From 01b445ea84b95cc9cf1e07cab68625fac95dfc28 Mon Sep 17 00:00:00 2001
From: rpigu-i <8628078+rpigu-i@users.noreply.github.com>
Date: Mon, 1 Apr 2019 15:42:13 -0400
Subject: [PATCH 01/53] Add in startup script

---
 Vagrantfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Vagrantfile b/Vagrantfile
index d5eaffa..4ef714b 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -1,7 +1,8 @@
 Vagrant.configure("2") do |config|
- config.vm.box = "bento/centos-7.5"
+ config.vm.box = "bento/centos-7.2"
 config.vm.synced_folder ".", "/app"
 config.vm.provision "shell", inline: "/app/bin/install-ansible.sh", upload_path: "/home/vagrant/install-ansible.sh"
 config.vm.provision "shell", inline: "cd /app/ansible && ansible-playbook -l localhost bakery.yml app-AfterInstall.yml app-StartServer.yml", upload_path: "/home/vagrant/apl.sh"
+ config.vm.provision "shell", inline: "gem install gauntlt"
 config.vm.network "forwarded_port", guest: 80, host: 6080, auto_correct: true
 end

From 540fe49840a94e8778cdc51bf02e5464d4cdd6e3 Mon Sep 17 00:00:00 2001
From: rpigu-i <8628078+rpigu-i@users.noreply.github.com>
Date: Tue, 2 Apr 2019 11:20:22 -0400
Subject: [PATCH 02/53] Add in Ruby updates

---
 Vagrantfile | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/Vagrantfile b/Vagrantfile
index 4ef714b..887bb13 100644
--- a/Vagrantfile
+++ b/Vagrantfile
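Review bot: The added provisioner runs `gem install gauntlt` with no version, so every `vagrant up --provision` pulls whatever the newest release on rubygems.org happens to be, and the CentOS 7 box's system Ruby may not even satisfy that release's requirement. Pin it so the baked image is reproducible, e.g. `config.vm.provision "shell", inline: "gem install gauntlt -v <PINNED_VERSION>"`. The same hunk also moves the box from bento/centos-7.5 back to bento/centos-7.2, which the subject does not mention; if that is deliberate it deserves a word in the commit message.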
@@ -1,8 +1,17 @@
 Vagrant.configure("2") do |config|
- config.vm.box = "bento/centos-7.2"
+ config.vm.box = "bento/centos-7.5"
 config.vm.synced_folder ".", "/app"
 config.vm.provision "shell", inline: "/app/bin/install-ansible.sh", upload_path: "/home/vagrant/install-ansible.sh"
 config.vm.provision "shell", inline: "cd /app/ansible && ansible-playbook -l localhost bakery.yml app-AfterInstall.yml app-StartServer.yml", upload_path: "/home/vagrant/apl.sh"
- config.vm.provision "shell", inline: "gem install gauntlt"
+ config.vm.provision "shell", inline: "curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -"
+ config.vm.provision "shell", inline: "curl -sSL https://rvm.io/pkuczynski.asc | gpg2 --import -"
+ config.vm.provision "shell", inline: "curl -L get.rvm.io | bash -s stable"
+ config.vm.provision "shell", inline: "source /etc/profile.d/rvm.sh"
+ config.vm.provision "shell", inline: "rvm reload"
+ config.vm.provision "shell", inline: "rvm requirements run"
+ config.vm.provision "shell", inline: "rvm install 2.6"
+ config.vm.provision "shell", inline: "rvm alias create default ruby-2.6.0"
+ config.vm.provision "shell", inline: "rvm list && rvm use 2.6 --default && ruby --version"
+ config.vm.provision "shell", inline: "yum -y install ruby-devel && gem install gauntlt"
 config.vm.network "forwarded_port", guest: 80, host: 6080, auto_correct: true
 end

From b64776030e561a1d53fb6df9ebfacdb900a9e6b3 Mon Sep 17 00:00:00 2001
From: rpigu-i <8628078+rpigu-i@users.noreply.github.com>
Date: Tue, 2 Apr 2019 12:38:26 -0400
Subject: [PATCH 03/53] Added namp installation

---
 Vagrantfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Vagrantfile b/Vagrantfile
index 887bb13..2f84769 100644
--- a/Vagrantfile
+++ b/Vagrantfile
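Review bot: `curl -L get.rvm.io | bash -s stable` fetches the RVM bootstrap with no scheme, so curl uses plain HTTP and the first-stage script runs unverified; the two GPG keys imported on the lines above can only cover what that script downloads afterwards, so use `curl -sSL https://get.rvm.io | bash -s stable` to at least protect the bootstrap in transit. Separately, each `config.vm.provision "shell", inline:` runs in its own shell, so `source /etc/profile.d/rvm.sh` and `rvm reload` affect only their own one-line script and the following `rvm ...` provisioners start without rvm on PATH; these steps belong in a single script. `rvm install 2.6` resolves to the newest 2.6.x while `rvm alias create default ruby-2.6.0` hardcodes 2.6.0, so the two can disagree. The same scheme-less URL is carried into bin/install-gauntlt.sh in PATCH 05/53.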
@@ -13,5 +13,6 @@ Vagrant.configure("2") do |config|
 config.vm.provision "shell", inline: "rvm alias create default ruby-2.6.0"
 config.vm.provision "shell", inline: "rvm list && rvm use 2.6 --default && ruby --version"
 config.vm.provision "shell", inline: "yum -y install ruby-devel && gem install gauntlt"
+ config.vm.provision "shell", inline: "yum -y install nmap"
 config.vm.network "forwarded_port", guest: 80, host: 6080, auto_correct: true
 end

From e61cb73d21f40058ec61f179a9441764f9d9d5fa Mon Sep 17 00:00:00 2001
From: rpigu-i <8628078+rpigu-i@users.noreply.github.com>
Date: Tue, 2 Apr 2019 12:38:45 -0400
Subject: [PATCH 04/53] Added in test script for running with gauntlet

---
 gauntlt/nmap.attack | 49 +++++++++++++++++++++++++++++++++++
 gauntlt/os_detection.attack | 18 +++++++++++++
 gauntlt/readme.md | 5 ++++
 gauntlt/simple-env-var.attack | 25 ++++++++++++++++++
 4 files changed, 97 insertions(+)
 create mode 100644 gauntlt/nmap.attack
 create mode 100644 gauntlt/os_detection.attack
 create mode 100644 gauntlt/readme.md
 create mode 100644 gauntlt/simple-env-var.attack

diff --git a/gauntlt/nmap.attack b/gauntlt/nmap.attack
new file mode 100644
index 0000000..d463db0
--- /dev/null
+++ b/gauntlt/nmap.attack
@@ -0,0 +1,49 @@ +@slow + +Feature: nmap attacks for scanme.nmap.org and to use this for your tests, change the value in the profile + Background: + Given "nmap" is installed + And the following profile: + | name | value | + | hostname | scanme.nmap.org | + | host | scanme.nmap.org | + | tcp_ping_ports | 22,25,80,443 | + + Scenario: Verify server is open on expected set of ports using the nmap-fast attack step + When I launch a "nmap-fast" attack + Then the output should match /80.tcp\s+open/ + + Scenario: Verify server is open on expected set of ports using the nmap fast flag + When I launch an "nmap" attack with: + """ + nmap -F + """ + Then the output should match: + """ + 80/tcp\s+open + """ + + Scenario: Verify that there are no unexpected ports open + When I launch an "nmap" attack with: + """ + nmap -F + """ + Then the output should not contain: + """ + 22/tcp + 25/tcp + """ + + Scenario: Output to XML + When I launch an "nmap" attack with: + """ + nmap -p 80,443 -oX foo.xml + """ + And the file "foo.xml" should contain XML: + | css | + | ports port[protocol="tcp"][portid="80"] state[state="open"] | + And the file "foo.xml" should not contain XML: + | css | + | ports port[protocol="tcp"][portid="123"] state[state="open"] | + | ports port[protocol="tcp"][portid="443"] state[state="open"] | + diff --git a/gauntlt/os_detection.attack b/gauntlt/os_detection.attack new file mode 100644 index 0000000..c47d084 --- /dev/null +++ b/gauntlt/os_detection.attack @@ -0,0 +1,18 @@ +Feature: OS detection + + Background: + Given "nmap" is installed + And the following profile: + | name | value | + | hostname | scanme.nmap.org | + + @slow + Scenario: Detect OS + When I launch an "nmap" attack with: + """ + nmap -sV -p80 -PN + """ + Then the output should contain: + """ + Apache + """ diff --git a/gauntlt/readme.md b/gauntlt/readme.md new file mode 100644 index 0000000..c415246 --- /dev/null +++ b/gauntlt/readme.md 
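Review bot: Both attack files added here pin `hostname` to scanme.nmap.org in the profile, so when this runs inside the bake the scan goes to a third-party host on the public internet and every assertion describes that host rather than the image being built; os_detection.attack in this same commit does the same and additionally asserts on that host's `Apache` banner under a feature named "OS detection" although `-sV` is service/version detection. Point the profile at the host under test (the feature line itself says to change the value) or feed it from the environment as simple-env-var.attack does. The "Output to XML" scenario also asserts that port 443 is *not* open, which holds for scanme.nmap.org but would fail against a web server meant to serve HTTPS — confirm that is the intended contract before this is used as a gate. As rendered here the nmap commands carry no target argument; if the committed file really has none, nmap refuses to scan and these scenarios fail (gauntlt's profile placeholders may simply have been lost in rendering).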
@@ -0,0 +1,5 @@ +##Attacks + +NMAP attacks taken from here: + +https://github.com/gauntlt/gauntlt/tree/master/examples/nmap diff --git a/gauntlt/simple-env-var.attack b/gauntlt/simple-env-var.attack new file mode 100644 index 0000000..4b76788 --- /dev/null +++ b/gauntlt/simple-env-var.attack @@ -0,0 +1,25 @@ +@slow +Feature: simple nmap attack (sanity check) + + Background: + Given "nmap" is installed + + And the following environment variables: + | name | environment_variable_name | + | hostname | TEST_HOSTNAME | + + And the following profile: + | name | value | + | https_port | 443 | + | http_port | 80 | + + Scenario: Verify server is available on standard web ports + When I launch an "nmap" attack with: + """ + nmap -p , + """ + Then the output should match /80.tcp\s+open/ + And the output should not match: + """ + 443/tcp\s+open + """ From 7e45f27d0d87bf0aee0cc2aa510d4126f2a5b299 Mon Sep 17 00:00:00 2001 From: Richard Bullington-McGuire Date: Wed, 3 Apr 2019 13:02:57 -0400 Subject: [PATCH 05/53] Refactor Vagrant scripts and readme for gauntlt --- Vagrantfile | 12 +----------- bin/install-gauntlt.sh | 39 +++++++++++++++++++++++++++++++++++++++ gauntlt/readme.md | 8 ++++++++ 3 files changed, 48 insertions(+), 11 deletions(-) create mode 100644 bin/install-gauntlt.sh diff --git a/Vagrantfile b/Vagrantfile index 2f84769..9ba5f5a 100644 --- a/Vagrantfile +++ b/Vagrantfile 
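Review bot: `nmap -p ,` in the only scenario passes an empty port list: the profile defines `https_port` and `http_port` but the command as shown interpolates neither, so nmap gets nothing to scan on (if the committed file really lacks gauntlt's placeholders rather than their being lost in rendering, it should read `nmap -p <https_port>,<http_port> <hostname>`). The `hostname` is taken from the `TEST_HOSTNAME` environment variable, and nothing else in this series exports it for the Vagrant provisioner or the Ansible task that later runs gauntlt; the sample gauntlt-results.txt committed in PATCH 12/53 shows this exact scenario erroring with `no implicit conversion of nil into String`, consistent with an unset hostname. Either export `TEST_HOSTNAME` wherever gauntlt is invoked or give this attack a profile fallback.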
@@ -3,16 +3,6 @@ Vagrant.configure("2") do |config|
 config.vm.synced_folder ".", "/app"
 config.vm.provision "shell", inline: "/app/bin/install-ansible.sh", upload_path: "/home/vagrant/install-ansible.sh"
 config.vm.provision "shell", inline: "cd /app/ansible && ansible-playbook -l localhost bakery.yml app-AfterInstall.yml app-StartServer.yml", upload_path: "/home/vagrant/apl.sh"
- config.vm.provision "shell", inline: "curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -"
- config.vm.provision "shell", inline: "curl -sSL https://rvm.io/pkuczynski.asc | gpg2 --import -"
- config.vm.provision "shell", inline: "curl -L get.rvm.io | bash -s stable"
- config.vm.provision "shell", inline: "source /etc/profile.d/rvm.sh"
- config.vm.provision "shell", inline: "rvm reload"
- config.vm.provision "shell", inline: "rvm requirements run"
- config.vm.provision "shell", inline: "rvm install 2.6"
- config.vm.provision "shell", inline: "rvm alias create default ruby-2.6.0"
- config.vm.provision "shell", inline: "rvm list && rvm use 2.6 --default && ruby --version"
- config.vm.provision "shell", inline: "yum -y install ruby-devel && gem install gauntlt"
- config.vm.provision "shell", inline: "yum -y install nmap"
+ config.vm.provision "shell", inline: "/app/bin/install-gauntlt.sh", upload_path: "/home/vagrant/install-gauntlt.sh"
 config.vm.network "forwarded_port", guest: 80, host: 6080, auto_correct: true
 end
diff --git a/bin/install-gauntlt.sh b/bin/install-gauntlt.sh
new file mode 100644
index 0000000..2c1739b
--- /dev/null
+++ b/bin/install-gauntlt.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# Install rvm
+# Set bash unofficial strict mode http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -euo pipefail
+IFS=$'\n\t'
+
+# Set DEBUG to true for enhanced debugging: run prefixed with "DEBUG=true"
+${DEBUG:-false} && set -vx
+# Credit to https://stackoverflow.com/a/17805088
+# and http://wiki.bash-hackers.org/scripting/debuggingtips
+export PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
+
+function quick_yum_install() {
+ declare package
+ package=${1?"You must specify a package to install"}
+ if ! rpm -q "$package" > /dev/null; then
+ sudo yum -y -q install "$package"
+ fi
+}
+
+quick_yum_install ruby-devel
+quick_yum_install nmap
+
+if [[ ! -f /etc/profile.d/rvm.sh ]]; then
+ curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -
+ curl -sSL https://rvm.io/pkuczynski.asc | gpg2 --import -
+ curl -L get.rvm.io | bash -s stable
+ #shellcheck disable=SC1091
+ source /etc/profile.d/rvm.sh
+ rvm reload
+ rvm requirements run
+ rvm install 2.6.0
+fi
+rvm alias create default ruby-2.6.0
+rvm list
+rvm use 2.6 --default
+ruby --version
+
+gem list gauntlt || gem install gauntlt
diff --git a/gauntlt/readme.md b/gauntlt/readme.md
index c415246..65b4825 100644
--- a/gauntlt/readme.md
+++ b/gauntlt/readme.md
@@ -1,3 +1,11 @@
+# Running gauntlt
+
+## Vagrant
+You can run gauntlt through Vagrant:
+
+ vagrant up --provision
+ vagrant ssh -c "cd /app/gauntlt && gauntlt"
+
 ##Attacks

 NMAP attacks taken from here:

From f3a00cf680e05947e4a0a26980bb52be7d64ecd1 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Wed, 3 Apr 2019 13:26:05 -0400
Subject: [PATCH 06/53] Fix file permissions

---
 bin/install-gauntlt.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 bin/install-gauntlt.sh

diff --git a/bin/install-gauntlt.sh b/bin/install-gauntlt.sh
old mode 100644
new mode 100755

From c9ef9e98c4507f6ac780b42c7ed6564fc842d1c4 Mon Sep 17 00:00:00 2001
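Review bot: `gem list gauntlt || gem install gauntlt` on the last line never reaches the install: `gem list` exits 0 whether or not anything matches, so the `||` branch is dead and gauntlt is only present if the image already had it. `gem list -i gauntlt > /dev/null || gem install gauntlt` gives an exit status that reflects presence. The `curl -L get.rvm.io | bash -s stable` line fetches the RVM bootstrap over plain HTTP (no scheme) and runs it unverified despite the two GPG keys imported just above it; `https://get.rvm.io` at least protects the first stage in transit. On a re-run where /etc/profile.d/rvm.sh already exists the script skips the `source`, so the following `rvm alias`/`rvm use` lines depend on rvm already being on PATH in a non-interactive shell, which is unlikely to hold.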
From: Richard Bullington-McGuire
Date: Wed, 3 Apr 2019 13:58:42 -0400
Subject: [PATCH 07/53] Fix up rvm install, make gauntlt install first

---
 Vagrantfile | 2 +-
 bin/install-gauntlt.sh | 27 ++++++++++++++++++++++++---
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/Vagrantfile b/Vagrantfile
index 9ba5f5a..abb4d43 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -2,7 +2,7 @@ Vagrant.configure("2") do |config|
 config.vm.box = "bento/centos-7.5"
 config.vm.synced_folder ".", "/app"
 config.vm.provision "shell", inline: "/app/bin/install-ansible.sh", upload_path: "/home/vagrant/install-ansible.sh"
- config.vm.provision "shell", inline: "cd /app/ansible && ansible-playbook -l localhost bakery.yml app-AfterInstall.yml app-StartServer.yml", upload_path: "/home/vagrant/apl.sh"
 config.vm.provision "shell", inline: "/app/bin/install-gauntlt.sh", upload_path: "/home/vagrant/install-gauntlt.sh"
+ config.vm.provision "shell", inline: "cd /app/ansible && ansible-playbook -l localhost bakery.yml app-AfterInstall.yml app-StartServer.yml", upload_path: "/home/vagrant/apl.sh"
 config.vm.network "forwarded_port", guest: 80, host: 6080, auto_correct: true
 end
diff --git a/bin/install-gauntlt.sh b/bin/install-gauntlt.sh
index 2c1739b..4e44be6 100755
--- a/bin/install-gauntlt.sh
+++ b/bin/install-gauntlt.sh
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
-# Install rvm
+# Install gauntlt using rvm
+
 # Set bash unofficial strict mode http://redsymbol.net/articles/unofficial-bash-strict-mode/
 set -euo pipefail
 IFS=$'\n\t'
@@ -10,6 +11,11 @@ ${DEBUG:-false} && set -vx
 # and http://wiki.bash-hackers.org/scripting/debuggingtips
 export PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'

+# Credit to http://stackoverflow.com/a/246128/424301
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+#shellcheck disable=SC1090
+. "$DIR/common.sh"
+
 function quick_yum_install() {
 declare package
 package=${1?"You must specify a package to install"}
@@ -25,15 +31,30 @@ if [[ ! -f /etc/profile.d/rvm.sh ]]; then
 curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -
 curl -sSL https://rvm.io/pkuczynski.asc | gpg2 --import -
 curl -L get.rvm.io | bash -s stable
+ # rvm hates the bash options -eu
+ set +eu
 #shellcheck disable=SC1091
 source /etc/profile.d/rvm.sh
 rvm reload
 rvm requirements run
- rvm install 2.6.0
+else
+ echo "rvm already installed"
 fi
+# rvm hates the bash options -eu
+set +eu
+#shellcheck disable=SC1091
+source /etc/profile.d/rvm.sh
+rvm reload
+rvm install 2.6.0
 rvm alias create default ruby-2.6.0
 rvm list
 rvm use 2.6 --default
+set -eu
+if is_ec2; then
+ usermod -a -G rvm centos
+else
+ usermod -a -G rvm vagrant
+fi
 ruby --version

-gem list gauntlt || gem install gauntlt
+gem list gauntlt || gem install gauntlt --no-ri --no-rdoc

From 6a6b6e82ef4ad4226f6e00ac0800920174ca3b62 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Wed, 3 Apr 2019 17:16:37 -0400
Subject: [PATCH 08/53] Remove redundant invocation

---
 Vagrantfile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Vagrantfile b/Vagrantfile
index abb4d43..d5eaffa 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -2,7 +2,6 @@ Vagrant.configure("2") do |config|
 config.vm.box = "bento/centos-7.5"
 config.vm.synced_folder ".", "/app"
 config.vm.provision "shell", inline: "/app/bin/install-ansible.sh", upload_path: "/home/vagrant/install-ansible.sh"
- config.vm.provision "shell", inline: "/app/bin/install-gauntlt.sh", upload_path: "/home/vagrant/install-gauntlt.sh"
 config.vm.provision "shell", inline: "cd /app/ansible && ansible-playbook -l localhost bakery.yml app-AfterInstall.yml app-StartServer.yml", upload_path: "/home/vagrant/apl.sh"
 config.vm.network "forwarded_port", guest: 80, host: 6080, auto_correct: true
 end

From 67da7b2e75ff62bf8aaabb1f8ea9866c3f924fa5 Mon Sep 17 00:00:00 2001
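Review bot: `gem install gauntlt --no-ri --no-rdoc` on the last line uses options that RubyGems 3, which ships with the Ruby 2.6 installed a few lines above, no longer accepts; `gem install gauntlt --no-document` is the supported spelling, and the `gem list gauntlt ||` guard in front of it is still ineffective because `gem list` exits 0 even when nothing matches. The `set +eu` window now extends from the rvm `source` through `rvm install 2.6.0`, `rvm alias create` and `rvm use`, so a failed Ruby install no longer stops the script and `usermod -a -G rvm ...` plus the gem install run regardless; re-enable `-e` right after the `source` or test `rvm install`'s status explicitly. `is_ec2` is not defined in this file and presumably comes from the common.sh sourced in the previous hunk — worth confirming.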
From: Richard Bullington-McGuire
Date: Wed, 3 Apr 2019 18:31:52 -0400
Subject: [PATCH 09/53] Put install back in, add debug code, gem better

---
 Vagrantfile | 1 +
 bin/install-gauntlt.sh | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Vagrantfile b/Vagrantfile
index d5eaffa..eeda2ac 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -1,6 +1,7 @@
 Vagrant.configure("2") do |config|
 config.vm.box = "bento/centos-7.5"
 config.vm.synced_folder ".", "/app"
+ config.vm.provision "shell", inline: "/app/bin/install-gauntlt.sh", upload_path: "/home/vagrant/install-gauntlt.sh"
 config.vm.provision "shell", inline: "/app/bin/install-ansible.sh", upload_path: "/home/vagrant/install-ansible.sh"
 config.vm.provision "shell", inline: "cd /app/ansible && ansible-playbook -l localhost bakery.yml app-AfterInstall.yml app-StartServer.yml", upload_path: "/home/vagrant/apl.sh"
 config.vm.network "forwarded_port", guest: 80, host: 6080, auto_correct: true
diff --git a/bin/install-gauntlt.sh b/bin/install-gauntlt.sh
index 4e44be6..3c60aec 100755
--- a/bin/install-gauntlt.sh
+++ b/bin/install-gauntlt.sh
@@ -21,6 +21,8 @@ function quick_yum_install() {
 package=${1?"You must specify a package to install"}
 if ! rpm -q "$package" > /dev/null; then
 sudo yum -y -q install "$package"
+ else
+ echo "$package already installed, skipping"
 fi
 }

@@ -57,4 +59,6 @@ else
 fi
 ruby --version

-gem list gauntlt || gem install gauntlt --no-ri --no-rdoc
+if ! (gem list gauntlt | grep gauntlt > /dev/null); then
+ gem install gauntlt --no-ri --no-rdoc
+fi

From bb42a2e8dbd8c86084393968327b88574015a10f Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Wed, 3 Apr 2019 20:13:17 -0400
Subject: [PATCH 10/53] Install guntlt properly with no rdoc or ri

---
 bin/install-gauntlt.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/bin/install-gauntlt.sh b/bin/install-gauntlt.sh
index 3c60aec..843d51c 100755
--- a/bin/install-gauntlt.sh
+++ b/bin/install-gauntlt.sh
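Review bot: `gem list gauntlt | grep gauntlt` in the second install-gauntlt.sh hunk is a substring match twice over — `gem list` treats its argument as a regexp and `grep` accepts any line containing the text — so any installed gem whose name contains `gauntlt` satisfies the check and the real gem is never installed. `gem list -i -e gauntlt > /dev/null` does an exact, exit-status-based presence check without the subshell or grep. The `--no-ri --no-rdoc` options on the install line are still ones RubyGems 3 rejects, so when the branch is taken it fails. In the first hunk, `echo "$package already installed, skipping"` sends status to stdout where it mixes with any output a caller captures; `>&2` keeps it a diagnostic.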
@@ -60,5 +60,6 @@ fi
 ruby --version

 if ! (gem list gauntlt | grep gauntlt > /dev/null); then
- gem install gauntlt --no-ri --no-rdoc
+ echo 'gem: --no-rdoc --no-ri' > ~/.gemrc
+ gem install gauntlt
 fi

From 381b9e730dddd64f90b0a5103bcdbc0303ec3606 Mon Sep 17 00:00:00 2001
From: rpigu-i <8628078+rpigu-i@users.noreply.github.com>
Date: Tue, 6 Aug 2019 14:48:00 -0400
Subject: [PATCH 11/53] Added support for gauntlt report

---
 Jenkinsfile | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/Jenkinsfile b/Jenkinsfile
index 5e981fc..cd04adb 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -175,6 +175,14 @@ if (params.Run_Packer) {
 reportFiles: 'scan-xccdf-results.html',
 reportName: "OpenSCAP Report"
 ])
+ publishHTML (target: [
+ allowMissing: true,
+ alwaysLinkToLastBuild: false,
+ keepAll: true,
+ reportDir: 'build',
+ reportFiles: 'gauntlt-results.txt',
+ reportName: "Gauntlt Report"
+ ])
 })
 }
 }

From 84f2f88fca354766c10516054494f5b9c417483a Mon Sep 17 00:00:00 2001
From: rpigu-i <8628078+rpigu-i@users.noreply.github.com>
Date: Tue, 6 Aug 2019 14:48:56 -0400
Subject: [PATCH 12/53] Ansible gauntlt playbook and example results

---
 ansible/bakery.yml | 1 +
 ansible/gauntlt-results.txt | 102 +++++++++++++++++++
 ansible/roles/scan-gauntlt/README.md | 0
 ansible/roles/scan-gauntlt/defaults/main.yml | 6 ++
 ansible/roles/scan-gauntlt/meta/main.yml | 14 +++
 ansible/roles/scan-gauntlt/tasks/main.yml | 12 +++
 6 files changed, 135 insertions(+)
 create mode 100644 ansible/gauntlt-results.txt
 create mode 100644 ansible/roles/scan-gauntlt/README.md
 create mode 100644 ansible/roles/scan-gauntlt/defaults/main.yml
 create mode 100644 ansible/roles/scan-gauntlt/meta/main.yml
 create mode 100644 ansible/roles/scan-gauntlt/tasks/main.yml

diff --git a/ansible/bakery.yml b/ansible/bakery.yml
index e7d1649..c03607c 100644
--- a/ansible/bakery.yml
+++ b/ansible/bakery.yml
@@ -43,3 +43,4 @@
 - extra-cis-remediation
 #- MindPointGroup.RHEL7-CIS
 - scan-openscap
+ - scan-gauntlt
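Review bot: `echo 'gem: --no-rdoc --no-ri' > ~/.gemrc` overwrites whatever `.gemrc` the invoking user already had, and since Vagrant shell provisioners run privileged by default that file is `/root/.gemrc`, so a persistent change to the image's root account is made just to pass one install flag. Pass the option on the command line instead, `gem install gauntlt --no-document`, which is the form RubyGems 3 recognises, and leave the user's configuration alone; if a gemrc is genuinely wanted, `gem: --no-document` is the current spelling and it should be appended rather than clobbered.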
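Review bot: `allowMissing: true` together with `reportFiles: 'gauntlt-results.txt'` means a build in which gauntlt never ran or never wrote its report still publishes cleanly, so a silently skipped security scan is indistinguishable from a passed one on the job page; for a scan that is meant to gate the image, `allowMissing: false` is the safer setting. publishHTML also serves the `.txt` as if it were HTML, so the plain-text cucumber output renders unformatted; either wrap the output so the report is real HTML or keep the text file with `archiveArtifacts` instead. The enclosing closure starts and ends outside this hunk.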
diff --git a/ansible/gauntlt-results.txt b/ansible/gauntlt-results.txt
new file mode 100644
index 0000000..fc25590
--- /dev/null
+++ b/ansible/gauntlt-results.txt
@@ -0,0 +1,102 @@ +Feature: OS detection + + Background: # /app/gauntlt/os_detection.attack:3 + Given "nmap" is installed # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:4 + And the following profile: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:9 + | name | value | + | hostname | scanme.nmap.org | + + @slow + Scenario: Detect OS # /app/gauntlt/os_detection.attack:10 + When I launch an "nmap" attack with: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8 + """ + nmap -sV -p80 -PN + """ + Then the output should contain: # aruba-0.7.4/lib/aruba/cucumber.rb:182 + """ + Apache + """ + +@slow +Feature: nmap attacks for scanme.nmap.org and to use this for your tests, change the value in the profile + + Background: # /app/gauntlt/nmap.attack:4 + Given "nmap" is installed # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:4 + And the following profile: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:9 + | name | value | + | hostname | scanme.nmap.org | + | host | scanme.nmap.org | + | tcp_ping_ports | 22,25,80,443 | + + Scenario: Verify server is open on expected set of ports using the nmap-fast attack step # /app/gauntlt/nmap.attack:12 +Checking nmap-fast and nmap-fastRunning a nmap-fast attack. This attack has this description: + This is a fast nmap scan that should run in 10 seconds or less on most networks. It looks for the most common ports and services. 
+ When I launch a "nmap-fast" attack # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:12 + Then the output should match /80.tcp\s+open/ # aruba-0.7.4/lib/aruba/cucumber.rb:206 + + Scenario: Verify server is open on expected set of ports using the nmap fast flag # /app/gauntlt/nmap.attack:16 + When I launch an "nmap" attack with: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8 + """ + nmap -F + """ + Then the output should match: # aruba-0.7.4/lib/aruba/cucumber.rb:210 + """ + 80/tcp\s+open + """ + + Scenario: Verify that there are no unexpected ports open # /app/gauntlt/nmap.attack:26 + When I launch an "nmap" attack with: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8 + """ + nmap -F + """ + Then the output should not contain: # aruba-0.7.4/lib/aruba/cucumber.rb:186 + """ + 22/tcp + 25/tcp + """ + + Scenario: Output to XML # /app/gauntlt/nmap.attack:37 + When I launch an "nmap" attack with: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8 + """ + nmap -p 80,443 -oX foo.xml + """ + And the file "foo.xml" should contain XML: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:15 + | css | + | ports port[protocol="tcp"][portid="80"] state[state="open"] | + And the file "foo.xml" should not contain XML: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:21 + | css | + | ports port[protocol="tcp"][portid="123"] state[state="open"] | + | ports port[protocol="tcp"][portid="443"] state[state="open"] | + +@slow +Feature: simple nmap attack (sanity check) + + Background: # /app/gauntlt/simple-env-var.attack:4 + Given "nmap" is installed # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:4 + And the following environment variables: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:3 + | name | environment_variable_name | + | hostname | TEST_HOSTNAME | + And the following profile: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:9 + | name | value | + | https_port | 443 | + | http_port | 80 | + + Scenario: Verify server is 
available on standard web ports # /app/gauntlt/simple-env-var.attack:16 + When I launch an "nmap" attack with: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8 + """ + nmap -p , + """ + no implicit conversion of nil into String (TypeError) + /app/gauntlt/simple-env-var.attack:17:in `When I launch an "nmap" attack with:' + Then the output should match /80.tcp\s+open/ # aruba-0.7.4/lib/aruba/cucumber.rb:206 + And the output should not match: # aruba-0.7.4/lib/aruba/cucumber.rb:219 + """ + 443/tcp\s+open + """ + +Failing Scenarios: +cucumber /app/gauntlt/simple-env-var.attack:16 # Scenario: Verify server is available on standard web ports + +6 scenarios (1 failed, 5 passed) +27 steps (1 failed, 2 skipped, 24 passed) +0m14.558s diff --git a/ansible/roles/scan-gauntlt/README.md b/ansible/roles/scan-gauntlt/README.md new file mode 100644 index 0000000..e69de29 diff --git a/ansible/roles/scan-gauntlt/defaults/main.yml b/ansible/roles/scan-gauntlt/defaults/main.yml new file mode 100644 index 0000000..47f9d64 --- /dev/null +++ b/ansible/roles/scan-gauntlt/defaults/main.yml @@ -0,0 +1,6 @@ +--- + +gauntlt_version: "1.0.8" +build_dir: /app/build +gauntlt_attacks: /app/gauntlt/*.attack +output_file_html: gauntlt-results.txt diff --git a/ansible/roles/scan-gauntlt/meta/main.yml b/ansible/roles/scan-gauntlt/meta/main.yml new file mode 100644 index 0000000..6bbb75f --- /dev/null +++ b/ansible/roles/scan-gauntlt/meta/main.yml @@ -0,0 +1,14 @@ +--- +dependencies: [] + +galaxy_info: + author: "rpigu-i" + description: "Gauntlt installation role for EC2" + company: "Modus Create" + license: "license (MIT)" + min_ansible_version: 1.2 + galaxy_tags: + - security + - gauntlt + - DevSecOps + - InfoSec diff --git a/ansible/roles/scan-gauntlt/tasks/main.yml b/ansible/roles/scan-gauntlt/tasks/main.yml new file mode 100644 index 0000000..f67537f --- /dev/null +++ b/ansible/roles/scan-gauntlt/tasks/main.yml 
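Review bot: `gauntlt_version: "1.0.8"` in defaults/main.yml is declared but nothing in the role's tasks file added by this commit references it, and the gem is installed unpinned by bin/install-gauntlt.sh — the sample gauntlt-results.txt committed alongside even reports gauntlt-1.0.13 — so the variable documents a version that is not the one in use. Either wire it into the install, e.g. a task running `gem install gauntlt -v "{{ gauntlt_version }}"`, or drop it. `output_file_html: gauntlt-results.txt` names a plain-text file, so the `_html` suffix misleads whoever wires the Jenkins publisher to it.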
@@ -0,0 +1,12 @@
+---
+# tasks file for scan-gauntlt
+
+
+- name: Ensure build directory exists
+ file:
+ path: "{{ build_dir }}"
+ state: directory
+ mode: 0775
+
+- name: Scan using gauntlt
+ shell: gauntlt "{{ gauntlt_attacks }}" | cat >> "{{ output_file_html }}"

From 21019f92d0ab3cc7ad6ded5cda4cd3cc4c954d90 Mon Sep 17 00:00:00 2001
From: rpigu-i <8628078+rpigu-i@users.noreply.github.com>
Date: Tue, 6 Aug 2019 14:49:39 -0400
Subject: [PATCH 13/53] Add into packer esecution of gauntlt install shell script

---
 packer/machines/web-server.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json
index 461d40d..6aad513 100644
--- a/packer/machines/web-server.json
+++ b/packer/machines/web-server.json
@@ -46,6 +46,7 @@
 {
 "type": "shell",
 "inline": [
+ "bash /app/bin/install-gauntlt.sh",
 "bash /app/bin/install-ansible.sh",
 "ansible-playbook -l localhost /app/ansible/bakery.yml",
 "bash /app/bin/scan.sh"

From d20df03bf43707c3ed3f3d3c9435675dc48619b1 Mon Sep 17 00:00:00 2001
From: rpigu-i <8628078+rpigu-i@users.noreply.github.com>
Date: Tue, 6 Aug 2019 15:39:03 -0400
Subject: [PATCH 14/53] run guantlt provisioning script as sudo

---
 packer/machines/web-server.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json
index 6aad513..39007cf 100644
--- a/packer/machines/web-server.json
+++ b/packer/machines/web-server.json
@@ -47,7 +47,7 @@
 "type": "shell",
 "inline": [
 "bash /app/bin/install-gauntlt.sh",
- "bash /app/bin/install-ansible.sh",
+ "sudo bash /app/bin/install-ansible.sh",
 "ansible-playbook -l localhost /app/ansible/bakery.yml",
 "bash /app/bin/scan.sh"
 ]

From 0be3ec610da4b368685e61b264caac03e7a68f68 Mon Sep 17 00:00:00 2001
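Review bot: `shell: gauntlt "{{ gauntlt_attacks }}" | cat >> "{{ output_file_html }}"` discards gauntlt's exit status — the pipeline's status is `cat`'s, and Ansible's `shell` runs under /bin/sh with no pipefail — so the task reports ok even when attacks fail; the sample results committed in this same series show 1 failed scenario with nothing surfacing. Drop the pipe so the status is gauntlt's own, `shell: gauntlt "{{ gauntlt_attacks }}" >> "{{ output_file_html }}"`, or run under bash with `set -o pipefail` via `args: executable: /bin/bash`. The report is also written relative to the task's working directory rather than under `build_dir`, and `>>` accumulates output across repeated bakes in one file.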
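Review bot: `"bash /app/bin/install-gauntlt.sh"` in the PATCH 13/53 hunk runs the script unprivileged, yet at this point the script calls `usermod -a -G rvm ...`, which needs root, and keys its rvm detection on /etc/profile.d/rvm.sh, which only a root (multi-user) rvm install creates, so an unprivileged run both fails at usermod and re-triggers the install on every bake. The PATCH 14/53 hunk below then adds `sudo` to the install-ansible line instead of this one, contrary to its own subject, and a later commit swaps them back; settle it in one change — `"sudo bash /app/bin/install-gauntlt.sh"` here — or have the script escalate itself.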
From: rpigu-i <8628078+rpigu-i@users.noreply.github.com>
Date: Tue, 6 Aug 2019 15:48:33 -0400
Subject: [PATCH 15/53] Fix sudo and add to correct place

---
 packer/machines/web-server.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json
index 39007cf..ffeb488 100644
--- a/packer/machines/web-server.json
+++ b/packer/machines/web-server.json
@@ -46,8 +46,8 @@
 {
 "type": "shell",
 "inline": [
- "bash /app/bin/install-gauntlt.sh",
- "sudo bash /app/bin/install-ansible.sh",
+ "sudo bash /app/bin/install-gauntlt.sh",
+ "bash /app/bin/install-ansible.sh",
 "ansible-playbook -l localhost /app/ansible/bakery.yml",
 "bash /app/bin/scan.sh"
 ]

From 2bbd91f96506b310e107b2dedba9f9ed69c44013 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Tue, 6 Aug 2019 16:20:11 -0400
Subject: [PATCH 16/53] Put in root checks, refactor functions

---
 bin/common.sh | 17 +++++++++++++++++
 bin/install-ansible.sh | 13 ++++++-------
 bin/install-gauntlt.sh | 13 ++-----------
 packer/machines/web-server.json | 2 +-
 4 files changed, 26 insertions(+), 19 deletions(-)

diff --git a/bin/common.sh b/bin/common.sh
index 5baddf6..59d8f1a 100755
--- a/bin/common.sh
+++ b/bin/common.sh
@@ -85,3 +85,20 @@ function get_docker_shellcheck() {
 echo "docker run --rm -i ${USE_TTY} -v $(pwd):/mnt koalaman/shellcheck"
 }

+function ensure_root () {
+ # Thanks Unix Stack Exchange https://unix.stackexchange.com/a/389407
+ if ((EUID != 0)); then
+ echo >&2 "Error: script not running as root or with sudo! Exiting..."
+ exit 1
+ fi
+}
+
+function quick_yum_install() {
+ declare package
+ package=${1?"You must specify a package to install"}
+ if ! rpm -q "$package" > /dev/null; then
+ yum -y -q install "$package"
+ else
+ echo "$package already installed, skipping" >&2
+ fi
+}
diff --git a/bin/install-ansible.sh b/bin/install-ansible.sh
index 585ae0c..6c78eac 100755
--- a/bin/install-ansible.sh
+++ b/bin/install-ansible.sh
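Review bot: `function ensure_root () {` and `function quick_yum_install() {` are spelled two different ways in the same common.sh hunk; the file's existing `function get_docker_shellcheck() {` sets the convention, so `function ensure_root() {` keeps it uniform. `quick_yum_install` now invokes `yum` directly, which is consistent with gating callers on `ensure_root`, but the two functions are independent: a caller that forgets `ensure_root` gets an opaque yum permission failure instead of the explicit message, so having `quick_yum_install` call `ensure_root` itself (or repeat the `((EUID != 0))` test) would make it self-contained.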
@@ -11,13 +11,12 @@ ${DEBUG:-false} && set -vx # and http://wiki.bash-hackers.org/scripting/debuggingtips export PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' -function quick_yum_install() { - declare package - package=${1?"You must specify a package to install"} - if ! rpm -q "$package" > /dev/null; then - sudo yum -y -q install "$package" - fi -} +# Credit to http://stackoverflow.com/a/246128/424301 +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +#shellcheck disable=SC1090 +. "$DIR/common.sh" + +ensure_root quick_yum_install epel-release quick_yum_install ansible quick_yum_install git diff --git a/bin/install-gauntlt.sh b/bin/install-gauntlt.sh index 843d51c..52b8f08 100755 --- a/bin/install-gauntlt.sh +++ b/bin/install-gauntlt.sh @@ -16,16 +16,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" #shellcheck disable=SC1090 . "$DIR/common.sh" -function quick_yum_install() { - declare package - package=${1?"You must specify a package to install"} - if ! rpm -q "$package" > /dev/null; then - sudo yum -y -q install "$package" - else - echo "$package already installed, skipping" - fi -} - +ensure_root quick_yum_install ruby-devel quick_yum_install nmap @@ -40,7 +31,7 @@ if [[ ! -f /etc/profile.d/rvm.sh ]]; then rvm reload rvm requirements run else - echo "rvm already installed" + echo "rvm already installed" >&2 fi # rvm hates the bash options -eu set +eu diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json index ffeb488..82a6d57 100644 --- a/packer/machines/web-server.json +++ b/packer/machines/web-server.json @@ -47,7 +47,7 @@ "type": "shell", "inline": [ "sudo bash /app/bin/install-gauntlt.sh", - "bash /app/bin/install-ansible.sh", + "sudo bash /app/bin/install-ansible.sh", "ansible-playbook -l localhost /app/ansible/bakery.yml", "bash /app/bin/scan.sh" ] From c398e58a6851f1c2daf25eef395d9505208c6dae Mon Sep 17 00:00:00 2001 
From: rpigu-i <8628078+rpigu-i@users.noreply.github.com> Date: Tue, 6 Aug 2019 16:36:16 -0400 Subject: [PATCH 17/53] Add back in path to write report to buid dir --- ansible/roles/scan-gauntlt/defaults/main.yml | 2 +- ansible/roles/scan-gauntlt/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/scan-gauntlt/defaults/main.yml b/ansible/roles/scan-gauntlt/defaults/main.yml index 47f9d64..fb0556f 100644 --- a/ansible/roles/scan-gauntlt/defaults/main.yml +++ b/ansible/roles/scan-gauntlt/defaults/main.yml @@ -1,6 +1,6 @@ --- gauntlt_version: "1.0.8" -build_dir: /app/build +build_dir: /app/build/ gauntlt_attacks: /app/gauntlt/*.attack output_file_html: gauntlt-results.txt diff --git a/ansible/roles/scan-gauntlt/tasks/main.yml b/ansible/roles/scan-gauntlt/tasks/main.yml index f67537f..2e1db5d 100644 --- a/ansible/roles/scan-gauntlt/tasks/main.yml +++ b/ansible/roles/scan-gauntlt/tasks/main.yml @@ -9,4 +9,4 @@ mode: 0775 - name: Scan using gauntlt - shell: gauntlt "{{ gauntlt_attacks }}" | cat >> "{{ output_file_html }}" + shell: gauntlt "{{ gauntlt_attacks }}" | cat >> "{{ build_dir}}""{{ output_file_html }}" From f19afa80275bbb078a576a18e6a3eb79c3a9ae2e Mon Sep 17 00:00:00 2001 From: Richard Bullington-McGuire Date: Tue, 6 Aug 2019 16:50:17 -0400 Subject: [PATCH 18/53] Be more sophisticated about sudo --- bin/common.sh | 4 +++- bin/install-ansible.sh | 1 - packer/machines/web-server.json | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/bin/common.sh b/bin/common.sh index 59d8f1a..398f38b 100755 --- a/bin/common.sh +++ b/bin/common.sh @@ -96,8 +96,10 @@ function ensure_root () { function quick_yum_install() { declare package package=${1?"You must specify a package to install"} + local sudo_maybe='' + ((EUID != 0)) && sudo_maybe='sudo' if ! rpm -q "$package" > /dev/null; then - yum -y -q install "$package" + $sudo_maybe yum -y -q install "$package" else echo "$package already installed, skipping" >&2 fi 
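Review bot: `"{{ build_dir}}""{{ output_file_html }}"` joins the two values only because the default `build_dir` was given a trailing `/` in the same commit; anyone overriding `build_dir` without that slash gets a file named `buildgauntlt-results.txt` in the working directory. Join with an explicit separator, `"{{ build_dir }}/{{ output_file_html }}"`, and keep the default as `/app/build` without the trailing slash.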
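Review bot: `$sudo_maybe yum -y -q install "$package"` will block waiting for a password when the non-root user has no passwordless sudo grant, which inside a Packer or Vagrant provisioner shows up as a hung build rather than an error. Use the non-interactive flag so a missing grant fails immediately: `((EUID != 0)) && sudo_maybe='sudo -n'`. `sudo_maybe` is deliberately left unquoted so an empty value disappears as a word; that deserves a comment (`# unquoted on purpose: empty value must expand to nothing`) since shellcheck will otherwise flag it.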
diff --git a/bin/install-ansible.sh b/bin/install-ansible.sh index 6c78eac..b0a82c4 100755 --- a/bin/install-ansible.sh +++ b/bin/install-ansible.sh @@ -16,7 +16,6 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" #shellcheck disable=SC1090 . "$DIR/common.sh" -ensure_root quick_yum_install epel-release quick_yum_install ansible quick_yum_install git diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json index 82a6d57..ffeb488 100644 --- a/packer/machines/web-server.json +++ b/packer/machines/web-server.json @@ -47,7 +47,7 @@ "type": "shell", "inline": [ "sudo bash /app/bin/install-gauntlt.sh", - "sudo bash /app/bin/install-ansible.sh", + "bash /app/bin/install-ansible.sh", "ansible-playbook -l localhost /app/ansible/bakery.yml", "bash /app/bin/scan.sh" ] From 647a13407fecd591d9ef55b1dd773673f77bbd20 Mon Sep 17 00:00:00 2001 From: Richard Bullington-McGuire Date: Tue, 6 Aug 2019 16:59:57 -0400 Subject: [PATCH 19/53] Try different build directory --- ansible/roles/scan-gauntlt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/scan-gauntlt/defaults/main.yml b/ansible/roles/scan-gauntlt/defaults/main.yml index 47f9d64..94a5e6f 100644 --- a/ansible/roles/scan-gauntlt/defaults/main.yml +++ b/ansible/roles/scan-gauntlt/defaults/main.yml @@ -1,6 +1,6 @@ --- gauntlt_version: "1.0.8" -build_dir: /app/build +build_dir: build gauntlt_attacks: /app/gauntlt/*.attack output_file_html: gauntlt-results.txt From bf8d21d1370e1d6a6b0f2182064ddefb911689d5 Mon Sep 17 00:00:00 2001 
From: Richard Bullington-McGuire Date: Tue, 6 Aug 2019 17:15:27 -0400 Subject: [PATCH 20/53] Reshuffle where scans occur --- Vagrantfile | 2 +- ansible/bakery.yml | 2 - ansible/gauntlt-results.txt | 204 ++++++++++++++++++++++++ ansible/scan-gauntlt.yml | 10 ++ ansible/{scan.yml => scan-openscap.yml} | 2 +- packer/machines/web-server.json | 3 +- 6 files changed, 217 insertions(+), 6 deletions(-) create mode 100644 ansible/scan-gauntlt.yml rename ansible/{scan.yml => scan-openscap.yml} (88%) diff --git a/Vagrantfile b/Vagrantfile index eeda2ac..d525fc8 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -3,6 +3,6 @@ Vagrant.configure("2") do |config| config.vm.synced_folder ".", "/app" config.vm.provision "shell", inline: "/app/bin/install-gauntlt.sh", upload_path: "/home/vagrant/install-gauntlt.sh" config.vm.provision "shell", inline: "/app/bin/install-ansible.sh", upload_path: "/home/vagrant/install-ansible.sh" - config.vm.provision "shell", inline: "cd /app/ansible && ansible-playbook -l localhost bakery.yml app-AfterInstall.yml app-StartServer.yml", upload_path: "/home/vagrant/apl.sh" + config.vm.provision "shell", inline: "cd /app/ansible && ansible-playbook -l localhost bakery.yml scan-openscap.yml scan-gauntlt.yml app-AfterInstall.yml app-StartServer.yml", upload_path: "/home/vagrant/apl.sh" config.vm.network "forwarded_port", guest: 80, host: 6080, auto_correct: true end diff --git a/ansible/bakery.yml b/ansible/bakery.yml index c03607c..fa91e1d 100644 --- a/ansible/bakery.yml +++ b/ansible/bakery.yml @@ -42,5 +42,3 @@ roles: - extra-cis-remediation #- MindPointGroup.RHEL7-CIS - - scan-openscap - - scan-gauntlt diff --git a/ansible/gauntlt-results.txt b/ansible/gauntlt-results.txt index fc25590..67d42c3 100644 --- a/ansible/gauntlt-results.txt +++ b/ansible/gauntlt-results.txt 
@@ -100,3 +100,207 @@ cucumber /app/gauntlt/simple-env-var.attack:16 # Scenario: Verify server is avai 6 scenarios (1 failed, 5 passed) 27 steps (1 failed, 2 skipped, 24 passed) 0m14.558s +Feature: OS detection + + Background: # /app/gauntlt/os_detection.attack:3 + Given "nmap" is installed # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:4 + And the following profile: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:9 + | name | value | + | hostname | scanme.nmap.org | + + @slow + Scenario: Detect OS # /app/gauntlt/os_detection.attack:10 + When I launch an "nmap" attack with: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8 + """ + nmap -sV -p80 -PN + """ + Then the output should contain: # aruba-0.7.4/lib/aruba/cucumber.rb:182 + """ + Apache + """ + +@slow +Feature: nmap attacks for scanme.nmap.org and to use this for your tests, change the value in the profile + + Background: # /app/gauntlt/nmap.attack:4 + Given "nmap" is installed # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:4 + And the following profile: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:9 + | name | value | + | hostname | scanme.nmap.org | + | host | scanme.nmap.org | + | tcp_ping_ports | 22,25,80,443 | + + Scenario: Verify server is open on expected set of ports using the nmap-fast attack step # /app/gauntlt/nmap.attack:12 +Checking nmap-fast and nmap-fastRunning a nmap-fast attack. This attack has this description: + This is a fast nmap scan that should run in 10 seconds or less on most networks. It looks for the most common ports and services. 
+ When I launch a "nmap-fast" attack # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:12 + Then the output should match /80.tcp\s+open/ # aruba-0.7.4/lib/aruba/cucumber.rb:206 + + Scenario: Verify server is open on expected set of ports using the nmap fast flag # /app/gauntlt/nmap.attack:16 + When I launch an "nmap" attack with: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8 + """ + nmap -F + """ + Then the output should match: # aruba-0.7.4/lib/aruba/cucumber.rb:210 + """ + 80/tcp\s+open + """ + + Scenario: Verify that there are no unexpected ports open # /app/gauntlt/nmap.attack:26 + When I launch an "nmap" attack with: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8 + """ + nmap -F + """ + Then the output should not contain: # aruba-0.7.4/lib/aruba/cucumber.rb:186 + """ + 22/tcp + 25/tcp + """ + + Scenario: Output to XML # /app/gauntlt/nmap.attack:37 + When I launch an "nmap" attack with: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8 + """ + nmap -p 80,443 -oX foo.xml + """ + And the file "foo.xml" should contain XML: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:15 + | css | + | ports port[protocol="tcp"][portid="80"] state[state="open"] | + And the file "foo.xml" should not contain XML: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:21 + | css | + | ports port[protocol="tcp"][portid="123"] state[state="open"] | + | ports port[protocol="tcp"][portid="443"] state[state="open"] | + +@slow +Feature: simple nmap attack (sanity check) + + Background: # /app/gauntlt/simple-env-var.attack:4 + Given "nmap" is installed # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:4 + And the following environment variables: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:3 + | name | environment_variable_name | + | hostname | TEST_HOSTNAME | + And the following profile: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:9 + | name | value | + | https_port | 443 | + | http_port | 80 | + + Scenario: Verify server is 
available on standard web ports # /app/gauntlt/simple-env-var.attack:16 + When I launch an "nmap" attack with: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8 + """ + nmap -p , + """ + no implicit conversion of nil into String (TypeError) + /app/gauntlt/simple-env-var.attack:17:in `When I launch an "nmap" attack with:' + Then the output should match /80.tcp\s+open/ # aruba-0.7.4/lib/aruba/cucumber.rb:206 + And the output should not match: # aruba-0.7.4/lib/aruba/cucumber.rb:219 + """ + 443/tcp\s+open + """ + +Failing Scenarios: +cucumber /app/gauntlt/simple-env-var.attack:16 # Scenario: Verify server is available on standard web ports + +6 scenarios (1 failed, 5 passed) +27 steps (1 failed, 2 skipped, 24 passed) +0m17.076s +Feature: OS detection + + Background: # /app/gauntlt/os_detection.attack:3 + Given "nmap" is installed # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:4 + And the following profile: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:9 + | name | value | + | hostname | scanme.nmap.org | + + @slow + Scenario: Detect OS # /app/gauntlt/os_detection.attack:10 + When I launch an "nmap" attack with: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8 + """ + nmap -sV -p80 -PN + """ + Then the output should contain: # aruba-0.7.4/lib/aruba/cucumber.rb:182 + """ + Apache + """ + +@slow +Feature: nmap attacks for scanme.nmap.org and to use this for your tests, change the value in the profile + + Background: # /app/gauntlt/nmap.attack:4 + Given "nmap" is installed # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:4 + And the following profile: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:9 + | name | value | + | hostname | scanme.nmap.org | + | host | scanme.nmap.org | + | tcp_ping_ports | 22,25,80,443 | + + Scenario: Verify server is open on expected set of ports using the nmap-fast attack step # /app/gauntlt/nmap.attack:12 +Checking nmap-fast and nmap-fastRunning a nmap-fast attack. 
This attack has this description: + This is a fast nmap scan that should run in 10 seconds or less on most networks. It looks for the most common ports and services. + When I launch a "nmap-fast" attack # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:12 + Then the output should match /80.tcp\s+open/ # aruba-0.7.4/lib/aruba/cucumber.rb:206 + + Scenario: Verify server is open on expected set of ports using the nmap fast flag # /app/gauntlt/nmap.attack:16 + When I launch an "nmap" attack with: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8 + """ + nmap -F + """ + Then the output should match: # aruba-0.7.4/lib/aruba/cucumber.rb:210 + """ + 80/tcp\s+open + """ + + Scenario: Verify that there are no unexpected ports open # /app/gauntlt/nmap.attack:26 + When I launch an "nmap" attack with: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8 + """ + nmap -F + """ + Then the output should not contain: # aruba-0.7.4/lib/aruba/cucumber.rb:186 + """ + 22/tcp + 25/tcp + """ + + Scenario: Output to XML # /app/gauntlt/nmap.attack:37 + When I launch an "nmap" attack with: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8 + """ + nmap -p 80,443 -oX foo.xml + """ + And the file "foo.xml" should contain XML: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:15 + | css | + | ports port[protocol="tcp"][portid="80"] state[state="open"] | + And the file "foo.xml" should not contain XML: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:21 + | css | + | ports port[protocol="tcp"][portid="123"] state[state="open"] | + | ports port[protocol="tcp"][portid="443"] state[state="open"] | + +@slow +Feature: simple nmap attack (sanity check) + + Background: # /app/gauntlt/simple-env-var.attack:4 + Given "nmap" is installed # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:4 + And the following environment variables: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:3 + | name | environment_variable_name | + | hostname | TEST_HOSTNAME | + And the following 
profile: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:9 + | name | value | + | https_port | 443 | + | http_port | 80 | + + Scenario: Verify server is available on standard web ports # /app/gauntlt/simple-env-var.attack:16 + When I launch an "nmap" attack with: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8 + """ + nmap -p , + """ + no implicit conversion of nil into String (TypeError) + /app/gauntlt/simple-env-var.attack:17:in `When I launch an "nmap" attack with:' + Then the output should match /80.tcp\s+open/ # aruba-0.7.4/lib/aruba/cucumber.rb:206 + And the output should not match: # aruba-0.7.4/lib/aruba/cucumber.rb:219 + """ + 443/tcp\s+open + """ + +Failing Scenarios: +cucumber /app/gauntlt/simple-env-var.attack:16 # Scenario: Verify server is available on standard web ports + +6 scenarios (1 failed, 5 passed) +27 steps (1 failed, 2 skipped, 24 passed) +0m14.169s diff --git a/ansible/scan-gauntlt.yml b/ansible/scan-gauntlt.yml new file mode 100644 index 0000000..a45b521 --- /dev/null +++ b/ansible/scan-gauntlt.yml @@ -0,0 +1,10 @@ +--- +# Thanks https://www.tricksofthetrades.net/2017/10/02/ansible-local-playbooks/ for +# the trick on installing locally using "hosts: 127.0.0.1" and "connection:local" + +- name: Scan Server with Gauntlt + hosts: 127.0.0.1 + connection: local + become: yes + roles: + - scan-gauntlt diff --git a/ansible/scan.yml b/ansible/scan-openscap.yml similarity index 88% rename from ansible/scan.yml rename to ansible/scan-openscap.yml index 79c1165..e9c3edf 100644 --- a/ansible/scan.yml +++ b/ansible/scan-openscap.yml @@ -2,7 +2,7 @@ # Thanks https://www.tricksofthetrades.net/2017/10/02/ansible-local-playbooks/ for # the trick on installing locally using "hosts: 127.0.0.1" and "connection:local" -- name: Scan Server +- name: Scan Server with OpenSCAP hosts: 127.0.0.1 connection: local become: yes diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json index ffeb488..8847180 100644 
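Review bot: `become: yes` at play level runs the whole scan-gauntlt role as root, yet the role's tasks visible in this series only create a directory and run gauntlt, whose attacks here drive nmap with `-F`/`-p` options that need no privileges. Running nmap as root also switches its default from a TCP connect scan to a SYN scan, so a root run and a non-root run of the same attack file are not directly comparable. Unless a later attack needs raw sockets, drop `become: yes` here and, if one task needs it, put `become` on that task alone.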
--- a/packer/machines/web-server.json +++ b/packer/machines/web-server.json @@ -48,8 +48,7 @@ "inline": [ "sudo bash /app/bin/install-gauntlt.sh", "bash /app/bin/install-ansible.sh", - "ansible-playbook -l localhost /app/ansible/bakery.yml", - "bash /app/bin/scan.sh" + "ansible-playbook -l localhost /app/ansible/bakery.yml /app/ansible/scan-openscap.yml /app/ansible/scan-gauntlt.yml" ] }, { From 9490000b6999ceb7b451812a6ee47aa0c6023857 Mon Sep 17 00:00:00 2001 From: Richard Bullington-McGuire Date: Tue, 6 Aug 2019 22:23:44 +0000 Subject: [PATCH 21/53] Changed up how scanning is done --- Jenkinsfile | 2 +- ansible/roles/scan-gauntlt/defaults/main.yml | 4 ++-- ansible/roles/scan-gauntlt/tasks/main.yml | 2 +- bin/install-gauntlt.sh | 10 ++++++---- bin/scan.sh | 2 +- 5 files changed, 11 insertions(+), 9 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index cd04adb..66c5af7 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -180,7 +180,7 @@ if (params.Run_Packer) { alwaysLinkToLastBuild: false, keepAll: true, reportDir: 'build', - reportFiles: 'gauntlt-results.txt', + reportFiles: 'gauntlt-results.html', reportName: "Gauntlt Report" ]) }) diff --git a/ansible/roles/scan-gauntlt/defaults/main.yml b/ansible/roles/scan-gauntlt/defaults/main.yml index 94a5e6f..c1b36d6 100644 --- a/ansible/roles/scan-gauntlt/defaults/main.yml +++ b/ansible/roles/scan-gauntlt/defaults/main.yml @@ -1,6 +1,6 @@ --- gauntlt_version: "1.0.8" -build_dir: build +build_dir: /app/build gauntlt_attacks: /app/gauntlt/*.attack -output_file_html: gauntlt-results.txt +output_file_html: gauntlt-results.html diff --git a/ansible/roles/scan-gauntlt/tasks/main.yml b/ansible/roles/scan-gauntlt/tasks/main.yml index 2e1db5d..5393fb9 100644 --- a/ansible/roles/scan-gauntlt/tasks/main.yml +++ b/ansible/roles/scan-gauntlt/tasks/main.yml 
@@ -9,4 +9,4 @@ mode: 0775 - name: Scan using gauntlt - shell: gauntlt "{{ gauntlt_attacks }}" | cat >> "{{ build_dir}}""{{ output_file_html }}" + shell: gauntlt -f html -o "{{ build_dir}}/{{ output_file_html }}" "{{ gauntlt_attacks }}" diff --git a/bin/install-gauntlt.sh b/bin/install-gauntlt.sh index 52b8f08..6402e42 100755 --- a/bin/install-gauntlt.sh +++ b/bin/install-gauntlt.sh @@ -16,6 +16,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" #shellcheck disable=SC1090 . "$DIR/common.sh" +RUBY_VERSION=2.6.3 + ensure_root quick_yum_install ruby-devel quick_yum_install nmap @@ -38,10 +40,10 @@ set +eu #shellcheck disable=SC1091 source /etc/profile.d/rvm.sh rvm reload -rvm install 2.6.0 -rvm alias create default ruby-2.6.0 +rvm install "$RUBY_VERSION" +rvm alias create default ruby-"$RUBY_VERSION" rvm list -rvm use 2.6 --default +rvm use "$RUBY_VERSION" --default set -eu if is_ec2; then usermod -a -G rvm centos @@ -52,5 +54,5 @@ ruby --version if ! (gem list gauntlt | grep gauntlt > /dev/null); then echo 'gem: --no-rdoc --no-ri' > ~/.gemrc - gem install gauntlt + gem install gauntlt syntax fi diff --git a/bin/scan.sh b/bin/scan.sh index 00716a3..60329eb 100755 --- a/bin/scan.sh +++ b/bin/scan.sh @@ -15,7 +15,7 @@ mkdir -p build cd build # This will have a non-zero exit if any of the scans fail, so do not fail immediately on that set +e -sudo oscap xccdf eval --profile C2S --results scan-xccdf-results.xml /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml +sudo oscap xccdf eval --profile C2S --results scan-xccdf-results.xml --fetch-remote-resources /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml set -e oscap xccdf generate report scan-xccdf-results.xml > scan-xccdf-results.html From e8812de72895416ede4f094a479a8557f17926c2 Mon Sep 17 00:00:00 2001 
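Review bot: If gauntlt follows cucumber's convention of exiting non-zero when a scenario fails (the committed `gauntlt-results.txt` shows `6 scenarios (1 failed, 5 passed)`), `shell:` turns that into a task failure and every play after this one is skipped, even though the HTML report Jenkins now publishes is presumably still written. scan.sh in this same commit deliberately wraps `oscap` in `set +e` with a comment that a failing scan must not abort the run; this task should state the same policy explicitly, e.g. `register: gauntlt_scan` with `failed_when: false`, followed by a task that reports on `gauntlt_scan.rc`. The `command:` rewrite of this line in PATCH 23/53 keeps the same behaviour. Minor: `{{ build_dir}}` is missing the space before `}}`, harmless to Jinja but inconsistent with the rest of the file.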
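Review bot: `gem install gauntlt syntax` installs whatever versions are current at build time, so the image is not reproducible and a newer or tampered gem changes the scanner silently; the results file committed in PATCH 20/53 already shows gauntlt-1.0.13 while `gauntlt_version: "1.0.8"` is declared in the role defaults touched by this same commit and never used. Pin both gems, for instance `gem install gauntlt -v "$GAUNTLT_VERSION"` with `GAUNTLT_VERSION` defined next to `RUBY_VERSION` and kept in step with `gauntlt_version`. The guard `gem list gauntlt | grep gauntlt` also matches any gem whose name merely contains the string; `gem list -i gauntlt` exits by installed state and needs no grep.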
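Review bot: `--fetch-remote-resources` makes each evaluation download the OVAL/CPE content referenced by the data stream at scan time, under `sudo`, so the compliance result now depends on what a remote host serves that day and the image build reaches out to the network from a root process. If that is the intent, say so in the comment above the call (`# --fetch-remote-resources: pulls referenced OVAL content from the network during the scan`); if reproducible results matter more, pre-fetch the referenced content into the image and point the evaluation at the local copy instead.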
From: Richard Bullington-McGuire Date: Tue, 6 Aug 2019 18:29:32 -0400 Subject: [PATCH 22/53] Get Gauntlt tests passing in Vagrant --- .gitignore | 1 + gauntlt/nmap.attack | 19 +++++++++---------- gauntlt/os_detection.attack | 18 ------------------ gauntlt/simple-env-var.attack | 25 ------------------------- 4 files changed, 10 insertions(+), 53 deletions(-) delete mode 100644 gauntlt/os_detection.attack delete mode 100644 gauntlt/simple-env-var.attack diff --git a/.gitignore b/.gitignore index 8409a05..0d48e99 100644 --- a/.gitignore +++ b/.gitignore @@ -11,6 +11,7 @@ /terraform/tf.plan __pycache__ build/ +tmp/ jmeter.log scan-xccdf-results.html scan-xccdf-results.xml diff --git a/gauntlt/nmap.attack b/gauntlt/nmap.attack index d463db0..6467c14 100644 --- a/gauntlt/nmap.attack +++ b/gauntlt/nmap.attack @@ -1,17 +1,17 @@ @slow -Feature: nmap attacks for scanme.nmap.org and to use this for your tests, change the value in the profile +Feature: nmap attacks for localhost and to use this for your tests, change the value in the profile Background: Given "nmap" is installed And the following profile: | name | value | - | hostname | scanme.nmap.org | - | host | scanme.nmap.org | + | hostname | localhost | + | host | localhost | | tcp_ping_ports | 22,25,80,443 | Scenario: Verify server is open on expected set of ports using the nmap-fast attack step When I launch a "nmap-fast" attack - Then the output should match /80.tcp\s+open/ + Then the output should match /22.tcp\s+open/ Scenario: Verify server is open on expected set of ports using the nmap fast flag When I launch an "nmap" attack with: @@ -20,7 +20,7 @@ Feature: nmap attacks for scanme.nmap.org and to use this for your tests, change """ Then the output should match: """ - 80/tcp\s+open + 22/tcp\s+open """ Scenario: Verify that there are no unexpected ports open 
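Review bot: With `hostname`/`host` switched to `localhost`, nmap now scans the loopback interface, so services bound only to 127.0.0.1 show up as open and any firewall rules on the external interface are never exercised; the result says less about what the web server exposes to the network than the previous remote target did. If the goal is to check the image's own exposure, scan the primary interface address, for example via an environment variable as the deleted simple-env-var.attack did. The third hunk of this file (on the next line) also replaces the `22/tcp`/`25/tcp` negative assertions with `443/tcp` alone, so an open SMTP listener would no longer be caught; a sentence in the Feature description explaining why port 22 is expected open on a web server image would help the next reader.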
@@ -30,20 +30,19 @@ Feature: nmap attacks for scanme.nmap.org and to use this for your tests, change """ Then the output should not contain: """ - 22/tcp - 25/tcp + 443/tcp """ Scenario: Output to XML When I launch an "nmap" attack with: """ - nmap -p 80,443 -oX foo.xml + nmap -p 22,80,443 -oX foo.xml """ And the file "foo.xml" should contain XML: | css | - | ports port[protocol="tcp"][portid="80"] state[state="open"] | + | ports port[protocol="tcp"][portid="22"] state[state="open"] | And the file "foo.xml" should not contain XML: | css | - | ports port[protocol="tcp"][portid="123"] state[state="open"] | + | ports port[protocol="tcp"][portid="80"] state[state="open"] | | ports port[protocol="tcp"][portid="443"] state[state="open"] | diff --git a/gauntlt/os_detection.attack b/gauntlt/os_detection.attack deleted file mode 100644 index c47d084..0000000 --- a/gauntlt/os_detection.attack +++ /dev/null @@ -1,18 +0,0 @@ -Feature: OS detection - - Background: - Given "nmap" is installed - And the following profile: - | name | value | - | hostname | scanme.nmap.org | - - @slow - Scenario: Detect OS - When I launch an "nmap" attack with: - """ - nmap -sV -p80 -PN - """ - Then the output should contain: - """ - Apache - """ diff --git a/gauntlt/simple-env-var.attack b/gauntlt/simple-env-var.attack deleted file mode 100644 index 4b76788..0000000 --- a/gauntlt/simple-env-var.attack +++ /dev/null @@ -1,25 +0,0 @@ -@slow -Feature: simple nmap attack (sanity check) - - Background: - Given "nmap" is installed - - And the following environment variables: - | name | environment_variable_name | - | hostname | TEST_HOSTNAME | - - And the following profile: - | name | value | - | https_port | 443 | - | http_port | 80 | - - Scenario: Verify server is available on standard web ports - When I launch an "nmap" attack with: - """ - nmap -p , - """ - Then the output should match /80.tcp\s+open/ - And the output should not match: - """ - 443/tcp\s+open - """ 
From e87fbf50c962c68cb299ff989f60ef71f8660b05 Mon Sep 17 00:00:00 2001 From: Richard Bullington-McGuire Date: Wed, 7 Aug 2019 15:45:34 -0400 Subject: [PATCH 23/53] Make everything that can run as non-root --- ansible/roles/scan-gauntlt/tasks/main.yml | 4 +++- bin/common.sh | 9 +++++++++ bin/install-ansible.sh | 2 ++ bin/install-gauntlt.sh | 19 +++++++++++-------- packer/machines/web-server.json | 2 +- 5 files changed, 26 insertions(+), 10 deletions(-) diff --git a/ansible/roles/scan-gauntlt/tasks/main.yml b/ansible/roles/scan-gauntlt/tasks/main.yml index 5393fb9..411940d 100644 --- a/ansible/roles/scan-gauntlt/tasks/main.yml +++ b/ansible/roles/scan-gauntlt/tasks/main.yml @@ -9,4 +9,6 @@ mode: 0775 - name: Scan using gauntlt - shell: gauntlt -f html -o "{{ build_dir}}/{{ output_file_html }}" "{{ gauntlt_attacks }}" + become: true + become_user: root + command: gauntlt -f html -o "{{ build_dir}}/{{ output_file_html }}" "{{ gauntlt_attacks }}" diff --git a/bin/common.sh b/bin/common.sh index 398f38b..57cb52f 100755 --- a/bin/common.sh +++ b/bin/common.sh @@ -93,6 +93,15 @@ function ensure_root () { fi } +function ensure_not_root () { + # Thanks Unix Stack Exchange https://unix.stackexchange.com/a/389407 + if ((EUID == 0)); then + echo >&2 "Error: do not run script as root or with sudo! Exiting..." + exit 1 + fi +} + + function quick_yum_install() { declare package package=${1?"You must specify a package to install"} diff --git a/bin/install-ansible.sh b/bin/install-ansible.sh index b0a82c4..0e8c04c 100755 --- a/bin/install-ansible.sh +++ b/bin/install-ansible.sh @@ -16,6 +16,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" #shellcheck disable=SC1090 . "$DIR/common.sh" +ensure_not_root + quick_yum_install epel-release quick_yum_install ansible quick_yum_install git diff --git a/bin/install-gauntlt.sh b/bin/install-gauntlt.sh index 6402e42..2110050 100755 --- a/bin/install-gauntlt.sh +++ b/bin/install-gauntlt.sh 
@@ -16,20 +16,23 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" #shellcheck disable=SC1090 . "$DIR/common.sh" +ensure_not_root + RUBY_VERSION=2.6.3 +RVM_SH=/etc/profile.d/rvm.sh -ensure_root quick_yum_install ruby-devel quick_yum_install nmap -if [[ ! -f /etc/profile.d/rvm.sh ]]; then + +if [[ ! -f "$RVM_SH" ]]; then curl -sSL https://rvm.io/mpapis.asc | gpg2 --import - curl -sSL https://rvm.io/pkuczynski.asc | gpg2 --import - curl -L get.rvm.io | bash -s stable # rvm hates the bash options -eu set +eu - #shellcheck disable=SC1091 - source /etc/profile.d/rvm.sh + #shellcheck disable=SC1091,SC1090 + . "$RVM_SH" rvm reload rvm requirements run else @@ -37,8 +40,8 @@ else fi # rvm hates the bash options -eu set +eu -#shellcheck disable=SC1091 -source /etc/profile.d/rvm.sh +#shellcheck disable=SC1091,SC1090 +. "$RVM_SH" rvm reload rvm install "$RUBY_VERSION" rvm alias create default ruby-"$RUBY_VERSION" @@ -46,9 +49,9 @@ rvm list rvm use "$RUBY_VERSION" --default set -eu if is_ec2; then - usermod -a -G rvm centos + sudo usermod -a -G rvm centos else - usermod -a -G rvm vagrant + sudo usermod -a -G rvm vagrant fi ruby --version diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json index 8847180..ac4e6c5 100644 --- a/packer/machines/web-server.json +++ b/packer/machines/web-server.json @@ -46,7 +46,7 @@ { "type": "shell", "inline": [ - "sudo bash /app/bin/install-gauntlt.sh", + "bash /app/bin/install-gauntlt.sh", "bash /app/bin/install-ansible.sh", "ansible-playbook -l localhost /app/ansible/bakery.yml /app/ansible/scan-openscap.yml /app/ansible/scan-gauntlt.yml" ] From b5517c2d67d33d7d79c15d5efd9d5678836be8a5 Mon Sep 17 00:00:00 2001 From: Richard Bullington-McGuire Date: Wed, 7 Aug 2019 15:46:40 -0400 Subject: [PATCH 24/53] Run gauntlt as normal user --- ansible/roles/scan-gauntlt/tasks/main.yml | 2 -- 1 file changed, 2 deletions(-) 
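Review bot: The guard `if [[ ! -f "$RVM_SH" ]]` now gates an install path that runs `curl -L get.rvm.io | bash -s stable` as the unprivileged user, and the two `gpg2 --import` lines before it import RVM's signing keys without ever using them, because piping the installer straight into bash skips verification. Fetch over an explicit `https://` URL (a bare `get.rvm.io` is requested as plain HTTP first and relies on a redirect to reach TLS), save the installer to a file, verify it with the imported keys (RVM publishes `rvm-installer.asc` alongside `rvm-installer`), and run it from the file. Separately, `RVM_SH=/etc/profile.d/rvm.sh` is the system-wide install location, but with `ensure_not_root` the installer presumably writes to `$HOME/.rvm`, so on a fresh box the guard would re-run the installer every time and the later `. "$RVM_SH"` would fail; PATCH 25/53 moves it to the per-user path.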
diff --git a/ansible/roles/scan-gauntlt/tasks/main.yml b/ansible/roles/scan-gauntlt/tasks/main.yml index 411940d..d736dfb 100644 --- a/ansible/roles/scan-gauntlt/tasks/main.yml +++ b/ansible/roles/scan-gauntlt/tasks/main.yml @@ -9,6 +9,4 @@ mode: 0775 - name: Scan using gauntlt - become: true - become_user: root command: gauntlt -f html -o "{{ build_dir}}/{{ output_file_html }}" "{{ gauntlt_attacks }}" From d5e47ae12719a80c224340b2227bd88c9982280a Mon Sep 17 00:00:00 2001 From: Richard Bullington-McGuire Date: Wed, 7 Aug 2019 16:11:43 -0400 Subject: [PATCH 25/53] Fix up install to work with non-root user --- Vagrantfile | 6 +++--- bin/install-gauntlt.sh | 41 +++++++++++++++++++++++++++++++++-------- 2 files changed, 36 insertions(+), 11 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index d525fc8..5599975 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -1,8 +1,8 @@ Vagrant.configure("2") do |config| config.vm.box = "bento/centos-7.5" config.vm.synced_folder ".", "/app" - config.vm.provision "shell", inline: "/app/bin/install-gauntlt.sh", upload_path: "/home/vagrant/install-gauntlt.sh" - config.vm.provision "shell", inline: "/app/bin/install-ansible.sh", upload_path: "/home/vagrant/install-ansible.sh" - config.vm.provision "shell", inline: "cd /app/ansible && ansible-playbook -l localhost bakery.yml scan-openscap.yml scan-gauntlt.yml app-AfterInstall.yml app-StartServer.yml", upload_path: "/home/vagrant/apl.sh" + config.vm.provision "shell", inline: "/app/bin/install-gauntlt.sh", upload_path: "/home/vagrant/install-gauntlt.sh", privileged: false + config.vm.provision "shell", inline: "/app/bin/install-ansible.sh", upload_path: "/home/vagrant/install-ansible.sh", privileged: false + config.vm.provision "shell", inline: "cd /app/ansible && ansible-playbook -l localhost bakery.yml scan-openscap.yml scan-gauntlt.yml app-AfterInstall.yml app-StartServer.yml", upload_path: "/home/vagrant/apl.sh", privileged: false config.vm.network "forwarded_port", guest: 80, host: 6080, auto_correct: true end diff --git a/bin/install-gauntlt.sh b/bin/install-gauntlt.sh index 2110050..2f0a15d 100755 --- a/bin/install-gauntlt.sh +++ b/bin/install-gauntlt.sh 
@@ -19,11 +19,41 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" ensure_not_root RUBY_VERSION=2.6.3 -RVM_SH=/etc/profile.d/rvm.sh +RVM_SH="$HOME/.rvm/scripts/rvm" -quick_yum_install ruby-devel -quick_yum_install nmap +PACKAGES='nmap +ruby-devel +autoconf +automake +bison +gcc-c++ +libffi-devel +libtool +patch +readline-devel +sqlite-devel +zlib-devel +glibc-headers +glibc-devel +openssl-devel +requirements_centos_libs_install +patch +autoconf +automake +bison +gcc-c++ +libffi-devel +libtool +patch +readline-devel +sqlite-devel +zlib-devel +glibc-headers +glibc-devel +openssl-devel' +#shellcheck disable=SC2086 +sudo yum install -y $PACKAGES if [[ ! -f "$RVM_SH" ]]; then curl -sSL https://rvm.io/mpapis.asc | gpg2 --import - @@ -48,11 +78,6 @@ rvm alias create default ruby-"$RUBY_VERSION" rvm list rvm use "$RUBY_VERSION" --default set -eu -if is_ec2; then - sudo usermod -a -G rvm centos -else - sudo usermod -a -G rvm vagrant -fi ruby --version if ! (gem list gauntlt | grep gauntlt > /dev/null); then From 0f0319d4d626e2e26f5aee5ed197fad17bdc38e5 Mon Sep 17 00:00:00 2001 From: Richard Bullington-McGuire Date: Wed, 7 Aug 2019 16:56:40 -0400 Subject: [PATCH 26/53] Try to get rvm paths worked out --- ansible/scan-gauntlt.yml | 1 - packer/machines/web-server.json | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/ansible/scan-gauntlt.yml b/ansible/scan-gauntlt.yml index a45b521..7b456b4 100644 --- a/ansible/scan-gauntlt.yml +++ b/ansible/scan-gauntlt.yml @@ -5,6 +5,5 @@ - name: Scan Server with Gauntlt hosts: 127.0.0.1 connection: local - become: yes roles: - scan-gauntlt diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json index ac4e6c5..8e94bdb 100644 --- a/packer/machines/web-server.json +++ b/packer/machines/web-server.json 
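Review bot: The `PACKAGES` list repeats its second half verbatim (`patch` appears three times and the autoconf…openssl-devel block twice) and contains `requirements_centos_libs_install`, which reads like a pasted RVM function name rather than a yum package; yum on CentOS 7 prints `No package ... available` for it and, depending on configuration, may still exit 0, so the mistake is easy to miss. Dedupe the list to one occurrence of each real package and drop that entry. Replacing the `quick_yum_install` calls with a plain `sudo yum install -y` also loses the already-installed short-circuit from common.sh, which is fine for a one-shot image build but means every Vagrant re-provision hits the package repositories; a one-line comment stating that trade-off would help.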
@@ -48,7 +48,7 @@
 "inline": [
 "bash /app/bin/install-gauntlt.sh",
 "bash /app/bin/install-ansible.sh",
- "ansible-playbook -l localhost /app/ansible/bakery.yml /app/ansible/scan-openscap.yml /app/ansible/scan-gauntlt.yml"
+ "PATH=$PATH:$HOME/.rvm/bin && . .rvm/scripts/rvm && ansible-playbook -l localhost /app/ansible/bakery.yml /app/ansible/scan-openscap.yml /app/ansible/scan-gauntlt.yml"
 ]
 },
 {
From f1159f08ee3cc3a364382adeaa7fcd2e074f4065 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Wed, 7 Aug 2019 17:14:06 -0400
Subject: [PATCH 27/53] Debug ruby version

---
 packer/machines/web-server.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json
index 8e94bdb..c818eba 100644
--- a/packer/machines/web-server.json
+++ b/packer/machines/web-server.json
@@ -47,8 +47,7 @@
 "type": "shell",
 "inline": [
 "bash /app/bin/install-gauntlt.sh",
- "bash /app/bin/install-ansible.sh",
- "PATH=$PATH:$HOME/.rvm/bin && . .rvm/scripts/rvm && ansible-playbook -l localhost /app/ansible/bakery.yml /app/ansible/scan-openscap.yml /app/ansible/scan-gauntlt.yml"
+ "PATH=$PATH:$HOME/.rvm/bin && . .rvm/scripts/rvm && ruby --version"
 ]
 },
 {
From a11d1997632d3231d0de9183cc01e278fe4a2ea7 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Wed, 7 Aug 2019 17:15:25 -0400
Subject: [PATCH 28/53] Debug more stuff

---
 packer/machines/web-server.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json
index c818eba..832cbdf 100644
--- a/packer/machines/web-server.json
+++ b/packer/machines/web-server.json
@@ -47,7 +47,7 @@
 "type": "shell",
 "inline": [
 "bash /app/bin/install-gauntlt.sh",
- "PATH=$PATH:$HOME/.rvm/bin && . .rvm/scripts/rvm && ruby --version"
+ "PATH=$PATH:$HOME/.rvm/bin && . .rvm/scripts/rvm && id -a && echo $PATH && ruby --version && gauntlt -h"
 ]
 },
 {
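Review bot: `. .rvm/scripts/rvm` in the new inline command is a path relative to the provisioner's working directory, while the `PATH=$PATH:$HOME/.rvm/bin` just before it is absolute; if packer's shell provisioner does not run from the user's home the source fails and, because the pieces are chained with `&&`, the playbooks never run. Use `. "$HOME/.rvm/scripts/rvm"` so both halves agree. The same relative source is carried into the PATCH 27 and PATCH 28 hunks on this line.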
From 5f487aa11e955cfc4ed026c3decebbb0a2dc88bd Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Wed, 7 Aug 2019 21:33:37 -0400
Subject: [PATCH 29/53] Use full shell scripts for fiddly things

---
 bin/activate-rvm.sh | 19 +++++++++++++++++++
 bin/ansible.sh | 24 ++++++++++++++++++++++++
 bin/install-gauntlt.sh | 13 ++-----------
 packer/machines/web-server.json | 2 +-
 4 files changed, 46 insertions(+), 12 deletions(-)
 create mode 100755 bin/activate-rvm.sh
 create mode 100755 bin/ansible.sh

diff --git a/bin/activate-rvm.sh b/bin/activate-rvm.sh
new file mode 100755
index 0000000..2c1b5f0
--- /dev/null
+++ b/bin/activate-rvm.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# Activate rvm
+# Source this to activate RVM
+
+RVM_SH=${RVM_SH:-$HOMW/.rvm/shell/rvm}
+RUBY_VERSION=${RUBY_VERSION:-2.6.3}
+
+# rvm hates the bash options -eu
+set +eu
+#shellcheck disable=SC1091,SC1090
+. "$RVM_SH"
+rvm reload
+rvm install "$RUBY_VERSION"
+rvm alias create default ruby-"$RUBY_VERSION"
+rvm list
+rvm use "$RUBY_VERSION" --default
+set -eu
+ruby --version
+
diff --git a/bin/ansible.sh b/bin/ansible.sh
new file mode 100755
index 0000000..9089fcf
--- /dev/null
+++ b/bin/ansible.sh
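Review bot: `rvm install "$RUBY_VERSION"` runs every time this file is sourced, so what the header calls activation is also a network install of a Ruby, and because `set +eu` has just been applied a failing install or alias is not detected until `ruby --version`, if at all. Separating install from activation, or at least guarding the install with a check that the requested Ruby is already present, keeps the bake reproducible and makes failures surface where they happen. The `# Source this` comment also sits oddly with the file being created executable (mode 100755) with a shebang; state which use is intended.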
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+# Run ansible
+#
+# Set bash unofficial strict mode http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -euo pipefail
+
+# Set DEBUG to true for enhanced debugging: run prefixed with "DEBUG=true"
+${DEBUG:-false} && set -vx
+# Credit to https://stackoverflow.com/a/17805088
+# and http://wiki.bash-hackers.org/scripting/debuggingtips
+export PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
+
+# Credit to http://stackoverflow.com/a/246128/424301
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# shellcheck disable=SC1090
+. "$DIR/common.sh"
+# shellcheck disable=SC1090
+. "$DIR/activate_rvm.sh"
+
+ensure_not_root
+
+#ansible-playbook -l localhost /app/ansible/bakery.yml /app/ansible/scan-openscap.yml /app/ansible/scan-gauntlt.yml
+ansible-playbook -l localhost /app/ansible/scan-gauntlt.yml
diff --git a/bin/install-gauntlt.sh b/bin/install-gauntlt.sh
index 2f0a15d..972c1aa 100755
--- a/bin/install-gauntlt.sh
+++ b/bin/install-gauntlt.sh
@@ -68,17 +68,8 @@ if [[ ! -f "$RVM_SH" ]]; then
 else
 echo "rvm already installed" >&2
 fi
-# rvm hates the bash options -eu
-set +eu
-#shellcheck disable=SC1091,SC1090
-. "$RVM_SH"
-rvm reload
-rvm install "$RUBY_VERSION"
-rvm alias create default ruby-"$RUBY_VERSION"
-rvm list
-rvm use "$RUBY_VERSION" --default
-set -eu
-ruby --version
+
+. "$DIR/activate_rvm.sh"
 if ! (gem list gauntlt | grep gauntlt > /dev/null); then
 echo 'gem: --no-rdoc --no-ri' > ~/.gemrc
diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json
index 832cbdf..c9c3ca3 100644
--- a/packer/machines/web-server.json
+++ b/packer/machines/web-server.json
@@ -47,7 +47,7 @@
 "type": "shell",
 "inline": [
 "bash /app/bin/install-gauntlt.sh",
- "PATH=$PATH:$HOME/.rvm/bin && . .rvm/scripts/rvm && id -a && echo $PATH && ruby --version && gauntlt -h"
+ "bash /app/bin/ansible.sh"
 ]
 },
 {
From b3f382498fae93eca4e55a8f27da5b93c16a6b5f Mon Sep 17 00:00:00 2001
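Review bot: `${DEBUG:-false} && set -vx` executes the contents of the `DEBUG` environment variable as a command, so any value other than `true`/`false` is run as a program with the script's privileges, and under the packer and Vagrant provisioners that is whatever the environment happens to carry. Test the value instead: `[[ "${DEBUG:-false}" == true ]] && set -vx`. The other `bin/*.sh` scripts that share this header (install-gauntlt.sh and pack.sh both source `common.sh`) may use the same idiom; they are outside this hunk.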
From: Richard Bullington-McGuire
Date: Wed, 7 Aug 2019 21:41:29 -0400
Subject: [PATCH 30/53] Fix path to activate-rvm.sh

---
 bin/ansible.sh | 2 +-
 bin/install-gauntlt.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/ansible.sh b/bin/ansible.sh
index 9089fcf..5b56a1f 100755
--- a/bin/ansible.sh
+++ b/bin/ansible.sh
@@ -16,7 +16,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # shellcheck disable=SC1090
 . "$DIR/common.sh"
 # shellcheck disable=SC1090
-. "$DIR/activate_rvm.sh"
+. "$DIR/activate-rvm.sh"
 ensure_not_root
diff --git a/bin/install-gauntlt.sh b/bin/install-gauntlt.sh
index 972c1aa..4f501a5 100755
--- a/bin/install-gauntlt.sh
+++ b/bin/install-gauntlt.sh
@@ -69,7 +69,7 @@ else
 echo "rvm already installed" >&2
 fi
-. "$DIR/activate_rvm.sh"
+. "$DIR/activate-rvm.sh"
 if ! (gem list gauntlt | grep gauntlt > /dev/null); then
 echo 'gem: --no-rdoc --no-ri' > ~/.gemrc
From 2dc07a7d256a68552f549a7b0ee36eed77ca2909 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Wed, 7 Aug 2019 21:44:58 -0400
Subject: [PATCH 31/53] Fix up shellcheck issues

---
 bin/install-gauntlt.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/bin/install-gauntlt.sh b/bin/install-gauntlt.sh
index 4f501a5..f13e59a 100755
--- a/bin/install-gauntlt.sh
+++ b/bin/install-gauntlt.sh
@@ -19,6 +19,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 ensure_not_root
 RUBY_VERSION=2.6.3
+export RUBY_VERSION
 RVM_SH="$HOME/.rvm/scripts/rvm"
 PACKAGES='nmap
@@ -69,6 +70,7 @@ else
 echo "rvm already installed" >&2
 fi
+#shellcheck disable=SC1090
 . "$DIR/activate-rvm.sh"
 if ! (gem list gauntlt | grep gauntlt > /dev/null); then
From cdd08a3ad388319aae98a34cb538052f6bdfa8c2 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Wed, 7 Aug 2019 21:49:19 -0400
Subject: [PATCH 32/53] Quiet down yum

---
 bin/install-gauntlt.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/install-gauntlt.sh b/bin/install-gauntlt.sh
index f13e59a..7b2a3e8 100755
--- a/bin/install-gauntlt.sh
+++ b/bin/install-gauntlt.sh
@@ -54,7 +54,7 @@ glibc-devel
 openssl-devel'
 #shellcheck disable=SC2086
-sudo yum install -y $PACKAGES
+sudo yum -q install -y $PACKAGES
 if [[ ! -f "$RVM_SH" ]]; then
 curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -
From 7ef6f6ff0425cc824f8e682c7d7c5ae3f3a07916 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Wed, 7 Aug 2019 21:58:24 -0400
Subject: [PATCH 33/53] Fix spelling of HOME

---
 bin/activate-rvm.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/activate-rvm.sh b/bin/activate-rvm.sh
index 2c1b5f0..7091455 100755
--- a/bin/activate-rvm.sh
+++ b/bin/activate-rvm.sh
@@ -2,7 +2,7 @@
 # Activate rvm
 # Source this to activate RVM
-RVM_SH=${RVM_SH:-$HOMW/.rvm/shell/rvm}
+RVM_SH=${RVM_SH:-$HOME/.rvm/shell/rvm}
 RUBY_VERSION=${RUBY_VERSION:-2.6.3}
 # rvm hates the bash options -eu
From f74b65b7706f1601051a496725119d59ebb56ff7 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Wed, 7 Aug 2019 22:07:47 -0400
Subject: [PATCH 34/53] Install ansible, duh

---
 packer/machines/web-server.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json
index c9c3ca3..dafbf8e 100644
--- a/packer/machines/web-server.json
+++ b/packer/machines/web-server.json
@@ -47,6 +47,7 @@
 "type": "shell",
 "inline": [
 "bash /app/bin/install-gauntlt.sh",
+ "bash /app/bin/install-ansible.sh",
 "bash /app/bin/ansible.sh"
 ]
 },
From 734d17086453c3fed25f77bb87b20a3c759b72ba Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Wed, 7 Aug 2019 22:48:28 -0400
Subject: [PATCH 35/53] Bail if rvm cannot be activated

---
 bin/activate-rvm.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/bin/activate-rvm.sh b/bin/activate-rvm.sh
index 7091455..c93d9ba 100755
--- a/bin/activate-rvm.sh
+++ b/bin/activate-rvm.sh
@@ -6,6 +6,11 @@ RVM_SH=${RVM_SH:-$HOME/.rvm/shell/rvm}
 RUBY_VERSION=${RUBY_VERSION:-2.6.3}
 # rvm hates the bash options -eu
+
+if [[ ! -f "$RVM_SH" ]]; then
+ echo "Error: $0: RVM_SH $RVM_SH not found"
+ exit 1
+fi
 set +eu
 #shellcheck disable=SC1091,SC1090
 . "$RVM_SH"
From 64ad2f321849e8475ae4844a8e44159fd540c9e2 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Wed, 7 Aug 2019 23:22:32 -0400
Subject: [PATCH 36/53] Fix up path to rvm

---
 bin/activate-rvm.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/activate-rvm.sh b/bin/activate-rvm.sh
index c93d9ba..a1861c1 100755
--- a/bin/activate-rvm.sh
+++ b/bin/activate-rvm.sh
@@ -2,7 +2,7 @@
 # Activate rvm
 # Source this to activate RVM
-RVM_SH=${RVM_SH:-$HOME/.rvm/shell/rvm}
+RVM_SH=${RVM_SH:-$HOME/.rvm/scripts/rvm}
 RUBY_VERSION=${RUBY_VERSION:-2.6.3}
 # rvm hates the bash options -eu
From f56b788dcf24e16bfe46716c8b2eb636c1535f78 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Wed, 7 Aug 2019 23:45:12 -0400
Subject: [PATCH 37/53] Ensure gauntlt attack files get packed

---
 packer/machines/web-server.json | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json
index dafbf8e..ddccc03 100644
--- a/packer/machines/web-server.json
+++ b/packer/machines/web-server.json
@@ -28,6 +28,11 @@
 "sudo chown centos:centos /app"
 ]
 },
+ {
+ "type": "file",
+ "source": "/app/ansible",
+ "destination": "/app"
+ },
 {
 "type": "file",
 "source": "/app/application",
@@ -40,7 +45,7 @@
 },
 {
 "type": "file",
- "source": "/app/ansible",
+ "source": "/app/gauntlt",
 "destination": "/app"
 },
 {
From c17e6608fa392c88d714b45a27ed6e8319d81bd7 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Wed, 7 Aug 2019 23:53:18 -0400
Subject: [PATCH 38/53] Ensure artifacts get saved even if pack fails

---
 Jenkinsfile | 39 +++++++++++++++++++++------------------
 1 file changed, 21 insertions(+), 18 deletions(-)
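Review bot: In the new guard, `$0` names the calling script (or the shell itself) when this file is sourced, which is its documented use, so the error will point at the wrong file; the message also goes to stdout, where provisioner logs interleave it with normal output. Use `echo "Error: ${BASH_SOURCE[0]}: RVM_SH $RVM_SH not found" >&2`. `exit 1` in a sourced file terminates the caller, which is the intended bail-out here but surprising enough to deserve a comment on that line.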
diff --git a/Jenkinsfile b/Jenkinsfile
index 66c5af7..e87ccd9 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -165,24 +165,27 @@ if (params.Run_Packer) {
 node {
 wrap.call({
 unstash 'src'
- sh ("./bin/pack.sh")
- archive (includes: 'build/**')
- publishHTML (target: [
- allowMissing: true,
- alwaysLinkToLastBuild: false,
- keepAll: true,
- reportDir: 'build',
- reportFiles: 'scan-xccdf-results.html',
- reportName: "OpenSCAP Report"
- ])
- publishHTML (target: [
- allowMissing: true,
- alwaysLinkToLastBuild: false,
- keepAll: true,
- reportDir: 'build',
- reportFiles: 'gauntlt-results.html',
- reportName: "Gauntlt Report"
- ])
+ try {
+ sh ("./bin/pack.sh")
+ } finally {
+ archive (includes: 'build/**')
+ publishHTML (target: [
+ allowMissing: true,
+ alwaysLinkToLastBuild: false,
+ keepAll: true,
+ reportDir: 'build',
+ reportFiles: 'scan-xccdf-results.html',
+ reportName: "OpenSCAP Report"
+ ])
+ publishHTML (target: [
+ allowMissing: true,
+ alwaysLinkToLastBuild: false,
+ keepAll: true,
+ reportDir: 'build',
+ reportFiles: 'gauntlt-results.html',
+ reportName: "Gauntlt Report"
+ ])
+ }
 })
 }
 }
From d890a5b06e8cd48ffedeaa714e79b180ab73308b Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Thu, 8 Aug 2019 00:03:27 -0400
Subject: [PATCH 39/53] Centralize output into /app/build

---
 ansible/roles/scan-openscap/defaults/main.yml | 4 ++--
 bin/ansible.sh | 3 +--
 packer/machines/web-server.json | 2 +-
 3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/ansible/roles/scan-openscap/defaults/main.yml b/ansible/roles/scan-openscap/defaults/main.yml
index d89ecc3..ed0b37a 100644
--- a/ansible/roles/scan-openscap/defaults/main.yml
+++ b/ansible/roles/scan-openscap/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
 # defaults file for scan-oscap
 build_dir: /app/build
-output_file_html: scan-xccdf-results.html
-output_file_xml: scan-xccdf-results.xml
+output_file_html: /app/build/scan-xccdf-results.html
+output_file_xml: /app/build/scan-xccdf-results.xml
 profile: C2S
 xccdf_file: /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
diff --git a/bin/ansible.sh b/bin/ansible.sh
index 5b56a1f..3eecfda 100755
--- a/bin/ansible.sh
+++ b/bin/ansible.sh
@@ -20,5 +20,4 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 ensure_not_root
-#ansible-playbook -l localhost /app/ansible/bakery.yml /app/ansible/scan-openscap.yml /app/ansible/scan-gauntlt.yml
-ansible-playbook -l localhost /app/ansible/scan-gauntlt.yml
+ansible-playbook -l localhost /app/ansible/bakery.yml /app/ansible/scan-openscap.yml /app/ansible/scan-gauntlt.yml
diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json
index ddccc03..8f0b203 100644
--- a/packer/machines/web-server.json
+++ b/packer/machines/web-server.json
@@ -58,7 +58,7 @@
 },
 {
 "type": "file",
- "source": "build/",
+ "source": "/app/build/",
 "direction": "download",
 "destination": "/app"
 }
From 97a8da1fede9ae9f44c6cf55069d00ccd07b0fd4 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Thu, 8 Aug 2019 09:40:15 -0400
Subject: [PATCH 40/53] Fix permissions issue, Jenkinsfile deprecation

---
 Jenkinsfile | 2 +-
 packer/machines/web-server.json | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Jenkinsfile b/Jenkinsfile
index e87ccd9..5a6db2b 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -168,7 +168,7 @@ if (params.Run_Packer) {
 try {
 sh ("./bin/pack.sh")
 } finally {
- archive (includes: 'build/**')
+ archiveArtifacts artifacts: 'build/**', fingerprint: true
 publishHTML (target: [
 allowMissing: true,
 alwaysLinkToLastBuild: false,
diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json
index 8f0b203..18d2d61 100644
--- a/packer/machines/web-server.json
+++ b/packer/machines/web-server.json
@@ -24,8 +24,8 @@
 {
 "type": "shell",
 "inline": [
- "sudo mkdir /app",
- "sudo chown centos:centos /app"
+ "sudo mkdir -p /app/build",
+ "sudo chown -R centos:centos /app"
 ]
 },
 {
From edd9575ce7059051caf05ebfcda01143881e1c20 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Tue, 13 Aug 2019 10:57:17 -0400
Subject: [PATCH 41/53] Add exit trap to show what is in the build dir

---
 bin/pack.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/bin/pack.sh b/bin/pack.sh
index 25743ab..f4200d5 100755
--- a/bin/pack.sh
+++ b/bin/pack.sh
@@ -18,6 +18,12 @@ export BASE_DIR
 # shellcheck disable=SC1090
 . "$DIR/common.sh"
+function finish() {
+ ls -l "$BASE_DIR" "$BASE_DIR/build"
+}
+
+trap finish EXIT
+
 DOCKER_PACKER=$(get_docker_packer)
 $DOCKER_PACKER validate app/packer/machines/web-server.json
 $DOCKER_PACKER build app/packer/machines/web-server.json
From 6d3c423548894e297f7f30fed12390c2d1405cc7 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Tue, 13 Aug 2019 11:57:06 -0400
Subject: [PATCH 42/53] Simplify, fix syntax

---
 ansible/roles/scan-gauntlt/defaults/main.yml | 4 ++--
 ansible/roles/scan-gauntlt/tasks/main.yml | 2 +-
 ansible/roles/scan-openscap/tasks/main.yml | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/ansible/roles/scan-gauntlt/defaults/main.yml b/ansible/roles/scan-gauntlt/defaults/main.yml
index c1b36d6..aba7d8d 100644
--- a/ansible/roles/scan-gauntlt/defaults/main.yml
+++ b/ansible/roles/scan-gauntlt/defaults/main.yml
@@ -1,6 +1,6 @@
 ---
 gauntlt_version: "1.0.8"
-build_dir: /app/build
+build_dir: /app/build/
 gauntlt_attacks: /app/gauntlt/*.attack
-output_file_html: gauntlt-results.html
+output_file_html: /app/build/gauntlt-results.html
diff --git a/ansible/roles/scan-gauntlt/tasks/main.yml b/ansible/roles/scan-gauntlt/tasks/main.yml
index d736dfb..4ae3445 100644
--- a/ansible/roles/scan-gauntlt/tasks/main.yml
+++ b/ansible/roles/scan-gauntlt/tasks/main.yml
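Review bot: The new `finish` trap runs `ls -l "$BASE_DIR" "$BASE_DIR/build"` unconditionally, and the case it is meant to diagnose is exactly the one where `build` may not exist; if pack.sh runs under the same `set -euo pipefail` header as ansible.sh (its header is outside this hunk), a failing `ls` inside the EXIT handler can itself change the script's exit status and mask the real failure. Append `|| true` so the listing can never alter the outcome: `ls -l "$BASE_DIR" "$BASE_DIR/build" || true`. PATCH 45 below extends the same line and inherits the issue.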
@@ -9,4 +9,4 @@
 mode: 0775
 - name: Scan using gauntlt
- command: gauntlt -f html -o "{{ build_dir}}/{{ output_file_html }}" "{{ gauntlt_attacks }}"
+ command: gauntlt -f html -o "{{ output_file_html }}" "{{ gauntlt_attacks }}"
diff --git a/ansible/roles/scan-openscap/tasks/main.yml b/ansible/roles/scan-openscap/tasks/main.yml
index 3cc27e1..f8bf305 100644
--- a/ansible/roles/scan-openscap/tasks/main.yml
+++ b/ansible/roles/scan-openscap/tasks/main.yml
@@ -14,8 +14,8 @@
 - name: Scan with OpenSCAP
 shell: |
- eet -euo pipefail
- ed {{ build_dir }}
+ set -euo pipefail
+ cd {{ build_dir }}
 # This will have a non-zero exit if any of the scans fail, so do not fail immediately on that
 set +e
 oscap xccdf eval --fetch-remote-resources --profile {{ profile }} --results {{ output_file_xml }} {{ xccdf_file }}
From c3958ecd51e97b0bdbf71a711a6649eed3cf7424 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Tue, 13 Aug 2019 12:01:55 -0400
Subject: [PATCH 43/53] Use same script in Vagrant as in Packer

Also fix up rvm and bash script options
---
 Vagrantfile | 2 +-
 bin/install-gauntlt.sh | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/Vagrantfile b/Vagrantfile
index 5599975..68adab1 100644
--- a/Vagrantfile
+++ b/Vagrantfile
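Review bot: `"{{ gauntlt_attacks }}"` expands to the single quoted argument `/app/gauntlt/*.attack`, and Ansible's `command` module does not pass its arguments through a shell, so the `*` is never expanded; unless gauntlt expands the pattern itself, it is handed a path that does not exist and the scan runs against nothing. Either switch this task to the `shell` module or enumerate the attack files explicitly (a `find`/`with_fileglob` loop) and pass real paths. The task list this hunk belongs to starts outside the hunk.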
@@ -3,6 +3,6 @@ Vagrant.configure("2") do |config|
 config.vm.synced_folder ".", "/app"
 config.vm.provision "shell", inline: "/app/bin/install-gauntlt.sh", upload_path: "/home/vagrant/install-gauntlt.sh", privileged: false
 config.vm.provision "shell", inline: "/app/bin/install-ansible.sh", upload_path: "/home/vagrant/install-ansible.sh", privileged: false
- config.vm.provision "shell", inline: "cd /app/ansible && ansible-playbook -l localhost bakery.yml scan-openscap.yml scan-gauntlt.yml app-AfterInstall.yml app-StartServer.yml", upload_path: "/home/vagrant/apl.sh", privileged: false
+ config.vm.provision "shell", inline: "/app/bin/ansible.sh", upload_path: "/home/vagrant/ansible.sh", privileged: false
 config.vm.network "forwarded_port", guest: 80, host: 6080, auto_correct: true
 end
diff --git a/bin/install-gauntlt.sh b/bin/install-gauntlt.sh
index 7b2a3e8..7e91256 100755
--- a/bin/install-gauntlt.sh
+++ b/bin/install-gauntlt.sh
@@ -66,6 +66,7 @@ if [[ ! -f "$RVM_SH" ]]; then
 . "$RVM_SH"
 rvm reload
 rvm requirements run
+ set -eu
 else
 echo "rvm already installed" >&2
 fi
From 502621c66470b3ecfa921564b7ee28d17d060a3d Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Tue, 13 Aug 2019 12:51:52 -0400
Subject: [PATCH 44/53] Ensure nginx stays stopped in bakery stage

---
 ansible/bakery.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ansible/bakery.yml b/ansible/bakery.yml
index fa91e1d..4282248 100644
--- a/ansible/bakery.yml
+++ b/ansible/bakery.yml
@@ -33,6 +33,8 @@
 - nginxinc.nginx
 - prepare-web-content
 - prepare-codedeploy
+ vars:
+ nginx_start: false
 - name: Harden Server
From 1ed7f52991f64e38c3b0044204c5162f891ff9c8 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Tue, 13 Aug 2019 12:59:20 -0400
Subject: [PATCH 45/53] Try to fix up paths

---
 Vagrantfile | 2 +-
 bin/ansible.sh | 4 +++-
 bin/pack.sh | 3 ++-
 packer/machines/web-server.json | 4 ++--
 4 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/Vagrantfile b/Vagrantfile
index 68adab1..54b2902 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -3,6 +3,6 @@ Vagrant.configure("2") do |config|
 config.vm.synced_folder ".", "/app"
 config.vm.provision "shell", inline: "/app/bin/install-gauntlt.sh", upload_path: "/home/vagrant/install-gauntlt.sh", privileged: false
 config.vm.provision "shell", inline: "/app/bin/install-ansible.sh", upload_path: "/home/vagrant/install-ansible.sh", privileged: false
- config.vm.provision "shell", inline: "/app/bin/ansible.sh", upload_path: "/home/vagrant/ansible.sh", privileged: false
+ config.vm.provision "shell", inline: "/app/bin/ansible.sh bakery.yml scan-openscap.yml scan-gauntlt.yml app-AfterInstall.yml app-StartServer.yml ", upload_path: "/home/vagrant/ansible.sh", privileged: false
 config.vm.network "forwarded_port", guest: 80, host: 6080, auto_correct: true
 end
diff --git a/bin/ansible.sh b/bin/ansible.sh
index 3eecfda..5bdcd1d 100755
--- a/bin/ansible.sh
+++ b/bin/ansible.sh
@@ -20,4 +20,6 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 ensure_not_root
-ansible-playbook -l localhost /app/ansible/bakery.yml /app/ansible/scan-openscap.yml /app/ansible/scan-gauntlt.yml
+cd "$DIR/../ansible"
+ansible-playbook -l localhost $@
+/app/ansible/bakery.yml /app/ansible/scan-openscap.yml /app/ansible/scan-gauntlt.yml
diff --git a/bin/pack.sh b/bin/pack.sh
index f4200d5..5eee183 100755
--- a/bin/pack.sh
+++ b/bin/pack.sh
@@ -19,7 +19,8 @@ export BASE_DIR
 . "$DIR/common.sh"
 function finish() {
- ls -l "$BASE_DIR" "$BASE_DIR/build"
+ pwd
+ ls -l "$BASE_DIR" "$BASE_DIR/build" build
 }
 trap finish EXIT
diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json
index 18d2d61..912a3b9 100644
--- a/packer/machines/web-server.json
+++ b/packer/machines/web-server.json
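Review bot: ansible.sh now takes its playbooks from the command line and resolves them after `cd "$DIR/../ansible"`, but nothing in the script says so; the `# Run ansible` header (outside this hunk) should gain a usage line such as `# Usage: ansible.sh PLAYBOOK... (names relative to ../ansible, e.g. bakery.yml)`. With no arguments the script now invokes `ansible-playbook -l localhost` with no playbook, so a guard like `[[ $# -gt 0 ]] || { echo "usage: $0 PLAYBOOK..." >&2; exit 2; }` would make the contract explicit for the Vagrant and packer callers changed in this same patch.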
@@ -53,12 +53,12 @@
 "inline": [
 "bash /app/bin/install-gauntlt.sh",
 "bash /app/bin/install-ansible.sh",
- "bash /app/bin/ansible.sh"
+ "bash /app/bin/ansible.sh bakery.yml scan-openscap.yml scan-gauntlt.yml"
 ]
 },
 {
 "type": "file",
- "source": "/app/build/",
+ "source": "build/",
 "direction": "download",
 "destination": "/app"
 }
From cef080dc6ededed609e065001ba815a15d6390b2 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Tue, 13 Aug 2019 13:56:45 -0400
Subject: [PATCH 46/53] Change bash error checking strategy when rvm is on

---
 bin/activate-rvm.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/bin/activate-rvm.sh b/bin/activate-rvm.sh
index a1861c1..dc8a93e 100755
--- a/bin/activate-rvm.sh
+++ b/bin/activate-rvm.sh
@@ -19,6 +19,10 @@ rvm install "$RUBY_VERSION"
 rvm alias create default ruby-"$RUBY_VERSION"
 rvm list
 rvm use "$RUBY_VERSION" --default
-set -eu
+# We don't reactivate -u because even doing a "cd" will invoke an rvm
+# function in .rvm/scripts/cd that bombs with:
+# .rvm/scripts/functions/environment: line 267: rvm_bash_nounset: unbound variable
+
+set -e
 ruby --version
From 917888f646a4944d0dad911ef9fc151124d879b5 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Tue, 13 Aug 2019 13:59:47 -0400
Subject: [PATCH 47/53] Fix shellcheck array warning

---
 bin/ansible.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/ansible.sh b/bin/ansible.sh
index 5bdcd1d..35c0307 100755
--- a/bin/ansible.sh
+++ b/bin/ansible.sh
@@ -21,5 +21,5 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 ensure_not_root
 cd "$DIR/../ansible"
-ansible-playbook -l localhost $@
+ansible-playbook -l localhost "$@"
 /app/ansible/bakery.yml /app/ansible/scan-openscap.yml /app/ansible/scan-gauntlt.yml
From 4937619928bee4f232a7f67992c7e0240364bd8f Mon Sep 17 00:00:00 2001
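Review bot: Dropping `-u` in activate-rvm.sh also drops it for every script that sources this file (ansible.sh and install-gauntlt.sh in the earlier patches), because `set` changes made by a sourced file persist in the caller; their `set -euo pipefail` headers therefore no longer describe how the rest of those scripts run. Either re-enable nounset in the callers immediately after their `. "$DIR/activate-rvm.sh"` line, or extend the new comment block with one sentence stating that callers continue without `-u` from this point on.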
From: Richard Bullington-McGuire
Date: Tue, 13 Aug 2019 14:28:20 -0400
Subject: [PATCH 48/53] Ooopsie, left a line in by mistake

---
 bin/ansible.sh | 1 -
 1 file changed, 1 deletion(-)

diff --git a/bin/ansible.sh b/bin/ansible.sh
index 35c0307..f5dee25 100755
--- a/bin/ansible.sh
+++ b/bin/ansible.sh
@@ -22,4 +22,3 @@ ensure_not_root
 cd "$DIR/../ansible"
 ansible-playbook -l localhost "$@"
-/app/ansible/bakery.yml /app/ansible/scan-openscap.yml /app/ansible/scan-gauntlt.yml
From 325a1a0f2eb97e0fb0f4a391c066faae20abef34 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Tue, 13 Aug 2019 14:35:29 -0400
Subject: [PATCH 49/53] Desperation sets in

---
 bin/pack.sh | 1 +
 packer/machines/web-server.json | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/bin/pack.sh b/bin/pack.sh
index 5eee183..ad6bf93 100755
--- a/bin/pack.sh
+++ b/bin/pack.sh
@@ -28,3 +28,4 @@ trap finish EXIT
 DOCKER_PACKER=$(get_docker_packer)
 $DOCKER_PACKER validate app/packer/machines/web-server.json
 $DOCKER_PACKER build app/packer/machines/web-server.json
+find "$BASE_DIR" -name '*.html' | grep -E 'gauntlt|scan'
diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json
index 912a3b9..673f762 100644
--- a/packer/machines/web-server.json
+++ b/packer/machines/web-server.json
@@ -54,6 +54,7 @@
 "bash /app/bin/install-gauntlt.sh",
 "bash /app/bin/install-ansible.sh",
 "bash /app/bin/ansible.sh bakery.yml scan-openscap.yml scan-gauntlt.yml"
+ "find / -name '*.html' | grep -E 'gauntlt|scan'"
 ]
 },
 {
@@ -61,6 +62,12 @@
 "source": "build/",
 "direction": "download",
 "destination": "/app"
+ },
+ {
+ "type": "file",
+ "source": "/app/build",
+ "direction": "download",
+ "destination": "/app/build"
 }
 ]
 }
From d04b7bea10ead1dc7ee5d2133c81dc4d4978f529 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Tue, 13 Aug 2019 14:36:28 -0400
Subject: [PATCH 50/53] Fix JSON syntax

---
 packer/machines/web-server.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
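Review bot: `find "$BASE_DIR" -name '*.html' | grep -E 'gauntlt|scan'` is now the last command of pack.sh, so its status is the script's exit status: when no report matches, grep exits 1 and the Jenkins `sh ("./bin/pack.sh")` step fails even though packer built the image, which is the opposite of what a diagnostic should do. Make the listing non-fatal: `find "$BASE_DIR" -name '*.html' | grep -E 'gauntlt|scan' || true`. The `find / -name '*.html' | grep ...` line added to web-server.json in the same patch has the same property under packer's shell provisioner, whose default shebang stops on the first failing command, and the variants in PATCH 50–52 keep it.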
diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json
index 673f762..81844d1 100644
--- a/packer/machines/web-server.json
+++ b/packer/machines/web-server.json
@@ -53,7 +53,7 @@
 "inline": [
 "bash /app/bin/install-gauntlt.sh",
 "bash /app/bin/install-ansible.sh",
- "bash /app/bin/ansible.sh bakery.yml scan-openscap.yml scan-gauntlt.yml"
+ "bash /app/bin/ansible.sh bakery.yml scan-openscap.yml scan-gauntlt.yml",
 "find / -name '*.html' | grep -E 'gauntlt|scan'"
 ]
 },
From ce753ef95137941972823fc0e10a438b54353f82 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Tue, 13 Aug 2019 15:09:21 -0400
Subject: [PATCH 51/53] Tweak file locations

---
 packer/machines/web-server.json | 10 ++-------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json
index 81844d1..be2e7ff 100644
--- a/packer/machines/web-server.json
+++ b/packer/machines/web-server.json
@@ -54,20 +54,14 @@
 "bash /app/bin/install-gauntlt.sh",
 "bash /app/bin/install-ansible.sh",
 "bash /app/bin/ansible.sh bakery.yml scan-openscap.yml scan-gauntlt.yml",
-  "find / -name '*.html' | grep -E 'gauntlt|scan'"
+ "find / -name '*.html' 2>&1 | grep -E 'gauntlt|scan'; ls -l /app/build"
 ]
 },
 {
 "type": "file",
- "source": "build/",
+ "source": "/app/build/",
 "direction": "download",
 "destination": "/app"
- },
- {
- "type": "file",
- "source": "/app/build",
- "direction": "download",
- "destination": "/app/build"
 }
 ]
 }
From 1aca1db1905e0d47ea8d83e6686cdafa211eb1f1 Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Tue, 13 Aug 2019 15:47:05 -0400
Subject: [PATCH 52/53] Troubleshoot file locations

---
 packer/machines/web-server.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/packer/machines/web-server.json b/packer/machines/web-server.json
index be2e7ff..5194a59 100644
--- a/packer/machines/web-server.json
+++ b/packer/machines/web-server.json
@@ -54,7 +54,8 @@
 "bash /app/bin/install-gauntlt.sh",
 "bash /app/bin/install-ansible.sh",
 "bash /app/bin/ansible.sh bakery.yml scan-openscap.yml scan-gauntlt.yml",
- "find / -name '*.html' 2>&1 | grep -E 'gauntlt|scan'; ls -l /app/build"
+ "find / -name '*.html' 2>/dev/null | grep -E 'gauntlt|scan'",
+ "ls -l /app /app/build"
 ]
 },
 {
From 269e383fc9516a3e9bec63efbd4372a977e0158b Mon Sep 17 00:00:00 2001
From: Richard Bullington-McGuire
Date: Tue, 13 Aug 2019 18:39:08 -0400
Subject: [PATCH 53/53] Fix up domain for test

---
 jmeter/api-spin.jmx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/jmeter/api-spin.jmx b/jmeter/api-spin.jmx
index cc44fcb..0f080db 100644
--- a/jmeter/api-spin.jmx
+++ b/jmeter/api-spin.jmx
@@ -32,7 +32,7 @@
- ${__P(domain,devops-infra-demo.modus.app)}
+ ${__P(domain,devops-infra-demo.moduscreate.com)}
 80