla.yml
+    verifier:
+      sudo_password: <%= ENV['SUDO_PASSWD'] || 'P@ssw0rd!' %>
+
   - name: hardened
     provisioner:
-      playbook: spec/ansible/roles/ansible-role-rhel-hardened.yml
+      playbook: spec/ansible/roles/ansible-role-al2-hardened.yml
+    verifier:
+      sudo_password: <%= ENV['SUDO_PASSWD'] || 'P@ssw0rd!' %>

spec/ansible/roles/ansible-role-al2-hardened.yml

@@ -0,0 +1,23 @@
+---
+- hosts:
+    - localhost
+  roles:
+    - roles/ansible-role-al2-vanilla
+    - roles/al2STIG
+  serial: 50
+  become: yes
+  vars:
+    # al2stig_bootloader_password_hash: 'changethispassword'
+    # al2stig_using_password_auth: false
+    DISA_STIG_AMZL_02_020022: false
+  tasks:
+  - name: Call the handler to reload audit rules
+    debug:
+      msg: 'reload audit rules'
+    changed_when: true
+    notify: reload audit rules  # Notify the handler
+
+  handlers:
+    - name: reload audit rules
+      become: yes
+      shell: "augenrules --load"

spec/ansible/roles/ansible-role-al2-vanilla.yml

@@ -0,0 +1,7 @@
+---
+- hosts:
+    - localhost
+  roles:
+    - roles/ansible-role-al2-vanilla
+  serial: 50
+  become: yes

spec/ansible/roles/ansible-role-al2-vanilla/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+# defaults file for ansible-role-al2-stig-vanilla
+ansible_python_interpreter: /usr/bin/python3

spec/ansible/roles/ansible-role-al2-vanilla/meta/main.yml

@@ -0,0 +1,12 @@
+galaxy_info:
+  author: Sai Pavan Marlakunta
+  description: Ansible Role for AL2 Vanilla install
+  company: MITRE
+  license: license Apache-2.0
+
+  min_ansible_version: "2.1"
+
+  platforms:
+    - name: Amazon Linux
+      versions:
+        - "2"

spec/ansible/roles/ansible-role-rhel-vanilla/tasks/_packages.yml → spec/ansible/roles/ansible-role-al2-vanilla/tasks/_packages.yml

@@ -1,20 +1,20 @@
 ---
 - name: Upgrade all packages
-  yum:
-    name: '*'
+  ansible.builtin.yum:
+    name: "*"
     state: latest
 - name: Install required packages via yum
-  yum:
+  ansible.builtin.yum:
     name:
       - vim
       - bc
+      - git
     state: latest
 
 - name: Install required packages via pip
-  pip:
+  ansible.builtin.pip:
     name:
       - jmespath
     state: latest
   tags:
     - pip-task
-

spec/ansible/roles/ansible-role-al2-vanilla/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Include sub-tasks
+  ansible.builtin.include_tasks: "{{ item }}"
+  with_first_found:
+    - files:
+        - _packages.yml
+        - _config.yml
+      skip: true
+
+# https://stackoverflow.com/questions/28119521/ansible-include-task-only-if-file-exists

spec/ansible/roles/ansible-role-rhel-vanilla/tests/test.yml → spec/ansible/roles/ansible-role-al2-vanilla/tests/test.yml

@@ -2,4 +2,4 @@
 - hosts: localhost
   remote_user: root
   roles:
-    - ansible-role-rhel-stig-vanilla
+    - ansible-role-al2-stig-vanilla