Skip to content

awk_sandboxing.sh: Check that awk exists #180

awk_sandboxing.sh: Check that awk exists

awk_sandboxing.sh: Check that awk exists #180

name: ansible-playbook
on: [push, pull_request]
env:
ANSIBLE_FORCE_COLOR: '1'
jobs:
# Performing test ID BANN-7126 (Check issue banner file contents)
# Test: Checking file /etc/issue contents for legal key words
# Result: found string 'authori'
# Result: found string 'monitor'
# Result: found string 'report'
# Result: Found only 3 key words (5 or more suggested), to warn unauthorized users and could be increased
# Suggestion: Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126] [details:-] [solution:-]
# Hardening: assigned partial number of hardening points (0 of 1). Currently having 0 points (out of 1)
#
# Performing test ID BANN-7130 (Check issue.net banner file contents)
# Test: Checking file /etc/issue.net contents for legal key words
# Result: found string 'authori'
# Result: found string 'monitor'
# Result: found string 'report'
# Result: Found only 3 key words, to warn unauthorized users and could be increased
# Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130] [details:-] [solution:-]
# Hardening: assigned partial number of hardening points (0 of 1). Currently having 0 points (out of 2)
banners:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install Lynis
run: |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
- name: Run Ansible playbook for banners
run: ansible-playbook -v harden.yml --tags banners --extra-vars run_lynis_after_hardening=true
- name: chmod Lynis log
run: sudo chmod -c 644 /var/log/lynis.log
- name: Archive Lynis log
uses: actions/upload-artifact@v4
with:
name: lynis-banner.log
path: /var/log/lynis.log
authentication:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install Lynis
run: |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
- name: Run Lynis (pre-harden)
run: sudo lynis audit system --skip-plugins --tests-from-group authentication
- name: Run Ansible playbook for passwords, pam & umask
run: ansible-playbook harden.yml --tags passwords,pam,umask,accounts --skip-tags slackware,centos
- name: Run Lynis
run: sudo lynis audit system --skip-plugins --tests-from-group authentication
- name: chmod Lynis log
run: sudo chmod -c 644 /var/log/lynis.log
- name: Archive Lynis log
uses: actions/upload-artifact@v4
with:
name: authentication
# We can't use common-* here because "Error: The path for one of the files in artifact is not valid: etc/pam.d/common-auth.10050.2024-12-18@17:28:53~. Contains the following character: Colon :"
path: |
/var/log/lynis.log
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session
# 2025-01-08 20:44:29 Performing test ID AUTH-9229 (Check password hashing methods)
# 2025-01-08 20:44:29 Test: Checking password hashing methods
# 2025-01-08 20:44:29 Result: poor password hashing methods found: sha256crypt/sha512crypt(default=5000rounds)
# 2025-01-08 20:44:29 Suggestion: Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [test:AUTH-9229] [details:-] [solution:-]
# 2025-01-08 20:44:29 Hardening: assigned partial number of hardening points (0 of 2). Currently having 2 points (out of 4)
- name: Check Lynis score
run: sudo bash tests/check_lynis_score.sh 93
accounting:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install Lynis
run: |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
- name: Run Lynis (pre-harden)
run: sudo lynis audit system --skip-plugins --tests-from-group accounting
- name: Run Ansible playbook for accounting, audit & sysstat
run: ansible-playbook harden.yml --tags accounting,audit,sysstat --skip-tags slackware,centos
- name: Run Lynis
run: sudo lynis audit system --skip-plugins --tests-from-group accounting
- name: chmod Lynis log
run: sudo chmod -c 644 /var/log/lynis.log
- name: Archive Lynis log
uses: actions/upload-artifact@v4
with:
name: lynis-accounting.log
path: /var/log/lynis.log
- name: Check Lynis score
run: sudo bash tests/check_lynis_score.sh 100
# The only test that would be (positively) scored in this category is SCHD-7720,
# but that test is skipped if/when atd is not running.
scheduling:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install Lynis
run: |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
- name: Run Lynis (pre-harden)
run: sudo lynis audit system --skip-plugins --tests-from-group scheduling
- name: Run Ansible playbook for cron
run: ansible-playbook harden.yml --tags cron --skip-tags slackware
- name: Run Lynis
run: sudo lynis audit system --skip-plugins --tests-from-group scheduling
- name: chmod Lynis log
run: sudo chmod -c 644 /var/log/lynis.log
- name: Archive Lynis log
uses: actions/upload-artifact@v4
with:
name: lynis-scheduling.log
path: /var/log/lynis.log
shells:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install Lynis
run: |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
- name: Run Lynis (pre-harden)
run: sudo lynis audit system --skip-plugins --tests-from-group shells
- name: Run Ansible playbook for umask & shells
run: ansible-playbook harden.yml --tags umask,shells --skip-tags slackware
- name: Run Lynis
run: sudo lynis audit system --skip-plugins --tests-from-group shells
- name: chmod Lynis log
run: sudo chmod -c 644 /var/log/lynis.log
- name: Archive Lynis log
uses: actions/upload-artifact@v4
with:
name: lynis-shells.log
path: /var/log/lynis.log
- name: Check Lynis score
run: sudo bash tests/check_lynis_score.sh 100
malware:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install Lynis
run: |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
- name: Run Lynis (pre-harden)
run: sudo lynis audit system --skip-plugins --tests-from-group malware
- name: Install jmespath
run: sudo pipx inject ansible-core jmespath
- name: Run Ansible playbook for clamav, rkhunter & chkrootkit
run: ansible-playbook harden.yml --tags clamav,rkhunter,chkrootkit --skip-tags slackware,yara
- name: Run Lynis
run: sudo lynis audit system --skip-plugins --tests-from-group malware
- name: chmod Lynis log
run: sudo chmod -c 644 /var/log/lynis.log
- name: Archive Lynis log
uses: actions/upload-artifact@v4
with:
name: lynis-malware.log
path: /var/log/lynis.log
# MALW-3280
# 2025-01-08 21:22:22 Result: no commercial anti-virus tools found
# 2025-01-08 21:22:22 Hardening: assigned partial number of hardening points (0 of 3). Currently having 4 points (out of 7)
- name: Check Lynis score
run: sudo bash tests/check_lynis_score.sh 66
mac_frameworks:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install Lynis
run: |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
- name: Run Lynis (pre-harden)
run: sudo lynis audit system --skip-plugins --tests-from-group mac_frameworks
- name: Run Ansible playbook for apparmor
run: ansible-playbook harden.yml --tags apparmor
- name: Run Lynis
run: sudo lynis audit system --skip-plugins --tests-from-group mac_frameworks
- name: chmod Lynis log
run: sudo chmod -c 644 /var/log/lynis.log
- name: Archive Lynis log
uses: actions/upload-artifact@v4
with:
name: lynis-mac_frameworks.log
path: /var/log/lynis.log
- name: Check Lynis score
run: sudo bash tests/check_lynis_score.sh 100
# Not scored
file_permissions:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install Lynis
run: |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
- name: Run Lynis (pre-harden)
run: sudo lynis audit system --skip-plugins --tests-from-group file_permissions
- name: Run Ansible playbook for cron & permissions
run: ansible-playbook harden.yml --tags cron,permissions --skip-tags slackware
- name: Run Lynis
run: sudo lynis audit system --skip-plugins --tests-from-group file_permissions
- name: chmod Lynis log
run: sudo chmod -c 644 /var/log/lynis.log
- name: Archive Lynis log
uses: actions/upload-artifact@v4
with:
name: lynis-file_permissions.log
path: /var/log/lynis.log
# Not scored
homedirs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install Lynis
run: |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
- name: Run Lynis (pre-harden)
run: sudo lynis audit system --skip-plugins --tests-from-group homedirs
- name: Run Ansible playbook for permissions
run: ansible-playbook harden.yml --tags permissions --skip-tags slackware
- name: Run Lynis
run: sudo lynis audit system --skip-plugins --tests-from-group homedirs
- name: chmod Lynis log
run: sudo chmod -c 644 /var/log/lynis.log
- name: Archive Lynis log
uses: actions/upload-artifact@v4
with:
name: lynis-homedirs.log
path: /var/log/lynis.log
kernel_hardening:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install Lynis
run: |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
- name: Run Lynis (pre-harden)
run: sudo lynis audit system --skip-plugins --tests-from-group kernel_hardening
- name: Run Ansible playbook for kernel
run: ansible-playbook harden.yml --tags kernel
- name: Run Lynis
run: sudo lynis audit system --skip-plugins --tests-from-group kernel_hardening
- name: chmod Lynis log
run: sudo chmod -c 644 /var/log/lynis.log
- name: Archive Lynis log
uses: actions/upload-artifact@v4
with:
name: lynis-kernel_hardening.log
path: /var/log/lynis.log
- name: Check Lynis score
run: sudo bash tests/check_lynis_score.sh 94
file_integrity:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install Lynis
run: |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
- name: Run Lynis (pre-harden)
run: sudo lynis audit system --skip-plugins --tests-from-group file_integrity
- name: Run Ansible playbook for aide
run: ansible-playbook harden.yml --tags aide
- name: Run Lynis
run: sudo lynis audit system --skip-plugins --tests-from-group file_integrity
- name: chmod Lynis log
run: sudo chmod -c 644 /var/log/lynis.log
- name: Archive Lynis log
uses: actions/upload-artifact@v4
with:
name: lynis-file_integrity.log
path: /var/log/lynis.log
- name: Check Lynis score
run: sudo bash tests/check_lynis_score.sh 100
storage:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install Lynis
run: |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
- name: Run Lynis (pre-harden)
run: sudo lynis audit system --skip-plugins --tests-from-group storage
- name: Run Ansible playbook for kernel
run: ansible-playbook harden.yml --tags kernel
- name: Run Lynis
run: sudo lynis audit system --skip-plugins --tests-from-group storage
- name: chmod Lynis log
run: sudo chmod -c 644 /var/log/lynis.log
- name: Archive Lynis log
uses: actions/upload-artifact@v4
with:
name: lynis-storage.log
path: /var/log/lynis.log
- name: Check Lynis score
run: sudo bash tests/check_lynis_score.sh 100
#firewalls:
# runs-on: ubuntu-latest
# steps:
# - name: Checkout
# uses: actions/checkout@v3
# - name: Install Lynis
# run: |
# ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
# echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
# - name: Run Lynis (pre-harden)
# run: sudo lynis audit system --skip-plugins --tests-from-group firewalls
# - name: Run Ansible playbook for network
# run: ansible-playbook harden.yml --tags firewall --skip-tags slackware
# - name: Run Lynis
# run: sudo lynis audit system --skip-plugins --tests-from-group firewalls
# - name: chmod Lynis log
# run: sudo chmod -c 644 /var/log/lynis.log
# - name: Archive Lynis log
# uses: actions/upload-artifact@v4
# with:
# name: lynis-firewalls.log
# path: /var/log/lynis.log
#almost-whole-playbook:
# runs-on: ubuntu-latest
# steps:
# - name: Checkout
# uses: actions/checkout@v3
# - name: Install Lynis
# run: |
# ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
# echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
# - name: Run Lynis (pre-harden)
# run: sudo lynis audit system --skip-plugins
# - name: Run Ansible playbook
# run: ansible-playbook harden.yml --skip-tags slackware,centos,lynis,firewall,yara,sudo
# - name: Run Lynis
# run: sudo lynis audit system --skip-plugins
# - name: chmod Lynis log
# run: sudo chmod -c 644 /var/log/lynis.log
# - name: Archive Lynis log
# uses: actions/upload-artifact@v4
# with:
# name: lynis.log
# path: /var/log/lynis.log
ssh:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Install Lynis
run: |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
- name: Run Lynis (pre-harden)
run: sudo lynis audit system --skip-plugins --tests-from-group ssh
- name: Run Ansible playbook for SSH
run: ansible-playbook harden.yml --tags ssh
- name: Run Lynis
run: sudo lynis audit system --skip-plugins --tests-from-group ssh
- name: chmod Lynis log
run: sudo chmod -c 644 /var/log/lynis.log
- name: Archive Lynis log
uses: actions/upload-artifact@v4
with:
name: lynis-ssh.log
path: /var/log/lynis.log