Skip to content

Commit

Permalink
Merge pull request #13 from mitre/ec2-pipeline-refactor
Browse files Browse the repository at this point in the history 
Ec2 pipeline refactor
  • Loading branch information
@wdower
wdower authored Mar 27, 2024
2 parents 9d642cf + 7ac6e13 commit df91b21
Show file tree
Hide file tree
Showing 16 changed files with 241 additions and 42 deletions.
9 changes: 4 additions & 5 deletions .github/workflows/lint-profile.yml
View file
Original file line number Diff line number Diff line change
@@ -1,11 +1,10 @@
name: Lint & Check the Profile

on:
workflow_dispatch:
# push:
# branches-ignore:
# - none
# pull_request:
push:
branches-ignore:
- none
pull_request:

jobs:
validate:
Expand Down
15 changes: 7 additions & 8 deletions .github/workflows/verify-container.yml
View file
Original file line number Diff line number Diff line change
@@ -1,11 +1,10 @@
name: UBI8 Testing Matrix

on:
workflow_dispatch:
# push:
# branches-ignore:
# - none
# pull_request:
push:
branches-ignore:
- none
pull_request:

jobs:
validate:
Expand Down Expand Up @@ -78,7 +77,7 @@ jobs:
- name: Create our ${{ matrix.suite }} results summary
continue-on-error: true
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/[email protected].0
uses: mitre/[email protected].2
with:
command_string: "view summary -j -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -o spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json"

Expand All @@ -97,7 +96,7 @@ jobs:
- name: Display our ${{ matrix.suite }} results summary
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/[email protected].0
uses: mitre/[email protected].2
with:
command_string: "view summary -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json"

Expand All @@ -110,6 +109,6 @@ jobs:
- name: Ensure the scan meets our ${{ matrix.suite }} results threshold ${{ env.PLATFORM }}_${{ matrix.suite }}.threshold.yml
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/[email protected].0
uses: mitre/[email protected].2
with:
command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ${{ env.PLATFORM }}_${{ matrix.suite }}.threshold.yml"
17 changes: 9 additions & 8 deletions .github/workflows/verify-disa-hardened-ec2.yml
View file
Original file line number Diff line number Diff line change
@@ -1,11 +1,10 @@
name: DISA Hardened EC2 Testing Matrix

on:
workflow_dispatch:
# push:
# branches-ignore:
# - none
# pull_request:
push:
branches-ignore:
- none
pull_request:

jobs:
validate:
Expand All @@ -15,6 +14,8 @@ jobs:
CHEF_LICENSE: accept-silent
CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}
KITCHEN_LOCAL_YAML: kitchen.disa.ec2.yml
SAF_PIPELINE_SUBNET: ${{ secrets.SAF_PIPELINE_SUBNET }}
SAF_PIPELINE_SG: ${{ secrets.SAF_PIPELINE_SG }}
PLATFORM: 'rhel-8'
LC_ALL: "en_US.UTF-8"
strategy:
Expand Down Expand Up @@ -75,7 +76,7 @@ jobs:

- name: Create our ${{ matrix.suite }} results summary
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/[email protected].0
uses: mitre/[email protected].2
with:
command_string: "view summary -j -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -o spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json"

Expand All @@ -94,7 +95,7 @@ jobs:
- name: Display our ${{ matrix.suite }} results summary
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/[email protected].0
uses: mitre/[email protected].2
with:
command_string: "view summary -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json"

Expand All @@ -107,6 +108,6 @@ jobs:
- name: Ensure the scan meets our ${{ matrix.suite }} results threshold
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/[email protected].0
uses: mitre/[email protected].2
with:
command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml"
21 changes: 11 additions & 10 deletions .github/workflows/verify-ec2.yml
View file
Original file line number Diff line number Diff line change
@@ -1,11 +1,10 @@
name: EC2 Testing Matrix

on:
workflow_dispatch:
# push:
# branches-ignore:
# - none
# pull_request:
push:
branches-ignore:
- none
pull_request:

jobs:
validate:
Expand All @@ -15,6 +14,8 @@ jobs:
CHEF_LICENSE: accept-silent
CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}
KITCHEN_LOCAL_YAML: kitchen.ec2.yml
SAF_PIPELINE_SUBNET: ${{ secrets.SAF_PIPELINE_SUBNET }}
SAF_PIPELINE_SG: ${{ secrets.SAF_PIPELINE_SG }}
PLATFORM: 'rhel-8'
LC_ALL: "en_US.UTF-8"
strategy:
Expand All @@ -28,8 +29,8 @@ jobs:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.SAF_AWS_REGION }}

- name: Check out repository
Expand Down Expand Up @@ -76,7 +77,7 @@ jobs:
- name: Save our ${{ matrix.suite }} results summary
continue-on-error: true
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/[email protected].0
uses: mitre/[email protected].2
with:
command_string: "view summary -j -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -o spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json"

Expand All @@ -95,7 +96,7 @@ jobs:
- name: Display our ${{ matrix.suite }} results summary
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/[email protected].0
uses: mitre/[email protected].2
with:
command_string: "view summary -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json"

Expand All @@ -108,6 +109,6 @@ jobs:
- name: Ensure the scan meets our ${{ matrix.suite }} results threshold
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/[email protected].0
uses: mitre/[email protected].2
with:
command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml"
113 changes: 113 additions & 0 deletions .github/workflows/verify-rhel-official-hardened-ec2.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,113 @@
name: RHEL-Official Hardened EC2 Testing Matrix

on:
push:
branches-ignore:
- none
pull_request:

jobs:
validate:
name: Validate my profile
runs-on: ubuntu-latest
env:
CHEF_LICENSE: accept-silent
CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}
KITCHEN_LOCAL_YAML: kitchen.rhel-official-role.ec2.yml
SAF_PIPELINE_SUBNET: ${{ secrets.SAF_PIPELINE_SUBNET }}
SAF_PIPELINE_SG: ${{ secrets.SAF_PIPELINE_SG }}
PLATFORM: 'rhel-8'
LC_ALL: "en_US.UTF-8"
strategy:
matrix:
suite: ["rhel-official-role-hardened"]
fail-fast: false
steps:
- name: add needed packages
run: sudo apt-get install -y jq

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1

- name: Check out repository
uses: actions/checkout@v4

- name: Clone full repository so we can push
run: git fetch --prune --unshallow

- name: Set short git commit SHA
id: vars
run: |
calculatedSha=$(git rev-parse --short ${{ github.sha }})
echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV
- name: Confirm git commit SHA output
run: echo ${{ env.COMMIT_SHORT_SHA }}

- name: Get commit message
id: commit
run: echo "::set-output name=message::$(git log --format=%B -n 1 ${{ github.sha }})"

- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
ruby-version: "3.1"

- name: Disable ri and rdoc
run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc'

- name: Run Bundle Install
run: bundle install

- name: Installed Inspec
run: bundle exec inspec version

- name: Vendor the Profile
run: bundle exec inspec vendor . --overwrite

- name: Run kitchen test
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
continue-on-error: true
run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-${{ env.PLATFORM }}

- name: Create our ${{ matrix.suite }} results summary
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/[email protected]
with:
command_string: "view summary -j -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -o spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json"

- name: Save Test Result JSON
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: actions/upload-artifact@v3
with:
name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results
path: spec/results/

- name: Upload ${{ matrix.suite }} to Heimdall
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
continue-on-error: true
run: |
curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }},'Supplemental Automation Content v1r12'" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_GROUP_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations"
- name: Display our ${{ matrix.suite }} results summary
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/[email protected]
with:
command_string: "view summary -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json"

- name: Generate Markdown Summary
continue-on-error: true
id: generate-summary
run: |
cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json | python markdown-summary.py > spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md
cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md >> $GITHUB_STEP_SUMMARY
- name: Ensure the scan meets our ${{ matrix.suite }} results threshold
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/[email protected]
with:
command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml"
7 changes: 3 additions & 4 deletions kitchen.disa.ec2.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,13 @@ platforms:

driver:
name: ec2
# subnet_filter:
# tag: 'Default'
# value: '*public*'
subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %>
security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %>
metadata_options:
http_tokens: required
http_put_response_hop_limit: 1
instance_metadata_tags: enabled
instance_type: t2.micro
instance_type: t2.small
associate_public_ip: true
interface: public
skip_cost_warning: true
Expand Down
7 changes: 3 additions & 4 deletions kitchen.ec2.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,13 @@ platforms:

driver:
name: ec2
# subnet_filter:
# tag: 'Default'
# value: '*public*'
subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %>
security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %>
metadata_options:
http_tokens: required
http_put_response_hop_limit: 1
instance_metadata_tags: enabled
instance_type: t2.micro
instance_type: t2.small
associate_public_ip: true
interface: public
skip_cost_warning: true
Expand Down
71 changes: 71 additions & 0 deletions kitchen.rhel-official-role.ec2.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
---
platforms:
- name: rhel-8

driver:
name: ec2
subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %>
security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %>
metadata_options:
http_tokens: required
http_put_response_hop_limit: 1
instance_metadata_tags: enabled
instance_type: t2.small
associate_public_ip: true
interface: public
skip_cost_warning: true
privileged: true
instance_initiated_shutdown_behavior: terminate

provisioner:
name: ansible_playbook
hosts: all
require_chef_for_busser: false
require_ruby_for_busser: false
ansible_binary_path: /usr/local/bin
# require_pip3: true
ansible_verbose: true
roles_path: spec/ansible/roles
galaxy_ignore_certs: true
requirements_path: spec/ansible/roles/requirements.yml
requirements_collection_path: spec/ansible/roles/requirements.yml
ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %>

suites:
- name: rhel-official-role-hardened
provisioner:
playbook: spec/ansible/roles/ansible-role-rhel-official-hardened.yml
driver:
tags:
Name: RHEL-Official-Hardened-<%= ENV['USER'] %>
CreatedBy: test-kitchen

lifecycle:
pre_converge:
- remote: |
# echo "+++ Refreshing DNF package cache +++"
# sudo dnf -y clean all
echo ""
echo "+++ Updating DNF Packages +++"
sudo dnf -y update --nogpgcheck --nobest
echo ""
echo "+++ Installing needed packages for workflow and utility +++\n\n"
sudo dnf -y install --nogpgcheck bc bind-utils redhat-lsb-core vim git wget gcc openssl-devel libffi-devel bzip2-devel
echo ""
echo "+++ Installing Python 3.9 and Ansible +++\n\n"
export PATH=/usr/local/bin:$PATH
sudo dnf -y install python3.9
sudo dnf -y install python3-pip
sudo update-alternatives --set python3 /usr/bin/python3.9
sudo python3 -m pip install ansible jmespath
echo ""
echo "+++ Updating the ec2-user to keep sudo working after hardening phase +++\n\n"
sudo chage -d $(( $( date +%s ) / 86400 )) ec2-user
echo ""
echo "+++ updating ec2-user sudo config for hardening phase +++\n\n"
sudo chmod 600 /etc/sudoers && sudo sed -i'' "/ec2-user/d" /etc/sudoers && sudo chmod 400 /etc/sudoers
#https://github.com/neillturner/kitchen-ansible/issues/295
transport:
name: ssh
max_ssh_sessions: 2
5 changes: 5 additions & 0 deletions rhel-official-role-hardened.threshold.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
compliance:
min: 64
error:
total:
max: 0
Loading

0 comments on commit df91b21

Please sign in to comment.