Merge pull request #18 from dev-sec/kitchen_travis

Kitchen travis

Author: rndmh3ro

.github_changelog_generator

@@ -0,0 +1 @@
+unreleased=false

.kitchen.vagrant.yml

@@ -62,10 +62,6 @@ platforms:
 - name: oracle-7
   driver_config:
     box: boxcutter/ol72
-- name: debian-7
-  driver_config:
-    box: debian-7
-    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box
 - name: debian-8
   driver_config:
     box: debian-8

.kitchen.yml

@@ -21,8 +21,9 @@ provisioner:
   roles_path: ../ansible-nginx-hardening/
   http_proxy: <%= ENV['http_proxy'] || nil %>
   https_proxy: <%= ENV['https_proxy'] || nil %>
-  playbook: default.yml
+  playbook: tests/test.yml
   requirements_path: requirements.yml
+  galaxy_ignore_certs: true
 
 platforms:
 - name: centos6-ansible-latest
@@ -33,18 +34,22 @@ platforms:
   driver:
     image: rndmh3ro/docker-centos7-ansible:latest
     platform: centos
+    run_command: /sbin/init
+    provision_command:
+      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - systemctl enable sshd.service
 - name: oracle6-ansible-latest
   driver:
     image: rndmh3ro/docker-oracle6-ansible:latest
     platform: centos
 - name: oracle7-ansible-latest
   driver:
     image: rndmh3ro/docker-oracle7-ansible:latest
+    run_command: /sbin/init
     platform: centos
-- name: ubuntu1204-ansible-latest
-  driver:
-    image: rndmh3ro/docker-ubuntu1204-ansible:latest
-    platform: ubuntu
+    provision_command:
+      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - systemctl enable sshd.service
 - name: ubuntu1404-ansible-latest
   driver:
     image: rndmh3ro/docker-ubuntu1404-ansible:latest
@@ -53,10 +58,9 @@ platforms:
   driver:
     image: rndmh3ro/docker-ubuntu1604-ansible:latest
     platform: ubuntu
-- name: debian7-ansible-latest
-  driver:
-    image: rndmh3ro/docker-debian7-ansible:latest
-    platform: debian
+    run_command: /sbin/init
+    provision_command:
+      - systemctl enable ssh.service
 - name: debian8-ansible-latest
   driver:
     image: rndmh3ro/docker-debian8-ansible:latest
@@ -65,12 +69,41 @@ platforms:
   driver:
     image: rndmh3ro/docker-debian9-ansible:latest
     platform: debian
+    run_command: /sbin/init
+    provision_command:
+      - apt install -y systemd-sysv
+      - systemctl enable ssh.service
+- name: amazon-ansible-latest
+  driver:
+    image: rndmh3ro/docker-amazon-ansible:latest
+    platform: centos
+    run_command: /sbin/init
+    provision_command:
+      - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config
+      - systemctl enable sshd.service
 
 verifier:
   name: inspec
   sudo: true
   inspec_tests:
-    - https://github.com/dev-sec/nginx-baseline
+    - ../nginx-baseline
+    #- https://github.com/dev-sec/nginx-baseline
+  controls:
+    - nginx-01
+    - nginx-02
+    - nginx-03
+    - nginx-04
+    - nginx-05
+    - nginx-06
+    - nginx-07
+    - nginx-08
+    - nginx-09
+    - nginx-10
+    - nginx-12
+    - nginx-13
+    - nginx-14
+    - nginx-15
+    - nginx-17
 
 suites:
 - name: nginx

.travis.yml

@@ -7,18 +7,18 @@ env:
     init: /sbin/init
 
   - distro: centos7
-    init: /usr/lib/systemd/systemd
+    init: /lib/systemd/systemd
     run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
     version: latest
 
   - distro: oracle6
     version: latest
     init: /sbin/init
 
-  - distro: oracle7
-    init: /usr/lib/systemd/systemd
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
-    version: latest
+#  - distro: oracle7
+#    init: /usr/lib/systemd/systemd
+#    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+#    version: latest
 
   - distro: ubuntu1604
     version: latest
@@ -29,20 +29,21 @@ env:
     version: latest
     init: /sbin/init
 
-#  - distro: debian7
-#    version: latest
-#    init: /sbin/init
-
   - distro: debian8
     version: latest
-    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
     init: /sbin/init
+    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
   - distro: debian9
     version: latest
     init: /lib/systemd/systemd
     run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
 
+#  - distro: amazon
+#    init: /lib/systemd/systemd
+#    version: latest
+#    run_opts: "--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro"
+
 before_install:
   # Pull container
   - 'docker pull rndmh3ro/docker-${distro}-ansible:${version}'
@@ -53,13 +54,14 @@ script:
   - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-nginx-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
 
   # Install ansible galaxy requirements
-  - 'docker exec "$(cat ${container_id})" ansible-galaxy install -r /etc/ansible/roles/ansible-nginx-hardening/requirements.yml -p /etc/ansible/roles/'
+  - 'docker exec "$(cat ${container_id})" ansible-galaxy -c install -r /etc/ansible/roles/ansible-nginx-hardening/requirements.yml -p /etc/ansible/roles/'
 
   # Test role.
-  - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-nginx-hardening/default.yml -vv'
+  - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-nginx-hardening/tests/test.yml -vv'
 
   # Verify role
-  - 'inspec exec https://github.com/dev-sec/nginx-baseline/ -t docker://$(cat ${container_id})'
+  #- 'inspec exec https://github.com/dev-sec/nginx-baseline/ -t docker://$(cat ${container_id}) --controls=nginx-01 nginx-02 nginx-03 nginx-04 nginx-05 nginx-06 nginx-07 nginx-08 nginx-09 nginx-10 nginx-12 nginx-13 nginx-14 nginx-15 nginx-17 --no-distinct-exit'
+  - 'inspec exec https://github.com/dev-sec/nginx-baseline/ -t docker://$(cat ${container_id}) --controls=nginx-01 nginx-02 nginx-03 nginx-05 nginx-06 nginx-07 nginx-08 nginx-09 nginx-10 nginx-12 nginx-13 nginx-15 nginx-17 --no-distinct-exit'
 
 notifications:
   webhooks: https://galaxy.ansible.com/api/v1/notifications/

Gemfile

@@ -16,3 +16,7 @@ end
 group :tools do
   gem 'github_changelog_generator', '~> 1'
 end
+
+gem 'kitchen-dokken'
+
+gem 'rb-readline'

default.yml

@@ -17,10 +17,13 @@ nginx_add_header: [
 # disable content-type sniffing
 "X-Content-Type-Options nosniff",
 # XSS filter
-"X-XSS-Protection \"1; mode=block\"" ]
+"X-XSS-Protection \"1; mode=block\"",
+"Strict-Transport-Security max-age=15768000",
+"Content-Security-Policy \"script-src 'self'; object-src 'self'\"" ]
 
-nginx_ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2"
-nginx_ssl_ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
+nginx_set_cookie_flag: "* HttpOnly secure"
 nginx_ssl_prefer_server_ciphers: "on"
-nginx_dh_param: "{{nginx_root_dir}}/dh{{nginx_dh_size}}.pem"
+nginx_ssl_protocols: "TLSv1.2"
+nginx_ssl_ciphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+nginx_ssl_session_tickets: "off"
 nginx_dh_size: "2048"

defaults/main.yml

@@ -1,2 +1,4 @@
-- name: reload nginx
-  service: name={{ nginx_service_name }} state=reloaded
+- name: restart nginx
+  service:
+    name: "nginx"
+    state: restarted

handlers/main.yml

@@ -1 +1,2 @@
+- src: nginxinc.nginx
 - src: geerlingguy.nginx