awk_sandboxing.sh: Check that awk exists #180
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: ansible-playbook | |
on: [push, pull_request] | |
env: | |
ANSIBLE_FORCE_COLOR: '1' | |
jobs: | |
# Performing test ID BANN-7126 (Check issue banner file contents) | |
# Test: Checking file /etc/issue contents for legal key words | |
# Result: found string 'authori' | |
# Result: found string 'monitor' | |
# Result: found string 'report' | |
# Result: Found only 3 key words (5 or more suggested), to warn unauthorized users and could be increased | |
# Suggestion: Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126] [details:-] [solution:-] | |
# Hardening: assigned partial number of hardening points (0 of 1). Currently having 0 points (out of 1) | |
# | |
# Performing test ID BANN-7130 (Check issue.net banner file contents) | |
# Test: Checking file /etc/issue.net contents for legal key words | |
# Result: found string 'authori' | |
# Result: found string 'monitor' | |
# Result: found string 'report' | |
# Result: Found only 3 key words, to warn unauthorized users and could be increased | |
# Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130] [details:-] [solution:-] | |
# Hardening: assigned partial number of hardening points (0 of 1). Currently having 0 points (out of 2) | |
banners: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install Lynis | |
run: | | |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos | |
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf | |
- name: Run Ansible playbook for banners | |
run: ansible-playbook -v harden.yml --tags banners --extra-vars run_lynis_after_hardening=true | |
- name: chmod Lynis log | |
run: sudo chmod -c 644 /var/log/lynis.log | |
- name: Archive Lynis log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: lynis-banner.log | |
path: /var/log/lynis.log | |
authentication: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install Lynis | |
run: | | |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos | |
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf | |
- name: Run Lynis (pre-harden) | |
run: sudo lynis audit system --skip-plugins --tests-from-group authentication | |
- name: Run Ansible playbook for passwords, pam & umask | |
run: ansible-playbook harden.yml --tags passwords,pam,umask,accounts --skip-tags slackware,centos | |
- name: Run Lynis | |
run: sudo lynis audit system --skip-plugins --tests-from-group authentication | |
- name: chmod Lynis log | |
run: sudo chmod -c 644 /var/log/lynis.log | |
- name: Archive Lynis log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: authentication | |
# We can't use common-* here because "Error: The path for one of the files in artifact is not valid: etc/pam.d/common-auth.10050.2024-12-18@17:28:53~. Contains the following character: Colon :" | |
path: | | |
/var/log/lynis.log | |
/etc/pam.d/common-account | |
/etc/pam.d/common-auth | |
/etc/pam.d/common-password | |
/etc/pam.d/common-session | |
# 2025-01-08 20:44:29 Performing test ID AUTH-9229 (Check password hashing methods) | |
# 2025-01-08 20:44:29 Test: Checking password hashing methods | |
# 2025-01-08 20:44:29 Result: poor password hashing methods found: sha256crypt/sha512crypt(default=5000rounds) | |
# 2025-01-08 20:44:29 Suggestion: Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [test:AUTH-9229] [details:-] [solution:-] | |
# 2025-01-08 20:44:29 Hardening: assigned partial number of hardening points (0 of 2). Currently having 2 points (out of 4) | |
- name: Check Lynis score | |
run: sudo bash tests/check_lynis_score.sh 93 | |
accounting: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install Lynis | |
run: | | |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos | |
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf | |
- name: Run Lynis (pre-harden) | |
run: sudo lynis audit system --skip-plugins --tests-from-group accounting | |
- name: Run Ansible playbook for accounting, audit & sysstat | |
run: ansible-playbook harden.yml --tags accounting,audit,sysstat --skip-tags slackware,centos | |
- name: Run Lynis | |
run: sudo lynis audit system --skip-plugins --tests-from-group accounting | |
- name: chmod Lynis log | |
run: sudo chmod -c 644 /var/log/lynis.log | |
- name: Archive Lynis log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: lynis-accounting.log | |
path: /var/log/lynis.log | |
- name: Check Lynis score | |
run: sudo bash tests/check_lynis_score.sh 100 | |
# The only test that would be (positively) scored in this category is SCHD-7720, | |
# but that test is skipped if/when atd is not running. | |
scheduling: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install Lynis | |
run: | | |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos | |
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf | |
- name: Run Lynis (pre-harden) | |
run: sudo lynis audit system --skip-plugins --tests-from-group scheduling | |
- name: Run Ansible playbook for cron | |
run: ansible-playbook harden.yml --tags cron --skip-tags slackware | |
- name: Run Lynis | |
run: sudo lynis audit system --skip-plugins --tests-from-group scheduling | |
- name: chmod Lynis log | |
run: sudo chmod -c 644 /var/log/lynis.log | |
- name: Archive Lynis log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: lynis-scheduling.log | |
path: /var/log/lynis.log | |
shells: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install Lynis | |
run: | | |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos | |
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf | |
- name: Run Lynis (pre-harden) | |
run: sudo lynis audit system --skip-plugins --tests-from-group shells | |
- name: Run Ansible playbook for umask & shells | |
run: ansible-playbook harden.yml --tags umask,shells --skip-tags slackware | |
- name: Run Lynis | |
run: sudo lynis audit system --skip-plugins --tests-from-group shells | |
- name: chmod Lynis log | |
run: sudo chmod -c 644 /var/log/lynis.log | |
- name: Archive Lynis log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: lynis-shells.log | |
path: /var/log/lynis.log | |
- name: Check Lynis score | |
run: sudo bash tests/check_lynis_score.sh 100 | |
malware: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install Lynis | |
run: | | |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos | |
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf | |
- name: Run Lynis (pre-harden) | |
run: sudo lynis audit system --skip-plugins --tests-from-group malware | |
- name: Install jmespath | |
run: sudo pipx inject ansible-core jmespath | |
- name: Run Ansible playbook for clamav, rkhunter & chkrootkit | |
run: ansible-playbook harden.yml --tags clamav,rkhunter,chkrootkit --skip-tags slackware,yara | |
- name: Run Lynis | |
run: sudo lynis audit system --skip-plugins --tests-from-group malware | |
- name: chmod Lynis log | |
run: sudo chmod -c 644 /var/log/lynis.log | |
- name: Archive Lynis log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: lynis-malware.log | |
path: /var/log/lynis.log | |
# MALW-3280 | |
# 2025-01-08 21:22:22 Result: no commercial anti-virus tools found | |
# 2025-01-08 21:22:22 Hardening: assigned partial number of hardening points (0 of 3). Currently having 4 points (out of 7) | |
- name: Check Lynis score | |
run: sudo bash tests/check_lynis_score.sh 66 | |
mac_frameworks: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install Lynis | |
run: | | |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos | |
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf | |
- name: Run Lynis (pre-harden) | |
run: sudo lynis audit system --skip-plugins --tests-from-group mac_frameworks | |
- name: Run Ansible playbook for apparmor | |
run: ansible-playbook harden.yml --tags apparmor | |
- name: Run Lynis | |
run: sudo lynis audit system --skip-plugins --tests-from-group mac_frameworks | |
- name: chmod Lynis log | |
run: sudo chmod -c 644 /var/log/lynis.log | |
- name: Archive Lynis log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: lynis-mac_frameworks.log | |
path: /var/log/lynis.log | |
- name: Check Lynis score | |
run: sudo bash tests/check_lynis_score.sh 100 | |
# Not scored | |
file_permissions: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install Lynis | |
run: | | |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos | |
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf | |
- name: Run Lynis (pre-harden) | |
run: sudo lynis audit system --skip-plugins --tests-from-group file_permissions | |
- name: Run Ansible playbook for cron & permissions | |
run: ansible-playbook harden.yml --tags cron,permissions --skip-tags slackware | |
- name: Run Lynis | |
run: sudo lynis audit system --skip-plugins --tests-from-group file_permissions | |
- name: chmod Lynis log | |
run: sudo chmod -c 644 /var/log/lynis.log | |
- name: Archive Lynis log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: lynis-file_permissions.log | |
path: /var/log/lynis.log | |
# Not scored | |
homedirs: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install Lynis | |
run: | | |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos | |
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf | |
- name: Run Lynis (pre-harden) | |
run: sudo lynis audit system --skip-plugins --tests-from-group homedirs | |
- name: Run Ansible playbook for permissions | |
run: ansible-playbook harden.yml --tags permissions --skip-tags slackware | |
- name: Run Lynis | |
run: sudo lynis audit system --skip-plugins --tests-from-group homedirs | |
- name: chmod Lynis log | |
run: sudo chmod -c 644 /var/log/lynis.log | |
- name: Archive Lynis log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: lynis-homedirs.log | |
path: /var/log/lynis.log | |
kernel_hardening: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install Lynis | |
run: | | |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos | |
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf | |
- name: Run Lynis (pre-harden) | |
run: sudo lynis audit system --skip-plugins --tests-from-group kernel_hardening | |
- name: Run Ansible playbook for kernel | |
run: ansible-playbook harden.yml --tags kernel | |
- name: Run Lynis | |
run: sudo lynis audit system --skip-plugins --tests-from-group kernel_hardening | |
- name: chmod Lynis log | |
run: sudo chmod -c 644 /var/log/lynis.log | |
- name: Archive Lynis log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: lynis-kernel_hardening.log | |
path: /var/log/lynis.log | |
- name: Check Lynis score | |
run: sudo bash tests/check_lynis_score.sh 94 | |
file_integrity: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install Lynis | |
run: | | |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos | |
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf | |
- name: Run Lynis (pre-harden) | |
run: sudo lynis audit system --skip-plugins --tests-from-group file_integrity | |
- name: Run Ansible playbook for aide | |
run: ansible-playbook harden.yml --tags aide | |
- name: Run Lynis | |
run: sudo lynis audit system --skip-plugins --tests-from-group file_integrity | |
- name: chmod Lynis log | |
run: sudo chmod -c 644 /var/log/lynis.log | |
- name: Archive Lynis log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: lynis-file_integrity.log | |
path: /var/log/lynis.log | |
- name: Check Lynis score | |
run: sudo bash tests/check_lynis_score.sh 100 | |
storage: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install Lynis | |
run: | | |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos | |
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf | |
- name: Run Lynis (pre-harden) | |
run: sudo lynis audit system --skip-plugins --tests-from-group storage | |
- name: Run Ansible playbook for kernel | |
run: ansible-playbook harden.yml --tags kernel | |
- name: Run Lynis | |
run: sudo lynis audit system --skip-plugins --tests-from-group storage | |
- name: chmod Lynis log | |
run: sudo chmod -c 644 /var/log/lynis.log | |
- name: Archive Lynis log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: lynis-storage.log | |
path: /var/log/lynis.log | |
- name: Check Lynis score | |
run: sudo bash tests/check_lynis_score.sh 100 | |
#firewalls: | |
# runs-on: ubuntu-latest | |
# steps: | |
# - name: Checkout | |
# uses: actions/checkout@v3 | |
# - name: Install Lynis | |
# run: | | |
# ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos | |
# echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf | |
# - name: Run Lynis (pre-harden) | |
# run: sudo lynis audit system --skip-plugins --tests-from-group firewalls | |
# - name: Run Ansible playbook for network | |
# run: ansible-playbook harden.yml --tags firewall --skip-tags slackware | |
# - name: Run Lynis | |
# run: sudo lynis audit system --skip-plugins --tests-from-group firewalls | |
# - name: chmod Lynis log | |
# run: sudo chmod -c 644 /var/log/lynis.log | |
# - name: Archive Lynis log | |
# uses: actions/upload-artifact@v4 | |
# with: | |
# name: lynis-firewalls.log | |
# path: /var/log/lynis.log | |
#almost-whole-playbook: | |
# runs-on: ubuntu-latest | |
# steps: | |
# - name: Checkout | |
# uses: actions/checkout@v3 | |
# - name: Install Lynis | |
# run: | | |
# ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos | |
# echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf | |
# - name: Run Lynis (pre-harden) | |
# run: sudo lynis audit system --skip-plugins | |
# - name: Run Ansible playbook | |
# run: ansible-playbook harden.yml --skip-tags slackware,centos,lynis,firewall,yara,sudo | |
# - name: Run Lynis | |
# run: sudo lynis audit system --skip-plugins | |
# - name: chmod Lynis log | |
# run: sudo chmod -c 644 /var/log/lynis.log | |
# - name: Archive Lynis log | |
# uses: actions/upload-artifact@v4 | |
# with: | |
# name: lynis.log | |
# path: /var/log/lynis.log | |
ssh: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install Lynis | |
run: | | |
ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos | |
echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf | |
- name: Run Lynis (pre-harden) | |
run: sudo lynis audit system --skip-plugins --tests-from-group ssh | |
- name: Run Ansible playbook for SSH | |
run: ansible-playbook harden.yml --tags ssh | |
- name: Run Lynis | |
run: sudo lynis audit system --skip-plugins --tests-from-group ssh | |
- name: chmod Lynis log | |
run: sudo chmod -c 644 /var/log/lynis.log | |
- name: Archive Lynis log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: lynis-ssh.log | |
path: /var/log/lynis.log |