Put in root checks, refactor functions

.gitignore

@@ -11,6 +11,7 @@
 /terraform/tf.plan
 __pycache__
 build/
+tmp/
 jmeter.log
 scan-xccdf-results.html
 scan-xccdf-results.xml

Jenkinsfile

@@ -165,24 +165,27 @@ if (params.Run_Packer) {
         node {
             wrap.call({
                 unstash 'src'
-                sh ("./bin/pack.sh")
-                archive (includes: 'build/**')
-                publishHTML (target: [
-                    allowMissing: true,
-                    alwaysLinkToLastBuild: false,
-                    keepAll: true,
-                    reportDir: 'build',
-                    reportFiles: 'scan-xccdf-results.html',
-                    reportName: "OpenSCAP Report"
-                ])
-                publishHTML (target: [
-                    allowMissing: true,
-                    alwaysLinkToLastBuild: false,
-                    keepAll: true,
-                    reportDir: 'build',
-                    reportFiles: 'gauntlt-results.txt',
-                    reportName: "Gauntlt Report"
-                ])
+                try {
+                    sh ("./bin/pack.sh")
+                } finally {
+                    archiveArtifacts artifacts: 'build/**', fingerprint: true
+                    publishHTML (target: [
+                        allowMissing: true,
+                        alwaysLinkToLastBuild: false,
+                        keepAll: true,
+                        reportDir: 'build',
+                        reportFiles: 'scan-xccdf-results.html',
+                        reportName: "OpenSCAP Report"
+                    ])
+                    publishHTML (target: [
+                        allowMissing: true,
+                        alwaysLinkToLastBuild: false,
+                        keepAll: true,
+                        reportDir: 'build',
+                        reportFiles: 'gauntlt-results.html',
+                        reportName: "Gauntlt Report"
+                    ])
+                }
             })
         }
     }

Vagrantfile

@@ -1,8 +1,8 @@
 Vagrant.configure("2") do |config|
   config.vm.box = "bento/centos-7.5"
   config.vm.synced_folder ".", "/app"
-  config.vm.provision "shell", inline: "/app/bin/install-gauntlt.sh", upload_path: "/home/vagrant/install-gauntlt.sh"
-  config.vm.provision "shell", inline: "/app/bin/install-ansible.sh", upload_path: "/home/vagrant/install-ansible.sh"
-  config.vm.provision "shell", inline: "cd /app/ansible && ansible-playbook  -l localhost bakery.yml app-AfterInstall.yml app-StartServer.yml", upload_path: "/home/vagrant/apl.sh"
+  config.vm.provision "shell", inline: "/app/bin/install-gauntlt.sh", upload_path: "/home/vagrant/install-gauntlt.sh", privileged: false
+  config.vm.provision "shell", inline: "/app/bin/install-ansible.sh", upload_path: "/home/vagrant/install-ansible.sh", privileged: false
+  config.vm.provision "shell", inline: "/app/bin/ansible.sh bakery.yml scan-openscap.yml scan-gauntlt.yml app-AfterInstall.yml app-StartServer.yml ", upload_path: "/home/vagrant/ansible.sh", privileged: false
   config.vm.network "forwarded_port", guest: 80, host: 6080, auto_correct: true
 end

ansible/bakery.yml

@@ -33,6 +33,8 @@
     - nginxinc.nginx
     - prepare-web-content
     - prepare-codedeploy
+  vars:
+    nginx_start: false
 
 
 - name: Harden Server
@@ -42,5 +44,3 @@
   roles:
     - extra-cis-remediation
     #- MindPointGroup.RHEL7-CIS
-    - scan-openscap
-    - scan-gauntlt

ansible/gauntlt-results.txt

@@ -100,3 +100,207 @@ cucumber /app/gauntlt/simple-env-var.attack:16 # Scenario: Verify server is avai
 6 scenarios (1 failed, 5 passed)
 27 steps (1 failed, 2 skipped, 24 passed)
 0m14.558s
+Feature: OS detection
+
+  Background:                  # /app/gauntlt/os_detection.attack:3
+    Given "nmap" is installed  # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:4
+    And the following profile: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:9
+      | name     | value           |
+      | hostname | scanme.nmap.org |
+
+  @slow
+  Scenario: Detect OS                    # /app/gauntlt/os_detection.attack:10
+    When I launch an "nmap" attack with: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8
+      """
+      nmap -sV -p80 -PN <hostname>
+      """
+    Then the output should contain:      # aruba-0.7.4/lib/aruba/cucumber.rb:182
+      """
+      Apache
+      """
+
+@slow
+Feature: nmap attacks for scanme.nmap.org and to use this for your tests, change the value in the profile
+
+  Background:                  # /app/gauntlt/nmap.attack:4
+    Given "nmap" is installed  # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:4
+    And the following profile: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:9
+      | name           | value           |
+      | hostname       | scanme.nmap.org |
+      | host           | scanme.nmap.org |
+      | tcp_ping_ports | 22,25,80,443    |
+
+  Scenario: Verify server is open on expected set of ports using the nmap-fast attack step # /app/gauntlt/nmap.attack:12
+Checking nmap-fast and nmap-fastRunning a nmap-fast attack. This attack has this description:
+ This is a fast nmap scan that should run in 10 seconds or less on most networks.  It looks for the most common ports and services.
+    When I launch a "nmap-fast" attack                                                     # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:12
+    Then the output should match /80.tcp\s+open/                                           # aruba-0.7.4/lib/aruba/cucumber.rb:206
+
+  Scenario: Verify server is open on expected set of ports using the nmap fast flag # /app/gauntlt/nmap.attack:16
+    When I launch an "nmap" attack with:                                            # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8
+      """
+      nmap -F <hostname>
+      """
+    Then the output should match:                                                   # aruba-0.7.4/lib/aruba/cucumber.rb:210
+      """
+      80/tcp\s+open
+      """
+
+  Scenario: Verify that there are no unexpected ports open # /app/gauntlt/nmap.attack:26
+    When I launch an "nmap" attack with:                   # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8
+      """
+      nmap -F <hostname>
+      """
+    Then the output should not contain:                    # aruba-0.7.4/lib/aruba/cucumber.rb:186
+      """
+      22/tcp
+      25/tcp
+      """
+
+  Scenario: Output to XML                          # /app/gauntlt/nmap.attack:37
+    When I launch an "nmap" attack with:           # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8
+      """
+      nmap -p 80,443 -oX foo.xml <hostname>
+      """
+    And the file "foo.xml" should contain XML:     # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:15
+      | css                                                         |
+      | ports port[protocol="tcp"][portid="80"] state[state="open"] |
+    And the file "foo.xml" should not contain XML: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:21
+      | css                                                          |
+      | ports port[protocol="tcp"][portid="123"] state[state="open"] |
+      | ports port[protocol="tcp"][portid="443"] state[state="open"] |
+
+@slow
+Feature: simple nmap attack (sanity check)
+
+  Background:                                # /app/gauntlt/simple-env-var.attack:4
+    Given "nmap" is installed                # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:4
+    And the following environment variables: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:3
+      | name     | environment_variable_name |
+      | hostname | TEST_HOSTNAME             |
+    And the following profile:               # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:9
+      | name       | value |
+      | https_port | 443   |
+      | http_port  | 80    |
+
+  Scenario: Verify server is available on standard web ports # /app/gauntlt/simple-env-var.attack:16
+    When I launch an "nmap" attack with:                     # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8
+      """
+      nmap -p <http_port>,<https_port> <hostname>
+      """
+      no implicit conversion of nil into String (TypeError)
+      /app/gauntlt/simple-env-var.attack:17:in `When I launch an "nmap" attack with:'
+    Then the output should match /80.tcp\s+open/             # aruba-0.7.4/lib/aruba/cucumber.rb:206
+    And the output should not match:                         # aruba-0.7.4/lib/aruba/cucumber.rb:219
+      """
+      443/tcp\s+open 
+      """
+
+Failing Scenarios:
+cucumber /app/gauntlt/simple-env-var.attack:16 # Scenario: Verify server is available on standard web ports
+
+6 scenarios (1 failed, 5 passed)
+27 steps (1 failed, 2 skipped, 24 passed)
+0m17.076s
+Feature: OS detection
+
+  Background:                  # /app/gauntlt/os_detection.attack:3
+    Given "nmap" is installed  # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:4
+    And the following profile: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:9
+      | name     | value           |
+      | hostname | scanme.nmap.org |
+
+  @slow
+  Scenario: Detect OS                    # /app/gauntlt/os_detection.attack:10
+    When I launch an "nmap" attack with: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8
+      """
+      nmap -sV -p80 -PN <hostname>
+      """
+    Then the output should contain:      # aruba-0.7.4/lib/aruba/cucumber.rb:182
+      """
+      Apache
+      """
+
+@slow
+Feature: nmap attacks for scanme.nmap.org and to use this for your tests, change the value in the profile
+
+  Background:                  # /app/gauntlt/nmap.attack:4
+    Given "nmap" is installed  # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:4
+    And the following profile: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:9
+      | name           | value           |
+      | hostname       | scanme.nmap.org |
+      | host           | scanme.nmap.org |
+      | tcp_ping_ports | 22,25,80,443    |
+
+  Scenario: Verify server is open on expected set of ports using the nmap-fast attack step # /app/gauntlt/nmap.attack:12
+Checking nmap-fast and nmap-fastRunning a nmap-fast attack. This attack has this description:
+ This is a fast nmap scan that should run in 10 seconds or less on most networks.  It looks for the most common ports and services.
+    When I launch a "nmap-fast" attack                                                     # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:12
+    Then the output should match /80.tcp\s+open/                                           # aruba-0.7.4/lib/aruba/cucumber.rb:206
+
+  Scenario: Verify server is open on expected set of ports using the nmap fast flag # /app/gauntlt/nmap.attack:16
+    When I launch an "nmap" attack with:                                            # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8
+      """
+      nmap -F <hostname>
+      """
+    Then the output should match:                                                   # aruba-0.7.4/lib/aruba/cucumber.rb:210
+      """
+      80/tcp\s+open
+      """
+
+  Scenario: Verify that there are no unexpected ports open # /app/gauntlt/nmap.attack:26
+    When I launch an "nmap" attack with:                   # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8
+      """
+      nmap -F <hostname>
+      """
+    Then the output should not contain:                    # aruba-0.7.4/lib/aruba/cucumber.rb:186
+      """
+      22/tcp
+      25/tcp
+      """
+
+  Scenario: Output to XML                          # /app/gauntlt/nmap.attack:37
+    When I launch an "nmap" attack with:           # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8
+      """
+      nmap -p 80,443 -oX foo.xml <hostname>
+      """
+    And the file "foo.xml" should contain XML:     # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:15
+      | css                                                         |
+      | ports port[protocol="tcp"][portid="80"] state[state="open"] |
+    And the file "foo.xml" should not contain XML: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:21
+      | css                                                          |
+      | ports port[protocol="tcp"][portid="123"] state[state="open"] |
+      | ports port[protocol="tcp"][portid="443"] state[state="open"] |
+
+@slow
+Feature: simple nmap attack (sanity check)
+
+  Background:                                # /app/gauntlt/simple-env-var.attack:4
+    Given "nmap" is installed                # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:4
+    And the following environment variables: # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:3
+      | name     | environment_variable_name |
+      | hostname | TEST_HOSTNAME             |
+    And the following profile:               # gauntlt-1.0.13/lib/gauntlt/attack_adapters/gauntlt.rb:9
+      | name       | value |
+      | https_port | 443   |
+      | http_port  | 80    |
+
+  Scenario: Verify server is available on standard web ports # /app/gauntlt/simple-env-var.attack:16
+    When I launch an "nmap" attack with:                     # gauntlt-1.0.13/lib/gauntlt/attack_adapters/nmap.rb:8
+      """
+      nmap -p <http_port>,<https_port> <hostname>
+      """
+      no implicit conversion of nil into String (TypeError)
+      /app/gauntlt/simple-env-var.attack:17:in `When I launch an "nmap" attack with:'
+    Then the output should match /80.tcp\s+open/             # aruba-0.7.4/lib/aruba/cucumber.rb:206
+    And the output should not match:                         # aruba-0.7.4/lib/aruba/cucumber.rb:219
+      """
+      443/tcp\s+open 
+      """
+
+Failing Scenarios:
+cucumber /app/gauntlt/simple-env-var.attack:16 # Scenario: Verify server is available on standard web ports
+
+6 scenarios (1 failed, 5 passed)
+27 steps (1 failed, 2 skipped, 24 passed)
+0m14.169s

ansible/roles/scan-gauntlt/defaults/main.yml

@@ -3,4 +3,4 @@
 gauntlt_version: "1.0.8"
 build_dir: /app/build/
 gauntlt_attacks: /app/gauntlt/*.attack
-output_file_html: gauntlt-results.txt
+output_file_html: /app/build/gauntlt-results.html

ansible/roles/scan-gauntlt/tasks/main.yml

@@ -9,4 +9,4 @@
     mode: 0775
 
 - name: Scan using gauntlt
-  shell: gauntlt "{{ gauntlt_attacks }}" | cat >> "{{ build_dir}}""{{ output_file_html }}" 
+  command: gauntlt -f html -o "{{ output_file_html }}" "{{ gauntlt_attacks }}"

ansible/roles/scan-openscap/defaults/main.yml

@@ -1,7 +1,7 @@
 ---
 # defaults file for scan-oscap
 build_dir: /app/build
-output_file_html: scan-xccdf-results.html
-output_file_xml: scan-xccdf-results.xml
+output_file_html: /app/build/scan-xccdf-results.html
+output_file_xml: /app/build/scan-xccdf-results.xml
 profile: C2S
 xccdf_file: /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml

ansible/roles/scan-openscap/tasks/main.yml

@@ -14,8 +14,8 @@
 
 - name: Scan with OpenSCAP
   shell: |
-    eet -euo pipefail
-    ed {{ build_dir }}
+    set -euo pipefail
+    cd {{ build_dir }}
     # This will have a non-zero exit if any of the scans fail, so do not fail immediately on that
     set +e
     oscap xccdf eval --fetch-remote-resources --profile {{ profile }} --results {{ output_file_xml }} {{ xccdf_file }}

ansible/scan-gauntlt.yml

@@ -0,0 +1,9 @@
+---
+# Thanks https://www.tricksofthetrades.net/2017/10/02/ansible-local-playbooks/ for
+# the trick on installing locally using "hosts: 127.0.0.1" and "connection:local"
+
+- name: Scan Server with Gauntlt
+  hosts: 127.0.0.1
+  connection: local
+  roles:
+    - scan-gauntlt

ansible/scan.yml → ansible/scan-openscap.yml

@@ -2,7 +2,7 @@
 # Thanks https://www.tricksofthetrades.net/2017/10/02/ansible-local-playbooks/ for
 # the trick on installing locally using "hosts: 127.0.0.1" and "connection:local"
 
-- name: Scan Server
+- name: Scan Server with OpenSCAP
   hosts: 127.0.0.1
   connection: local
   become: yes

bin/activate-rvm.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+# Activate rvm
+# Source this to activate RVM
+
+RVM_SH=${RVM_SH:-$HOME/.rvm/scripts/rvm}
+RUBY_VERSION=${RUBY_VERSION:-2.6.3}
+
+# rvm hates the bash options -eu
+
+if [[ ! -f "$RVM_SH" ]]; then
+    echo "Error: $0: RVM_SH $RVM_SH not found"
+    exit 1
+fi
+set +eu
+#shellcheck disable=SC1091,SC1090
+. "$RVM_SH"
+rvm reload
+rvm install "$RUBY_VERSION"
+rvm alias create default ruby-"$RUBY_VERSION"
+rvm list
+rvm use "$RUBY_VERSION" --default
+# We don't reactivate -u because even doing a "cd" will invoke an rvm
+# function in .rvm/scripts/cd that bombs with:
+# .rvm/scripts/functions/environment: line 267: rvm_bash_nounset: unbound variable
+
+set -e
+ruby --version
+

bin/ansible.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+# Run ansible 
+#
+# Set bash unofficial strict mode http://redsymbol.net/articles/unofficial-bash-strict-mode/
+set -euo pipefail
+
+# Set DEBUG to true for enhanced debugging: run prefixed with "DEBUG=true"
+${DEBUG:-false} && set -vx
+# Credit to https://stackoverflow.com/a/17805088
+# and http://wiki.bash-hackers.org/scripting/debuggingtips
+export PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
+
+# Credit to http://stackoverflow.com/a/246128/424301
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# shellcheck disable=SC1090
+. "$DIR/common.sh"
+# shellcheck disable=SC1090
+. "$DIR/activate-rvm.sh"
+
+ensure_not_root
+
+cd "$DIR/../ansible"
+ansible-playbook -l localhost "$@"