From 411c6dc518e0d2fd1344bdc4cce40c2d29f5f144 Mon Sep 17 00:00:00 2001 From: wdower Date: Mon, 25 Mar 2024 10:35:09 -0400 Subject: [PATCH 01/25] restricting kitchen ec2 behavior -- adding vars to use specifc subnet and security group IDs, removing public IP setting (so it will default to using private IPs) Signed-off-by: wdower --- kitchen.disa.ec2.yml | 7 ++----- kitchen.ec2.yml | 7 ++----- 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/kitchen.disa.ec2.yml b/kitchen.disa.ec2.yml index 72ead7c5..1051d175 100644 --- a/kitchen.disa.ec2.yml +++ b/kitchen.disa.ec2.yml @@ -4,16 +4,13 @@ platforms: driver: name: ec2 - # subnet_filter: - # tag: 'Default' - # value: '*public*' + subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> + security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> metadata_options: http_tokens: required http_put_response_hop_limit: 1 instance_metadata_tags: enabled instance_type: t2.micro - associate_public_ip: true - interface: public skip_cost_warning: true privileged: true instance_initiated_shutdown_behavior: terminate diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 0a018f9f..ad40b2a5 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -4,16 +4,13 @@ platforms: driver: name: ec2 - # subnet_filter: - # tag: 'Default' - # value: '*public*' + subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> + security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> metadata_options: http_tokens: required http_put_response_hop_limit: 1 instance_metadata_tags: enabled instance_type: t2.micro - associate_public_ip: true - interface: public skip_cost_warning: true privileged: true instance_initiated_shutdown_behavior: terminate From 92a5dc7e00d657f046182bcb926b2676ec24d25b Mon Sep 17 00:00:00 2001 From: wdower Date: Mon, 25 Mar 2024 10:52:54 -0400 Subject: [PATCH 02/25] adding pipeline envars to github workflows Signed-off-by: wdower --- .github/workflows/verify-disa-hardened-ec2.yml | 2 ++ .github/workflows/verify-ec2.yml | 2 ++ 2 files changed, 4 insertions(+) 
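Review bot: An unset `SAF_PIPELINE_SUBNET` or `SAF_PIPELINE_SG` renders `subnet_id: ` with no value, which YAML reads as null, and the driver then presumably falls back to its default subnet and security group, silently undoing the restriction this commit introduces. Failing fast is safer: `subnet_id: "<%= ENV.fetch('SAF_PIPELINE_SUBNET') %>"` and `security_group_ids: "<%= ENV.fetch('SAF_PIPELINE_SG') %>"` raise at render time instead of producing a null. The same applies to the identical hunk in kitchen.ec2.yml in this commit. Whether `security_group_ids` accepts a plain string rather than a list depends on the driver; if more than one ID is ever needed the value should be written as a YAML sequence.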
diff --git a/.github/workflows/verify-disa-hardened-ec2.yml b/.github/workflows/verify-disa-hardened-ec2.yml index 148ef727..223f619c 100644 --- a/.github/workflows/verify-disa-hardened-ec2.yml +++ b/.github/workflows/verify-disa-hardened-ec2.yml @@ -15,6 +15,8 @@ jobs: CHEF_LICENSE: accept-silent CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }} KITCHEN_LOCAL_YAML: kitchen.disa.ec2.yml + SAF_PIPELINE_SUBNET: ${{ secrets.SAF_PIPELINE_SUBNET }} + SAF_PIPELINE_SG: ${{ secrets.SAF_PIPELINE_SG }} PLATFORM: 'rhel-8' LC_ALL: "en_US.UTF-8" strategy: diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index ee2c104e..8702578e 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -15,6 +15,8 @@ jobs: CHEF_LICENSE: accept-silent CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }} KITCHEN_LOCAL_YAML: kitchen.ec2.yml + SAF_PIPELINE_SUBNET: ${{ secrets.SAF_PIPELINE_SUBNET }} + SAF_PIPELINE_SG: ${{ secrets.SAF_PIPELINE_SG }} PLATFORM: 'rhel-8' LC_ALL: "en_US.UTF-8" strategy: From d34fd5c1d8e3ce7e7abf8599f8f802cd024faeaf Mon Sep 17 00:00:00 2001 From: wdower Date: Mon, 25 Mar 2024 10:59:22 -0400 Subject: [PATCH 03/25] using the right AWS credential vars Signed-off-by: wdower --- .github/workflows/verify-ec2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index 8702578e..f76e11ca 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -30,8 +30,8 @@ jobs: - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }} aws-region: ${{ secrets.SAF_AWS_REGION }} - name: Check out repository 
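Review bot: The new `SAF_PIPELINE_SUBNET` and `SAF_PIPELINE_SG` entries go into the job-level `env`, so they (like the existing `CHEF_LICENSE_KEY`) end up in the process environment of every step, including the third-party actions the job runs, although only the kitchen step (outside this hunk) consumes them. A step-level `env:` on the `Run kitchen test` step keeps the exposure to where it is needed. Subnet and security-group IDs are configuration rather than credentials, and storing them as secrets also makes GitHub mask them in logs, which hides useful detail in kitchen diagnostics; repository variables (`vars.`) would be the better home. The same applies to the verify-ec2.yml hunk in this commit.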
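Review bot: The credential step still relies on long-lived static keys (`SAF_AWS_ACCESS_KEY_ID` / `SAF_AWS_SECRET_ACCESS_KEY`) stored as repository secrets; `aws-actions/configure-aws-credentials@v4` supports OIDC federation via `role-to-assume` together with a job-level `permissions: id-token: write`, which issues short-lived credentials and removes the keys from the secret store entirely. If static keys must stay, the IAM policy behind them should be limited to the EC2 actions kitchen needs in the pipeline subnet. The `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` secrets this hunk stops using should be deleted or rotated rather than left in place.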
From 40de6aac153554ec3a6820e9f1c1f8e794872432 Mon Sep 17 00:00:00 2001 From: wdower Date: Mon, 25 Mar 2024 11:23:53 -0400 Subject: [PATCH 04/25] explicitly using us-east-1 Signed-off-by: wdower --- .github/workflows/verify-ec2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index f76e11ca..b7b37b05 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -32,7 +32,7 @@ jobs: with: aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.SAF_AWS_REGION }} + aws-region: us-east-1 - name: Check out repository uses: actions/checkout@v4 From 012feac46dc30230f7dfa7a51ee660a933fc2f4f Mon Sep 17 00:00:00 2001 From: wdower Date: Mon, 25 Mar 2024 11:29:21 -0400 Subject: [PATCH 05/25] explicitly setting correct region and availability zone in kitchen Signed-off-by: wdower --- kitchen.ec2.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index ad40b2a5..a498d1f6 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -6,6 +6,8 @@ driver: name: ec2 subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> + region: us-east-1 + availability_zone: a metadata_options: http_tokens: required http_put_response_hop_limit: 1 From 33dbb64889275224182685f2111424564b500abf Mon Sep 17 00:00:00 2001 From: wdower Date: Mon, 25 Mar 2024 11:33:40 -0400 Subject: [PATCH 06/25] removing explicit region setting Signed-off-by: wdower --- .github/workflows/verify-ec2.yml | 6 +++--- kitchen.ec2.yml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index b7b37b05..d9da2c22 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml 
@@ -30,9 +30,9 @@ jobs: - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }} - aws-region: us-east-1 + aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID_2 }} + aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY_2 }} + #aws-region: us-east-1 - name: Check out repository uses: actions/checkout@v4 diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index a498d1f6..4693b389 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -6,8 +6,8 @@ driver: name: ec2 subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> - region: us-east-1 - availability_zone: a + #region: us-east-1 + #availability_zone: a metadata_options: http_tokens: required http_put_response_hop_limit: 1 From c01ccd976965603d0665515eefc8add6dd9c0d17 Mon Sep 17 00:00:00 2001 From: wdower Date: Mon, 25 Mar 2024 11:37:13 -0400 Subject: [PATCH 07/25] re-adding the region to the github workflow file, since apparently that one actually is a requirement Signed-off-by: wdower --- .github/workflows/verify-ec2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index d9da2c22..2ac7745f 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -32,7 +32,7 @@ jobs: with: aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID_2 }} aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY_2 }} - #aws-region: us-east-1 + aws-region: ${{ secrets.SAF_AWS_REGION }} - name: Check out repository uses: actions/checkout@v4 From e64e953b7cbfa5f0663417bd0531d37e6976907d Mon Sep 17 00:00:00 2001 From: wdower Date: Mon, 25 Mar 2024 12:49:50 -0400 Subject: [PATCH 08/25] bumping saf_action version so it uses node20 
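Review bot: The workflow hunk switches to a second set of static keys (`SAF_AWS_ACCESS_KEY_ID_2` / `SAF_AWS_SECRET_ACCESS_KEY_2`) while the commit message only mentions removing the region; a credential change should be called out, and the now-unused first set should be removed from the secret store or rotated so that two active key pairs are not kept for one pipeline. `#aws-region: us-east-1` here and the `#region:` / `#availability_zone:` lines in the kitchen.ec2.yml hunk are commented-out configuration rather than comments; delete them (git history keeps the values), or if they must stay, write them as `# region: us-east-1` per yamllint's comment rule.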
Signed-off-by: wdower --- .github/workflows/verify-ec2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index 2ac7745f..26b2c19d 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -97,7 +97,7 @@ jobs: - name: Display our ${{ matrix.suite }} results summary if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} - uses: mitre/saf_action@v1.5.0 + uses: mitre/saf_action@v1.5.2 with: command_string: "view summary -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json" From 381d9e075fdad81165e4454b6f95f5cc99e254e7 Mon Sep 17 00:00:00 2001 From: wdower Date: Mon, 25 Mar 2024 12:58:16 -0400 Subject: [PATCH 09/25] adding back in the public IP settings for ec2 This reverts commit 411c6dc518e0d2fd1344bdc4cce40c2d29f5f144. --- kitchen.disa.ec2.yml | 7 +++++-- kitchen.ec2.yml | 8 ++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/kitchen.disa.ec2.yml b/kitchen.disa.ec2.yml index 1051d175..72ead7c5 100644 --- a/kitchen.disa.ec2.yml +++ b/kitchen.disa.ec2.yml @@ -4,13 +4,16 @@ platforms: driver: name: ec2 - subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> - security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> + # subnet_filter: + # tag: 'Default' + # value: '*public*' metadata_options: http_tokens: required http_put_response_hop_limit: 1 instance_metadata_tags: enabled instance_type: t2.micro + associate_public_ip: true + interface: public skip_cost_warning: true privileged: true instance_initiated_shutdown_behavior: terminate diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 4693b389..a6d2451c 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml 
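Review bot: Reverting 411c6dc here also drops `subnet_id` and `security_group_ids`, not only the public-IP settings the commit title mentions, so the DISA instance goes back to `associate_public_ip: true` / `interface: public` in whatever default subnet and security group the driver selects. If a public interface is needed so the runner can reach the instance over SSH, keep the pinned subnet and security-group lines and re-add only `associate_public_ip: true` and `interface: public`, so reachability is still bounded by `SAF_PIPELINE_SG`. The restored `# subnet_filter:` block is dead configuration and could be removed instead of revived.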
@@ -4,15 +4,23 @@ platforms: driver: name: ec2 +<<<<<<< HEAD subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> #region: us-east-1 #availability_zone: a +======= + # subnet_filter: + # tag: 'Default' + # value: '*public*' +>>>>>>> parent of 411c6dc (restricting kitchen ec2 behavior -- adding vars to use specifc subnet and security group IDs, removing public IP setting (so it will default to using private IPs)) metadata_options: http_tokens: required http_put_response_hop_limit: 1 instance_metadata_tags: enabled instance_type: t2.micro + associate_public_ip: true + interface: public skip_cost_warning: true privileged: true instance_initiated_shutdown_behavior: terminate From 9cab23f33594ff77e497051df9ab47d0a1576543 Mon Sep 17 00:00:00 2001 From: wdower Date: Mon, 25 Mar 2024 13:02:25 -0400 Subject: [PATCH 10/25] actually saving kitchen.ec2.yml before committing and pushing this time Signed-off-by: wdower --- kitchen.ec2.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index a6d2451c..671abce9 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -4,16 +4,10 @@ platforms: driver: name: ec2 -<<<<<<< HEAD subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> #region: us-east-1 #availability_zone: a -======= - # subnet_filter: - # tag: 'Default' - # value: '*public*' ->>>>>>> parent of 411c6dc (restricting kitchen ec2 behavior -- adding vars to use specifc subnet and security group IDs, removing public IP setting (so it will default to using private IPs)) metadata_options: http_tokens: required http_put_response_hop_limit: 1 From 3ee44ec0986c260570018d20f6bddcb5ae1b88b0 Mon Sep 17 00:00:00 2001 From: wdower Date: Mon, 25 Mar 2024 13:53:28 -0400 Subject: [PATCH 11/25] specifying availability zone again Signed-off-by: wdower --- kitchen.ec2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
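Review bot: This hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> parent of 411c6dc`) into kitchen.ec2.yml, so the file is not valid YAML and any kitchen run against this revision fails to load its driver configuration. The markers need to be resolved before committing; the following `actually saving kitchen.ec2.yml` commit shows the intended resolution. A pre-commit or CI lint step (`yamllint`, or `git diff --check`, which reports leftover conflict markers) would catch this class of mistake before it reaches the branch.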
diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 671abce9..b3204fe8 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -6,8 +6,8 @@ driver: name: ec2 subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> - #region: us-east-1 - #availability_zone: a + region: us-east-1 + availability_zone: a metadata_options: http_tokens: required http_put_response_hop_limit: 1 From 4781f6478015ecc43f21f5eac4bf065a3d776642 Mon Sep 17 00:00:00 2001 From: wdower Date: Mon, 25 Mar 2024 16:01:01 -0400 Subject: [PATCH 12/25] adding vars for region and az, updating disa ec2 workflow Signed-off-by: wdower --- .github/workflows/lint-profile.yml | 9 ++++----- .github/workflows/verify-container.yml | 9 ++++----- .github/workflows/verify-disa-hardened-ec2.yml | 9 ++++----- .github/workflows/verify-ec2.yml | 9 ++++----- kitchen.disa.ec2.yml | 7 ++++--- kitchen.ec2.yml | 4 ++-- 6 files changed, 22 insertions(+), 25 deletions(-) diff --git a/.github/workflows/lint-profile.yml b/.github/workflows/lint-profile.yml index 0b05ceff..2dae704d 100644 --- a/.github/workflows/lint-profile.yml +++ b/.github/workflows/lint-profile.yml @@ -1,11 +1,10 @@ name: Lint & Check the Profile on: - workflow_dispatch: - # push: - # branches-ignore: - # - none - # pull_request: + push: + branches-ignore: + - none + pull_request: jobs: validate: diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index a50479ee..67b8cc21 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -1,11 +1,10 @@ name: UBI8 Testing Matrix on: - workflow_dispatch: - # push: - # branches-ignore: - # - none - # pull_request: + push: + branches-ignore: + - none + pull_request: jobs: validate: diff --git a/.github/workflows/verify-disa-hardened-ec2.yml b/.github/workflows/verify-disa-hardened-ec2.yml index 223f619c..864163c1 100644 --- a/.github/workflows/verify-disa-hardened-ec2.yml 
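Review bot: Replacing `workflow_dispatch:` with `push:` / `pull_request:` removes the ability to re-run these jobs by hand, and `branches-ignore: - none` is an indirect way of matching every branch; a bare `push:` says the same thing plainly, and `workflow_dispatch:` can be kept alongside the new triggers. For the EC2 workflows in this commit (verify-disa-hardened-ec2.yml and verify-ec2.yml) the `pull_request` trigger also means pull requests from forks run without access to `secrets`, so the AWS credential step fails and the job only burns runner time; gating that job with `if: github.event.pull_request.head.repo.full_name == github.repository` avoids the noise. The same trigger change is made in the verify-container.yml hunk on this line.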
+++ b/.github/workflows/verify-disa-hardened-ec2.yml @@ -1,11 +1,10 @@ name: DISA Hardened EC2 Testing Matrix on: - workflow_dispatch: - # push: - # branches-ignore: - # - none - # pull_request: + push: + branches-ignore: + - none + pull_request: jobs: validate: diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index 26b2c19d..d22b3259 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -1,11 +1,10 @@ name: EC2 Testing Matrix on: - workflow_dispatch: - # push: - # branches-ignore: - # - none - # pull_request: + push: + branches-ignore: + - none + pull_request: jobs: validate: diff --git a/kitchen.disa.ec2.yml b/kitchen.disa.ec2.yml index 72ead7c5..66cc8926 100644 --- a/kitchen.disa.ec2.yml +++ b/kitchen.disa.ec2.yml @@ -4,9 +4,10 @@ platforms: driver: name: ec2 - # subnet_filter: - # tag: 'Default' - # value: '*public*' + subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> + security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> + region: <%= ENV['SAF_REGION'] %> + availability_zone: <%= ENV['SAF_AZ'] %> metadata_options: http_tokens: required http_put_response_hop_limit: 1 diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index b3204fe8..5d517b30 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -6,8 +6,8 @@ driver: name: ec2 subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> - region: us-east-1 - availability_zone: a + region: <%= ENV['SAF_REGION'] %> + availability_zone: <%= ENV['SAF_AZ'] %> metadata_options: http_tokens: required http_put_response_hop_limit: 1 From 93f0cc8103e1b2f06d29ec020c89aecf54f66a58 Mon Sep 17 00:00:00 2001 From: wdower Date: Mon, 25 Mar 2024 16:18:31 -0400 Subject: [PATCH 13/25] adding another pipeline for using red hat's official hardening role 
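Review bot: `region: <%= ENV['SAF_REGION'] %>` and `availability_zone: <%= ENV['SAF_AZ'] %>` in the kitchen.disa.ec2.yml and kitchen.ec2.yml hunks read variables that nothing in this commit exports: the workflow `env` blocks carry only `SAF_PIPELINE_SUBNET` and `SAF_PIPELINE_SG`, and `SAF_AWS_REGION` is passed only to the credentials action. With both unset the lines render as empty values, YAML reads them as null, and the driver presumably falls back to the region of the AWS credentials and an arbitrary zone — not an error, just a silent difference from the hard-coded `us-east-1` / `a` this replaces in kitchen.ec2.yml. Either export the variables in the same commit or use `ENV.fetch('SAF_REGION')` so a missing variable fails the run.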
Signed-off-by: wdower --- .../verify-rhel-official-hardened-ec2.yml | 113 ++++++++++++++++++ kitchen.rhel-official-role.ec2.yml | 73 +++++++++++ rhel-official-role-hardened.threshold.yml | 5 + .../roles/ansible-role-rhel-hardened.yml | 4 +- .../defaults/main.yml | 0 .../meta/main.yml | 0 .../tasks/ad_hoc.yml | 0 .../tasks/main.yml | 0 .../ansible-role-rhel-official-hardened.yml | 9 ++ spec/ansible/roles/requirements.yml | 5 +- 10 files changed, 206 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/verify-rhel-official-hardened-ec2.yml create mode 100644 kitchen.rhel-official-role.ec2.yml create mode 100644 rhel-official-role-hardened.threshold.yml rename spec/ansible/roles/{ansible-role-rhel-hardened => ansible-role-rhel-local-hardening-tasks}/defaults/main.yml (100%) rename spec/ansible/roles/{ansible-role-rhel-hardened => ansible-role-rhel-local-hardening-tasks}/meta/main.yml (100%) rename spec/ansible/roles/{ansible-role-rhel-hardened => ansible-role-rhel-local-hardening-tasks}/tasks/ad_hoc.yml (100%) rename spec/ansible/roles/{ansible-role-rhel-hardened => ansible-role-rhel-local-hardening-tasks}/tasks/main.yml (100%) create mode 100644 spec/ansible/roles/ansible-role-rhel-official-hardened.yml diff --git a/.github/workflows/verify-rhel-official-hardened-ec2.yml b/.github/workflows/verify-rhel-official-hardened-ec2.yml new file mode 100644 index 00000000..cd7c61e9 --- /dev/null +++ b/.github/workflows/verify-rhel-official-hardened-ec2.yml 
@@ -0,0 +1,113 @@ +name: RHEL-Official Hardened EC2 Testing Matrix + +on: + push: + branches-ignore: + - none + pull_request: + +jobs: + validate: + name: Validate my profile + runs-on: ubuntu-latest + env: + CHEF_LICENSE: accept-silent + CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }} + KITCHEN_LOCAL_YAML: kitchen.rhel-official.ec2.yml + SAF_PIPELINE_SUBNET: ${{ secrets.SAF_PIPELINE_SUBNET }} + SAF_PIPELINE_SG: ${{ secrets.SAF_PIPELINE_SG }} + PLATFORM: 'rhel-8' + LC_ALL: "en_US.UTF-8" + strategy: + matrix: + suite: ["rhel-official-role-hardened"] + fail-fast: false + steps: + - name: add needed packages + run: sudo apt-get install -y jq + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ secrets.SAF_AWS_REGION }} + + - name: Check out repository + uses: actions/checkout@v4 + + - name: Clone full repository so we can push + run: git fetch --prune --unshallow + + - name: Set short git commit SHA + id: vars + run: | + calculatedSha=$(git rev-parse --short ${{ github.sha }}) + echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV + + - name: Confirm git commit SHA output + run: echo ${{ env.COMMIT_SHORT_SHA }} + + - name: Get commit message + id: commit + run: echo "::set-output name=message::$(git log --format=%B -n 1 ${{ github.sha }})" + + - name: Setup Ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: "3.1" + + - name: Disable ri and rdoc + run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' + + - name: Run Bundle Install + run: bundle install + + - name: Installed Inspec + run: bundle exec inspec version + + - name: Vendor the Profile + run: bundle exec inspec vendor . 
--overwrite + + - name: Run kitchen test + if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} + continue-on-error: true + run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-${{ env.PLATFORM }} + + - name: Create our ${{ matrix.suite }} results summary + if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} + uses: mitre/saf_action@v1.5.0 + with: + command_string: "view summary -j -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -o spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json" + + - name: Save Test Result JSON + if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} + uses: actions/upload-artifact@v3 + with: + name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results + path: spec/results/ + + - name: Upload ${{ matrix.suite }} to Heimdall + if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} + continue-on-error: true + run: | + curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }},'Supplemental Automation Content v1r12'" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_GROUP_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations" + + - name: Display our ${{ matrix.suite }} results summary + if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} + uses: mitre/saf_action@v1.5.0 + with: + command_string: "view summary -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json" + + - name: Generate Markdown Summary + continue-on-error: true + id: generate-summary + run: | + cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json | python markdown-summary.py > spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md + cat spec/results/${{ env.PLATFORM }}_${{ 
matrix.suite }}-markdown-summary.md >> $GITHUB_STEP_SUMMARY + + - name: Ensure the scan meets our ${{ matrix.suite }} results threshold + if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} + uses: mitre/saf_action@v1.5.0 + with: + command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml" diff --git a/kitchen.rhel-official-role.ec2.yml b/kitchen.rhel-official-role.ec2.yml new file mode 100644 index 00000000..e2596f88 --- /dev/null +++ b/kitchen.rhel-official-role.ec2.yml 
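Review bot: The `Get commit message` step uses the deprecated `::set-output` workflow command; write to `$GITHUB_OUTPUT` instead, and because `git log --format=%B` returns the full multi-line message, use the `message<<EOF` delimiter form rather than a single `echo`. `actions/upload-artifact@v3` is likewise deprecated in favour of v4. The Heimdall upload posts each result with `-F "public=true"`, which appears to publish the scan data to any viewer of that Heimdall instance; confirm that is intended for a hardening pipeline whose results enumerate failing controls. The third-party actions (`mitre/saf_action`, `ruby/setup-ruby`, `actions/checkout`, `aws-actions/configure-aws-credentials`) are pinned by tag only; pinning to a commit SHA protects the pipeline's credentials against a moved tag.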
@@ -0,0 +1,73 @@ +--- +platforms: + - name: rhel-8 + +driver: + name: ec2 + subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> + security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> + region: <%= ENV['SAF_REGION'] %> + availability_zone: <%= ENV['SAF_AZ'] %> + metadata_options: + http_tokens: required + http_put_response_hop_limit: 1 + instance_metadata_tags: enabled + instance_type: t2.micro + associate_public_ip: true + interface: public + skip_cost_warning: true + privileged: true + instance_initiated_shutdown_behavior: terminate + +provisioner: + name: ansible_playbook + hosts: all + require_chef_for_busser: false + require_ruby_for_busser: false + ansible_binary_path: /usr/local/bin + # require_pip3: true + ansible_verbose: true + roles_path: spec/ansible/roles + galaxy_ignore_certs: true + requirements_path: spec/ansible/roles/requirements.yml + requirements_collection_path: spec/ansible/roles/requirements.yml + ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %> + +suites: + - name: rhel-official-role-hardened + provisioner: + playbook: spec/ansible/roles/ansible-rhel-official-hardened.yml + driver: + tags: + Name: RHEL-Official-Hardened-<%= ENV['USER'] %> + CreatedBy: test-kitchen + +lifecycle: + pre_converge: + - remote: | + # echo "+++ Refreshing DNF package cache +++" + # sudo dnf -y clean all + echo "" + echo "+++ Updating DNF Packages +++" + sudo dnf -y update --nogpgcheck --nobest + echo "" + echo "+++ Installing needed packages for workflow and utility +++\n\n" + sudo dnf -y install --nogpgcheck bc bind-utils redhat-lsb-core vim git wget gcc openssl-devel libffi-devel bzip2-devel + echo "" + echo "+++ Installing Python 3.9 and Ansible +++\n\n" + export PATH=/usr/local/bin:$PATH + sudo dnf -y install python3.9 + sudo dnf -y install python3-pip + sudo update-alternatives --set python3 /usr/bin/python3.9 + sudo python3 -m pip install ansible jmespath + echo "" + echo "+++ Updating the ec2-user to keep sudo working after hardening phase +++\n\n" + sudo chage 
-d $(( $( date +%s ) / 86400 )) ec2-user + echo "" + echo "+++ updating ec2-user sudo config for hardening phase +++\n\n" + sudo chmod 600 /etc/sudoers && sudo sed -i'' "/ec2-user/d" /etc/sudoers && sudo chmod 400 /etc/sudoers + +#https://github.com/neillturner/kitchen-ansible/issues/295 +transport: + name: ssh + max_ssh_sessions: 2 diff --git a/rhel-official-role-hardened.threshold.yml b/rhel-official-role-hardened.threshold.yml new file mode 100644 index 00000000..fd7fa61b --- /dev/null +++ b/rhel-official-role-hardened.threshold.yml @@ -0,0 +1,5 @@ +compliance: + min: 64 +error: + total: + max: 0 \ No newline at end of file diff --git a/spec/ansible/roles/ansible-role-rhel-hardened.yml b/spec/ansible/roles/ansible-role-rhel-hardened.yml index a68b9f8c..db7f65b9 100644 --- a/spec/ansible/roles/ansible-role-rhel-hardened.yml +++ b/spec/ansible/roles/ansible-role-rhel-hardened.yml @@ -3,8 +3,8 @@ - localhost roles: - roles/ansible-role-rhel-vanilla - - roles/ansible-role-rhel-hardened - - roles/rhel8STIG + - roles/ansible-role-rhel-local-hardening-tasks + - roles/rhel8STIG-ansible-lockdown serial: 50 become: yes vars: diff --git a/spec/ansible/roles/ansible-role-rhel-hardened/defaults/main.yml b/spec/ansible/roles/ansible-role-rhel-local-hardening-tasks/defaults/main.yml similarity index 100% rename from spec/ansible/roles/ansible-role-rhel-hardened/defaults/main.yml rename to spec/ansible/roles/ansible-role-rhel-local-hardening-tasks/defaults/main.yml diff --git a/spec/ansible/roles/ansible-role-rhel-hardened/meta/main.yml b/spec/ansible/roles/ansible-role-rhel-local-hardening-tasks/meta/main.yml similarity index 100% rename from spec/ansible/roles/ansible-role-rhel-hardened/meta/main.yml rename to spec/ansible/roles/ansible-role-rhel-local-hardening-tasks/meta/main.yml 
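Review bot: The provisioner sets `galaxy_ignore_certs: true` and the `pre_converge` script runs `sudo dnf -y update --nogpgcheck --nobest` and `sudo dnf -y install --nogpgcheck ...`, so both the roles fetched from GitHub (per requirements.yml) and every package installed on the instance skip integrity verification before being executed as root; remove the two `--nogpgcheck` flags and drop `galaxy_ignore_certs`, and if a broken CA chain on the image is the reason, fix the trust store rather than disable TLS validation. `sudo python3 -m pip install ansible jmespath` is unpinned, so each run picks up whatever release PyPI serves that day; pin versions for a reproducible hardening result. `associate_public_ip: true` / `interface: public` is carried over into this new file even though the pinned subnet and security group are present; if the pipeline subnet is routable from the runner, a private interface would suffice.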
diff --git a/spec/ansible/roles/ansible-role-rhel-hardened/tasks/ad_hoc.yml b/spec/ansible/roles/ansible-role-rhel-local-hardening-tasks/tasks/ad_hoc.yml similarity index 100% rename from spec/ansible/roles/ansible-role-rhel-hardened/tasks/ad_hoc.yml rename to spec/ansible/roles/ansible-role-rhel-local-hardening-tasks/tasks/ad_hoc.yml diff --git a/spec/ansible/roles/ansible-role-rhel-hardened/tasks/main.yml b/spec/ansible/roles/ansible-role-rhel-local-hardening-tasks/tasks/main.yml similarity index 100% rename from spec/ansible/roles/ansible-role-rhel-hardened/tasks/main.yml rename to spec/ansible/roles/ansible-role-rhel-local-hardening-tasks/tasks/main.yml diff --git a/spec/ansible/roles/ansible-role-rhel-official-hardened.yml b/spec/ansible/roles/ansible-role-rhel-official-hardened.yml new file mode 100644 index 00000000..3d4da816 --- /dev/null +++ b/spec/ansible/roles/ansible-role-rhel-official-hardened.yml @@ -0,0 +1,9 @@ +--- +- hosts: + - localhost + roles: + - roles/ansible-role-rhel-vanilla + # - roles/ansible-role-rhel-local-hardening-tasks # leaving this commented out at first to see what happens with no outside tasks other than a yum update + - roles/rhel8STIG-rhel-official + serial: 50 + become: yes \ No newline at end of file diff --git a/spec/ansible/roles/requirements.yml b/spec/ansible/roles/requirements.yml index a78bd418..8987d9e1 100644 --- a/spec/ansible/roles/requirements.yml +++ b/spec/ansible/roles/requirements.yml @@ -1,7 +1,10 @@ roles: - - name: rhel8STIG + - name: rhel8STIG-ansible-lockdown src: https://github.com/ansible-lockdown/RHEL8-STIG version: 3.0.0 + - name: rhel8STIG-rhel-official + src: https://github.com/RedHatOfficial/ansible-role-rhel8-stig + version: 0.1.72 collections: - name: community.general From 03d5874f7e9aebef0c49687b6bf5bcc795241a6e Mon Sep 17 00:00:00 2001 
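Review bot: `become: yes` in the new playbook is a YAML 1.1 truthy value; `become: true` is the canonical form (yamllint `truthy`) and matches the `true` literals used in the kitchen files. The file also ends without a trailing newline, as does rhel-official-role-hardened.threshold.yml in this commit.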
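Review bot: The new `rhel8STIG-rhel-official` role is pulled straight from GitHub at `version: 0.1.72`, and the renamed `rhel8STIG-ansible-lockdown` entry at `3.0.0`; both are git tags, which can be moved, so the hardening content applied to the instance is not fixed by this file alone. `ansible-galaxy` accepts a commit hash in `version:` for git sources, which pins the exact content; combined with the `galaxy_ignore_certs: true` set in kitchen.rhel-official-role.ec2.yml, the current setup verifies neither the transport nor the content of what runs as root on the test instance.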
From: wdower Date: Mon, 25 Mar 2024 16:29:24 -0400 Subject: [PATCH 14/25] fixing incorrect name of the rhel-official kitchen file, disabling other pipelines while we get this one early Signed-off-by: wdower --- .github/workflows/verify-container.yml | 6 +++--- .github/workflows/verify-disa-hardened-ec2.yml | 6 +++--- .github/workflows/verify-ec2.yml | 6 +++--- .github/workflows/verify-rhel-official-hardened-ec2.yml | 2 +- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index 67b8cc21..9903effb 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -1,9 +1,9 @@ name: UBI8 Testing Matrix on: - push: - branches-ignore: - - none + # push: + # branches-ignore: + # - none pull_request: jobs: diff --git a/.github/workflows/verify-disa-hardened-ec2.yml b/.github/workflows/verify-disa-hardened-ec2.yml index 864163c1..54da52b6 100644 --- a/.github/workflows/verify-disa-hardened-ec2.yml +++ b/.github/workflows/verify-disa-hardened-ec2.yml @@ -1,9 +1,9 @@ name: DISA Hardened EC2 Testing Matrix on: - push: - branches-ignore: - - none + # push: + # branches-ignore: + # - none pull_request: jobs: diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index d22b3259..f4d1cd25 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -1,9 +1,9 @@ name: EC2 Testing Matrix on: - push: - branches-ignore: - - none + # push: + # branches-ignore: + # - none pull_request: jobs: diff --git a/.github/workflows/verify-rhel-official-hardened-ec2.yml b/.github/workflows/verify-rhel-official-hardened-ec2.yml index cd7c61e9..80c0fab2 100644 --- a/.github/workflows/verify-rhel-official-hardened-ec2.yml +++ b/.github/workflows/verify-rhel-official-hardened-ec2.yml 
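Review bot: Commenting out only the `push:` block while leaving `pull_request:` does not disable these workflows as the commit message says; verify-container.yml, verify-disa-hardened-ec2.yml and verify-ec2.yml still run on every pull request, and the two EC2 ones still provision an instance with the pipeline credentials. If the intent is to pause them, remove or comment the `pull_request:` trigger as well (or keep only `workflow_dispatch:` for manual runs) rather than leaving a partially commented `on:` block.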
@@ -13,7 +13,7 @@ jobs: env: CHEF_LICENSE: accept-silent CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }} - KITCHEN_LOCAL_YAML: kitchen.rhel-official.ec2.yml + KITCHEN_LOCAL_YAML: kitchen.rhel-official-role.ec2.yml SAF_PIPELINE_SUBNET: ${{ secrets.SAF_PIPELINE_SUBNET }} SAF_PIPELINE_SG: ${{ secrets.SAF_PIPELINE_SG }} PLATFORM: 'rhel-8' From 1da995e38883ea705a617d4c36de5b769e046e02 Mon Sep 17 00:00:00 2001 From: wdower Date: Mon, 25 Mar 2024 16:33:55 -0400 Subject: [PATCH 15/25] correct name for SAF_AWS_REGION var Signed-off-by: wdower --- kitchen.disa.ec2.yml | 2 +- kitchen.ec2.yml | 2 +- kitchen.rhel-official-role.ec2.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/kitchen.disa.ec2.yml b/kitchen.disa.ec2.yml index 66cc8926..02e938a1 100644 --- a/kitchen.disa.ec2.yml +++ b/kitchen.disa.ec2.yml @@ -6,7 +6,7 @@ driver: name: ec2 subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> - region: <%= ENV['SAF_REGION'] %> + region: <%= ENV['SAF_AWS_REGION'] %> availability_zone: <%= ENV['SAF_AZ'] %> metadata_options: http_tokens: required diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index 5d517b30..c4282238 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -6,7 +6,7 @@ driver: name: ec2 subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> - region: <%= ENV['SAF_REGION'] %> + region: <%= ENV['SAF_AWS_REGION'] %> availability_zone: <%= ENV['SAF_AZ'] %> metadata_options: http_tokens: required diff --git a/kitchen.rhel-official-role.ec2.yml b/kitchen.rhel-official-role.ec2.yml index e2596f88..b1994604 100644 --- a/kitchen.rhel-official-role.ec2.yml +++ b/kitchen.rhel-official-role.ec2.yml 
@@ -6,7 +6,7 @@ driver: name: ec2 subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> - region: <%= ENV['SAF_REGION'] %> + region: <%= ENV['SAF_AWS_REGION'] %> availability_zone: <%= ENV['SAF_AZ'] %> metadata_options: http_tokens: required From ed8905a92a9493c72b3386468927ae9115135723 Mon Sep 17 00:00:00 2001 From: wdower Date: Mon, 25 Mar 2024 16:39:38 -0400 Subject: [PATCH 16/25] adding SAF_AWS_REGION and SAF_AZ to workflow files Signed-off-by: wdower --- .github/workflows/verify-disa-hardened-ec2.yml | 2 ++ .github/workflows/verify-ec2.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/verify-disa-hardened-ec2.yml b/.github/workflows/verify-disa-hardened-ec2.yml index 54da52b6..e2fe0b0c 100644 --- a/.github/workflows/verify-disa-hardened-ec2.yml +++ b/.github/workflows/verify-disa-hardened-ec2.yml @@ -16,6 +16,8 @@ jobs: KITCHEN_LOCAL_YAML: kitchen.disa.ec2.yml SAF_PIPELINE_SUBNET: ${{ secrets.SAF_PIPELINE_SUBNET }} SAF_PIPELINE_SG: ${{ secrets.SAF_PIPELINE_SG }} + SAF_AWS_REGION: ${{ secrets.SAF_AWS_REGION }} + SAF_AZ: ${{ secrets.SAF_AZ }} PLATFORM: 'rhel-8' LC_ALL: "en_US.UTF-8" strategy: diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index f4d1cd25..4fc1217e 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -16,6 +16,8 @@ jobs: KITCHEN_LOCAL_YAML: kitchen.ec2.yml SAF_PIPELINE_SUBNET: ${{ secrets.SAF_PIPELINE_SUBNET }} SAF_PIPELINE_SG: ${{ secrets.SAF_PIPELINE_SG }} + SAF_AWS_REGION: ${{ secrets.SAF_AWS_REGION }} + SAF_AZ: ${{ secrets.SAF_AZ }} PLATFORM: 'rhel-8' LC_ALL: "en_US.UTF-8" strategy: From 618b517a7ff82222aa26356e9967f302809ea14e Mon Sep 17 00:00:00 2001 From: wdower Date: Tue, 26 Mar 2024 11:21:54 -0400 Subject: [PATCH 17/25] adding envars for aws region and az to workflow file Signed-off-by: wdower --- .github/workflows/verify-rhel-official-hardened-ec2.yml | 2 ++ 1 file changed, 2 insertions(+) 
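Review bot: `SAF_AWS_REGION` and `SAF_AZ` are read from `secrets`, but a region name and an availability zone are not sensitive, and storing them as secrets makes GitHub mask the values in every log line — which hides exactly the region/AZ strings needed to debug the launch failures this series is chasing. Repository or environment variables (`SAF_AWS_REGION: ${{ vars.SAF_AWS_REGION }}`) are the usual home for non-sensitive configuration. The same applies to the verify-ec2.yml hunk in this patch and to the verify-rhel-official-hardened-ec2.yml hunk in patch 17.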
diff --git a/.github/workflows/verify-rhel-official-hardened-ec2.yml b/.github/workflows/verify-rhel-official-hardened-ec2.yml index 80c0fab2..47b23c9c 100644 --- a/.github/workflows/verify-rhel-official-hardened-ec2.yml +++ b/.github/workflows/verify-rhel-official-hardened-ec2.yml @@ -16,6 +16,8 @@ jobs: KITCHEN_LOCAL_YAML: kitchen.rhel-official-role.ec2.yml SAF_PIPELINE_SUBNET: ${{ secrets.SAF_PIPELINE_SUBNET }} SAF_PIPELINE_SG: ${{ secrets.SAF_PIPELINE_SG }} + SAF_AWS_REGION: ${{ secrets.SAF_AWS_REGION }} + SAF_AZ: ${{ secrets.SAF_AZ }} PLATFORM: 'rhel-8' LC_ALL: "en_US.UTF-8" strategy: From 6b10dbc3463f612f50fb11a35295e78ea0133e1a Mon Sep 17 00:00:00 2001 From: wdower Date: Tue, 26 Mar 2024 11:32:50 -0400 Subject: [PATCH 18/25] forcing default AWS region Signed-off-by: wdower --- kitchen.rhel-official-role.ec2.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/kitchen.rhel-official-role.ec2.yml b/kitchen.rhel-official-role.ec2.yml index b1994604..8dffdd95 100644 --- a/kitchen.rhel-official-role.ec2.yml +++ b/kitchen.rhel-official-role.ec2.yml @@ -6,8 +6,6 @@ driver: name: ec2 subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> - region: <%= ENV['SAF_AWS_REGION'] %> - availability_zone: <%= ENV['SAF_AZ'] %> metadata_options: http_tokens: required http_put_response_hop_limit: 1 From 3efb5162cb027a2e8dec70f9ad0cc17ba6a011ae Mon Sep 17 00:00:00 2001 From: wdower Date: Tue, 26 Mar 2024 11:36:25 -0400 Subject: [PATCH 19/25] forcing default in the workflow file Signed-off-by: wdower --- .github/workflows/verify-rhel-official-hardened-ec2.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/verify-rhel-official-hardened-ec2.yml b/.github/workflows/verify-rhel-official-hardened-ec2.yml index 47b23c9c..80c0fab2 100644 --- a/.github/workflows/verify-rhel-official-hardened-ec2.yml +++ b/.github/workflows/verify-rhel-official-hardened-ec2.yml 
@@ -16,8 +16,6 @@ jobs: KITCHEN_LOCAL_YAML: kitchen.rhel-official-role.ec2.yml SAF_PIPELINE_SUBNET: ${{ secrets.SAF_PIPELINE_SUBNET }} SAF_PIPELINE_SG: ${{ secrets.SAF_PIPELINE_SG }} - SAF_AWS_REGION: ${{ secrets.SAF_AWS_REGION }} - SAF_AZ: ${{ secrets.SAF_AZ }} PLATFORM: 'rhel-8' LC_ALL: "en_US.UTF-8" strategy: From d36260b5cbca3e21a4abec8cb08b8132faeff9e1 Mon Sep 17 00:00:00 2001 From: wdower Date: Tue, 26 Mar 2024 12:46:07 -0400 Subject: [PATCH 20/25] hardcoding region/az Signed-off-by: wdower --- kitchen.rhel-official-role.ec2.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kitchen.rhel-official-role.ec2.yml b/kitchen.rhel-official-role.ec2.yml index 8dffdd95..895a34f8 100644 --- a/kitchen.rhel-official-role.ec2.yml +++ b/kitchen.rhel-official-role.ec2.yml @@ -6,6 +6,8 @@ driver: name: ec2 subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> + region: us-east-1 + avaliability_zone: a metadata_options: http_tokens: required http_put_response_hop_limit: 1 From 911ea15e8e34c5eeee2182dd7afcbb64ae34cf9f Mon Sep 17 00:00:00 2001 From: wdower Date: Tue, 26 Mar 2024 12:51:04 -0400 Subject: [PATCH 21/25] hardcoding in the AWS credential step Signed-off-by: wdower --- .github/workflows/verify-rhel-official-hardened-ec2.yml | 2 +- kitchen.rhel-official-role.ec2.yml | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/verify-rhel-official-hardened-ec2.yml b/.github/workflows/verify-rhel-official-hardened-ec2.yml index 80c0fab2..0b35c4c0 100644 --- a/.github/workflows/verify-rhel-official-hardened-ec2.yml +++ b/.github/workflows/verify-rhel-official-hardened-ec2.yml @@ -31,7 +31,7 @@ jobs: with: aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.SAF_AWS_REGION }} + aws-region: us-east-1 - name: Check out repository uses: actions/checkout@v4 
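Review bot: `avaliability_zone: a` is misspelled (`availability_zone`) and `a` is not a full zone name, so kitchen-ec2 would most likely ignore the unknown key and the instance would land wherever the subnet dictates; if the zone is meant to be pinned the line should read `availability_zone: us-east-1a`, although a subnet is already zone-scoped, so the key is probably redundant next to `subnet_id`. Patch 21 in this series removes both lines again, so this only matters if the commit is taken on its own.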
diff --git a/kitchen.rhel-official-role.ec2.yml b/kitchen.rhel-official-role.ec2.yml index 895a34f8..8dffdd95 100644 --- a/kitchen.rhel-official-role.ec2.yml +++ b/kitchen.rhel-official-role.ec2.yml @@ -6,8 +6,6 @@ driver: name: ec2 subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> - region: us-east-1 - avaliability_zone: a metadata_options: http_tokens: required http_put_response_hop_limit: 1 From 146723782a6e7191d627f252d8cedbd57162e6d6 Mon Sep 17 00:00:00 2001 From: wdower Date: Tue, 26 Mar 2024 12:57:34 -0400 Subject: [PATCH 22/25] swapping keys Signed-off-by: wdower --- .github/workflows/verify-rhel-official-hardened-ec2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/verify-rhel-official-hardened-ec2.yml b/.github/workflows/verify-rhel-official-hardened-ec2.yml index 0b35c4c0..76a07216 100644 --- a/.github/workflows/verify-rhel-official-hardened-ec2.yml +++ b/.github/workflows/verify-rhel-official-hardened-ec2.yml @@ -29,8 +29,8 @@ jobs: - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }} + aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID_2 }} + aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY_2 }} aws-region: us-east-1 - name: Check out repository From 26fae186cdd69779c1bbdf2e80898d86e6b2848e Mon Sep 17 00:00:00 2001 From: wdower Date: Wed, 27 Mar 2024 10:21:44 -0400 Subject: [PATCH 23/25] updated rhel-official playbook path Signed-off-by: wdower --- kitchen.rhel-official-role.ec2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kitchen.rhel-official-role.ec2.yml b/kitchen.rhel-official-role.ec2.yml index 8dffdd95..1066e74b 100644 --- a/kitchen.rhel-official-role.ec2.yml +++ b/kitchen.rhel-official-role.ec2.yml 
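Review bot: The hunk swaps one pair of long-lived IAM access keys for another (`SAF_AWS_ACCESS_KEY_ID_2` / `SAF_AWS_SECRET_ACCESS_KEY_2`), and patch 24 swaps back, with nothing in the workflow recording why the first pair did not work or which IAM principal each pair belongs to. `aws-actions/configure-aws-credentials@v4` supports `role-to-assume` with GitHub's OIDC provider, which would take static access keys out of repository secrets entirely and make this kind of key juggling unnecessary; if static keys must stay, a comment naming the owning IAM user above the `with:` block would help the next person. The same pair of lines is changed again in the verify-ec2.yml and verify-rhel-official-hardened-ec2.yml hunks of patch 24.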
@@ -34,7 +34,7 @@ provisioner: suites: - name: rhel-official-role-hardened provisioner: - playbook: spec/ansible/roles/ansible-rhel-official-hardened.yml + playbook: spec/ansible/roles/ansible-role-rhel-official-hardened.yml driver: tags: Name: RHEL-Official-Hardened-<%= ENV['USER'] %> From 68ac1b8b8b1fcd8e17a8ddce898b4f9167482c79 Mon Sep 17 00:00:00 2001 From: wdower Date: Wed, 27 Mar 2024 13:11:35 -0400 Subject: [PATCH 24/25] re-enabling the other ec2 pipelines, using the main SAF_AWS_ACCESS_KEY and SAF_AWS_SECRET_ACCESS_KEY vars again now that we know they work, bumping up ec2 size to t2.small to decrease time to harden Signed-off-by: wdower --- .github/workflows/verify-container.yml | 6 +++--- .github/workflows/verify-disa-hardened-ec2.yml | 8 +++----- .github/workflows/verify-ec2.yml | 12 +++++------- .../workflows/verify-rhel-official-hardened-ec2.yml | 4 ++-- kitchen.disa.ec2.yml | 4 +--- kitchen.ec2.yml | 4 +--- kitchen.rhel-official-role.ec2.yml | 2 +- 7 files changed, 16 insertions(+), 24 deletions(-) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index 9903effb..67b8cc21 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -1,9 +1,9 @@ name: UBI8 Testing Matrix on: - # push: - # branches-ignore: - # - none + push: + branches-ignore: + - none pull_request: jobs: diff --git a/.github/workflows/verify-disa-hardened-ec2.yml b/.github/workflows/verify-disa-hardened-ec2.yml index e2fe0b0c..864163c1 100644 --- a/.github/workflows/verify-disa-hardened-ec2.yml +++ b/.github/workflows/verify-disa-hardened-ec2.yml @@ -1,9 +1,9 @@ name: DISA Hardened EC2 Testing Matrix on: - # push: - # branches-ignore: - # - none + push: + branches-ignore: + - none pull_request: jobs: 
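Review bot: The restored `branches-ignore:` with the single entry `none` reads like a keyword but is just the name of a branch nobody has, so the filter is a no-op that a reader has to puzzle over. `push:` with no value already triggers on every branch, so the block can shrink to `push:` alone, or the intent can be spelled out with a comment such as `# run on pushes to any branch`. The same applies to the verify-disa-hardened-ec2.yml hunk on this line and the verify-ec2.yml hunk of this patch.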
@@ -16,8 +16,6 @@ jobs: KITCHEN_LOCAL_YAML: kitchen.disa.ec2.yml SAF_PIPELINE_SUBNET: ${{ secrets.SAF_PIPELINE_SUBNET }} SAF_PIPELINE_SG: ${{ secrets.SAF_PIPELINE_SG }} - SAF_AWS_REGION: ${{ secrets.SAF_AWS_REGION }} - SAF_AZ: ${{ secrets.SAF_AZ }} PLATFORM: 'rhel-8' LC_ALL: "en_US.UTF-8" strategy: diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index 4fc1217e..634c069a 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -1,9 +1,9 @@ name: EC2 Testing Matrix on: - # push: - # branches-ignore: - # - none + push: + branches-ignore: + - none pull_request: jobs: @@ -16,8 +16,6 @@ jobs: KITCHEN_LOCAL_YAML: kitchen.ec2.yml SAF_PIPELINE_SUBNET: ${{ secrets.SAF_PIPELINE_SUBNET }} SAF_PIPELINE_SG: ${{ secrets.SAF_PIPELINE_SG }} - SAF_AWS_REGION: ${{ secrets.SAF_AWS_REGION }} - SAF_AZ: ${{ secrets.SAF_AZ }} PLATFORM: 'rhel-8' LC_ALL: "en_US.UTF-8" strategy: @@ -31,8 +29,8 @@ jobs: - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID_2 }} - aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY_2 }} + aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }} aws-region: ${{ secrets.SAF_AWS_REGION }} - name: Check out repository diff --git a/.github/workflows/verify-rhel-official-hardened-ec2.yml b/.github/workflows/verify-rhel-official-hardened-ec2.yml index 76a07216..0b35c4c0 100644 --- a/.github/workflows/verify-rhel-official-hardened-ec2.yml +++ b/.github/workflows/verify-rhel-official-hardened-ec2.yml 
@@ -29,8 +29,8 @@ jobs: - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID_2 }} - aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY_2 }} + aws-access-key-id: ${{ secrets.SAF_AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.SAF_AWS_SECRET_ACCESS_KEY }} aws-region: us-east-1 - name: Check out repository diff --git a/kitchen.disa.ec2.yml b/kitchen.disa.ec2.yml index 02e938a1..2f50a7ea 100644 --- a/kitchen.disa.ec2.yml +++ b/kitchen.disa.ec2.yml @@ -6,13 +6,11 @@ driver: name: ec2 subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> - region: <%= ENV['SAF_AWS_REGION'] %> - availability_zone: <%= ENV['SAF_AZ'] %> metadata_options: http_tokens: required http_put_response_hop_limit: 1 instance_metadata_tags: enabled - instance_type: t2.micro + instance_type: t2.small associate_public_ip: true interface: public skip_cost_warning: true diff --git a/kitchen.ec2.yml b/kitchen.ec2.yml index c4282238..b6baaf0b 100644 --- a/kitchen.ec2.yml +++ b/kitchen.ec2.yml @@ -6,13 +6,11 @@ driver: name: ec2 subnet_id: <%= ENV['SAF_PIPELINE_SUBNET'] %> security_group_ids: <%= ENV['SAF_PIPELINE_SG'] %> - region: <%= ENV['SAF_AWS_REGION'] %> - availability_zone: <%= ENV['SAF_AZ'] %> metadata_options: http_tokens: required http_put_response_hop_limit: 1 instance_metadata_tags: enabled - instance_type: t2.micro + instance_type: t2.small associate_public_ip: true interface: public skip_cost_warning: true diff --git a/kitchen.rhel-official-role.ec2.yml b/kitchen.rhel-official-role.ec2.yml index 1066e74b..66c9e979 100644 --- a/kitchen.rhel-official-role.ec2.yml +++ b/kitchen.rhel-official-role.ec2.yml @@ -10,7 +10,7 @@ driver: http_tokens: required http_put_response_hop_limit: 1 instance_metadata_tags: enabled - instance_type: t2.micro + instance_type: t2.small associate_public_ip: true interface: public skip_cost_warning: true 
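Review bot: `aws-region: us-east-1` stays hardcoded here (context line) while the verify-ec2.yml hunk of this same patch passes `${{ secrets.SAF_AWS_REGION }}`, and the kitchen files in this patch drop their own `region:` setting, so kitchen-ec2 presumably takes the region from whatever the credentials step exports. Subnet and security-group IDs are region-scoped, so if `SAF_AWS_REGION` is ever anything other than `us-east-1` one of the two workflows will fail to resolve `SAF_PIPELINE_SUBNET` / `SAF_PIPELINE_SG`; using `aws-region: ${{ secrets.SAF_AWS_REGION }}` here as well, or a comment stating why this workflow is pinned, would keep the three EC2 workflows in step.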
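Review bot: With `associate_public_ip: true` and `interface: public` kept as context below the new `instance_type: t2.small`, the instance under test still receives a public IPv4 address and kitchen connects to it over that address, so the parameterized `subnet_id` / `security_group_ids` only limit exposure to the extent that `SAF_PIPELINE_SG` restricts SSH ingress to the runner's source. If the pipeline subnet is reachable from the runner privately, `associate_public_ip: false` with `interface: private` would keep the host being hardened off the public internet for the duration of the run; either way a comment stating which exposure model the SG assumes would make the choice reviewable. The same applies to the kitchen.ec2.yml and kitchen.rhel-official-role.ec2.yml hunks on this line.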
From 7ac6e13b569ffefb2b61feebde9fa3907f17c97a Mon Sep 17 00:00:00 2001 From: wdower Date: Wed, 27 Mar 2024 13:12:10 -0400 Subject: [PATCH 25/25] bumping saf_action to latest release Signed-off-by: wdower --- .github/workflows/verify-container.yml | 6 +++--- .github/workflows/verify-disa-hardened-ec2.yml | 6 +++--- .github/workflows/verify-ec2.yml | 4 ++-- .github/workflows/verify-rhel-official-hardened-ec2.yml | 6 +++--- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index 67b8cc21..281f6219 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -77,7 +77,7 @@ jobs: - name: Create our ${{ matrix.suite }} results summary continue-on-error: true if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} - uses: mitre/saf_action@v1.5.0 + uses: mitre/saf_action@v1.5.2 with: command_string: "view summary -j -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -o spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json" @@ -96,7 +96,7 @@ jobs: - name: Display our ${{ matrix.suite }} results summary if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} - uses: mitre/saf_action@v1.5.0 + uses: mitre/saf_action@v1.5.2 with: command_string: "view summary -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json" @@ -109,6 +109,6 @@ jobs: - name: Ensure the scan meets our ${{ matrix.suite }} results threshold ${{ env.PLATFORM }}_${{ matrix.suite }}.threshold.yml if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} - uses: mitre/saf_action@v1.5.0 + uses: mitre/saf_action@v1.5.2 with: command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ${{ env.PLATFORM }}_${{ matrix.suite }}.threshold.yml" 
diff --git a/.github/workflows/verify-disa-hardened-ec2.yml b/.github/workflows/verify-disa-hardened-ec2.yml index 864163c1..973912e8 100644 --- a/.github/workflows/verify-disa-hardened-ec2.yml +++ b/.github/workflows/verify-disa-hardened-ec2.yml @@ -76,7 +76,7 @@ jobs: - name: Create our ${{ matrix.suite }} results summary if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} - uses: mitre/saf_action@v1.5.0 + uses: mitre/saf_action@v1.5.2 with: command_string: "view summary -j -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -o spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json" @@ -95,7 +95,7 @@ jobs: - name: Display our ${{ matrix.suite }} results summary if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} - uses: mitre/saf_action@v1.5.0 + uses: mitre/saf_action@v1.5.2 with: command_string: "view summary -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json" @@ -108,6 +108,6 @@ jobs: - name: Ensure the scan meets our ${{ matrix.suite }} results threshold if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} - uses: mitre/saf_action@v1.5.0 + uses: mitre/saf_action@v1.5.2 with: command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml" diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index 634c069a..44c87352 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml @@ -77,7 +77,7 @@ jobs: - name: Save our ${{ matrix.suite }} results summary continue-on-error: true if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} - uses: mitre/saf_action@v1.5.0 + uses: mitre/saf_action@v1.5.2 with: command_string: "view summary -j -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -o spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json" 
@@ -109,6 +109,6 @@ jobs: - name: Ensure the scan meets our ${{ matrix.suite }} results threshold if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} - uses: mitre/saf_action@v1.5.0 + uses: mitre/saf_action@v1.5.2 with: command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml" diff --git a/.github/workflows/verify-rhel-official-hardened-ec2.yml b/.github/workflows/verify-rhel-official-hardened-ec2.yml index 0b35c4c0..38984df8 100644 --- a/.github/workflows/verify-rhel-official-hardened-ec2.yml +++ b/.github/workflows/verify-rhel-official-hardened-ec2.yml @@ -76,7 +76,7 @@ jobs: - name: Create our ${{ matrix.suite }} results summary if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} - uses: mitre/saf_action@v1.5.0 + uses: mitre/saf_action@v1.5.2 with: command_string: "view summary -j -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -o spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json" @@ -95,7 +95,7 @@ jobs: - name: Display our ${{ matrix.suite }} results summary if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} - uses: mitre/saf_action@v1.5.0 + uses: mitre/saf_action@v1.5.2 with: command_string: "view summary -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json" @@ -108,6 +108,6 @@ jobs: - name: Ensure the scan meets our ${{ matrix.suite }} results threshold if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} - uses: mitre/saf_action@v1.5.0 + uses: mitre/saf_action@v1.5.2 with: command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml"