commit
72fd6f11bb
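--- a/.gitignore
+++ b/.gitignore
@@ -1,13 +1,3 @@
-README.pdf
-README.html
-shared_test_repo/
-test/integration
 .kitchen
-coverage
-Vagrantfile.erb
-
-Gemfile.lock
-Berksfile.lock
-
-ansible.cfg
 hosts
+Gemfile.lock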
@ -1,18 +1,28 @@
|
|||||||
---
|
---
|
||||||
driver:
|
driver:
|
||||||
name: vagrant
|
name: vagrant
|
||||||
|
driver_config:
|
||||||
|
http_proxy: <%= ENV['http_proxy'] || nil %>
|
||||||
|
https_proxy: <%= ENV['https_proxy'] || nil %>
|
||||||
|
vagrantfiles:
|
||||||
|
- kitchen_vagrant_block.rb
|
||||||
|
|
||||||
provisioner:
|
provisioner:
|
||||||
name: ansible_playbook
|
name: ansible_playbook
|
||||||
test_repo_uri: https://github.com/hardening-io/tests-ssh-hardening.git
|
|
||||||
hosts: all
|
hosts: all
|
||||||
require_ansible_repo: false
|
require_ansible_repo: false
|
||||||
require_ansible_omnibus: true
|
require_ansible_omnibus: true
|
||||||
require_chef_for_busser: false
|
require_chef_for_busser: false
|
||||||
require_ruby_for_busser: false
|
require_ruby_for_busser: false
|
||||||
ansible_verbose: true
|
ansible_verbose: true
|
||||||
roles_path: ../ansible-ssh-hardening/
|
roles_path: ../ansible-nginx-hardening/
|
||||||
|
requirements_path: requirements.yml
|
||||||
playbook: default.yml
|
playbook: default.yml
|
||||||
|
http_proxy: <%= ENV['http_proxy'] || nil %>
|
||||||
|
https_proxy: <%= ENV['https_proxy'] || nil %>
|
||||||
|
|
||||||
|
transport:
|
||||||
|
max_ssh_sessions: 5
|
||||||
|
|
||||||
platforms:
|
platforms:
|
||||||
- name: ubuntu-12.04
|
- name: ubuntu-12.04
|
||||||
@ -23,6 +33,10 @@ platforms:
|
|||||||
driver_config:
|
driver_config:
|
||||||
box: opscode-ubuntu-14.04
|
box: opscode-ubuntu-14.04
|
||||||
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box
|
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box
|
||||||
|
- name: ubuntu-16.04
|
||||||
|
driver_config:
|
||||||
|
box: opscode-ubuntu-16.04
|
||||||
|
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-16.04_chef-provisionerless.box
|
||||||
- name: centos-6.4
|
- name: centos-6.4
|
||||||
driver_config:
|
driver_config:
|
||||||
box: opscode-centos-6.4
|
box: opscode-centos-6.4
|
||||||
@ -31,6 +45,12 @@ platforms:
|
|||||||
driver_config:
|
driver_config:
|
||||||
box: opscode-centos-6.5
|
box: opscode-centos-6.5
|
||||||
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box
|
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box
|
||||||
|
- name: centos-6.8
|
||||||
|
driver_config:
|
||||||
|
box: bento/centos-6.8
|
||||||
|
- name: centos-7
|
||||||
|
driver_config:
|
||||||
|
box: bento/centos-7.2
|
||||||
- name: oracle-6.4
|
- name: oracle-6.4
|
||||||
driver_config:
|
driver_config:
|
||||||
box: oracle-6.4
|
box: oracle-6.4
|
||||||
@ -39,10 +59,9 @@ platforms:
|
|||||||
driver_config:
|
driver_config:
|
||||||
box: oracle-6.5
|
box: oracle-6.5
|
||||||
box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
|
box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
|
||||||
- name: debian-6
|
- name: oracle-7
|
||||||
driver_config:
|
driver_config:
|
||||||
box: debian-6
|
box: boxcutter/ol72
|
||||||
box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-6.0.10_chef-provisionerless.box
|
|
||||||
- name: debian-7
|
- name: debian-7
|
||||||
driver_config:
|
driver_config:
|
||||||
box: debian-7
|
box: debian-7
|
||||||
@ -56,10 +75,7 @@ verifier:
|
|||||||
name: inspec
|
name: inspec
|
||||||
sudo: true
|
sudo: true
|
||||||
inspec_tests:
|
inspec_tests:
|
||||||
- https://github.com/dev-sec/tests-ssh-hardening
|
- https://github.com/dev-sec/nginx-baseline/
|
||||||
|
|
||||||
suites:
|
suites:
|
||||||
- name: nginx-ansible_1.9
|
- name: nginx
|
||||||
provisioner:
|
|
||||||
ansible_version: 1.9.4
|
|
||||||
- name: nginx-ansible_latest
|
|
||||||
|
66
.kitchen.yml
66
.kitchen.yml
@ -2,6 +2,9 @@
|
|||||||
driver:
|
driver:
|
||||||
name: docker
|
name: docker
|
||||||
use_sudo: false
|
use_sudo: false
|
||||||
|
privileged: true
|
||||||
|
http_proxy: <%= ENV['http_proxy'] || nil %>
|
||||||
|
https_proxy: <%= ENV['https_proxy'] || nil %>
|
||||||
|
|
||||||
transport:
|
transport:
|
||||||
max_ssh_sessions: 5
|
max_ssh_sessions: 5
|
||||||
@ -10,51 +13,64 @@ provisioner:
|
|||||||
name: ansible_playbook
|
name: ansible_playbook
|
||||||
hosts: all
|
hosts: all
|
||||||
require_ansible_repo: false
|
require_ansible_repo: false
|
||||||
require_ansible_omnibus: true
|
|
||||||
require_chef_for_busser: false
|
require_chef_for_busser: false
|
||||||
require_ruby_for_busser: false
|
require_ruby_for_busser: false
|
||||||
ansible_verbose: true
|
ansible_verbose: true
|
||||||
ansible_diff: true
|
ansible_diff: true
|
||||||
requirements_path: requirements.yml
|
hosts: all
|
||||||
roles_path: ../ansible-nginx-hardening/
|
roles_path: ../ansible-nginx-hardening/
|
||||||
|
http_proxy: <%= ENV['http_proxy'] || nil %>
|
||||||
|
https_proxy: <%= ENV['https_proxy'] || nil %>
|
||||||
playbook: default.yml
|
playbook: default.yml
|
||||||
|
requirements_path: requirements.yml
|
||||||
|
|
||||||
platforms:
|
platforms:
|
||||||
- name: ubuntu-12.04
|
- name: centos6-ansible-latest
|
||||||
driver:
|
driver:
|
||||||
image: ubuntu:12.04
|
image: rndmh3ro/docker-centos6-ansible:latest
|
||||||
- name: ubuntu-14.04
|
platform: centos
|
||||||
|
- name: centos7-ansible-latest
|
||||||
driver:
|
driver:
|
||||||
image: ubuntu:14.04
|
image: rndmh3ro/docker-centos7-ansible:latest
|
||||||
- name: ubuntu-16.04
|
platform: centos
|
||||||
|
- name: oracle6-ansible-latest
|
||||||
driver:
|
driver:
|
||||||
image: ubuntu:16.04
|
image: rndmh3ro/docker-oracle6-ansible:latest
|
||||||
- name: centos-6.7
|
platform: centos
|
||||||
|
- name: oracle7-ansible-latest
|
||||||
driver:
|
driver:
|
||||||
image: centos:6.7
|
image: rndmh3ro/docker-oracle7-ansible:latest
|
||||||
- name: centos-6.8
|
platform: centos
|
||||||
|
- name: ubuntu1204-ansible-latest
|
||||||
driver:
|
driver:
|
||||||
image: centos:6.8
|
image: rndmh3ro/docker-ubuntu1204-ansible:latest
|
||||||
- name: centos-7
|
platform: ubuntu
|
||||||
|
- name: ubuntu1404-ansible-latest
|
||||||
driver:
|
driver:
|
||||||
image: centos:7
|
image: rndmh3ro/docker-ubuntu1404-ansible:latest
|
||||||
privileged: true
|
platform: ubuntu
|
||||||
run_command: /usr/sbin/init
|
- name: ubuntu1604-ansible-latest
|
||||||
- name: debian-7
|
|
||||||
driver:
|
driver:
|
||||||
image: debian:7
|
image: rndmh3ro/docker-ubuntu1604-ansible:latest
|
||||||
- name: debian-8
|
platform: ubuntu
|
||||||
|
- name: debian7-ansible-latest
|
||||||
driver:
|
driver:
|
||||||
image: debian:8
|
image: rndmh3ro/docker-debian7-ansible:latest
|
||||||
|
platform: debian
|
||||||
|
- name: debian8-ansible-latest
|
||||||
|
driver:
|
||||||
|
image: rndmh3ro/docker-debian8-ansible:latest
|
||||||
|
platform: debian
|
||||||
|
- name: debian9-ansible-latest
|
||||||
|
driver:
|
||||||
|
image: rndmh3ro/docker-debian9-ansible:latest
|
||||||
|
platform: debian
|
||||||
|
|
||||||
verifier:
|
verifier:
|
||||||
name: inspec
|
name: inspec
|
||||||
sudo: true
|
sudo: true
|
||||||
inspec_tests:
|
inspec_tests:
|
||||||
- https://github.com/dev-sec/tests-nginx-hardening
|
- https://github.com/dev-sec/nginx-baseline
|
||||||
|
|
||||||
suites:
|
suites:
|
||||||
- name: nginx-ansible_1.9
|
- name: nginx
|
||||||
provisioner:
|
|
||||||
ansible_version: 1.9.4
|
|
||||||
- name: nginx-ansible_latest
|
|
||||||
|
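Review bot: The provisioner map in the second hunk (`@ -10,51 +13,64`) ends up with `hosts: all` twice — the context line near the top of the hunk and the new line that replaces `requirements_path: requirements.yml`; YAML loaders such as Psych keep the last duplicate silently and yamllint reports it, so drop the second `hosts: all`. The first hunk also moves `privileged: true` into the top-level `driver` block, so every platform now runs as a privileged container, whereas before only `centos-7` (which also had `run_command: /usr/sbin/init`) did; if only the systemd-based images need it, keep it per-platform in their `driver` entries. `run_command` is dropped for centos-7 as well, which presumably relies on the default command of the new `rndmh3ro/*-ansible` images — worth confirming for the centos7/oracle7 images.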
74
.travis.yml
74
.travis.yml
@ -1,23 +1,65 @@
|
|||||||
---
|
---
|
||||||
notifications:
|
services: docker
|
||||||
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|
|
||||||
language: python
|
|
||||||
python: "2.7"
|
|
||||||
|
|
||||||
env:
|
env:
|
||||||
- ANSIBLE_VERSION=latest
|
- distro: centos6
|
||||||
- ANSIBLE_VERSION=1.9.4
|
version: latest
|
||||||
|
init: /sbin/init
|
||||||
|
|
||||||
|
- distro: centos7
|
||||||
|
init: /usr/lib/systemd/systemd
|
||||||
|
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||||
|
version: latest
|
||||||
|
|
||||||
|
- distro: oracle6
|
||||||
|
version: latest
|
||||||
|
init: /sbin/init
|
||||||
|
|
||||||
|
- distro: oracle7
|
||||||
|
init: /usr/lib/systemd/systemd
|
||||||
|
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||||
|
version: latest
|
||||||
|
|
||||||
|
- distro: ubuntu1604
|
||||||
|
version: latest
|
||||||
|
init: /lib/systemd/systemd
|
||||||
|
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||||
|
|
||||||
|
- distro: ubuntu1404
|
||||||
|
version: latest
|
||||||
|
init: /sbin/init
|
||||||
|
|
||||||
|
# - distro: debian7
|
||||||
|
# version: latest
|
||||||
|
# init: /sbin/init
|
||||||
|
|
||||||
|
- distro: debian8
|
||||||
|
version: latest
|
||||||
|
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||||
|
init: /sbin/init
|
||||||
|
|
||||||
|
- distro: debian9
|
||||||
|
version: latest
|
||||||
|
init: /lib/systemd/systemd
|
||||||
|
run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
|
||||||
|
|
||||||
before_install:
|
before_install:
|
||||||
- sudo apt-get update -qq
|
# Pull container
|
||||||
- sudo apt-get install -qq python-apt python-pycurl
|
- 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'
|
||||||
install:
|
|
||||||
- if [ "$ANSIBLE_VERSION" = "latest" ]; then pip install ansible; else pip install ansible==$ANSIBLE_VERSION; fi
|
|
||||||
- echo -e 'localhost ansible_connection=local' > spec/inventory
|
|
||||||
- echo -e '[defaults]\nroles_path = ../\nhostfile = ./spec/inventory' > ansible.cfg
|
|
||||||
|
|
||||||
script:
|
script:
|
||||||
- ansible-galaxy install -r requirements.yml
|
- container_id=$(mktemp)
|
||||||
- ansible-playbook --syntax-check spec/travis.yml
|
# Run container in detached state.
|
||||||
- ansible-playbook --sudo -v --diff spec/travis.yml
|
- 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-nginx-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
|
||||||
- ansible-playbook --sudo -v --diff spec/travis.yml --extra-vars "nginx_remove_default_site=false"
|
|
||||||
|
# Install ansible galaxy requirements
|
||||||
|
- 'docker exec "$(cat ${container_id})" ansible-galaxy install -r /etc/ansible/roles/ansible-nginx-hardening/requirements.yml -p /etc/ansible/roles/'
|
||||||
|
|
||||||
|
# Test role.
|
||||||
|
- 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-nginx-hardening/default.yml -vv'
|
||||||
|
|
||||||
|
# Verify role
|
||||||
|
- 'inspec exec https://github.com/dev-sec/nginx-baseline/ -t docker://$(cat ${container_id})'
|
||||||
|
|
||||||
|
notifications:
|
||||||
|
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|
||||||
|
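Review bot: Every input of the new `script` stage is a moving target: the containers are pulled as `rndmh3ro/docker-${distro}-ansible:${version}` with `version: latest` in each matrix entry, `inspec exec https://github.com/dev-sec/nginx-baseline/` runs whatever the profile's default branch currently holds, and `ansible-galaxy install -r .../requirements.yml` resolves at run time, so a green build cannot be reproduced later and a change in any of those upstream sources shows up as a failure (or a silent pass) in this role's CI. Pin the image tag (or digest), a tagged release of the baseline profile, and a `version:` for each entry in requirements.yml, and bump them deliberately. The `--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro` in `run_opts` is what the systemd `init` entries need, but it gives the container full access to the CI host's devices, and it is passed unquoted on purpose so it word-splits — fine as long as no single option ever contains a space. The container started by `docker run --detach` is never stopped; harmless on a throw-away Travis VM, but it belongs in an `after_script` if this ever runs on a persistent runner.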
23
Gemfile
23
Gemfile
@ -2,25 +2,6 @@
|
|||||||
|
|
||||||
source 'https://rubygems.org'
|
source 'https://rubygems.org'
|
||||||
|
|
||||||
if Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.2.2')
|
|
||||||
gem 'rack', '< 2.0'
|
|
||||||
gem 'ruby_dep', '< 1.4.0'
|
|
||||||
gem 'listen', '< 3.0.0'
|
|
||||||
end
|
|
||||||
|
|
||||||
group :test do
|
|
||||||
gem 'rake'
|
|
||||||
gem 'foodcritic', '~> 4.0'
|
|
||||||
gem 'thor-foodcritic'
|
|
||||||
gem 'coveralls', require: false
|
|
||||||
end
|
|
||||||
|
|
||||||
group :development do
|
|
||||||
gem 'guard'
|
|
||||||
gem 'guard-rspec'
|
|
||||||
gem 'guard-kitchen'
|
|
||||||
end
|
|
||||||
|
|
||||||
group :integration do
|
group :integration do
|
||||||
gem 'test-kitchen', '~> 1.0'
|
gem 'test-kitchen', '~> 1.0'
|
||||||
gem 'kitchen-ansible'
|
gem 'kitchen-ansible'
|
||||||
@ -32,10 +13,6 @@ group :integration do
|
|||||||
gem 'kitchen-docker'
|
gem 'kitchen-docker'
|
||||||
end
|
end
|
||||||
|
|
||||||
group :openstack do
|
|
||||||
gem 'kitchen-openstack'
|
|
||||||
end
|
|
||||||
|
|
||||||
group :tools do
|
group :tools do
|
||||||
gem 'github_changelog_generator', '~> 1'
|
gem 'github_changelog_generator', '~> 1'
|
||||||
end
|
end
|
||||||
|
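--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,14 @@
+# config file for ansible -- http://ansible.com/
+# ==============================================
+
+# nearly all parameters can be overridden in ansible-playbook
+# or with command line flags. ansible will read ANSIBLE_CONFIG,
+# ansible.cfg in the current working directory, .ansible.cfg in
+# the home directory or /etc/ansible/ansible.cfg, whichever it
+# finds first
+
+[defaults]
+ansible_managed = Ansible managed: {file} modified on %Y-%m-%d by {uid} on {host}
+
+role_path = /vagrant
+scp_if_ssh = True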
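--- /dev/null
+++ b/kitchen_vagrant_block.rb
@@ -0,0 +1,15 @@
+# This is a Vagrant block to allow proxy settings to be carried into Kitchen
+# You need this for all of yum/apt etc. to work!
+unless ENV['http_proxy'].empty? || Vagrant.has_plugin?("vagrant-proxyconf")
+raise "Missing required plugin 'vagrant-proxyconf' to support HTTP(S) proxies, run `vagrant plugin install vagrant-proxyconf`"
+end
+
+Vagrant.configure(2) do |config|
+config.proxy.http = "#{ENV['http_proxy']}"
+config.proxy.https = "#{ENV['https_proxy']}"
+config.proxy.no_proxy = "localhost,127.0.0.1"
+
+# You may have vagrant-vbguest plugin installed to keep your images up to date
+# - but will probably have VBoxAddition build issues with the foreign boxes listed in .kitchen.vagrant.yml
+config.vbguest.auto_update = false
+end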