-
Notifications
You must be signed in to change notification settings - Fork 66
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #97 from ansible-lockdown/devel
devel -> main cis 2.0.1
- Loading branch information
Showing
122 changed files
with
5,610 additions
and
4,274 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
[] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,119 @@ | ||
{ | ||
"version": "1.4.0", | ||
"plugins_used": [ | ||
{ | ||
"name": "ArtifactoryDetector" | ||
}, | ||
{ | ||
"name": "AWSKeyDetector" | ||
}, | ||
{ | ||
"name": "AzureStorageKeyDetector" | ||
}, | ||
{ | ||
"name": "Base64HighEntropyString", | ||
"limit": 4.5 | ||
}, | ||
{ | ||
"name": "BasicAuthDetector" | ||
}, | ||
{ | ||
"name": "CloudantDetector" | ||
}, | ||
{ | ||
"name": "DiscordBotTokenDetector" | ||
}, | ||
{ | ||
"name": "GitHubTokenDetector" | ||
}, | ||
{ | ||
"name": "HexHighEntropyString", | ||
"limit": 3.0 | ||
}, | ||
{ | ||
"name": "IbmCloudIamDetector" | ||
}, | ||
{ | ||
"name": "IbmCosHmacDetector" | ||
}, | ||
{ | ||
"name": "JwtTokenDetector" | ||
}, | ||
{ | ||
"name": "KeywordDetector", | ||
"keyword_exclude": "" | ||
}, | ||
{ | ||
"name": "MailchimpDetector" | ||
}, | ||
{ | ||
"name": "NpmDetector" | ||
}, | ||
{ | ||
"name": "PrivateKeyDetector" | ||
}, | ||
{ | ||
"name": "SendGridDetector" | ||
}, | ||
{ | ||
"name": "SlackDetector" | ||
}, | ||
{ | ||
"name": "SoftlayerDetector" | ||
}, | ||
{ | ||
"name": "SquareOAuthDetector" | ||
}, | ||
{ | ||
"name": "StripeDetector" | ||
}, | ||
{ | ||
"name": "TwilioKeyDetector" | ||
} | ||
], | ||
"filters_used": [ | ||
{ | ||
"path": "detect_secrets.filters.allowlist.is_line_allowlisted" | ||
}, | ||
{ | ||
"path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", | ||
"min_level": 2 | ||
}, | ||
{ | ||
"path": "detect_secrets.filters.heuristic.is_indirect_reference" | ||
}, | ||
{ | ||
"path": "detect_secrets.filters.heuristic.is_likely_id_string" | ||
}, | ||
{ | ||
"path": "detect_secrets.filters.heuristic.is_lock_file" | ||
}, | ||
{ | ||
"path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" | ||
}, | ||
{ | ||
"path": "detect_secrets.filters.heuristic.is_potential_uuid" | ||
}, | ||
{ | ||
"path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" | ||
}, | ||
{ | ||
"path": "detect_secrets.filters.heuristic.is_sequential_string" | ||
}, | ||
{ | ||
"path": "detect_secrets.filters.heuristic.is_swagger_file" | ||
}, | ||
{ | ||
"path": "detect_secrets.filters.heuristic.is_templated_secret" | ||
}, | ||
{ | ||
"path": "detect_secrets.filters.regex.should_exclude_file", | ||
"pattern": [ | ||
".config/.gitleaks-report.json", | ||
"tasks/parse_etc_password.yml" | ||
] | ||
} | ||
], | ||
"results": {}, | ||
"generated_at": "2023-09-19T12:32:59Z" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
# https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github | ||
# Default behaviour | ||
* text=auto | ||
|
||
# https://docs.github.com/en/get-started/getting-started-with-git/configuring-git-to-handle-line-endings | ||
# Ensure to read artcile prior to adding | ||
# Scripts should have Unix endings | ||
*.py text eol=lf | ||
*.sh text eol=lf | ||
|
||
# Windows Batch or PowerShell scripts should have CRLF endings | ||
*.bat text eol=crlf | ||
*.ps1 text eol=crlf | ||
|
||
# adding github settings to show correct language | ||
*.sh linguist-detectable=true | ||
*.yml linguist-detectable=true | ||
*.ps1 linguist-detectable=true | ||
*.j2 linguist-detectable=true | ||
*.md linguist-documentation |
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,138 @@ | ||
--- | ||
|
||
name: Devel pipeline | ||
|
||
on: # yamllint disable-line rule:truthy | ||
pull_request_target: | ||
types: [opened, reopened, synchronize] | ||
branches: | ||
- devel | ||
paths: | ||
- '**.yml' | ||
- '**.sh' | ||
- '**.j2' | ||
- '**.ps1' | ||
- '**.cfg' | ||
|
||
# A workflow run is made up of one or more jobs | ||
# that can run sequentially or in parallel | ||
jobs: | ||
# This will create messages for first time contributers and direct them to the Discord server | ||
welcome: | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- uses: actions/first-interaction@main | ||
with: | ||
repo-token: ${{ secrets.GITHUB_TOKEN }} | ||
pr-message: |- | ||
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! | ||
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. | ||
# This workflow contains a single job which tests the playbook | ||
playbook-test: | ||
# The type of runner that the job will run on | ||
runs-on: ubuntu-latest | ||
env: | ||
ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} | ||
# Imported as a variable by terraform | ||
TF_VAR_repository: ${{ github.event.repository.name }} | ||
defaults: | ||
run: | ||
shell: bash | ||
working-directory: .github/workflows/github_linux_IaC | ||
|
||
steps: | ||
- name: Clone ${{ github.event.repository.name }} | ||
uses: actions/checkout@v3 | ||
with: | ||
ref: ${{ github.event.pull_request.head.sha }} | ||
|
||
# Pull in terraform code for linux servers | ||
- name: Clone github IaC plan | ||
uses: actions/checkout@v3 | ||
with: | ||
repository: ansible-lockdown/github_linux_IaC | ||
path: .github/workflows/github_linux_IaC | ||
|
||
- name: Add_ssh_key | ||
working-directory: .github/workflows | ||
env: | ||
SSH_AUTH_SOCK: /tmp/ssh_agent.sock | ||
PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" | ||
run: | | ||
mkdir .ssh | ||
chmod 700 .ssh | ||
echo $PRIVATE_KEY > .ssh/github_actions.pem | ||
chmod 600 .ssh/github_actions.pem | ||
- name: DEBUG - Show IaC files | ||
if: env.ENABLE_DEBUG == 'true' | ||
run: | | ||
echo "OSVAR = $OSVAR" | ||
echo "benchmark_type = $benchmark_type" | ||
pwd | ||
ls | ||
env: | ||
# Imported from github variables this is used to load the relvent OS.tfvars file | ||
OSVAR: ${{ vars.OSVAR }} | ||
benchmark_type: ${{ vars.BENCHMARK_TYPE }} | ||
|
||
- name: Terraform_Init | ||
id: init | ||
run: terraform init | ||
env: | ||
# Imported from github variables this is used to load the relvent OS.tfvars file | ||
OSVAR: ${{ vars.OSVAR }} | ||
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} | ||
|
||
- name: Terraform_Validate | ||
id: validate | ||
run: terraform validate | ||
env: | ||
# Imported from github variables this is used to load the relvent OS.tfvars file | ||
OSVAR: ${{ vars.OSVAR }} | ||
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} | ||
|
||
- name: Terraform_Apply | ||
id: apply | ||
env: | ||
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
OSVAR: ${{ vars.OSVAR }} | ||
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} | ||
run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false | ||
|
||
## Debug Section | ||
- name: DEBUG - Show Ansible hostfile | ||
if: env.ENABLE_DEBUG == 'true' | ||
run: cat hosts.yml | ||
|
||
# Aws deployments taking a while to come up insert sleep or playbook fails | ||
|
||
- name: Sleep for 60 seconds | ||
run: sleep 60s | ||
|
||
# Run the ansible playbook | ||
- name: Run_Ansible_Playbook | ||
uses: arillso/action.playbook@master | ||
with: | ||
playbook: site.yml | ||
inventory: .github/workflows/github_linux_IaC/hosts.yml | ||
galaxy_file: collections/requirements.yml | ||
private_key: ${{ secrets.SSH_PRV_KEY }} | ||
# verbose: 3 | ||
env: | ||
ANSIBLE_HOST_KEY_CHECKING: "false" | ||
ANSIBLE_DEPRECATION_WARNINGS: "false" | ||
|
||
# Remove test system - User secrets to keep if necessary | ||
|
||
- name: Terraform_Destroy | ||
if: always() && env.ENABLE_DEBUG == 'false' | ||
env: | ||
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
OSVAR: ${{ vars.OSVAR }} | ||
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} | ||
run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false |
Oops, something went wrong.