Add files via upload

Author: D3One

Ansible samples/README.md

@@ -0,0 +1,102 @@
+# Ansible DevSecOps Playbooks 
+
+This repository contains example Ansible playbooks designed to automate security tasks within a DevSecOps pipeline. These playbooks demonstrate how to integrate security checks and hardening procedures into your infrastructure automation process.
+
+<p align="center">
+  <img src="https://github.com/user-attachments/assets/a5169df1-bb06-42e2-9623-9ce33df20d75" alt="Sublime's custom image"/>
+</p>
+
+## What is an Ansible Playbook?
+
+An Ansible Playbook is a YAML file that defines a set of automation tasks, configurations, and policies to be enforced on remote hosts. It allows you to describe your desired state for infrastructure and applications in a code-like manner, making it versionable, repeatable, and idempotent (meaning you can run it multiple times without causing unintended changes).
+
+## Playbooks Overview
+
+### 1. Host Hardening Playbook (`host-hardening.yml`)
+
+This playbook performs basic security hardening on a Linux server by:
+- Disabling SSH root login.
+- Restricting SSH access to specific users.
+- Disabling weak SSH encryption algorithms.
+- Installing and configuring `fail2ban` to protect against brute-force attacks.
+- Configuring a firewall (UFW) to allow only essential ports (SSH, HTTP, HTTPS).
+
+### 2. Container & Dependency Scan Playbook (`container-dependency-scan.yml`)
+
+This playbook is designed to run in a CI/CD pipeline and performs security scans on:
+- **Docker Images**: Uses `Trivy` to scan container images for known vulnerabilities (CVEs), failing the pipeline if critical issues are found.
+- **Python Dependencies**: Uses `Safety` to check for vulnerabilities in Python packages listed in a `requirements.txt` file.
+
+## Prerequisites
+
+- Ansible installed on the control node.
+- For `host-hardening.yml`: Target hosts must be accessible via SSH.
+- For `container-dependency-scan.yml`: Docker and Python/pip must be installed on the runner.
+
+## Usage
+
+### 1. Clone the Repository
+```bash
+git clone https://github.com/D3One/Vault-backup-automation/tree/main/Ansible%20samples
+cd ansible-devsecops-playbooks
+```
+
+### 2. Create an Inventory File
+Create a file named `inventory.ini` to define your target hosts:
+```ini
+[webservers]
+web-server-1 ansible_host=192.168.1.10
+web-server-2 ansible_host=192.168.1.11
+
+[local]
+localhost ansible_connection=local
+```
+
+### 3. Run the Host Hardening Playbook
+```bash
+ansible-playbook -i inventory.ini host-hardening.yml --user <your-username> --become
+```
+
+### 4. Run the Security Scan Playbook (in CI/CD)
+Example command to run the scan locally:
+```bash
+ansible-playbook -i inventory.ini container-dependency-scan.yml -e "image_name=my-app:latest requirements_path=./requirements.txt"
+```
+
+## Example Integration in GitLab CI
+
+```yaml
+stages:
+  - security check
+
+trivy_scan:
+  stage: security check
+  image: docker:latest
+  services:
+    - docker:dind
+  before_script:
+    - apk add --no-cache ansible
+  script:
+    - ansible-playbook -i localhost, -c local container-dependency-scan.yml
+  artifacts:
+    paths:
+      - ./*security-scan-report*.txt
+```
+
+## Key Benefits
+
+- **Infrastructure as Code (IaC)**: Security policies are defined in code, versioned, and reviewable.
+- **Automation**: Eliminates manual security checks, reducing human error.
+- **Shift-Left Security**: Identifies vulnerabilities early in the development lifecycle.
+- **Compliance**: Helps enforce consistent security configurations across all environments.
+
+## Contributing
+
+Feel free to submit issues, fork the repository, and create pull requests to improve these playbooks.
+
+## License
+
+This project is licensed under the MIT License.
+
+---
+

Ansible samples/container-dependency-scan.yml

@@ -0,0 +1,54 @@
+---
+- name: 🔍 SCAN: Container Image and Dependencies for Vulnerabilities
+  hosts: localhost  
+  vars:
+    image_name: "my-app:latest"  # Имя сканируемого Docker-образа
+    requirements_path: "requirements.txt"  # Путь к файлу зависимостей Python
+
+  tasks:
+    - name: "1. 🐳 Install Trivy (if not installed)"
+      block:
+        - name: Download Trivy installer
+          ansible.builtin.get_url:
+            url: "https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.49.1_Linux-64bit.deb"
+            dest: "/tmp/trivy.deb"
+            mode: '0755'
+        - name: Install Trivy from .deb package
+          ansible.builtin.apt:
+            deb: "/tmp/trivy.deb"
+      become: yes
+
+    - name: "2. 🔎 Scan local Docker image for vulnerabilities with Trivy"
+      community.docker.docker_image_info:
+        name: "{{ image_name }}"
+      register: image_info
+
+    - name: Run Trivy scan and fail if critical vulnerabilities are found
+      ansible.builtin.command:
+        cmd: "trivy image --exit-code 1 --severity CRITICAL,HIGH {{ image_name }}"
+      register: trivy_scan_result
+      failed_when:
+        - trivy_scan_result.rc != 0
+        - "'ERROR' not in trivy_scan_result.stderr"  # Игнорируем ошибки скачивания и т.д., но не ошибки наличия уязвимостей.
+
+    - name: "3. 🐍 Install Safety (Python vulnerability scanner)"
+      ansible.builtin.pip:
+        name: safety
+        state: latest
+
+    - name: "4. 📦 Scan Python dependencies for known vulnerabilities"
+      ansible.builtin.command:
+        cmd: "safety check --file {{ requirements_path }} --full-report"
+      register: safety_scan_result
+      failed_when: safety_scan_result.rc != 0
+      ignore_errors: yes  # Можно изменить на 'no' для строгого режима
+
+    - name: "5. 📄 Save scan reports as artifacts (for CI/CD)"
+      ansible.builtin.copy:
+        content: |
+          TRIVY SCAN REPORT:
+          {{ trivy_scan_result.stdout }}
+
+          SAFETY SCAN REPORT:
+          {{ safety_scan_result.stdout }}
+        dest: "./security-scan-report-{{ ansible_date_time.epoch }}.txt"

Ansible samples/host-hardening.yml

@@ -0,0 +1,65 @@
+---
+- name: 🔒 Apply Basic Server Hardening for DevSecOps
+  hosts: all  # Целевые хосты (можно указать группу в инвентаре)
+  become: yes  # Запуск с повышенными привилегиями (sudo)
+  vars:
+    # Список пользователей, которым разрешен SSH доступ
+    allowed_ssh_users: "deployuser adminuser"
+    # Список устаревших и небезопасных алгоритмов для отключения
+    weak_kex_algorithms: "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1"
+    weak_ciphers: "3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc"
+
+  tasks:
+    - name: "🛡️ 1. Ensure SSH root login is disabled"
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?PermitRootLogin'
+        line: 'PermitRootLogin no'
+        state: present
+      notify: restart sshd
+
+    - name: "🛡️ 2. Configure allowed SSH users"
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?AllowUsers'
+        line: "AllowUsers {{ allowed_ssh_users }}"
+        state: present
+      notify: restart sshd
+
+    - name: "🛡️ 3. Disable weak SSH Key Exchange Algorithms and Ciphers"
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: '^#?KexAlgorithms'
+        line: "KexAlgorithms {{ weak_kex_algorithms }}"
+        state: absent
+      notify: restart sshd
+
+    - name: "🛡️ 4. Install and configure fail2ban to prevent brute-force attacks"
+      ansible.builtin.package:
+        name: fail2ban
+        state: latest
+      notify: restart fail2ban
+
+    - name: "🛡️ 5. Ensure firewall (UFW) is enabled and allows only SSH and HTTP/HTTPS"
+      community.general.ufw:
+        rule: allow
+        name: "{{ item }}"
+        state: enabled
+      loop:
+        - ssh
+        - http
+        - https
+      ignore_errors: yes  # На случай, если UFW не установлен
+
+  handlers:
+    - name: restart sshd
+      ansible.builtin.service:
+        name: sshd
+        state: restarted
+        enabled: yes
+
+    - name: restart fail2ban
+      ansible.builtin.service:
+        name: fail2ban
+        state: restarted
+        enabled: yes