Ansible playbook and role to deploy Robinhood policy engine for testing in a Vagrant sandbox.
IMPORTANT NOTE:
- This role requires the ansible-galaxy collection `community.general` on the ansible controller host
- To install: `ansible-galaxy collection install community.general`
- To check: `ansible-galaxy collection list | grep community.general`
LATEST:
- initial version
- not secure, ephemeral, for testing
- currently installs to the vagrantbox
- now won't overwrite the policy file if changes are made on the vagrantbox; ansible will only write the cfg files (`vagrant_test.conf` and `vagrant_test_policy.inc`) if they don't exist
Vagrantfile and ansible role to quickly set up a Robinhood policy engine test instance.
The motivation in particular is to be able to test policies and file class definitions in a sandbox.
The latest code in the git repository will be compiled, unless a SUSE OS is used, in which case the Zypper repository package can be used.
Information on the Robinhood policy engine can be found here:
The Vagrantfile used here (with the ability to include a 2nd disk) is based upon:
TLDR; THIS CONTENT IS FOR TESTING PURPOSES...
...this setup is not supposed to be secure, it is ephemeral and throw-away!
Vagrantbox (image) | Supported here | OS Repo install | Sourceforge RPM download install | Git clone and compile | Comment | Known issues
---|---|---|---|---|---|---
Almalinux 8x | ✓ | ✗ No | ✓ Yes | ✓ | 8.7 tested | 
Centos 7x | ✓ | ✗ No | ✓ Yes | ✓ | 7.8 tested | 
Rocky 8x | ✓ | ✗ No | ✓ Yes | ✓ | 8.7 tested | 
SUSE Leap 15.4 | ✓ | ✓ Zypper | N/A | ✓ | use of xfs will require reboot | 
SUSE Tumbleweed 20230504 | ✓ | ✓ Zypper | N/A | ✓ | use of xfs will require reboot | 
Debian 12 | ✗ | ✗ | Not yet working via alien | Not working yet | make | 
Ubuntu 22.04 | ✗ | ✗ | Not yet working via alien | Not working yet | make | 
At the end of the ansible provision a summary message is printed.
Decide which Vagrant box you want to use by editing the `VIMAGE` variable in the supplied `Vagrantfile`.
Then use `vagrant up` to instantiate. The first run will do a Vagrant provision (using ansible) and set everything up.
If you want to re-run the ansible (most likely to recreate files quickly and scan) then do `vagrant provision`.
...And of course `vagrant destroy` when you are done will remove the test vagrant VM. This will destroy everything associated with the VM, and that could include your newly developed/tested policy files etc. too, unless you have safeguarded those!
In this test environment the policy can only be run (explicitly) with:
```
robinhood --run=cleanup --once
```
- runs the policy named `cleanup`, which is configured here.
or
```
robinhood --run --once
```
which would run all policies that you have defined.
Decisions will be made based upon the latest scan data available.
Actions can be seen in `/var/log/robinhood_actions.log`.
Sometimes the git clone is not downloaded correctly to the vagrant box. To sort this out, delete the clone and re-provision:
```
vagrant ssh
sudo su -
rm -rf /root/robinhood_git
exit
vagrant provision
```
```
condition { last_mod > 1d }
```
```
condition { last_access > 1d }
```
which is max(atime, mtime) unless the global configuration `last_access_only_atime` is set, in which case it is exactly the `atime`
```
condition { creation > 1d }
```
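The three condition forms above look alike but key off different timestamps, and the `last_access` case flips depending on `last_access_only_atime`. The following added example (written here for this README; it is not Robinhood code and not part of the playbook) parses conditions in that form and evaluates them against constructed entry metadata, so you can predict which files a rule will select before running `robinhood --run=cleanup --once` in the sandbox. The `Entry` record, the `creation` field, and the accepted duration suffixes are assumptions for the example.

```python
"""Evaluate Robinhood-style time conditions against file metadata (added example)."""
import re
from dataclasses import dataclass

# Duration suffixes: the README uses "1d"; the others are assumed for convenience.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Accepts exactly the shape used above: condition { <attr> <op> <number><unit> }
COND_RE = re.compile(
    r"^\s*condition\s*\{\s*(last_mod|last_access|creation)\s*"
    r"(>=|<=|==|>|<)\s*(\d+)([smhd])\s*\}\s*$"
)

OPS = {
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
}


@dataclass
class Entry:
    """Constructed stand-in for a scanned entry; all values are epoch seconds."""
    path: str
    atime: int
    mtime: int
    creation: int  # assumed: the creation timestamp recorded for the entry


def parse_condition(text):
    """Return (attribute, operator, threshold_seconds) or raise on unsupported input."""
    m = COND_RE.match(text)
    if not m:
        raise ValueError(f"unsupported condition: {text!r}")
    attr, op, num, unit = m.groups()
    return attr, op, int(num) * UNITS[unit]


def attribute_age(entry, attr, now, last_access_only_atime=False):
    """Age in seconds of the timestamp the attribute refers to."""
    if attr == "last_mod":
        stamp = entry.mtime
    elif attr == "last_access":
        # Documented rule: max(atime, mtime) unless last_access_only_atime is set.
        stamp = entry.atime if last_access_only_atime else max(entry.atime, entry.mtime)
    else:  # creation
        stamp = entry.creation
    return now - stamp


def matches(text, entry, now, last_access_only_atime=False):
    """True if the entry satisfies the condition at time `now`."""
    attr, op, threshold = parse_condition(text)
    age = attribute_age(entry, attr, now, last_access_only_atime)
    return OPS[op](age, threshold)


# Constructed sample data: a fixed "now" and two files with contrasting timestamps.
NOW = 1_700_000_000
READ_RECENTLY = Entry("/mnt/test/a.dat", atime=NOW - 3600, mtime=NOW - 3 * 86400,
                      creation=NOW - 10 * 86400)
# Modified after it was last read (as happens with noatime mounts).
MODIFIED_RECENTLY = Entry("/mnt/test/b.dat", atime=NOW - 3 * 86400, mtime=NOW - 3600,
                          creation=NOW - 2 * 86400)
CONDITIONS = [
    "condition { last_mod > 1d }",
    "condition { last_access > 1d }",
    "condition { creation > 1d }",
]


def select(entries, condition, now=NOW, last_access_only_atime=False):
    """Paths of entries matching the condition; what a rule would act on."""
    return [e.path for e in entries if matches(condition, e, now, last_access_only_atime)]


if __name__ == "__main__":
    for cond in CONDITIONS:
        for flag in (False, True):
            hit = select([READ_RECENTLY, MODIFIED_RECENTLY], cond, last_access_only_atime=flag)
            print(f"{cond:<36} last_access_only_atime={flag!s:<5} -> {hit}")
```

Run it and compare the two `last_access` lines: with the default setting the recently modified file is kept (its mtime counts as access), while with `last_access_only_atime` set it becomes eligible for cleanup.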
By default the Robinhood packages will be installed from the Zypper OS repos. If you don't want that, set the variable `suse_zypper_robinhood_install: false` (e.g. in `vars/main.yml`) to compile instead.