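---
# Test Kitchen configuration for running the Ubuntu 20.04 suites on EC2.
# Values wrapped in <%= %> are ERB, rendered by Test Kitchen from the
# environment before the YAML is parsed.
# NOTE(review): indentation was lost in the source this was restored from;
# nesting below (driver under the platform, lifecycle at top level so the
# hook runs for every suite) is the conventional layout — confirm against
# the original file.
platforms:
  - name: ubuntu-20.04
    driver:
      name: ec2
      subnet_id: "<%= ENV['SAF_PIPELINE_SUBNET'] %>"
      security_group_ids:
        - "<%= ENV['SAF_PIPELINE_SG'] %>"
      # IMDSv2 only (session token required); a hop limit of 1 keeps the
      # metadata service, and the instance credentials it serves, unreachable
      # from anything one network hop away such as a container on the host.
      metadata_options:
        http_tokens: required
        http_put_response_hop_limit: 1
        instance_metadata_tags: enabled
      instance_type: t2.small
      associate_public_ip: false
      # NOTE(review): interface: public together with associate_public_ip: false
      # only works if the pipeline subnet auto-assigns a public address —
      # confirm, or switch to interface: private.
      interface: public
      skip_cost_warning: true
      # NOTE(review): privileged does not look like an ec2 driver setting —
      # verify it is honoured before relying on it.
      privileged: true
      instance_initiated_shutdown_behavior: terminate

provisioner:
  name: ansible_playbook
  hosts: all
  require_chef_for_busser: false
  require_ruby_for_busser: false
  # Points at the venv created by the pre_converge hook below
  # ($HOME/ansible for the ubuntu user); keep the two in sync.
  ansible_binary_path: /home/ubuntu/ansible/bin
  ansible_verbose: true
  roles_path: spec/ansible/roles
  # NOTE(review): this disables TLS verification when roles/collections are
  # pulled from Galaxy, so anything on the network path can substitute content.
  # Prefer installing the CA chain on the host and pinning versions in
  # requirements.yml.
  galaxy_ignore_certs: true
  requirements_path: spec/ansible/roles/requirements.yml
  requirements_collection_path: spec/ansible/roles/requirements.yml
  # Left unquoted so that an unset variable renders as YAML null rather
  # than "". A value containing ': ' or ' #' will not parse — keep the
  # flags simple (e.g. -vvv, --tags x).
  ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %>

suites:
  - name: vanilla
    provisioner:
      playbook: spec/ansible/roles/ansible-role-ubuntu-vanilla.yml
    driver:
      tags:
        # Quoted: the rendered value is always a string, even if USER is unset.
        Name: "Vanilla-<%= ENV['USER'] %>"
        CreatedBy: test-kitchen
  - name: hardened
    provisioner:
      playbook: spec/ansible/roles/ansible-role-ubuntu-hardened.yml
    driver:
      tags:
        Name: "Hardened-<%= ENV['USER'] %>"
        CreatedBy: test-kitchen

# Runs on the instance before converge: refreshes packages, builds the
# ansible venv the provisioner points at, and prepares the ubuntu account
# so the hardening playbook does not lock it out.
lifecycle:
  pre_converge:
    - remote: |
        export DEBIAN_FRONTEND=noninteractive
        echo "+++ Refreshing APT package cache +++"
        sudo apt-get -y update
        echo ""
        echo "+++ Updating APT Packages +++"
        sudo apt-get -y upgrade
        echo ""
        echo "+++ Installing base packages +++"
        sudo apt-get -y install bc dnsutils lsb-release vim git wget curl build-essential libssl-dev libffi-dev libbz2-dev
        sudo add-apt-repository -y universe || true
        sudo apt-get -y update
        echo ""
        echo "+++ Installing Python venv and pip +++"
        # Prefer the venv package matching the system python (e.g. python3.8-venv),
        # fall back to the unversioned package if that name does not exist.
        PYVER="$(python3 -V | awk '{print $2}' | cut -d. -f1,2)"
        if ! sudo apt-get -y install "python${PYVER}-venv" python3-pip; then
          sudo apt-get -y install python3-venv python3-pip
        fi
        echo ""
        echo "+++ Creating venv at $HOME/ansible +++"
        python3 -m venv "$HOME/ansible"
        "$HOME/ansible/bin/python" -m ensurepip --upgrade || true
        "$HOME/ansible/bin/python" -m pip install --upgrade pip setuptools wheel
        echo ""
        echo "+++ Installing ansible-core 2.13.x +++"
        "$HOME/ansible/bin/python" -m pip install 'ansible-core>=2.13,<2.14'
        echo ""
        echo "+++ Validating ansible-playbook binary +++"
        if [ ! -x "$HOME/ansible/bin/ansible-playbook" ]; then
          echo "ERROR: ansible-playbook missing at $HOME/ansible/bin/ansible-playbook"
          ls -la "$HOME/ansible/bin" || true
          exit 1
        fi
        "$HOME/ansible/bin/ansible-playbook" --version
        echo ""
        echo "+++ Updating the ubuntu user to keep sudo working after hardening phase +++"
        # Stamp today (days since epoch) as the last password change so the
        # password-ageing rules applied by the hardening playbook do not
        # expire the ubuntu account.
        sudo chage -d "$(( $( date +%s ) / 86400 ))" ubuntu
        echo ""
        echo "+++ updating ubuntu sudo config for hardening phase +++"
        # Remove any ubuntu-specific line from /etc/sudoers. The chain only
        # restores mode 0440 if sed succeeds; the visudo check afterwards
        # reports a broken sudoers instead of discovering it at converge time.
        sudo chmod 600 /etc/sudoers && sudo sed -i '/^ubuntu\b/d' /etc/sudoers && sudo chmod 440 /etc/sudoers
        sudo visudo -cf /etc/sudoers
        echo ""
        echo "+++ add cinc-auditor for local shell +++"
        # -f makes curl fail on an HTTP error instead of piping an error page
        # into bash. NOTE(review): this still executes an unpinned remote
        # script as root on every run; pin a release (the installer takes
        # -v <VERSION>) and verify the downloaded package's checksum.
        curl -fsSL https://omnitruck.cinc.sh/install.sh | sudo bash -s -- -P cinc-auditor

transport:
  name: ssh
  # https://github.com/neillturner/kitchen-ansible/issues/295
  max_ssh_sessions: 2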