Add script to audit account logins for past 90 days

.gitignore

@@ -0,0 +1,55 @@
+terraform/resources/.DS_Store
+terraform/.DS_Store
+.DS_Store
+
+terraform/resources/ssh/*.tfvars
+terraform/resources/ssh/*.tfstate
+terraform/resources/ssh/*.tfstate.backup
+terraform/resources/ssh/*.tfstate.lock.info
+terraform/resources/ssh/.terraform/
+terraform/resources/ssh/.vagrant/
+terraform/resources/ssh/.sentinel
+
+*.tfstate
+*.tfstate.backup
+*.tfstate.lock.info
+
+*.log
+
+.terraform/
+.vagrant/
+
+*.pem
+
+*.bak
+
+*gitignore*.tf
+
+.DS_Store
+
+.vscode/
+
+operations/automation-script/apply.json
+operations/automation-script/configversion.json
+operations/automation-script/run.template.json
+operations/automation-script/run.json
+operations/automation-script/variable.template.json
+operations/automation-script/variable.json
+operations/automation-script/workspace.template.json
+operations/automation-script/workspace.json
+operations/sentinel-policies-scripts/create-policy.template.json
+operations/sentinel-policies-scripts/create-policy.json
+operations/variable-scripts/variable.template.json
+operations/variable-scripts/variable.json
+
+
+.sentinel
+
+
+.sass-cache/
+.jekyll-metadata
+*.DS_Store
+package.json
+.vscode/settings.json
+*tfstate*
+audit.csv

CONTRIBUTING.md

@@ -1,6 +1,6 @@
-# Contributing to the project
+# Contributing to strongDM Contrib
 
-Thanks for considering contributing to our project!
+Thanks for considering contributing to our project! We welcome contributions from customers, enthusiasts, or anyone interested in strongDM!
 
 You can contribute in any of the following ways:
 * Submitting bugs or feature requests
@@ -25,7 +25,7 @@ In case you want to contribute with code (fixes, new functionalities) or documen
 6. Push changes to your fork
 7. Open a PR in our repository and follow the PR template so that we can efficiently review the changes.
 
-Please consider the following rules when creating your PR (adapted from the [Auth0 Contributing Guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)):
+Please consider the following rules when creating your PR:
 * Only fix/add the functionality in question OR address wide-spread whitespace/style issues, not both.
 * Add unit or integration tests for fixed or changed functionality (if a test suite already exists).
 * Address a single concern in the least number of changed lines as possible.

README.md

@@ -1,21 +1,13 @@
-# Garden Template
-The Garden Template contains sample files you could use for creating new [Code Garden](https://github.com/strongdm/garden) Repositories. It includes templates for:
-* [README](README-sample.md)
-* [License](LICENSE)
-* [Contributing](CONTRIBUTING.md)
-* [Support](SUPPORT.md)
-* Report [bug](.github/ISSUE_TEMPLATE/bug_report.md) or [feature requests](.github/ISSUE_TEMPLATE/feature_request.md)
-* [Pull Request](.github/PULL_REQUEST_TEMPLATE/pull_request_template.md)
-* [Documentation](docs)
+# strongDM Contrib
 
-In order to use this repository, you could:
-* Use it as a Template - Green button at the top of the repo
-* Clone it and manually adjust it - Useful if you want to start a fresh project history
+This repository provides sample code created by strongDM staff, customers, and others. This code may include shell scripts to use with the strongDM CLI, code snippets written for strongDM SDK's, Terraform templates, etc. Generally, this repo is organized by the task you are trying to accomplish (i.e. `authentication` for items related to SSO). So feel free to look around, we hope you find something helpful!
 
-After cloning the repo, remember to: 
-1. Remove this README file
-2. Rename the file README-sample.md to README.md and adjust the content
-3. Adjust the Contributing and Support guidelines
-4. Adjust the templates for bugs and feature requests under the .github folder 
+## Table of Contents
+* [Contributing](#contributing)
+* [Support](#support)
 
-A template repo that can be used as a reference: [Auth0 Open Source Template](https://github.com/auth0/open-source-template)
+## Contributing
+We welcome contributions from customers, enthusiasts, or anyone interested in strongDM! Please refer to the [contributing](CONTRIBUTING.md) page.
+
+## Support
+Code and scripts here are provided AS-IS and may or may not be updated in the future at our discretion. You should review and test any code thoroughly before deploying to production. For details on getting help, please see the [support](SUPPORT.md) guidelines.

SUPPORT.md

@@ -1,8 +1,5 @@
-# Garden Support
+# strongDM Contrib Support
 
-Here's a list of options you could try:
+Code and scripts here are provided AS-IS and may or may not be updated in the future at our discretion. You should review and test any code thoroughly before deploying to production.
 
-* [Documentation](docs)
-* [Discussions](../../discussions)
-
-On Discussions you could receive support from community members willing to point you in the right direction.
+If you do run into bugs or issues with these scripts, please start by searching [Issues](../../issues) or [Discussions](../../discussions). You can start a new discussion to get help from the community, or file a new ticket under Issues as needed. We also encourage you to respond to discussions or issues, and submit pull requests for new code or fixes.

ansible/aws_playbooks/README.md

@@ -0,0 +1,55 @@
+# Self register AWS Ansible Playbooks
+
+## AWS SDM Gateway
+
+Within the playbook there is a vars section you'll need to update within the AWS task and down in the scripts task. Some of the information you'll need to pull from AWS. You can find all EC2 vars examples [here](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html)
+
+- [Self Registering SDM AWS Gateway Playbook](aws_self_register_playbooks/aws-self-register-gateway.yml)
+
+Inside the script you'll need to add your SDM Admin Token.
+
+- [Ansible SDM Gateway Self Register Script](aws_self_register_playbooks/scripts/sdm-gatewayadd.sh)
+
+## AWS SSH Server
+
+Within the playbook there is a vars section you'll need to update within the AWS task and down in the scripts task. Some of the information you'll need to pull from AWS. You can find all EC2 vars examples [here](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html)
+
+- [Self Registering SDM SSH Resource Playbook](aws_self_register_playbooks/aws-self-register-ssh.yml)
+
+Inside the script you'll need to add your SDM Admin Token.
+
+- [Ansible SDM SSH Self Register Script](aws_self_register_playbooks/scripts/sdm-sshadd.sh)
+
+# Single Ansible Playbooks
+
+## SDM Gateway Install
+
+This playbook will run on any host within the inventory file. I've built a full playbook without the need of a script. To target a specific group changes the `hosts:` parameter. It will auto register any AWS machine with a public address.
+
+- [Self Registering SDM Gateway Playbook](playbooks/sdm_gateway_install.yml)
+
+_Example: `ansible-playbook sdm_gateway_install.yml -i sdm-gateways --extra-vars 'SDM_ADMIN_TOKEN={{string for sdm token}}'`_
+
+## SDM Relay Install
+
+This playbook will run on any host within the inventory file. To target a specific group changes the `hosts:` parameter.
+
+- [Self Registering SDM Relay Playbook](playbooks/sdm_relay_install.yml)
+
+_Example: `ansible-playbook sdm_relay_install.yml -i sdm-relays --extra-vars 'SDM_ADMIN_TOKEN={{string for sdm token}}'`_
+
+## SDM SSH Public Cert Install
+
+This playbook will run on any host within the inventory file. To target a specific group changes the `hosts:` parameter. You'll need to pass `SDM_PUB_CA` using `--extra-vars` to append in the public CA. 
+
+_Example: `ansible-playbook sdm_pub_cert_ssh_install.yml -i ssh-servers --extra-vars 'SDM_ADMIN_TOKEN={{string for sdm token}} SDM_PUB_CA={{string for sdm ca}}'`_
+
+- [Self Registering SDM Public SSH Cert Playbook](playbooks/sdm_pub_cert_ssh_install.yml)
+
+## SDM SSH Install
+
+This playbook will run on any host within the inventory file. To target a specific group changes the `hosts:` parameter.
+
+- [Self Registering SDM SSH Playbook](playbooks/sdm_ssh_install.yml)
+
+_Example: `ansible-playbook sdm_ssh_install.yml -i ssh-servers --extra-vars 'SDM_ADMIN_TOKEN={{string for sdm token}}'`_

ansible/aws_playbooks/aws_self_register_playbooks/aws-self-register-gateway.yml

@@ -0,0 +1,56 @@
+---
+# Basic provisioning example
+- name: Ansible AWS Variables
+  vars:
+      aws_region: 
+      aws_key_pair: 
+      aws_instance_type: 
+      aws_image_id: 
+      aws_subnet_id: 
+      aws_sec_group_name: 
+      instance_name: 
+      user_name: 
+  hosts: localhost
+  tasks:
+    - name: launching AWS instance using Ansible
+      ec2:
+        #Set AWS Region
+        region: "{{ aws_region }}"
+        #Set key pair in AWS
+        key_name: "{{ aws_key_pair }}"
+        #Set instance size
+        instance_type: "{{ aws_instance_type }}"
+        #Update AWS Image ID (Region specific)
+        image: "{{ aws_image_id }}"
+        wait: yes
+        count: 1
+        #Enter VPC Subnet ID
+        vpc_subnet_id: "{{ aws_subnet_id }}"
+        assign_public_ip: yes
+        #Enter AWS Security Group Name
+        group: "{{ aws_sec_group_name }}"
+        #Add Tags as needed
+        instance_tags:
+          Name: "{{ instance_name }}"
+          Creator: Ansible
+      register: ec2_sdm
+    - name: Add new instance to SDM's host group
+      add_host:
+        hostname: "{{ item.public_ip }}"
+        groupname: ec2sdm
+      with_items: "{{ ec2_sdm.instances }}"
+    - name: Let's wait for SSH to come up. Usually that takes ~10 seconds
+      local_action: wait_for 
+        host={{ item.public_ip }} 
+        port=22 
+        state=started
+      with_items: '{{ ec2_sdm.instances }}'
+#Self Registered Example
+- hosts: ec2sdm
+  name: configuration play
+  user: ubuntu
+  become: yes
+  gather_facts: true
+  tasks:
+    #Update Path to script
+    - script: scripts/sdm-gatewayadd.sh

ansible/aws_playbooks/aws_self_register_playbooks/aws-self-register-ssh.yml

@@ -0,0 +1,58 @@
+---
+# Basic provisioning example
+- name: Ansible test
+  vars:
+      aws_region: 
+      aws_key_pair:
+      aws_instance_type:
+      aws_image_id:
+      aws_subnet_id:
+      aws_sec_group_name:
+      instance_name:
+      instance_count:
+  hosts: localhost
+  tasks:
+    - name: launching AWS instance using Ansible
+      ec2:
+        #Set AWS Region
+        region: '{{ aws_region }}'
+        #Set key pair in AWS
+        key_name: '{{ aws_key_pair }}'
+        #Set instance size
+        instance_type: '{{ aws_instance_type }}'
+        #Update AWS Image ID (Region specific)
+        image: '{{ aws_image_id }}'
+        wait: yes
+        count: '{{ instance_count }}'
+        #Enter VPC Subnet ID
+        vpc_subnet_id: '{{ aws_subnet_id }}'
+        assign_public_ip: yes
+        #Enter AWS Security Group Name
+        group: '{{ aws_sec_group_name }}'
+        #Add Tags as needed
+        instance_tags:
+          Name: '{{ instance_name }}'
+          Creator: Ansible
+      register: ec2_sdm
+    - name: Add new instance to SDM's host group
+      add_host:
+        hostname: '{{ item.public_ip }}'
+        groupname: launched-ec2-sdm
+      with_items: '{{ ec2_sdm.instances }}'
+    - name: Let's wait for SSH to come up. Usually that takes ~10 seconds
+      local_action: wait_for 
+        host={{ item.public_ip }} 
+        port=22 
+        state=started
+      with_items: '{{ ec2_sdm.instances }}'
+#Self Registered Example
+- hosts: launched-ec2-sdm
+  vars:
+    username: 
+  name: configuration play
+  user: '{{ username }}'
+  become: yes
+  gather_facts: true
+  tasks:
+    #Update Path to script
+    - script: scripts/sdm-sshadd.sh

ansible/aws_playbooks/aws_self_register_playbooks/scripts/sdm-gatewayadd.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+apt update && apt upgrade -y
+apt install zip curl wget -y
+curl -J -O -L https://app.strongdm.com/releases/cli/linux
+unzip *.zip
+export SDM_ADMIN_TOKEN={{ SDM_ADMIN_TOKEN }}
+export INSTANCE_HOSTNAME=$(curl http://169.254.169.254/latest/meta-data/public-hostname)
+export SDM_RELAY_TOKEN=`./sdm relay create-gateway $INSTANCE_HOSTNAME:5000 0.0.0.0:5000`
+unset SDM_ADMIN_TOKEN
+./sdm install --relay --token=$SDM_RELAY_TOKEN

ansible/aws_playbooks/aws_self_register_playbooks/scripts/sdm-sshadd.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+ export SDM_ADMIN_TOKEN= {{ SDM_ADMIN_TOKEN }}
+ apt update
+ apt install -y unzip
+ curl -o sdm.zip -L https://app.strongdm.com/releases/cli/linux
+ unzip sdm.zip
+ ./sdm admin ssh add \
+   -p `curl http://169.254.169.254/latest/meta-data/instance-id` \
+   $USERNAME@`curl http://169.254.169.254/latest/meta-data/public-hostname` \
+   | tee -a "/home/$USERNAME/.ssh/authorized_keys"
+ ./sdm admin roles grant `curl http://169.254.169.254/latest/meta-data/instance-id` {{ SDM_Role }}
+ rm sdm.zip