├── pictures
├── README.md
├── app.png
├── workflow.png
├── workflow-k8s.png
├── infrastructure-aws.png
├── visitors-dashboard.png
├── infrastructure-vagrant.png
└── infrastructure-k8s-simple.png
├── app
├── docker
│ ├── visitors-service
│ │ ├── visitors
│ │ │ ├── __init__.py
│ │ │ ├── service
│ │ │ │ ├── __init__.py
│ │ │ │ ├── migrations
│ │ │ │ │ ├── __init__.py
│ │ │ │ │ └── 0001_initial.py
│ │ │ │ ├── admin.py
│ │ │ │ ├── tests.py
│ │ │ │ ├── apps.py
│ │ │ │ ├── serializers.py
│ │ │ │ ├── models.py
│ │ │ │ └── views.py
│ │ │ ├── urls.py
│ │ │ └── wsgi.py
│ │ ├── .gitignore
│ │ ├── requirements.txt
│ │ ├── startup.sh
│ │ ├── Dockerfile
│ │ └── manage.py
│ ├── visitors-webui
│ │ ├── src
│ │ │ ├── index.css
│ │ │ ├── index.js
│ │ │ ├── App.test.js
│ │ │ ├── App.css
│ │ │ └── App.js
│ │ ├── report.json
│ │ ├── public
│ │ │ ├── favicon.ico
│ │ │ └── index.html
│ │ ├── .gitignore
│ │ ├── package.json
│ │ └── Dockerfile
│ ├── visitors-db
│ │ └── Dockerfile
│ ├── docker-compose.yml
│ └── README.md
└── README.md
├── infrastructure
├── k8s
│ ├── aws-KOPS
│ │ ├── pictures
│ │ │ ├── README.md
│ │ │ ├── k8-saas-LB.png
│ │ │ ├── k8s-user-group.png
│ │ │ ├── k8s-master-node.png
│ │ │ ├── k8s-user-summary.png
│ │ │ ├── k8s-saas-IAM-roles.png
│ │ │ └── k8s-saas-sec-groups.png
│ │ └── manifests
│ │ │ ├── frontend.yaml
│ │ │ ├── backend.yaml
│ │ │ └── database.yaml
│ └── minikube
│ │ ├── setup-environment.sh
│ │ ├── manifests
│ │ ├── frontend.yaml
│ │ ├── backend.yaml
│ │ └── database.yaml
│ │ └── README.md
├── aws
│ ├── terraform
│ │ └── Jenkins-EC2
│ │ │ ├── versions.tf
│ │ │ ├── output.tf
│ │ │ ├── variables.tf
│ │ │ ├── main.tf
│ │ │ ├── main.tf.Route53
│ │ │ └── user-data.tpl
│ └── ansible
│ │ └── README.md
├── vagrant
│ ├── scripts
│ │ ├── cleanup.sh
│ │ ├── jenkins-install.sh
│ │ ├── jenkins-ssh.sh
│ │ ├── clean.sh
│ │ ├── vagrant.sh
│ │ ├── virtualbox.sh
│ │ ├── jenkins-master-ssh.sh
│ │ ├── base.sh
│ │ ├── jenkins-master-install.sh
│ │ └── docker-install.sh
│ ├── ansible-vagrant
│ │ └── README.md
│ ├── Vagrantfile.DevSecOps-example2
│ ├── README.md
│ └── http
│ │ └── kickstart.ks
└── README.md
└── utils
├── 9-jenkins-pipeline-python-end-to-end
├── reports
│ ├── README.md
│ └── docker_lynis-report.dat
├── pictures
│ ├── README.md
│ ├── DevSecOps-ec2.png
│ ├── DevSecOps-workspace.png
│ ├── DevSecOps-pipeline-full.png
│ └── DevSecOps-pipeline-steps-UI.png
├── jenkins_home
│ ├── ansible_hosts
│ ├── killec2.yml
│ ├── configureWAF.yml
│ ├── strategy.ini
│ ├── configureTestEnv.yml
│ ├── hostaudit.yml
│ └── createAwsEc2.yml
├── jenkins
│ ├── ansible.cfg
│ ├── setupJenkins.groovy
│ └── plugins.txt
├── docker-compose.yml
├── config.xml
└── setup-ubuntu.sh
├── 8-jenkins-docker-utils
├── docker-owasp-depcheck
│ ├── .gitignore
│ └── owasp-check.sh
├── docker-bandit
│ ├── Dockerfile
│ ├── .travis.yml
│ └── Jenkinsfile-SAST-Bandit-PYTHON_PROJECT-example
└── docker-clair-scanner
│ ├── .travis.yml
│ ├── Dockerfile.GO-install.sh
│ └── Dockerfile
├── 1-ansible-aws-infra
├── roles
│ ├── scan-artefact
│ │ ├── tests
│ │ │ ├── inventory
│ │ │ └── test.yml
│ │ ├── vars
│ │ │ └── main.yml
│ │ ├── defaults
│ │ │ └── main.yml
│ │ ├── handlers
│ │ │ └── main.yml
│ │ ├── .travis.yml
│ │ └── meta
│ │ │ └── main.yml
│ ├── deploy-application
│ │ ├── tests
│ │ │ ├── inventory
│ │ │ └── test.yml
│ │ ├── vars
│ │ │ └── main.yml
│ │ ├── defaults
│ │ │ └── main.yml
│ │ ├── handlers
│ │ │ └── main.yml
│ │ ├── .travis.yml
│ │ └── meta
│ │ │ └── main.yml
│ ├── deploy-infrastructure
│ │ ├── tests
│ │ │ ├── inventory
│ │ │ └── test.yml
│ │ ├── vars
│ │ │ └── main.yml
│ │ ├── defaults
│ │ │ └── main.yml
│ │ ├── handlers
│ │ │ └── main.yml
│ │ ├── .travis.yml
│ │ └── meta
│ │ │ └── main.yml
│ ├── geerlingguy.docker
│ │ ├── .ansible-lint
│ │ ├── .gitignore
│ │ ├── meta
│ │ │ ├── .galaxy_install_info
│ │ │ └── main.yml
│ │ ├── .yamllint
│ │ ├── handlers
│ │ │ └── main.yml
│ │ ├── .github
│ │ │ └── FUNDING.yml
│ │ ├── tasks
│ │ │ ├── docker-users.yml
│ │ │ ├── docker-compose.yml
│ │ │ ├── main.yml
│ │ │ ├── setup-Debian.yml
│ │ │ └── setup-RedHat.yml
│ │ ├── molecule
│ │ │ └── default
│ │ │ │ ├── converge.yml
│ │ │ │ └── molecule.yml
│ │ ├── .travis.yml
│ │ ├── LICENSE
│ │ └── defaults
│ │ │ └── main.yml
│ ├── set-infrastructure-build
│ │ ├── tests
│ │ │ ├── inventory
│ │ │ └── test.yml
│ │ ├── vars
│ │ │ └── main.yml
│ │ ├── defaults
│ │ │ └── main.yml
│ │ ├── handlers
│ │ │ └── main.yml
│ │ └── meta
│ │ │ └── main.yml
│ ├── geerlingguy.pip
│ │ ├── .gitignore
│ │ ├── meta
│ │ │ ├── .galaxy_install_info
│ │ │ └── main.yml
│ │ ├── molecule
│ │ │ └── default
│ │ │ │ ├── yaml-lint.yml
│ │ │ │ ├── tests
│ │ │ │ └── test_default.py
│ │ │ │ ├── playbook.yml
│ │ │ │ └── molecule.yml
│ │ ├── defaults
│ │ │ └── main.yml
│ │ ├── tasks
│ │ │ └── main.yml
│ │ ├── .travis.yml
│ │ └── LICENSE
│ └── requirements.yml
├── hosts
├── attack
│ ├── simple_curl.attack.j2
│ ├── cookies.attack.j2
│ ├── xss.attack.j2
│ ├── xss.attack.j2.back
│ └── verbs.attack.j2
└── group_vars
│ └── all.yml
├── 4-ansible-devsecops-general-utils
├── DVSW
│ └── dvsw-playbook
│ │ ├── inventory
│ │ └── site.yml
├── Lynis
│ └── lynis
│ │ ├── inventory
│ │ └── main.yml
├── Nessus
│ ├── autonessus
│ │ ├── roles
│ │ │ ├── pausescan
│ │ │ │ ├── vars
│ │ │ │ │ └── main.yml
│ │ │ │ └── tasks
│ │ │ │ │ └── main.yml
│ │ │ ├── startscan
│ │ │ │ ├── vars
│ │ │ │ │ └── main.yml
│ │ │ │ └── tasks
│ │ │ │ │ └── main.yml
│ │ │ ├── stopscan
│ │ │ │ ├── vars
│ │ │ │ │ └── main.yml
│ │ │ │ └── tasks
│ │ │ │ │ └── main.yml
│ │ │ ├── resumescan
│ │ │ │ ├── vars
│ │ │ │ │ └── main.yml
│ │ │ │ └── tasks
│ │ │ │ │ └── main.yml
│ │ │ ├── setup
│ │ │ │ ├── vars
│ │ │ │ │ └── main.yml
│ │ │ │ └── tasks
│ │ │ │ │ └── main.yml
│ │ │ ├── listpolices
│ │ │ │ └── tasks
│ │ │ │ │ └── main.yml
│ │ │ └── listscans
│ │ │ │ └── tasks
│ │ │ │ └── main.yml
│ │ ├── inventory
│ │ └── site.yml
│ ├── nessus-setup
│ │ ├── inventory
│ │ ├── site.yml
│ │ ├── group_vars
│ │ │ └── nessus.yml
│ │ └── roles
│ │ │ └── setup
│ │ │ └── tasks
│ │ │ └── main.yml
│ └── nessus-restapi
│ │ └── main.yml
├── OWASP-ZAP
│ ├── zap-full-scan
│ │ ├── inventory
│ │ └── site.yml
│ ├── zap-baseline-scan
│ │ ├── inventory
│ │ └── site.yml
│ └── zap-setup-playbook
│ │ ├── inventory
│ │ ├── zap-full-scan
│ │ ├── inventory
│ │ └── site.yml
│ │ ├── zap-baseline-scan
│ │ ├── inventory
│ │ └── site.yml
│ │ └── site.yml
├── OWASP-brakeman
│ └── brakeman-scan
│ │ ├── inventory
│ │ └── main.yml
├── Nikto
│ └── nikto-scan
│ │ ├── inventory
│ │ └── main.yml
├── OWASP-dependency-check
│ ├── owasp-dependency-check
│ │ ├── inventory
│ │ └── main.yml
│ └── owasp-scala-dependency-check
│ │ ├── README.md
│ │ └── Jenkinsfile-SCALA-PROJECT-example
├── Viper
│ └── viper-setup
│ │ ├── inventory
│ │ ├── roles
│ │ ├── dependencies
│ │ │ ├── templates
│ │ │ │ └── ssdeep.sh
│ │ │ └── tasks
│ │ │ │ └── main.yml
│ │ └── setup
│ │ │ └── tasks
│ │ │ └── main.yml
│ │ └── main.yml
└── Nmap
│ ├── nmap-nse
│ └── main.yml
│ └── nmap-basic-scan
│ └── main.yml
├── 0-jenkins-shared-library
├── README.md
└── vars
│ ├── goCheck.groovy
│ ├── clean.groovy
│ ├── runJmeter.groovy
│ ├── ansiblePlay.groovy
│ ├── mailNotifier.groovy
│ ├── bashCheck.groovy
│ └── slackNotifier.groovy
├── 3-ansible-devops-utils
├── gitlab
│ ├── .gitignore
│ ├── .ansible-lint
│ ├── .github
│ │ ├── FUNDING.yml
│ │ └── workflows
│ │ │ ├── release.yml
│ │ │ └── ci.yml
│ ├── .yamllint
│ ├── handlers
│ │ └── main.yml
│ ├── vars
│ │ ├── Debian.yml
│ │ └── RedHat.yml
│ ├── molecule
│ │ └── default
│ │ │ ├── molecule.yml
│ │ │ ├── converge.yml
│ │ │ └── version.yml
│ ├── meta
│ │ └── main.yml
│ └── LICENSE
└── jenkins
│ └── site.yml
├── 7-ansible-log-monitoring-elk-aws-serverless-utils
├── elastic-stack
│ ├── inventory
│ ├── roles
│ │ ├── logstash
│ │ │ ├── tasks
│ │ │ │ ├── main.yml
│ │ │ │ ├── configure-logstash.yml
│ │ │ │ └── install-logstash.yml
│ │ │ ├── handlers
│ │ │ │ └── main.yml
│ │ │ └── templates
│ │ │ │ ├── 02-beats-input.conf.j2
│ │ │ │ ├── 30-elasticsearch-output.conf.j2
│ │ │ │ ├── 11-weblog-filter.conf.j2
│ │ │ │ └── 10-sshlog-filter.conf.j2
│ │ ├── elasticsearch
│ │ │ ├── tasks
│ │ │ │ ├── main.yml
│ │ │ │ ├── configure-elasticsearch.yml
│ │ │ │ └── install-elasticsearch.yml
│ │ │ └── handlers
│ │ │ │ └── main.yml
│ │ ├── nginx-reverse-proxy
│ │ │ ├── handlers
│ │ │ │ └── main.yml
│ │ │ ├── tasks
│ │ │ │ └── main.yml
│ │ │ └── templates
│ │ │ │ └── nginxdefault.j2
│ │ ├── kibana
│ │ │ ├── handlers
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ └── main.yml
│ │ └── common
│ │ │ └── tasks
│ │ │ └── main.yml
│ ├── main.yml
│ └── group_vars
│ │ └── elastic-stack.yml
├── beats-for-elastic-stack
│ ├── inventory
│ ├── roles
│ │ ├── filebeat
│ │ │ ├── tasks
│ │ │ │ ├── main.yml
│ │ │ │ ├── configure-filebeat.yml
│ │ │ │ └── install-filebeat.yml
│ │ │ ├── handlers
│ │ │ │ └── main.yml
│ │ │ └── templates
│ │ │ │ └── filebeat.yml.j2
│ │ ├── metricbeat
│ │ │ ├── tasks
│ │ │ │ ├── main.yml
│ │ │ │ ├── configure-metricbeat.yml
│ │ │ │ └── install-metricbeat.yml
│ │ │ └── handlers
│ │ │ │ └── main.yml
│ │ └── packetbeat
│ │ │ ├── tasks
│ │ │ ├── main.yml
│ │ │ ├── configure-packetbeat.yml
│ │ │ └── install-packetbeat.yml
│ │ │ └── handlers
│ │ │ └── main.yml
│ └── main.yml
└── elastalert
│ ├── roles
│ ├── aws-serverless
│ │ ├── templates
│ │ │ ├── aws-credentials.j2
│ │ │ ├── serverless.yml.j2
│ │ │ ├── config.js.j2
│ │ │ ├── iamRoleStatements.json.j2
│ │ │ └── initDb.js.j2
│ │ └── tasks
│ │ │ └── main.yml
│ └── setup
│ │ ├── templates
│ │ ├── elastalert-config.j2
│ │ ├── elastalert-service.j2
│ │ └── elastalert-sshrule.j2
│ │ └── tasks
│ │ └── main.yml
│ └── site.yml
├── 5-ansible-devsecops-docker-utils
├── vuls
│ ├── inventory
│ ├── main.yml
│ ├── group_vars
│ │ └── vuls.yml
│ └── roles
│ │ ├── vuls_containers_download
│ │ └── tasks
│ │ │ └── main.yml
│ │ └── vuls_database_download
│ │ └── tasks
│ │ └── main.yml
├── vuls-scanning
│ ├── inventory
│ └── templates
│ │ ├── config.toml
│ │ └── 192-168-33-80
├── anchore-server
│ ├── inventory
│ └── main.yml
├── anchore-cli-scan
│ ├── inventory
│ └── main.yml
├── clair-scanner-setup
│ ├── inventory
│ └── main.yaml
├── clair-scanning-images
│ ├── inventory
│ └── main.yaml
├── osquery-setup
│ ├── inventory
│ ├── templates
│ │ ├── fim.conf
│ │ └── osquery.conf
│ └── main.yml
└── docker-bench-security
│ └── main.yml
├── 6-ansible-devsecops-aws-utils
├── log-collection
│ ├── inventory
│ └── main.yml
├── aws-security-benchmark
│ ├── README.md
│ ├── architecture
│ │ ├── cis-benchmark-matrix.xlsx
│ │ ├── assets
│ │ │ └── cis-benchmark-architecture.jpg
│ │ └── README.md
│ └── aws_cis_foundation_framework
│ │ ├── CIS_Amazon_Web_Services_Foundations_Benchmark_v1.1.0.pdf
│ │ └── README.md
├── s3-backup
│ ├── templates
│ │ └── s3cmd.j2
│ └── main.yml
├── Scout2
│ ├── scout2-setup
│ │ └── main.yml
│ └── scout2-scan
│ │ └── main.yml
└── aws-cis-benchmarks
│ └── main.yml
└── 2-ansible-vagrant-infra
└── README.md
/pictures/README.md:
--------------------------------------------------------------------------------
1 | TBD
2 |
--------------------------------------------------------------------------------
/app/docker/visitors-service/visitors/__init__.py:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/app/docker/visitors-service/visitors/service/__init__.py:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/infrastructure/k8s/aws-KOPS/pictures/README.md:
--------------------------------------------------------------------------------
1 | TBD
2 |
--------------------------------------------------------------------------------
/app/docker/visitors-service/visitors/service/migrations/__init__.py:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/utils/9-jenkins-pipeline-python-end-to-end/reports/README.md:
--------------------------------------------------------------------------------
1 | TBD
2 |
--------------------------------------------------------------------------------
/utils/8-jenkins-docker-utils/docker-owasp-depcheck/.gitignore:
--------------------------------------------------------------------------------
1 | *ORIG
2 |
--------------------------------------------------------------------------------
/utils/9-jenkins-pipeline-python-end-to-end/pictures/README.md:
--------------------------------------------------------------------------------
1 | TBD
2 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/scan-artefact/tests/inventory:
--------------------------------------------------------------------------------
1 | localhost
2 |
3 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/deploy-application/tests/inventory:
--------------------------------------------------------------------------------
1 | localhost
2 |
3 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/deploy-infrastructure/tests/inventory:
--------------------------------------------------------------------------------
1 | localhost
2 |
3 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/geerlingguy.docker/.ansible-lint:
--------------------------------------------------------------------------------
1 | skip_list:
2 | - '306'
3 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/set-infrastructure-build/tests/inventory:
--------------------------------------------------------------------------------
1 | localhost
2 |
3 |
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/DVSW/dvsw-playbook/inventory:
--------------------------------------------------------------------------------
1 | [dvsw]
2 | 192.168.33.111
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Lynis/lynis/inventory:
--------------------------------------------------------------------------------
1 | [lynis]
2 | 192.168.1.5
3 |
--------------------------------------------------------------------------------
/utils/0-jenkins-shared-library/README.md:
--------------------------------------------------------------------------------
1 | ### Description
2 |
3 | Shared-libray for Jenkins
4 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/geerlingguy.pip/.gitignore:
--------------------------------------------------------------------------------
1 | *.retry
2 | */__pycache__
3 | *.pyc
4 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/scan-artefact/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for scan-artefact
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/autonessus/roles/pausescan/vars/main.yml:
--------------------------------------------------------------------------------
1 | scan_id: 17
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/autonessus/roles/startscan/vars/main.yml:
--------------------------------------------------------------------------------
1 | scan_id: 17
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/autonessus/roles/stopscan/vars/main.yml:
--------------------------------------------------------------------------------
1 | scan_id: 17
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/nessus-setup/inventory:
--------------------------------------------------------------------------------
1 | [nessus]
2 | 192.168.56.101
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/OWASP-ZAP/zap-full-scan/inventory:
--------------------------------------------------------------------------------
1 | [zap]
2 | 192.168.56.100
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/deploy-infrastructure/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for deploy-infra
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/geerlingguy.docker/.gitignore:
--------------------------------------------------------------------------------
1 | *.retry
2 | */__pycache__
3 | *.pyc
4 |
--------------------------------------------------------------------------------
/utils/3-ansible-devops-utils/gitlab/.gitignore:
--------------------------------------------------------------------------------
1 | *.retry
2 | */__pycache__
3 | *.pyc
4 | .cache
5 |
6 |
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/autonessus/inventory:
--------------------------------------------------------------------------------
1 | [nessus]
2 | 192.168.33.109
3 |
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/autonessus/roles/resumescan/vars/main.yml:
--------------------------------------------------------------------------------
1 | scan_id: 17
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/OWASP-ZAP/zap-baseline-scan/inventory:
--------------------------------------------------------------------------------
1 | [zap]
2 | 192.168.56.100
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/OWASP-ZAP/zap-setup-playbook/inventory:
--------------------------------------------------------------------------------
1 | [zap]
2 | 192.168.56.100
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/deploy-application/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for deploy-application
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/scan-artefact/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # defaults file for scan-artefact
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/scan-artefact/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # handlers file for scan-artefact
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/OWASP-brakeman/brakeman-scan/inventory:
--------------------------------------------------------------------------------
1 | [scanner]
2 | 192.168.1.5
3 |
--------------------------------------------------------------------------------
/pictures/app.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/pictures/app.png
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/deploy-infrastructure/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # defaults file for deploy-infra
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/deploy-infrastructure/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # handlers file for deploy-infra
--------------------------------------------------------------------------------
/infrastructure/aws/terraform/Jenkins-EC2/versions.tf:
--------------------------------------------------------------------------------
1 |
2 | terraform {
3 | required_version = ">= 0.12"
4 | }
5 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/deploy-application/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # defaults file for deploy-application
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/deploy-application/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # handlers file for deploy-application
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/set-infrastructure-build/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for roles/set-infra-build
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/OWASP-ZAP/zap-setup-playbook/zap-full-scan/inventory:
--------------------------------------------------------------------------------
1 | [zap]
2 | 192.168.56.100
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/elastic-stack/inventory:
--------------------------------------------------------------------------------
1 | [elastic-stack]
2 | 192.168.33.222
3 |
--------------------------------------------------------------------------------
/app/docker/visitors-webui/src/index.css:
--------------------------------------------------------------------------------
1 | body {
2 | margin: 0;
3 | padding: 0;
4 | font-family: sans-serif;
5 | }
6 |
--------------------------------------------------------------------------------
/pictures/workflow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/pictures/workflow.png
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/set-infrastructure-build/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # defaults file for roles/set-infra-build
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/set-infrastructure-build/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # handlers file for roles/set-infra-build
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/OWASP-ZAP/zap-setup-playbook/zap-baseline-scan/inventory:
--------------------------------------------------------------------------------
1 | [zap]
2 | 192.168.56.100
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/beats-for-elastic-stack/inventory:
--------------------------------------------------------------------------------
1 | [monitor]
2 | 192.168.56.200
3 |
--------------------------------------------------------------------------------
/app/docker/visitors-service/visitors/service/admin.py:
--------------------------------------------------------------------------------
1 | from django.contrib import admin
2 |
3 | # Register your models here.
4 |
--------------------------------------------------------------------------------
/app/docker/visitors-service/visitors/service/tests.py:
--------------------------------------------------------------------------------
1 | from django.test import TestCase
2 |
3 | # Create your tests here.
4 |
--------------------------------------------------------------------------------
/pictures/workflow-k8s.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/pictures/workflow-k8s.png
--------------------------------------------------------------------------------
/utils/3-ansible-devops-utils/gitlab/.ansible-lint:
--------------------------------------------------------------------------------
1 | skip_list:
2 | - 'yaml'
3 | - 'role-name'
4 | - 'package-latest'
5 |
--------------------------------------------------------------------------------
/app/docker/visitors-service/.gitignore:
--------------------------------------------------------------------------------
1 | db.sqlite3
2 |
3 | .DS_Store
4 | .vscode
5 |
6 | **__pycache__
7 | *.pyc
8 | *.egg-info
9 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/geerlingguy.pip/meta/.galaxy_install_info:
--------------------------------------------------------------------------------
1 | {install_date: 'Sun Apr 26 20:37:35 2020', version: 1.3.0}
2 |
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nikto/nikto-scan/inventory:
--------------------------------------------------------------------------------
1 | [scanner]
2 | 192.168.1.10 ansible_user=ubuntu ansible_password=vagrant
--------------------------------------------------------------------------------
/pictures/infrastructure-aws.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/pictures/infrastructure-aws.png
--------------------------------------------------------------------------------
/pictures/visitors-dashboard.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/pictures/visitors-dashboard.png
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/geerlingguy.docker/meta/.galaxy_install_info:
--------------------------------------------------------------------------------
1 | {install_date: 'Sun Apr 26 20:37:37 2020', version: 2.7.0}
2 |
--------------------------------------------------------------------------------
/utils/9-jenkins-pipeline-python-end-to-end/jenkins_home/ansible_hosts:
--------------------------------------------------------------------------------
1 | [local]
2 | localhost ansible_connection=local
3 |
4 | [tstlaunched]
5 |
--------------------------------------------------------------------------------
/pictures/infrastructure-vagrant.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/pictures/infrastructure-vagrant.png
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/scan-artefact/tests/test.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - hosts: localhost
3 | remote_user: root
4 | roles:
5 | - scan-artefact
--------------------------------------------------------------------------------
/utils/9-jenkins-pipeline-python-end-to-end/jenkins/ansible.cfg:
--------------------------------------------------------------------------------
1 | [defaults]
2 | host_key_checking = False
3 | private_key_file = ~/.ssh/devsecops
4 |
--------------------------------------------------------------------------------
/app/docker/visitors-webui/report.json:
--------------------------------------------------------------------------------
1 | {
2 | "image": "davarski/visitors-webui:1.0.0",
3 | "unapproved": [],
4 | "vulnerabilities": []
5 | }
--------------------------------------------------------------------------------
/utils/5-ansible-devsecops-docker-utils/vuls/inventory:
--------------------------------------------------------------------------------
1 | [vuls]
2 | 192.168.33.60 ansible_host=192.168.33.60 ansible_user=ubuntu ansible_password=vagrant
--------------------------------------------------------------------------------
/pictures/infrastructure-k8s-simple.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/pictures/infrastructure-k8s-simple.png
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/deploy-application/tests/test.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - hosts: localhost
3 | remote_user: root
4 | roles:
5 | - deploy-application
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/deploy-infrastructure/tests/test.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - hosts: localhost
3 | remote_user: root
4 | roles:
5 | - deploy-infra
--------------------------------------------------------------------------------
/utils/5-ansible-devsecops-docker-utils/vuls-scanning/inventory:
--------------------------------------------------------------------------------
1 | [vuls]
2 | 192.168.33.60 ansible_host=192.168.33.60 ansible_user=ubuntu ansible_password=vagrant
--------------------------------------------------------------------------------
/app/docker/visitors-service/visitors/service/apps.py:
--------------------------------------------------------------------------------
1 | from django.apps import AppConfig
2 |
3 |
4 | class ServiceConfig(AppConfig):
5 | name = 'service'
6 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/geerlingguy.docker/.yamllint:
--------------------------------------------------------------------------------
1 | ---
2 | extends: default
3 | rules:
4 | line-length:
5 | max: 200
6 | level: warning
7 |
--------------------------------------------------------------------------------
/utils/3-ansible-devops-utils/gitlab/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | # These are supported funding model platforms
2 | ---
3 | github: geerlingguy
4 | patreon: geerlingguy
5 |
--------------------------------------------------------------------------------
/utils/5-ansible-devsecops-docker-utils/anchore-server/inventory:
--------------------------------------------------------------------------------
1 | [anchore]
2 | 192.168.33.60 ansible_host=192.168.33.60 ansible_user=ubuntu ansible_password=vagrant
--------------------------------------------------------------------------------
/app/docker/visitors-webui/public/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/app/docker/visitors-webui/public/favicon.ico
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/set-infrastructure-build/tests/test.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - hosts: localhost
3 | remote_user: root
4 | roles:
5 | - roles/set-infra-build
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/OWASP-dependency-check/owasp-dependency-check/inventory:
--------------------------------------------------------------------------------
1 | [scanner]
2 | 192.168.1.10 ansible_user=ubuntu ansible_password=vagrant
--------------------------------------------------------------------------------
/utils/5-ansible-devsecops-docker-utils/anchore-cli-scan/inventory:
--------------------------------------------------------------------------------
1 | [anchore]
2 | 192.168.33.60 ansible_host=192.168.33.60 ansible_user=ubuntu ansible_password=vagrant
--------------------------------------------------------------------------------
/utils/5-ansible-devsecops-docker-utils/clair-scanner-setup/inventory:
--------------------------------------------------------------------------------
1 | [docker]
2 | 192.168.1.10 ansible_host=192.168.1.10 ansible_user=ubuntu ansible_password=vagrant
--------------------------------------------------------------------------------
/utils/5-ansible-devsecops-docker-utils/clair-scanning-images/inventory:
--------------------------------------------------------------------------------
1 | [docker]
2 | 192.168.1.10 ansible_host=192.168.1.10 ansible_user=ubuntu ansible_password=vagrant
--------------------------------------------------------------------------------
/utils/5-ansible-devsecops-docker-utils/osquery-setup/inventory:
--------------------------------------------------------------------------------
1 | [linuxservers]
2 | 192.168.33.60 ansible_host=192.168.33.60 ansible_user=ubuntu ansible_password=vagrant
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/geerlingguy.docker/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: restart docker
3 | service: "name=docker state={{ docker_restart_handler_state }}"
4 |
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Viper/viper-setup/inventory:
--------------------------------------------------------------------------------
1 | [viper]
2 | 192.168.33.22 ansible_host=192.168.33.22 ansible_user=ubuntu ansible_password=vagrant
3 |
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/elastic-stack/roles/logstash/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - include: install-logstash.yml
2 | - include: configure-logstash.yml
3 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/geerlingguy.docker/.github/FUNDING.yml:
--------------------------------------------------------------------------------
1 | # These are supported funding model platforms
2 | ---
3 | github: geerlingguy
4 | patreon: geerlingguy
5 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/geerlingguy.pip/molecule/default/yaml-lint.yml:
--------------------------------------------------------------------------------
1 | ---
2 | extends: default
3 | rules:
4 | line-length:
5 | max: 120
6 | level: warning
7 |
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/beats-for-elastic-stack/roles/filebeat/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - include: install-filebeat.yml
2 | - include: configure-filebeat.yml
--------------------------------------------------------------------------------
/infrastructure/k8s/aws-KOPS/pictures/k8-saas-LB.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/infrastructure/k8s/aws-KOPS/pictures/k8-saas-LB.png
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/requirements.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # Install a role for pip
3 | - src: geerlingguy.pip
4 |
5 | # Install a role for docker
6 | - src: geerlingguy.docker
7 |
--------------------------------------------------------------------------------
/app/docker/visitors-service/requirements.txt:
--------------------------------------------------------------------------------
1 | Django==2.2.2
2 | djangorestframework==3.9.4
3 | django-cors-headers==2.4.0
4 | mysqlclient==1.3.13
5 | pytz==2019.1
6 | sqlparse==0.3.0
7 |
--------------------------------------------------------------------------------
/infrastructure/k8s/aws-KOPS/pictures/k8s-user-group.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/infrastructure/k8s/aws-KOPS/pictures/k8s-user-group.png
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/beats-for-elastic-stack/roles/metricbeat/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - include: install-metricbeat.yml
2 | - include: configure-metricbeat.yml
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/beats-for-elastic-stack/roles/packetbeat/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - include: install-packetbeat.yml
2 | - include: configure-packetbeat.yml
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/elastic-stack/roles/elasticsearch/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - include: install-elasticsearch.yml
2 | - include: configure-elasticsearch.yml
3 |
--------------------------------------------------------------------------------
/app/docker/visitors-db/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM mysql:5.7
2 |
3 | ENV MYSQL_DATABASE visitors_db
4 | ENV MYSQL_USER visitors
5 | ENV MYSQL_PASSWORD password
6 | ENV MYSQL_RANDOM_ROOT_PASSWORD yes
7 |
--------------------------------------------------------------------------------
/infrastructure/k8s/aws-KOPS/pictures/k8s-master-node.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/infrastructure/k8s/aws-KOPS/pictures/k8s-master-node.png
--------------------------------------------------------------------------------
/infrastructure/k8s/aws-KOPS/pictures/k8s-user-summary.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/infrastructure/k8s/aws-KOPS/pictures/k8s-user-summary.png
--------------------------------------------------------------------------------
/infrastructure/k8s/aws-KOPS/pictures/k8s-saas-IAM-roles.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/infrastructure/k8s/aws-KOPS/pictures/k8s-saas-IAM-roles.png
--------------------------------------------------------------------------------
/infrastructure/k8s/aws-KOPS/pictures/k8s-saas-sec-groups.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/infrastructure/k8s/aws-KOPS/pictures/k8s-saas-sec-groups.png
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Viper/viper-setup/roles/dependencies/templates/ssdeep.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | cd /tmp/ssdeep-2.14.1
4 | ./configure
5 | ./bootstrap
6 | make
7 | make install
--------------------------------------------------------------------------------
/utils/3-ansible-devops-utils/gitlab/.yamllint:
--------------------------------------------------------------------------------
1 | ---
2 | extends: default
3 |
4 | rules:
5 | line-length:
6 | max: 180
7 | level: warning
8 |
9 | ignore: |
10 | .github/stale.yml
11 |
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/elastic-stack/roles/nginx-reverse-proxy/handlers/main.yml:
--------------------------------------------------------------------------------
1 | - name: restart nginx
2 | service:
3 | name: nginx
4 | state: restarted
5 |
--------------------------------------------------------------------------------
/infrastructure/vagrant/scripts/cleanup.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | echo "debug: Executing scripts/cleanup.sh"
4 |
5 | dd if=/dev/zero of=/EMPTY bs=1M
6 | rm -f /EMPTY
7 | sync
8 | yum clean all
9 | rm -rf /var/cache/yum
--------------------------------------------------------------------------------
/utils/0-jenkins-shared-library/vars/goCheck.groovy:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env groovy
2 |
3 | def call() {
4 | sh 'golint \${WORKSPACE}/fake-backend/config.go'
5 | sh 'golint \${WORKSPACE}/fake-backend/main.go'
6 | }
7 |
--------------------------------------------------------------------------------
/utils/3-ansible-devops-utils/gitlab/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: restart gitlab
3 | command: gitlab-ctl reconfigure
4 | register: gitlab_restart
5 | failed_when: gitlab_restart_handler_failed_when | bool
6 |
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/elastalert/roles/aws-serverless/templates/aws-credentials.j2:
--------------------------------------------------------------------------------
1 | [default]
2 | aws_access_key_id=YOUR_ACCESS_KEY_ID
3 | aws_secret_access_key=YOUR_SECRET_ACCESS_KEY
--------------------------------------------------------------------------------
/utils/9-jenkins-pipeline-python-end-to-end/pictures/DevSecOps-ec2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/utils/9-jenkins-pipeline-python-end-to-end/pictures/DevSecOps-ec2.png
--------------------------------------------------------------------------------
/utils/5-ansible-devsecops-docker-utils/vuls/main.yml:
--------------------------------------------------------------------------------
1 | - name: setting up vuls using docker containers
2 | hosts: vuls
3 | become: yes
4 |
5 | roles:
6 | - vuls_containers_download
7 | - vuls_database_download
--------------------------------------------------------------------------------
/utils/9-jenkins-pipeline-python-end-to-end/pictures/DevSecOps-workspace.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/utils/9-jenkins-pipeline-python-end-to-end/pictures/DevSecOps-workspace.png
--------------------------------------------------------------------------------
/utils/5-ansible-devsecops-docker-utils/vuls/group_vars/vuls.yml:
--------------------------------------------------------------------------------
1 | vuls_data_directory: "/vuls_data"
2 | nvd_database_years: 2017
3 | redhat_oval_versions:
4 | - 6
5 | - 7
6 | ubuntu_oval_versions:
7 | - 12
8 | - 14
9 | - 16
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/hosts:
--------------------------------------------------------------------------------
1 | [all:vars]
2 | ansible_ssh_common_args='-o StrictHostKeyChecking=no -o userknownhostsfile=/dev/null'
3 |
4 | [local]
5 | 127.0.0.1 ansible_connection=local ansible_python_interpreter=/usr/bin/python
6 |
--------------------------------------------------------------------------------
/utils/9-jenkins-pipeline-python-end-to-end/pictures/DevSecOps-pipeline-full.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/utils/9-jenkins-pipeline-python-end-to-end/pictures/DevSecOps-pipeline-full.png
--------------------------------------------------------------------------------
/utils/3-ansible-devops-utils/gitlab/vars/Debian.yml:
--------------------------------------------------------------------------------
1 | ---
2 | gitlab_package_version_separator: '='
3 | gitlab_repository_installation_script_url: "https://packages.gitlab.com/install/repositories/gitlab/{{ gitlab_edition }}/script.deb.sh"
4 |
--------------------------------------------------------------------------------
/utils/3-ansible-devops-utils/gitlab/vars/RedHat.yml:
--------------------------------------------------------------------------------
1 | ---
2 | gitlab_package_version_separator: '-'
3 | gitlab_repository_installation_script_url: "https://packages.gitlab.com/install/repositories/gitlab/{{ gitlab_edition }}/script.rpm.sh"
4 |
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/nessus-setup/site.yml:
--------------------------------------------------------------------------------
1 | - name: installing nessus server
2 | hosts: nessus
3 | remote_user: "{{ remote_user_name }}"
4 | gather_facts: no
5 | become: yes
6 |
7 | roles:
8 | - setup
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/autonessus/roles/setup/vars/main.yml:
--------------------------------------------------------------------------------
1 | nessus_user_token: ""
2 | nessus_user_name: "bbbbbbb" # Must required
3 | nessus_user_password: "ccccccc" # Must required
4 | nessus_url: "https://localhost:8834"
--------------------------------------------------------------------------------
/utils/9-jenkins-pipeline-python-end-to-end/pictures/DevSecOps-pipeline-steps-UI.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/utils/9-jenkins-pipeline-python-end-to-end/pictures/DevSecOps-pipeline-steps-UI.png
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Viper/viper-setup/main.yml:
--------------------------------------------------------------------------------
1 | - name: Setting up Viper - binary management and analysis framework
2 | hosts: viper
3 | remote_user: ubuntu
4 | become: yes
5 |
6 | roles:
7 | - dependencies
8 | - setup
--------------------------------------------------------------------------------
/utils/6-ansible-devsecops-aws-utils/log-collection/inventory:
--------------------------------------------------------------------------------
1 | [servers]
2 | 192.168.100.10 ansible_host=192.168.100.10 ansible_user=ubuntu ansible_password=vagrant
3 | 192.168.100.20 ansible_host=192.168.100.20 ansible_user=ubuntu ansible_password=vagrant
--------------------------------------------------------------------------------
/app/docker/visitors-webui/src/index.js:
--------------------------------------------------------------------------------
1 | import React from 'react';
2 | import ReactDOM from 'react-dom';
3 | import App from './App';
4 | import './index.css';
5 |
6 | ReactDOM.render(
7 | ,
8 | document.getElementById('root')
9 | );
10 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/geerlingguy.pip/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # For Python 3, use python3-pip.
3 | pip_package: python-pip
4 | pip_executable: "{{ 'pip3' if pip_package.startswith('python3') else 'pip' }}"
5 |
6 | pip_install_packages: []
7 |
--------------------------------------------------------------------------------
/utils/6-ansible-devsecops-aws-utils/aws-security-benchmark/README.md:
--------------------------------------------------------------------------------
1 | # aws-security-benchmark
2 | Collection of resources related to security benchmark frameworks.
3 | Currently covered frameworks:
4 | - CIS Amazon Web Services Foundations Benchmark 1.1
5 |
--------------------------------------------------------------------------------
/utils/0-jenkins-shared-library/vars/clean.groovy:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env groovy
2 |
3 | def call() {
4 | cleanWs(cleanWhenAborted: true, cleanWhenFailure: true, cleanWhenNotBuilt: true, cleanWhenSuccess: true, cleanWhenUnstable: true, deleteDirs: true)
5 |
6 | }
7 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/geerlingguy.docker/tasks/docker-users.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Ensure docker users are added to the docker group.
3 | user:
4 | name: "{{ item }}"
5 | groups: docker
6 | append: true
7 | with_items: "{{ docker_users }}"
8 |
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/nessus-setup/group_vars/nessus.yml:
--------------------------------------------------------------------------------
1 | remote_user_name: ubuntu
2 | nessus_download_url: "http://downloads.nessus.org/nessus3dl.php?file=Nessus-6.11.2-ubuntu1110_amd64.deb&licence_accept=yes&t=84ed6ee87f926f3d17a218b2e52b61f0"
--------------------------------------------------------------------------------
/utils/6-ansible-devsecops-aws-utils/aws-security-benchmark/architecture/cis-benchmark-matrix.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/utils/6-ansible-devsecops-aws-utils/aws-security-benchmark/architecture/cis-benchmark-matrix.xlsx
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/autonessus/roles/listpolices/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: list current policies using autoNessus
2 | command: "autoNessus -p"
3 | register: list_policies_output
4 |
5 | - debug:
6 | msg: "{{ list_policies_output.stdout_lines }}"
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/autonessus/roles/listscans/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: list current scans and IDs using autoNessus
2 | command: "autoNessus -l"
3 | register: list_scans_output
4 |
5 | - debug:
6 | msg: "{{ list_scans_output.stdout_lines }}"
--------------------------------------------------------------------------------
/utils/8-jenkins-docker-utils/docker-bandit/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM alpine
2 |
3 | MAINTAINER A.Davarski
4 |
5 | RUN mkdir -p /app
6 | WORKDIR /app
7 |
8 | RUN apk add --no-cache py2-pip python2 bash && pip install --no-cache-dir -U pip && pip install --no-cache-dir -U bandit
9 |
--------------------------------------------------------------------------------
/app/docker/visitors-webui/src/App.test.js:
--------------------------------------------------------------------------------
1 | import React from 'react';
2 | import ReactDOM from 'react-dom';
3 | import App from './App';
4 |
5 | it('renders without crashing', () => {
6 | const div = document.createElement('div');
7 | ReactDOM.render(, div);
8 | });
9 |
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/elastalert/site.yml:
--------------------------------------------------------------------------------
1 | - name: setting up elastalert & automated defence in aws
2 | hosts: elastic-stack
3 | remote_user: ubuntu
4 | become: yes
5 | gather_facts: no
6 |
7 | roles:
8 | - setup
9 | - aws-serverless
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/elastic-stack/roles/kibana/handlers/main.yml:
--------------------------------------------------------------------------------
1 | - name: start kibana
2 | service:
3 | name: kibana
4 | state: started
5 |
6 | - name: restart kibana
7 | service:
8 | name: kibana
9 | state: restarted
10 |
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/beats-for-elastic-stack/roles/filebeat/handlers/main.yml:
--------------------------------------------------------------------------------
1 | - name: start filebeat
2 | service:
3 | name: filebeat
4 | state: started
5 |
6 | - name: restart filebeat
7 | service:
8 | name: filebeat
9 | state: restarted
--------------------------------------------------------------------------------
/app/docker/visitors-service/visitors/urls.py:
--------------------------------------------------------------------------------
1 | from django.contrib import admin
2 | from django.urls import path
3 |
4 | from visitors.service import views
5 |
6 | urlpatterns = [
7 | path('admin/', admin.site.urls),
8 | path('visitors/', views.VisitorAPI.as_view()),
9 | ]
10 |
--------------------------------------------------------------------------------
/infrastructure/aws/terraform/Jenkins-EC2/output.tf:
--------------------------------------------------------------------------------
1 | output "instance_ips" {
2 | value = [aws_instance.jenkins-tf.*.public_ip]
3 | }
4 |
5 | output "ip" {
6 | value = aws_instance.jenkins-tf.public_dns
7 | description = "The URL of the server instance."
8 | }
9 |
10 |
11 |
--------------------------------------------------------------------------------
/utils/2-ansible-vagrant-infra/README.md:
--------------------------------------------------------------------------------
1 | ### ansible roles & playbooks for Vagrant environment
2 | - Deployment Infrastructure
3 | - Install Prerequiest
4 | - Set Environment Build
5 | - Scan and Push atrtifact
6 | - Deploy Application in preproduction
7 | - Deploy Application in production
8 |
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/autonessus/roles/pausescan/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: pausing nessus scan "{{ scan_id }}" using autoNessus
2 | command: "autoNessus -pS {{ scan_id }}"
3 | register: pause_scan_output
4 |
5 | - debug:
6 | msg: "{{ pause_scan_output.stdout_lines }}"
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/autonessus/roles/stopscan/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: stopping nessus scan "{{ scan_id }}" using autoNessus
2 | command: "autoNessus -sP {{ scan_id }}"
3 | register: stop_scan_output
4 |
5 | - debug:
6 | msg: "{{ stop_scan_output.stdout_lines }}"
--------------------------------------------------------------------------------
/utils/5-ansible-devsecops-docker-utils/vuls/roles/vuls_containers_download/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: pulling containers locally
2 | docker_image:
3 | name: "{{ item }}"
4 | pull: yes
5 |
6 | with_items:
7 | - vuls/go-cve-dictionary
8 | - vuls/goval-dictionary
9 | - vuls/vuls
--------------------------------------------------------------------------------
/utils/6-ansible-devsecops-aws-utils/aws-security-benchmark/architecture/assets/cis-benchmark-architecture.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/utils/6-ansible-devsecops-aws-utils/aws-security-benchmark/architecture/assets/cis-benchmark-architecture.jpg
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/elastic-stack/roles/logstash/handlers/main.yml:
--------------------------------------------------------------------------------
1 | - name: start logstash
2 | service:
3 | name: logstash
4 | state: started
5 |
6 | - name: restart logstash
7 | service:
8 | name: logstash
9 | state: restarted
10 |
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/autonessus/roles/resumescan/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: resume nessus scan "{{ scan_id }}" using autoNessus
2 | command: "autoNessus -sR {{ scan_id }}"
3 | register: resume_scan_output
4 |
5 | - debug:
6 | msg: "{{ resume_scan_output.stdout_lines }}"
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/autonessus/roles/startscan/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: starting nessus scan "{{ scan_id }}" using autoNessus
2 | command: "autoNessus -sS {{ scan_id }}"
3 | register: start_scan_output
4 |
5 | - debug:
6 | msg: "{{ start_scan_output.stdout_lines }}"
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/beats-for-elastic-stack/roles/metricbeat/handlers/main.yml:
--------------------------------------------------------------------------------
1 | - name: start metricbeat
2 | service:
3 | name: metricbeat
4 | state: started
5 |
6 | - name: restart metricbeat
7 | service:
8 | name: metricbeat
9 | state: restarted
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/beats-for-elastic-stack/roles/packetbeat/handlers/main.yml:
--------------------------------------------------------------------------------
1 | - name: start packetbeat
2 | service:
3 | name: packetbeat
4 | state: started
5 |
6 | - name: restart packetbeat
7 | service:
8 | name: packetbeat
9 | state: restarted
--------------------------------------------------------------------------------
/infrastructure/vagrant/scripts/jenkins-install.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | yum install java-1.8.0-openjdk-devel -y
3 | systemctl enable docker
4 | useradd -s /bin/bash -m -d /var/lib/jenkins jenkins
5 | usermod -a -G docker jenkins
6 | cat >> /etc/sudoers < 5044
4 | #ssl => true
5 | #ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
6 | #ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
7 | }
8 | }
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/elastalert/roles/setup/templates/elastalert-config.j2:
--------------------------------------------------------------------------------
1 | rules_folder: "/opt/elastalert/rules"
2 | run_every:
3 | seconds: 30
4 | buffer_time:
5 | minutes: 5
6 | es_host: localhost
7 | es_port: 9200
8 | writeback_index: elastalert_status
9 | alert_time_limit:
10 | days: 2
--------------------------------------------------------------------------------
/app/docker/visitors-webui/.gitignore:
--------------------------------------------------------------------------------
1 | # See https://help.github.com/ignore-files/ for more about ignoring files.
2 |
3 | # dependencies
4 | /node_modules
5 |
6 | # testing
7 | /coverage
8 |
9 | # production
10 | /build
11 |
12 | # misc
13 | .DS_Store
14 | .env
15 | npm-debug.log*
16 | yarn-debug.log*
17 | yarn-error.log*
18 |
19 |
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/autonessus/site.yml:
--------------------------------------------------------------------------------
1 | - name: installing autonessus
2 | hosts: nessus
3 | remote_user: ubuntu
4 | gather_facts: no
5 | become: yes
6 |
7 | roles:
8 | - setup
9 | - listpolices
10 | - listscans
11 | - startscan
12 | - pausescan
13 | - resumescan
14 | - stopscan
--------------------------------------------------------------------------------
/app/docker/visitors-service/startup.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 |
3 | for i in {1..10}
4 | do
5 | echo "Migrating Database..."
6 | python manage.py migrate
7 |
8 | if [ $? == "0" ]; then
9 | echo "Migration Complete"
10 | break
11 | fi
12 |
13 | sleep 3
14 | done
15 |
16 | python manage.py runserver 0.0.0.0:8000
17 |
--------------------------------------------------------------------------------
/utils/6-ansible-devsecops-aws-utils/s3-backup/templates/s3cmd.j2:
--------------------------------------------------------------------------------
1 | [default]
2 | access_key = {{ s3_access_key }}
3 | secret_key = {{ s3_access_secret }}
4 | host_base = s3.amazonaws.com
5 | host_bucket = %(bucket)s.s3.amazonaws.com
6 | website_endpoint = http://%(bucket)s.s3-website-%(location)s.amazonaws.com/
7 | use_https = True
8 | signature_v2 = True
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/beats-for-elastic-stack/main.yml:
--------------------------------------------------------------------------------
1 | - name: setting up elastic beats on ubuntu 16.04
2 | hosts: monitor
3 | remote_user: ubuntu
4 | become: yes
5 | vars:
6 | logstash_server_ip: "192.168.56.102"
7 |
8 | roles:
9 | - filebeat
10 | - packetbeat
11 | - metricbeat
12 |
--------------------------------------------------------------------------------
/app/README.md:
--------------------------------------------------------------------------------
1 | ### Application Overview (simple app example)
2 |
3 | • A web frontend, implemented in React
4 |
5 | • A REST API, implemented in Python using the Django framework
6 |
7 | • A database, using MySQL
8 |
9 | 
10 |
--------------------------------------------------------------------------------
/app/docker/visitors-service/visitors/service/serializers.py:
--------------------------------------------------------------------------------
1 | from rest_framework.serializers import ModelSerializer
2 |
3 | from visitors.service.models import Visitor
4 |
5 |
6 | class VisitorSerializer(ModelSerializer):
7 |
8 | class Meta:
9 | model = Visitor
10 | fields = ('id', 'client_ip', 'service_ip', 'timestamp')
11 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/geerlingguy.docker/molecule/default/converge.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Converge
3 | hosts: all
4 | become: true
5 |
6 | pre_tasks:
7 | - name: Update apt cache.
8 | apt: update_cache=yes cache_valid_time=600
9 | when: ansible_os_family == 'Debian'
10 |
11 | roles:
12 | - role: geerlingguy.docker
13 |
--------------------------------------------------------------------------------
/utils/6-ansible-devsecops-aws-utils/aws-security-benchmark/aws_cis_foundation_framework/CIS_Amazon_Web_Services_Foundations_Benchmark_v1.1.0.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/adavarski/DevSecOps-full-integration-chain/HEAD/utils/6-ansible-devsecops-aws-utils/aws-security-benchmark/aws_cis_foundation_framework/CIS_Amazon_Web_Services_Foundations_Benchmark_v1.1.0.pdf
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/elastic-stack/roles/logstash/templates/30-elasticsearch-output.conf.j2:
--------------------------------------------------------------------------------
1 | output {
2 | elasticsearch {
3 | hosts => ["localhost:9200"]
4 | #sniffing => true
5 | manage_template => false
6 | index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
7 | document_type => "%{[@metadata][type]}"
8 | }
9 | }
--------------------------------------------------------------------------------
/infrastructure/vagrant/scripts/jenkins-ssh.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | mkdir -p /var/lib/jenkins/.ssh
4 | chmod 700 /var/lib/jenkins/.ssh
5 | touch /var/lib/jenkins/.ssh/authorized_keys
6 | chmod 600 /var/lib/jenkins/.ssh/authorized_keys
7 |
8 | cat >> /var/lib/jenkins/.ssh/authorized_keys <>/etc/environment
10 | LANG=en_US.utf-8
11 | LC_ALL=en_US.utf-8
12 | EOT
13 |
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/nessus-setup/roles/setup/tasks/main.yml:
--------------------------------------------------------------------------------
1 | - name: install python 2
2 | raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
3 |
4 | - name: downloading the package and installing
5 | apt:
6 | deb: "{{ nessus_download_url }}"
7 |
8 | - name: start the nessus daemon
9 | service:
10 | name: "nessusd"
11 | enabled: yes
12 | state: started
--------------------------------------------------------------------------------
/app/docker/visitors-service/visitors/service/models.py:
--------------------------------------------------------------------------------
1 | from django.db import models
2 |
3 |
4 | class Visitor(models.Model):
5 |
6 | service_ip = models.CharField(max_length=16)
7 | client_ip = models.CharField(max_length=16)
8 | timestamp = models.DateTimeField(auto_now_add=True)
9 |
10 | def __str__(self):
11 | return 'Client IP [%s] Timestamp [%s]' % (
12 | self.client_ip, self.timestamp)
13 |
--------------------------------------------------------------------------------
/infrastructure/vagrant/scripts/vagrant.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | echo "debug: Executing scripts/vagrant.sh"
4 |
5 | # Install vagrant key
6 | mkdir /home/vagrant/.ssh
7 | chmod 700 /home/vagrant/.ssh
8 | wget --no-check-certificate 'https://raw.githubusercontent.com/mitchellh/vagrant/master/keys/vagrant.pub' -O /home/vagrant/.ssh/authorized_keys
9 | chmod 600 /home/vagrant/.ssh/authorized_keys
10 | chown -R vagrant /home/vagrant/.ssh
--------------------------------------------------------------------------------
/utils/8-jenkins-docker-utils/docker-bandit/.travis.yml:
--------------------------------------------------------------------------------
1 | sudo: 'required'
2 |
3 | services:
4 | - 'docker'
5 |
6 | script:
7 | - docker build . -t bandit:$TRAVIS_COMMIT
8 |
9 | after_success:
10 | - if [[ "$TRAVIS_BRANCH" == "master" ]]; then
11 | docker login -u $DOCKER_HUB_USER -p $DOCKER_HUB_PASSWORD ;
12 | docker tag bandit:$TRAVIS_COMMIT davarski/bandit:latest ;
13 | docker push davarski/bandit:latest ;
14 | fi
15 |
--------------------------------------------------------------------------------
/utils/0-jenkins-shared-library/vars/mailNotifier.groovy:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env groovy
2 |
3 | def call() {
4 |
5 | mail bcc: '',
6 | body: "${currentBuild.result}: Job ${env.JOB_NAME} build ${env.BUILD_NUMBER}\n More info at: ${env.BUILD_URL}",
7 | cc: '',
8 | from: 'Jenkins',
9 | replyTo: '',
10 | subject: "Jenkins Build ${currentBuild.result}: Job ${env.JOB_NAME}, on branch ${env.BRANCH_NAME}",
11 | to: 'davar@gmail.com'
12 | }
13 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/geerlingguy.pip/molecule/default/tests/test_default.py:
--------------------------------------------------------------------------------
1 | import os
2 |
3 | import testinfra.utils.ansible_runner
4 |
5 | testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
6 | os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
7 |
8 |
9 | def test_hosts_file(host):
10 | f = host.file('/etc/hosts')
11 |
12 | assert f.exists
13 | assert f.user == 'root'
14 | assert f.group == 'root'
15 |
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nmap/nmap-nse/main.yml:
--------------------------------------------------------------------------------
1 | - name: Advanced NMAP Scan using NSE
2 | hosts: localhost
3 | vars:
4 | ports:
5 | - 80
6 | - 443
7 | scan_host: scanme.nmap.org
8 |
9 | tasks:
10 | - name: Running Nmap NSE scan
11 | shell: "nmap -Pn -p {{ ports|join(',') }} --script {{ item }} -oA nmap-{{ item }}-results-%Y-%m-%d {{ scan_host }}"
12 |
13 | with_items:
14 | - http-methods
15 | - http-enum
--------------------------------------------------------------------------------
/utils/6-ansible-devsecops-aws-utils/Scout2/scout2-setup/main.yml:
--------------------------------------------------------------------------------
1 | - name: AWS Security Audit using Scout2
2 | hosts: localhost
3 | become: yes
4 |
5 | tasks:
6 | - name: installing python and pip
7 | apt:
8 | name: "{{ item }}"
9 | state: present
10 | update_cache: yes
11 |
12 | with_items:
13 | - python
14 | - python-pip
15 |
16 | - name: install aws scout2
17 | pip:
18 | name: awsscout2
--------------------------------------------------------------------------------
/app/docker/visitors-webui/package.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "visitors-webui",
3 | "version": "0.1.0",
4 | "private": true,
5 | "dependencies": {
6 | "react": "^16.8.6",
7 | "react-dom": "^16.8.6",
8 | "react-scripts": "0.9.5"
9 | },
10 | "devDependencies": {},
11 | "scripts": {
12 | "start": "react-scripts start",
13 | "build": "react-scripts build",
14 | "test": "react-scripts test --env=jsdom",
15 | "eject": "react-scripts eject"
16 | }
17 | }
--------------------------------------------------------------------------------
/app/docker/visitors-webui/src/App.css:
--------------------------------------------------------------------------------
1 | .App {
2 | text-align: center;
3 | }
4 |
5 | .App-logo {
6 | animation: App-logo-spin infinite 20s linear;
7 | height: 80px;
8 | }
9 |
10 | .App-header {
11 | background-color: #222;
12 | height: 150px;
13 | padding: 20px;
14 | color: white;
15 | }
16 |
17 | .App-intro {
18 | font-size: large;
19 | }
20 |
21 | @keyframes App-logo-spin {
22 | from { transform: rotate(0deg); }
23 | to { transform: rotate(360deg); }
24 | }
25 |
--------------------------------------------------------------------------------
/infrastructure/vagrant/scripts/virtualbox.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash -x
2 |
3 | echo "debug: Executing scripts/virtualbox.sh"
4 |
5 | mount -o loop /home/vagrant/VBoxGuestAdditions.iso /mnt
6 | sh /mnt/VBoxLinuxAdditions.run
7 | rc=$?
8 |
9 | umount /mnt
10 | rm -rf /home/vagrant/VBoxGuestAdditions.iso
11 |
12 | if [ $rc -ne 0 ]
13 | then
14 | cat /var/log/VBoxGuestAdditions.log
15 | exit $rc
16 | else
17 | echo "Virtualbox guest addons have been installed successfully"
18 | exit 0
19 | fi
--------------------------------------------------------------------------------
/app/docker/visitors-service/visitors/wsgi.py:
--------------------------------------------------------------------------------
1 | """
2 | WSGI config for visitors project.
3 |
4 | It exposes the WSGI callable as a module-level variable named ``application``.
5 |
6 | For more information on this file, see
7 | https://docs.djangoproject.com/en/2.2/howto/deployment/wsgi/
8 | """
9 |
10 | import os
11 |
12 | from django.core.wsgi import get_wsgi_application
13 |
14 | os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'visitors.settings')
15 |
16 | application = get_wsgi_application()
17 |
--------------------------------------------------------------------------------
/utils/8-jenkins-docker-utils/docker-clair-scanner/.travis.yml:
--------------------------------------------------------------------------------
1 | sudo: 'required'
2 |
3 | services:
4 | - 'docker'
5 |
6 | script:
7 | - docker build . -t docker-clair-scanner:$TRAVIS_COMMIT
8 |
9 | after_success:
10 | - if [[ "$TRAVIS_BRANCH" == "master" ]]; then
11 | docker login -u $DOCKER_HUB_USER -p $DOCKER_HUB_PASSWORD ;
12 | docker tag docker-clair-scanner:$TRAVIS_COMMIT davarski/docker-clair-scanner:latest ;
13 | docker push davarski/docker-clair-scanner:latest ;
14 | fi
15 |
--------------------------------------------------------------------------------
/infrastructure/vagrant/scripts/jenkins-master-ssh.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | mkdir -p /var/lib/jenkins/.ssh
4 | chmod 700 /var/lib/jenkins/.ssh
5 | touch /var/lib/jenkins/.ssh/authorized_keys
6 | chmod 600 /var/lib/jenkins/.ssh/authorized_keys
7 | cat >> /var/lib/jenkins/.ssh/id_rsa <> /var/lib/jenkins/.ssh/id_rsa.pub <> /var/lib/jenkins/.ssh/authorized_keys <> /etc/sudoers <
13 | """
14 | # check for 302 or 301 response code
15 | Then the output should match /30\d+/
16 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/geerlingguy.pip/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Ensure Pip is installed.
3 | package:
4 | name: "{{ pip_package }}"
5 | state: present
6 |
7 | - name: Ensure pip_install_packages are installed.
8 | pip:
9 | name: "{{ item.name | default(item) }}"
10 | version: "{{ item.version | default(omit) }}"
11 | virtualenv: "{{ item.virtualenv | default(omit) }}"
12 | state: "{{ item.state | default(omit) }}"
13 | executable: "{{ pip_executable }}"
14 | with_items: "{{ pip_install_packages }}"
15 |
--------------------------------------------------------------------------------
/app/docker/visitors-service/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM python:3
2 |
3 | EXPOSE 8000
4 |
5 | ENV HOME=/code
6 | RUN mkdir -p ${HOME} && \
7 | useradd -u 1001 -r -g 0 -d ${HOME} -s /sbin/nologin \
8 | -c "Visitors Application User" default
9 | WORKDIR ${HOME}
10 |
11 | ADD visitors ${HOME}/visitors
12 | ADD requirements.txt manage.py startup.sh ${HOME}/
13 |
14 | RUN pip install -r requirements.txt
15 |
16 | RUN chown -R 1001:0 ${HOME} && \
17 | find ${HOME} -type d -exec chmod g+ws {} \;
18 |
19 | USER 1001
20 | CMD ["bash", "startup.sh"]
21 |
--------------------------------------------------------------------------------
/infrastructure/aws/terraform/Jenkins-EC2/variables.tf:
--------------------------------------------------------------------------------
1 | variable "region" {
2 | description = "AWS region to host your infrastructure"
3 | default = "us-east-2"
4 | }
5 |
6 | variable "key_name" {
7 | description = "Private key name to use with instance"
8 | default = "demo"
9 | }
10 |
11 | variable "instance_type" {
12 | description = "AWS instance type"
13 | default = "t2.micro"
14 | }
15 |
16 | variable "ami" {
17 | description = "AWS AMI latest"
18 |
19 | # Ubuntu 20.04
20 | default = "ami-0a91cd140a1fc148a"
21 | }
22 |
23 |
--------------------------------------------------------------------------------
/app/docker/visitors-webui/src/App.js:
--------------------------------------------------------------------------------
1 | import React, { Component } from 'react';
2 |
3 | import VisitorsTable from './VisitorsTable.js';
4 |
5 | class App extends Component {
6 | render() {
7 |
8 | let title = process.env.REACT_APP_TITLE || 'Visitors Dashboard'
9 |
10 | return (
11 |
12 |
13 |
{title}
14 |
15 |
16 |
17 |
18 |
30 |
31 |
32 | Cleaning up:
33 |
34 | ```
35 | $ kubectl delete -f manifests/frontend.yaml
36 | $ kubectl delete -f manifests/backend.yaml
37 | $ kubectl delete -f manifests/database.yaml
38 |
39 | ```
40 | ### Ref1: minikube + GitLab example:
41 |
42 | https://github.com/adavarski/minikube-gitlab-development
43 |
44 | ### Ref2: Kubernetes Operators (Helm, Ansible, Go) example:
45 |
46 | https://github.com/adavarski/k8s-operators-playground
47 |
48 |
49 |
--------------------------------------------------------------------------------
/utils/9-jenkins-pipeline-python-end-to-end/jenkins_home/createAwsEc2.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # Create ec2 instance and add it to ansible inventory
3 | - name: Create a sandbox instance
4 | hosts: localhost
5 | connection: local
6 | gather_facts: False
7 | vars:
8 | keyname: devsecops
9 | instance_type: t2.micro
10 | security_group: devsecops-python
11 | image: ami-0be057a22c63962cb
12 | region: eu-west-2
13 | tagname: Name=DevSecOps
14 |
15 | tasks:
16 | - name: Upload public key to AWS
17 | ec2_key:
18 | name: "{{ keyname }}"
19 | key_material: "{{ lookup('file', '~/.ssh/{{ keyname }}.pub') }}"
20 | region: "{{ region }}"
21 |
22 | - name: Launch instance
23 | ec2:
24 | key_name: "{{ keyname }}"
25 | group: "{{ security_group }}"
26 | instance_type: "{{ instance_type }}"
27 | image: "{{ image }}"
28 | wait: true
29 | region: "{{ region }}"
30 | vpc_subnet_id: subnet-f97e5d90
31 | assign_public_ip: yes
32 | instance_tags: "{{tagname}}"
33 | register: ec2
34 |
35 | - name: Add new instance to hosts group for test
36 | local_action: lineinfile
37 | dest="~/ansible_hosts"
38 | regexp={{ item.public_ip }}
39 | insertafter="[tstlaunched]"
40 | line="{{ item.public_ip }}"
41 | state=present
42 | with_items: "{{ ec2.instances }}"
43 |
44 | - name: Wait for SSH to come up
45 | local_action: wait_for
46 | host={{ item.public_ip }}
47 | port=22
48 | state=started
49 | with_items: "{{ ec2.instances }}"
50 |
--------------------------------------------------------------------------------
/utils/5-ansible-devsecops-docker-utils/osquery-setup/templates/osquery.conf:
--------------------------------------------------------------------------------
1 | {
2 | "options": {
3 | "config_plugin": "filesystem",
4 | "logger_plugin": "filesystem",
5 | "logger_path": "/var/log/osquery",
6 | "disable_logging": "false",
7 | "log_result_events": "true",
8 | "schedule_splay_percent": "10",
9 | "pidfile": "/var/osquery/osquery.pidfile",
10 | "events_expiry": "3600",
11 | "database_path": "/var/osquery/osquery.db",
12 | "verbose": "false",
13 | "worker_threads": "2",
14 | "enable_monitor": "true",
15 | "disable_events": "false",
16 | "disable_audit": "false",
17 | "audit_allow_config": "true",
18 | "host_identifier": "hostname",
19 | "enable_syslog": "true",
20 | "audit_allow_sockets": "true",
21 | "schedule_default_interval": "3600"
22 | },
23 | "schedule": {
24 | "crontab": {
25 | "query": "SELECT * FROM crontab;",
26 | "interval": 300
27 | },
28 | "system_profile": {
29 | "query": "SELECT * FROM osquery_schedule;"
30 | },
31 | "system_info": {
32 | "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
33 | "interval": 3600
34 | }
35 | },
36 | "decorators": {
37 | "load": [
38 | "SELECT uuid AS host_uuid FROM system_info;",
39 | "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
40 | ]
41 | },
42 | "packs": {
43 | "fim": "/usr/share/osquery/packs/fim.conf",
44 | "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
45 | "incident-response": "/usr/share/osquery/packs/incident-response.conf",
46 | "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
47 | "vuln-management": "/usr/share/osquery/packs/vuln-management.conf"
48 | }
49 | }
--------------------------------------------------------------------------------
/app/docker/visitors-webui/public/index.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 | Visitors Dashboard
24 |
25 |
26 |
27 |
37 |
38 |
39 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/scan-artefact/meta/main.yml:
--------------------------------------------------------------------------------
1 | galaxy_info:
2 | author: your name
3 | description: your role description
4 | company: your company (optional)
5 |
6 | # If the issue tracker for your role is not on github, uncomment the
7 | # next line and provide a value
8 | # issue_tracker_url: http://example.com/issue/tracker
9 |
10 | # Choose a valid license ID from https://spdx.org - some suggested licenses:
11 | # - BSD-3-Clause (default)
12 | # - MIT
13 | # - GPL-2.0-or-later
14 | # - GPL-3.0-only
15 | # - Apache-2.0
16 | # - CC-BY-4.0
17 | license: license (GPL-2.0-or-later, MIT, etc)
18 |
19 | min_ansible_version: 2.9
20 |
21 | # If this a Container Enabled role, provide the minimum Ansible Container version.
22 | # min_ansible_container_version:
23 |
24 | #
25 | # Provide a list of supported platforms, and for each platform a list of versions.
26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'.
27 | # To view available platforms and versions (or releases), visit:
28 | # https://galaxy.ansible.com/api/v1/platforms/
29 | #
30 | # platforms:
31 | # - name: Fedora
32 | # versions:
33 | # - all
34 | # - 25
35 | # - name: SomePlatform
36 | # versions:
37 | # - all
38 | # - 1.0
39 | # - 7
40 | # - 99.99
41 |
42 | galaxy_tags: []
43 | # List tags for your role here, one per line. A tag is a keyword that describes
44 | # and categorizes the role. Users find roles by searching for tags. Be sure to
45 | # remove the '[]' above, if you add tags to this list.
46 | #
47 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
48 | # Maximum 20 tags per role.
49 |
50 | dependencies: []
51 | # List your role dependencies here, one per line. Be sure to remove the '[]' above,
52 | # if you add dependencies to this list.
53 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/deploy-application/meta/main.yml:
--------------------------------------------------------------------------------
1 | galaxy_info:
2 | author: your name
3 | description: your role description
4 | company: your company (optional)
5 |
6 | # If the issue tracker for your role is not on github, uncomment the
7 | # next line and provide a value
8 | # issue_tracker_url: http://example.com/issue/tracker
9 |
10 | # Choose a valid license ID from https://spdx.org - some suggested licenses:
11 | # - BSD-3-Clause (default)
12 | # - MIT
13 | # - GPL-2.0-or-later
14 | # - GPL-3.0-only
15 | # - Apache-2.0
16 | # - CC-BY-4.0
17 | license: license (GPL-2.0-or-later, MIT, etc)
18 |
19 | min_ansible_version: 2.9
20 |
21 | # If this a Container Enabled role, provide the minimum Ansible Container version.
22 | # min_ansible_container_version:
23 |
24 | #
25 | # Provide a list of supported platforms, and for each platform a list of versions.
26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'.
27 | # To view available platforms and versions (or releases), visit:
28 | # https://galaxy.ansible.com/api/v1/platforms/
29 | #
30 | # platforms:
31 | # - name: Fedora
32 | # versions:
33 | # - all
34 | # - 25
35 | # - name: SomePlatform
36 | # versions:
37 | # - all
38 | # - 1.0
39 | # - 7
40 | # - 99.99
41 |
42 | galaxy_tags: []
43 | # List tags for your role here, one per line. A tag is a keyword that describes
44 | # and categorizes the role. Users find roles by searching for tags. Be sure to
45 | # remove the '[]' above, if you add tags to this list.
46 | #
47 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
48 | # Maximum 20 tags per role.
49 |
50 | dependencies: []
51 | # List your role dependencies here, one per line. Be sure to remove the '[]' above,
52 | # if you add dependencies to this list.
53 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/deploy-infrastructure/meta/main.yml:
--------------------------------------------------------------------------------
1 | galaxy_info:
2 | author: your name
3 | description: your role description
4 | company: your company (optional)
5 |
6 | # If the issue tracker for your role is not on github, uncomment the
7 | # next line and provide a value
8 | # issue_tracker_url: http://example.com/issue/tracker
9 |
10 | # Choose a valid license ID from https://spdx.org - some suggested licenses:
11 | # - BSD-3-Clause (default)
12 | # - MIT
13 | # - GPL-2.0-or-later
14 | # - GPL-3.0-only
15 | # - Apache-2.0
16 | # - CC-BY-4.0
17 | license: license (GPL-2.0-or-later, MIT, etc)
18 |
19 | min_ansible_version: 2.9
20 |
21 | # If this a Container Enabled role, provide the minimum Ansible Container version.
22 | # min_ansible_container_version:
23 |
24 | #
25 | # Provide a list of supported platforms, and for each platform a list of versions.
26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'.
27 | # To view available platforms and versions (or releases), visit:
28 | # https://galaxy.ansible.com/api/v1/platforms/
29 | #
30 | # platforms:
31 | # - name: Fedora
32 | # versions:
33 | # - all
34 | # - 25
35 | # - name: SomePlatform
36 | # versions:
37 | # - all
38 | # - 1.0
39 | # - 7
40 | # - 99.99
41 |
42 | galaxy_tags: []
43 | # List tags for your role here, one per line. A tag is a keyword that describes
44 | # and categorizes the role. Users find roles by searching for tags. Be sure to
45 | # remove the '[]' above, if you add tags to this list.
46 | #
47 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
48 | # Maximum 20 tags per role.
49 |
50 | dependencies: []
51 | # List your role dependencies here, one per line. Be sure to remove the '[]' above,
52 | # if you add dependencies to this list.
53 |
--------------------------------------------------------------------------------
/utils/1-ansible-aws-infra/roles/set-infrastructure-build/meta/main.yml:
--------------------------------------------------------------------------------
1 | galaxy_info:
2 | author: your name
3 | description: your role description
4 | company: your company (optional)
5 |
6 | # If the issue tracker for your role is not on github, uncomment the
7 | # next line and provide a value
8 | # issue_tracker_url: http://example.com/issue/tracker
9 |
10 | # Choose a valid license ID from https://spdx.org - some suggested licenses:
11 | # - BSD-3-Clause (default)
12 | # - MIT
13 | # - GPL-2.0-or-later
14 | # - GPL-3.0-only
15 | # - Apache-2.0
16 | # - CC-BY-4.0
17 | license: license (GPL-2.0-or-later, MIT, etc)
18 |
19 | min_ansible_version: 2.9
20 |
21 | # If this a Container Enabled role, provide the minimum Ansible Container version.
22 | # min_ansible_container_version:
23 |
24 | #
25 | # Provide a list of supported platforms, and for each platform a list of versions.
26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'.
27 | # To view available platforms and versions (or releases), visit:
28 | # https://galaxy.ansible.com/api/v1/platforms/
29 | #
30 | # platforms:
31 | # - name: Fedora
32 | # versions:
33 | # - all
34 | # - 25
35 | # - name: SomePlatform
36 | # versions:
37 | # - all
38 | # - 1.0
39 | # - 7
40 | # - 99.99
41 |
42 | galaxy_tags: []
43 | # List tags for your role here, one per line. A tag is a keyword that describes
44 | # and categorizes the role. Users find roles by searching for tags. Be sure to
45 | # remove the '[]' above, if you add tags to this list.
46 | #
47 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
48 | # Maximum 20 tags per role.
49 |
50 | dependencies: []
51 | # List your role dependencies here, one per line. Be sure to remove the '[]' above,
52 | # if you add dependencies to this list.
53 |
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/OWASP-dependency-check/owasp-dependency-check/main.yml:
--------------------------------------------------------------------------------
1 | - name: OWASP Dependency Check Playbook
2 | hosts: scanner
3 | remote_user: ubuntu
4 | become: yes
5 | vars:
6 | repo_url: https://github.com/psiinon/bodgeit.git
7 | output_dir: /tmp/bodgeit/
8 | project_name: bodgeit
9 | report_name: report.html
10 |
11 | tasks:
12 | - name: installing pre requisuites
13 | apt:
14 | name: "{{ item }}"
15 | state: present
16 | update_cache: yes
17 |
18 | with_items:
19 | - git
20 | - unzip
21 | - mono-runtime
22 | - mono-devel
23 | - default-jre
24 |
25 | - name: downloading owasp dependency-check
26 | unarchive:
27 | src: http://dl.bintray.com/jeremy-long/owasp/dependency-check-3.0.2-release.zip
28 | dest: /usr/share/
29 | remote_src: yes
30 |
31 | - name: adding symlink to the system
32 | file:
33 | src: /usr/share/dependency-check/bin/dependency-check.sh
34 | dest: /usr/bin/dependency-check
35 | mode: 0755
36 | state: link
37 |
38 | - name: cloning the {{ repo_url }}
39 | git:
40 | repo: "{{ repo_url }}"
41 | dest: "{{ output_dir }}"
42 |
43 | - name: updating CVE database
44 | command: "dependency-check --updateonly"
45 |
46 | - name: OWASP dependency-check scanning in action
47 | # Output available in XML, HTML, CSV, JSON, VULN, ALL formats
48 | command: "dependency-check --project {{ project_name }} --scan {{ output_dir }} -o {{ output_dir }}{{ project_name }}-report.html"
49 |
50 | - name: Downloading the report
51 | fetch:
52 | src: "{{ output_dir }}{{ project_name }}-report.html"
53 | dest: "{{ report_name }}"
54 | flat: yes
55 |
56 | - debug:
57 | msg: "Report can be found at {{ report_name }}"
58 |
--------------------------------------------------------------------------------
/utils/9-jenkins-pipeline-python-end-to-end/jenkins/plugins.txt:
--------------------------------------------------------------------------------
1 | pipeline-input-step:2.11
2 | git-server:1.9
3 | junit:1.28
4 | workflow-multibranch:2.21
5 | apache-httpcomponents-client-4-api:4.5.10-2.0
6 | lockable-resources:2.7
7 | matrix-auth:2.5
8 | pipeline-milestone-step:1.3.1
9 | workflow-job:2.36
10 | ldap:1.21
11 | token-macro:2.10
12 | structs:1.20
13 | script-security:1.68
14 | workflow-support:3.3
15 | ssh-credentials:1.18
16 | pipeline-model-declarative-agent:1.1.1
17 | ws-cleanup:0.38
18 | git-client:3.0.0
19 | resource-disposer:0.14
20 | display-url-api:2.3.2
21 | gradle:1.35
22 | ant:1.10
23 | email-ext:2.68
24 | ace-editor:1.1
25 | docker-commons:1.16
26 | cloudbees-folder:6.10.1
27 | authentication-tokens:1.3
28 | pipeline-model-definition:1.5.0
29 | antisamy-markup-formatter:1.6
30 | workflow-scm-step:2.9
31 | bouncycastle-api:2.17
32 | trilead-api:1.0.5
33 | ssh-slaves:1.31.0
34 | timestamper:1.10
35 | workflow-step-api:2.21
36 | jdk-tool:1.4
37 | durable-task:1.33
38 | mailer:1.29
39 | workflow-api:2.38
40 | workflow-aggregator:2.6
41 | pipeline-github-lib:1.0
42 | pipeline-model-extensions:1.5.0
43 | pipeline-model-api:1.5.0
44 | workflow-durable-task-step:2.35
45 | github-branch-source:2.5.8
46 | branch-api:2.5.5
47 | jackson2-api:2.10.1
48 | build-timeout:1.19
49 | pam-auth:1.6
50 | jsch:0.1.55.1
51 | workflow-cps-global-lib:2.15
52 | jquery-detached:1.2.1
53 | git:4.0.0
54 | pipeline-stage-step:2.3
55 | subversion:2.13.0
56 | github:1.29.5
57 | pipeline-stage-tags-metadata:1.5.0
58 | command-launcher:1.4
59 | scm-api:2.6.3
60 | matrix-project:1.14
61 | pipeline-graph-analysis:1.10
62 | mapdb-api:1.0.9.0
63 | momentjs:1.1.1
64 | workflow-cps:2.78
65 | pipeline-stage-view:2.12
66 | plain-credentials:1.5
67 | credentials-binding:1.20
68 | credentials:2.3.0
69 | pipeline-build-step:2.10
70 | handlebars:1.1.1
71 | docker-workflow:1.21
72 | workflow-basic-steps:2.18
73 | github-api:1.95
74 | pipeline-rest-api:2.12
75 |
--------------------------------------------------------------------------------
/app/docker/README.md:
--------------------------------------------------------------------------------
1 |
2 | ### Application Overview
3 |
4 | • A web frontend, implemented in React
5 |
6 | • A REST API, implemented in Python using the Django framework
7 |
8 | • A database, using MySQL
9 |
10 | ### Build docker images
11 |
12 | ```
13 | $ docker login
14 |
15 | $ cd visitor-service
16 | $ docker build --tag visitors-service:1.0.0 .
17 | $ docker push davarski/visitors-service:1.0.0
18 |
19 | $ cd visitor-webui
20 | $ docker build --tag visitors-webui:1.0.0 .
21 | $ docker push davarski/visitors-webui:1.0.0
22 | ```
23 |
24 | ### Runing app on Docker (using docker-compose)
25 | ```
26 | docker-compose up -d
27 | ```
28 | Example:
29 | ```
30 | $ docker-compose up -d
31 | Building with native build. Learn about native build in Compose here: https://docs.docker.com/go/compose-native-build/
32 | Creating network "docker_default" with the default driver
33 | Creating docker_visitors-mysql_1 ... done
34 | Creating docker_visitors-service_1 ... done
35 | Creating docker_visitors-webui_1 ... done
36 | $ docker-compose ps
37 | Name Command State Ports
38 | ---------------------------------------------------------------------------------------------------
39 | docker_visitors-mysql_1 docker-entrypoint.sh mysqld Up 0.0.0.0:3306->3306/tcp, 33060/tcp
40 | docker_visitors-service_1 bash startup.sh Up 0.0.0.0:8000->30685/tcp, 8000/tcp
41 | docker_visitors-webui_1 npm start Up 0.0.0.0:3000->3000/tcp
42 |
43 | ```
44 |
45 | After executing, you will have 3 running cointainers on your Docker host: visitor-service, visitors-webui and visitors-mysql. For accessing the web application, open your browser and go to http://your-docker-host-ip-address:3000 (or http://localhost:3000/)
46 |
47 | To destroy the containers, execute:
48 | ```
49 | docker-compose down
50 |
51 | or (remove docker images)
52 |
53 | docker-compose down --rmi all
54 | ```
55 |
--------------------------------------------------------------------------------
/utils/6-ansible-devsecops-aws-utils/aws-security-benchmark/architecture/README.md:
--------------------------------------------------------------------------------
1 | # aws-security-benchmark
2 | ```create-benchmark-rules.yaml``` is an AWS CloudFormation template for establishing CIS AWS 1.1 benchmark governance rules (download the benchmarks [here](https://benchmarks.cisecurity.org/en-us/?route=downloads.form.awsfoundations.110)).
3 |
4 | ```cis-benchmark-matrix.xlsx``` is a spreadsheet that maps the CIS Amazon Web Services Foundations benchmarks to the specific security controls provisioned in the CloudFormation template.
5 |
6 | The AWS services used for these benchmarks are used in the following relationship:
7 |
8 | 
9 |
10 | The following preconditions must be met before the stack can be launched:
11 |
12 | 1. AWS Config must be running in the region where this template will be run. This is needed for Config Rules.
13 | 2. Amazon CloudTrail must be delivering logs to CloudWatch Logs. This is needed for CloudWatch metrics and alarms.
14 | 3. AWS Lambda must be supported in the region where this template will be launched. See [this](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) page for region support.
15 |
16 | The controls are a combination of AWS Config Rules (both AWS-managed and custom), Amazon CloudWatch rules, and Amazon CloudWatch alarms.
17 | Please note that these resources will incur costs in your account; please refer to the pricing model for each service.
18 |
19 | For example, an estimate in us-east-1:
20 | * Config Rules: 17 rules @ $2.00/rule/month = $34.00/month
21 | * CloudWatch Alarms: 6 alarms @ $0.10/alarm/month = $0.60/month
22 | * CloudWatch Metrics: 6 metrics @ $0.30/metric/month = $1.80/month
23 | * CloudWatch Logs: 17 logs @ $0.50/GB ingested = based on usage
24 | * Lambda: variable (first 1 million requests per month are free)
25 |
--------------------------------------------------------------------------------
/utils/3-ansible-devops-utils/gitlab/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: CI
3 | 'on':
4 | pull_request:
5 | push:
6 | branches:
7 | - master
8 | schedule:
9 | - cron: "0 7 * * 1"
10 |
11 | defaults:
12 | run:
13 | working-directory: 'geerlingguy.gitlab'
14 |
15 | jobs:
16 |
17 | lint:
18 | name: Lint
19 | runs-on: ubuntu-latest
20 | steps:
21 | - name: Check out the codebase.
22 | uses: actions/checkout@v2
23 | with:
24 | path: 'geerlingguy.gitlab'
25 |
26 | - name: Set up Python 3.
27 | uses: actions/setup-python@v2
28 | with:
29 | python-version: '3.x'
30 |
31 | - name: Install test dependencies.
32 | run: pip3 install yamllint ansible ansible-lint
33 |
34 | - name: Lint code.
35 | run: |
36 | yamllint .
37 | ansible-lint
38 |
39 | molecule:
40 | name: Molecule
41 | runs-on: ubuntu-latest
42 | strategy:
43 | matrix:
44 | include:
45 | - distro: centos7
46 | playbook: converge.yml
47 | - distro: ubuntu1804
48 | playbook: converge.yml
49 | - distro: debian9
50 | playbook: converge.yml
51 | - distro: centos7
52 | playbook: version.yml
53 | - distro: ubuntu1804
54 | playbook: version.yml
55 |
56 | steps:
57 | - name: Check out the codebase.
58 | uses: actions/checkout@v2
59 | with:
60 | path: 'geerlingguy.gitlab'
61 |
62 | - name: Set up Python 3.
63 | uses: actions/setup-python@v2
64 | with:
65 | python-version: '3.x'
66 |
67 | - name: Install test dependencies.
68 | run: pip3 install ansible molecule[docker] docker
69 |
70 | - name: Run Molecule tests.
71 | run: molecule test
72 | env:
73 | PY_COLORS: '1'
74 | ANSIBLE_FORCE_COLOR: '1'
75 | MOLECULE_DISTRO: ${{ matrix.distro }}
76 | MOLECULE_PLAYBOOK: ${{ matrix.playbook }}
77 |
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/OWASP-dependency-check/owasp-scala-dependency-check/Jenkinsfile-SCALA-PROJECT-example:
--------------------------------------------------------------------------------
1 | pipeline {
2 | agent {
3 | label 'jenkins-slave10'
4 | }
5 | options {
6 | timestamps()
7 | disableConcurrentBuilds()
8 | }
9 |
10 | stages {
11 | stage('Clone SCALA-PROJECT Master Branch') {
12 | steps {
13 |
14 | checkout([$class: 'GitSCM',
15 | branches: [[name: "master"]],
16 | doGenerateSubmoduleConfigurations: false,
17 | extensions: [[$class: 'RelativeTargetDirectory', relativeTargetDir: 'SCALA-PROJECT']],
18 | submoduleCfg: [],
19 | userRemoteConfigs: [[credentialsId: 'adavarski-github', url: 'git@github.com:adavarski/SCALA-PROJECT.git']]
20 | ])
21 | }
22 | }
23 |
24 |
25 | stage('PenTesting SCALA-PROJECT') {
26 | steps {
27 | dir('SCALA-PROJECT') {
28 | script {
29 | sh 'sbt dependencyCheck'
30 | }
31 | }
32 | }
33 |
34 | }
35 |
36 |
37 | stage('Publish Pentesting Vulnerability Report') {
38 | steps {
39 | script {
40 | publishHTML (target: [
41 | allowMissing: false,
42 | alwaysLinkToLastBuild: false,
43 | keepAll: true,
44 | reportDir: './SCALA-PROJECT/target',
45 | reportFiles: 'dependency-check-vulnerability.html',
46 | reportName: "Petntesting Vulnerability Report"
47 | ])
48 | }
49 | }
50 | }
51 |
52 | stage('Publish Pentesting Full Report') {
53 | steps {
54 | script {
55 | publishHTML (target: [
56 | allowMissing: false,
57 | alwaysLinkToLastBuild: false,
58 | keepAll: true,
59 | reportDir: './SCALA-PROJECT/target',
60 | reportFiles: 'dependency-check-report.html',
61 | reportName: "Petntesting Full Report"
62 | ])
63 | }
64 | }
65 | }
66 |
67 | }
68 |
69 |
70 |
71 |
72 | }
73 |
--------------------------------------------------------------------------------
/utils/4-ansible-devsecops-general-utils/Nessus/nessus-restapi/main.yml:
--------------------------------------------------------------------------------
1 | - name: working with nessus rest api
2 | connection: local
3 | hosts: localhost
4 | gather_facts: no
5 | vars:
6 | scan_id: 17
7 | nessus_access_key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
8 | nessus_secret_key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
9 | nessus_url: https://192.168.33.109:8834
10 | nessus_report_format: html
11 |
12 | tasks:
13 | - name: export the report for given scan "{{ scan_id }}"
14 | uri:
15 | url: "{{ nessus_url }}/scans/{{ scan_id }}/export"
16 | method: POST
17 | validate_certs: no
18 | headers:
19 | X-ApiKeys: "accessKey={{ nessus_access_key }}; secretKey={{ nessus_secret_key }}"
20 | body: "format={{ nessus_report_format }}&chapters=vuln_by_host;remediations"
21 | register: export_request
22 |
23 | - debug:
24 | msg: "File id is {{ export_request.json.file }} and scan id is {{ scan_id }}"
25 |
26 | - name: check the report status for "{{ export_request.json.file }}"
27 | uri:
28 | url: "{{ nessus_url }}/scans/{{ scan_id }}/export/{{ export_request.json.file }}/status"
29 | method: GET
30 | validate_certs: no
31 | headers:
32 | X-ApiKeys: "accessKey={{ nessus_access_key }}; secretKey={{ nessus_secret_key }}"
33 | register: report_status
34 |
35 | - debug:
36 | msg: "Report status is {{ report_status.json.status }}"
37 |
38 | - name: downloading the report locally
39 | uri:
40 | url: "{{ nessus_url }}/scans/{{ scan_id }}/export/{{ export_request.json.file }}/download"
41 | method: GET
42 | validate_certs: no
43 | headers:
44 | X-ApiKeys: "accessKey={{ nessus_access_key }}; secretKey={{ nessus_secret_key }}"
45 | return_content: yes
46 | dest: "./{{ scan_id }}_{{ export_request.json.file }}.{{ nessus_report_format }}"
47 | register: report_output
48 |
49 | - debug:
50 | msg: "Report can be found at ./{{ scan_id }}_{{ export_request.json.file }}.{{ nessus_report_format }}"
--------------------------------------------------------------------------------
/utils/6-ansible-devsecops-aws-utils/aws-security-benchmark/aws_cis_foundation_framework/README.md:
--------------------------------------------------------------------------------
1 | # aws-cis-foundation-benchmark-checklist
2 | Script to evaluate your AWS account against the full CIS Amazon Web Services
3 | Foundations Benchmark 1.1
4 | The script have a number of different outputs, all optional by changing the
5 | settings inside the script.
6 | All outputs will generate a single report of all supported controls in short
7 | format, full JSON or HTML.
8 | Delivery of the report is console output for JSON structure, S3 SignedURL for
9 | HTML file and optional publish to SNS for the S3 SignedURL if you wish to
10 | receive an email or trigger other functions any time a new report is done.
11 | You can also store the reports in a central S3 bucket if you run this for
12 | multiple accounts
13 |
14 | ## Execution
15 | ### Requirement
16 | Verified with Python 2.7.
17 | Python 3.6 support in process.
18 |
19 | ### Config Rules
20 | By adding the script to you AWS account as a Lambda function you can tie it
21 | to a Config Rule.
22 | You don't need to change or enable anything in the script when using with
23 | Config Rule, the script will autosense it and automatically start reporting
24 | compliance status at the account level.
25 | The script will also report back a short-form version of the result using
26 | the annotation field. You can see this value using the Config API:
27 | ```aws configservice get-compliance-details-by-config-rule --config-rule-name```
28 | ***Keep in mind that the lambda function needs to have timeout set to max time.***
29 |
30 | ### Local execution
31 | You can also run this script from a admin console using python and AWS SDK.
32 | It will use the credentials you have stored in your profiles.
33 |
34 | Run without parameters to use default profile:')
35 | ```python aws-cis-foundation-benchmark-checklist.py```
36 | Specify profile by using the -p or --profile
37 | ```python aws-cis-foundation-benchmark-checklist.py [-p|--profile] ```
38 |
39 | ## IAM Policy
40 | The IAM policy required to run the script is located in the file
41 | aws-cis-foundation-benchmark-checklist-lambdarole.json
42 |
--------------------------------------------------------------------------------
/utils/7-ansible-log-monitoring-elk-aws-serverless-utils/elastalert/roles/aws-serverless/templates/initDb.js.j2:
--------------------------------------------------------------------------------
1 | var config = require('./config.js')
2 |
3 | var AWS = require("aws-sdk")
4 | AWS.config.update({
5 | region: config.region
6 | });
7 |
8 | var dynamodb = new AWS.DynamoDB();
9 |
10 | var params = {
11 | "AttributeDefinitions": [
12 | {
13 | "AttributeName": "id",
14 | "AttributeType": "N"
15 | },
16 | {
17 | "AttributeName": "ip",
18 | "AttributeType": "S"
19 | },
20 | {
21 | "AttributeName": "expirymin",
22 | "AttributeType": "N"
23 | }
24 | ],
25 | "GlobalSecondaryIndexes": [
26 | {
27 | "IndexName": "ip_index",
28 | "KeySchema": [
29 | {
30 | "AttributeName": "ip",
31 | "KeyType": "HASH"
32 | }
33 | ],
34 | "Projection": {
35 | "ProjectionType": "ALL"
36 | },
37 | "ProvisionedThroughput": {
38 | "ReadCapacityUnits": 100,
39 | "WriteCapacityUnits": 100
40 | }
41 | },
42 | {
43 | "IndexName": "expirymin_index",
44 | "KeySchema": [
45 | {
46 | "AttributeName": "expirymin",
47 | "KeyType": "HASH"
48 | }
49 | ],
50 | "Projection": {
51 | "ProjectionType": "ALL"
52 | },
53 | "ProvisionedThroughput": {
54 | "ReadCapacityUnits": 100,
55 | "WriteCapacityUnits": 100
56 | }
57 | }
58 | ],
59 | "KeySchema": [
60 | {
61 | "AttributeName": "id",
62 | "KeyType": "HASH"
63 | }
64 | ],
65 | "ProvisionedThroughput": {
66 | "ReadCapacityUnits": 100,
67 | "WriteCapacityUnits": 100
68 | },
69 | "TableName": config.tableName
70 | }
71 |
72 | dynamodb.createTable(params, function(err, data) {
73 | if (err) {
74 | console.error("Unable to create table. Error JSON:", JSON.stringify(err, null, 2));
75 | } else {
76 | console.log("Created table. Table description JSON:", JSON.stringify(data, null, 2));
77 | }
78 | });
--------------------------------------------------------------------------------