Merge pull request #402 from ansible-lockdown/devel

* Issue #397 updated thanks to danbarr

* Issue #398 updated thanks to danbarr

* STIG Benchmark version 3 release 6 updates

* added UID facts

* added tags to uid facts

* added auditd handlers

* auditd now template

* added collections requirements

* Issue #400 updated thanks to danbarr

* added missing deps

* tidyup layout

* updated workflows

* updates to pipelines

* added tag to audit

* updated tags

* updated README layout and added join us

* updated Discord reference in README

* updated pipeline info in README

Signed-off-by: George Nalen <[email protected]>

Author: georgenalen

.github/workflows/OS.tfvars

@@ -0,0 +1,9 @@
+#Ami  centos 7.11
+ami_id        = "ami-00e87074e52e6c9f9"
+ami_os        = "centos7"
+ami_username  = "centos"
+ami_user_home = "/home/centos"
+instance_tags = {
+  Name        = "RHEL7-STIG"
+  Environment = "lockdown_github_repo_workflow"
+}

.github/workflows/communitytodevel.yml

@@ -0,0 +1,11 @@
+resource "aws_vpc" "Main" {
+  cidr_block = var.main_vpc_cidr
+  tags = var.instance_tags
+}
+
+resource "aws_internet_gateway" "IGW" {
+  vpc_id = aws_vpc.Main.id
+  tags = {
+    Name      = "${var.namespace}-IGW"
+  }
+}

.github/workflows/develtomain.yml

@@ -0,0 +1,12 @@
+// github_actions variables
+// Resourced in github_networks.tf
+// Declared in variables.tf
+// 
+
+namespace         = "github_actions"
+
+// Matching pair name found in AWS for keypairs PEM key
+ami_key_pair_name = "github_actions"
+main_vpc_cidr     = "172.22.0.0/24"
+public_subnets    = "172.22.0.128/26"
+private_subnets   = "172.22.0.192/26"

.github/workflows/github_networks.tf

@@ -0,0 +1,120 @@
+# This is a basic workflow to help you get started with Actions
+
+name: linux_benchmark_pipeline
+
+# Controls when the action will run.
+# Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+    branches:
+      - devel
+      - main
+    paths:
+      - '**.yml'
+      - '**.sh'
+      - '**.j2'
+      - '**.ps1'
+      - '**.cfg'
+
+# A workflow run is made up of one or more jobs
+# that can run sequentially or in parallel
+jobs:
+  # This will create messages for first time contributers and direct them to the Discord server
+  welcome:
+      runs-on: ubuntu-latest
+
+      steps:
+          - uses: actions/[email protected]
+            with:
+                repo-token: ${{ secrets.GITHUB_TOKEN }}
+                pr-message: |-
+                  Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! 
+                  Please join in the conversation happening on the [Discord Server](https://discord.gg/JFxpSgPFEJ) as well.
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    env: 
+      ENABLE_DEBUG: false
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, 
+      # so your job can access it
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Add_ssh_key
+        working-directory: .github/workflows
+        env:
+          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+          PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
+        run: |
+          mkdir .ssh
+          chmod 700 .ssh
+          echo $PRIVATE_KEY > .ssh/github_actions.pem
+          chmod 600 .ssh/github_actions.pem
+
+### Build out the server
+      - name: Terraform_Init
+        working-directory: .github/workflows
+        run: terraform init
+
+      - name: Terraform_Validate
+        working-directory: .github/workflows
+        run: terraform validate
+
+      - name: Terraform_Apply
+        working-directory: .github/workflows
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
+
+## Debug Section
+      - name: DEBUG - Show Ansible hostfile
+        if: env.ENABLE_DEBUG == 'true'
+        working-directory: .github/workflows
+        run: cat hosts.yml
+
+# Centos 7 images take a while to come up insert sleep or playbook fails
+
+      - name: Check if test os is rhel7
+        working-directory: .github/workflows
+        id: test_os
+        run: >-
+          echo "::set-output name=RHEL7::$(
+          grep -c RHEL7 OS.tfvars
+          )"
+
+      - name: if RHEL7 - Sleep for 60 seconds
+        if: steps.test_os.outputs.RHEL7 >= 1
+        run: sleep 60s
+        shell: bash
+
+# Run the ansible playbook
+      - name: Run_Ansible_Playbook
+        uses: arillso/action.playbook@master
+        with:
+          playbook: site.yml
+          inventory: .github/workflows/hosts.yml
+          galaxy_file: collections/requirements.yml
+          private_key: ${{ secrets.SSH_PRV_KEY }}
+#          verbose: 3
+        env:
+          ANSIBLE_HOST_KEY_CHECKING: "false"
+          ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+# Remove test system - User secrets to keep if necessary
+
+      - name: Terraform_Destroy
+        working-directory: .github/workflows
+        if: always() && env.ENABLE_DEBUG == 'false'
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false

.github/workflows/github_vars.tfvars

@@ -0,0 +1,83 @@
+provider "aws" {
+  profile = ""
+  region  = var.aws_region
+}
+
+// Create a security group with access to port 22 and port 80 open to serve HTTP traffic
+
+data "aws_vpc" "default" {
+  default = true
+}
+
+resource "random_id" "server" {
+  keepers = {
+    # Generate a new id each time we switch to a new AMI id
+    ami_id = "${var.ami_id}"
+  }
+
+  byte_length = 8
+}
+
+resource "aws_security_group" "github_actions" {
+  name   = "${var.namespace}-${random_id.server.hex}"
+  vpc_id = data.aws_vpc.default.id
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = {
+    Name = "${var.namespace}-SG"
+ }
+}
+
+// instance setup
+
+resource "aws_instance" "testing_vm" {
+  ami                         = var.ami_id
+  associate_public_ip_address = true
+  key_name                    = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs
+  instance_type               = var.instance_type
+  tags                        = var.instance_tags
+  vpc_security_group_ids      = [aws_security_group.github_actions.id]
+  root_block_device {
+        delete_on_termination = true
+  }
+}
+
+// generate inventory file
+resource "local_file" "inventory" {
+  filename = "./hosts.yml"
+  directory_permission = "0755"
+  file_permission      = "0644"
+  content  = <<EOF
+    # benchmark host
+    all:
+      hosts:
+        ${var.ami_os}:
+          ansible_host: ${aws_instance.testing_vm.public_ip}
+          ansible_user: ${var.ami_username}
+      vars:
+        setup_audit: true
+        run_audit: true
+        system_is_ec2: true
+        audit_git_version: devel
+    EOF
+}
+

.github/workflows/linux_benchmark_testing.yml

@@ -0,0 +1,5 @@
+// vars should be loaded by OSname.tfvars
+aws_region    = "us-east-1"
+ami_os        = var.ami_os
+ami_username  = var.ami_username
+instance_tags = var.instance_tags

.github/workflows/main.tf

@@ -0,0 +1,6 @@
+RHEL7=$(grep -c RHEL7 OS.tfvars)
+if [ `echo $?` != 0 ]; then
+   exit 0
+fi
+    
+  

.github/workflows/terraform.tfvars

@@ -0,0 +1,65 @@
+// Taken from the OSname.tfvars
+
+variable "aws_region" {
+  description = "AWS region"
+  default     = "us-east-1"
+  type        = string
+}
+
+variable "instance_type" {
+  description = "EC2 Instance Type"
+  default     = "t3.micro"
+  type        = string
+}
+
+variable "instance_tags" {
+  description = "Tags to set for instances"
+  type        = map(string)
+}
+
+variable "ami_key_pair_name" {
+  description = "Name of key pair in AWS thats used"
+  type        = string
+}
+
+variable "ami_os" {
+  description = "AMI OS Type"
+  type        = string
+}
+
+variable "ami_id" {
+  description = "AMI ID reference"
+  type = string
+}
+
+variable "ami_username" {
+  description = "Username for the ami id"
+  type        = string
+}
+
+variable "ami_user_home" {
+  description = "home dir for the username"
+  type        = string
+}
+
+variable "namespace" {
+  description = "Name used across all tags"
+  type        = string
+}
+
+// taken from github_vars.tfvars &
+
+variable "main_vpc_cidr" {
+  description = "Private cidr block to be used for vpc"
+  type        = string
+}
+
+variable "public_subnets" {
+  description = "public subnet cidr block"
+  type        = string
+}
+
+variable "private_subnets" {
+  description = "private subnet cidr block"
+  type        = string
+}