From 5b66061e9224fef019f472ad1846068a25f2f146 Mon Sep 17 00:00:00 2001
From: J. Alexander Jacocks <alexander@redhat.com>
Date: Fri, 13 Mar 2020 19:53:49 +0100
Subject: [PATCH] Add SELinux policy writing workshop (#1329)
---
 ansible/roles/selinux-policy/README.adoc | 2
 ansible/configs/selinux-policy/env_vars.yml | 153 +++++++++
 ansible/configs/selinux-policy/files/repos_template.j2 | 32 +
 ansible/configs/selinux-policy/post_infra.yml | 8
 ansible/configs/selinux-policy/sample_vars.yml | 39 ++
 ansible/configs/selinux-policy/files/cloud_providers/azure_cloud_template.j2 | 428 +++++++++++++++++++++++++
 ansible/configs/selinux-policy/pre_infra.yml | 8
 ansible/roles/selinux-policy/defaults/main.yml | 1
 ansible/configs/selinux-policy/software.yml | 123 +++++++
 ansible/configs/selinux-policy/pre_software.yml | 51 +++
 ansible/configs/selinux-policy/README.md | 42 ++
 ansible/configs/selinux-policy/files/hosts_template.j2 | 15
 ansible/roles/selinux-policy/handlers/main.yml | 1
 ansible/configs/selinux-policy/destroy_env.yml | 39 ++
 ansible/configs/selinux-policy/post_software.yml | 19 +
 ansible/roles/selinux-policy/tasks/main.yml | 52 +++
 16 files changed, 1,013 insertions(+), 0 deletions(-)
diff --git a/ansible/configs/selinux-policy/README.md b/ansible/configs/selinux-policy/README.md
new file mode 100644
index 0000000..801da75
--- /dev/null
+++ b/ansible/configs/selinux-policy/README.md
@@ -0,0 +1,42 @@
+# Simple example
+
+A simple deplyoment creating a bastion host and two worker nodes. It can't get simpler ...
+
+### Environment variables
+
+Deployment is controlled by two configuration files:
+
+* env_vars.yml
+* sample_vars.yml
+
+`env_vars.yml` defines all configuration parameters that COULD be modified, whereas `sample_vars.yml` is a *template* for all environment specific values that HAVE to be changed.
+
+Start by creating a copy of `sample_vars.yml` and rename it (e.g. `my_sample_vars.yml`). Then modifiy all parameters to match your environment.
+
+#### Secrets
+
+Some deployments need **secrets** e.g. your AWS credentials or API tokens.
+
+DO NOT add these to git !
+
+Instead create a file called e.g. `./ansible/my_secret_vars.yml` and store all secrets etc. there. This file can also be reused for other deplyoments.
+
+NOTE:
+
+Both `my_sample_vars.yml` `my_secret.vars.yml` are in the `.gitignore` configuration which SHOULD protect you from adding them to git!
+
+### Run the Ansible playbooks
+
+Run follwoing commands from the `./ansible` folder:
+
+#### Install
+
+```shell
+ansible-playbook main.yml -e @configs/simple-example/my_sample_vars.yml -e @my_secret_vars.yml
+```
+
+#### Uninstall
+
+```shell
+ansible-playbook destroy.yml -e @configs/simple-example/my_sample_vars.yml -e @my_secret_vars.yml
+```
diff --git a/ansible/configs/selinux-policy/destroy_env.yml b/ansible/configs/selinux-policy/destroy_env.yml
new file mode 100644
index 0000000..3f5c9d2
--- /dev/null
+++ b/ansible/configs/selinux-policy/destroy_env.yml
@@ -0,0 +1,39 @@
+---
+- name: Build inventory
+ hosts: localhost
+ connection: local
+ gather_facts: False
+ become: no
+ tasks:
+ - when: cloud_provider == 'ec2'
+ block:
+ - name: Run infra-ec2-create-inventory Role
+ include_role:
+ name: infra-ec2-create-inventory
+
+ - name: Run Common SSH Config Generator Role
+ include_role:
+ name: infra-common-ssh-config-generate
+ when: "'bastions' in groups"
+
+- name: Set ssh config
+ hosts: all
+ gather_facts: false
+ become: no
+ tasks:
+ - name: Set facts for remote access
+ set_fact:
+ ansible_ssh_extra_args: >-
+ {{ ansible_ssh_extra_args|d() }}
+ -F {{hostvars.localhost.output_dir}}/{{ env_type }}_{{ guid }}_ssh_conf
+
+- name: Unsubscribe systems
+ hosts: all
+ become: true
+ gather_facts: false
+ ignore_errors: true
+ tasks:
+ - shell: "subscription-manager unsubscribe --all"
+
+- name: Import default destroy playbook
+ import_playbook: ../../cloud_providers/{{cloud_provider}}_destroy_env.yml
diff --git a/ansible/configs/selinux-policy/env_vars.yml b/ansible/configs/selinux-policy/env_vars.yml
new file mode 100644
index 0000000..585bd33
--- /dev/null
+++ b/ansible/configs/selinux-policy/env_vars.yml
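Review bot: The Unsubscribe play's only task uses `shell` for a command that needs no shell features and carries no `name`; `- name: Remove all subscriptions` / `command: subscription-manager unsubscribe --all` keeps the play log readable and avoids spawning a shell for a fixed string. The play-level `ignore_errors: true` is reasonable for hosts that were never registered, but it also hides every other failure of that step, so a comment saying this is deliberate would help. Booleans are spelled four ways in this file (`False`, `false`, `no`, `true`); `true`/`false` only is the yamllint default, and the same mix appears in pre_software.yml, software.yml and the role's tasks/main.yml in this commit. Only `cloud_provider == 'ec2'` builds an inventory here, while env_vars.yml carries Azure flavors and an Azure template is added; if Azure is meant to work, the destroy path has no inventory for it.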
@@ -0,0 +1,153 @@
+
+bastion_instance_type:
+ ec2: "t2.medium"
+ azure: Standard_A2_V2
+
+bastion_instance_image: RHEL75
+
+node_instance_type:
+ ec2: "t2.medium"
+ azure: Standard_A2_V2
+
+node_instance_image: RHEL75
+
+# How many do you want for each instance type
+node_instance_count: 0
+
+# Environment Instances
+instances:
+ - name: "bastion"
+ count: 1
+ unique: true
+ public_dns: true
+ dns_loadbalancer: false
+ image: "{{ bastion_instance_image }}"
+ flavor:
+ ec2: "t2.medium"
+ azure: Standard_A2_V2
+ tags:
+ - key: "AnsibleGroup"
+ value: "bastions"
+ - key: "ostype"
+ value: "linux"
+ - key: "instance_filter"
+ value: "{{ env_type }}-{{ email }}"
+ volumes:
+ - name: '/dev/sda1'
+ size: 20
+ security_groups:
+ - "BastionSG"
+
+ - name: "node"
+ count: "{{node_instance_count}}"
+ public_dns: true
+ dns_loadbalancer: false
+ image: "{{ node_instance_image }}"
+ flavor:
+ ec2: "t2.medium"
+ azure: Standard_A2_V2
+ tags:
+ - key: "AnsibleGroup"
+ value: "nodes"
+ - key: "ostype"
+ value: "linux"
+ - key: "instance_filter"
+ value: "{{ env_type }}-{{ email }}"
+
+
+# DNS settings for environmnet
+subdomain_base_short: "{{ guid }}"
+subdomain_base_suffix: ".example.opentlc.com"
+subdomain_base: "{{subdomain_base_short}}{{subdomain_base_suffix}}"
+
+zone_internal_dns: "{{guid}}.internal."
+chomped_zone_internal_dns: "{{guid}}.internal"
+
+# Stuff that only GPTE cares about:
+install_ipa_client: false
+
+
+repo_method: file
+repo_version: "3.10"
+# Do you want to run a full yum update
+update_packages: false
+common_packages:
+ - python
+ - unzip
+ - bash-completion
+ - tmux
+ - wget
+ - git
+ - vim-enhanced
+ - at
+
+rhel_repos:
+ - rhel-7-server-rpms
+ - rhel-7-server-extras-rpms
+ - epel-release-latest-7
+
+###V2WORK, these should just be set as default listed in the documentation
+install_bastion: true
+install_common: true
+## SB Don't set software_to_deploy from here, always use extra vars (-e) or "none" will be used
+#software_to_deploy: none
+
+
+## guid is the deployment unique identifier, it will be appended to all tags,
+## files and anything that identifies this environment from another.
+# Using GUID is required, if it is not passed in the command line or uncommented
+# here the deployment will fail
+#guid: defaultguid
+
+
+
+###V2WORK, these should just be set as default listed in the documentation
+# This is where the ssh_config file will be created, this file is used to
+# define the communication method to all the hosts in the deployment
+deploy_local_ssh_config_location: "{{output_dir}}/"
+
+
+### If you want a Key Pair name created and injected into the hosts,
+# set `set_env_authorized_key` to true and set the keyname in `env_authorized_key`
+# you can use the key used to create the environment or use your own self generated key
+# if you set "use_own_key" to false your PRIVATE key will be copied to the bastion. (This is {{key_name}})
+
+###V2WORK, these should just be set as default listed in the documentation
+use_own_key: true
+env_authorized_key: "{{guid}}key"
+set_env_authorized_key: true
+
+################################################################################
+################################################################################
+### AWS EC2 Specific Variables
+################################################################################
+################################################################################
+
+### Route 53 Zone ID (AWS)
+# This is the Route53 HostedZoneId where you will create your Public DNS entries
+# This only needs to be defined if your CF template uses route53
+HostedZoneId: Z3IHLWJZOU9SRT
+# The region to be used, if not specified by -e in the command line
+aws_region: ap-southeast-2
+# The key that is used to connect to the AWS instance initially, it should
+# exist in your aws account and the private key should exist on the local machine
+# you are provisioning from.
+#key_name: "default_key_name"
+
+###V2WORK THIS SHOULD MOVE INTO THE ROLE
+# This var is used to identify stack (cloudformation, azure resourcegroup, ...)
+project_tag: "{{ env_type }}-{{ guid }}"
+
+################################################################################
+################################################################################
+### Azure Specific Variables
+################################################################################
+################################################################################
+# Create a dedicated resourceGroup for this deployment
+az_destroy_method: resource_group
+az_resource_group: "{{ project_tag }}"
+
+# you can operate differently: if you share on resourceGroup for all you deployments,
+# you can specify a different resourceGroup and method:
+#az_destroy_method: deployment
+#az_resource_group: my-shared-resource-group
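Review bot: `bastion_instance_type` and `node_instance_type` are defined but never referenced — both `instances` entries repeat the literal `ec2: "t2.medium"` / `azure: Standard_A2_V2` under `flavor`, so overriding the top-level variables has no effect; use `flavor: "{{ bastion_instance_type }}"` and `flavor: "{{ node_instance_type }}"` instead. The `node` entry also lacks the `security_groups` list that `bastion` has, so it is not clear from this file which group the nodes get on EC2. `HostedZoneId: Z3IHLWJZOU9SRT` and `aws_region: ap-southeast-2` are concrete deployment values baked into the defaults; since sample_vars.yml is where deployers set them, a clearly bogus placeholder plus a comment that the value is mandatory would avoid accidental deployments into someone else's zone. Like post_infra.yml, post_software.yml, pre_infra.yml and pre_software.yml in this commit, the file opens with a blank line instead of the `---` document-start marker.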
diff --git a/ansible/configs/selinux-policy/files/cloud_providers/azure_cloud_template.j2 b/ansible/configs/selinux-policy/files/cloud_providers/azure_cloud_template.j2
new file mode 100644
index 0000000..7f92c64
--- /dev/null
+++ b/ansible/configs/selinux-policy/files/cloud_providers/azure_cloud_template.j2
@@ -0,0 +1,428 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters" : { + "guid": { + "type" : "string", + "minLength" : 3, + "metadata" : { + "description" : "GUID of the environment" + } + }, + "DNSZone": { + "type" : "string", + "minLength" : 3, + "metadata" : { + "description" : "dns zone of the environment, to update or create" + } + }, + "adminUsername" : { + "type" : "string", + "minLength" : 1, + "defaultValue" : "azure", + "metadata" : { + "description" : "User name for the Virtual Machine." + } + }, + "sshKeyData" : { + "type" : "securestring", + "metadata" : { + "description" : "SSH RSA public key file as a string." + } + }, + "vmSize" : { + "type" : "string", + "defaultValue" : "Basic_A2", + "allowedValues" : [ + "Basic_A2", + "Standard_A2", + "Standard_A3", + "Standard_A4", + "Standard_A5", + "Standard_A6", + "Standard_A7", + "Standard_A8", + "Standard_A9", + "Standard_A10", + "Standard_A11", + "Standard_D2", + "Standard_D3", + "Standard_D4", + "Standard_D11", + "Standard_D12", + "Standard_D13", + "Standard_D14", + "Standard_D2_v2", + "Standard_D3_v2", + "Standard_D4_v2", + "Standard_D5_v2", + "Standard_D11_v2", + "Standard_D12_v2", + "Standard_D13_v2", + "Standard_D14_v2", + "Standard_G1", + "Standard_G2", + "Standard_G3", + "Standard_G4", + "Standard_G5", + "Standard_DS2", + "Standard_DS3", + "Standard_DS4", + "Standard_DS11", + "Standard_DS12", + "Standard_DS13", + "Standard_DS14", + "Standard_DS2_v2", + "Standard_DS3_v2", + "Standard_DS4_v2", + "Standard_DS5_v2", + "Standard_DS11_v2", + "Standard_DS12_v2", + "Standard_DS13_v2", + "Standard_DS14_v2", + "Standard_GS1", + "Standard_GS2", + "Standard_GS3", + "Standard_GS4", + "Standard_GS5" + ], + "metadata" : { + "description" : "The size of the each Node Virtual Machine." 
+ } + } + }, + "variables" : { + "subzone": "[concat('{{guid}}.',parameters('DNSZone'))]", + "location" : "[resourceGroup().location]", + "virtualNetworkName" : "[concat('VNet', parameters('guid'))]", + "addressPrefix" : "10.0.0.0/16", + "vnetId" : "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]", + "rhel" : { + "publisher" : "Redhat", + "offer" : "RHEL", + "sku" : "7-RAW", + "version" : "latest" + }, + "tenantId" : "[subscription().tenantId]", + "apiVersion" : "2015-06-15", + "apiVersionCompute" : "2015-06-15", + "apiVersionNetwork" : "2016-03-30", + "tmApiVersion" : "2015-11-01", + "apiVersionStorage" : "2015-06-15", + "apiVersionLinkTemplate" : "2015-01-01", + "nicName" : "OneVmNic", + "publicIPAddressType" : "Dynamic", + "subnetRef" : "[concat(variables('vnetID'),'/subnets/',variables('virtualNetworkName'))]", + "sshKeyPath" : "[concat('/home/',parameters('adminUsername'),'/.ssh/authorized_keys')]", + "sQuote" : "\"", + "vmStorageAccountContainerName": "vhds", + "storageAccountType": "Standard_LRS", + "vhdStorageType" : "Premium_LRS", + "storageAccountName": "[concat('vsts8',uniquestring(parameters('guid')))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "name": "[variables('StorageAccountName')]", + "apiVersion": "2016-01-01", + "location": "[resourceGroup().location]", + "sku": { + "name": "[variables('storageAccountType')]" + }, + "kind": "Storage", + "properties": { + } + }, +{% for instance in instances %} + +{% if instance['dns_loadbalancer']|d(false)|bool and not instance['unique']|d(false)|bool %} + { + "type": "Microsoft.Network/dnszones/a", + "name": "[concat(variables('subzone'), '/', '{{instance['name']}}')]", + "apiVersion": "2016-04-01", + "dependsOn": [ +{% for c in range(1,(instance['count'] |int)+1) %} + {% if instance['unique']|d(false)|bool %} + {% set instancename = instance['name'] %} + {% else %} + {% set instancename = instance['name'] + (loop.index|string) %} + {% endif %} 
+ "[resourceId('Microsoft.Network/publicIPAddresses/', '{{instancename}}-PublicIP')]", +{% endfor %} + "[resourceId('Microsoft.Network/dnsZones/', variables('subzone'))]", + ], + "properties": { + "TTL": 3600, + "ARecords": [ + { +{% for c in range(1,(instance['count'] |int)+1) %} + {% if instance['unique']|d(false)|bool %} + {% set instancename = instance['name'] %} + {% else %} + {% set instancename = instance['name'] + (loop.index|string) %} + {% endif %} + "ipv4Address": "[reference('{{instancename}}-PublicIP').ipAddress]" +{% endfor %} + } + ] + } + }, +{% endif %} + + +{% for c in range(1,(instance['count'] |int)+1) %} + + {% if instance['unique']|d(false)|bool %} + {% set instancename = instance['name'] %} + {% else %} + {% set instancename = instance['name'] + (loop.index|string) %} + {% endif %} + +{% if instance['public_dns']|d(false)|bool %} + { + "type": "Microsoft.Network/dnszones/a", + "name": "[concat(variables('subzone'), '/', '{{instancename}}')]", + "apiVersion": "2016-04-01", + "dependsOn": [ + "[resourceId('Microsoft.Network/publicIPAddresses/', '{{instancename}}-PublicIP')]", + "[resourceId('Microsoft.Network/dnsZones/', variables('subzone'))]", + ], + "properties": { + "TTL": 3600, + "ARecords": [ + { + "ipv4Address": "[reference('{{instancename}}-PublicIP').ipAddress]" + } + ] + } + }, + { + "apiVersion" : "2017-04-01", + "type" : "Microsoft.Network/publicIPAddresses", + "name" : "{{instancename}}-PublicIP", + "location" : "[resourceGroup().location]", + "properties" : { + "publicIPAllocationMethod" : "Static", + "dnsSettings" : { + "domainNameLabel" : "{{instancename}}-{{guid}}" + } + } + }, + { + "apiVersion" : "2017-04-01", + "type" : "Microsoft.Network/networkInterfaces", + "name" : "{{instancename}}-Interface", + "location" : "[resourceGroup().location]", + "dependsOn" : [ + "[resourceId('Microsoft.Network/publicIPAddresses/', '{{instancename}}-PublicIP')]", + "[resourceId('Microsoft.Network/virtualNetworks/', 
variables('virtualNetworkName'))]" + ], + "properties" : { + "ipConfigurations" : [ + { + "name" : "ipconfig1", + "properties" : { + "privateIPAllocationMethod" : "Dynamic", + "publicIPAddress" : { + "id" : "[resourceId('Microsoft.Network/publicIPAddresses','{{instancename}}-PublicIP')]" + }, + "subnet" : { + "id" : "[variables('subnetRef')]" + } + } + } + ] + } + }, +{% endif %} + { + "apiVersion" : "2017-03-30", + "type" : "Microsoft.Compute/virtualMachines", + "name" : "{{instancename}}", + "location" : "[resourceGroup().location]", + "dependsOn" : [ + "[resourceId('Microsoft.Network/networkInterfaces/', '{{instancename}}-Interface')]" + ], + "tags": { + "Name": "{{instancename}}", + "internaldns": "{{instancename}}.{{chomped_zone_internal_dns}}", + "owner": "{{ email | default('unknownuser') }}", + "Project": "{{project_tag}}", +{% for tag in instance['tags'] %} + "{{tag['key']}}": "{{tag['value']}}", +{% endfor %} + "{{project_tag}}": "{{ instance['name'] }}" + }, + "properties" : { + "hardwareProfile" : { + "vmSize" : "{{instance['flavor'][cloud_provider]}}" + }, + "osProfile" : { + "computerName" : "{{instancename}}", + "adminUsername" : "[parameters('adminUsername')]", + "linuxConfiguration" : { + "disablePasswordAuthentication" : "true", + "ssh" : { + "publicKeys" : [ + { + "path" : "[variables('sshKeyPath')]", + "keyData" : "[parameters('sshKeyData')]" + } + ] + } + } + }, + "storageProfile" : { + "imageReference" : "[variables('rhel')]", + "osDisk" : { + "caching" : "ReadWrite", + "name" : "{{instancename}}-osdisk", + "createOption" : "FromImage", + "diskSizeGB" : "{{instance['rootfs_size']|d('50')}}" + }, + "dataDisks" : [ +{% for vol in instance['volumes']|default([]) %} + { + "caching" : "None", + "createOption" : "Empty", + "lun" : "{{loop.index}}", + "name": "{{instancename}}-{{vol['device_name']}}", + "diskSizeGB" : "{{vol['volume_size']}}" + }, +{% endfor %} + ] + }, + "networkProfile" : { + "networkInterfaces" : [ + { + "id" : 
"[resourceId('Microsoft.Network/networkInterfaces','{{instancename}}-Interface')]" + } + ] + }, + "diagnosticsProfile" : { + "bootDiagnostics" : { + "enabled" : "false", + "storageUri" : "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2016-01-01').primaryEndpoints.blob)]" + } + } + } + }, +{% endfor %} +{% endfor %} + { + "name": "[variables('subzone')]", + "type": "Microsoft.Network/dnsZones", + "apiVersion": "2017-09-01", + "location" : "global", + }, + { + "apiVersion": "2017-05-10", + "name": "nestedTemplate", + "type": "Microsoft.Resources/deployments", + "resourceGroup": "dns", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + ] + }, + "parameters": {} + } + }, + { + "apiVersion" : "[variables('apiVersion')]", + "type" : "Microsoft.Network/virtualNetworks", + "name" : "[variables('virtualNetworkName')]", + "location" : "[variables('location')]", + "tags" : { + "displayName" : "VirtualNetwork" + }, + "properties" : { + "addressSpace" : { + "addressPrefixes" : [ + "[variables('addressPrefix')]" + ] + }, + "subnets" : [ + { + "name" : "[variables('virtualNetworkName')]", + "properties" : { + "addressPrefix" : "[variables('addressPrefix')]" + } + } + ] + } + }, + { + "type" : "Microsoft.Network/networkSecurityGroups", + "name" : "[concat(resourceGroup().name, 'nsg')]", + "tags" : { + "displayName" : "NetworkSecurityGroup" + }, + "apiVersion" : "[variables('apiVersion')]", + "location" : "[resourceGroup().location]", + "properties" : { + "securityRules" : [ + { + "name" : "default-allow-openshift-router-https", + "properties" : { + "protocol" : "Tcp", + "sourcePortRange" : "*", + "destinationPortRange" : "443", + "sourceAddressPrefix" : "*", + "destinationAddressPrefix" : "*", + "access" : "Allow", + "priority" : 2000, + 
"direction" : "Inbound"
+ }
+ },
+ {
+ "name" : "default-allow-openshift-router-http\n",
+ "properties" : {
+ "protocol" : "Tcp",
+ "sourcePortRange" : "*",
+ "destinationPortRange" : "80",
+ "sourceAddressPrefix" : "*",
+ "destinationAddressPrefix" : "*",
+ "access" : "Allow",
+ "priority" : 2001,
+ "direction" : "Inbound"
+ }
+ },
+ {
+ "name" : "default-allow-openshift-master",
+ "properties" : {
+ "protocol" : "Tcp",
+ "sourcePortRange" : "*",
+ "destinationPortRange" : "8443",
+ "sourceAddressPrefix" : "*",
+ "destinationAddressPrefix" : "*",
+ "access" : "Allow",
+ "priority" : 2002,
+ "direction" : "Inbound"
+ }
+ },
+ {
+ "name" : "default-allow-ssh",
+ "properties" : {
+ "protocol" : "Tcp",
+ "sourcePortRange" : "*",
+ "destinationPortRange" : "22",
+ "sourceAddressPrefix" : "*",
+ "destinationAddressPrefix" : "*",
+ "access" : "Allow",
+ "priority" : 2003,
+ "direction" : "Inbound"
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs" : {
+ }
+}
diff --git a/ansible/configs/selinux-policy/files/hosts_template.j2 b/ansible/configs/selinux-policy/files/hosts_template.j2
new file mode 100644
index 0000000..f4bfdf1
--- /dev/null
+++ b/ansible/configs/selinux-policy/files/hosts_template.j2
@@ -0,0 +1,15 @@
+[all:vars]
+###########################################################################
+### Ansible Vars
+###########################################################################
+timeout=60
+ansible_become=yes
+ansible_user={{remote_user}}
+ansible_ssh_private_key_file="~/.ssh/{{guid}}key.pem"
+ansible_ssh_common_args="-o StrictHostKeyChecking=no"
+
+[nodes]
+## These are the frontends
+{% for host in groups['nodes']|d([]) %}
+node{{loop.index}}.{{chomped_zone_internal_dns}} ansible_ssh_host=frontend{{loop.index}}.{{subdomain_base}}
+{% endfor %}
diff --git a/ansible/configs/selinux-policy/files/repos_template.j2 b/ansible/configs/selinux-policy/files/repos_template.j2
new file mode 100644
index 0000000..ca88e64
--- /dev/null
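Review bot: The `dataDisks` loop reads `vol['device_name']` and `vol['volume_size']`, but the bastion's `volumes` entry in env_vars.yml of this same commit uses the keys `name` and `size`, so the rendered disk name and `diskSizeGB` come out empty (or the render fails on an undefined variable, depending on the Jinja undefined setting); either read `vol['name']` / `vol['size']` here or rename the keys in env_vars.yml. Several objects carry trailing commas — `"location" : "global", }` on the dnsZones resource and the `,` before `]` in the `dependsOn` arrays — which strict JSON parsers reject, and the rule name `"default-allow-openshift-router-http\n"` embeds a literal `\n`. The `networkSecurityGroups` resource allows 22, 80, 443 and 8443 from `*`, but nothing in this hunk attaches it to the subnet or the NICs, so as written it restricts nothing; for an SELinux workshop bastion only SSH (and cockpit's 9090, if it is meant to be reachable) looks necessary, and the group should be referenced from the subnet's `networkSecurityGroup` property so it actually applies.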
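Review bot: The `[nodes]` entries are named `node{{loop.index}}` but point at `ansible_ssh_host=frontend{{loop.index}}.{{subdomain_base}}`, and the comment calls them frontends — the instances in env_vars.yml are named `node`, so the generated addresses would not resolve; the line should be `node{{loop.index}}.{{chomped_zone_internal_dns}} ansible_host=node{{loop.index}}.{{subdomain_base}}`. `ansible_ssh_host` is the legacy spelling; `ansible_host` is the current name. `ansible_ssh_common_args="-o StrictHostKeyChecking=no"` switches off host-key verification for every inventory host; since the environment already generates its own ssh_config (the `-F ..._ssh_conf` passed in destroy_env.yml), pinning the hosts' keys via `UserKnownHostsFile` there would keep the check, or at least a comment should record that this is accepted for a throwaway workshop. There is also no `[bastions]` group in this template even though pre_software.yml targets `hosts: bastions`; if the inventory role supplies it elsewhere that is fine, but it is not visible here.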
+++ b/ansible/configs/selinux-policy/files/repos_template.j2
@@ -0,0 +1,32 @@
+[rhel-7-server-rpms]
+name=Red Hat Enterprise Linux 7
+baseurl={{own_repo_path}}/rhel-7-server-rpms
+enabled=1
+gpgcheck=0
+
+[rhel-7-server-rh-common-rpms]
+name=Red Hat Enterprise Linux 7 Common
+baseurl={{own_repo_path}}/rhel-7-server-rh-common-rpms
+enabled=1
+gpgcheck=0
+
+[rhel-7-server-extras-rpms]
+name=Red Hat Enterprise Linux 7 Extras
+baseurl={{own_repo_path}}/rhel-7-server-extras-rpms
+enabled=1
+gpgcheck=0
+
+[rhel-7-server-optional-rpms]
+name=Red Hat Enterprise Linux 7 Optional
+baseurl={{own_repo_path}}/rhel-7-server-optional-rpms
+enabled=1
+gpgcheck=0
+
+[epel]
+name=Extra Packages for Enterprise Linux 7 - $basearch
+baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
+mirrorlist=http://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
+failovermethod=priority
+enabled=1
+gpgcheck=0
+#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
diff --git a/ansible/configs/selinux-policy/post_infra.yml b/ansible/configs/selinux-policy/post_infra.yml
new file mode 100644
index 0000000..e25481b
--- /dev/null
+++ b/ansible/configs/selinux-policy/post_infra.yml
@@ -0,0 +1,8 @@
+
+- name: Step 002 Post Infrastructure
+ hosts: localhost
+ gather_facts: false
+ become: false
+ tasks:
+ - debug:
+ msg: "Step 002 Post Infrastructure"
diff --git a/ansible/configs/selinux-policy/post_software.yml b/ansible/configs/selinux-policy/post_software.yml
new file mode 100644
index 0000000..d637f70
--- /dev/null
+++ b/ansible/configs/selinux-policy/post_software.yml
@@ -0,0 +1,19 @@
+
+- name: Step 005 Post Software
+ hosts: localhost
+ gather_facts: false
+ become: false
+ tasks:
+ - debug:
+ msg: "Step 005 Post Software"
+
+- name: PostSoftware flight-check
+ hosts: localhost
+ connection: local
+ gather_facts: false
+ become: false
+ tags:
+ - post_flight_check
+ tasks:
+ - debug:
+ msg: "Post-Software checks completed successfully"
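Review bot: Every repository in this file sets `gpgcheck=0`, and for `[epel]` the `gpgkey=` line is commented out even though its packages come from public Fedora mirrors over plain `http://`; package signature verification is the only integrity check on that path, so EPEL should carry `gpgcheck=1` with the `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7` line enabled (the key file is only present once `epel-release` is installed, which `rhel_repos` in env_vars.yml suggests happens first). The `{{own_repo_path}}` repositories are an internal mirror where `gpgcheck=0` may be a deliberate choice, but that deserves a one-line comment rather than silence.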
diff --git a/ansible/configs/selinux-policy/pre_infra.yml b/ansible/configs/selinux-policy/pre_infra.yml
new file mode 100644
index 0000000..88897e5
--- /dev/null
+++ b/ansible/configs/selinux-policy/pre_infra.yml
@@ -0,0 +1,8 @@
+
+- name: Step 000 Pre Infrastructure
+ hosts: localhost
+ gather_facts: false
+ become: false
+ tasks:
+ - debug:
+ msg: "Step 000 Pre Infrastructure"
diff --git a/ansible/configs/selinux-policy/pre_software.yml b/ansible/configs/selinux-policy/pre_software.yml
new file mode 100644
index 0000000..418e8cb
--- /dev/null
+++ b/ansible/configs/selinux-policy/pre_software.yml
@@ -0,0 +1,51 @@
+
+- name: Step 003 Pre Software
+ hosts: localhost
+ gather_facts: false
+ become: false
+ tasks:
+ - debug:
+ msg: "Step 003 Pre Software"
+
+ - import_role:
+ name: infra-local-create-ssh_key
+ when: set_env_authorized_key | bool
+
+
+- name: Configure all hosts with Repositories, Common Files and Set environment key
+ hosts:
+ - all:!windows
+ become: true
+ gather_facts: False
+ tags:
+ - common_tasks
+ roles:
+ - role: set-repositories
+ when: repo_method is defined
+
+ - role: common
+ when: install_common | bool
+
+ - role: set_env_authorized_key
+ when: set_env_authorized_key | bool
+
+- name: Configuring Bastion Hosts
+ hosts: bastions
+ become: true
+ gather_facts: False
+ roles:
+ - role: bastion
+ when: install_bastion | bool
+ tags:
+ - bastion_tasks
+
+- name: PreSoftware flight-check
+ hosts: localhost
+ connection: local
+ gather_facts: false
+ become: false
+ tags:
+ - presoftware_flight_check
+ tasks:
+ - debug:
+ msg: "Pre-Software checks completed successfully"
diff --git a/ansible/configs/selinux-policy/sample_vars.yml b/ansible/configs/selinux-policy/sample_vars.yml
new file mode 100644
index 0000000..2ce5757
--- /dev/null
+++ b/ansible/configs/selinux-policy/sample_vars.yml
@@ -0,0 +1,39 @@
+---
+# Sample configuration file.
+# Make a copy (e.g. my_sample_vars.yml) and change the settings to match your environment.
+#
+# Usage:
+#
+# ansible-playbook main.yml -e @configs/simple-example/my_sample_vars.yml -e @my_secret_vars.yml
+#
+# To destroy your deployment:
+#
+# ansible-playbook destroy.yml -e @configs/simple-example/my_sample_vars.yml -e @my_secret_vars.yml
+#
+
+env_type: simple-example # Name of config to deploy
+output_dir: /tmp/workdir # Writable working scratch directory
+node_instance_count: 2 # Number of nodes to deploy
+email: name@example.com # User info for notifications
+
+guid: guid02 # Unique string used in FQDN
+subdomain_base_suffix: .example.opentlc.com # Your domain used in FQDN
+
+# Path to yum repos
+own_repo_path: http://admin.example.com/repos/version
+
+# Cloud specfic settings - example given here for AWS
+
+cloud_provider: ec2 # Which AgnosticD Cloud Provider to use
+aws_region: us-east-1 # AWS Region to deploy in
+HostedZoneId: Z3IHLWJZOU9SRT # You will need to change this
+
+key_name: ocpkey # Keyname must exist in AWS
+
+# DANGER ZONE
+#
+# AWS Credentials. These are required (don't sync them to your fork!!)
+# aws_access_key_id:
+# aws_secret_access_key:
+# Create a file e.g. agnosticd/ansible/my_secret_vars.yml and put all your keys etc into it.
+#
diff --git a/ansible/configs/selinux-policy/software.yml b/ansible/configs/selinux-policy/software.yml
new file mode 100644
index 0000000..523d97f
--- /dev/null
+++ b/ansible/configs/selinux-policy/software.yml
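Review bot: `env_type: simple-example` and the `@configs/simple-example/my_sample_vars.yml` paths in the usage comments still name the config this file was copied from; since AgnosticD picks the `configs/` directory from `env_type` (not shown on this page), a deployer who follows the instructions would run the simple-example config instead of the new selinux-policy one, so this should read `env_type: selinux-policy # Name of config to deploy` and the two usage lines should point at `configs/selinux-policy/`. The README.md added in this commit carries the same stale paths. The `HostedZoneId` here is identical to the value hard-coded in env_vars.yml, so the "You will need to change this" comment is the only thing signalling that it is not a working default.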
@@ -0,0 +1,123 @@
+---
+- name: Step 004 Environment specific Software
+ hosts: localhost
+ gather_facts: False
+ become: false
+ tasks:
+ - debug:
+ msg: "Software tasks Started"
+
+
+- name: Deploy Roles if infra_workloads defined
+ hosts:
+ - nodes
+ gather_facts: false
+ run_once: false
+ become: yes
+ tags:
+ - infra_workloads
+ tasks:
+ - name: apply infra workloads roles on nodes
+ when:
+ - infra_workloads|d("")|length > 0
+ block:
+ - name: Apply role "{{ workload_loop_var }}" on nodes
+ include_role:
+ name: "{{ workload_loop_var }}"
+ vars:
+ ACTION: "provision"
+ loop: "{{ infra_workloads.split(',')|list }}"
+ loop_control:
+ loop_var: workload_loop_var
+
+- name: Configure bastion for SELinux workshop
+ hosts: all
+ gather_facts: false
+ become: true
+ vars:
+ avc: |
+ '----
+ time->Mon Nov 17 01:45:36 2008
+ type=AVC msg=audit(1226882736.442:86): avc: denied { getattr } for pid=2427 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
+ type=SYSCALL msg=audit(1226882736.442:86): arch=40000003 syscall=196 success=no exit=-13 a0=b9a1e198 a1=bfc2921c a2=54dff4 a3=2008171 items=0 ppid=2425 pid=2427 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)'
+
+ tasks:
+ - name: Install all needed packages
+ package:
+ state: present
+ name:
+ - selinux-policy-devel
+ - ansible
+ - policycoreutils
+ - policycoreutils-python-utils
+ - audit
+ - git
+ - setools-console
+ - selinux-policy-doc
+ - policycoreutils-newrole
+ - setroubleshoot-server
+ - make
+ - gcc-c++
+ - rpm-build
+ - libcurl-devel
+ - cockpit
+ - cockpit-dashboard
+ - cockpit-shell
+ - cockpit-system
+ - cockpit-ws
+ - subscription-manager-cockpit
+ - cockpit-composer
+ - cockpit-session-recording
+ - cockpit-machines
+ - cockpit-packagekit
+ - cockpit-podman
+ - cockpit-storaged
+
+ - name: Ensure cockpit is started
+ systemd:
+ name: "cockpit.socket"
+ state: "started"
+ enabled: true
+ daemon_reload: true
+
+ - name: Enable SELinux
+ selinux:
+ policy: targeted
+ state: enforcing
+
+ - name: Create testaudit file
+ copy:
+ mode: '0644'
+ owner: root
+ dest: /root/testaudit
+ content: "{{ avc }}"
+
+ - name: Copy testaudit also to user dir
+ copy:
+ src: /root/testaudit
+ dest: /home/ec2-user
+ owner: ec2-user
+ group: ec2-user
+ mode: '0644'
+ force: true
+ remote_src: yes
+
+ - name: Create .vimrc in user home dir
+ copy:
+ content: ""
+ dest: /home/ec2-user/.vimrc
+ owner: ec2-user
+ group: ec2-user
+ mode: '0644'
+ force: no
+
+- name: Software flight-check
+ hosts: localhost
+ connection: local
+ gather_facts: false
+ become: false
+ tags:
+ - post_flight_check
+ tasks:
+ - debug:
+ msg: "Software checks completed successfully"
diff --git a/ansible/roles/selinux-policy/README.adoc b/ansible/roles/selinux-policy/README.adoc
new file mode 100644
index 0000000..0fc2238
--- /dev/null
+++ b/ansible/roles/selinux-policy/README.adoc
@@ -0,0 +1,2 @@
+= selinux-policy role
+
diff --git a/ansible/roles/selinux-policy/defaults/main.yml b/ansible/roles/selinux-policy/defaults/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/ansible/roles/selinux-policy/defaults/main.yml
@@ -0,0 +1 @@
+---
diff --git a/ansible/roles/selinux-policy/handlers/main.yml b/ansible/roles/selinux-policy/handlers/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/ansible/roles/selinux-policy/handlers/main.yml
@@ -0,0 +1 @@
+---
diff --git a/ansible/roles/selinux-policy/tasks/main.yml b/ansible/roles/selinux-policy/tasks/main.yml
new file mode 100644
index 0000000..b702a94
--- /dev/null
+++ b/ansible/roles/selinux-policy/tasks/main.yml
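Review bot: The `Configure bastion for SELinux workshop` play targets `hosts: all` yet hard-codes `/home/ec2-user` and `owner: ec2-user`, so on EC2 the worker nodes receive the workshop files too and on any other platform — the Azure template in this commit sets `adminUsername` to `azure` — the copy tasks fail; target `hosts: bastions` and build the path from the existing `remote_user` variable (`dest: "/home/{{ remote_user }}"`), or state in a comment that the config is EC2-only. The package list includes names such as `policycoreutils-python-utils` and `cockpit-podman` that, as far as I know, exist only from RHEL 8 onward, while env_vars.yml pins `bastion_instance_image: RHEL75`; one of the two needs to change, and since the identical list is repeated in roles/selinux-policy/tasks/main.yml it would be better held in one variable that both read. The `avc` block scalar keeps the single quotes as content (`'----` on the first line and the trailing `'` after `key=(null)`), so /root/testaudit will contain them; inside a `|` block the quotes are not needed. With `hosts: all` and `become: true`, `state: enforcing` is also applied to every host rather than just the bastion, which may or may not be intended.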
@@ -0,0 +1,52 @@
+---
+- name: Install all needed packages
+ block:
+ package:
+ state: present
+ name:
+ - selinux-policy-devel
+ - ansible
+ - policycoreutils
+ - policycoreutils-python-utils
+ - audit
+ - git
+ - setools-console
+ - selinux-policy-doc
+ - policycoreutils-newrole
+ - setroubleshoot-server
+ - make
+ - gcc-c++
+ - rpm-build
+ - libcurl-devel
+ - cockpit
+ - cockpit-dashboard
+ - cockpit-shell
+ - cockpit-system
+ - cockpit-ws
+ - subscription-manager-cockpit
+ - cockpit-composer
+ - cockpit-session-recording
+ - cockpit-machines
+ - cockpit-packagekit
+ - cockpit-podman
+ - cockpit-storaged
+ check_mode: yes
+
+- name: Ensure cockpit is started
+ systemd:
+ name: "cockpit.socket"
+ state: "started"
+ enabled: true
+ daemon_reload: true
+ check_mode: yes
+
+- name: Check if SELinux is in Enforcing state
+ selinux:
+ policy: targeted
+ state: enforcing
+ check_mode: yes
+
+- name: Check if testaudit file exists
+ stat:
+ path: /root/testaudit
+
-- Gitblit v1.9.3
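Review bot: `block:` in the first task is given the `package:` mapping directly, but a block must hold a list of tasks, so Ansible will refuse to load this role; drop the `block:` line and let `package:` sit under the task as the later tasks do (indentation is flattened on this page, so I cannot confirm where `check_mode: yes` sits relative to it). The last task runs `stat` without `register`, so its result is discarded and nothing is actually verified; it needs a `register:` followed by an `assert` on `.stat.exists`, and because the `check_mode: yes` tasks above only report changed when the state differs instead of failing, a role meant to validate the workshop host should register each of those results too and assert `not <result>.changed`. This role's package list duplicates the one in software.yml of the same commit, and nothing on this page shows the role being applied, so whether it is wired in at all is unclear.
```yaml
# … unchanged: package, cockpit and selinux check tasks …
- name: Check if testaudit file exists
  stat:
    path: /root/testaudit
  register: testaudit_stat

- name: Fail if testaudit file is missing
  assert:
    that:
      - testaudit_stat.stat.exists
    fail_msg: "/root/testaudit was not created"
```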