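name: Ubuntu 20 LXD VM Testing Matrix

on:
  pull_request:
  push:
    branches:
      - main

# Only the newest run per ref is kept; an older run on the same branch/PR is cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  validate:
    name: Validate my profile
    runs-on: ubuntu-latest
    timeout-minutes: 120
    # Least privilege: the job only reads the repository; nothing below pushes.
    permissions:
      contents: read
    env:
      CHEF_LICENSE: accept-silent
      CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}
      KITCHEN_LOCAL_YAML: kitchen.lxd.yml
      PLATFORM: "ubuntu-20"
      LC_ALL: "en_US.UTF-8"
      LXD_IMAGE: "ubuntu:20.04"
      LXD_VM_USERNAME: "ubuntu"
    strategy:
      matrix:
        suite: ["vanilla", "hardened"]
      fail-fast: false
    steps:
      - name: Install host packages
        run: sudo apt-get update && sudo apt-get -y install jq

      - name: Check out repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Install and configure LXD
        run: sudo bash ./.github/scripts/setup-lxd.sh

      # The checkout is shallow; full history is needed by the git rev-parse /
      # git log steps below. Nothing in this job pushes (contents: read above).
      - name: Fetch full git history
        run: git fetch --prune --unshallow

      - name: Set short git commit SHA
        id: vars
        run: |
          set -euo pipefail
          # GITHUB_SHA is the same value as ${{ github.sha }} without shell interpolation.
          calculatedSha=$(git rev-parse --short "$GITHUB_SHA")
          echo "COMMIT_SHORT_SHA=$calculatedSha" >> "$GITHUB_ENV"

      - name: Confirm git commit SHA output
        run: echo "$COMMIT_SHORT_SHA"

      # Publishes the commit message as steps.commit.outputs.message so the
      # `only-validate-profile` conditions further down have a value to read
      # (without this step the expression is always empty and the condition is
      # always true). On pull_request events github.sha is the synthetic merge
      # commit, so the PR head commit is inspected instead. The message is only
      # consumed inside `if:` expressions and never interpolated into a shell
      # command. A random heredoc delimiter keeps a crafted message from
      # terminating the output early.
      - name: Read commit message
        id: commit
        env:
          HEAD_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
        run: |
          set -euo pipefail
          delim="msg_${RANDOM}${RANDOM}"
          {
            echo "message<<${delim}"
            git log -1 --pretty=%B "$HEAD_SHA"
            echo "${delim}"
          } >> "$GITHUB_OUTPUT"

      - name: Setup Ruby
        # TODO(review): pin to a commit SHA like the other actions in this file;
        # a floating tag can be retargeted to different code at any time.
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: "3.1"

      - name: Disable ri and rdoc
        run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc'

      - name: Run Bundle Install
        run: bundle install

      - name: Installed Cinc-auditor
        run: bundle exec cinc-auditor version

      - name: Vendor the Profile
        run: bundle exec cinc-auditor vendor . --overwrite

      # One-shot key generated on the runner and removed in the final step; only
      # the public half leaves the runner (embedded in the cloud-config below).
      - name: Generate ephemeral SSH key for Kitchen
        run: |
          set -euo pipefail
          KEY="$RUNNER_TEMP/kitchen_ed25519"
          ssh-keygen -t ed25519 -a 64 -N "" -f "$KEY" -C "kitchen-ci-$(date -u +%Y%m%dT%H%M%SZ)" </dev/null
          chmod 600 "$KEY"
          chmod 644 "$KEY.pub"
          {
            echo "KITCHEN_SSH_KEY=$KEY"
            echo "KITCHEN_SSH_PUBKEY=$(cat "$KEY.pub")"
          } >> "$GITHUB_ENV"

      - name: Launch LXD VM with cloud-init enabling SSH
        run: |
          set -euo pipefail
          NAME="${{ matrix.suite }}-${{ env.PLATFORM }}"
          # Unquoted heredoc on purpose: LXD_VM_USERNAME and KITCHEN_SSH_PUBKEY are
          # expanded into the cloud-config. Password auth stays disabled; only the
          # ephemeral key can log in.
          cat > user-data.yaml <<EOF
          #cloud-config
          write_files:
            - path: /etc/apt/apt.conf.d/99force-ipv4
              permissions: '0644'
              content: |
                Acquire::ForceIPv4 "true";
          package_update: true
          packages:
            - openssh-server
          users:
            - name: ${LXD_VM_USERNAME}
              groups: [sudo]
              sudo: ALL=(ALL) NOPASSWD:ALL
              shell: /bin/bash
              ssh_authorized_keys:
                - ${KITCHEN_SSH_PUBKEY}
          ssh_pwauth: false
          EOF
          sudo lxc launch "${LXD_IMAGE}" "$NAME" --vm -c user.user-data="$(cat user-data.yaml)" -c limits.memory=4GiB

      - name: Wait for VM
        run: |
          set -euo pipefail
          NAME="${{ matrix.suite }}-${{ env.PLATFORM }}"
          # NOTE(review): launch above runs under sudo while these lxc calls do not;
          # assumes setup-lxd.sh gives the runner user access to the LXD socket — confirm.
          # The name filter is anchored so a VM whose name merely starts with $NAME
          # cannot satisfy the check.
          for _ in $(seq 1 30); do
            lxc list "^${NAME}$" --format=csv -c s | grep -qx RUNNING && break
            sleep 10
          done
          lxc list "^${NAME}$" --format=csv -c s | grep -qx RUNNING || { echo "VM never reached RUNNING"; lxc info "$NAME"; exit 1; }

      - name: Export VM IPv4 for Kitchen
        run: |
          set -euo pipefail
          NAME="${{ matrix.suite }}-${{ env.PLATFORM }}"
          ipv4=""
          # Until the guest agent reports, .state.network is null; the `// {}`
          # fallback keeps jq from erroring (which, under set -e, would abort the
          # retry loop on its first pass). `first` replaces head(1) so no pipe is
          # closed early under pipefail.
          for _ in $(seq 1 24); do
            ipv4=$(lxc list "^${NAME}$" --format=json | jq -r '[(.[0].state.network // {}) | to_entries[] | .value.addresses[]? | select(.family=="inet" and .scope=="global") | .address] | first // empty')
            [ -n "$ipv4" ] && break
            sleep 5
          done
          [ -n "$ipv4" ] || { echo "No VM IPv4 found"; lxc info "$NAME"; exit 1; }
          echo "KITCHEN_HOST=$ipv4" >> "$GITHUB_ENV"

      - name: Run kitchen test
        if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
        continue-on-error: true
        run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-${{ env.PLATFORM }}

      - name: Save results summary JSON
        continue-on-error: true
        uses: mitre/saf_action@a19f76ed3721c14aa8a1afb8eded117d8bf16a5d # v1.9.0
        with:
          command_string: "view summary -f json -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -o spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json"

      - name: Upload Test Result JSON
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: ${{ env.PLATFORM }}_${{ matrix.suite }}.json
          path: spec/results/

      # NOTE: public=true makes the uploaded evaluation visible to every user of
      # the Heimdall instance; confirm that is intended for these CI results.
      # -sS -f keeps curl quiet on success but surfaces HTTP errors in the log
      # (the step itself is still continue-on-error).
      - name: Upload to Heimdall
        continue-on-error: true
        env:
          SAF_HEIMDALL_UPLOAD_KEY: ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}
        run: |
          curl -sS -f -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json \
            -F "filename=${{ env.PLATFORM }}_${{ matrix.suite }}-${{ env.COMMIT_SHORT_SHA }}.json" \
            -F "public=true" \
            -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" \
            -H "Authorization: Api-Key $SAF_HEIMDALL_UPLOAD_KEY" \
            "${{ vars.SAF_HEIMDALL_URL }}/evaluations"

      # Pinned to the same commit as the other saf_action steps; a floating
      # tag here left this one step outside the supply-chain pinning.
      - name: Display our ${{ matrix.suite }} results summary
        if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
        uses: mitre/saf_action@a19f76ed3721c14aa8a1afb8eded117d8bf16a5d # v1.9.0
        with:
          command_string: "view summary -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json"

      - name: Generate Markdown Summary
        continue-on-error: true
        id: generate-summary
        run: |
          set -euo pipefail
          python markdown-summary.py < spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json > spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md
          cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md >> "$GITHUB_STEP_SUMMARY"

      - name: Validate scan threshold
        uses: mitre/saf_action@a19f76ed3721c14aa8a1afb8eded117d8bf16a5d # v1.9.0
        with:
          command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ${{ matrix.suite }}.threshold.yml"

      - name: Cleanup ephemeral SSH key and VM
        if: always()
        run: |
          rm -f "$RUNNER_TEMP/kitchen_ed25519" "$RUNNER_TEMP/kitchen_ed25519.pub"
          # Best-effort: the VM may never have been created if an earlier step
          # failed. Redundant on ephemeral hosted runners, necessary on a reused one.
          sudo lxc delete --force "${{ matrix.suite }}-${{ env.PLATFORM }}" 2>/dev/null || true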