Merge branch 'develop'

.gitignore

@@ -0,0 +1,15 @@
+# Swap files
+*.swp
+
+# Python bytecode
+*.pyc
+
+# Pytest
+.cache
+
+# Vagrant
+.vagrant
+*.retry
+
+# Bundle
+.bundle

.travis.yml

@@ -0,0 +1,62 @@
+---
+
+# Travis file for lynis role
+
+dist: trusty
+sudo: required
+
+services:
+  - docker
+
+language: ruby
+rvm:
+  - 2.1.5
+
+env:
+    - ANSIBLE_ROLES_PATH="${TRAVIS_BUILD_DIR%/*/*}"
+
+before_install:
+  # Make sure everything's up to date.
+  - sudo apt-get update -qq
+
+  # Install ruby dependencies to run serverspec tests
+  - rvmsudo gem install serverspec rspec
+
+  # Install Ansible and pytest.
+  - >
+    sudo pip install ansible paramiko PyYAML Jinja2 httplib2 six pytest
+    ansible-lint
+
+  # Remove rvmsudo warning
+  - >
+    [[ $(sudo grep secure_path /etc/sudoers) ]]
+    && export rvmsudo_secure_path=1 || export rvmsudo_secure_path=0
+
+script:
+  # Check the role/playbook's syntax.
+  - ansible-playbook -i tests/inventory tests/test_travis.yml --syntax-check
+
+  # Run linter on role
+  - ansible-lint tasks/main.yml
+
+  # Run filter plugins tests
+  - py.test -v
+
+  # Run the role/playbook with ansible-playbook.
+  - >
+    ansible-playbook -i tests/inventory tests/test_travis.yml
+    --connection=local --sudo
+
+  # Run the role/playbook again, checking to make sure it's idempotent.
+  - >
+    ansible-playbook -i tests/inventory tests/test_travis.yml
+    --connection=local --sudo
+    | grep -q 'changed=[0].*failed=0'
+    && (echo 'Idempotence test: pass' && exit 0)
+    || (echo 'Idempotence test: fail' && exit 1)
+
+  # Run serverspec tests
+  - rvmsudo rspec
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

LICENSE

@@ -0,0 +1,24 @@
+
+The MIT License (MIT)
+
+Copyright (c) 2015 infOpen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+

README.md

@@ -0,0 +1,58 @@
+# lynis
+
+[![Build Status](https://travis-ci.org/infOpen/ansible-role-lynis.svg?branch=master)](https://travis-ci.org/infOpen/ansible-role-lynis)
+
+Ansible role to manage Lynis installation and configuration
+
+## Requirements
+
+This role requires Ansible 2.0 or higher,
+and platform requirements are listed in the metadata file.
+
+## Testing
+
+This role contains two tests methods :
+- locally using Vagrant
+- automatically with Travis
+
+### Testing dependencies
+- install [Vagrant](https://www.vagrantup.com)
+- install [Vagrant serverspec plugin](https://github.com/jvoorhis/vagrant-serverspec)
+    $ vagrant plugin install vagrant-serverspec
+- install ruby dependencies
+    $ bundle install
+
+### Running tests
+
+#### Run playbook and test
+
+- if Vagrant box not running
+    $ vagrant up
+
+- if Vagrant box running
+    $ vagrant provision
+
+## Role Variables
+
+### Default role variables
+
+## Dependencies
+
+None
+
+## Example Playbook
+
+    - hosts: servers
+      roles:
+         - { role: infOpen.lynis }
+
+## License
+
+MIT
+
+## Author Information
+
+Alexandre Chaussier (for Infopen company)
+- http://www.infopen.pro
+- a.chaussier [at] infopen.pro
+

Vagrantfile

@@ -0,0 +1,95 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
+VAGRANTFILE_API_VERSION = "2"
+
+# Ansible version
+ANSIBLE_DOWNLOAD_SOURCE = ENV['ANSIBLE_DOWNLOAD_SOURCE'] || "pip"
+ANSIBLE_GIT_CHECKOUT = ENV['ANSIBLE_GIT_CHECKOUT'] || "HEAD"
+ANSIBLE_GIT_REPOSITORY = ENV['ANSIBLE_GIT_REPOSITORY'] \
+                          || "https://github.com/ansible/ansible.git"
+
+# Managed boxes for this role (should have all platform and version defined in
+# meta/main.yml)
+VMS = {
+  :trusty => {
+    :box => "ubuntu/trusty64"
+  }
+}
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+
+  VMS.each_pair do |name, options|
+
+    config.vm.define name do |vm_config|
+
+      # Set proper box
+      vm_config.vm.box = options[:box]
+
+      # Update system and install requirements
+      vm_config.vm.provision "shell" do |sh|
+        if ANSIBLE_DOWNLOAD_SOURCE == 'git'
+          sh.inline = "test -d /usr/local/src/ansible \
+                        || (sudo apt-get update \
+                            && sudo apt-get install python-dev python-pip \
+                                                    curl git libffi-dev \
+                                                    libssl-dev -y \
+                            && sudo pip install paramiko PyYAML Jinja2 \
+                                                httplib2 six pytest \
+                                                ansible-lint \
+                            && cd /usr/local/src \
+                            && sudo git clone #{ANSIBLE_GIT_REPOSITORY} \
+                            && cd ansible \
+                            && sudo git checkout #{ANSIBLE_GIT_CHECKOUT} \
+                            && sudo git submodule init \
+                            && sudo git submodule update \
+                            && sudo make install)"
+        else
+          sh.inline = "test -f /usr/local/bin/ansible \
+                        || (sudo apt-get update \
+                            && sudo apt-get install python-dev python-pip \
+                                                    curl git libffi-dev \
+                                                    libssl-dev -y \
+                            && sudo pip install paramiko PyYAML Jinja2 \
+                                                httplib2 six pytest ansible \
+                                                ansible-lint)"
+        end
+      end
+
+      # Run pytest tests for filter plugins
+      vm_config.vm.provision "shell" do |sh|
+        sh.inline = "cd /vagrant \
+                      && rm -f tests/__pycache__/*.pyc \
+                      && py.test -v"
+        sh.privileged = false
+      end
+
+      # Use trigger plugin to set environment variable used by Ansible
+      # Needed with 2.0 home path change
+      vm_config.vm.provision "trigger" do |trigger|
+        trigger.fire do
+          ENV['ANSIBLE_ROLES_PATH'] = '../'
+          ENV['ANSIBLE_ROLE_NAME'] = File.basename(Dir.getwd)
+        end
+      end
+
+      # Run Ansible linter
+      vm_config.vm.provision "shell" do |sh|
+        sh.inline = "cd /vagrant && ansible-lint tasks/main.yml"
+        sh.privileged = false
+      end
+
+      # Run Ansible provisioning
+      vm_config.vm.provision "ansible" do |ansible|
+        ansible.playbook  = "tests/test_vagrant.yml"
+      end
+
+      # Run Serverspec tests
+      vm_config.vm.provision "serverspec" do |serverspec|
+        serverspec.pattern = 'spec/*_spec.rb'
+      end
+
+    end
+  end
+end

defaults/main.yml

@@ -0,0 +1,65 @@
+---
+
+# Defaults vars file for lynis role
+
+# Managed installation types:
+#   - 'git'
+lynis_installation_type: 'git'
+
+
+# Global installation vars
+lynis_installation_dir: '/var/lib/lynis'
+lynis_installation_version: '2.2.0'
+
+lynis_installation_owner: 'root'
+lynis_installation_group: 'root'
+
+# Default vars used with git installation type
+#---------------------------------------------
+
+# Add Github host key
+# See: https://help.github.com/articles/what-are-github-s-ssh-key-fingerprints/
+lynis_git_host_keys:
+  - name: 'github.com'
+    key: |
+      |1|XSnxOghgS/1AkYu80DtXWOBnhcQ=|fc7xOMfZJSHGhNmO1FJ5sAQt2eA= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+    state: 'present'
+
+lynis_git_accept_host_key: False
+lynis_git_repository: 'https://github.com/CISOfy/lynis.git'
+
+# Reports directory management
+#-----------------------------
+lynis_reports_dir_path: '/var/log/lynis-reports'
+lynis_reports_dir_owner: "{{ lynis_installation_owner }}"
+lynis_reports_dir_group: "{{ lynis_installation_group }}"
+lynis_reports_dir_mode: '0750'
+
+# Crontab management
+#-------------------
+lynis_manage_crontab: True
+lynis_crontab_file_name: 'lynis'
+lynis_crontab_vars:
+  - name: 'CURRENT_DATE'
+    value: 'date +%Y%m%d'
+    user: "{{ lynis_installation_owner }}"
+    state: 'present'
+lynis_crontab_jobs:
+  - name: 'Automatic Lynis daily report'
+    file_name: "{{ lynis_crontab_file_name }}"
+    minute: 13
+    hour: 12
+    weekday: '*'
+    day: '*'
+    month: '*'
+    job: "{{
+      'cd ' ~ lynis_installation_dir
+        ~ ' && ./lynis --cronjob --auditor \"Automatic daily scan\"'
+        ~ ' --report-file \"'
+                ~ lynis_reports_dir_path ~ '/$($CURRENT_DATE)-auto.dat\"'
+        ~ ' --logfile \"'
+                ~ lynis_reports_dir_path ~ '/$($CURRENT_DATE)-auto.log\"'
+        ~ ' > \"' ~ lynis_reports_dir_path ~ '/$($CURRENT_DATE)-cron.log\"'
+        ~ ' 2>&1' }}"
+    user: "{{ lynis_installation_owner }}"
+    state: 'present'

handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+# Handlers main file for lynis role
+

meta/main.yml

@@ -0,0 +1,18 @@
+---
+
+galaxy_info:
+  author: Alexandre Chaussier
+  description: Ansible role to manage Lynis installation and configuration
+  company: Infopen (http://www.infopen.pro)
+  license: MIT
+  min_ansible_version: 2.0
+  github_branch: master
+  platforms:
+    - name: Ubuntu
+      versions:
+        - trusty
+  galaxy_tags:
+    - system
+    - security
+dependencies: []
+

pytest.ini

@@ -0,0 +1,4 @@
+# Configuration for pytest
+
+[pytest]
+testpaths = tests

spec/installation_spec.rb

@@ -0,0 +1,33 @@
+require 'serverspec'
+
+if ENV['TRAVIS']
+    set :backend, :exec
+end
+
+describe 'lynis Ansible role' do
+
+    # Installation dir should be owned by root
+    describe file('/var/lib/lynis') do
+        it { should exist }
+        it { should be_directory }
+        it { should be_owned_by 'root' }
+        it { should be_grouped_into 'root' }
+    end
+
+    # Reports directory should exists and owned by root
+    describe file('/var/log/lynis-reports') do
+        it { should exist }
+        it { should be_directory }
+        it { should be_owned_by 'root' }
+        it { should be_grouped_into 'root' }
+    end
+
+    # Crontab file should be defined and executed by root
+    describe file('/etc/cron.d/lynis') do
+        it { should exist }
+        it { should be_file }
+        it { should be_owned_by 'root' }
+        it { should be_grouped_into 'root' }
+        its(:content) { should match /\*\s+root/ }
+    end
+end