ansible-playbook.yml

name: ansible-playbook
on: [push, pull_request]

env:
  ANSIBLE_FORCE_COLOR: '1'

jobs:
  # Performing test ID BANN-7126 (Check issue banner file contents)
  # Test: Checking file /etc/issue contents for legal key words
  # Result: found string 'authori'
  # Result: found string 'monitor'
  # Result: found string 'report'
  # Result: Found only 3 key words (5 or more suggested), to warn unauthorized users and could be increased
  # Suggestion: Add a legal banner to /etc/issue, to warn unauthorized users [test:BANN-7126] [details:-] [solution:-]
  # Hardening: assigned partial number of hardening points (0 of 1). Currently having 0 points (out of 1)
  #
  # Performing test ID BANN-7130 (Check issue.net banner file contents)
  # Test: Checking file /etc/issue.net contents for legal key words
  # Result: found string 'authori'
  # Result: found string 'monitor'
  # Result: found string 'report'
  # Result: Found only 3 key words, to warn unauthorized users and could be increased
  # Suggestion: Add legal banner to /etc/issue.net, to warn unauthorized users [test:BANN-7130] [details:-] [solution:-]
  # Hardening: assigned partial number of hardening points (0 of 1). Currently having 0 points (out of 2)
  banners:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install Lynis
        run: |
          ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
          echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
      - name: Run Ansible playbook for banners
        run: ansible-playbook -v harden.yml --tags banners --extra-vars run_lynis_after_hardening=true
      - name: chmod Lynis log
        run: sudo chmod -c 644 /var/log/lynis.log
      - name: Archive Lynis log
        uses: actions/upload-artifact@v4
        with:
          name: lynis-banner.log
          path: /var/log/lynis.log
  authentication:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install Lynis
        run: |
          ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
          echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
      - name: Run Lynis (pre-harden)
        run: sudo lynis audit system --skip-plugins --tests-from-group authentication
      - name: Run Ansible playbook for passwords, pam & umask
        run: ansible-playbook harden.yml --tags passwords,pam,umask,accounts --skip-tags slackware,centos
      - name: Run Lynis
        run: sudo lynis audit system --skip-plugins --tests-from-group authentication
      - name: chmod Lynis log
        run: sudo chmod -c 644 /var/log/lynis.log
      - name: Archive Lynis log
        uses: actions/upload-artifact@v4
        with:
          name: authentication
          # We can't use common-* here because "Error: The path for one of the files in artifact is not valid: etc/pam.d/common-auth.10050.2024-12-18@17:28:53~. Contains the following character:  Colon :"
          path: |
            /var/log/lynis.log
            /etc/pam.d/common-account
            /etc/pam.d/common-auth
            /etc/pam.d/common-password
            /etc/pam.d/common-session
      # 2025-01-08 20:44:29 Performing test ID AUTH-9229 (Check password hashing methods)
      # 2025-01-08 20:44:29 Test: Checking password hashing methods
      # 2025-01-08 20:44:29 Result: poor password hashing methods found: sha256crypt/sha512crypt(default=5000rounds) 
      # 2025-01-08 20:44:29 Suggestion: Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [test:AUTH-9229] [details:-] [solution:-]
      # 2025-01-08 20:44:29 Hardening: assigned partial number of hardening points (0 of 2). Currently having 2 points (out of 4)
      - name: Check Lynis score
        run: sudo bash tests/check_lynis_score.sh 93
  accounting:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install Lynis
        run: |
          ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
          echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
      - name: Run Lynis (pre-harden)
        run: sudo lynis audit system --skip-plugins --tests-from-group accounting
      - name: Run Ansible playbook for accounting, audit & sysstat
        run: ansible-playbook harden.yml --tags accounting,audit,sysstat --skip-tags slackware,centos
      - name: Run Lynis
        run: sudo lynis audit system --skip-plugins --tests-from-group accounting
      - name: chmod Lynis log
        run: sudo chmod -c 644 /var/log/lynis.log
      - name: Archive Lynis log
        uses: actions/upload-artifact@v4
        with:
          name: lynis-accounting.log
          path: /var/log/lynis.log
      - name: Check Lynis score
        run: sudo bash tests/check_lynis_score.sh 100
  # The only test that would be (positively) scored in this category is SCHD-7720,
  # but that test is skipped if/when atd is not running.
  scheduling:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install Lynis
        run: |
          ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
          echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
      - name: Run Lynis (pre-harden)
        run: sudo lynis audit system --skip-plugins --tests-from-group scheduling
      - name: Run Ansible playbook for cron
        run: ansible-playbook harden.yml --tags cron --skip-tags slackware
      - name: Run Lynis
        run: sudo lynis audit system --skip-plugins --tests-from-group scheduling
      - name: chmod Lynis log
        run: sudo chmod -c 644 /var/log/lynis.log
      - name: Archive Lynis log
        uses: actions/upload-artifact@v4
        with:
          name: lynis-scheduling.log
          path: /var/log/lynis.log
  shells:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install Lynis
        run: |
          ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
          echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
      - name: Run Lynis (pre-harden)
        run: sudo lynis audit system --skip-plugins --tests-from-group shells
      - name: Run Ansible playbook for umask & shells
        run: ansible-playbook harden.yml --tags umask,shells --skip-tags slackware
      - name: Run Lynis
        run: sudo lynis audit system --skip-plugins --tests-from-group shells
      - name: chmod Lynis log
        run: sudo chmod -c 644 /var/log/lynis.log
      - name: Archive Lynis log
        uses: actions/upload-artifact@v4
        with:
          name: lynis-shells.log
          path: /var/log/lynis.log
      - name: Check Lynis score
        run: sudo bash tests/check_lynis_score.sh 100
  malware:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install Lynis
        run: |
          ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
          echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
      - name: Run Lynis (pre-harden)
        run: sudo lynis audit system --skip-plugins --tests-from-group malware
      - name: Install jmespath
        run: sudo pipx inject ansible-core jmespath
      - name: Run Ansible playbook for clamav, rkhunter & chkrootkit
        run: ansible-playbook harden.yml --tags clamav,rkhunter,chkrootkit --skip-tags slackware,yara
      - name: Run rkhunter
        run: sudo rkhunter --check --skip-keypress
      - name: Check rkhunter.log for warnings
        run: sudo grep '\[ Warning \]$' /var/log/rkhunter.log
      - name: Run Lynis
        run: sudo lynis audit system --skip-plugins --tests-from-group malware
      - name: chmod Lynis log
        run: sudo chmod -c 644 /var/log/lynis.log
      - name: Archive Lynis log
        uses: actions/upload-artifact@v4
        with:
          name: lynis-malware.log
          path: |
            /var/log/lynis.log
            /var/log/rkhunter.log
      # MALW-3280
      # 2025-01-08 21:22:22 Result: no commercial anti-virus tools found
      # 2025-01-08 21:22:22 Hardening: assigned partial number of hardening points (0 of 3). Currently having 4 points (out of 7)
      - name: Check Lynis score
        run: sudo bash tests/check_lynis_score.sh 66
  mac_frameworks:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install Lynis
        run: |
          ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
          echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
      - name: Run Lynis (pre-harden)
        run: sudo lynis audit system --skip-plugins --tests-from-group mac_frameworks
      - name: Run Ansible playbook for apparmor
        run: ansible-playbook harden.yml --tags apparmor
      - name: Run Lynis
        run: sudo lynis audit system --skip-plugins --tests-from-group mac_frameworks
      - name: chmod Lynis log
        run: sudo chmod -c 644 /var/log/lynis.log
      - name: Archive Lynis log
        uses: actions/upload-artifact@v4
        with:
          name: lynis-mac_frameworks.log
          path: /var/log/lynis.log
      - name: Check Lynis score
        run: sudo bash tests/check_lynis_score.sh 100
  # Not scored
  file_permissions:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install Lynis
        run: |
          ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
          echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
      - name: Run Lynis (pre-harden)
        run: sudo lynis audit system --skip-plugins --tests-from-group file_permissions
      - name: Run Ansible playbook for cron & permissions
        run: ansible-playbook harden.yml --tags cron,permissions --skip-tags slackware
      - name: Run Lynis
        run: sudo lynis audit system --skip-plugins --tests-from-group file_permissions
      - name: chmod Lynis log
        run: sudo chmod -c 644 /var/log/lynis.log
      - name: Archive Lynis log
        uses: actions/upload-artifact@v4
        with:
          name: lynis-file_permissions.log
          path: /var/log/lynis.log
  # Not scored
  homedirs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install Lynis
        run: |
          ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
          echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
      - name: Run Lynis (pre-harden)
        run: sudo lynis audit system --skip-plugins --tests-from-group homedirs
      - name: Run Ansible playbook for permissions
        run: ansible-playbook harden.yml --tags permissions --skip-tags slackware
      - name: Run Lynis
        run: sudo lynis audit system --skip-plugins --tests-from-group homedirs
      - name: chmod Lynis log
        run: sudo chmod -c 644 /var/log/lynis.log
      - name: Archive Lynis log
        uses: actions/upload-artifact@v4
        with:
          name: lynis-homedirs.log
          path: /var/log/lynis.log
  kernel_hardening:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install Lynis
        run: |
          ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
          echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
      - name: Run Lynis (pre-harden)
        run: sudo lynis audit system --skip-plugins --tests-from-group kernel_hardening
      - name: Run Ansible playbook for kernel
        run: ansible-playbook harden.yml --tags kernel
      - name: Run Lynis
        run: sudo lynis audit system --skip-plugins --tests-from-group kernel_hardening
      - name: chmod Lynis log
        run: sudo chmod -c 644 /var/log/lynis.log
      - name: Archive Lynis log
        uses: actions/upload-artifact@v4
        with:
          name: lynis-kernel_hardening.log
          path: /var/log/lynis.log
      - name: Check Lynis score
        run: sudo bash tests/check_lynis_score.sh 94
  file_integrity:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install Lynis
        run: |
          ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
          echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
      - name: Run Lynis (pre-harden)
        run: sudo lynis audit system --skip-plugins --tests-from-group file_integrity
      - name: Run Ansible playbook for aide
        run: ansible-playbook harden.yml --tags aide
      - name: Run Lynis
        run: sudo lynis audit system --skip-plugins --tests-from-group file_integrity
      - name: chmod Lynis log
        run: sudo chmod -c 644 /var/log/lynis.log
      - name: Archive Lynis log
        uses: actions/upload-artifact@v4
        with:
          name: lynis-file_integrity.log
          path: /var/log/lynis.log
      - name: Check Lynis score
        run: sudo bash tests/check_lynis_score.sh 100
  storage:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install Lynis
        run: |
          ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
          echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
      - name: Run Lynis (pre-harden)
        run: sudo lynis audit system --skip-plugins --tests-from-group storage
      - name: Run Ansible playbook for kernel
        run: ansible-playbook harden.yml --tags kernel
      - name: Run Lynis
        run: sudo lynis audit system --skip-plugins --tests-from-group storage
      - name: chmod Lynis log
        run: sudo chmod -c 644 /var/log/lynis.log
      - name: Archive Lynis log
        uses: actions/upload-artifact@v4
        with:
          name: lynis-storage.log
          path: /var/log/lynis.log
      - name: Check Lynis score
        run: sudo bash tests/check_lynis_score.sh 100
  #firewalls:
  #  runs-on: ubuntu-latest
  #  steps:
  #    - name: Checkout
  #      uses: actions/checkout@v3
  #    - name: Install Lynis
  #      run: |
  #        ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
  #        echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
  #    - name: Run Lynis (pre-harden)
  #      run: sudo lynis audit system --skip-plugins --tests-from-group firewalls
  #    - name: Run Ansible playbook for network
  #      run: ansible-playbook harden.yml --tags firewall --skip-tags slackware
  #    - name: Run Lynis
  #      run: sudo lynis audit system --skip-plugins --tests-from-group firewalls
  #    - name: chmod Lynis log
  #      run: sudo chmod -c 644 /var/log/lynis.log
  #    - name: Archive Lynis log
  #      uses: actions/upload-artifact@v4
  #      with:
  #        name: lynis-firewalls.log
  #        path: /var/log/lynis.log
  #almost-whole-playbook:
  #  runs-on: ubuntu-latest
  #  steps:
  #    - name: Checkout
  #      uses: actions/checkout@v3
  #    - name: Install Lynis
  #      run: |
  #        ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
  #        echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
  #    - name: Run Lynis (pre-harden)
  #      run: sudo lynis audit system --skip-plugins
  #    - name: Run Ansible playbook
  #      run: ansible-playbook harden.yml --skip-tags slackware,centos,lynis,firewall,yara,sudo
  #    - name: Run Lynis
  #      run: sudo lynis audit system --skip-plugins
  #    - name: chmod Lynis log
  #      run: sudo chmod -c 644 /var/log/lynis.log
  #    - name: Archive Lynis log
  #      uses: actions/upload-artifact@v4
  #      with:
  #        name: lynis.log
  #        path: /var/log/lynis.log
  ssh:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install Lynis
        run: |
          ansible-playbook harden.yml --tags lynis --skip-tags slackware,centos
          echo 'skip-upgrade-test=yes' | sudo tee -a /etc/lynis/custom.prf
      - name: Run Lynis (pre-harden)
        run: sudo lynis audit system --skip-plugins --tests-from-group ssh
      - name: Run Ansible playbook for SSH
        run: ansible-playbook harden.yml --tags ssh
      - name: Run Lynis
        run: sudo lynis audit system --skip-plugins --tests-from-group ssh
      - name: chmod Lynis log
        run: sudo chmod -c 644 /var/log/lynis.log
      - name: Archive Lynis log
        uses: actions/upload-artifact@v4
        with:
          name: lynis-ssh.log
          path: /var/log/lynis.log