Install ansible-hardening role. Construct inventory and playbook. Install Ansible Run Analysis and hooks.
#!/bin/bash
#set -x
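# Refuse to run as anyone but the undercloud "stack" user: stackrc, ~/.ansible
# and the sudo steps below all assume it. Exit non-zero so a wrapper can tell.
if [[ "$(whoami)" != "stack" ]]; then
  printf '%s\n' "Please run this script as the stack user" >&2
  exit 1
fi
# Overcloud credentials for the nova calls in hostsfile().
# shellcheck disable=SC1090
source ~/stackrc
readonly APPHOME="/home/stack/.ansible"
readonly AH_ROLE="${APPHOME}/roles/ansible-hardening"
# APPHOME already ends in .ansible. The role has to sit under ${APPHOME}/roles
# (next to ansible-hardening) for the ara playbook written to ${APPHOME} to
# resolve "ansible-role-ara"; the old value nested a second .ansible directory.
readonly ARA_ROLE="${APPHOME}/roles/ansible-role-ara"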
#######################################
# Print the experimental-use warning and a short guide to the prompts that
# follow (inventory editing, ARA install).
# Outputs: banner text on stdout
#######################################
intro_text (){
  printf '\n'
  printf '%s\n' "WARNING! This script is experiment, use --mode check for a dry run and"
  printf '%s\n\n' "only use --mode apply against a deployment which you don't mind potentially breaking."
  printf '\n'
  printf '%s\n\n' "This script will automatically generate a playbook and an inventory file."
  printf '%s\n' "Should you wish to remove a node, run the script and let it generate the inventory file"
  printf '%s\n' "and then remove any entries from ~.ansible/hosts and re run again (making sure to say 'n'"
  printf '%s\n\n' "when prompted to create an inventory file."
  printf '\n'
  printf '%s\n' "Select yes when prompted to install Ansible Run Analysis, should you wish to view"
  printf '%s\n\n' "the results in the ARA GUI."
}
# GetOpts: translate the long spellings --type/--mode into the short -t/-m that
# getopts understands, keeping every other argument in its original position.
translated=()
for arg in "$@"; do
  case "$arg" in
    --type) translated+=("-t") ;;
    --mode) translated+=("-m") ;;
    *) translated+=("$arg") ;;
  esac
done
set -- "${translated[@]}"
unset translated
#######################################
# Print the invocation synopsis to stderr and abort the script.
# Outputs: usage line on stderr
# Returns: does not return; exits 1
#######################################
usage() {
  printf 'Usage: %s [-t stig|osp] [-m check|apply]\n' "$0" >&2
  exit 1
}
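# Parse the short options produced by the translation loop above and validate
# their values as strings. The old checks ran inside (( )), where bare words are
# arithmetic variable names: `((t == stig || c == osp))` compared 0 with 0 and
# accepted any value, so neither -t nor -m was ever rejected.
t="" m=""
while getopts ":t:m:" arg; do
  case "${arg}" in
    t)
      t=${OPTARG}
      [[ "$t" == "stig" || "$t" == "osp" ]] || usage
      ;;
    m)
      m=${OPTARG}
      # "apply" is what the usage text advertises and what the playbook run
      # at the end treats as the non-check mode.
      [[ "$m" == "check" || "$m" == "apply" ]] || usage
      ;;
    *)
      usage
      ;;
  esac
done
shift $((OPTIND-1))
# Both options are mandatory.
if [[ -z "${t}" || -z "${m}" ]]; then
  usage
fi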
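#######################################
# Install the build and runtime packages the roles and ARA need, enabling EPEL
# first from its release RPM.
# NOTE(review): this fetches the EL6 EPEL release while the ansible.cfg written
# below points at /usr/lib/python2.7 — confirm the EPEL version matches the
# host's major release.
# NOTE(review): rpm -Uvh only warns (NOKEY) on a package whose signing key is
# not imported; importing the EPEL key first (rpm --import) turns that into a
# real integrity check on the download.
# Globals:  none
# Outputs:  wget/rpm/yum progress on stdout and stderr
# Returns:  0 on success, 1 if the download or an install step fails
#######################################
install_deps () {
  local epel_rpm="epel-release-latest-6.noarch.rpm"
  # Skip the release download when EPEL is already enabled; rpm -U exits
  # non-zero on an already-installed package and would abort a re-run.
  if ! rpm -q epel-release >/dev/null 2>&1; then
    wget -O "$epel_rpm" "https://dl.fedoraproject.org/pub/epel/${epel_rpm}" || return 1
    # Install the file just downloaded rather than an epel-release-6*.rpm glob,
    # which could pick up a stale package from the working directory.
    sudo rpm -Uvh "$epel_rpm" || return 1
  fi
  sudo yum -y install \
    /usr/bin/git \
    /usr/bin/virtualenv \
    python-pip \
    gcc \
    libyaml \
    libselinux-python \
    libffi-devel \
    openssl-devel \
    redhat-rpm-config || return 1
}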
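# Stop early if the packages could not be installed; every later step
# (virtualenv, pip, git, ansible-playbook) depends on them.
install_deps || { printf '%s\n' "Dependency install failed" >&2; exit 1; }
intro_text
# The variable is APPHOME (no underscore). The old test read an unset APP_HOME,
# so the directory was "missing" on every run and the else branch never ran.
if [ ! -d "$APPHOME" ]; then
  printf 'Creating role and playbook directory.\n\n'
  mkdir -p "${APPHOME}/roles/"
else
  #TODO --clean
  echo " existing ~/.ansible folder found"
fi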
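#######################################
# Clone the ARA role, write its playbook and ~/.ansible.cfg, install ARA into a
# virtualenv and register a systemd unit for the ARA web UI.
# Globals:  APPHOME, ARA_ROLE (read)
# Outputs:  progress on stdout; writes ${APPHOME}/ansible-ara-playbook.yaml,
#           ~/.ansible.cfg, ${APPHOME}/venv, /etc/systemd/system/ara.service
# Returns:  0 on success, 1 if the clone, virtualenv or pip step fails
#######################################
install_ara (){
  #TODO add some checks to see if already installed
  if [ ! -d "$ARA_ROLE" ]; then
    printf 'Install Ansible Role ARA.\n\n'
    # Clone as the stack user, not via sudo, so the checkout under $HOME is not
    # root-owned; the ansible-hardening clone further down is done the same way.
    git clone https://git.openstack.org/openstack/ansible-role-ara \
      "$ARA_ROLE" || return 1
  fi
  # Create Ansible Ara Playbook. The script owns this file, so overwrite it
  # instead of appending a second YAML document on every run.
  cat <<EOF > "${APPHOME}/ansible-ara-playbook.yaml"
---
- name: Ansible Role Ara Playbook
  hosts: localhost
  roles:
    - ansible-role-ara
EOF
  # Create ansible.cfg. ~/.ansible.cfg may carry the user's own settings, so
  # keep appending, but only once: skip when an [ara] section already exists.
  if ! grep -q '^\[ara\]' ~/.ansible.cfg 2>/dev/null; then
    cat <<EOF >> ~/.ansible.cfg
[defaults]
local_tmp = /home/stack/.ansible/tmp
callback_plugins = /usr/lib/python2.7/site-packages/ara/plugins/callbacks
[ara]
dir = /home/stack/.ara
EOF
  fi
  # Create Virtualenv
  printf 'Creating virtualenv.\n\n'
  virtualenv "$APPHOME/venv" || return 1
  # shellcheck disable=SC1090
  . "$APPHOME/venv/bin/activate"
  # Install Ara
  printf 'Install Ara.\n\n'
  pip install --upgrade ara || return 1
  # Configure systemd service for flask / ara. Written with tee from a quoted
  # heredoc: no shell expansion inside the unit, the file is replaced rather
  # than appended to, and the stray `" > /etc/systemd/system/ara.service` that
  # used to follow WantedBy= no longer ends up inside the unit.
  # NOTE(review): ara was just pip-installed into ${APPHOME}/venv, yet
  # ExecStart and callback_plugins point at system paths — confirm which
  # install the unit is meant to run.
  # NOTE(review): runserver is the Flask development server and here listens
  # on 0.0.0.0 with no authentication; binding 127.0.0.1 and reaching it over
  # an SSH tunnel, or firewalling 9192, limits who can read the run history.
  sudo tee /etc/systemd/system/ara.service >/dev/null <<'EOF'
[Unit]
Description=ARA
After=network.target
[Service]
Type=simple
User=stack
Group=stack
TimeoutStartSec=0
Restart=on-failure
RestartSec=10
RemainAfterExit=yes
ExecStart=/bin/ara-manage runserver -h 0.0.0.0 -p 9192
[Install]
WantedBy=multi-user.target
EOF
  sudo systemctl daemon-reload
  sudo systemctl start ara
  echo "Ansible Run Analysis can be accessed at http://<undercloud_ip>:9192"
}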
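read -p "Would you like to deploy Ansible Run Analysis? " -n 1 -r
echo
if [[ $REPLY =~ ^[Yy]$ ]]; then
  install_ara || { printf '%s\n' "ARA install failed" >&2; exit 1; }
fi
# Check the ansible-hardening role exists. Clone into AH_ROLE, the same path
# the test uses, instead of a second hard-coded ~/.ansible location.
if [ ! -d "$AH_ROLE" ]; then
  printf 'Install Anisble Hardening Role.\n\n'
  git clone https://git.openstack.org/openstack/ansible-hardening \
    "$AH_ROLE" || { printf '%s\n' "Role clone failed" >&2; exit 1; }
else
  printf 'Hardening role found.\n\n'
fi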
#######################################
# Append the ansible-hardening play to ${APPHOME}/ansible-hardening-playbook.yaml.
# Globals:  APPHOME (read)
# Outputs:  progress line on stdout; appends to the playbook file
#######################################
playbook () {
  local target="${APPHOME}/ansible-hardening-playbook.yaml"
  printf 'Creating security playbook.\n\n'
  {
    echo '---'
    echo '- name: TripleO Security Hardening'
    echo '  hosts: all'
    echo '  become: yes'
    echo '  roles:'
    echo '    - ansible-hardening'
  } >> "$target"
}
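#######################################
# Build the ansible inventory from `nova list`: one [group] per overcloud node,
# keyed on its exact name, plus a local undercloud entry.
# Globals:  APPHOME (read); needs the overcloud credentials from stackrc
# Outputs:  progress lines on stdout; appends to ${APPHOME}/hosts
#######################################
hostsfile () {
  local inventory="${APPHOME}/hosts"
  local name ip
  printf 'Creating anisble inventory file (this can take a few seconds..)\n\n'
  # One nova call for everything instead of one per node. With -F '|' a row is
  # | ID | Name | Status | Task State | Power State | Networks |, so $3 is the
  # name and $7 the networks cell; border rows have NF 1 and are dropped. The
  # address is, as before, the text after the first '=' in the networks cell,
  # but the node is matched as a whole cell rather than with grep "$name",
  # which also matched compute-1 against compute-10.
  while IFS=$'\t' read -r name ip; do
    [[ -n "$name" ]] || continue
    echo "Creating entry for node: ${name}"
    printf '[%s]\n%s ansible_user=heat-admin\n' "$name" "$ip" >> "$inventory"
  done < <(nova list | awk -F '|' '
    NF >= 8 {
      gsub(/^ +| +$/, "", $3)
      if ($3 == "Name") next
      split($7, net, "=")
      addr = net[2]
      gsub(/^ +| +$/, "", addr)
      print $3 "\t" addr
    }')
  echo "Creating entry for node: undercloud"
  echo "[undercloud]" >> "$inventory"
  echo "127.0.0.2 ansible_connection=local ansible_python_interpreter=/usr/bin/python2" >> "$inventory"
}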
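# Check for existing playbook
if [ ! -f "${APPHOME}/ansible-hardening-playbook.yaml" ]; then
  read -p "No ansible-hardening playbook present, should we create one? " -n 1 -r
  echo
  if [[ $REPLY =~ ^[Yy]$ ]]; then
    playbook
  fi
fi
# Check for existing hosts file
if [ ! -f "${APPHOME}/hosts" ]; then
  read -p "No inventory files are present, should we create one? " -n 1 -r
  echo
  if [[ $REPLY =~ ^[Yy]$ ]]; then
    hostsfile
  fi
else
  printf 'Existing Inventory file found.\n\n'
  read -p "Would you like to remove and recreate? " -n 1 -r
  echo "";echo ""
  if [[ $REPLY =~ ^[Yy]$ ]]; then
    printf 'Removing current hosts file\n\n'
    # Same path the checks above use, rather than a second hard-coded ~/.ansible.
    rm -f -- "${APPHOME}/hosts"
    hostsfile
  fi
fi
# Perform anisble-playbook run. Both files must exist by now (the user may
# have answered 'n' above); say so instead of leaving it to ansible-playbook.
for f in "${APPHOME}/hosts" "${APPHOME}/ansible-hardening-playbook.yaml"; do
  if [ ! -f "$f" ]; then
    printf 'Missing %s; nothing to run\n' "$f" >&2
    exit 1
  fi
done
if [[ $m = "check" ]]; then
  echo "Running Playbook in check mode"
  ansible-playbook -i "${APPHOME}/hosts" "${APPHOME}/ansible-hardening-playbook.yaml" --check
else
  # Only "check" is a dry run; anything else changes the overcloud nodes, so
  # ask for explicit confirmation before the real run.
  read -p $'\e[31mWarning! Running in non-check mode will result in system changes. Are you sure you wish to proceed: [y/n]?\e[0m ' -n 1 -r
  echo
  if [[ $REPLY =~ ^[Yy]$ ]]; then
    ansible-playbook -i "${APPHOME}/hosts" "${APPHOME}/ansible-hardening-playbook.yaml"
  else
    echo "Bailing out.."
    exit
  fi
fi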