CIS controls and e2e tests (#9)

Compliance & E2E test

.github/workflows/molecule.yml

@@ -12,13 +12,9 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: checkout
-        uses: actions/checkout@v3
-        with:
-          path: "${{ github.repository }}"
-      - name: molecule
-        uses: robertdebock/[email protected]
-        with:
-          command: lint
+        uses: actions/checkout@v4
+      - name: ansible-lint
+        uses: ansible-community/ansible-lint-action@main
   test:
     needs:
       - lint
@@ -27,11 +23,11 @@ jobs:
       fail-fast: false
     steps:
       - name: checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: "${{ github.repository }}"
       - name: molecule
-        uses: robertdebock/molecule-action@2.7.2
+        uses: robertdebock/molecule-action@6.0.1
         with:
           image: ${{ matrix.config.image }}
           tag: ${{ matrix.config.tag }}

.yamllint

@@ -2,9 +2,10 @@
 extends: default
 
 rules:
+  line-length:
+    max: 160
+    allow-non-breakable-words: true
+    allow-non-breakable-inline-mappings: false
   truthy:
     allowed-values: ['true', 'false']
     check-keys: false
-
-ignore: |
-  .tox/

README.md

@@ -1,6 +1,6 @@
-[![Galaxy](https://img.shields.io/badge/galaxy-dockpack.base__rsyslog-blue.svg?style=flat)](https://galaxy.ansible.com/dockpack/base_rsyslog)
-![Build Status](https://travis-ci.com/dockpack/base_rsyslog.svg?branch=master)
-
 # base_rsyslog
 
-Ansible role to configure syslog in a compliant way.
+## Ansible role to configure rsyslog in a C2S compliant way.
+- Includes CIS benchmark verification with Molecule.
+- Includes an end-to-end test with a client and server docker network.
+- Configures client and server

defaults/main.yml

@@ -1,3 +1,19 @@
 ---
 
-log_host: 'loghost'
+# Define loghost address and define inventory group
+#
+# [loghost]
+# syslog_host: '127.0.0.1'
+
+# default syslog port
+syslog_port: 514
+syslog_tls: 'off'
+
+# other configs will be deleted
+rsyslog_allowed_configs:
+  - /etc/rsyslog.d/01_modules.conf
+  - /etc/rsyslog.d/02_rules.conf
+  - /etc/rsyslog.d/21-cloudinit.conf
+  - /etc/rsyslog.conf
+
+...

handlers/main.yml

@@ -1,12 +1,11 @@
 ---
-- name: 'Remove sysklogd'
-  yum:
-    name: sysklogd
-    state: absent
 
-- name: 'Restart rsyslog'
-  service:
+- name: Reload systemd
+  ansible.builtin.command: systemctl daemon-reexec  # noqa: command-instead-of-module
+  changed_when: true
+
+- name: Restart rsyslog
+  ansible.builtin.systemd:
     name: rsyslog
     state: restarted
-  tags:
-    - rsyslog
+...

meta/main.yml

@@ -2,7 +2,7 @@
 
 galaxy_info:
   author: Bas Meijer
-  description: RSyslog
+  description: CIS compliant remote Syslog with e2e tests
   company: dockpack
   role_name: base_rsyslog
   namespace: dockpack

molecule/default/converge.yml

@@ -3,6 +3,8 @@
   hosts: all
   vars:
     this_role: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+    syslog_host: '10.16.0.10'
+    syslog_tls: 'off'
 
   tasks:
     - name: "Include {{ this_role }}"

molecule/default/molecule.yml

@@ -4,19 +4,47 @@ dependency:
   name: galaxy
 driver:
   name: docker
-lint: |
-  set -e
-  yamllint .
-  ansible-lint
 platforms:
-  - name: base-rsyslog
+  - name: rsyslog-server
     image: dokken/almalinux-8
     pre_build_image: true
     command: /sbin/init
     privileged: true
     cgroupns_mode: host
     capabilities:
-      - CAP_NET_BIND_SERVICE
+      - SYS_ADMIN
+    docker_networks:
+      - name: 'syslog'
+        ipam_config:
+          - subnet: '10.16.0.0/24'
+    networks:
+      - name: "syslog"
+        ipv4_address: '10.16.0.10'
+    published_ports:
+      - 127.0.0.1:9514:514
+    groups:
+      - loghost
+    tmpfs:
+      - /run
+      - /tmp
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+      - /var/lib/containerd
+  - name: rsyslog-client
+    image: dokken/almalinux-8
+    pre_build_image: true
+    command: /sbin/init
+    privileged: true
+    cgroupns_mode: host
+    capabilities:
+      - SYS_ADMIN
+    docker_networks:
+      - name: 'syslog'
+        ipam_config:
+          - subnet: '10.16.0.0/24'
+    networks:
+      - name: "syslog"
+        ipv4_address: '10.16.0.11'
     tmpfs:
       - /run
       - /tmp
@@ -28,6 +56,8 @@ provisioner:
   config_options:
     defaults:
       stdout_callback: yaml
+      callbacks_enabled: profile_tasks, timer
       executable: /bin/bash
+      remote_tmp: /tmp/.ansible
 verifier:
   name: ansible

molecule/default/verify.yml

@@ -1,61 +1,60 @@
 ---
-# This is an example playbook to execute goss tests.
-# Tests need distributed to the appropriate ansible host/groups
-# prior to execution by `goss validate`.
-
 - name: Verify
-  hosts: all
-  become: true
+  hosts: rsyslog-client
   vars:
-    goss_version: v0.3.7
-    goss_arch: amd64
-    goss_dst: /usr/local/bin/goss
-    # yamllint disable-line rule:line-length
-    goss_sha256sum: 357f5c7f2e7949b412bce44349cd32ab19eb3947255a8ac805f884cc2c326059
-    # yamllint disable-line rule:line-length
-    goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version }}/goss-linux-{{ goss_arch }}"
-    goss_test_directory: /tmp
-    goss_format: tap
+    this_role: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+
+  tasks:
+    - name: Gather package facts
+      ansible.builtin.package_facts:
+        manager: rpm
+
+    - name: Gather service facts
+      ansible.builtin.service_facts:
+
+    - name: Audit rsyslog
+      ansible.builtin.include_role:
+        name: "{{ this_role }}"
+        tasks_from: verify
+
+- name: Test E2E security events
+  hosts: rsyslog-client
+
   tasks:
-    - name: Download and install Goss
-      get_url:
-        url: "{{ goss_url }}"
-        dest: "{{ goss_dst }}"
-        checksum: "sha256:{{ goss_sha256sum }}"
-        mode: 0755
-      register: download_goss
-      until: download_goss is succeeded
-      retries: 3
-
-    - name: Copy Goss tests to remote
-      copy:
-        src: "{{ item }}"
-        dest: "{{ goss_test_directory }}/{{ item | basename }}"
-        mode: 0644
-      with_fileglob:
-        - "{{ lookup('env', 'MOLECULE_VERIFIER_TEST_DIRECTORY') }}/test_*.yml"
-
-    - name: Register test files
-      shell: "ls {{ goss_test_directory }}/test_*.yml"
+    - name: Test a privileged useradd operation
+      ansible.builtin.user:
+        name: test_user
+        shell: /bin/bash
+
+    - name: Test a command as test_ user
+      become: true
+      become_user: test_user
+      ansible.builtin.command: id
       changed_when: false
-      register: test_files
 
-    - name: Execute Goss tests
-      environment:
-        # yamllint disable-line rule:line-length
-        PATH: '/opt/rh/rh-git218/root/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
-      command: "{{ goss_dst }} -g {{ item }} validate -f {{ goss_format }}"
+    - name: Test a command as root
+      become: true
+      ansible.builtin.command: 'ps -ef'
       changed_when: false
-      register: test_results
-      with_items: "{{ test_files.stdout_lines }}"
-
-    - name: Display details about the Goss results
-      debug:
-        msg: "{{ item.stdout_lines }}"
-      with_items: "{{ test_results.results }}"
-
-    - name: Fail when tests fail
-      fail:
-        msg: "Goss failed to validate"
-      when: item.rc != 0
-      with_items: "{{ test_results.results }}"
+      register: processes
+
+    - name: List processes
+      ansible.builtin.debug:
+        msg: "{{ processes.stdout_lines }}"
+        verbosity: 2
+
+- name: Verify E2E result
+  hosts: rsyslog-server
+  tasks:
+    - name: Collect the log on server
+      ansible.builtin.command: cat /var/log/remotes
+      changed_when: false
+      register: remote_log
+
+    - name: Search the remote log to assert events are logged
+      ansible.builtin.assert:
+        that:
+          - remote_log.stdout_lines is search('sudo')
+          - remote_log.stdout_lines is search('useradd')
+
+...

requirements.txt

@@ -1,15 +1,8 @@
 # these python extensions are for testing
-tox
-pipx
-attrs>=19.2.0
 rich==12.5.1
-ansible==8.5.0
 ansible-lint==6.16.2
-molecule==5.0.1
-molecule-docker==2.0.0
+molecule
+molecule-docker
 pre-commit==3.3.0
-yamllint==1.34.0
+yamllint
 docker>=4.3.1
-ssh-audit
-anyconfig>=0.10.0 # not directly required, pinned by Snyk to avoid a vulnerability
-setuptools>=65.5.1 # not directly required, pinned by Snyk to avoid a vulnerability