#!/bin/bash -l
# shellcheck disable=SC2013
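# A pipeline fails when any stage fails. There is deliberately no `-e`/`-u`:
# later stages use `grep` calls that legitimately match nothing, and `$1` may
# be unset when the script is run without arguments.
set -o pipefail
# Keep Ansible's output free of cowsay banners so the logs stay parseable.
export ANSIBLE_NOCOWS=1
# Both test back-ends must be present before anything else is attempted. The
# `-x "$(command -v …)"` form only accepts an executable found on PATH.
# Diagnostics go to stderr so stdout remains a clean test log.
if ! [ -x "$(command -v vagrant)" ]; then
  echo 'Vagrant is required.' >&2
  exit 1
elif ! [ -x "$(command -v molecule)" ]; then
  echo 'Ansible Molecule is required.' >&2
  exit 1
else
  echo "Vagrant and Ansible Molecule installed."
fi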
# Run ansible-lint over the repository and abort the whole script on any
# finding (the `exit 1` leaves the script, not just this function).
# Command tracing is switched on only around the lint calls so the exact
# command line appears in CI output. `.git`, `.github` and `tests/` are
# excluded from the lint scope.
function lint {
  local -a lint_args=(--exclude .git --exclude .github --exclude tests/ -vv)
  echo "Linting."
  set -x
  echo "# Running ansible-lint"
  ansible-lint --version
  if ansible-lint "${lint_args[@]}"; then
    set +x
  else
    echo 'ansible-lint failed.'
    exit 1
  fi
}
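# Refresh the Vagrant boxes referenced by the Vagrantfile. This is
# best-effort on purpose (`|| true`): an unreachable box registry must not
# stop a test run against boxes that are already downloaded.
#
# TLS certificate verification is ON by default. Boxes are complete guest
# images that the tests then drive as root, so fetching them over an
# unverified connection would let a network attacker substitute the image.
# Set RUNTESTS_INSECURE_BOX_UPDATE=1 to opt back into `--insecure` for a
# registry behind an intercepting proxy; a warning is printed when that is
# in effect.
function prep {
  local -a update_args=()
  if [ "${RUNTESTS_INSECURE_BOX_UPDATE:-0}" = "1" ]; then
    echo "WARNING: updating boxes without TLS certificate verification." >&2
    update_args+=(--insecure)
  fi
  echo "Updating Vagrant boxes."
  vagrant box update "${update_args[@]}" || true
}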
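# `runTests.sh prep` only refreshes the boxes and leaves.
if [ "$1" == "prep" ]; then
  prep
  exit
fi
# Lint before spending minutes on VMs; lint() exits the script on failure.
lint

# Print the Ansible version from the first `ansible…` line of
# `ansible --version`. Older releases print `ansible 2.9.27`, ansible-core
# prints `ansible [core 2.15.0]`; any square brackets are stripped so both
# yield a bare version string. Prints nothing when no such line exists.
function ansible_version {
  ansible --version | awk '!found && /^ansible/ { gsub(/[][]/, "", $NF); print $NF; found = 1 }'
}
ANSIBLE_V0="$(ansible_version)"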
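# Date stamp shared by every artefact written below. It is taken once so a
# run that crosses midnight does not split its output across two days.
DATE_STAMP="$(date +%y%m%d)"

# Poll `vagrant ssh` until the guest answers or the retry budget (ten waits
# of 10 s) is spent. Returns 0 when the guest is reachable, 1 on timeout;
# the caller decides whether to carry on.
function wait_for_ssh {
  local vm="$1"
  local attempt=0
  while ! vagrant ssh "${vm}" -c 'id'; do
    if [ "${attempt}" -gt 9 ]; then
      return 1
    fi
    echo "Waiting for ${vm}."
    sleep 10
    attempt=$((attempt + 1))
  done
  return 0
}

if [ "$1" == "vagrant" ]; then
  prep
  # Every guest named by a `config.vm.define "<name>"` line in the Vagrantfile
  # is brought up and then reloaded once, sequentially.
  mapfile -t defined_vms < <(grep config.vm.define Vagrantfile | grep -o '".*"' | tr -d '"')
  for v in "${defined_vms[@]}"; do
    vagrant up "${v}"
  done
  for v in "${defined_vms[@]}"; do
    vagrant reload "${v}"
  done
  # Only guests that vagrant reports as running on VirtualBox are tested; the
  # list is held in memory, so no temporary file is left behind on an early exit.
  mapfile -t running_vms < <(vagrant status | grep 'running.*virtualbox' | awk '{print $1}')
  for VM in "${running_vms[@]}"; do
    echo "Copying postChecks.sh to ${VM}."
    # vagrant scp <local_path> [vm_name]:<remote_path>
    vagrant scp ./postChecks.sh "${VM}":~/postChecks.sh
    echo "Rebooting ${VM}."
    vagrant ssh "${VM}" -c 'sudo -i reboot'
    # A guest that never comes back is reported but not fatal: the empty-log
    # check further down flags the failed stage.
    if ! wait_for_ssh "${VM}"; then
      echo "WARNING: ${VM} did not come back after reboot; its logs will be incomplete." >&2
    fi
    vagrant reload "${VM}"
    if ! wait_for_ssh "${VM}"; then
      echo "WARNING: ${VM} did not come back after reload; its logs will be incomplete." >&2
    fi
    echo "Running postChecks.sh."
    # postChecks.sh runs on the guest; the Lynis report is only emitted when it
    # succeeds, so an empty *-lynis.log means that stage failed.
    vagrant ssh "${VM}" -c 'sh ~/postChecks.sh || exit 1 && cat ~/lynis-report.dat' > "${VM}-${DATE_STAMP}-lynis.log"
    echo "Saving suid.list."
    vagrant ssh "${VM}" -c 'cat ~/suid.list' >> "${DATE_STAMP}-suid.list"
    echo "Saving bats results."
    vagrant ssh "${VM}" -c 'cat ~/bats.log' | grep 'not ok' > "${VM}-${DATE_STAMP}-bats.log"
    echo "Saving OpenSCAP reports."
    # Remote glob: every *.html in the guest's home is copied into the current
    # directory and overwrites any local file of the same name.
    vagrant scp "${VM}:*.html" "."
  done
  # Append the role's upstream SUID/SGID blocklist to the collected list.
  # `-f` makes curl fail (and emit nothing on stdout) on an HTTP error instead
  # of piping an error page into the list. NOTE: this is fetched from the
  # moving `master` branch, so the appended entries may differ between runs.
  curl -fsSL https://raw.githubusercontent.com/konstruktoid/ansible-role-hardening/master/defaults/main/suid_sgid_blocklist.yml | grep ' - ' >> "${DATE_STAMP}-suid.list"
  if command -v dos2unix >/dev/null; then
    dos2unix ./*.list
  fi
  printf '\n\n'
  # Summarise each Lynis log (hardening index and Ansible version) or flag an
  # empty log as a failed stage.
  find ./ -name '*-lynis.log' -type f | while read -r f; do
    if test -s "$f"; then
      echo "$f:"
      grep -E '^hardening_index|^ansible_version' "$f"
    else
      echo "$f is empty, a test stage failed."
    fi
  done
  # Collapse the per-guest Lynis warnings/suggestions and the failing bats
  # tests into one de-duplicated file each, keyed by guest name.
  grep -iE 'warn.*\[]|sugg.*\[]' ./*-lynis.log | sed 's/-.*-lynis.log:/: /g' |
    sort | uniq > "${DATE_STAMP}-warnings-suggestions.log"
  grep 'not ok' ./*-bats.log | sed 's/-.*:/: /g' | sort -r | uniq > "${DATE_STAMP}-not-ok.log"
else
  # Default path: the Molecule scenario, aborting on its first failure.
  molecule test || exit 1
  echo "Tested with Ansible version: $ANSIBLE_V0"
fi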