Merge pull request #83 from ansible-lockdown/template_and_secrets

Template and secrets
2025-12-24 14:23:05 +00:00 · 2023-08-09 12:28:44 +01:00 · 2023-08-09 12:28:44 +01:00 · 5bedad6472
commit 5bedad6472
parent 83c4e5c7e5 dadeeab2c7
22 changed files with 29 additions and 110 deletions
--- a/.config/.secrets.baseline
+++ b/.config/.secrets.baseline
@ -109,6 +109,12 @@
    },
    {
      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    },
+    {
+      "path": "detect_secrets.filters.regex.should_exclude_file",
+      "pattern": [
+        ".config/.gitleaks-report.json"
+      ]
    }
  ],
  "results": {
@ -166,5 +172,5 @@
      }
    ]
  },
-  "generated_at": "2023-08-07T15:38:18Z"
+  "generated_at": "2023-08-09T08:11:03Z"
 }
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -1,34 +0,0 @@
---
-name: Report Issue
-about: Create a bug issue ticket to help us improve
-title: ''
-labels: bug
-assignees: ''
-
---
-
-**Describe the Issue**
-A clear and concise description of what the bug is.
-
-**Expected Behavior**
-A clear and concise description of what you expected to happen.
-
-**Actual Behavior**
-A clear and concise description of what's happening.
-
-**Control(s) Affected**
-What controls are being affected by the issue
-
-**Environment (please complete the following information):**
-
- branch being used: [e.g. devel]
- Ansible Version: [e.g. 2.10]
- Host Python Version: [e.g. Python 3.7.6]
- Ansible Server Python Version: [e.g. Python 3.7.6]
- Additional Details:
-
-**Additional Notes**
-Anything additional goes here
-
-**Possible Solution**
-Enter a suggested fix here
--- a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md
+++ b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md
@ -1,22 +0,0 @@
---
-name: Feature Request or Enhancement
-about: Suggest an idea for this project
-title: ''
-labels: enhancement
-assignees: ''
-
---
-
-## Feature Request or Enhancement
-
- Feature []
- Enhancement []
-
-**Summary of Request**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Suggested Code**
-Please provide any code you have in mind to fulfill the request
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@ -1,18 +0,0 @@
---
-name: Question
-about: Ask away.......
-title: ''
-labels: question
-assignees: ''
-
---
-
-**Question**
-Pose question here.
-
-**Environment (please complete the following information):**
-
- Ansible Version: [e.g. 2.10]
- Host Python Version: [e.g. Python 3.7.6]
- Ansible Server Python Version: [e.g. Python 3.7.6]
- Additional Details:
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,12 +0,0 @@
-**Overall Review of Changes:**
-A general description of the changes made that are being requested for merge
-
-**Issue Fixes:**
-Please list (using linking) any open issues this PR addresses
-
-**Enhancements:**
-Please list any enhancements/features that are not open issue tickets
-
-**How has this been tested?:**
-Please give an overview of how these changes were tested. If they were not please use N/A
-
--- a/.gitignore
+++ b/.gitignore
@ -12,7 +12,7 @@ delete*
 ignore*
 test_inv
 # temp remove doc while this is built up
-doc/  
+doc/
 # VSCode
 .vscode

--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -33,15 +33,14 @@ repos:
  rev: v1.4.0
  hooks:
  - id: detect-secrets
-    args: ['--baseline', '.config/.secrets.baseline']
-    exclude: package.lock.json
-
+    args: [ '--baseline', '.config/.secrets.baseline' ]
+    exclude: .config/.gitleaks-report.json

 - repo: https://github.com/gitleaks/gitleaks
  rev: v8.17.0
  hooks:
  - id: gitleaks
-    args: ['--baseline-path','.config/.gitleaks-report.json']
+    args: ['--baseline-path', '.config/.gitleaks-report.json']

 - repo: https://github.com/ansible-community/ansible-lint
  rev: v6.17.2
--- a/README.md
+++ b/README.md
@ -22,7 +22,7 @@
 [![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml)

 [![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml)
-![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits)
+![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits)

 ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues)
 ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success)
--- a/tasks/section_1/cis_1.2.x.yml
+++ b/tasks/section_1/cis_1.2.x.yml
@ -17,7 +17,7 @@

      - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail"
        ansible.builtin.fail:
-            msg: Installed GPG Keys do not meet expected values or keys installed that are not expected
+            msg: Installed GPG Keys do not meet expected values or expected keys are not installed
        when:
            - os_installed_pub_keys.rc == 1 or
              os_gpg_key_check.rc == 1
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@ -486,7 +486,7 @@ rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile

 # 5.5.1
 ## PAM
-rhel9cis_pam_password: 
+rhel9cis_pam_password:
  minlen: {{ rhel9cis_pam_password['minlen'] }}
  minclass: {{ rhel9cis_pam_password['minclass'] }}
 rhel9cis_pam_passwd_retry: "3"
--- a/templates/audit/98_auditd_exception.rules.j2
+++ b/templates/audit/98_auditd_exception.rules.j2
@ -1,10 +1,10 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 ### YOUR CHANGES WILL BE LOST!

 # This file contains users whose actions are not logged by auditd
-{% if rhel9cis_allow_auditd_uid_user_exclusions %} 
+{% if rhel9cis_allow_auditd_uid_user_exclusions %}
 {% for user in rhel9cis_auditd_uid_exclude %}
 -a never,user -F uid!={{ user }} -F auid!={{ user }}
 {% endfor %}
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 ### YOUR CHANGES WILL BE LOST!

--- a/templates/etc/cron.d/aide.cron.j2
+++ b/templates/etc/cron.d/aide.cron.j2
@ -1,6 +1,6 @@
-# Run AIDE integrity check 
+# Run AIDE integrity check
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 ### YOUR CHANGES WILL BE LOST!
 # CIS 1.3.2
--- a/templates/etc/dconf/db/00-automount_lock.j2
+++ b/templates/etc/dconf/db/00-automount_lock.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC

 # Lock desktop media-handling automount setting
--- a/templates/etc/dconf/db/00-autorun_lock.j2
+++ b/templates/etc/dconf/db/00-autorun_lock.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC

-# Lock desktop media-handling settings 
+# Lock desktop media-handling settings
 /org/gnome/desktop/media-handling/autorun-never
--- a/templates/etc/dconf/db/00-media-automount.j2
+++ b/templates/etc/dconf/db/00-media-automount.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC

 [org/gnome/desktop/media-handling]
--- a/templates/etc/dconf/db/00-media-autorun.j2
+++ b/templates/etc/dconf/db/00-media-autorun.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC

 [org/gnome/desktop/media-handling]
--- a/templates/etc/dconf/db/00-screensaver.j2
+++ b/templates/etc/dconf/db/00-screensaver.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC

 # Specify the dconf path
--- a/templates/etc/dconf/db/00-screensaver_lock.j2
+++ b/templates/etc/dconf/db/00-screensaver_lock.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC

 # Lock desktop screensaver idle-delay setting
--- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2
+++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC

 [org/gnome/login-screen]
--- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2
+++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2
@ -2,6 +2,6 @@

 # IPv6 disable
 {% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %}
-net.ipv6.conf.all.disable_ipv6 = 1 
+net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
 {% endif %}
--- a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2
+++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2
@ -18,4 +18,4 @@ net.ipv6.conf.default.accept_redirects = 0
 net.ipv6.conf.all.accept_ra = 0
 net.ipv6.conf.default.accept_ra = 0
 {% endif %}
-{% endif %}
+{% endif %}