Jack Ivanov 2017-07-09 11:51:19 +00:00 committed by GitHub
commit 09bf951ff1
32 changed files with 118 additions and 73 deletions


@ -10,14 +10,14 @@ matrix:
addons:
apt:
sources:
- sourceline: 'ppa:ubuntu-lxc/stable'
- sourceline: 'ppa:ubuntu-lxc/stable'
packages:
- python-pip
- lxc
- lxc-templates
- expect-dev
- debootstrap
- shellcheck
- python-pip
- lxc
- lxc-templates
- expect-dev
- debootstrap
- shellcheck
cache:
directories:
@ -34,6 +34,7 @@ env:
- LXC_NAME=ubuntu1704 LXC_DISTRO=ubuntu LXC_RELEASE=zesty
install:
- pip install ansible-lint
- sudo tar xf $HOME/lxc/cache.tar -C / || echo "Didn't extract cache."
- export LXC_ROOTFS=/var/lib/lxc/$LXC_NAME/rootfs
- 'sudo lxc-create -n $LXC_NAME -t ubuntu -- -r $LXC_RELEASE --mirror http://mirrors.us.kernel.org/ubuntu --packages python || true'
@ -49,8 +50,8 @@ install:
script:
- awesome_bot --allow-dupe --skip-save-results *.md docs/*.md --white-list paypal.com,do.co,microsoft.com,https://github.com/trailofbits/algo/archive/master.zip,https://github.com/trailofbits/algo/issues/new
# - shellcheck algo
# - ansible-lint deploy.yml users.yml deploy_client.yml
- shellcheck algo
- ansible-lint deploy.yml users.yml deploy_client.yml
- ansible-playbook deploy.yml --syntax-check
- ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security,tests -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y"
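Review bot: The `shellcheck algo` and `ansible-lint …` steps re-enabled in the last hunk run whatever versions the unpinned `pip install ansible-lint` (unchanged context above) and the Ubuntu `shellcheck` package resolve to at build time, so a newly released lint rule can turn CI red without any change in this repository, and a yanked or compromised release would be pulled in unnoticed. Pinning the linter, e.g. `pip install ansible-lint==<tested version>`, keeps the result reproducible and makes upgrades a deliberate commit. The `awesome_bot` and `ansible-playbook` lines are unchanged context.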

algo

@ -5,7 +5,8 @@ set -e
ACTIVATE_SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/env/bin/activate"
if [ -f "$ACTIVATE_SCRIPT" ]
then
source $ACTIVATE_SCRIPT
# shellcheck disable=SC1090
source "$ACTIVATE_SCRIPT"
else
echo "$ACTIVATE_SCRIPT not found. Did you follow documentation to install dependencies?"
exit 1
@ -176,7 +177,7 @@ Enter the number of your desired region:
esac
ROLES="azure vpn cloud"
EXTRA_VARS="azure_secret=$azure_secret azure_tenant=$azure_tenant azure_client_id=$azure_client_id azure_subscription_id=$azure_subscription_id azure_server_name=$azure_server_name ssh_public_key=$ssh_public_key region=$region"
EXTRA_VARS="azure_secret=$azure_secret azure_tenant=$azure_tenant azure_client_id=$azure_client_id azure_subscription_id=$azure_subscription_id azure_server_name=$azure_server_name region=$region"
}
digitalocean () {
@ -287,7 +288,7 @@ Enter the number of your desired region:
esac
ROLES="ec2 vpn cloud"
EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region"
EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name region=$region"
}
gce () {
@ -372,7 +373,7 @@ Please choose the number of your zone. Press enter for default (#14) zone.
esac
ROLES="gce vpn cloud"
EXTRA_VARS="credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone max_mss=1316"
EXTRA_VARS="credentials_file=$credentials_file server_name=$server_name zone=$zone max_mss=1316"
}
non_cloud () {
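Review bot: The rewritten `EXTRA_VARS` lines for azure, ec2 and gce still place `azure_secret`, `aws_secret_key` and the credentials file path on the `ansible-playbook` command line, so they are visible to every local user via `ps`, in process accounting, and in any CI log that echoes the command. The roles touched in this commit already fall back to environment lookups (`AZURE_SECRET`, `AWS_SECRET_ACCESS_KEY`), so the script could `export` those and omit the secret from `EXTRA_VARS` instead of interpolating it. Dropping `ssh_public_key=$ssh_public_key` is only safe if no role still reads `ssh_public_key`; the gce role in this commit reads `SSH_keys.public` instead, the azure and ec2 roles are not visible here. Each of the three functions begins before its hunk.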


@ -19,7 +19,7 @@
- debug: var=fail_hint
tags: always
- fail:
tags: always
tags: [ 'always', 'skip_ansible_lint' ]
roles:
- { role: cloud-digitalocean, tags: ['digitalocean'] }
@ -38,7 +38,7 @@
- debug: var=fail_hint
tags: always
- fail:
tags: always
tags: [ 'always', 'skip_ansible_lint' ]
- name: Configure the server and install required software
hosts: vpn-host
@ -57,7 +57,7 @@
- debug: var=fail_hint
tags: always
- fail:
tags: always
tags: [ 'always', 'skip_ansible_lint' ]
roles:
- { role: security, tags: [ 'security' ] }
@ -93,4 +93,4 @@
- debug: var=fail_hint
tags: always
- fail:
tags: always
tags: [ 'always', 'skip_ansible_lint' ]
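Review bot: The four bare `fail:` tasks get `skip_ansible_lint` instead of the change the linter is presumably asking for (an unnamed task with no message); a `name` and a `msg` would satisfy the rule and give the operator a readable failure, e.g. `- name: Stop after printing the hint` / `fail: msg="Deployment failed, see fail_hint above"`. A blanket skip tag also hides any future finding on these tasks. The same pattern is applied to every role in this commit, so naming the task in one shared place would be less to maintain.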


@ -24,6 +24,7 @@
- name: Get the OS
raw: uname -a
register: distribution
changed_when: false
- name: Modify the server name fact
set_fact:


@ -1,4 +1,4 @@
---
- name: restart strongswan
service: name=strongswan state=restarted


@ -1,3 +1,5 @@
---
- name: Gather Facts
setup:


@ -1,6 +1,7 @@
---
- set_fact:
- name: Set system-based facts
set_fact:
prerequisites:
- epel-release
configs_prefix: /etc/strongswan/


@ -1,5 +1,6 @@
---
- set_fact:
- name: Set system-based facts
set_fact:
prerequisites: []
configs_prefix: /etc/


@ -1,6 +1,7 @@
---
- set_fact:
- name: Set system-based facts
set_fact:
prerequisites:
- libselinux-python
configs_prefix: /etc/strongswan/


@ -1,5 +1,6 @@
---
- set_fact:
- name: Set system-based facts
set_fact:
prerequisites: []
configs_prefix: /etc/


@ -1,6 +1,7 @@
---
- block:
- set_fact:
- name: Extract credentials
set_fact:
resource_group: "Algo_{{ region }}"
secret: "{{ azure_secret | default(lookup('env','AZURE_SECRET'), true) }}"
tenant: "{{ azure_tenant | default(lookup('env','AZURE_TENANT'), true) }}"
@ -94,7 +95,8 @@
# To-do: Add error handling - if vm_size requested is not available, can we fall back to another, ideally with a prompt?
- set_fact:
- name: Set network facts
set_fact:
ip_address: "{{ azure_rm_virtualmachine.ansible_facts.azure_vm.properties.networkProfile.networkInterfaces[0].properties.ipConfigurations[0].properties.publicIPAddress.properties.ipAddress }}"
networkinterface_name: "{{ azure_rm_virtualmachine.ansible_facts.azure_vm.properties.networkProfile.networkInterfaces[0].name }}"
@ -120,7 +122,8 @@
cloud_provider: azure
ipv6_support: no
- set_fact:
- name: Set the instance IP
set_fact:
cloud_instance_ip: "{{ ip_address }}"
- name: Ensure the group azure exists in the dynamic inventory file
@ -140,4 +143,4 @@
- debug: var=fail_hint
tags: always
- fail:
tags: always
tags: [ 'always', 'skip_ansible_lint' ]
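Review bot: The newly named `Extract credentials` set_fact in the first hunk copies `azure_secret` (or `AZURE_SECRET` from the environment) into a fact, and `set_fact` results are printed in full under `-v` or by any result-logging callback, so verbose runs and CI logs expose the client secret; add `no_log: true` to that task. The remaining renames are fine. The block containing them starts before the first hunk and continues past the last one.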


@ -66,7 +66,8 @@
cloud_provider: digitalocean
ipv6_support: true
- set_fact:
- name: Set the instance IP
set_fact:
cloud_instance_ip: "{{ do.droplet.ip_address }}"
- name: Tag the droplet
@ -105,4 +106,4 @@
- debug: var=fail_hint
tags: always
- fail:
tags: always
tags: [ 'always', 'skip_ansible_lint' ]


@ -12,7 +12,8 @@
region: "{{ region }}"
register: search_crypt
- set_fact:
- name: Set the Image ID
set_fact:
ami_image: "{{ search_crypt.results[0].ami_id }}"
when: search_crypt.results
@ -32,6 +33,7 @@
register: enc_image
when: not search_crypt.results
- set_fact:
- name: Set the Image ID
set_fact:
ami_image: "{{ enc_image.image_id }}"
when: not search_crypt.results


@ -1,5 +1,6 @@
- block:
- set_fact:
- name: Extract credentials
set_fact:
access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'), true) }}"
secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true) }}"
stack_name: "{{ aws_server_name | replace('.', '-') }}"
@ -16,7 +17,8 @@
region: "{{ region }}"
register: ami_search
- set_fact:
- name: Set the Image ID
set_fact:
ami_image: "{{ ami_search.results[0].ami_id }}"
- include: encrypt_image.yml
@ -34,7 +36,8 @@
cloud_provider: ec2
ipv6_support: yes
- set_fact:
- name: Set the instance IP
set_fact:
cloud_instance_ip: "{{ stack.stack_outputs.ElasticIP }}"
- name: Get EC2 instances
@ -66,4 +69,4 @@
- debug: var=fail_hint
tags: always
- fail:
tags: always
tags: [ 'always', 'skip_ansible_lint' ]
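Review bot: `Extract credentials` in the first hunk now has a name but still no `no_log: true`, so `secret_key` (from `aws_secret_key` or `AWS_SECRET_ACCESS_KEY`) is printed with the task result whenever the play runs with `-v` or a callback that logs results. Add `no_log: true` on that set_fact; if the `stack_name` fact should stay visible for debugging, split it into its own task. The surrounding block starts at the top of the file and continues past the last hunk.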


@ -1,20 +1,23 @@
- block:
- set_fact:
- name: Extract credentials
set_fact:
credentials_file_path: "{{ credentials_file | default(lookup('env','GCE_CREDENTIALS_FILE_PATH'), true) }}"
ssh_public_key_lookup: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
- set_fact:
- name: Extract credentials
set_fact:
credentials_file_lookup: "{{ lookup('file', '{{ credentials_file_path }}') }}"
- set_fact:
- name: Extract credentials
set_fact:
service_account_email: "{{ credentials_file_lookup.client_email | default(lookup('env','GCE_EMAIL')) }}"
project_id: "{{ credentials_file_lookup.project_id | default(lookup('env','GCE_PROJECT')) }}"
- name: Network configured
gce_net:
name: "algo-{{ server_name }}"
fwname: "algo-{{ server_name }}-fw"
allowed: "udp:500,4500;tcp:22;icmp"
name: "algo-net-{{ server_name }}"
fwname: "algo-net-{{ server_name }}-fw"
allowed: "udp:500,4500;tcp:22"
state: "present"
mode: auto
src_range: 0.0.0.0/0
@ -47,7 +50,8 @@
cloud_provider: gce
ipv6_support: no
- set_fact:
- name: Set the instance IP
set_fact:
cloud_instance_ip: "{{ google_vm.instance_data[0].public_ip }}"
- name: Ensure the group gce exists in the dynamic inventory file
@ -67,4 +71,4 @@
- debug: var=fail_hint
tags: always
- fail:
tags: always
tags: [ 'always', 'skip_ansible_lint' ]
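Review bot: Dropping `icmp` from the `gce_net` `allowed` list blocks all inbound ICMP, including the Fragmentation-Needed messages that path-MTU discovery relies on for the tunnel; the `max_mss=1316` passed in from the `algo` script suggests MSS clamping is what makes this workable, but that only helps TCP inside the tunnel, so the task deserves a comment such as `# ICMP deliberately not allowed; PMTU problems are mitigated by MSS clamping (max_mss)`, or a narrower rule if the provider supports one. Renaming the network and firewall to `algo-net-…` also means an existing deployment's `algo-{{ server_name }}` resources are not removed by this play, if I read `gce_net` correctly. Separately, `Extract credentials` loads the whole service-account JSON, private key included, into `credentials_file_lookup`; `no_log: true` on those set_fact tasks keeps it out of verbose output.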


@ -1,6 +1,7 @@
---
- set_fact:
- name: Set system-based facts
set_fact:
tools:
- git
- subversion
@ -48,5 +49,6 @@
shell: >
kldstat -n ipfw.ko || kldload ipfw ; sysctl net.inet.ip.fw.enable=0 &&
bash /etc/rc.firewall && sysctl net.inet.ip.fw.enable=1
changed_when: false
- meta: flush_handlers
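Review bot: `changed_when: false` on the ipfw reload task declares that it never changes the host, but the shell it silences flips `net.inet.ip.fw.enable` off and on and re-runs `/etc/rc.firewall` on every play, so it does change state and should instead be made conditional, for example moved into a handler notified by whatever task writes `rc.firewall`. The chain `sysctl net.inet.ip.fw.enable=0 && bash /etc/rc.firewall && sysctl net.inet.ip.fw.enable=1` also leaves the firewall disabled if `rc.firewall` fails, because the re-enable is skipped by `&&`; `sysctl net.inet.ip.fw.enable=0; bash /etc/rc.firewall; sysctl net.inet.ip.fw.enable=1` (or a `trap`) would restore it regardless. That chain is unchanged context in this hunk.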


@ -25,4 +25,4 @@
- debug: var=fail_hint
tags: always
- fail:
tags: always
tags: [ 'always', 'skip_ansible_lint' ]


@ -11,6 +11,7 @@
args:
executable: /bin/bash
register: reboot_required
changed_when: "'required' in reboot_required.stdout"
tags:
- cloud
@ -63,15 +64,18 @@
- always
- name: Check apparmor support
shell: apparmor_status
command: apparmor_status
ignore_errors: yes
changed_when: false
register: apparmor_status
- set_fact:
- name: Seth the apparmor fact
set_fact:
apparmor_enabled: true
when: '"profiles are in enforce mode" in apparmor_status.stdout'
when: apparmor_status|succeeded
- set_fact:
- name: Set system-based facts
set_fact:
tools:
- git
- screen
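Review bot: `apparmor_enabled: true` is now set whenever `apparmor_status` exits 0, where it previously required "profiles are in enforce mode" in the output; that widens the fact to "AppArmor is loaded", which is probably what the later `aa-enforce` tasks want, but it is a behaviour change worth a comment on the task, e.g. `# apparmor_status exits 0 only when AppArmor is loaded; the Ubuntu tasks then enforce the profiles themselves`. The task name `Seth the apparmor fact` should read `Set the apparmor fact`. Because `ignore_errors: yes` swallows a missing or unprivileged `apparmor_status`, the fact silently stays undefined and every enforcement task is skipped; a `debug: var=apparmor_status.rc` would make that visible.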


@ -1,5 +1,7 @@
---
- name: restart dnsmasq
service: name=dnsmasq state=restarted
service: name=dnsmasq state=restarted daemon_reload=yes
- name: restart apparmor
service: name=apparmor state=restarted
service: name=apparmor state=restarted daemon_reload=yes
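Review bot: `daemon_reload=yes` is an option of the `systemd` module, not of `service`; whether `service:` forwards it depends on the Ansible version redirecting to `systemd` on systemd hosts, and on a non-systemd host the unknown option makes both handlers fail. The vpn handlers in this same commit use `systemd: name=strongswan state=restarted daemon_reload=yes`, so `systemd: name=dnsmasq state=restarted daemon_reload=yes` (and the same for apparmor) would be consistent and explicit. If the dns_adblocking role is Ubuntu-only this is a style point rather than a breakage.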


@ -1,6 +1,5 @@
---
- block:
- name: The DNS tag is defined
set_fact:
local_dns: Y
@ -44,8 +43,9 @@
user: dnsmasq
- name: Update adblock hosts
shell: >
sudo -u dnsmasq "/usr/local/sbin/adblock.sh"
command: /usr/local/sbin/adblock.sh
become: true
become_user: dnsmasq
- meta: flush_handlers
@ -58,4 +58,4 @@
- debug: var=fail_hint
tags: always
- fail:
tags: always
tags: [ 'always', 'skip_ansible_lint' ]
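Review bot: Switching from `sudo -u dnsmasq` inside `shell` to `become_user: dnsmasq` makes Ansible itself drop privileges, which requires it to make the module's temporary files readable by that unprivileged user; on hosts without `setfacl` (the `acl` package) this fails with a temp-file permissions error unless `allow_world_readable_tmpfiles` is set, something the previous form did not need. Confirm the role installs `acl`, or keep `command: sudo -u dnsmasq /usr/local/sbin/adblock.sh`. The task also has no `changed_when`, so it reports changed on every run; `changed_when: false` or a check on the script's output would keep the play honest. The enclosing block starts before this hunk.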


@ -12,7 +12,9 @@
- restart dnsmasq
- name: Ubuntu | Enforce the dnsmasq AppArmor policy
shell: aa-enforce usr.sbin.dnsmasq
command: aa-enforce usr.sbin.dnsmasq
register: output
changed_when: false
when: apparmor_enabled is defined and apparmor_enabled == true
tags: ['apparmor']
@ -29,5 +31,4 @@
src: 100-CustomLimitations.conf.j2
dest: /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
notify:
- daemon-reload
- restart dnsmasq
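Review bot: `register: output` on the `aa-enforce` task is not read anywhere in the hunk, and `changed_when: false` hides the real state change the first time the profile is switched to enforce mode; the counterpart `Ubuntu | Enforcing ipsec with apparmor` task in roles/vpn (also touched in this commit) has no `changed_when` at all, so the two roles report the same operation differently and should settle on one convention. Drop `register: output` if nothing consumes it. Removing the `daemon-reload` notify in the second hunk is only covered because the `restart dnsmasq` handler gains `daemon_reload=yes` in this commit, so those two changes must stay together.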


@ -19,7 +19,8 @@
cloud_provider: local
when: server_ip == "localhost"
- set_fact:
- name: Set the instance IP
set_fact:
cloud_instance_ip: "{{ server_ip }}"
- name: Ensure the group local exists in the dynamic inventory file
@ -39,4 +40,4 @@
- debug: var=fail_hint
tags: always
- fail:
tags: always
tags: [ 'always', 'skip_ansible_lint' ]


@ -4,6 +4,7 @@
apt: name="{{ item }}" state=latest
with_items:
- unattended-upgrades
tags: skip_ansible_lint
- name: Configure unattended-upgrades
template:
@ -165,4 +166,4 @@
- debug: var=fail_hint
tags: always
- fail:
tags: always
tags: [ 'always', 'skip_ansible_lint' ]
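Review bot: Tagging the `unattended-upgrades` apt task with `skip_ansible_lint` keeps `state=latest`, which is what the linter objects to because it makes every run potentially change the host; `state: present` is sufficient here, since unattended-upgrades then keeps itself current, and it removes the need for the tag. The `fail:` task at the end follows the same skip-instead-of-name pattern; a `name` and `msg` would satisfy the rule. Both hunks cut through a block that starts earlier in the file.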


@ -102,4 +102,4 @@
- debug: var=fail_hint
tags: always
- fail:
tags: always
tags: [ 'always', 'skip_ansible_lint' ]


@ -1,17 +1,17 @@
- name: restart strongswan
service: name=strongswan state=restarted
---
- name: daemon-reload
shell: systemctl daemon-reload
- name: restart strongswan
systemd: name=strongswan state=restarted daemon_reload=yes
- name: restart apparmor
service: name=apparmor state=restarted
- name: save iptables
shell: service netfilter-persistent save
command: service netfilter-persistent save
tags: skip_ansible_lint
- name: restart iptables
service: name=netfilter-persistent state=restarted
- name: rereadcrls
shell: ipsec rereadcrls
command: ipsec rereadcrls
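Review bot: `restart strongswan` now uses the `systemd` module while `restart apparmor` and `restart iptables` keep `service`, and this role also carries FreeBSD/HardenedBSD tasks, where the `systemd` module cannot run; unless FreeBSD hosts load a separate handler file (the plain `service: name=strongswan state=restarted` handler elsewhere in this commit may be that), the strongSwan restart breaks there. `service: name=strongswan state=restarted` plus a Linux-only `systemd: daemon_reload=yes` handler, or the `systemd` task guarded by `when: ansible_service_mgr == "systemd"`, would keep both platforms working. `command: service netfilter-persistent save` remains a state-changing command with no `changed_when`, which is what the `skip_ansible_lint` tag suppresses; for a handler that is acceptable.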


@ -3,6 +3,7 @@
- name: Register p12 PayloadContent
shell: cat private/{{ item }}.p12 | base64
register: PayloadContent
changed_when: false
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
with_items: "{{ users }}"
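Review bot: `shell: cat private/{{ item }}.p12 | base64` interpolates each entry of `users` into a shell command on the controller, so a name containing shell metacharacters is executed rather than used as a file name; `command: base64 private/{{ item }}.p12` with the same `chdir` and the new `changed_when: false` produces identical output without invoking a shell. The user list comes from the operator's own config, so this is hardening rather than an exposed injection, but `command` is also what ansible-lint prefers and would avoid another skip tag.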


@ -70,6 +70,7 @@
- fail:
msg: "Something went wrong. Check the debug output above."
tags: skip_ansible_lint
- block:
- name: FreeBSD / HardenedBSD | The kernel is being built...
@ -97,6 +98,7 @@
- fail:
msg: "Something went wrong. Check the debug output above."
tags: skip_ansible_lint
- name: FreeBSD / HardenedBSD | Reboot
shell: sleep 2 && shutdown -r now


@ -30,6 +30,7 @@
shell: >
find {{ config_prefix|default('/') }}etc/strongswan.d/charon/ -type f -name '*.conf' -exec basename {} \; | cut -f1 -d.
register: strongswan_plugins
changed_when: false
- name: Disable unneeded plugins
lineinfile:


@ -32,4 +32,4 @@
- debug: var=fail_hint
tags: always
- fail:
tags: always
tags: [ 'always', 'skip_ansible_lint' ]


@ -52,6 +52,7 @@
creates: "{{ IP_subject_alt_name }}_ca_generated"
environment:
subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"
tags: skip_ansible_lint
- name: Copy the CA certificate
copy:
@ -64,6 +65,7 @@
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
creates: serial_generated
tags: skip_ansible_lint
- name: Build the server pair
shell: >
@ -86,6 +88,7 @@
creates: certs/{{ IP_subject_alt_name }}_crt_generated
environment:
subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"
tags: skip_ansible_lint
- name: Build the client's pair
shell: >
@ -109,6 +112,7 @@
environment:
subjectAltName: "DNS:{{ item }}"
with_items: "{{ users }}"
tags: skip_ansible_lint
- name: Build the client's p12
shell: >
@ -124,6 +128,7 @@
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
with_items: "{{ users }}"
register: p12
tags: skip_ansible_lint
- name: Copy the p12 certificates
copy:
@ -142,6 +147,7 @@
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
register: valid_certs
tags: skip_ansible_lint
- name: Revoke non-existing users
shell: >
@ -157,6 +163,7 @@
subjectAltName: "DNS:{{ item }}"
when: item not in users
with_items: "{{ valid_certs.stdout_lines }}"
tags: skip_ansible_lint
delegate_to: localhost
become: no
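Review bot: The `skip_ansible_lint` tags added to the PKI tasks suppress the linter wholesale, whereas the read-only listing registered as `valid_certs` only needs `changed_when: false`, and the tasks guarded by `creates:` are already idempotent, so the remaining warning there is presumably the shell-instead-of-command rule, which a comment like `# shell needed for the env-driven multi-line openssl invocation` would document instead of hiding. Blanket tags on the tasks that generate the CA, server and client keys also mask any future real finding on the most sensitive tasks in the repository. `Revoke non-existing users` has neither `creates:` nor `changed_when`, so it reports changed on every run; the hunks here cut through tasks whose bodies are not fully shown.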


@ -1,6 +1,7 @@
---
- set_fact:
- name: Set system-based facts
set_fact:
strongswan_additional_plugins: []
- name: Ubuntu | Install strongSwan
@ -9,9 +10,10 @@
state: latest
update_cache: yes
install_recommends: yes
tags: skip_ansible_lint
- name: Ubuntu | Enforcing ipsec with apparmor
shell: aa-enforce "{{ item }}"
command: aa-enforce "{{ item }}"
when: apparmor_enabled is defined and apparmor_enabled == true
with_items:
- /usr/lib/ipsec/charon
@ -41,7 +43,6 @@
src: 100-CustomLimitations.conf.j2
dest: /etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf
notify:
- daemon-reload
- restart strongswan
- include: iptables.yml
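Review bot: `command: aa-enforce "{{ item }}"` has no `changed_when`, while the same `aa-enforce` in roles/dns_adblocking (changed in this commit) sets `changed_when: false`; pick one convention, since this task will otherwise report changed on every run. The `apparmor_enabled` fact gating it is now set whenever `apparmor_status` exits 0 (changed in roles/common in this commit), so a loaded AppArmor with no enforced profiles now gets the charon and stroke profiles enforced, which looks intended but should be stated on the task. Removing the `daemon-reload` notify in the last hunk is covered only because `restart strongswan` gains `daemon_reload=yes` in this commit's handler file; keep the two changes together.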


@ -33,7 +33,7 @@
- debug: var=fail_hint
tags: always
- fail:
tags: always
tags: [ 'always', 'skip_ansible_lint' ]
- name: User management
hosts: vpn-host
@ -51,7 +51,7 @@
- debug: var=fail_hint
tags: always
- fail:
tags: always
tags: [ 'always', 'skip_ansible_lint' ]
roles:
- { role: ssh_tunneling, tags: always, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
@ -68,4 +68,4 @@
- debug: var=fail_hint
tags: always
- fail:
tags: always
tags: [ 'always', 'skip_ansible_lint' ]