Merge pull request #57 from anthcourtney/build

Fix issues 45, 48 and more testing related changes
anthcourtney · Apr 24, 2019 · 6ef299c · 6ef299c
2 parents 1e159f8 + eedad6b
commit 6ef299c
Show file tree

Hide file tree

Showing 6 changed files with 89 additions and 6 deletions.
diff --git a/Makefile b/Makefile
@@ -3,7 +3,7 @@ ANSIBLE_CONTAINER_PLAYBOOK_FILE = container.yml
 
 symlink-role:
 	@mkdir -p tests/roles 
-	@rsync -a . tests/roles/anthcourtney.cis-amazon-linux --exclude 'tests/' --exclude '.git'
+	@rsync -a . tests/roles/ansible-role-cis-amazon-linux --exclude 'tests/' --exclude '.git'
 
 test: symlink-role syntax test-ansible
 
@@ -19,6 +19,18 @@ test-ansible-2.7:
 test-ansible-travis:
 	cd tests && ansible-playbook -i localhost, $(ANSIBLE_TEST_PLAYBOOK_FILE)
 
+test-ansible-2.3.3:
+	cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.3.3"
+
+test-ansible-2.4.5:
+	cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.4.5"
+
+test-ansible-2.5.5:
+	cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.5.5"
+
+test-ansible-2.6:
+	cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.6"
+
 syntax:
 	cd tests && ansible-playbook --syntax-check -i localhost, $(ANSIBLE_TEST_PLAYBOOK_FILE)
 

diff --git a/tasks/level-1/5.4.4.yml b/tasks/level-1/5.4.4.yml
@@ -4,10 +4,7 @@
 # 5.4.4 Ensure default user umask is 027 or more restrictive
 
 - name: 5.4.4 - Ensure default user umask is 027 or more restrictive
-  lineinfile:
-    regexp: "^umask\\s+"
-    line: "umask {{ cis_umask_default }}"
-    dest: "{{ item }}"
+  shell: sed -i -e "s/umask 022/umask {{ cis_umask_default }}/g"  {{ item }}
   with_items: "{{ cis_umask_shell_files }}"
   tags:
     - level-1

diff --git a/tasks/level-2.yml b/tasks/level-2.yml
@@ -29,6 +29,8 @@
   when: "'4.1.1.3' not in cis_level_2_exclusions"
 - include: "level-2/4.1.2.yml"
   when: "'4.1.2' not in cis_level_2_exclusions"
+- include: "level-2/4.1.3.yml"
+  when: "'4.1.3' not in cis_level_2_exclusions"
 - include: "level-2/4.1.4.yml"
   when: "'4.1.4' not in cis_level_2_exclusions" 
 - include: "level-2/4.1.5.yml"

diff --git a/tasks/level-2/4.1.3.yml b/tasks/level-2/4.1.3.yml
@@ -0,0 +1,26 @@
+# Standards: 0.11
+---
+
+# 4.1.3 Ensure auditing for processes that start prior to auditd is enabled
+
+- name: 4.1.3 Ensure auditing for processes that start prior to auditd is enabled
+  shell: "grep '^\\s*kernel*audit=1' {{ cis_grub_bootloader_filename }}"
+  register: cis_4_1_3
+  ignore_errors: true
+  tags:
+    - "4.1.3"
+    - level-2
+    - section-4
+    - scored
+
+- name: 4.1.3 Inform user to make the required change
+  debug: 
+    msg:
+      - "*** ACTION REQUIRED ***"
+      - "Edit /boot/grub/menu.lst to include audit=1 on all kernel lines."
+  when: cis_4_1_3.rc > 0
+  tags:
+    - "4.1.3"
+    - level-2
+    - section-4
+    - scored
diff --git a/tests/Vagrantfile b/tests/Vagrantfile
@@ -0,0 +1,45 @@
+#####
+#
+# 1. First boot run "vagrant up" to download OS image and initial provisioning.
+# 2. It will fail to mount as OS need reboot. So run "vagrant reload --provision" to reboot the OS and force provisioning again.
+# 3. Run "vagrant ssh" to login to the system.
+# 4. Run below commands to install ansible and run tasks
+#    a) pip install --upgrade --user setuptools ansible ansible-review 
+#    b) cd /home/vagrant/ansible-role-cis-amazon-linux/tests && ansible-playbook -i localhost, playbook.yml
+#
+# Manual mount command: sudo mount -t vboxsf -o uid=500,gid=500 vagrant /vagrant
+
+
+Vagrant.configure("2") do |config|
+    #config.vm.provider "vmware_fusion"
+    #config.vm.provider "virtualbox"
+
+    config.vm.box = "mvbcoding/awslinux"
+
+    # config.vm.network :forwarded_port, guest: 22, host: 10022, auto_correct: true
+
+    config.vm.synced_folder "../", "/home/vagrant/ansible-role-cis-amazon-linux", create: true, group: "vagrant", owner: "vagrant"
+
+    config.vm.provider "virtualbox" do |v|
+        v.name = "AWSLinux"
+        v.cpus = 2
+        v.memory = 2048
+        # Limit host CPU usage to 50% max
+        v.customize ["modifyvm", :id, "--cpuexecutioncap", "50"]
+    end
+
+    config.vm.provision "shell", inline: <<-SCRIPT
+        echo I am provisioning...
+        whoami
+        
+        # make sure OS is up to date
+        sudo yum update -y
+        
+        # install pip and other required dependencies
+        sudo yum install python-pip libffi-devel -y
+
+        # upgrade pip
+        sudo pip install --upgrade pip
+    SCRIPT
+
+end
diff --git a/tests/container.yml b/tests/container.yml
@@ -33,7 +33,8 @@
 
     - name: Test playbook within docker container
       docker_container:
-        command: "/sbin/my_init -- ansible-playbook -i localhost, --e \"cis_level_1_exclusions=['3.2.8','5.3.4']\" playbook.yml"
+        #command: "/sbin/my_init -- ansible-playbook -i localhost, --e \"cis_level_1_exclusions=['3.2.8','5.3.4']\" playbook.yml"
+        command: "/sbin/my_init -- ansible-playbook -i localhost playbook.yml"
         detach: false
         image: "{{ docker_image_name }}"
         name: "{{ docker_container_name }}"