INTRODUCTION TO TFSEC

• Brief: Introduce “tfsec,” a specialized static analysis tool designed for scanning Terraform codebases​
• Purpose: Explain that tfsec is used to identify potential security risks and vulnerabilities present in Infrastructure as Code projects written using Terraform​

WHY IT’S IMPORTANT

• Security Emphasis: Highlight the critical role of security in IaC projects, as they define the foundation of cloud infrastructure​
• Risk Mitigation: Discuss that tfsec aids in preventing potential data breaches, unauthorized access, and system vulnerabilities by proactively catching security issues early in the development lifecycle​

HOW TO USE TFSEC

• Setup Options: Describe installation methods, including using package managers like Homebrew or pip, Docker containers, or integration as part of CI/CD pipelines​
• Simple Integration: Provide a sample command-line usage, illustrating how developers can effortlessly scan their Terraform code with tfsec to identify security flaws​

 EXAMPLES OF TFSEC USAGE​

• Scenario Illustration: Display snippets of insecure Terraform code, such as hardcoded secrets or overly permissive access controls​
• Visual Output: Present tfsec’s output alongside each example, demonstrating how the tool provides detailed information about detected vulnerabilities and recommended remediations​

CHALLENGES AND CONSIDERATIONS​

• Integration Challenges: Address potential challenges in seamlessly integrating tfsec into existing workflows, including learning curves and adapting to new processes​
• Continuous Vigilance: Emphasize the importance of continuous monitoring as infrastructure evolves over time, highlighting that security should be an ongoing concern rather than a one-time check​

Ansible_Role_Template_Example

In this example, I am using RHEL7 with below configuration.

[root@feenixdv apache_ntp]# ansible --version
ansible 2.7.5
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug  2 2016, 04:20:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-4)]

I am creating below task using roles and template.

1. Copy customize “resolve.conf” and “ntp.conf” on target servers.
2. Install Apache and copy customize “index.html” on target servers.

Here I am creating two roles inside “/etc/ansible/roles/apache_ntp”.

1. Common
2. web

To create role and template structure use “ansible-galaxy" command.

[root@feenixdv apache_ntp]# ansible-galaxy init /etc/ansible/roles/apache_ntp/common  --offline
/etc/ansible/roles/apache_ntp/common  was created successfully

[root@feenixdv apache_ntp]# ansible-galaxy init /etc/ansible/roles/apache_ntp/web  --offline
/etc/ansible/roles/apache_ntp/web  was created successfully

Finally, we have below the directory structure for common.

[root@feenixdv apache_ntp]# pwd
/etc/ansible/roles/apache_ntp
[root@feenixdv apache_ntp]# tree common/
common/
├── defaults
│   └── main.yml
├── files
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── README.md
├── tasks
│   └── main.yml
├── templates
│   ├── ntp.conf
│   └── resolv.conf
├── tests
│   ├── inventory
│   └── test.yml
└── vars
    └── main.yml
8 directories, 10 files

And below directory structure for the web.

[root@feenixdv apache_ntp]# pwd
/etc/ansible/roles/apache_ntp

[root@feenixdv apache_ntp]# tree web/
web/
├── defaults
│   └── main.yml
├── files
│   └── index.html
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── README.md
├── tasks
│   └── main.yml
├── templates
├── tests
│   ├── inventory
│   └── test.yml
└── vars
    └── main.yml
8 directories, 9 files

For common roles:-

For “common/tasks/main.yml”

[root@feenixdv apache_ntp]# cat common/tasks/main.yml
---
- name: Configure DNS client
  template: src=resolv.conf dest=/etc/resolv.conf
  tags: dns

- name: Install NTP
  yum: name=ntp state=present
  tags: ntp

- name: Copy NTP file
  template: src=ntp.conf dest=/etc/ntp.conf
  tags: ntp
  notify: restart ntp service

For “common/templates/resolv.conf”

[root@feenixdv apache_ntp]# cat common/templates/resolv.conf
# Generated by NetworkManager
search {{ dnsserver }}
nameserver {{ dnsserver }}

Here “dnsserver” variable picked from “group_vars/all” which is looking like below.

[root@feenixdv apache_ntp]# pwd
/etc/ansible/roles/apache_ntp
[root@feenixdv apache_ntp]# cat group_vars/all
---

dnsserver: 8.8.8.8
ntpserver: 192.168.40.177

For “common/templates/ntp.conf”

[root@feenixdv apache_ntp]# cat common/templates/ntp.conf
##anisible managed file
driftfile /var/lib/ntp/drift
restrict 127.0.0.1
restrict -6 ::1

server {{ ntpserver  }}
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys

Here “ntpserver” variable picked from “group_vars/all”

For “common/handlers/main.yml”

[root@feenixdv apache_ntp]# cat common/handlers/main.yml
---
# handlers file for apache_ntp/common
- name: restart ntp service
  service: name=ntpd state=started

For web roles:-

For “web/tasks/main.yml”

[root@feenixdv apache_ntp]# cat web/tasks/main.yml
---
# tasks file for apache_ntp/web
- name: Install apache packages
  yum: name={{ item }} state=present
  with_items:
    - httpd
    - httpd-tools

- name: Copy apache index page
  copy: src=index.html dest=/var/www/html/index.html
  tags: apache
  notify: restart apache service

For “web/files/index.html”

[root@feenixdv apache_ntp]# cat web/files/index.html
Hello ansible

For “web/handlers/main.yml”

[root@feenixdv apache_ntp]# cat web/handlers/main.yml
---
# handlers file for apache_ntp/common
- name: restart apache service
  service: name=httpd state=started

Now configure host file and main.yml to call role one by one.

[root@feenixdv apache_ntp]# pwd
/etc/ansible/roles/apache_ntp
[root@feenixdv apache_ntp]# cat hosts
[all]
192.168.40.178
192.168.40.179
[web]
192.168.40.178

[root@feenixdv apache_ntp]# cat main.yml
---
- hosts: all
  tasks:

- name: Apply common configuration
  hosts: all
  user: root
  become: yes
  tasks:
  roles:
    - common

- name: Install and configure apache web server
  hosts: web
  user: root
  become: yes
  tasks:
  roles:
    - web

Now check syntax.

[root@feenixdv apache_ntp]# ansible-playbook main.yml -i hosts --syntax-check
playbook: main.yml

Looking good

Now launch the play book.

[root@feenixdv apache_ntp]# ansible-playbook main.yml -i hosts

PLAY [all] *********************************************************************************************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************************************************************************
ok: [192.168.40.178]

ok: [192.168.40.179]

PLAY [Apply common configuration] **********************************************************************************************************************************************************************
TASK [Gathering Facts] *********************************************************************************************************************************************************************************
ok: [192.168.40.179]
ok: [192.168.40.178]

TASK [common : Configure DNS client] *******************************************************************************************************************************************************************
changed: [192.168.40.179]
changed: [192.168.40.178]

TASK [common : Install NTP] ****************************************************************************************************************************************************************************
ok: [192.168.40.178]
ok: [192.168.40.179]

TASK [common : Copy NTP file] **************************************************************************************************************************************************************************
changed: [192.168.40.179]
changed: [192.168.40.178]

RUNNING HANDLER [common : restart ntp service] *********************************************************************************************************************************************************
ok: [192.168.40.178]
ok: [192.168.40.179]

PLAY [Install and configure apache web server] ********************************************************************************************************************************************************
TASK [Gathering Facts] *********************************************************************************************************************************************************************************
ok: [192.168.40.178]
TASK [web : Install apache packages] *******************************************************************************************************************************************************************
[DEPRECATION WARNING]: Invoking "yum" only once while using a loop via squash_actions is deprecated. Instead of using a loop to supply multiple items and specifying `name: "{{ item }}"`, please use

`name: ['httpd', 'httpd-tools']` and remove the loop. This feature will be removed in version 2.11. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
changed: [192.168.40.178] => (item=[u'httpd', u'httpd-tools'])

TASK [web : Copy apache index page] ********************************************************************************************************************************************************************
changed: [192.168.40.178]
RUNNING HANDLER [web : restart apache service] *********************************************************************************************************************************************************
changed: [192.168.40.178]

PLAY RECAP *********************************************************************************************************************************************************************************************
192.168.40.178             : ok=10   changed=5    unreachable=0    failed=0

192.168.40.179             : ok=6    changed=2    unreachable=0    failed=0

Looking good.

Check action.

For “192.168.40.179  “

[root@localhost ~]# ifconfig |grep inet
        inet 192.168.40.179  netmask 255.255.255.0  broadcast 192.168.40.255

        inet6 fe80::25c:a552:e7aa:8f2  prefixlen 64  scopeid 0x20<link>

        inet6 fe80::9e73:c84:139c:c56c  prefixlen 64  scopeid 0x20<link>

        inet 127.0.0.1  netmask 255.0.0.0

        inet6 ::1  prefixlen 128  scopeid 0x10<host>

[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search 8.8.8.8
nameserver 8.8.8.8
[root@localhost ~]# cat /etc/ntp.conf
##anisible managed file
driftfile /var/lib/ntp/drift
restrict 127.0.0.1
restrict -6 ::1
server 192.168.40.177
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys

For “192.168.40.178 “

Apache service accessible

LVM creation using playbook.

Lab setup:-

Task:-

Create LVM with below information.

Node setting:-

Playbook look like

Run playbook.

On Target node "192.168.40.146" we can see all action done.

Download Ansible file.

Ansible_Inventory_KeyLess_Auth

After Ansible installation, you need to follow some basic steps.

1. Create inventory file.
2. Make keyless authentication with Node[s].

Create an inventory file.

The Ansible inventory file defines the hosts and groups of hosts upon which commands, modules, and tasks in a playbook operate. The file can be in one of many formats depending on your Ansible environment and plugins. The default location for the inventory file is /etc/ansible/hosts .

For example in our environment we have these servers.

For example, these servers categorized into mail, web and DB. Here in inventory we can group these servers list like.

We can also create cross grouping. Like

If you are adding a lot of hosts following similar patterns,

You can also define alphabetic ranges:

You can also select the connection type and user on a per host basis:

For broad details, follow Ansible official site https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html  

For key less authentication, first need to generate key then copy key file to node.

On Ansible server:-

Now check keyless with below command.

[root@feenixdv ~]# ssh [email protected]

Now you can check ping from Ansible by using ping module.

In my host (inventory) below server IP are present.

What’s the Use of Ansible

Ansible is a radically simple IT automation engine that automates cloud provisioning, configuration management, application deployment, intra-service orchestration, and many other IT needs.

Designed for multi-tier deployments since day one, Ansible models your IT infrastructure by describing how all of your systems inter-relate, rather than just managing one system at a time.

It uses no agents and no additional custom security infrastructure, so it's easy to deploy – and most importantly, it uses a very simple language (YAML, in the form of Ansible Playbooks) that allow you to describe your automation jobs in a way that approaches plain English.

On this page, we'll give you a really quick overview so you can see things in context. For more detail, hop over to docs.ansible.com.

My Environment Setup

Operating System :    Red Hat Enterprise Linux Server release 7.3 (Maipo)
IP-Address            :    192.168.40.138
Host-name            :    feenixdv
User                     :    root

On RHEL/CentOS/Fedora, Unfortunately, there is no official Ansible repository for RedHat based clones.  For RHEL/CentOS 6, 7, you have to enable EPEL repo.

To enable EPEL repo download RPM and install.

After installation you can check repo file created inside “/etc/yum.repos.d/”

Now check installation with YUM command.

[root@feenixdv yum.repos.d]# yum install ansible -y

Cross check Ansible installation using this.

Using command line.

Report like:-

Date               Time   Critical  Warning  Unknown  HostUnreachable  Total Hosts
2014-01-15      06:31      3            6          0               0                      103
2014-01-15      06:31      3            6          0               0                      103
2014-01-15      11:38     12           13         0               0                      103

– Put this shell script and save it

# vi Report.sh
date=`date +%Y-%m-%d`;
time=`date +%H:%M`;

#Tolal Service CRITICAL WARNING UNKNOWN
wget  –user nagios_user –password 'password' –no-check-certificate -O ./Service_Alerts.html  "http://XXXXXXXX/nagios//cgi-bin/summary.cgi?report=1&displaytype=1&timeperiod=today&hostgroup=all&servicegroup=all&host=all&alerttypes=2&statetypes=2&hoststates=3&servicestates=56" >>/dev/null 2>/dev/null

#Tolal host Unreachable or Down
wget  –user nagios_user –password 'password' –no-check-certificate -O ./Host_Alerts.html  "http://XXXXXXXX/nagios//cgi-bin/summary.cgi?report=1&displaytype=1&timeperiod=today&hostgroup=all&servicegroup=all&host=all&alerttypes=1&statetypes=2&hoststates=3&servicestates=56" >>/dev/null 2>/dev/null

#Total host
wget  –user nagios_user –password 'password' –no-check-certificate -O ./Host_All.html  "http://XXXXXXXX/nagios/cgi-bin/avail.cgi?show_log_entries=&timeperiod=today&host=all&rpttimeperiod=&assumeinitialstates=yes&assumestateretention=yes&assumestatesduringnotrunning=yes&includesoftstates=no&initialassumedhoststate=3&initialassumedservicestate=6&backtrack=4" >>/dev/null 2>/dev/null

echo $date >data
echo $time >>data
cat Service_Alerts.html |grep CRITICAL |wc -l >>data
cat Service_Alerts.html |grep WARNING |wc -l >>data
cat Service_Alerts.html |grep UNKNOWN |wc -l >>data
cat Host_Alerts.html |grep CRITICAL |wc -l >>data
cat Host_All.html |grep host |wc -l >>data

awk -vRS="\n" -vORS="\t" '1' data >>Report.xls
echo "" >>Report.xls
echo "done"

– Now you can set Cron job to scheduel it.

Jenkins Installation and Configuration Steps on RHEL 7/Centos 7

Server details:-

Linux ansible 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

CentOS Linux release 7.1.1503 (Core)

Jenkins Features:–

• Easy configuration.
• Distributed builds.
• Plugin Support
• Easy integration with SMTP to send out emails.
• Lightweight.
• Open source.
• Cross platform
• Provide statistics in the form of graphs if required.

Jenkins Installation and Configuration Steps on RHEL 7/Centos 7

By default Jenkins package is not available on the RHEL/Centos repositories. Therefore, that need to add and import the jenkins repository on machine by using below commands.

Now simply install Jenkins by running the following command –

After installation, start Jenkins services –

Jenkins runs on port 8080, Enable/Allow port 8080 from firewall by following below commands

Jenkins by default runs on port 8080. To access Jenkins open up a browser and type in

http://localhost:8080/ or http://<IP_OF_SERVER>:8080/

First time you need to configure account. Welcome page asking about "Unlock Jenkins". You need to copy password from "/var/lib/jenkins/secrets/initialAdminPassword" and past as administrator password.

Click on continue button.  Select the option “Install suggested plugins”.

After done with plugin installation it will ask to create Admin user

Click on “Save and Finish” button.

If you are using proxy server for internet access, then during plugin installation you are getting error.

You need to setup proxy information on Jenkins.

                Then click on “submit”.

Delivery Pipeline View

Plugin Name: – Delivery Pipeline Plugin

This plugin visualize Delivery Pipelines (Jobs with upstream/downstream dependencies)

To install this plugin follow below process.

After click on “Available” put plugin name in “Filter”

                How to create Delivery Pipeline.

                Step1:- Create a new view.

                Step2:- Select good view “Delivery pipeline view”.

                Step3:- Add pipeline.

                Step4:- Fill details. Select initial jobs from where the process starts. In my case job name is “Git_Commit”.

After finish, we can see your jobs in the below view.

In this example fours, jobs clubbed with each other.

When Git_Commit finished then automatic next job “Build_Process” launched. Same for Build_Process and next all.

For linkup, all jobs, which is part of the master pipeline, are triggered by one by one with required checks.

Useful Jenkins Plugins.

Categorized Jobs View

Plugin Name: – categorized-view

This plugin introduces a new view on which you can create collapsible groups of jobs based on regular expressions.

To install this plugin follow below process.

After click on “Available” and put plugin name in “Filter”

How to categorize jobs.

On Jenkins, the main page clicks on  new view and follow these steps.

Step1:- put view name and select categorized jobs view.

Step2:- check regular expression and put filter text. In an example, we grep all jobs which have “PROCESS” word (not case sensitive).  

Step3:- create a regex-grouping rule to not categorize.

Step4:- we can put multiple regex-grouping. In an example, we filter jobs name, which has “BUILD” key word with the name “AM”. Only categorize from an output of step 2 filter.

Step5:- jobs view.

Jenkins + DevOps