Merge branch 'playbook-tests'

pyllyukko · Dec 17, 2024 · 757df97 · 757df97
2 parents a5b1b13 + d6c2ffa
commit 757df97
Show file tree

Hide file tree

Showing 9 changed files with 128 additions and 26 deletions.
diff --git a/.github/workflows/ansible-playbook.yml b/.github/workflows/ansible-playbook.yml
@@ -0,0 +1,103 @@
+name: ansible-playbook
+on: [push, pull_request]
+
+env:
+  ANSIBLE_FORCE_COLOR: '1'
+
+jobs:
+  banners:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Install Lynis
+        run: ansible-playbook -v harden.yml --tags lynis --skip-tags slackware,centos
+      - name: Run Ansible playbook for banners
+        run: ansible-playbook -v harden.yml --tags banners --extra-vars run_lynis_after_hardening=true
+      - name: chmod Lynis log
+        run: sudo chmod -c 644 /var/log/lynis.log
+      - name: Archive Lynis log
+        uses: actions/upload-artifact@v4
+        with:
+          name: lynis-banner.log
+          path: /var/log/lynis.log
+  authentication:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Install Lynis
+        run: ansible-playbook -v harden.yml --tags lynis --skip-tags slackware,centos
+      - name: Run Lynis (pre-harden)
+        run: sudo lynis audit system --skip-plugins --tests-from-group authentication
+      - name: Run Ansible playbook for passwords, pam & umask
+        run: ansible-playbook harden.yml --tags passwords,pam,umask --skip-tags slackware,centos
+      - name: Run Lynis
+        run: sudo lynis audit system --skip-plugins --tests-from-group authentication
+      - name: chmod Lynis log
+        run: sudo chmod -c 644 /var/log/lynis.log
+      - name: Archive Lynis log
+        uses: actions/upload-artifact@v4
+        with:
+          name: lynis-authentication.log
+          path: /var/log/lynis.log
+  accounting:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Install Lynis
+        run: ansible-playbook -v harden.yml --tags lynis --skip-tags slackware,centos
+      - name: Run Lynis (pre-harden)
+        run: sudo lynis audit system --skip-plugins --tests-from-group accounting
+      - name: Run Ansible playbook for accounting, audit & sysstat
+        run: ansible-playbook harden.yml --tags accounting,audit,sysstat --skip-tags slackware,centos
+      - name: Run Lynis
+        run: sudo lynis audit system --skip-plugins --tests-from-group accounting
+      - name: chmod Lynis log
+        run: sudo chmod -c 644 /var/log/lynis.log
+      - name: Archive Lynis log
+        uses: actions/upload-artifact@v4
+        with:
+          name: lynis-accounting.log
+          path: /var/log/lynis.log
+  scheduling:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Install Lynis
+        run: ansible-playbook -v harden.yml --tags lynis --skip-tags slackware,centos
+      - name: Run Lynis (pre-harden)
+        run: sudo lynis audit system --skip-plugins --tests-from-group scheduling
+      - name: Run Ansible playbook for cron
+        run: ansible-playbook harden.yml --tags cron --skip-tags slackware
+      - name: Run Lynis
+        run: sudo lynis audit system --skip-plugins --tests-from-group scheduling
+      - name: chmod Lynis log
+        run: sudo chmod -c 644 /var/log/lynis.log
+      - name: Archive Lynis log
+        uses: actions/upload-artifact@v4
+        with:
+          name: lynis-scheduling.log
+          path: /var/log/lynis.log
+  shells:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Install Lynis
+        run: ansible-playbook -v harden.yml --tags lynis --skip-tags slackware,centos
+      - name: Run Lynis (pre-harden)
+        run: sudo lynis audit system --skip-plugins --tests-from-group shells
+      - name: Run Ansible playbook for umask & shells
+        run: ansible-playbook harden.yml --tags umask,shells --skip-tags slackware
+      - name: Run Lynis
+        run: sudo lynis audit system --skip-plugins --tests-from-group shells
+      - name: chmod Lynis log
+        run: sudo chmod -c 644 /var/log/lynis.log
+      - name: Archive Lynis log
+        uses: actions/upload-artifact@v4
+        with:
+          name: lynis-shells.log
+          path: /var/log/lynis.log
diff --git a/harden.yml b/harden.yml
@@ -5,13 +5,14 @@
     - vars.yml
   tasks:
     # Bunch of checks first, so the playbook doesn't fail in the middle.
+    # Ubuntu is only for the GitHub Actions runner
     - name: Check OS version
       ansible.builtin.assert:
         that: >
           (ansible_distribution == "Slackware" and ansible_distribution_major_version | int >= 15) or
           (ansible_distribution == "Debian" and ansible_distribution_major_version | int >= 12) or
           (ansible_distribution == "CentOS" and ansible_distribution_major_version == "7") or
-          ansible_distribution == "Kali"
+          ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
         msg: "Unsupported operating system"
       tags: check
     - name: Sudo checks

diff --git a/tasks/audit.yml b/tasks/audit.yml
@@ -2,13 +2,12 @@
 # Some documentation available at https://github.com/pyllyukko/harden.sh/wiki/audit
 - name: Install auditing
   become: true
-  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Slackware" or ansible_os_family == "RedHat"
   block:
     - name: Install necessary software for auditing (Debian)
       ansible.builtin.apt:
         name: ['auditd', 'libcap-ng-utils', 'make']
         update_cache: true
-      when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+      when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
       tags:
         - packages
         - debian
@@ -178,7 +177,7 @@
       with_items:
         - audit=1
         - audit_backlog_limit=8192
-      when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_os_family == "RedHat"
+      when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_os_family == "RedHat" or ansible_distribution == "Ubuntu"
       tags: configuration
       notify: "Run update-grub"
       register: result

diff --git a/tasks/handlers.yml b/tasks/handlers.yml
@@ -30,7 +30,7 @@
   become: true
   async: 3600
   poll: 0
-  when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
   changed_when: true
 - name: Create aide.db (Slackware)
   ansible.builtin.command: /usr/bin/aide -i
@@ -58,7 +58,7 @@
   tags:
     - pam
     - configuration
-  when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
   changed_when: true
 # rc.sshd exits if /var/run/sshd.pid doesn't exist
 - name: Restart sshd (Slackware)

diff --git a/tasks/login_defs.yml b/tasks/login_defs.yml
@@ -118,7 +118,7 @@
     - configuration
     - debian
     - umask
-  when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
 # </profile.d>
 
 # Slackware Linux Benchmark v1.1 - 7.3 Create ftpusers Files
@@ -262,7 +262,7 @@
     regexp: '^({{ item.key }}=).*$'
     replace: '\g<1>{{ item.value }}'
     validate: '/bin/grep "^{{ item.key }}={{ item.value }}$" %s'
-  when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
   tags:
     - configuration
     - debian
@@ -332,7 +332,7 @@
     - name: Debian specific groups
       become: true
       tags: debian
-      when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+      when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
       block:
         - name: Remove all users from group "lpadmin"
           ansible.builtin.command: gpasswd -d {{ item }} lpadmin

diff --git a/tasks/lynis.yml b/tasks/lynis.yml
@@ -5,7 +5,7 @@
     - packages
     - lynis
     - debian
-  when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
   block:
     - name: Install apt-transport-https & gnupg2
       ansible.builtin.apt:

diff --git a/tasks/pam.yml b/tasks/pam.yml
@@ -111,7 +111,6 @@
 # http://linux-pam.org/Linux-PAM-html/sag-security-issues-other.html
 # https://tldp.org/HOWTO/User-Authentication-HOWTO/x263.html#AEN266
 - name: /etc/pam.d/other
-  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_os_family == "RedHat" or ansible_distribution == "Slackware"
   become: true
   block:
     - name: Create secure default /etc/pam.d/other
@@ -173,7 +172,7 @@
 # AUTH-9408
 - name: faillock
   become: true
-  when: ansible_distribution == "Slackware" or ansible_distribution == "Debian" or ansible_distribution == "Kali"
+  when: ansible_os_family != "RedHat"
   tags:
     - pam
     - authorization
@@ -196,7 +195,7 @@
     # pam-auth-update as long as there are no failed logins recorded in
     # /var/run/faillock/
     - name: Insert "auth required pam_faillock.so preauth" into /etc/pam.d/common-auth
-      when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+      when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
       tags:
         - configuration
         - debian
@@ -258,7 +257,7 @@
     - pam
     - passwords
     - debian
-  when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
   ansible.builtin.replace:
     path: '{{ item }}'
     regexp: '\s+nullok(_secure)?'
@@ -271,7 +270,7 @@
 # https://wiki.debian.org/WHEEL/PAM
 # This is not enabled in Slackware because it has a separate "Deny use of su" task
 - name: Enable pam_wheel.so in /etc/pam.d/su
-  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_os_family == "RedHat"
+  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_os_family == "RedHat" or ansible_distribution == "Ubuntu"
   become: true
   ansible.builtin.replace:
     path: /etc/pam.d/su
@@ -320,7 +319,7 @@
 
 # https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19
 - name: Debian pam-configs
-  when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
   become: true
   tags:
     - configuration
@@ -396,7 +395,7 @@
     - passwords
   block:
     - name: Install passwdqc (Debian)
-      when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+      when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
       ansible.builtin.apt:
         name: libpam-passwdqc
         update_cache: true
@@ -416,7 +415,7 @@
         - packages
     # https://github.com/linux-pam/linux-pam/issues/352
     - name: Add rounds={{ crypt_rounds }} to pam_unix in /etc/pam.d/common-password
-      when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+      when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
       tags: debian
       ansible.builtin.replace:
         path: /etc/pam.d/common-password

diff --git a/tasks/services-accounting.yml b/tasks/services-accounting.yml
@@ -7,7 +7,7 @@
   block:
     - name: Install sysstat
       become: true
-      when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+      when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
       ansible.builtin.apt:
         name: sysstat
         update_cache: true
@@ -17,7 +17,7 @@
         - debian
     - name: Enable system accounting in /etc/default/sysstat
       become: true
-      when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+      when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
       ansible.builtin.replace:
         path: /etc/default/sysstat
         regexp: '^ENABLED=.*$'
@@ -29,7 +29,7 @@
         - debian
     - name: Enable system accounting systemd service
       become: true
-      when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+      when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
       ansible.builtin.service:
         name: sysstat
         state: started
@@ -110,7 +110,7 @@
 # Process accounting
 - name: Install acct
   become: true
-  when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
   ansible.builtin.apt:
     name: acct
     update_cache: true
@@ -121,7 +121,7 @@
     - debian
 - name: Enable acct
   become: true
-  when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
   ansible.builtin.systemd:
     name: acct
     state: started
@@ -189,7 +189,7 @@
     - accounting
     - configuration
     - debian
-  when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
   notify: Run systemctl daemon-reload
   community.general.ini_file:
     path: /lib/systemd/system/{{ item }}.service

diff --git a/tasks/services.yml b/tasks/services.yml
@@ -50,7 +50,7 @@
 # CIS Debian Linux 10 Benchmark v1.0.0 - 5.1.8 Ensure at/cron is restricted to authorized users
 - name: Debian cron
   become: true
-  when: ansible_distribution == "Debian" or ansible_distribution == "Kali"
+  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Ubuntu"
   tags:
     - services
     - configuration
@@ -72,7 +72,7 @@
 
 - name: Create empty /etc/at.allow (whitelist) and remove /etc/at.deny (blacklist)
   become: true
-  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Slackware"
+  when: ansible_distribution == "Debian" or ansible_distribution == "Kali" or ansible_distribution == "Slackware" or ansible_distribution == "Ubuntu"
   tags:
     - services
     - configuration