From 09c14e2ca808771c39e30b2294dfa55ef3483283 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 16:28:29 +0100 Subject: [PATCH 01/32] updated workflow files Signed-off-by: Mark Bolwell --- .github/workflows/OS.tfvars | 9 -- .github/workflows/github_networks.tf | 53 -------- .github/workflows/github_vars.tfvars | 14 -- .github/workflows/linux_benchmark_testing.yml | 122 ++++++++++++------ .github/workflows/main.tf | 83 ------------ .github/workflows/terraform.tfvars | 6 - .github/workflows/variables.tf | 81 ------------ 7 files changed, 80 insertions(+), 288 deletions(-) delete mode 100644 .github/workflows/OS.tfvars delete mode 100644 .github/workflows/github_networks.tf delete mode 100644 .github/workflows/github_vars.tfvars delete mode 100644 .github/workflows/main.tf delete mode 100644 .github/workflows/terraform.tfvars delete mode 100644 .github/workflows/variables.tf diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars deleted file mode 100644 index 634512b..0000000 --- a/.github/workflows/OS.tfvars +++ /dev/null @@ -1,9 +0,0 @@ -#Ami Alma 9 -ami_id = "ami-0845395779540e3cb" -ami_os = "rhel9" -ami_username = "ec2-user" -ami_user_home = "/home/ec2-user" -instance_tags = { - Name = "RHEL9-CIS" - Environment = "lockdown_github_repo_workflow" -} diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf deleted file mode 100644 index ba77764..0000000 --- a/.github/workflows/github_networks.tf +++ /dev/null 
@@ -1,53 +0,0 @@
-resource "aws_vpc" "Main" {
- cidr_block = var.main_vpc_cidr
- instance_tenancy = "default"
- tags = {
- Environment = "${var.environment}"
- Name = "${var.namespace}-VPC"
- }
-}
-
-resource "aws_internet_gateway" "IGW" {
- vpc_id = aws_vpc.Main.id
- tags = {
- Environment = "${var.environment}"
- Name = "${var.namespace}-IGW"
- }
-}
-
-resource "aws_subnet" "publicsubnets" {
- vpc_id = aws_vpc.Main.id
- cidr_block = var.public_subnets
- availability_zone = var.availability_zone
- tags = {
- Environment = "${var.environment}"
- Name = "${var.namespace}-pubsub"
- }
-}
-
-resource "aws_subnet" "Main" {
- vpc_id = aws_vpc.Main.id
- cidr_block = var.private_subnets
- availability_zone = var.availability_zone
- tags = {
- Environment = "${var.environment}"
- Name = "${var.namespace}-prvsub"
- }
-}
-
-resource "aws_route_table" "PublicRT" {
- vpc_id = aws_vpc.Main.id
- route {
- cidr_block = "0.0.0.0/0"
- gateway_id = aws_internet_gateway.IGW.id
- }
- tags = {
- Environment = "${var.environment}"
- Name = "${var.namespace}-publicRT"
- }
-}
-
-resource "aws_route_table_association" "rt_associate_public" {
- subnet_id = aws_subnet.Main.id
- route_table_id = aws_route_table.PublicRT.id
-}
diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars
deleted file mode 100644
index 24daeca..0000000
--- a/.github/workflows/github_vars.tfvars
+++ /dev/null
@@ -1,14 +0,0 @@
-// github_actions variables
-// Resourced in github_networks.tf
-// Declared in variables.tf
-//
-
-namespace = "github_actions"
-environment = "lockdown_github_repo_workflow"
-
-// Matching pair name found in AWS for keypairs PEM key
-ami_key_pair_name = "github_actions"
-private_key = ".ssh/github_actions.pem"
-main_vpc_cidr = "172.22.0.0/24"
-public_subnets = "172.22.0.128/26"
-private_subnets = "172.22.0.192/26"
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml
index 9d32ece..d5c5726 100644
--- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -1,3 +1,5 @@ +--- + # This is a basic workflow to help you get started with Actions name: linux_benchmark_pipeline 
@@ -6,48 +8,61 @@ name: linux_benchmark_pipeline # Triggers the workflow on push or pull request # events but only for the devel branch on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' # A workflow run is made up of one or more jobs # that can run sequentially or in parallel jobs: # This will create messages for first time contributers and direct them to the Discord server welcome: - runs-on: ubuntu-latest + runs-on: ubuntu-latest - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + steps: + - uses: actions/first-interaction@main + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. 
# This workflow contains a single job called "build" build: # The type of runner that the job will run on runs-on: ubuntu-latest - env: - ENABLE_DEBUG: false + ENABLE_DEBUG: true + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, + # Checks-out your repository under $GITHUB_WORKSPACE, # so your job can access it - - uses: actions/checkout@v3 + - name: Clone ${{ github.event.repository.name }} + uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} + # Pull in terraform code for linux servers + - name: Clone github IaC plan + uses: actions/checkout@v3 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + - name: Add_ssh_key working-directory: .github/workflows env: 
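Review bot: The `build` job still runs on `pull_request_target` and then checks out `${{ github.event.pull_request.head.sha }}` (the fork's code) before executing it with `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `SSH_PRV_KEY` in scope in the later steps, so any PR author can edit `site.yml` or a task file to read those secrets; this trigger is only safe when the untrusted checkout is never executed. Gate the job on trust before it runs anything, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository` on `build` (or a maintainer-applied label such as `if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')`), or move provisioning into a `workflow_run` job that does not see the PR's code. The new checkout of `ansible-lockdown/github_linux_IaC` has no `ref`, so every run applies whatever is on that repository's default branch with live AWS credentials; pin it with `ref: <tag-or-commit-sha>`, and pin `actions/first-interaction@main` to a release tag or SHA for the same reason. `ENABLE_DEBUG` is flipped to `true`, which turns on the `cat hosts.yml` step for every PR run; if that was only for developing this change, set it back to `false` before merging.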
@@ -58,54 +73,77 @@ jobs: chmod 700 .ssh echo $PRIVATE_KEY > .ssh/github_actions.pem chmod 600 .ssh/github_actions.pem + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd + ls + + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} ### Build out the server + - name: Terraform_Init - working-directory: .github/workflows + id: init run: terraform init + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - name: Terraform_Validate - working-directory: .github/workflows + id: validate run: terraform validate + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - name: Terraform_Apply - working-directory: .github/workflows + id: apply env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false ## Debug Section - name: DEBUG - Show Ansible hostfile if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows run: cat hosts.yml # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds run: sleep 60s - shell: bash # Run the ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: - playbook: 
site.yml - inventory: .github/workflows/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} + playbook: site.yml + inventory: .github/workflows/github_linux_IaC/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} # verbose: 3 env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" # Remove test system - User secrets to keep if necessary - name: Terraform_Destroy - working-directory: .github/workflows - if: always() && env.ENABLE_DEBUG == 'false' + if: always() env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf deleted file mode 100644 index c877665..0000000 --- a/.github/workflows/main.tf +++ /dev/null 
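Review bot: `Run_Ansible_Playbook` hands `SSH_PRV_KEY` to `arillso/action.playbook@master`, a third-party action tracked by a mutable branch, so whoever can push to that branch controls what runs with the key; pin it to a release tag or full commit SHA (`uses: arillso/action.playbook@<sha>`). In the `Add_ssh_key` context lines, `echo $PRIVATE_KEY > .ssh/github_actions.pem` expands the secret unquoted, which collapses a multi-line PEM onto one line; if the secret is stored as a normal PEM, `printf '%s\n' "$PRIVATE_KEY" > .ssh/github_actions.pem` keeps it intact. The `${OSVAR}.tfvars` argument silently becomes `.tfvars` when the `OSVAR` repository variable is unset, so an early fail-fast such as `test -n "$OSVAR" || { echo 'OSVAR not set'; exit 1; }` would give a clearer failure than a terraform error. Making `Terraform_Destroy` unconditional with `if: always()` is the right call for an ephemeral test host.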
@@ -1,83 +0,0 @@ -provider "aws" { - profile = "" - region = var.aws_region -} - -// Create a security group with access to port 22 and port 80 open to serve HTTP traffic - -resource "random_id" "server" { - keepers = { - # Generate a new id each time we switch to a new AMI id - ami_id = "${var.ami_id}" - } - - byte_length = 8 -} - -resource "aws_security_group" "github_actions" { - name = "${var.namespace}-${random_id.server.hex}-SG" - vpc_id = aws_vpc.Main.id - - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-SG" - } -} - -// instance setup - -resource "aws_instance" "testing_vm" { - ami = var.ami_id - availability_zone = var.availability_zone - associate_public_ip_address = true - key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs - instance_type = var.instance_type - tags = var.instance_tags - vpc_security_group_ids = [aws_security_group.github_actions.id] - subnet_id = aws_subnet.Main.id - root_block_device { - delete_on_termination = true - } -} - -// generate inventory file -resource "local_file" "inventory" { - filename = "./hosts.yml" - directory_permission = "0755" - file_permission = "0644" - content = < Date: Wed, 26 Jul 2023 16:50:48 +0100 Subject: [PATCH 02/32] lint updates Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 -- tasks/section_3/cis_3.1.x.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 8 ++++---- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index c4b27e7..544dd4b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -3,8 +3,6 @@ - name: Reload sysctl ansible.builtin.shell: sysctl --system - when: - - sysctl_updated.changed - name: Sysctl flush ipv4 route table ansible.posix.sysctl: diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 7ffe31c..52a3f3c 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -44,7 +44,7 @@ ansible.builtin.shell: nmcli radio all off changed_when: false failed_when: false - when: rhel_09_wifi_enabled is changed + when: rhel_09_wifi_enabled is changed # noqa no-handler when: - rhel9cis_rule_3_1_2 tags: diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 8a1c4a8..955f83f 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -168,7 +168,7 @@ loop: "{{ rhel_09_6_1_10_audit.results }}" when: - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - item.stdout | length > 0 - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" @@ -214,7 +214,7 @@ loop: "{{ rhel_09_6_1_11_audit.results }}" when: - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - item.stdout | length > 0 - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" 
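Review bot: The `Reload sysctl` handler is now unconditional, which is the normal handler contract (it only runs when notified), but it still uses `ansible.builtin.shell` for a command that needs no shell features; `ansible.builtin.command: sysctl --system` does the same without spawning a shell and satisfies ansible-lint's command-instead-of-shell rule. The removed `when: sysctl_updated.changed` referenced a variable registered by a task, which is undefined in the handler if that task never ran, so dropping it also removes a latent undefined-variable failure rather than changing effective behaviour. The handler body is fully visible here; the tasks that notify it are not.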
@@ -270,7 +270,7 @@ loop: "{{ rhel_09_6_1_13_suid_perms.results }}" when: - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - item.stdout | length > 0 - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" @@ -312,7 +312,7 @@ loop: "{{ rhel_09_6_1_14_sgid_perms.results }}" when: - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - item.stdout | length > 0 - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" From 2d222fbc49076295d167f2252409f16af397740a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 16:51:03 +0100 Subject: [PATCH 03/32] updated Signed-off-by: Mark Bolwell --- .ansible-lint | 1 + 1 file changed, 1 insertion(+) diff --git a/.ansible-lint b/.ansible-lint index 964eb05..057c65e 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -12,6 +12,7 @@ skip_list: - 'name[casing]' - 'name[template]' - 'fqcn[action]' + - 'key-order[task]' - '204' - '305' - '303' From 495f942b7d26ee82690dc16eb4f231c587a57687 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 16:51:17 +0100 Subject: [PATCH 04/32] added pre-commit files Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 69 ++++++++++++++++ .secrets.baseline | 172 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 241 insertions(+) create mode 100644 .pre-commit-config.yaml create mode 100644 .secrets.baseline diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..561e9e5 --- /dev/null +++ b/.pre-commit-config.yaml 
@@ -0,0 +1,69 @@ +--- + +repos: +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v3.2.0 + hooks: + # Safety + - id: detect-aws-credentials + - id: detect-private-key + + # git checks + - id: check-merge-conflict + - id: check-added-large-files + - id: check-case-conflict + + # General checks + - id: trailing-whitespace + name: Trim Trailing Whitespace + description: This hook trims trailing whitespace. + entry: trailing-whitespace-fixer + language: python + types: [text] + args: [--markdown-linebreak-ext=md] + - id: end-of-file-fixer + +# Scan for passwords +- repo: https://github.com/Yelp/detect-secrets + rev: v1.4.0 + hooks: + - id: detect-secrets + args: ['--baseline', '.secrets.baseline'] + exclude: package.lock.json + +- repo: https://github.com/ansible-community/ansible-lint + rev: v6.17.2 + hooks: + - id: ansible-lint + name: Ansible-lint + description: This hook runs ansible-lint. + entry: python3 -m ansiblelint --force-color site.yml -c .ansible-lint + language: python + # do not pass files to ansible-lint, see: + # https://github.com/ansible/ansible-lint/issues/611 + pass_filenames: false + always_run: true + additional_dependencies: + # https://github.com/pre-commit/pre-commit/issues/1526 + # If you want to use specific version of ansible-core or ansible, feel + # free to override `additional_dependencies` in your own hook config + # file. + - ansible-core>=2.10.1 + +- repo: https://github.com/adrienverge/yamllint.git + rev: v1.32.0 # or higher tag + hooks: + - id: yamllint + +## To be moved to main link when PR approved - https://github.com/ansible/ansible-sign.git +- repo: https://github.com/ansible-lockdown/ansible-sign.git + rev: v0.1.1b + hooks: + - id: ansible-sign + name: Verify Ansible-sign signature + description: This hook runs ansible-sign. + entry: ansible-sign project gpg-verify . + language: python + # do not pass files as we need to scan the directory with the MANIFEST.in + pass_filenames: false + always_run: true 
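Review bot: `detect-aws-credentials` from pre-commit-hooks fails outright when the machine running it has no AWS credentials configured, which is the normal state for most contributors' checkouts; add `args: ['--allow-missing-credentials']` under that hook so it only errors when a configured key actually appears in the diff. `exclude: package.lock.json` on the detect-secrets hook looks like a typo for `package-lock.json`, and an Ansible role has no npm lockfile anyway, so the line can go. The `trailing-whitespace` entry re-declares `entry`, `language` and `types` that the upstream hook already defines; only `args: [--markdown-linebreak-ext=md]` is needed. `rev: v3.2.0` of pre-commit-hooks dates from 2020, so bumping to a current tag gets the maintained versions of `detect-private-key` and friends.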
diff --git a/.secrets.baseline b/.secrets.baseline new file mode 100644 index 0000000..521cd47 --- /dev/null +++ b/.secrets.baseline 
@@ -0,0 +1,172 @@ +{ + "version": "1.4.0", + "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, + { + "name": "AWSKeyDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "name": "Base64HighEntropyString", + "limit": 4.5 + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "name": "KeywordDetector", + "keyword_exclude": "" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "SendGridDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_baseline_file", + "filename": ".secrets.baseline" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": "detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" + } + ], + "results": { + 
"defaults/main.yml": [ + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "is_verified": false, + "line_number": 363, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", + "is_verified": false, + "line_number": 374, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", + "is_verified": false, + "line_number": 375, + "is_secret": false + } + ], + "tasks/main.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb", + "is_verified": false, + "line_number": 38, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "is_verified": false, + "line_number": 109, + "is_secret": false + } + ], + "tasks/parse_etc_password.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/parse_etc_password.yml", + "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "is_verified": false, + "line_number": 18, + "is_secret": false + } + ] + }, + "generated_at": "2023-07-04T16:02:46Z" +} + From c9db12b603d5f6aafe3f6aa5ff7673b3701c7a02 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 16:58:33 +0100 Subject: [PATCH 05/32] updated lint Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 13 ------------- tasks/auditd.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 8 ++++---- 3 files changed, 5 insertions(+), 18 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 561e9e5..8087b48 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -54,16 +54,3 @@ repos: rev: v1.32.0 # or higher tag hooks: - id: yamllint - -## To be moved to main link when PR approved - https://github.com/ansible/ansible-sign.git -- repo: https://github.com/ansible-lockdown/ansible-sign.git - rev: v0.1.1b - hooks: - - id: ansible-sign - name: Verify Ansible-sign signature - description: This hook runs ansible-sign. - entry: ansible-sign project gpg-verify . - language: python - # do not pass files as we need to scan the directory with the MANIFEST.in - pass_filenames: false - always_run: true diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 486ef31..f578657 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -19,7 +19,7 @@ - Audit immutable fact - Restart auditd -- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa: no-handler +- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'Auditd template updated, see diff output for details' diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 955f83f..76f92be 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -173,7 +173,7 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: - msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | json_query('results[*].stdout_lines[*]') | flatten }}" + msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] when: rhel_09_6_1_10_unowned_files_found - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" 
@@ -219,7 +219,7 @@ - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: - msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | json_query('results[*].stdout_lines[*]') | flatten }}" + msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] when: rhel_09_6_1_11_ungrouped_files_found - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" @@ -275,7 +275,7 @@ - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" ansible.builtin.debug: - msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" + msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] when: rhel9_6_1_13_suid_found - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" @@ -317,7 +317,7 @@ - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" ansible.builtin.debug: - msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" + msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] when: rhel9_6_1_14_sgid_found - name: "6.1.14 | AUDIT | Audit SGID executables| warning" From 66ed22e5eedf04f593b9ea0508c03f9b2925285c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 17:05:18 +0100 Subject: [PATCH 06/32] Added pre-commit manifest file Signed-off-by: Mark Bolwell --- MANIFEST.in | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 MANIFEST.in diff --git a/MANIFEST.in b/MANIFEST.in new file mode 100644 index 0000000..6fc2d89 --- /dev/null +++ b/MANIFEST.in 
@@ -0,0 +1,20 @@ +# Files for ansible-signing + +include site.yml +include MANIFEST.in +include .secrets.baseline +include *.md *.rst +include ansible.cfg +include .ansible-lint .gitattributes .gitignore .yamllint .pre-commit-config.yaml LICENSE +include requirements.txt Makefile +recursive-exclude .git * +recursive-include .github *.yml *.md *.tf *.tfvars +recursive-include collections *.yml +recursive-include defaults *.yml +recursive-include files * +recursive-include handlers *.yml +recursive-include meta *.yml +recursive-include molecule *.yml +recursive-include tasks *.yml +recursive-include templates *.j2 +recursive-include vars *.yml From 3f6b53f4f31b43bbebd64be333fb85b7eb880ca2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 17:08:17 +0100 Subject: [PATCH 07/32] updated content Signed-off-by: Mark Bolwell --- README.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index a819e4d..d2970e6 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ ![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/RHEL9-CIS/linux_benchmark_testing.yml?label=Devel%20Build%20Status) ![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) -![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) +![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) ![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/RHEL9-CIS/linux_benchmark_testing.yml?label=Build%20Status) ![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS?label=Release%20Date) ![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/RHEL9-CIS?label=Release%20Tag&&color=success) 
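Review bot: This manifest defines the set of files that `ansible-sign` signs and verifies, so anything it does not match can be changed without breaking the signature; the extension-limited patterns such as `recursive-include tasks *.yml` and `recursive-include templates *.j2` leave a `.yaml`, `.sh` or `.py` dropped into those directories unsigned. Consider one `recursive-include <dir> *` per directory for `tasks`, `templates`, `handlers`, `vars`, `defaults`, `meta` and `collections` (mirroring the `files` pattern already used) so every file that can affect execution is covered. `recursive-include .github *.tf *.tfvars` now matches nothing, since those files were deleted from `.github/workflows` earlier in this series, and can be dropped.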
@@ -100,10 +100,6 @@ Almalinux 9 Rocky 9 OracleLinux 9 -ansible 2.10 -jmespath -relevant collections - - Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) **General:** @@ -120,13 +116,15 @@ relevant collections **Technical Dependencies:** - Python3 -- Ansible 2.9+ +- Ansible 2.10+ - python-def (should be included in RHEL 9) - libselinux-python - pip packages - jmespath ( complete list found in requirements.txt) - collections found in collections/requirememnts.yml +pre-commit is available if installed + ## Role Variables This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done by overriding the required varaibles as found in defaults/main.yml file. e.g. using inventory, group_vars, extra_vars From 81b2f06dabb2f6451b4912589a039eacf22e8a4c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 17:17:45 +0100 Subject: [PATCH 08/32] updated 5.6.5 logic Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 527208d..7d6cd1d 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml 
@@ -83,25 +83,21 @@ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" block: - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings" - ansible.builtin.replace: - path: /etc/login.defs - regexp: "{{ item.regexp }}" - replace: "{{ item.replace }}" - loop: - - { regexp: '(UMASK\s+)0[012][0-6]', replace: '\1 027' } - - { regexp: '(USERGROUPS_ENAB\s+)yes', replace: '\1 no' } + ansible.builtin.lineinfile: + path: "{{ item.path }}" + regexp: '(?i)(umask\s*)' + line: '{{ item.line }} 027' + with_items: + - { path: '/etc/bash.bashrc', line: 'umask' } + - { path: '/etc/profile', line: 'umask' } + - { path: '/etc/login.defs', line: 'UMASK' } - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" - ansible.builtin.replace: - path: /etc/bashrc - regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' - replace: '\1 027' + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^USERGROUPS_ENAB' + line: USERGROUPS_ENAB no - - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" - ansible.builtin.replace: - path: /etc/profile - regexp: '(?i)(umask)\s0[0-2][0-6]' - replace: '\1 027' when: - rhel9cis_rule_5_6_5 tags: From 1dbe8b2706a7085cbffca650d9e41ae80c6c5890 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 17:21:26 +0100 Subject: [PATCH 09/32] updated Signed-off-by: Mark Bolwell --- Changelog.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Changelog.md b/Changelog.md index 0a98224..04f7d85 100644 --- a/Changelog.md +++ b/Changelog.md 
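Review bot: The new loop targets `/etc/bash.bashrc`, a Debian path, where the task it replaces edited `/etc/bashrc`; on RHEL 9 that file does not exist and `lineinfile` without `create: true` fails the task, so this control now errors on its target platform. The regexp `(?i)(umask\s*)` is also unanchored, so it matches any line mentioning umask — comments in `/etc/login.defs` and `/etc/profile` included — and `lineinfile` rewrites only the last such line with `umask 027`, dropping its indentation; the stock RHEL `/etc/bashrc` sets `umask` in two branches (`002` and `022`), so the earlier one is left untouched, whereas the previous `replace` tasks covered every occurrence. The second task is named `Set umask for /etc/bashrc` but edits `USERGROUPS_ENAB` in `/etc/login.defs`; rename it to match. I would keep `ansible.builtin.replace` with value-anchored patterns for profile/bashrc and use `lineinfile` only for the single-value `login.defs` keys, as sketched below.

```yaml
    - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask in /etc/profile and /etc/bashrc"
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: '(?i)^(\s*)umask\s+0[0-2][0-6]'
        replace: '\1umask 027'
      loop:
        - /etc/profile
        - /etc/bashrc

    - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set UMASK and USERGROUPS_ENAB in /etc/login.defs"
      ansible.builtin.lineinfile:
        path: /etc/login.defs
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      loop:
        - { regexp: '^UMASK\s', line: 'UMASK 027' }
        - { regexp: '^USERGROUPS_ENAB\s', line: 'USERGROUPS_ENAB no' }
    # … unchanged: when/tags of the 5.6.5 block …
```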
@@ -1,5 +1,17 @@ # Changes to rhel9CIS +## 1.1.0 + +- new workflow configuration +- Added pre-commit config - Does not have to be used but can imrpove things + - .pre-commit-config.yaml + - MANIFEST.in + - .secrets.baseline + +- updated to logic in 5.6.5 +- lint updates to 6.1.x +- readme updates + ## 1.0.10 - [#72](https://github.com/ansible-lockdown/RHEL9-CIS/issues/72) From b16d09aa82e7c7a2ea45b43320d6393c6096c716 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 08:41:07 +0100 Subject: [PATCH 10/32] updated Signed-off-by: Mark Bolwell --- README.md | 134 ++++++------------------------------------------------ 1 file changed, 14 insertions(+), 120 deletions(-) diff --git a/README.md b/README.md index d2970e6..6ff9449 100644 --- a/README.md +++ b/README.md @@ -41,6 +41,11 @@ Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. +### Contributing + +Issues and Pull requests are welcome please ensure that all commits are signed-off-by and gpg-signed. +Refer to [Contributing Guide](./CONTRIBUTING.rst) + --- ## Caution(s) @@ -60,10 +65,10 @@ To use release version please point to main branch and relevant release for the It is possible to to only run level 1 or level 2 controls for CIS. This is managed using tags: -- level1_server -- level1_workstation -- level2_server -- level2_workstation +- level1-server +- level1-workstation +- level2-server +- level2-workstation The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. @@ -123,7 +128,7 @@ OracleLinux 9 - jmespath ( complete list found in requirements.txt) - collections found in collections/requirememnts.yml -pre-commit is available if installed +pre-commit is available if installed on your host for pull request testing. ## Role Variables 
@@ -173,119 +178,8 @@ uses: ## Local Testing -ansible-base 2.10.17 - python 3.8 -ansible-core 2.13.4 - python 3.10 +- ansible-base 2.10.17 - python 3.8 +- ansible-core 2.13.4 - python 3.10 +- ansible-core 2.15.1 - python 3.11 -- makefile - this is there purely for testing and initial setup purposes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -## v1.0.0 - released Dec 2022 - -![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL9-CIS/CommunityToDevel?label=Devel%20Build%20Status&style=plastic) -![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL9-CIS/DevelToMain?label=Main%20Build%20Status&style=plastic) -![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS?style=plastic) - - - -## Join us - -On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users - -## Caution(s) - -This role **will make changes to the system** which may have unintended concequences. - -This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed. 
- -To use release version please point to main branch - -## Documentation - -- [Readthedocs](https://ansible-lockdown.readthedocs.io/en/latest/) -- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown) -- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise) -- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration) -- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise) - -## Requirements - -RHEL 9 -Almalinux 9 -Rocky 9 -OracleLinux 9 - -ansible 2.10 -jmespath -relevant collections - -- Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) - -## Tested with - -ansible-base 2.10.17 - python 3.8 -ansible-core 2.13.4 - python 3.10 - -- makefile - this is there purely for testing and initial setup purposes. - -## General - -- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible - - [Main Ansible documentation page](https://docs.ansible.com) - - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) - - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) - -- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. -- Please read through the tasks in this role to gain an understanding of what each control is doing. - - Some of the tasks are disruptive and can have unintended consiquences in a live production system. 
Also familiarize yourself with the variables in the defaults/main.yml file - -## Dependencies - -- Python3 -- Ansible 2.9+ -- python-def (should be included in RHEL 9) -- libselinux-python -- pip packages - - jmespath ( complete list found in requirements.txt) -- collections found in collections/requirememnts.yml - - - - - -### Known Issues - -CIS 1.2.4 - repo_gpgcheck is not carried out for RedHat hosts as the default repos do not have this function. This also affect EPEL(not covered by var). - - Rocky and Alma not affected. -Variable used to unset. -rhel9cis_rhel_default_repo: true # to be set to false if using repo that does have this ability +makefile - this is there purely for testing and initial setup purposes. From cfee090156da4d04c091fe5896be3a9726f6e5bc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 08:52:41 +0100 Subject: [PATCH 11/32] turned off debug Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index d5c5726..895cd4e 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -39,7 +39,7 @@ jobs: # The type of runner that the job will run on runs-on: ubuntu-latest env: - ENABLE_DEBUG: true + ENABLE_DEBUG: false # Imported as a variable by terraform TF_VAR_repository: ${{ github.event.repository.name }} defaults: @@ -73,7 +73,7 @@ jobs: chmod 700 .ssh echo $PRIVATE_KEY > .ssh/github_actions.pem chmod 600 .ssh/github_actions.pem - + - name: DEBUG - Show IaC files if: env.ENABLE_DEBUG == 'true' run: | From b631459e9b3ea43a7849a022a575dc120a13e2fe Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 28 Jul 2023 15:09:52 +0100 Subject: [PATCH 12/32] fix typo in bashrc path Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 7d6cd1d..7379f3f 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -88,7 +88,7 @@ regexp: '(?i)(umask\s*)' line: '{{ item.line }} 027' with_items: - - { path: '/etc/bash.bashrc', line: 'umask' } + - { path: '/etc/bashrc', line: 'umask' } - { path: '/etc/profile', line: 'umask' } - { path: '/etc/login.defs', line: 'UMASK' } From 009c9fc498f37c360d5764f122f213d20fe06520 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 28 Jul 2023 15:16:50 +0100 Subject: [PATCH 13/32] updated audit vars naming, AMD & ARM binaries Signed-off-by: Mark Bolwell --- defaults/main.yml | 11 +-- tasks/LE_audit_setup.yml | 34 ++++---- tasks/post_remediation_audit.yml | 10 ++- tasks/pre_remediation_audit.yml | 132 ++++++++++++++++--------------- 4 files changed, 99 insertions(+), 88 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 81df6a1..2cc4700 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -52,7 +52,7 @@ setup_audit: false # How to retrive goss # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded -get_goss_file: download +get_audit_binary_method: download # how to get audit files onto host options # options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly) 
@@ -663,15 +663,16 @@ audit_run_script_environment: AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" ### Goss binary settings ### -goss_version: - release: v0.3.21 - checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' +audit_bin_release: v0.3.23 +audit_bin_version: + AMD64_checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' + ARM64_checksum: 'sha256:7b0794fa590857e7d64ef436e1a100ca26f6039f269a6138009aa837d27d7f9e' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json # if get_goss_file == download change accordingly -goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64" +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_release }}/goss-linux-" ## if get_goss_file - copy the following needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index bc929ae..29f8960 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml 
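Review bot: The comments documenting the settings this hunk renames still refer to the old variable: `# if get_goss_file == download change accordingly` above `audit_bin_url` and `## if get_goss_file - copy the following needs to be updated for your environment` below it should say `get_audit_binary_method`, and `# How to retrive goss` above the rename in the first hunk of this file is in the same state. A reader adjusting the download source would look for a variable that no longer exists. A line above `audit_bin_version` such as `# keyed as <ARCH>_checksum; <ARCH> is chosen in tasks/LE_audit_setup.yml and appended to audit_bin_url` would also explain why `audit_bin_url` ends in `goss-linux-`.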
@@ -1,30 +1,34 @@ --- -- name: Download audit binary +- name: Pre Audit Setup | Set audit package name + block: + - name: Pre Audit Setup | Set audit package name | 64bit + ansible.builtin.set_fact: + audit_pkg_arch_name: AMD64 + when: ansible_machine == "x86_64" + + - name: Pre Audit Setup | Set audit package name | ARM64 + ansible.builtin.set_fact: + audit_pkg_arch_name: ARM64 + when: ansible_machine == "arm64" + +- name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: - url: "{{ goss_url }}" + url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}" dest: "{{ audit_bin }}" owner: root group: root - checksum: "{{ goss_version.checksum }}" + checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" mode: 0555 when: - - get_goss_file == 'download' + - get_audit_binary_method == 'download' -- name: Copy audit binary +- name: Pre Audit Setup | copy audit binary ansible.builtin.copy: - src: + src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" mode: 0555 owner: root group: root when: - - get_goss_file == 'copy' - -- name: Install git if not present - ansible.builtin.package: - name: git - state: present - register: git_installed - when: - - '"git" not in ansible_facts.packages' + - get_audit_binary_method == 'copy' diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 0eb7608..f0a7664 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
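Review bot: The ARM branch of the new `Set audit package name` block tests `ansible_machine == "arm64"`, but the Ansible fact for 64-bit ARM Linux hosts is `aarch64`, so `audit_pkg_arch_name` is never set there and the download task fails on an undefined variable instead of fetching the ARM binary; any other architecture fails the same way because the block has no catch-all. The URL is built as `{{ audit_bin_url }}{{ audit_pkg_arch_name }}`, which gives `goss-linux-AMD64`, whereas the removed `goss_url` used the lowercase asset name `goss-linux-amd64` and GitHub release asset names are case-sensitive, so the download is likely to 404. Widen the ARM match, assert the fact is defined, and lowercase the suffix when building the URL.
```yaml
- name: Pre Audit Setup | Set audit package name
  block:
    - name: Pre Audit Setup | Set audit package name | 64bit
      ansible.builtin.set_fact:
        audit_pkg_arch_name: AMD64
      when: ansible_machine == "x86_64"

    - name: Pre Audit Setup | Set audit package name | ARM64
      ansible.builtin.set_fact:
        audit_pkg_arch_name: ARM64
      when: ansible_machine in ["aarch64", "arm64"]

    - name: Pre Audit Setup | Fail if no audit binary is published for this architecture
      ansible.builtin.assert:
        that: audit_pkg_arch_name is defined
        fail_msg: "No audit binary mapping for ansible_machine={{ ansible_machine }}"

- name: Pre Audit Setup | Download audit binary
  ansible.builtin.get_url:
    url: "{{ audit_bin_url }}{{ audit_pkg_arch_name | lower }}"
    # … unchanged: dest, owner, group, checksum, mode, when …
```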
@@ -2,9 +2,11 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: audit_run_post_remediation.rc == 0 - register: audit_run_post_remediation + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" - name: Post Audit | ensure audit files readable by users ansible.builtin.file: @@ -17,7 +19,7 @@ - name: Post Audit | Capture audit data if json format block: - - name: "Capture data {{ post_audit_outfile }}" + - name: "capture data {{ post_audit_outfile }}" ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 2947e6a..711f59b 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
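Review bot: The `environment:` block is now hard-coded on the task, so `audit_run_script_environment` in defaults/main.yml (still defined there, visible as context in the defaults hunk of this commit) no longer has any effect and anyone who overrode it loses the override silently; the same replacement is made in tasks/pre_remediation_audit.yml in this commit. Either drop the variable from defaults or keep `environment: "{{ audit_run_script_environment | default({}) }}"` and move `AUDIT_BIN`, `AUDIT_CONTENT_LOCATION` and `AUDIT_FILE` into that default. `AUDIT_FILE: "goss.yml"` is the only literal filename among otherwise variable-driven settings, so a short comment, or a variable, would help the next reader.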
@@ -1,109 +1,113 @@ --- -- name: Pre Audit | Setup the audit +- name: Pre Audit Binary Setup | Setup the LE audit ansible.builtin.include_tasks: LE_audit_setup.yml when: - - setup_audit + - setup_audit tags: - - setup_audit + - setup_audit -- name: "Pre Audit | Ensure {{ audit_conf_dir }} exists" +- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' -- name: Pre Audit | retrieve audit content files from git - ansible.builtin.git: - repo: "{{ audit_file_git }}" - dest: "{{ audit_conf_dir }}" - version: "{{ audit_git_version }}" +- name: Pre Audit Setup | If using git for content set up + block: + - name: Pre Audit Setup | Install git + ansible.builtin.package: + name: git + state: present + + - name: Pre Audit Setup | retrieve audit content files from git + ansible.builtin.git: + repo: "{{ audit_file_git }}" + dest: "{{ audit_conf_dir }}" + version: "{{ audit_git_version }}" when: - - audit_content == 'git' + - audit_content == 'git' -- name: Pre Audit | confirm audit branch vs benchmark version - ansible.builtin.debug: - msg: "Audit will run the branch {{ audit_git_version }} for this Benchmark {{ benchmark_version }}" - -- name: Pre Audit | copy to audit content files to server +- name: Pre Audit Setup | copy to audit content files to server ansible.builtin.copy: src: "{{ audit_local_copy }}" - dest: "{{ audit_conf_dir }}" - mode: 0644 + dest: "{{ audit_conf_dest }}" + mode: preserve when: - - audit_content == 'copy' + - audit_content == 'copy' -- name: Pre Audit | get audit content from url +- name: Pre Audit Setup | unarchive audit content files on server + ansible.builtin.unarchive: + src: "{{ audit_conf_copy }}" + dest: "{{ audit_conf_dir }}" + when: + - audit_content == 'archived' + +- name: Pre Audit Setup | get audit content from url ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" - owner: root - group: root - mode: 0755 when: - - 
audit_content == 'get_url' + - audit_content == 'get_url' -- name: Pre Audit | Check Goss is available +- name: Pre Audit Setup | Check Goss is available block: - - name: Pre Audit | Check for goss file - ansible.builtin.stat: - path: "{{ audit_bin }}" - register: goss_available + - name: Pre Audit Setup | Check for goss file + ansible.builtin.stat: + path: "{{ audit_bin }}" + register: goss_available - - name: Pre Audit | Alert if goss not available - ansible.builtin.assert: - that: goss_available.stat.exists - fail_msg: "Audit binary file {{ audit_bin }} does not exist" + - name: Pre Audit Setup | If audit ensure goss is available + ansible.builtin.assert: + msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" + when: + - not goss_available.stat.exists when: - - run_audit + - run_audit -- name: "Pre Audit | Check whether machine is UEFI-based" - ansible.builtin.stat: - path: /sys/firmware/efi - register: rhel9_efi_boot - tags: - - goss_template - -- name: Pre Audit | Copy ansible default vars values to test audit +- name: Pre Audit Setup | Copy ansible default vars values to test audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: 0600 when: - - run_audit + - run_audit tags: - - goss_template + - goss_template + - always - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: audit_run_pre_remediation.rc == 0 - register: audit_run_pre_remediation + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" - name: Pre Audit | Capture audit data if json format block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - ansible.builtin.shell: "cat {{ pre_audit_outfile }}" - register: 
pre_audit - changed_when: false + - name: "capture data {{ pre_audit_outfile }}" + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false - - name: Pre Audit | Capture pre-audit result - ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" - vars: - summary: 'summary."summary-line"' + - name: Pre Audit | Capture pre-audit result + ansible.builtin.set_fact: + pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" + vars: + summary: 'summary."summary-line"' when: - - audit_format == "json" + - audit_format == "json" - name: Pre Audit | Capture audit data if documentation format block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" - register: pre_audit - changed_when: false + - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format" + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false - - name: Pre Audit | Capture pre-audit result - ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout_lines }}" + - name: Pre Audit | Capture pre-audit result | documentation format + ansible.builtin.set_fact: + pre_audit_summary: "{{ pre_audit.stdout_lines }}" when: - - audit_format == "documentation" + - audit_format == "documentation" From 093c5950d25d8a2073ad4b555ca524d86d21ba44 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 28 Jul 2023 15:31:12 +0100 Subject: [PATCH 14/32] updated changelog Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 04f7d85..f553ad9 100644 --- a/Changelog.md +++ b/Changelog.md 
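Review bot: The new `If audit ensure goss is available` task calls `ansible.builtin.assert` with only `msg:` and no `that:`, which is a required argument, so when the binary is missing the play fails with a module argument error rather than the intended message, and when it is present the `when:` skips the task so the omission goes unnoticed. Replace the `msg`/`when` pair with `that: goss_available.stat.exists` and `fail_msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"`. The `copy` and `unarchive` tasks reference `audit_conf_dest` and `audit_conf_copy`, which the defaults/main.yml hunks in this commit do not add; if they are not already defined there, those content methods fail on an undefined variable. The `always` tag added to the template task makes it run under any tag selection, which together with `when: run_audit` looks deliberate but deserves a comment saying so.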
@@ -11,6 +11,8 @@ - updated to logic in 5.6.5 - lint updates to 6.1.x - readme updates +- audit control updates and variable name changes + - ability to run audit on arm64(e.g. pi or M1/2) too thanks to @lucab85 #77 ## 1.0.10 From 0f34707b66b979b56eb05a83cd7fba3f60a2df07 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 31 Jul 2023 10:36:51 +0100 Subject: [PATCH 15/32] moved precommit file location Signed-off-by: Mark Bolwell --- .../.pre-commit-config.yaml | 2 +- .secrets.baseline => .precommit/.secrets.baseline | 10 ++++------ 2 files changed, 5 insertions(+), 7 deletions(-) rename .pre-commit-config.yaml => .precommit/.pre-commit-config.yaml (96%) rename .secrets.baseline => .precommit/.secrets.baseline (95%) diff --git a/.pre-commit-config.yaml b/.precommit/.pre-commit-config.yaml similarity index 96% rename from .pre-commit-config.yaml rename to .precommit/.pre-commit-config.yaml index 8087b48..fa1decd 100644 --- a/.pre-commit-config.yaml +++ b/.precommit/.pre-commit-config.yaml @@ -28,7 +28,7 @@ repos: rev: v1.4.0 hooks: - id: detect-secrets - args: ['--baseline', '.secrets.baseline'] + args: ['--baseline', '.precommit/.secrets.baseline'] exclude: package.lock.json - repo: https://github.com/ansible-community/ansible-lint diff --git a/.secrets.baseline b/.precommit/.secrets.baseline similarity index 95% rename from .secrets.baseline rename to .precommit/.secrets.baseline index 521cd47..e393467 100644 --- a/.secrets.baseline +++ b/.precommit/.secrets.baseline @@ -77,7 +77,7 @@ }, { "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".secrets.baseline" + "filename": ".precommit/.secrets.baseline" }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", @@ -152,7 +152,7 @@ "filename": "tasks/main.yml", "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", "is_verified": false, - "line_number": 109, + "line_number": 110, "is_secret": false } ], 
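Review bot: Moving the config to `.precommit/.pre-commit-config.yaml` means `pre-commit install` and `pre-commit run` no longer find it, since only a root-level `.pre-commit-config.yaml` is auto-discovered, so the detect-secrets hook whose `--baseline` argument this hunk updates only runs when invoked with `-c .precommit/.pre-commit-config.yaml`; a comment at the top of the file, or a root config that remains the entry point, would prevent the hooks from silently not running. The relative baseline path itself should resolve, as pre-commit runs hooks from the repository root. The MANIFEST.in hunk in the following commit still lists a root `.pre-commit-config.yaml` in its context line, which no longer exists after this rename.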
@@ -162,11 +162,9 @@ "filename": "tasks/parse_etc_password.yml", "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", "is_verified": false, - "line_number": 18, - "is_secret": false + "line_number": 18 } ] }, - "generated_at": "2023-07-04T16:02:46Z" + "generated_at": "2023-07-31T09:36:20Z" } - From b634952569c813d6fd6a26e3296a2b2a4a87319e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 31 Jul 2023 10:37:09 +0100 Subject: [PATCH 16/32] updated file locations Signed-off-by: Mark Bolwell --- MANIFEST.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MANIFEST.in b/MANIFEST.in index 6fc2d89..88214c1 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -2,7 +2,7 @@ include site.yml include MANIFEST.in -include .secrets.baseline +include .precommit/.secrets.baseline include *.md *.rst include ansible.cfg include .ansible-lint .gitattributes .gitignore .yamllint .pre-commit-config.yaml LICENSE From 2fbeae499294f7c442fa92a364ec03b449905862 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 31 Jul 2023 10:37:52 +0100 Subject: [PATCH 17/32] updated with precommit check Signed-off-by: Mark Bolwell --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 6ff9449..e98e2a1 100644 --- a/README.md +++ b/README.md @@ -173,7 +173,8 @@ uses: - ansible-core 2.12 - ansible collections - pulls in the latest version based on requirements file -- runs the audit using the devel branch +- Runs the audit using the devel branch +- Runs the pre-commit setup on the PR to ensure everything is in place as expected. - This is an automated test that occurs on pull requests into devel ## Local Testing @@ -183,3 +184,8 @@ uses: - ansible-core 2.15.1 - python 3.11 makefile - this is there purely for testing and initial setup purposes. +pre-commit can be tested with + +```sh +pre-commit run -c .precommit/.precommit-commit-config.yaml +``` From b0f5ea04377d118d716a8e5be8e0c52c4a023421 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Tue, 1 Aug 2023 16:41:08 +0100 Subject: [PATCH 18/32] updated with PR #78 Signed-off-by: Mark Bolwell --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index e98e2a1..df0df9f 100644 --- a/README.md +++ b/README.md @@ -56,13 +56,13 @@ Check Mode is not supported! The role will complete in check mode without errors This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. -To use release version please point to main branch and relevant release for the cis benchmark you wish to work with. +To use the release version, please point to the `main` branch and relevant release for the cis benchmark you wish to work with. --- ## Matching a security Level for CIS -It is possible to to only run level 1 or level 2 controls for CIS. +It is possible to only run level 1 or level 2 controls for CIS. This is managed using tags: - level1-server 
@@ -70,23 +70,23 @@ This is managed using tags: - level2-server - level2-workstation -The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. +The control found in the `defaults` main also needs to reflect this, as this control is the testing that takes place if you are using the audit component. ## Coming from a previous release -CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release. -This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. +CIS release always contains changes, it is highly recommended to review the new references and available variables. This has changed significantly since the ansible-lockdown initial release. +This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites which configure the system accordingly. Further details can be seen in the [Changelog](./ChangeLog.md) ## Auditing (new) -This can be turned on or off within the defaults/main.yml file with the variable rhel8cis_run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. +This can be turned on or off within the `defaults/main.yml` file with the variables `setup_audit` and `run_audit`. The value is `false` by default. Please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings. 
-A new form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. -This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. +A new form of auditing has been developed by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check without the need for infrastructure or other tooling. +This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also try to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit). From 81f580c5c026a982427dabdaa7a22da9566a3850 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 1 Aug 2023 16:55:42 +0100 Subject: [PATCH 19/32] added centos wording Signed-off-by: Mark Bolwell --- README.md | 10 ++++++++-- vars/CentOS.yml | 4 ++++ 2 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 vars/CentOS.yml diff --git a/README.md b/README.md index df0df9f..341467b 100644 --- a/README.md +++ b/README.md 
@@ -15,11 +15,11 @@ ![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61781?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) -![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/RHEL9-CIS/linux_benchmark_testing.yml?label=Devel%20Build%20Status) +[![devel build status](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/devel_pipeline_validation.yml/badge.svg?branch=devel)](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/devel_pipeline_validation.yml) ![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) -![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/RHEL9-CIS/linux_benchmark_testing.yml?label=Build%20Status) +[![main build status](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/main_pipeline_validation.yml/badge.svg?branch=main)](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/main_pipeline_validation.yml) ![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS?label=Release%20Date) ![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/RHEL9-CIS?label=Release%20Tag&&color=success) @@ -107,6 +107,12 @@ OracleLinux 9 - Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) +CentOS stream - while this will generally work it is not supported and requires the following variable setting + +```sh +check_os: false +``` + **General:** - Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible 
diff --git a/vars/CentOS.yml b/vars/CentOS.yml new file mode 100644 index 0000000..08ca326 --- /dev/null +++ b/vars/CentOS.yml @@ -0,0 +1,4 @@ +--- + +os_gpg_key_pubkey_name: centos-gpg-keys +os_gpg_key_pubkey_content: "builder@centos.org 9.0" From 2a38e18864eb856d9660a8ebced6ba14b3229173 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 1 Aug 2023 17:03:45 +0100 Subject: [PATCH 20/32] Added pipelines Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 153 ++++++++++++++++++ ...sting.yml => main_pipeline_validation.yml} | 113 ++++++------- 2 files changed, 206 insertions(+), 60 deletions(-) create mode 100644 .github/workflows/devel_pipeline_validation.yml rename .github/workflows/{linux_benchmark_testing.yml => main_pipeline_validation.yml} (61%) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml new file mode 100644 index 0000000..e51af9b --- /dev/null +++ b/.github/workflows/devel_pipeline_validation.yml 
@@ -0,0 +1,153 @@
+---
+
+ name: devel_pipeline_validation
+
+ on: # yamllint disable-line rule:truthy
+ pull_request_target:
+ types: [opened, reopened, synchronize]
+ branches:
+ - devel
+ paths:
+ - '**.yml'
+ - '**.sh'
+ - '**.j2'
+ - '**.ps1'
+ - '**.cfg'
+
+ # A workflow run is made up of one or more jobs
+ # that can run sequentially or in parallel
+ jobs:
+ # This will create messages for first time contributers and direct them to the Discord server
+ welcome:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/first-interaction@main
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ pr-message: |-
+ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+ Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+
+ # Carries out lint tests on the content
+ linting:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Clone ${{ github.event.repository.name }}
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: Run ansible-lint
+ uses: ansible/ansible-lint-action@v6
+ with:
+ path: ./site.yml
+
+ # This workflow contains a single job which tests the playbook
+ playbook-test:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+ env:
+ ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
+ # Imported as a variable by terraform
+ TF_VAR_repository: ${{ github.event.repository.name }}
+ defaults:
+ run:
+ shell: bash
+ working-directory: .github/workflows/github_linux_IaC
+
+ steps:
+ - name: Clone ${{ github.event.repository.name }}
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ # Pull in terraform code for linux servers
+ - name: Clone github IaC plan
+ uses: actions/checkout@v3
+ with:
+ repository: ansible-lockdown/github_linux_IaC
+ path: .github/workflows/github_linux_IaC
+
+ - name: Add_ssh_key
+ working-directory: .github/workflows
+ env:
+ SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+ PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
+ run: |
+ mkdir .ssh
+ chmod 700 .ssh
+ echo $PRIVATE_KEY > .ssh/github_actions.pem
+ chmod 600 .ssh/github_actions.pem
+
+ - name: DEBUG - Show IaC files
+ if: env.ENABLE_DEBUG == 'true'
+ run: |
+ echo "OSVAR = $OSVAR"
+ echo "benchmark_type = $benchmark_type"
+ pwd
+ ls
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ - name: Terraform_Init
+ id: init
+ run: terraform init
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ - name: Terraform_Validate
+ id: validate
+ run: terraform validate
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ - name: Terraform_Apply
+ id: apply
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+ run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+
+ ## Debug Section
+ - name: DEBUG - Show Ansible hostfile
+ if: env.ENABLE_DEBUG == 'true'
+ run: cat hosts.yml
+
+ # Aws deployments taking a while to come up insert sleep or playbook fails
+
+ - name: Sleep for 60 seconds
+ run: sleep 60s
+
+ # Run the ansible playbook
+ - name: Run_Ansible_Playbook
+ uses: arillso/action.playbook@master
+ with:
+ playbook: site.yml
+ inventory: .github/workflows/github_linux_IaC/hosts.yml
+ galaxy_file: collections/requirements.yml
+ private_key: ${{ secrets.SSH_PRV_KEY }}
+ # verbose: 3
+ env:
+ ANSIBLE_HOST_KEY_CHECKING: "false"
+ ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+ # Remove test system - User secrets to keep if necessary
+
+ - name: Terraform_Destroy
+ if: always() && env.ENABLE_DEBUG == 'false'
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+ run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/main_pipeline_validation.yml
similarity index 61%
rename from .github/workflows/linux_benchmark_testing.yml
rename to .github/workflows/main_pipeline_validation.yml
index 895cd4e..22d158a 100644
--- a/.github/workflows/linux_benchmark_testing.yml
+++ b/.github/workflows/main_pipeline_validation.yml
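Review bot: `playbook-test` runs on `pull_request_target`, checks out `github.event.pull_request.head.sha` and then executes that checkout's `site.yml` on a runner that has already run `terraform apply` with `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` and holds `SSH_PRV_KEY`, so a pull request from a fork reaches the repository's cloud and SSH secrets with no approval gate; the same layout is used by main_pipeline_validation.yml below. Gate the job on a protected `environment:` with required reviewers, or restrict it with `if: github.event.pull_request.head.repo.full_name == github.repository`, and add a top-level `permissions:` block so the `GITHUB_TOKEN` is read-only outside the `welcome` job. The third-party actions are pulled from moving refs (`actions/first-interaction@main`, `arillso/action.playbook@master`); pinning them to a commit SHA keeps the job reproducible. In `Add_ssh_key`, `echo $PRIVATE_KEY > .ssh/github_actions.pem` expands the secret unquoted, which collapses a multi-line PEM onto one line; `printf '%s\n' "$PRIVATE_KEY" > .ssh/github_actions.pem` preserves it, and `SSH_AUTH_SOCK` is set but never used in that step.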
@@ -1,62 +1,58 @@ --- -# This is a basic workflow to help you get started with Actions + name: main_pipeline_validation -name: linux_benchmark_pipeline + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' -# Controls when the action will run. -# Triggers the workflow on push or pull request -# events but only for the devel branch -on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: -# A workflow run is made up of one or more jobs -# that can run sequentially or in parallel -jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. 
- # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - env: - ENABLE_DEBUG: false - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, - # so your job can access it + # Carries out lint tests on the content + linting: + runs-on: ubuntu-latest + steps: - name: Clone ${{ github.event.repository.name }} uses: actions/checkout@v3 with: - ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha }} - # Pull in terraform code for linux servers + - name: Run ansible-lint + uses: ansible/ansible-lint-action@v6 + with: + path: ./site.yml + + # This workflow contains a single job which tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: ubuntu-latest + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + + steps: + - name: Clone ${{ github.event.repository.name }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Pull in terraform code for linux servers - name: Clone github IaC plan uses: actions/checkout@v3 with: 
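Review bot: Both new jobs check out `ref: ${{ github.event.pull_request.head.sha }}` under the `pull_request_target` trigger kept at the top of this hunk, and that event runs in the base repository's context with its secrets available; the `playbook-test` job then runs the checked-out `site.yml` with `secrets.SSH_PRV_KEY` and the AWS keys used by the Terraform steps further down this file, so a pull request from a fork can have its own playbook content executed against those credentials. The `paths` filter only decides which PRs start the run, not what the checked-out content may do. A defensive arrangement is to gate `playbook-test` on a deployment `environment` with required reviewers (or a maintainer-applied label) so only reviewed heads reach `Terraform_Apply`, while the `linting` job, which needs no secrets, can run on plain `pull_request`. The `playbook-test` job continues past the end of this hunk.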
@@ -81,13 +77,10 @@ jobs: echo "benchmark_type = $benchmark_type" pwd ls - env: - # Imported from github variables this is used to load the relvent OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - -### Build out the server + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} - name: Terraform_Init id: init @@ -114,7 +107,7 @@ jobs: TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false - ## Debug Section + ## Debug Section - name: DEBUG - Show Ansible hostfile if: env.ENABLE_DEBUG == 'true' run: cat hosts.yml @@ -124,7 +117,7 @@ jobs: - name: Sleep for 60 seconds run: sleep 60s - # Run the ansible playbook + # Run the ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: @@ -137,10 +130,10 @@ jobs: ANSIBLE_HOST_KEY_CHECKING: "false" ANSIBLE_DEPRECATION_WARNINGS: "false" - # Remove test system - User secrets to keep if necessary + # Remove test system - User secrets to keep if necessary - name: Terraform_Destroy - if: always() + if: always() && env.ENABLE_DEBUG == 'false' env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} From 0713706d4c40dff6842c9779cd8167249b77e8a8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 1 Aug 2023 17:06:00 +0100 Subject: [PATCH 21/32] fixed typo and updated Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index f553ad9..f6006b5 100644 --- a/Changelog.md +++ b/Changelog.md 
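Review bot: In the first hunk (`@@ -81,13 +77,10 @@`) the `env:` key is deleted but `OSVAR: ${{ vars.OSVAR }}` and `benchmark_type: ${{ vars.BENCHMARK_TYPE }}` are re-added without it, so unless the indentation lost in this rendering places them under some other mapping they are no longer step environment variables: depending on their indent they either become trailing text of the `run: |` block scalar and are executed as shell, or become unknown step keys the workflow parser rejects. Either way `echo "OSVAR = $OSVAR"` in the same step prints nothing useful. Restoring `env:` above the two entries, as the `Terraform_Init` and `Terraform_Validate` steps still do, fixes it. The DEBUG step this belongs to starts before the hunk.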
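Review bot: In the last hunk (`@@ -137,10 +130,10 @@`), `if: always() && env.ENABLE_DEBUG == 'false'` runs `Terraform_Destroy` only when the env value is exactly the string `false`; with `ENABLE_DEBUG` now taken from `${{ vars.ENABLE_DEBUG }}` in the earlier hunk of this file, an unset or differently spelled repository variable yields a value that matches neither branch, so whatever `Terraform_Apply` built is never torn down and keeps running, reachable with the test SSH key. Inverting the test, `if: always() && env.ENABLE_DEBUG != 'true'`, keeps the debug opt-in while defaulting to cleanup. The `Terraform_Destroy` step continues past the end of the hunk.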
@@ -3,9 +3,10 @@ ## 1.1.0 - new workflow configuration -- Added pre-commit config - Does not have to be used but can imrpove things + - Allowing devel and main configs + - IaC code found in alternate repo for easier mgmt +- Added pre-commit config - Does not have to be used but can improve things - .pre-commit-config.yaml - - MANIFEST.in - .secrets.baseline - updated to logic in 5.6.5 @@ -13,6 +14,8 @@ - readme updates - audit control updates and variable name changes - ability to run audit on arm64(e.g. pi or M1/2) too thanks to @lucab85 #77 +- tidy up README adopted PR #78 thanks to @lucab85 + ## 1.0.10 From 4bbf19b6d1f310ecdc9eed64a423fcae6886baf9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 1 Aug 2023 17:08:05 +0100 Subject: [PATCH 22/32] updated precommit config Signed-off-by: Mark Bolwell --- .../.pre-commit-config.yaml => .pre-commit-config.yaml | 7 ++++++- .precommit/.secrets.baseline => .secrets.baseline | 4 ++-- 2 files changed, 8 insertions(+), 3 deletions(-) rename .precommit/.pre-commit-config.yaml => .pre-commit-config.yaml (88%) rename .precommit/.secrets.baseline => .secrets.baseline (97%) diff --git a/.precommit/.pre-commit-config.yaml b/.pre-commit-config.yaml similarity index 88% rename from .precommit/.pre-commit-config.yaml rename to .pre-commit-config.yaml index fa1decd..e6541d9 100644 --- a/.precommit/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,4 +1,9 @@ --- +##### CI for use by github no need for action to be added +##### Inherited +ci: + autofix_prs: false + skip: [detect-aws-credentials, ansible-lint ] repos: - repo: https://github.com/pre-commit/pre-commit-hooks @@ -28,7 +33,7 @@ repos: rev: v1.4.0 hooks: - id: detect-secrets - args: ['--baseline', '.precommit/.secrets.baseline'] + args: ['--baseline', '.secrets.baseline'] exclude: package.lock.json - repo: https://github.com/ansible-community/ansible-lint 
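Review bot: In the `.pre-commit-config.yaml` hunk at `@@ -1,4 +1,9 @@`, the flow sequence `skip: [detect-aws-credentials, ansible-lint ]` carries a stray space before the closing bracket; `skip: [detect-aws-credentials, ansible-lint]` matches the other flow lists in this file. The two `#####` lines above the `ci:` block do not say what the block configures; a comment such as `# Settings for the hosted pre-commit.ci service (no GitHub Action needed)` would, and it is worth recording why `ansible-lint` and `detect-aws-credentials` are skipped there so a later reader does not assume those checks run in CI.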
diff --git a/.precommit/.secrets.baseline b/.secrets.baseline similarity index 97% rename from .precommit/.secrets.baseline rename to .secrets.baseline index e393467..f4c8d28 100644 --- a/.precommit/.secrets.baseline +++ b/.secrets.baseline @@ -77,7 +77,7 @@ }, { "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".precommit/.secrets.baseline" + "filename": ".secrets.baseline" }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", @@ -166,5 +166,5 @@ } ] }, - "generated_at": "2023-07-31T09:36:20Z" + "generated_at": "2023-08-01T16:07:28Z" } From 2a7d1cef964c37ddb5500f961d0483f63bc76f50 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 2 Aug 2023 15:49:38 +0100 Subject: [PATCH 23/32] updated Readme Signed-off-by: Mark Bolwell --- README.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 341467b..7f82018 100644 --- a/README.md +++ b/README.md 
@@ -15,13 +15,14 @@ ![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61781?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) -[![devel build status](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/devel_pipeline_validation.yml/badge.svg?branch=devel)](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/devel_pipeline_validation.yml) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) - ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) -[![main build status](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/main_pipeline_validation.yml/badge.svg?branch=main)](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/main_pipeline_validation.yml) -![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS?label=Release%20Date) -![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/RHEL9-CIS?label=Release%20Tag&&color=success) +![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS) +![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS) + +[![Main pipeline status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml) + +[![Devel pipeline status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) ![Issues 
Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues) ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success) @@ -29,6 +30,7 @@ ![License](https://img.shields.io/github/license/ansible-lockdown/RHEL9-CIS?label=License) + --- ## Looking for support? From 8525b1e31c6862de4fe51e9c03242f837717950c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 2 Aug 2023 16:03:45 +0100 Subject: [PATCH 24/32] updated pipeline workflows Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 4 ++-- .github/workflows/main_pipeline_validation.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index e51af9b..a6c4a90 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -1,6 +1,6 @@ --- - name: devel_pipeline_validation + name: Devel pipeline on: # yamllint disable-line rule:truthy pull_request_target: @@ -30,7 +30,7 @@ Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. # Carries out lint tests on the content - linting: + lint: runs-on: ubuntu-latest steps: - name: Clone ${{ github.event.repository.name }} diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 22d158a..fc7f808 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -1,6 +1,6 @@ --- - name: main_pipeline_validation + name: Main pipeline on: # yamllint disable-line rule:truthy pull_request_target: From 203cc2b68269cb026737715cd6f0181c1c56701e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 2 Aug 2023 16:05:01 +0100 Subject: [PATCH 25/32] removed files 
Signed-off-by: Mark Bolwell --- MANIFEST.in | 20 -------------------- ansible.cfg | 30 ------------------------------ local.yml | 8 -------- 3 files changed, 58 deletions(-) delete mode 100644 MANIFEST.in delete mode 100644 ansible.cfg delete mode 100644 local.yml diff --git a/MANIFEST.in b/MANIFEST.in deleted file mode 100644 index 88214c1..0000000 --- a/MANIFEST.in +++ /dev/null @@ -1,20 +0,0 @@ -# Files for ansible-signing - -include site.yml -include MANIFEST.in -include .precommit/.secrets.baseline -include *.md *.rst -include ansible.cfg -include .ansible-lint .gitattributes .gitignore .yamllint .pre-commit-config.yaml LICENSE -include requirements.txt Makefile -recursive-exclude .git * -recursive-include .github *.yml *.md *.tf *.tfvars -recursive-include collections *.yml -recursive-include defaults *.yml -recursive-include files * -recursive-include handlers *.yml -recursive-include meta *.yml -recursive-include molecule *.yml -recursive-include tasks *.yml -recursive-include templates *.j2 -recursive-include vars *.yml diff --git a/ansible.cfg b/ansible.cfg deleted file mode 100644 index 1f4e5c4..0000000 --- a/ansible.cfg +++ /dev/null @@ -1,30 +0,0 @@ -[defaults] -host_key_checking=False -display_skipped_hosts=True -system_warnings=False -command_warnings=False -nocows=1 -retry_files_save_path=/dev/null -pipelining=true - -# Use the YAML callback plugin. -#stdout_callback = yaml -# Use the stdout_callback when running ad-hoc commands. -bin_ansible_callbacks = True - -[privilege_escalation] - -[paramiko_connection] -record_host_keys=False - -[ssh_connection] -transfer_method=scp -ssh_args = -o ControlMaster=auto -o ControlPersist=60s - -[accelerate] - -[selinux] - -[colors] - -[diff] diff --git a/local.yml b/local.yml deleted file mode 100644 index 18c2f43..0000000 --- a/local.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -- hosts: localhost - connection: local - become: true - - roles: - - role: "{{ playbook_dir }}" 
From c631b24a9dcca694887f856611b77923ae2012d0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 2 Aug 2023 16:27:15 +0100 Subject: [PATCH 26/32] updated file locations Signed-off-by: Mark Bolwell --- .secrets.baseline => .config/.secrets.baseline | 4 ++-- requirements.txt => .config/requirements.txt | 0 .pre-commit-config.yaml | 2 +- Makefile | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) rename .secrets.baseline => .config/.secrets.baseline (97%) rename requirements.txt => .config/requirements.txt (100%) diff --git a/.secrets.baseline b/.config/.secrets.baseline similarity index 97% rename from .secrets.baseline rename to .config/.secrets.baseline index f4c8d28..dbcf03d 100644 --- a/.secrets.baseline +++ b/.config/.secrets.baseline @@ -77,7 +77,7 @@ }, { "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".secrets.baseline" + "filename": ".config/.secrets.baseline" }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", @@ -166,5 +166,5 @@ } ] }, - "generated_at": "2023-08-01T16:07:28Z" + "generated_at": "2023-08-02T15:26:59Z" } diff --git a/requirements.txt b/.config/requirements.txt similarity index 100% rename from requirements.txt rename to .config/requirements.txt diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e6541d9..794d35a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -33,7 +33,7 @@ repos: rev: v1.4.0 hooks: - id: detect-secrets - args: ['--baseline', '.secrets.baseline'] + args: ['--baseline', '.config/.secrets.baseline'] exclude: package.lock.json - repo: https://github.com/ansible-community/ansible-lint diff --git a/Makefile b/Makefile index c39a283..99029ac 100755 --- a/Makefile +++ b/Makefile @@ -25,5 +25,5 @@ yamllint: pip-requirements: @echo 'Python dependencies:' - @cat requirements.txt + @cat .config/requirements.txt pip3 install -r requirements.txt From 2590d8a9553fb0d53f910afd9461e94a1fe667ef Mon Sep 17 00:00:00 2001 
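Review bot: In the Makefile hunk, `@cat .config/requirements.txt` is updated but the following line still runs `pip3 install -r requirements.txt`, a path that no longer exists after the rename in this same commit, so the `pip-requirements` target prints the dependency list and then fails; it should read `pip3 install -r .config/requirements.txt`. The recipe may continue past the end of the hunk.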
From: Mark Bolwell Date: Wed, 2 Aug 2023 16:28:44 +0100 Subject: [PATCH 27/32] updated changelog Signed-off-by: Mark Bolwell --- Changelog.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index f6006b5..4a4c8c7 100644 --- a/Changelog.md +++ b/Changelog.md @@ -15,7 +15,8 @@ - audit control updates and variable name changes - ability to run audit on arm64(e.g. pi or M1/2) too thanks to @lucab85 #77 - tidy up README adopted PR #78 thanks to @lucab85 - +- moved Makefile requirements to .config/ +- removed .ansible.cfg and local.yml ## 1.0.10 From 299cada9885cd45929b4e3c3d1c8e528c73e4522 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 4 Aug 2023 08:08:23 +0100 Subject: [PATCH 28/32] updated github tag labels Signed-off-by: Mark Bolwell --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 7f82018..f0f95ee 100644 --- a/README.md +++ b/README.md 
@@ -19,9 +19,9 @@ ![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS) ![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS) -[![Main pipeline status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml) +[![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml) -[![Devel pipeline status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml) +[![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml) ![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues) @@ -30,7 +30,6 @@ ![License](https://img.shields.io/github/license/ansible-lockdown/RHEL9-CIS?label=License) - --- ## Looking for support? @@ -192,8 +191,9 @@ uses: - ansible-core 2.15.1 - python 3.11 makefile - this is there purely for testing and initial setup purposes. -pre-commit can be tested with +pre-commit can be tested +Is run from with the directory ```sh -pre-commit run -c .precommit/.precommit-commit-config.yaml +pre-commit run ``` From b314be45ef2d0f13eb6f9dbce5055f494a12035d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 4 Aug 2023 17:45:55 +0100 Subject: [PATCH 29/32] removed separate lint task 
Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 15 --------------- .github/workflows/main_pipeline_validation.yml | 15 --------------- 2 files changed, 30 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index a6c4a90..a4e7d48 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -29,21 +29,6 @@ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. - # Carries out lint tests on the content - lint: - runs-on: ubuntu-latest - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Run ansible-lint - uses: ansible/ansible-lint-action@v6 - with: - path: ./site.yml - # This workflow contains a single job which tests the playbook playbook-test: # The type of runner that the job will run on diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index fc7f808..0b149fb 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -18,21 +18,6 @@ # that can run sequentially or in parallel jobs: - # Carries out lint tests on the content - linting: - runs-on: ubuntu-latest - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Run ansible-lint - uses: ansible/ansible-lint-action@v6 - with: - path: ./site.yml - # This workflow contains a single job which tests the playbook playbook-test: # The type of runner that the job will run on From c5cd1a84878f439459aa91fa93a6689479ac0753 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Mon, 7 Aug 2023 16:39:23 +0100 Subject: [PATCH 30/32] Added secerts baselines Signed-off-by: Mark Bolwell --- .config/.gitleaks-report.json | 322 ++++++++++++++++++++++++++++++++++ .config/.secrets.baseline | 2 +- 2 files changed, 323 insertions(+), 1 deletion(-) create mode 100644 .config/.gitleaks-report.json diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json new file mode 100644 index 0000000..fbdde5d --- /dev/null +++ b/.config/.gitleaks-report.json 
@@ -0,0 +1,322 @@ +[ + { + "Description": "Generic API Key", + "StartLine": 119, + "EndLine": 119, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\"", + "Secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.853056, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:119" + }, + { + "Description": "Generic API Key", + "StartLine": 127, + "EndLine": 127, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"fe96f7cfa2ab2224e7d015067a6f6cc713f7012e\"", + "Secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.6568441, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:127" + }, + { + "Description": "Generic API Key", + "StartLine": 135, + "EndLine": 135, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"a415ab5cc17c8c093c015ccdb7e552aee7911aa4\"", + "Secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.5221736, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit 
files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:135" + }, + { + "Description": "Generic API Key", + "StartLine": 145, + "EndLine": 145, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"2478fefdceefe2847c3aa36dc731aaad5b3cc2fb\"", + "Secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.6348295, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:145" + }, + { + "Description": "Generic API Key", + "StartLine": 153, + "EndLine": 153, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", + "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.646039, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:153" + }, + { + "Description": "Generic API Key", + "StartLine": 163, + "EndLine": 163, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", + "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": 
"495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.8439426, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:163" + }, + { + "Description": "Generic API Key", + "StartLine": 119, + "EndLine": 119, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\"", + "Secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.853056, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:119" + }, + { + "Description": "Generic API Key", + "StartLine": 127, + "EndLine": 127, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"fe96f7cfa2ab2224e7d015067a6f6cc713f7012e\"", + "Secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.6568441, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:127" + }, + { + "Description": "Generic API Key", + "StartLine": 135, + "EndLine": 135, + "StartColumn": 18, + "EndColumn": 68, + 
"Match": "secret\": \"a415ab5cc17c8c093c015ccdb7e552aee7911aa4\"", + "Secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.5221736, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:135" + }, + { + "Description": "Generic API Key", + "StartLine": 145, + "EndLine": 145, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"2478fefdceefe2847c3aa36dc731aaad5b3cc2fb\"", + "Secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.6348295, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:145" + }, + { + "Description": "Generic API Key", + "StartLine": 153, + "EndLine": 153, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", + "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.646039, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": 
"7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:153" + }, + { + "Description": "Generic API Key", + "StartLine": 163, + "EndLine": 163, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", + "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.8439426, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:163" + }, + { + "Description": "Generic API Key", + "StartLine": 3, + "EndLine": 4, + "StartColumn": 9, + "EndColumn": 1, + "Match": "key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec", + "Secret": "gpg-pubkey-8d8b756f-629e59ec", + "File": "vars/OracleLinux.yml", + "SymlinkFile": "", + "Commit": "e04da88df42da0108d489f359513c574fbe5c87a", + "Entropy": 3.96772, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-03-06T11:22:08Z", + "Message": "Added OracleLinux support\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "e04da88df42da0108d489f359513c574fbe5c87a:vars/OracleLinux.yml:generic-api-key:3" + }, + { + "Description": "Generic API Key", + "StartLine": 4, + "EndLine": 5, + "StartColumn": 8, + "EndColumn": 1, + "Match": "key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b", + "Secret": "gpg-pubkey-fd431d51-4ae0493b", + "File": "vars/RedHat.yml", + "SymlinkFile": "", + "Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a", + "Entropy": 3.96772, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2022-07-25T10:26:27Z", + "Message": "1.2.2 rpm gpg key 
check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/RedHat.yml:generic-api-key:4" + }, + { + "Description": "Generic API Key", + "StartLine": 4, + "EndLine": 5, + "StartColumn": 8, + "EndColumn": 1, + "Match": "key_pubkey_name: gpg-pubkey-b86b3716-61e69f29", + "Secret": "gpg-pubkey-b86b3716-61e69f29", + "File": "vars/AlmaLinux.yml", + "SymlinkFile": "", + "Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a", + "Entropy": 3.824863, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2022-07-25T10:26:27Z", + "Message": "1.2.2 rpm gpg key check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/AlmaLinux.yml:generic-api-key:4" + }, + { + "Description": "Generic API Key", + "StartLine": 4, + "EndLine": 5, + "StartColumn": 8, + "EndColumn": 1, + "Match": "key_pubkey_name: gpg-pubkey-350d275d-6279464b", + "Secret": "gpg-pubkey-350d275d-6279464b", + "File": "vars/Rocky.yml", + "SymlinkFile": "", + "Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a", + "Entropy": 3.9946804, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2022-07-25T10:26:27Z", + "Message": "1.2.2 rpm gpg key check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/Rocky.yml:generic-api-key:4" + } +] diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index dbcf03d..26e9634 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -166,5 +166,5 @@ } ] }, - "generated_at": "2023-08-02T15:26:59Z" + "generated_at": "2023-08-07T15:38:18Z" } From 05f8889aaef696e403677fe0252e06a666a39320 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Mon, 7 Aug 2023 16:39:44 +0100 Subject: [PATCH 31/32] added gitleaks plugin Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 794d35a..f044df5 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,6 +36,13 @@ repos: args: ['--baseline', '.config/.secrets.baseline'] exclude: package.lock.json + +- repo: https://github.com/gitleaks/gitleaks + rev: v8.17.0 + hooks: + - id: gitleaks + args: ['--baseline-path','.config/.gitleaks-report.json'] + - repo: https://github.com/ansible-community/ansible-lint rev: v6.17.2 hooks: From c53cc86db0e9721de358871780e77b86970b176f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 7 Aug 2023 16:40:32 +0100 Subject: [PATCH 32/32] updated for gitleaks Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 4a4c8c7..e3b0e82 100644 --- a/Changelog.md +++ b/Changelog.md @@ -8,6 +8,7 @@ - Added pre-commit config - Does not have to be used but can improve things - .pre-commit-config.yaml - .secrets.baseline + - gitleaks and secrets detection - updated to logic in 5.6.5 - lint updates to 6.1.x
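Review bot: `args: ['--baseline-path','.config/.gitleaks-report.json']` points the new hook at a report whose entries (added in the previous patch) record `"File": ".secrets.baseline"` with commit-scoped fingerprints, while that file now lives at `.config/.secrets.baseline`; if gitleaks matches baseline entries by fingerprint, findings in the moved file will not be suppressed and the hook will fail on the next edit to it, so regenerating the report against the current tree, or listing the current fingerprints in a `.gitleaksignore`, should be confirmed before relying on this. Style: add the space after the comma, `args: ['--baseline-path', '.config/.gitleaks-report.json']`, matching the `detect-secrets` args line above. A short comment above the hook noting that the baseline only silences previously reviewed findings would help future maintainers understand why a report file is committed.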