Final Base project 1.0

mosip-security-playbook/group_vars/all.yml

@@ -37,4 +37,8 @@ port: '8090'
 #OpenScap Variables
 oscap_report_dir: '{{report_dir}}/oscap'
 oscap_profile: 'xccdf_org.ssgproject.content_profile_pci-dss'
-oscap_policy: 'ssg-centos7-ds'
+oscap_policy: 'ssg-centos7-ds'
+
+
+#docker bench security variables
+dbs_report_dir: '{{report_dir}}/dbs'

mosip-security-playbook/playbooks/docker-security-cluster.yml

@@ -1,14 +1,17 @@
----
-- hosts: "{{cluster1}}"
+# This play perform all the tasks needed for docker security scanning.
+# Here we have split tasks and roles into seperate
+# play as tasks only run after roles if they are in the same play (for some reason)
+# and for us sequencing is important.
 
+- hosts: security-console
+  gather_facts: true
   tasks:
-    - name: running scan for docker configurations
-      command: docker run -it --net host --pid host --userns host --cap-add audit_control \
-        -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
-        -v /var/lib:/var/lib \
-        -v /var/run/docker.sock:/var/run/docker.sock \
-        -v /usr/lib/systemd:/usr/lib/systemd \
-        -v /etc:/etc --label docker_bench_security \
-        -v /tmp:/tmp \
-        mandeepdhiman90/docker-bench-security:latest
-      ignore_errors: yes
+    - {name: 'Create docker bench security report folder', file: {name: "{{ dbs_report_dir }}", state: directory}}
+
+- hosts: scancluster
+  gather_facts: true
+  become_user: root
+  become: yes
+  roles:
+    - {role: docker-security/scanning, tags: [scanning]}
+    - {role: docker-security/reporting, tags: [reporting]}

mosip-security-playbook/playbooks/os-hardening-cluster.yml

@@ -1,5 +1,5 @@
 # This play install all the tools needed on the security console for
-# further execution of automation. Here we have split tasks and roles into seperate
+# execution of automation related to OS hardening. Here we have split tasks and roles into seperate
 # play as tasks only run after roles if they are in the same play (for some reason)
 # and for us sequencing is important.
 
@@ -10,6 +10,8 @@
 
 - hosts: scancluster
   gather_facts: true
+  become_user: root
+  become: yes
   roles:
     - {role: cluster-hardening/setup, tags: [setup]}
     - {role: cluster-hardening/scanning, tags: [scanning]}

mosip-security-playbook/roles/docker-security/reporting/tasks/main.yml

@@ -0,0 +1,11 @@
+- name: copy log from remote
+  fetch:
+    src: /tmp/docker.log
+    dest: "{{ dbs_report_dir }}/{{ inventory_hostname }}-docker.log"
+    flat: yes
+
+- name: copy json log from remote
+  fetch:
+    src: /tmp/docker.log.json
+    dest: "{{ dbs_report_dir }}/{{ inventory_hostname }}-docker.log.json"
+    flat: yes

mosip-security-playbook/roles/docker-security/scanning/tasks/main.yml

@@ -0,0 +1,10 @@
+- name: running scan for docker configurations
+  command: "docker run -it --net host --pid host --userns host --cap-add audit_control \
+    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
+    -v /var/lib:/var/lib \
+    -v /var/run/docker.sock:/var/run/docker.sock \
+    -v /usr/lib/systemd:/usr/lib/systemd \
+    -v /etc:/etc --label docker_bench_security \
+    -v /tmp:/tmp \
+    mandeepdhiman90/docker-bench-security:latest"
+  ignore_errors: yes

mosip-security-playbook/roles/os-hardening/setup/tasks/main.yml

@@ -0,0 +1,7 @@
+- name: install openscap scanner on cluster machines
+  yum:
+    name: "{{ packages }}"
+  vars:
+    packages:
+      - openscap-scanner
+      - scap-security-guide

mosip-security-playbook/run.yml

@@ -3,7 +3,6 @@
 
 #- import_playbook: playbooks/base-setup.yml
 - import_playbook: playbooks/os-hardening-cluster.yml
-#- {import_playbook: playbooks/uninstall-scap.yml, vars: {cluster1: scancluster}}
 #- {import_playbook: playbooks/docker-security-cluster.yml, vars: {cluster1: scancluster}}
 #- {import_playbook: playbooks/docker-security-report.yml, vars: {console1: console1, cluster1: scancluster}}
 #- import_playbook: playbooks/api-scanning.yml