Post dec24 updates - phase 2 #285

Status: Open. Wants to merge 39 commits into base: main.

39 commits
8f5ca46
update rhel 8 benchmark link
p-oneil Dec 2, 2024
6a15883
Add enhanced-outcomes to default run. Grammar improvements
p-oneil Dec 2, 2024
2f542e1
Remove note about cd. cd is not necessary to run hardening script.
p-oneil Dec 2, 2024
1197a45
Separate interactive attestation command
p-oneil Dec 2, 2024
46b74ee
Add -i example for manual attestations
p-oneil Dec 3, 2024
f1902d3
fixing spacing
p-oneil Dec 3, 2024
a745fd9
second code block for attestation output
p-oneil Dec 3, 2024
3194938
add NIST NCP. Grammar
p-oneil Dec 3, 2024
5a8ca77
replace HDF with OHDF
p-oneil Dec 3, 2024
a7a447e
copy main branch is optional
p-oneil Dec 3, 2024
ccec080
remove extraneous quotes
p-oneil Dec 3, 2024
46fbad8
not all metadata is displayed in cli output
p-oneil Dec 3, 2024
7a7a378
Merge branch 'main' into post-dec24-updates
wdower Dec 4, 2024
702f503
Merge remote-tracking branch 'origin/main' into post-dec24-updates
p-oneil Dec 5, 2024
8b56f6b
remove all references of old lifecycle graphic
p-oneil Dec 5, 2024
2927502
Replace STIG source graphic
p-oneil Dec 5, 2024
ed350df
grammar correction
p-oneil Dec 5, 2024
912bc07
ensure student renames inputs file from user course and specifies fil…
p-oneil Dec 5, 2024
7814300
removing refs to my_nginx in user
wdower Dec 5, 2024
a2c4fd5
Advanced 9 - Multi-line commands
karikarshivani Dec 5, 2024
e411270
restructuring 3 to account for answer_key
wdower Dec 5, 2024
635d7f4
Dev - Fixed nav to avoid looping
karikarshivani Dec 6, 2024
c1f73d6
Merge branch 'main' into post-dec24-updates
wdower Dec 8, 2024
3452968
User 14 - Added 'Oasis' + grammar checks
karikarshivani Dec 9, 2024
38b8d2c
User 6 - Grammar checks
karikarshivani Dec 9, 2024
5cb9cba
User 2 - Duplicate graphic removed
karikarshivani Dec 9, 2024
a31983c
Merge branch 'main' into post-dec24-updates
aaronlippold Dec 9, 2024
a86bf72
separated command from output
aaronlippold Dec 9, 2024
04a55cd
Replace Chef license agreement. Add more --enhanced
p-oneil Dec 10, 2024
fbc898e
8.2/8.3 enhanced outcomes
p-oneil Dec 10, 2024
abe160c
Updated output from vanilla nginx
p-oneil Dec 10, 2024
866eeed
multi-line commands for readability
p-oneil Dec 10, 2024
936777f
12.6 multi line command
p-oneil Dec 10, 2024
393de1b
fix saf-lifecycle graphic typo
p-oneil Dec 11, 2024
b0ae7d2
Add O to HDF. Second Inspec correction
p-oneil Dec 11, 2024
d5bf55c
Update formatting guidance 08
p-oneil Dec 11, 2024
5691a32
broken links in resources
p-oneil Dec 11, 2024
6a6af4f
Fix beginner 02 tree
p-oneil Dec 11, 2024
21303f6
Typo
p-oneil Dec 13, 2024
Binary file modified src/assets/img/saf-lifecycle.jpg
102 changes: 79 additions & 23 deletions src/courses/advanced/10.md
Expand Up @@ -12,14 +12,16 @@ Let's make this pipeline deploy, harden, validate, and verify an NGINX container

### Prep Steps

First, we need to make sure that the node that runs our pipeline will have access to the executables it needs. By default, Gitub's runners have quite a bit of software pre-installed, including Docker and Ansible (see the full list [here](https://github.com/actions/runner-images/blob/main/images/linux/Ubuntu2004-Readme.md)). However, the Ubuntu image we are using does not have InSpec installed, nor does it have a copy of our test code. Let's add to our pipeline file to fix this.
First, we need to make sure that the node that runs our pipeline will have access to the executables it needs. By default, GitHub's runners have quite a bit of software pre-installed, including Docker and Ansible (see the full list [here](https://github.com/actions/runner-images/blob/main/images/linux/Ubuntu2004-Readme.md)). However, the Ubuntu image we are using does not have InSpec installed, nor does it have a copy of our test code. Let's add to our pipeline file to fix this.

::: code-tabs#shell
@tab Adding More Steps

``` yaml
- name: PREP - Install InSpec executable
run: curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec -v 5
run: |
curl https://omnitruck.chef.io/install.sh | \
Member Author comment on this line: I think we need to update these to cinc 6 correct?
sudo bash -s -- -P inspec -v 5

- name: PREP - Install SAF CLI
run: npm install -g @mitre/saf
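Review bot: splitting `curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec -v 5` across two lines in the `PREP - Install InSpec executable` step does not change that it pipes an unpinned remote installer straight into a root shell, in a pipeline whose whole purpose is to produce trustworthy validation and attestation results. Pin a full InSpec version rather than the major `-v 5`, download the script to a file and check it against a known hash before running it, and pin `@mitre/saf` as well in `npm install -g @mitre/saf` so the scan and attestation tooling is reproducible across runs. The open question in the thread about moving to CINC 6 should also be settled before merge, since this line is repeated in every copy of `pipeline.yml` on the page and would otherwise have to be edited again in each of them.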
Expand Down Expand Up @@ -55,7 +57,9 @@ jobs:
run: sudo apt-get update

- name: PREP - Install InSpec executable
run: curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec -v 5
run: |
curl https://omnitruck.chef.io/install.sh | \
sudo bash -s -- -P inspec -v 5

- name: PREP - Install SAF CLI
run: npm install -g @mitre/saf
Expand Down Expand Up @@ -121,7 +125,9 @@ jobs:
run: sudo apt-get update

- name: PREP - Install InSpec executable
run: curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec -v 5
run: |
curl https://omnitruck.chef.io/install.sh | \
sudo bash -s -- -P inspec -v 5

- name: PREP - Install SAF CLI
run: npm install -g @mitre/saf
Expand Down Expand Up @@ -188,7 +194,9 @@ jobs:
run: sudo apt-get update

- name: PREP - Install InSpec executable
run: curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec -v 5
run: |
curl https://omnitruck.chef.io/install.sh | \
sudo bash -s -- -P inspec -v 5

- name: PREP - Install SAF CLI
run: npm install -g @mitre/saf
Expand Down Expand Up @@ -233,15 +241,23 @@ Let's add the Hardening steps now.
# fetch the hardening role and requirements
- name: HARDEN - Fetch Ansible role
run: |
git clone --branch docker https://github.com/mitre/ansible-nginx-stigready-hardening.git || true
git clone \
https://github.com/mitre/ansible-nginx-stigready-hardening.git \
--branch docker \
|| true
chmod 755 ansible-nginx-stigready-hardening

- name: HARDEN - Fetch Ansible requirements
run: ansible-galaxy install -r ansible-nginx-stigready-hardening/requirements.yml
run: |
ansible-galaxy install \
-r ansible-nginx-stigready-hardening/requirements.yml

# harden!
- name: HARDEN - Run Ansible hardening
run: ansible-playbook --inventory=nginx, --connection=docker ansible-nginx-stigready-hardening/hardening-playbook.yml
run: |
ansible-playbook \
--inventory=nginx, \
--connection=docker ansible-nginx-stigready-hardening/hardening-playbook.yml
```

@tab `pipeline.yml` after adding hardening steps
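Review bot: `|| true` after `git clone` in the `HARDEN - Fetch Ansible role` step swallows a failed clone, so a network or permission error only surfaces later when `ansible-galaxy install -r ansible-nginx-stigready-hardening/requirements.yml` cannot find the file; if the intent is to tolerate an existing checkout, guard on the directory instead (`[ -d ansible-nginx-stigready-hardening ] || git clone ...`). The clone also follows the moving `--branch docker` rather than a tag or commit, so the hardening role that actually runs is whatever that branch points at on the day of the run; pin a commit if the hardening step is meant to be reproducible. Minor layout point: in `HARDEN - Run Ansible hardening` the playbook path is left on the `--connection=docker` line here, while the later copy of the same block on this page puts `ansible-nginx-stigready-hardening/hardening-playbook.yml` on its own line; pick one form so the copies diff cleanly.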
Expand Down Expand Up @@ -270,7 +286,9 @@ jobs:
run: sudo apt-get update

- name: PREP - Install InSpec executable
run: curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec -v 5
run: |
curl https://omnitruck.chef.io/install.sh | \
sudo bash -s -- -P inspec -v 5

- name: PREP - Install SAF CLI
run: npm install -g @mitre/saf
Expand All @@ -296,15 +314,24 @@ jobs:
# fetch the hardening role and requirements
- name: HARDEN - Fetch Ansible role
run: |
git clone --branch docker https://github.com/mitre/ansible-nginx-stigready-hardening.git || true
git clone \
https://github.com/mitre/ansible-nginx-stigready-hardening.git \
--branch docker \
|| true
chmod 755 ansible-nginx-stigready-hardening

- name: HARDEN - Fetch Ansible requirements
run: ansible-galaxy install -r ansible-nginx-stigready-hardening/requirements.yml
run: |
ansible-galaxy install \
-r ansible-nginx-stigready-hardening/requirements.yml

# harden!
- name: HARDEN - Run Ansible hardening
run: ansible-playbook --inventory=nginx, --connection=docker ansible-nginx-stigready-hardening/hardening-playbook.yml
run: |
ansible-playbook \
--inventory=nginx, \
--connection=docker \
ansible-nginx-stigready-hardening/hardening-playbook.yml
```

:::
Expand All @@ -331,7 +358,9 @@ Let's run InSpec:
# attest
- name: VALIDATE - Apply an Attestation
run: |
saf attest apply -i results/pipeline_run.json attestation.json -o results/pipeline_run_attested.json
saf attest apply \
-i results/pipeline_run.json attestation.json \
-o results/pipeline_run_attested.json

# save our results to the pipeline artifacts, even if the InSpec run found failing tests
- name: VALIDATE - Save Test Result JSON
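Review bot: the `VALIDATE - Apply an Attestation` step reads `attestation.json` from the same checkout the pipeline is testing, so anyone who can push to the repository can attest away failing controls and produce a clean `results/pipeline_run_attested.json`. The text should say that `attestation.json` needs the same review protection as the pipeline file itself, and the following `Save Test Result JSON` step should keep the un-attested `results/pipeline_run.json` as an artifact alongside the attested one so that what was attested, and by whom, can be audited later.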
Expand Down Expand Up @@ -366,7 +395,9 @@ jobs:
run: sudo apt-get update

- name: PREP - Install InSpec executable
run: curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec -v 5
run: |
curl https://omnitruck.chef.io/install.sh | \
sudo bash -s -- -P inspec -v 5

- name: PREP - Install SAF CLI
run: npm install -g @mitre/saf
Expand All @@ -392,7 +423,10 @@ jobs:
# fetch the hardening role and requirements
- name: HARDEN - Fetch Ansible role
run: |
git clone --branch docker https://github.com/mitre/ansible-nginx-stigready-hardening.git || true
git clone \
https://github.com/mitre/ansible-nginx-stigready-hardening.git \
--branch docker \
|| true
chmod 755 ansible-nginx-stigready-hardening

- name: HARDEN - Fetch Ansible requirements
Expand All @@ -414,7 +448,9 @@ jobs:
# attest
- name: VALIDATE - Apply an Attestation
run: |
saf attest apply -i results/pipeline_run.json attestation.json -o results/pipeline_run_attested.json
saf attest apply \
-i results/pipeline_run.json attestation.json \
-o results/pipeline_run_attested.json

# save our results to the pipeline artifacts, even if the InSpec run found failing tests
- name: VALIDATE - Save Test Result JSON
Expand Down Expand Up @@ -586,7 +622,11 @@ However, we can now reference the secret name -- HEIMDALL_API_KEY -- inside our
- name: VALIDATE - Upload to Heimdall
continue-on-error: true
run: |
curl -# -s -F data=@results/pipeline_run_attested.json -F "filename=${{ github.actor }}-pipeline-demo-${{ github.sha }}.json" -F "public=true" -F "evaluationTags=${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_API_KEY }}" "https://heimdall-demo.mitre.org/evaluations"
curl -# -s \
-F data=@results/pipeline_run_attested.json \
-F "filename=${{ github.actor }}-pipeline-demo-${{ github.sha }}.json" \
-F "public=true" -F "evaluationTags=${{ github.repository }},${{ github.workflow }}" \
-H "Authorization: Api-Key ${{ secrets.HEIMDALL_API_KEY }}" "https://heimdall-demo.mitre.org/evaluations"

```

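Review bot: `curl -# -s` without `--fail` exits 0 on an HTTP 4xx/5xx, and the `VALIDATE - Upload to Heimdall` step already carries `continue-on-error: true`, so a rejected upload (an expired `HEIMDALL_API_KEY`, for instance) leaves the job green with nothing in the log; add `--fail` (or `--fail-with-body`) and `-S` so the error is at least printed. `-s` also silences the progress meter that `-#` asks for, so one of the two flags is redundant. Separately, `-F "public=true"` publishes the attested results on https://heimdall-demo.mitre.org to anyone, with `${{ github.actor }}` and `${{ github.sha }}` in the file name; that is reasonable for a course demo, but the surrounding text should say so explicitly.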
Expand Down Expand Up @@ -616,7 +656,9 @@ jobs:
run: sudo apt-get update

- name: PREP - Install InSpec executable
run: curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec -v 5
run: |
curl https://omnitruck.chef.io/install.sh | \
sudo bash -s -- -P inspec -v 5

- name: PREP - Install SAF CLI
run: npm install -g @mitre/saf
Expand All @@ -642,15 +684,23 @@ jobs:
# fetch the hardening role and requirements
- name: HARDEN - Fetch Ansible role
run: |
git clone --branch docker https://github.com/mitre/ansible-nginx-stigready-hardening.git || true
git clone \
https://github.com/mitre/ansible-nginx-stigready-hardening.git \
--branch docker \
|| true
chmod 755 ansible-nginx-stigready-hardening

- name: HARDEN - Fetch Ansible requirements
run: ansible-galaxy install -r ansible-nginx-stigready-hardening/requirements.yml
run: |
ansible-galaxy install \
-r ansible-nginx-stigready-hardening/requirements.yml

# harden!
- name: HARDEN - Run Ansible hardening
run: ansible-playbook --inventory=nginx, --connection=docker ansible-nginx-stigready-hardening/hardening-playbook.yml
run: |
ansible-playbook \
--inventory=nginx, \
--connection=docker ansible-nginx-stigready-hardening/hardening-playbook.yml

- name: VALIDATE - Run InSpec
# we dont want to stop if our InSpec run finds failures, we want to continue and record the result
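Review bot: in this copy of the full `pipeline.yml` the `HARDEN - Run Ansible hardening` command keeps `ansible-nginx-stigready-hardening/hardening-playbook.yml` on the `--connection=docker` line, whereas the earlier full-file copy on this page breaks it onto its own line; the full-file tabs should be byte-for-byte identical in the shared steps so a student comparing them sees only the newly added steps. The same `|| true` and unpinned `--branch docker` concerns raised on the first hardening hunk apply to this copy of `HARDEN - Fetch Ansible role`.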
Expand All @@ -664,7 +714,9 @@ jobs:
# attest
- name: VALIDATE - Apply an Attestation
run: |
saf attest apply -i results/pipeline_run.json attestation.json -o results/pipeline_run_attested.json
saf attest apply \
-i results/pipeline_run.json attestation.json \
-o results/pipeline_run_attested.json

# save our results to the pipeline artifacts, even if the InSpec run found failing tests
- name: VALIDATE - Save Test Result JSON
Expand All @@ -676,7 +728,11 @@ jobs:
- name: VALIDATE - Upload to Heimdall
continue-on-error: true
run: |
curl -# -s -F data=@results/pipeline_run_attested.json -F "filename=${{ github.actor }}-pipeline-demo-${{ github.sha }}.json" -F "public=true" -F "evaluationTags=${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_API_KEY }}" "https://heimdall-demo.mitre.org/evaluations"
curl -# -s \
-F data=@results/pipeline_run_attested.json \
-F "filename=${{ github.actor }}-pipeline-demo-${{ github.sha }}.json" \
-F "public=true" -F "evaluationTags=${{ github.repository }},${{ github.workflow }}" \
-H "Authorization: Api-Key ${{ secrets.HEIMDALL_API_KEY }}" "https://heimdall-demo.mitre.org/evaluations"
```

:::
24 changes: 12 additions & 12 deletions src/courses/beginner/02.md
Expand Up @@ -49,18 +49,18 @@ We will be discussing the purpose and function of each of these elements during

```sh
# Example profile structure
nginx
└── profile
├── README.md
├── inputs.yml
├── controls
│ ├── V-2230.rb
│ └── V-2232.rb
├── files
│ └── services-and-ports.yml
├── inspec.yml
└── libraries
└── nginx_helper.rb

nginx_profile
├── README.md
├── inputs.yml
├── controls
│ ├── V-2230.rb
│ └── V-2232.rb
├── files
│ └── services-and-ports.yml
├── inspec.yml
└── libraries
└── nginx_helper.rb
```

---
Expand Down