From 9db4b7fd810be4113711296deb6d285e138923cd Mon Sep 17 00:00:00 2001
From: uk-bolly <69214557+uk-bolly@users.noreply.github.com>
Date: Wed, 2 Feb 2022 11:34:50 +0000
Subject: [PATCH] Improvements (#5)
* container standards
Signed-off-by: Mark Bolwell
* logic on handlers
Signed-off-by: Mark Bolwell
* initial container ignore
Signed-off-by: Mark Bolwell
* tags and containder discovery
Signed-off-by: Mark Bolwell
* logic on auditd task
Signed-off-by: Mark Bolwell
* tags and crypto logic
Signed-off-by: Mark Bolwell
* distro update for rocky
Signed-off-by: Mark Bolwell
* system_is_container updates
Signed-off-by: Mark Bolwell
* ssh pkg check
Signed-off-by: Mark Bolwell
* logrotate pkg check
Signed-off-by: Mark Bolwell
* logic in container check
Signed-off-by: Mark Bolwell
* add pkg fact and audit conditionals
Signed-off-by: Mark Bolwell
* tidy up crypto step
Signed-off-by: Mark Bolwell
* Added missing tags
Signed-off-by: Mark Bolwell
* container vars file now a variable
Signed-off-by: Mark Bolwell
* added uid discovery and usage
Signed-off-by: Mark Bolwell
* Updated OS checks and conditionals
Signed-off-by: Mark Bolwell
* fixed empty become
Signed-off-by: Mark Bolwell
* change audit to include task
Signed-off-by: Mark Bolwell
* Added OS_specific vars
Signed-off-by: Mark Bolwell
* updated import/include
Signed-off-by: Mark Bolwell
* OS Specific vars
Signed-off-by: Mark Bolwell
* updated tags
Signed-off-by: Mark Bolwell
* updated changed_when
Signed-off-by: Mark Bolwell
* fixed UID logic
Signed-off-by: Mark Bolwell
* added github templates
Signed-off-by: Mark Bolwell
* updated layout
Signed-off-by: Mark Bolwell
* Added .github ignore again
Signed-off-by: Mark Bolwell
---
.github/ISSUE_TEMPLATE/bug_report.md | 34 ++++++++++++++++
.../feature-request-or-enhancement.md | 22 ++++++++++
.github/ISSUE_TEMPLATE/question.md | 18 +++++++++
.github/pull_request_template.md | 12 ++++++
.github/workflows/communitytodevel.yml | 39 ++++++++++++++++++
.github/workflows/develtomain.yml | 40 +++++++++++++++++++
tasks/section_6/cis_6.2.x.yml | 3 ++
7 files changed, 168 insertions(+)
create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md
create mode 100644 .github/ISSUE_TEMPLATE/feature-request-or-enhancement.md
create mode 100644 .github/ISSUE_TEMPLATE/question.md
create mode 100644 .github/pull_request_template.md
create mode 100644 .github/workflows/communitytodevel.yml
create mode 100644 .github/workflows/develtomain.yml
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 0000000..d3828ea
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,34 @@
+---
+name: Report Issue
+about: Create a bug issue ticket to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the Issue**
+A clear and concise description of what the bug is.
+
+**Expected Behavior**
+A clear and concise description of what you expected to happen.
+
+**Actual Behavior**
+A clear and concise description of what's happening.
+
+**Control(s) Affected**
+What controls are being affected by the issue
+
+**Environment (please complete the following information):**
+
+- branch being used: [e.g. devel]
+- Ansible Version: [e.g. 2.10]
+- Host Python Version: [e.g. Python 3.7.6]
+- Ansible Server Python Version: [e.g. Python 3.7.6]
+- Additional Details:
+
+**Additional Notes**
+Anything additional goes here
+
+**Possible Solution**
+Enter a suggested fix here
diff --git a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md
new file mode 100644
index 0000000..3908075
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md
@@ -0,0 +1,22 @@
+---
+name: Feature Request or Enhancement
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+## Feature Request or Enhancement
+
+- Feature []
+- Enhancement []
+
+**Summary of Request**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Suggested Code**
+Please provide any code you have in mind to fulfill the request
diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md
new file mode 100644
index 0000000..ad0629e
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/question.md
@@ -0,0 +1,18 @@
+---
+name: Question
+about: Ask away.......
+title: ''
+labels: question
+assignees: ''
+
+---
+
+**Question**
+Pose question here.
+
+**Environment (please complete the following information):**
+
+- Ansible Version: [e.g. 2.10]
+- Host Python Version: [e.g. Python 3.7.6]
+- Ansible Server Python Version: [e.g. Python 3.7.6]
+- Additional Details:
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000..05dadb6
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,12 @@
+**Overall Review of Changes:**
+A general description of the changes made that are being requested for merge
+
+**Issue Fixes:**
+Please list (using linking) any open issues this PR addresses
+
+**Enhancements:**
+Please list any enhancements/features that are not open issue tickets
+
+**How has this been tested?:**
+Please give an overview of how these changes were tested. If they were not please use N/A
+
diff --git a/.github/workflows/communitytodevel.yml b/.github/workflows/communitytodevel.yml
new file mode 100644
index 0000000..9ad4d78
--- /dev/null
+++ b/.github/workflows/communitytodevel.yml
@@ -0,0 +1,39 @@
+---
+# This is a basic workflow to help you get started with Actions
+
+name: CommunityToDevel
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+  pull_request:
+    branches: [ devel ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v2
+
+      # Refactr pipeline for devel pull request/merge
+      - name: Refactr - Run Pipeline (to devel)
+        # You may pin to the exact commit or the version.
+        # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+        uses: refactr/action-run-pipeline@v0.1.2
+        with:
+          # API token
+          api_token: '${{ secrets.REFACTR_KEY }}'
+          # Project ID
+          project_id: 5f47f0c4a13c7b18373e5556
+          # Job ID
+          job_id: 5f933cbcf9c74e86b1609c00
+          # Variables
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL9-CIS.git", "image": "ami-04483b15b4268d18d", "githubBranch": "${{ github.head_ref }}", "username": "centos" }'
+          # Refactr API base URL
+          api_url: # optional
diff --git a/.github/workflows/develtomain.yml b/.github/workflows/develtomain.yml
new file mode 100644
index 0000000..11781c6
--- /dev/null
+++ b/.github/workflows/develtomain.yml
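Review bot: `${{ github.head_ref }}` is spliced unescaped into the `variables` JSON string; on a `pull_request` trigger the head branch name is chosen by the PR author, so a name containing a double quote or backslash breaks the JSON or changes the set of variables handed to the pipeline. Let the expression engine emit a valid JSON literal instead, `"githubBranch": ${{ toJSON(github.head_ref) }},` (the surrounding single quotes of the YAML value stay as they are). Both this file and develtomain.yml reference third-party actions by mutable tags (`actions/checkout@v2`, `refactr/action-run-pipeline@v0.1.2`) although the commented-out line already carries the commit SHA; pinning `uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53 # v0.1.2` keeps a retagged release from silently changing what runs with REFACTR_KEY. Note also that GitHub does not expose repository secrets to `pull_request` runs from forks, so `api_token` will be empty for external contributions; either accept that those runs fail or say so in a comment beside the `on:` block.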
@@ -0,0 +1,40 @@
+---
+# This is a basic workflow to help you get started with Actions
+
+name: DevelToMain
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+  pull_request:
+    branches: [ main ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v2
+
+      # Refactr pipeline for devel pull request/merge
+      - name: Refactr - Run Pipeline (to main)
+        # You may pin to the exact commit or the version.
+        # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+        uses: refactr/action-run-pipeline@v0.1.2
+        with:
+          # API token
+          api_token: '${{ secrets.REFACTR_KEY }}'
+          # Project ID
+          project_id: 5f47f0c4a13c7b18373e5556
+          # Job ID
+          job_id: 5f90ad90f9c74e6d1e606e33
+          # Variables
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL9-CIS.git", "image": "ami-04483b15b4268d18d", "username": "centos" }'
+          # Refactr API base URL
+          api_url: # optional
diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
index c825229..7b9523b 100644
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
@@ -137,6 +137,9 @@
         with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}"
         register: rhel_09_6_2_7_audit
+
+      - debug:
+          var: rhel_09_6_2_7_audit
 
       - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
         shell: find -H {{ item.0 | quote }} -not -type l -perm /027
         args:
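Review bot: The trigger comment `# events but only for the devel branch` contradicts the `branches: [ main ]` line directly beneath it, and the header comment in both workflows announces a push trigger that is not configured; replace the two comment lines with `# Runs when a pull request targets main (no push trigger).` The `api_url: # optional` line leaves a bare key, which YAML reads as null rather than an empty string; since the input is optional, drop the key or write `api_url: ''`. The remaining starter-template comments (`# This is a basic workflow to help you get started with Actions`, `# The type of runner that the job will run on`, and the like) describe nothing specific to this pipeline and only add noise to the file.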