Merge pull request #45 from ansible-lockdown/ssh_and_badges

Ssh and badges

.github/workflows/benchmark_tracking_controller.yml

@@ -0,0 +1,38 @@
+---
+
+# GitHub schedules all cron jobs in UTC.
+# This expression will run the job every day at 9 AM Eastern Time during Daylight Saving Time (mid-March to early November).
+# This expression will run the job every day at 8 AM Eastern Time during Standard Time (early November to mid-March).
+
+name: Central Benchmark Orchestrator
+
+on:
+  push:
+    branches:
+      - latest
+  schedule:
+    - cron: '0 6 * * *'  # Runs daily at 9 AM ET
+  workflow_dispatch:
+
+jobs:
+  call-benchmark-tracker:
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == 'latest')
+    name: Start Benchmark Tracker
+    uses: ansible-lockdown/github_linux_IaC/.github/workflows/benchmark_track.yml@self_hosted
+    with:
+      repo_name: ${{ github.repository }}
+    secrets:
+      TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }}
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}
+      DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
+
+  call-monitor-promotions:
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    name: Monitor Promotions and Auto-Promote
+    uses: ansible-lockdown/github_linux_IaC/.github/workflows/benchmark_promote.yml@self_hosted
+    with:
+      repo_name: ${{ github.repository }}
+    secrets:
+      TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }}
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}
+      DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}

.github/workflows/export_badges_private.yml

@@ -0,0 +1,27 @@
+---
+
+name: Export Private Repo Badges
+
+# Use different minute offsets with the same hourly pattern:
+# Repo Group Suggested Cron Expression Explanation
+# Group A 0 */6 * * * Starts at top of hour
+# Group B 10 */6 * * * Starts at 10 after
+# And So On
+
+on:
+  push:
+    branches:
+      - latest
+  schedule:
+    - cron: '0 */6 * * *'
+  workflow_dispatch:
+
+jobs:
+  export-badges:
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'schedule' && startsWith(github.repository, 'ansible-lockdown/Private-')) || (github.event_name == 'push' && github.ref_name == 'latest')
+    uses: ansible-lockdown/github_linux_IaC/.github/workflows/export_badges_private.yml@self_hosted
+    with:
+      # Full org/repo path passed for GitHub API calls (e.g., ansible-lockdown/Private-Windows-2016-CIS)
+      repo_name: ${{ github.repository }}
+    secrets:
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}

.github/workflows/export_badges_public.yml

@@ -0,0 +1,19 @@
+---
+
+name: Export Public Repo Badges
+
+on:
+  push:
+    branches:
+      - main
+      - devel
+  workflow_dispatch:
+
+jobs:
+  export-badges:
+    if: github.repository_visibility == 'public' && (github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && (github.ref_name == 'devel' || github.ref_name == 'main')))
+    uses: ansible-lockdown/github_linux_IaC/.github/workflows/export_badges_public.yml@self_hosted
+    with:
+      repo_name: ${{ github.repository }}
+    secrets:
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}

Changelog.md

@@ -8,7 +8,7 @@ README latest versions
 Audit improvements and max-concurrent option added
 Benchmark version variable in audit template
 fixed typo thanks to @fragglexarmy #393
-fixed typo thanks to @trumbaut #397
+fixed typo thanks to @trumbaut #397 & #399
 
 ## 2.0.3 - Based on CIS v2.0.0
 

tasks/section_5/cis_5.1.x.yml

@@ -41,8 +41,8 @@
       ansible.builtin.file:
         path: "{{ item.path }}"
         owner: root
-        group: root
-        mode: 'u-x,go-rwx'
+        group: "{{ 'ssh_keys' if (item.gr_name == 'ssh_keys') else 'root' }}"
+        mode: "{{ 'u-x,g-wx,o-rwx' if (item.gr_name == 'ssh_keys') else 'u-x,go-rwx' }}"
       loop: "{{ discovered_ssh_private_host_key.files }}"
       loop_control:
         label: "{{ item.path }}"