diff --git a/.github/workflows/verify-vagrant.yml b/.github/workflows/verify-vagrant.yml
index ec31145..8acf582 100644
--- a/.github/workflows/verify-vagrant.yml
+++ b/.github/workflows/verify-vagrant.yml
@@ -12,49 +12,73 @@ on: jobs: my-job: name: Validate my profile - runs-on: macos-latest + runs-on: ubuntu-22.04 env: CHEF_LICENSE: accept-silent + CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }} KITCHEN_YAML: kitchen.vagrant.yml strategy: matrix: suite: ['hardened'] fail-fast: false steps: - - name: Add jq for output formatting - run: brew install jq + - name: Add needed packages + run: | + sudo apt-get update + sudo apt-get -y install jq + + - name: Add VirtualBox + run: sudo apt-get install virtualbox + + - name: Add vagrant + run: | + wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg + echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list + sudo apt update && sudo apt install vagrant + - name: Check out repository uses: actions/checkout@v4 + - name: Setup Ruby uses: ruby/setup-ruby@v1 with: ruby-version: '3.1' + - name: Disable ri and rdoc run: 'echo "gem: --no-ri --no-rdoc" >> ~/.gemrc' - - name: Setup caching - uses: actions/cache@v3 - with: - path: vendor/bundle - key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }} - restore-keys: | - ${{ runner.os }}-gems- + + # - name: Setup caching + # uses: actions/cache@v3 + # with: + # path: vendor/bundle + # key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }} + # restore-keys: | + # ${{ runner.os }}-gems- + - name: Bundle install - run: | - gem install bundler - bundle config path vendor/bundle - bundle install + run: bundle install + + - name: Installed Inspec + run: bundle exec inspec version + + - name: Vendor the Profile + run: bundle exec inspec vendor . 
--overwrite + - name: Run kitchen test run: | cd test/cookbooks/Win2019STIG bundle exec kitchen test ${{ matrix.suite }} || true + - name: Save Test Result JSON uses: actions/upload-artifact@v4 with: path: test/cookbooks/Win2019STIG/results/*.json + - name: Display our ${{ matrix.suite }} results summary uses: mitre/saf_action@v1 with: command_string: 'view summary -i test/cookbooks/Win2019STIG/results/${{ matrix.suite }}-test-result.json' + - name: Ensure the scan meets our ${{ matrix.suite }} results threshold uses: mitre/saf_action@v1 with: diff --git a/Gemfile b/Gemfile index 6c675c3..db68018 100644 --- a/Gemfile +++ b/Gemfile @@ -4,6 +4,5 @@ gem 'test-kitchen' gem 'kitchen-vagrant' gem 'kitchen-inspec' gem 'inspec-bin' -gem 'inspec_tools' gem 'berkshelf' gem 'inspec' \ No newline at end of file diff --git a/controls/V-92963.rb b/controls/V-92963.rb index 47267bb..1d89f15 100644 --- a/controls/V-92963.rb +++ b/controls/V-92963.rb @@ -61,7 +61,6 @@ end else impact 0.0 - desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' end diff --git a/controls/V-92965.rb b/controls/V-92965.rb index c348739..3416a7d 100644 --- a/controls/V-92965.rb +++ b/controls/V-92965.rb @@ -88,7 +88,6 @@ case domain_role when '4', '5' impact 0.0 - desc 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' end 
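Review bot: The license secret is exposed to every step of the job because `CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}` sits in the job-level `env:`; that includes the third-party actions referenced by mutable tags (`ruby/setup-ruby@v1`, `mitre/saf_action@v1`) and whatever code runs during `bundle install`. Drop it from the job `env:` and give only the steps that invoke InSpec (presumably `Vendor the Profile` and `Run kitchen test`) their own `env:` containing `CHEF_LICENSE_KEY: ${{ secrets.SAF_CHEF_LICENSE_KEY }}`. Separately, `sudo apt-get install virtualbox` and `sudo apt install vagrant` omit `-y`, unlike the `jq` step, and will likely abort at the confirmation prompt on a non-interactive runner; `sudo apt-get -y install …` in both keeps them consistent. The HashiCorp signing key is downloaded and written to the keyring without a fingerprint check, which the `Add vagrant` step could perform before the `apt` source is added. The hunk ends inside the `with:` block of the final `mitre/saf_action@v1` step, which continues outside the hunk.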
diff --git a/controls/V-92989.rb b/controls/V-92989.rb index 7334b34..64823e7 100644 --- a/controls/V-92989.rb +++ b/controls/V-92989.rb @@ -64,9 +64,8 @@ end when '2', '3' impact 0.0 - desc 'This system is exempt from this control' - describe 'This system is exempt from this control' do - skip 'This system is exempt from this control' + describe 'This applies to domain controllers. It is NA for other systems.' do + skip 'This applies to domain controllers. It is NA for other systems.' end end end diff --git a/controls/V-93009.rb b/controls/V-93009.rb index 023f3db..ebabe47 100644 --- a/controls/V-93009.rb +++ b/controls/V-93009.rb @@ -95,7 +95,6 @@ case domain_role when '4', '5' impact 0.0 - desc 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' end diff --git a/controls/V-93011.rb b/controls/V-93011.rb index 738f538..af20c44 100644 --- a/controls/V-93011.rb +++ b/controls/V-93011.rb @@ -76,7 +76,6 @@ case domain_role when '4', '5' impact 0.0 - desc 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' end diff --git a/controls/V-93013.rb b/controls/V-93013.rb index b4e1f30..4f4a8e3 100644 --- a/controls/V-93013.rb +++ b/controls/V-93013.rb 
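Review bot: The new text in the `when '2', '3'` branch of controls/V-92989.rb, `'This applies to domain controllers. It is NA for other systems.'`, differs from the sentence the sibling controls in this commit keep for what appears to be the same not-a-domain-controller case (`'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers'`). Anyone filtering Not Applicable results by skip message will therefore need two patterns. Reusing the existing sentence, or holding the message in one local that both `describe` and `skip` reference, would keep the results uniform. The `case` statement this branch belongs to starts outside the hunk.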
@@ -73,7 +73,6 @@ case domain_role when '4', '5' impact 0.0 - desc 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' end diff --git a/controls/V-93015.rb b/controls/V-93015.rb index 1cd6956..a9a99ef 100644 --- a/controls/V-93015.rb +++ b/controls/V-93015.rb @@ -77,7 +77,6 @@ case domain_role when '4', '5' impact 0.0 - desc 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' describe 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' do skip 'This system is dedicated to the management of Active Directory, therefore this system is exempt from this control' end diff --git a/controls/V-93035.rb b/controls/V-93035.rb index 001d6d5..c6ad064 100644 --- a/controls/V-93035.rb +++ b/controls/V-93035.rb @@ -180,7 +180,6 @@ end else impact 0.0 - desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' end diff --git a/controls/V-93037.rb b/controls/V-93037.rb index b7c6a25..a107053 100644 --- a/controls/V-93037.rb +++ b/controls/V-93037.rb 
@@ -254,7 +254,6 @@ end else impact 0.0 - desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' end diff --git a/controls/V-93121.rb b/controls/V-93121.rb index 287a597..21ee49c 100644 --- a/controls/V-93121.rb +++ b/controls/V-93121.rb @@ -174,7 +174,6 @@ end else impact 0.0 - desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' end diff --git a/controls/V-93123.rb b/controls/V-93123.rb index c751095..a1d3237 100644 --- a/controls/V-93123.rb +++ b/controls/V-93123.rb @@ -214,7 +214,6 @@ end else impact 0.0 - desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' end diff --git a/controls/V-93125.rb b/controls/V-93125.rb index 2a83f89..6b8d75e 100644 --- a/controls/V-93125.rb +++ b/controls/V-93125.rb 
@@ -158,7 +158,6 @@ end else impact 0.0 - desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' end diff --git a/controls/V-93127.rb b/controls/V-93127.rb index 610d1b6..00ceb70 100644 --- a/controls/V-93127.rb +++ b/controls/V-93127.rb @@ -189,7 +189,6 @@ else impact 0.0 - desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' end diff --git a/controls/V-93129.rb b/controls/V-93129.rb index 650ad52..c4da4c4 100644 --- a/controls/V-93129.rb +++ b/controls/V-93129.rb @@ -162,7 +162,6 @@ end else impact 0.0 - desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' end diff --git a/controls/V-93131.rb b/controls/V-93131.rb index b076e9f..fd82924 100644 --- a/controls/V-93131.rb +++ b/controls/V-93131.rb 
@@ -158,7 +158,6 @@ end else impact 0.0 - desc 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' describe 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' do skip 'This system is not a domain controller, therefore this control is not applicable as it only applies to domain controllers' end diff --git a/inspec.yml b/inspec.yml index caab43f..ff58c15 100644 --- a/inspec.yml +++ b/inspec.yml @@ -5,7 +5,7 @@ copyright: The Authors copyright_email: you@example.com license: Apache-2.0 summary: "Inspec Validation Profile for Microsoft Windows Member Server 2019 STIG" -version: 1.3.24 +version: 1.3.25 inspec_version: ">= 4.0" inputs: