Create Public Cloud Hardening profile for SLE Micro5 #4517
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Automatus Sanity | |
on: | |
pull_request: | |
branches: [ master, 'stabilization*' ] | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event.number || github.run_id }} | |
cancel-in-progress: true | |
env: | |
DATASTREAM: ssg-fedora-ds.xml | |
jobs: | |
build-content: | |
name: Build Content | |
runs-on: ubuntu-latest | |
container: | |
image: fedora:latest | |
steps: | |
- name: Install Deps | |
run: dnf install -y cmake make openscap-utils python3-pyyaml python3-jinja2 git python3-pip python3-setuptools | |
- name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
with: | |
fetch-depth: 0 | |
- name: Build product | |
run: ./build_product fedora --debug | |
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4 | |
with: | |
name: ${{ env.DATASTREAM }} | |
path: build/${{ env.DATASTREAM }} | |
validate-automatus-ubuntu: | |
name: Run Tests | |
needs: build-content | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Install Deps | |
run: sudo apt-get update && sudo apt-get install cmake ninja-build libopenscap8 libxml2-utils xsltproc python3-jinja2 python3-yaml ansible-lint podman | |
- name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
- name: Generate id_rsa key | |
run: ssh-keygen -N '' -t rsa -f ~/.ssh/id_rsa | |
- name: Build test suite container | |
run: podman build --build-arg "CLIENT_PUBLIC_KEY=$(cat ~/.ssh/id_rsa.pub)" -t ssg_test_suite -f test_suite-fedora | |
working-directory: ./Dockerfiles | |
- name: Get oscap-ssh | |
run: | | |
wget https://raw.githubusercontent.com/OpenSCAP/openscap/maint-1.3/utils/oscap-ssh | |
sudo chmod 755 oscap-ssh | |
sudo mv -v oscap-ssh /usr/local/bin | |
sudo chown root:root /usr/local/bin/oscap-ssh | |
rm -f oscap-ssh | |
- name: Get Datastream | |
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4 | |
with: | |
name: ${{ env.DATASTREAM }} | |
- name: Check One Rule | |
run: ./tests/automatus.py rule --remove-platforms --make-applicable-in-containers --logdir log_rule --datastream ssg-fedora-ds.xml --container ssg_test_suite package_sudo_installed | |
- name: Check One Rule - Ansible | |
run: ./tests/automatus.py rule --remove-platforms --make-applicable-in-containers --logdir log_rule_ansible --remediate-using ansible --datastream ssg-fedora-ds.xml --container ssg_test_suite file_owner_etc_passwd | |
- name: Check Profile Mode | |
run: ./tests/automatus.py profile --remove-platforms --make-applicable-in-containers --logdir log_profile --datastream ssg-fedora-ds.xml --container ssg_test_suite test | |
- name: Check Combined Mode | |
run: ./tests/automatus.py combined --remove-platforms --make-applicable-in-containers --logdir log_combined --datastream ssg-fedora-ds.xml --container ssg_test_suite test | |
- name: Check Template Mode | |
run: ./tests/automatus.py template --logdir log_template --datastream ssg-fedora-ds.xml --container ssg_test_suite --slice 1 15 file_owner | |
- name: Check for ERROR in logs | |
run: grep -q "^ERROR" log_rule/test_suite.log log_rule_ansible/test_suite.log log_profile/test_suite.log log_combined/test_suite.log log_template/test_suite.log | |
id: check_results | |
# when grep returns 1 means it didn't find the ^ERROR string in the test_suite.log file | |
# and this means tests finished successfully without errors. So the job needs to keep going. | |
# By using continue-on-error: true the "conclusion" parameter is set to true so it's not possible to use | |
# it to determine whether the task has failed or succeed. The "outcome" parameter has to be used instead. | |
# See the step below | |
continue-on-error: true | |
- name: Fail in case of ERROR present in logs | |
if: ${{ steps.check_results.outcome == 'success' }} | |
run: | | |
[[ -f log_rule/test_suite.log ]] && echo "---------Rule Remediation Logs---------" && cat log_rule/test_suite.log | grep -v "DEBUG - " | |
[[ -f log_rule_ansible/test_suite.log ]] && echo "---------Rule Ansible Remediation Logs---------" && cat log_rule_ansible/test_suite.log | grep -v "DEBUG - " | |
[[ -f log_profile/test_suite.log ]] && echo "---------Profile Remediation Logs---------" && cat log_profile/test_suite.log | grep -v "DEBUG - " | |
[[ -f log_combined/test_suite.log ]] && echo "---------Combined Remediation Logs---------" && cat log_combined/test_suite.log | grep -v "DEBUG - " | |
[[ -f log_template/test_suite.log ]] && echo "---------Template Remediation Logs---------" && cat log_template/test_suite.log | grep -v "DEBUG - " | |
exit 1 |