From 674d3417ff03377963e858d120ee6bd3436d5dff Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 6 Jun 2023 14:36:38 +0100 Subject: [PATCH 01/63] rule_1.10 updates Signed-off-by: Mark Bolwell --- defaults/main.yml | 8 +++++--- tasks/main.yml | 21 ++++++++++++++++----- tasks/prelim.yml | 11 ++++++++++- tasks/section_1/cis_1.10.yml | 19 ++++++++++++++----- vars/main.yml | 5 +++++ 5 files changed, 50 insertions(+), 14 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ee4f51b..9d3c003 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -380,9 +380,11 @@ rhel9cis_dconf_db_name: local rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900) rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5) -# 1.10 Set crypto policy DEFAULT -# Control 1.10 states not to use LEGACY -rhel9cis_crypto_policy: "DEFAULT" +# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS) +# Control 1.10 states do not use LEGACY and control 1.11 says to use FUTURE or FIPS. +rhel9cis_crypto_policy: 'DEFAULT' +# Added module to be allowed as default setting (Allowed options in vars/main.yml) +rhel9cis_crypto_policy_module: '' # System network parameters (host only OR host and router) rhel9cis_is_router: false diff --git a/tasks/main.yml b/tasks/main.yml index 2bb0f3f..2bab3f6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
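Review bot: The new comment above `rhel9cis_crypto_policy` in defaults/main.yml lists LEGACY among the selectable values while the very next line says control 1.10 forbids it, and tasks/main.yml's "Crypto policy is not a permitted version" assert presumably rejects it (only the FUTURE and FIPS entries of `rhel9cis_allowed_crypto_policies` are visible in this series). If LEGACY is absent from that allow-list the comment advertises a value the role refuses at start-up; `# 1.10/1.11 Set crypto policy (DEFAULT, FUTURE or FIPS - LEGACY fails the allowed-policy check in tasks/main.yml)` would state the real contract. The new `rhel9cis_crypto_policy_module: ''` default would likewise read better with the permitted module names spelled out beside it rather than only a pointer to vars/main.yml.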
@@ -22,18 +22,18 @@ - name: "Check password set for {{ ansible_user }}" block: - - name: Capture current password state of "{{ ansible_user }}" - ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" + - name: Capture current password state of connecting user" + ansible.builtin.shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false register: ansible_user_password_set - - name: "Assert that password set for {{ ansible_user }} and account not locked" + - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" ansible.builtin.assert: that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" - success_msg: "You a password set for the {{ ansible_user }}" + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" + success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" vars: sudo_password_rule: rhel9cis_rule_5_3_4 when: @@ -92,6 +92,17 @@ fail_msg: "Crypto policy is not a permitted version" success_msg: "Crypto policy is a permitted version" +- name: Check crypto-policy module input + ansible.builtin.assert: + that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules + fail_msg: "Crypto policy module is not a permitted version" + success_msg: "Crypto policy module is a permitted version" + when: + - rhel9cis_rule_1_10 + - rhel9cis_crypto_policy_module | length > 0 + tags: + - rule_1.10 + - name: Check rhel9cis_bootloader_password_hash variable has been changed ansible.builtin.assert: that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' 
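Review bot: The rewritten shell line `grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'` is an unanchored substring match, so a user such as `ec2` also hits `ec2-user`'s entry and the assert then evaluates several lines of stdout at once; `grep '^{{ ansible_env.SUDO_USER }}:' /etc/shadow` pins it to the intended account. The registered value is that account's password hash, so the task should also carry `no_log: true`, otherwise the hash is printed in verbose runs and ends up in callback logs. With `failed_when: false` an absent shadow entry yields empty stdout and the assert reports "no password set", which is misleading though not unsafe.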
diff --git a/tasks/prelim.yml b/tasks/prelim.yml index f555337..47d1750 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -62,10 +62,19 @@ state: present - name: "PRELIM | Gather system-wide crypto-policy" - ansible.builtin.shell: update-crypto-policies --show + ansible.builtin.shell: 'update-crypto-policies --show' changed_when: false check_mode: false register: system_wide_crypto_policy + + - name: "PRELIM | Gather system-wide crypto-policy" + ansible.builtin.set_fact: + current_crypto_policy: "{{ system_wide_crypto_policy.stdout.split(':')[0] }}" + + - name: "PRELIM | Gather system-wide crypto-policy module" + ansible.builtin.set_fact: + current_crypto_module: "{{ system_wide_crypto_policy.stdout.split(':')[1] }}" + when: "':' in system_wide_crypto_policy.stdout" when: - rhel9cis_rule_1_10 tags: diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index c43e445..e61e367 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -1,16 +1,25 @@ --- - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy" - ansible.builtin.shell: | - update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" - update-crypto-policies - notify: Change_requires_reboot + block: + - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy | set_fact" + ansible.builtin.set_fact: + rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}:{{ rhel9cis_crypto_policy_module }}{% endif %}" + + - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy" + ansible.builtin.shell: | + update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}" + update-crypto-policies + notify: change_requires_reboot + when: + - system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy when: - rhel9cis_rule_1_10 - - system_wide_crypto_policy['stdout'] == 'LEGACY' + tags: - level1-server - level1-workstation + - automated - no system_is_ec2 - patch - rule_1.10 
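Review bot: In tasks/section_1/cis_1.10.yml the notify target changes from `Change_requires_reboot` to `change_requires_reboot`; handler names are case-sensitive and patch 16/63 in this series reverts it as a typo, so at this commit a crypto-policy change either fails on an unknown handler or never flags the reboot the new policy needs — keep `notify: Change_requires_reboot`. The inner `when` also compares the raw `system_wide_crypto_policy.stdout` with `rhel9cis_full_crypto_policy` instead of the `current_crypto_policy` / `current_crypto_module` facts that the prelim.yml hunk of this same commit introduces, so those facts are set but never read; either compare on them or drop them. Dropping the old `== 'LEGACY'` guard means the task now enforces whatever `rhel9cis_crypto_policy` holds, which is fine only as long as the allow-list check in tasks/main.yml keeps LEGACY out.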
diff --git a/vars/main.yml b/vars/main.yml index 2a93184..6b9fcea 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -7,6 +7,11 @@ rhel9cis_allowed_crypto_policies: - 'FUTURE' - 'FIPS' +rhel9cis_allowed_crypto_policies_modules: + - 'OSPP' + - 'AD-Support' + - 'AD-Support-LEGACY' + # Used to control warning summary warn_control_list: "" warn_count: 0 From cc9e04719648f2923f0d47f5b3dc8cb56227f925 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 6 Jun 2023 14:36:51 +0100 Subject: [PATCH 02/63] lint Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index c4826c9..bf76b5c 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -16,7 +16,7 @@ community.general.modprobe: name: usb-storage state: absent - when: not system_is_container + when: not system_is_container - name: "1.1.9 | PATCH | Disable USB Storage | blacklist" ansible.builtin.lineinfile: From faf12de1df62ca321133d7c6843e546e70822ab1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 6 Jun 2023 14:36:58 +0100 Subject: [PATCH 03/63] updated Signed-off-by: Mark Bolwell --- Changelog.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index ef5157b..34b805a 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,9 @@ # Changes to rhel9CIS +## 1.0.8 + +rule_1.10 improvements allowing for module checking (useful for AD) + ## 1.0.7 lint and yaml updates @@ -8,7 +12,7 @@ improvements to 6.1.10, 6.1.11, 6.1.13, 6.1.14 ## 1.0.6 -updated ymlalint as galaxy doenst honouyr local settings +updated yamllint as galaxy doesn't honour local settings removed empty lines in files ## 1.0.5 From 82eedb0edf069681196f6d4bc5f82141f4b327cc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 6 Jun 2023 18:40:11 +0100 Subject: [PATCH 04/63] updated case for module 
Signed-off-by: Mark Bolwell --- vars/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vars/main.yml b/vars/main.yml index 6b9fcea..022c230 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -9,8 +9,8 @@ rhel9cis_allowed_crypto_policies: rhel9cis_allowed_crypto_policies_modules: - 'OSPP' - - 'AD-Support' - - 'AD-Support-LEGACY' + - 'AD-SUPPORT' + - 'AD-SUPPORT-LEGACY' # Used to control warning summary warn_control_list: "" From 194925be2faf5facf5544d85e9b9be130677081a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 7 Jun 2023 09:24:32 +0100 Subject: [PATCH 05/63] consistent vars and names Signed-off-by: Mark Bolwell --- tasks/main.yml | 11 ++++++----- tasks/prelim.yml | 14 +++++++------- tasks/section_1/cis_1.10.yml | 2 +- 3 files changed, 14 insertions(+), 13 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 2bab3f6..f30753b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -20,18 +20,18 @@ tags: - always -- name: "Check password set for {{ ansible_user }}" +- name: "Check password set for {{ ansible_env.SUDO_USER }}" block: - - name: Capture current password state of connecting user" + - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state" ansible.builtin.shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false - register: ansible_user_password_set + register: rhel9cis_ansible_user_password_set - - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" + - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert password set and not locked" ansible.builtin.assert: - that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" + that: ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" vars: @@ -41,6 +41,7 @@ - not system_is_ec2 tags: - user_passwd + - rule_5.3.4 - name: "Ensure root password is set" block: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 47d1750..65d4be4 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -54,7 +54,7 @@ - name: "PRELIM | Setup crypto-policy" block: - - name: "PRELIM | Install crypto-policies" + - name: "PRELIM | Install crypto-policies | pkgs present" ansible.builtin.package: name: - crypto-policies 
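Review bot: The assert's `that:` line in tasks/main.yml still reads `ansible_user_password_set.stdout | length != 0` in its first operand while the task above now registers `rhel9cis_ansible_user_password_set`, so the first reference is to an undefined variable and the check errors out on every run where rule 5.3.4 is enabled. Both operands need the new name: `that: rhel9cis_ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!"`. Patch 10/63 later in this series makes exactly that correction.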
@@ -65,16 +65,16 @@ ansible.builtin.shell: 'update-crypto-policies --show' changed_when: false check_mode: false - register: system_wide_crypto_policy + register: rhel9cis_system_wide_crypto_policy - - name: "PRELIM | Gather system-wide crypto-policy" + - name: "PRELIM | Gather system-wide crypto-policy | set fact system policy" ansible.builtin.set_fact: - current_crypto_policy: "{{ system_wide_crypto_policy.stdout.split(':')[0] }}" + current_crypto_policy: "{{ rhel9cis_system_wide_crypto_policy.stdout.split(':')[0] }}" - - name: "PRELIM | Gather system-wide crypto-policy module" + - name: "PRELIM | Gather system-wide crypto-policy module | set fact system policy submodule" ansible.builtin.set_fact: - current_crypto_module: "{{ system_wide_crypto_policy.stdout.split(':')[1] }}" - when: "':' in system_wide_crypto_policy.stdout" + current_crypto_module: "{{ rhel9cis_system_wide_crypto_policy.stdout.split(':')[1] }}" + when: "':' in rhel9cis_system_wide_crypto_policy.stdout" when: - rhel9cis_rule_1_10 tags: diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index e61e367..ed6774d 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -12,7 +12,7 @@ update-crypto-policies notify: change_requires_reboot when: - - system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy + - rhel9cis_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy when: - rhel9cis_rule_1_10 From a12c75b5b720b188ddcac611a023d654af9f5fd0 Mon Sep 17 00:00:00 2001 From: jakejellinek <109655728+jakejellinek@users.noreply.github.com> Date: Tue, 20 Jun 2023 16:33:14 +0100 Subject: [PATCH 06/63] Update cis_1.3.x.yml Indentation error causing aide to not start or get validated. Signed-off-by: jakejellinek <109655728+jakejellinek@users.noreply.github.com> --- tasks/section_1/cis_1.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 1275d86..7a5e544 100644 
--- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -65,7 +65,7 @@ /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - validate: aide -D --config %s + validate: aide -D --config %s when: - rhel9cis_rule_1_3_2 - not system_is_ec2 From ddec58c419733b90ff5d9e5698c44e8d3c7e47c8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 28 Jun 2023 10:49:55 +0100 Subject: [PATCH 07/63] #66 5.6.5 regex improvment Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 3e49a46..527208d 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -100,7 +100,7 @@ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" ansible.builtin.replace: path: /etc/profile - regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' + regexp: '(?i)(umask)\s0[0-2][0-6]' replace: '\1 027' when: - rhel9cis_rule_5_6_5 From 6b8746a9e1af40c33f91899e552cec25c05ca9e0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 28 Jun 2023 10:50:01 +0100 Subject: [PATCH 08/63] updated Signed-off-by: Mark Bolwell --- Changelog.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Changelog.md b/Changelog.md index 34b805a..00f5819 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,10 @@ # Changes to rhel9CIS +## 1.0.9 + +thanks to @byjunks +[#66](https://github.com/ansible-lockdown/RHEL9-CIS/issues/66) + ## 1.0.8 rule_1.10 improvements allowing for module checking (useful for AD) From 456671acdf2983e6aa729d9fd34c9f2f09b9b7c0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 28 Jun 2023 11:33:58 +0100 Subject: [PATCH 09/63] removed yaml from stdout Signed-off-by: Mark Bolwell --- ansible.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
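Review bot: The new `regexp: '(?i)(umask)\s0[0-2][0-6]'` in cis_5.6.x.yml drops the `^` anchor and has no trailing boundary, so it now rewrites commented-out examples such as `# umask 022` and turns a four-digit mode like `umask 0022` into `umask 0272` (only `002` is consumed and the final `2` survives). `regexp: '(?i)^(\s*umask)\s+0[0-2][0-6]\b'` with `replace: '\1 027'` keeps the case-insensitive flag first (presumably what #66 needed, since newer Python re rejects a flag placed after `^`), matches only real directives, tolerates tabs or several spaces, and refuses to touch longer values; `ansible.builtin.replace` runs in MULTILINE mode so `^` is per line. If the same pattern is repeated for the other profile files elsewhere in this file, those are outside the hunk and need the same fix.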
diff --git a/ansible.cfg b/ansible.cfg index 8b5bba7..1f4e5c4 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -8,7 +8,7 @@ retry_files_save_path=/dev/null pipelining=true # Use the YAML callback plugin. -stdout_callback = yaml +#stdout_callback = yaml # Use the stdout_callback when running ad-hoc commands. bin_ansible_callbacks = True From 612bb018959a1b58e7136052d2ec9e314d8be713 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 28 Jun 2023 11:34:15 +0100 Subject: [PATCH 10/63] fixed error in assert user password set Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index f30753b..f895847 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -31,7 +31,7 @@ - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert password set and not locked" ansible.builtin.assert: - that: ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!" + that: rhel9cis_ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" vars: From edb7a3bcf0af618818b2f6e86ef5c934f7cc6dc7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 28 Jun 2023 11:34:44 +0100 Subject: [PATCH 11/63] updated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 00f5819..adbc58b 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,7 @@ # Changes to rhel9CIS ## 1.0.9 +fixed assert for user password set thanks to @byjunks [#66](https://github.com/ansible-lockdown/RHEL9-CIS/issues/66) From fe1bddf15b298249c3f3bacc1f8efb84f197421c Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Wed, 28 Jun 2023 11:45:58 +0100 Subject: [PATCH 12/63] typo fix Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 865fe59..16644c5 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -202,7 +202,7 @@ - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured" block: - - name: "3.4.2.6 | AUDIT | EEnsure nftables established connections are configured | Gather incoming connection rules" + - name: "3.4.2.6 | AUDIT | Ensure nftables established connections are configured | Gather incoming connection rules" ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' changed_when: false failed_when: false From 12c5d6e81388db2a80c363b37ac8b517ca5cab7b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 28 Jun 2023 11:46:08 +0100 Subject: [PATCH 13/63] update comment Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9d3c003..205ec9c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -477,7 +477,7 @@ rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public -# These are added to demonstrate how this can be done +# These are added to demonstrate how this can be done will require a new control rhel9cis_firewalld_ports: - number: 80 protocol: tcp From e19402d613fdabecac0b6e766df9a85c77630c82 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 5 Jul 2023 13:01:56 +0100 Subject: [PATCH 14/63] updated comment Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 205ec9c..81df6a1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -477,7 +477,7 @@ rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public -# These are added to demonstrate how this can be done will require a new control +# These settings are added to demonstrate how this update can be done (eventually will require a new control) rhel9cis_firewalld_ports: - number: 80 protocol: tcp From 97097794924ae816dc1e083d32c60cfc164e631f Mon Sep 17 00:00:00 2001 From: Luca Berton Date: Thu, 6 Jul 2023 21:30:09 +0200 Subject: [PATCH 15/63] Fix 2.2.14 Corrected rule 2.2.14 Ensure dnsmasq is not installed (Automated). Signed-off-by: Luca Berton --- tasks/section_2/cis_2.2.x.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index e592d17..8c6ccf6 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -228,9 +228,8 @@ ansible.builtin.package: name: dnsmasq state: absent - notify: Restart postfix when: - - not rhel9cis_is_mail_server + - not rhel9cis_dnsmasq_server - "'dnsmasq' in ansible_facts.packages" - rhel9cis_rule_2_2_14 tags: From 9e8ecee96491626b6bff97b6c7e16558b45ed8ef Mon Sep 17 00:00:00 2001 From: c59099 Date: Wed, 19 Jul 2023 17:30:54 +0200 Subject: [PATCH 16/63] - Added extra checks in using loop items in when statement - Fixed typo in handler name Signed-off-by: Marco V --- tasks/section_1/cis_1.10.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index ed6774d..adb25c1 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -10,7 +10,7 @@ ansible.builtin.shell: | update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}" update-crypto-policies - notify: change_requires_reboot + notify: Change_requires_reboot when: - rhel9cis_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy when: 
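Review bot: The dnsmasq task in cis_2.2.x.yml now gates on `not rhel9cis_dnsmasq_server`, but this patch touches only that file; unless `rhel9cis_dnsmasq_server` is already declared in defaults/main.yml the `when` fails with an undefined-variable error rather than skipping. If it is new, add `rhel9cis_dnsmasq_server: false` next to the other service toggles in defaults, and consider naming it `rhel9cis_is_dnsmasq_server` for consistency with the `rhel9cis_is_mail_server` it replaces. Removing `notify: Restart postfix` is correct, since postfix is not involved in 2.2.14.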
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 8da977d..69cf777 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -164,7 +164,7 @@ ansible.builtin.set_fact: rhel_09_6_1_10_unowned_files_found: true loop: "{{ rhel_09_6_1_10_audit.results }}" - when: item.stdout | length > 0 + when: item | length > 0 and item.stdout is defined and item.stdout | length > 0 - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: @@ -205,7 +205,7 @@ ansible.builtin.set_fact: rhel_09_6_1_11_ungrouped_files_found: true loop: "{{ rhel_09_6_1_11_audit.results }}" - when: item.stdout | length > 0 + when: item | length > 0 and item.stdout is defined and item.stdout | length > 0 - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: @@ -258,7 +258,7 @@ ansible.builtin.set_fact: rhel9_6_1_13_suid_found: true loop: "{{ rhel_09_6_1_13_suid_perms.results }}" - when: item.stdout | length > 0 + when: item | length > 0 and item.stdout is defined and item.stdout | length > 0 - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" ansible.builtin.debug: @@ -297,7 +297,7 @@ ansible.builtin.set_fact: rhel9_6_1_14_sgid_found: true loop: "{{ rhel_09_6_1_14_sgid_perms.results }}" - when: item.stdout | length > 0 + when: item | length > 0 and item.stdout is defined and item.stdout | length > 0 - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" ansible.builtin.debug: From cfe7f8c8527440087c0ed84ec40534ae9032e434 Mon Sep 17 00:00:00 2001 From: Marco V Date: Fri, 21 Jul 2023 09:53:14 +0200 Subject: [PATCH 17/63] Refactored the when statement layout Signed-off-by: Marco V --- tasks/section_6/cis_6.1.x.yml | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) 
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 69cf777..8a1c4a8 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -158,13 +158,18 @@ loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" - when: item['device'].startswith('/dev') and not 'bind' in item['options'] + when: + - item['device'].startswith('/dev') + - not 'bind' in item['options'] - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | set fact" ansible.builtin.set_fact: rhel_09_6_1_10_unowned_files_found: true loop: "{{ rhel_09_6_1_10_audit.results }}" - when: item | length > 0 and item.stdout is defined and item.stdout | length > 0 + when: + - item | length > 0 + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout | length > 0 - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: @@ -199,13 +204,18 @@ loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" - when: item['device'].startswith('/dev') and not 'bind' in item['options'] + when: + - item['device'].startswith('/dev') + - not 'bind' in item['options'] - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | set fact" ansible.builtin.set_fact: rhel_09_6_1_11_ungrouped_files_found: true loop: "{{ rhel_09_6_1_11_audit.results }}" - when: item | length > 0 and item.stdout is defined and item.stdout | length > 0 + when: + - item | length > 0 + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout | length > 0 - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: 
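Review bot: In the four refactored `when` lists of cis_6.1.x.yml (the 6.1.10 and 6.1.11 set_fact tasks in this hunk, and the 6.1.13/6.1.14 ones in the following two hunks) the first condition `item | length > 0` never filters anything: as far as I know each entry of a registered `results` list is a dict that always carries keys (`skipped`, `changed`, `item`) even when that iteration was skipped, so `item.stdout is defined` is the real guard. Dropping the first line and keeping the explanatory comment on `item.stdout is defined` would make the intent clearer; the comment itself is worth keeping since the skipped-item case is not obvious. The list form of the mount-filter `when` (`item['device'].startswith('/dev')` / `not 'bind' in item['options']`) is fine as written.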
@@ -258,7 +268,10 @@ ansible.builtin.set_fact: rhel9_6_1_13_suid_found: true loop: "{{ rhel_09_6_1_13_suid_perms.results }}" - when: item | length > 0 and item.stdout is defined and item.stdout | length > 0 + when: + - item | length > 0 + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout | length > 0 - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" ansible.builtin.debug: @@ -297,7 +310,10 @@ ansible.builtin.set_fact: rhel9_6_1_14_sgid_found: true loop: "{{ rhel_09_6_1_14_sgid_perms.results }}" - when: item | length > 0 and item.stdout is defined and item.stdout | length > 0 + when: + - item | length > 0 + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout | length > 0 - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" ansible.builtin.debug: From 69813b582497064abf170104f4921ef5415c9e08 Mon Sep 17 00:00:00 2001 From: Marco V Date: Fri, 21 Jul 2023 09:53:14 +0200 Subject: [PATCH 18/63] Refactored the when statement layout Signed-off-by: Marco V From 7c34f61d11e306bd59eaa1225327c06c8440453a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 08:50:53 +0100 Subject: [PATCH 19/63] #72 improve password check Signed-off-by: Mark Bolwell --- Changelog.md | 6 ++++++ tasks/main.yml | 1 + 2 files changed, 7 insertions(+) diff --git a/Changelog.md b/Changelog.md index adbc58b..1ceb4c6 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,12 @@ # Changes to rhel9CIS +## 1.0.10 + +- [#72](https://github.com/ansible-lockdown/RHEL9-CIS/issues/72) + - Only run check when paybook user not a superuser + ## 1.0.9 + fixed assert for user password set thanks to @byjunks diff --git a/tasks/main.yml b/tasks/main.yml index f895847..277e43f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -38,6 +38,7 @@ sudo_password_rule: rhel9cis_rule_5_3_4 when: - rhel9cis_rule_5_3_4 + - ansible_env.SUDO_USER is defined - not system_is_ec2 tags: - user_passwd From a791c81cf2a629ff17e002852614d8df767cb978 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 11:42:21 +0100 Subject: [PATCH 20/63] 5.5.3 fix and update Signed-off-by: Mark Bolwell --- Changelog.md | 1 + tasks/section_5/cis_5.5.x.yml | 18 +++++------------- 2 files changed, 6 insertions(+), 13 deletions(-) diff --git a/Changelog.md b/Changelog.md index 1ceb4c6..0a98224 100644 --- a/Changelog.md +++ b/Changelog.md @@ -4,6 +4,7 @@ - [#72](https://github.com/ansible-lockdown/RHEL9-CIS/issues/72) - Only run check when paybook user not a superuser +- fix for 5.5.3 thanks to @nrg-fv ## 1.0.9 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 566823a..bb3cf34 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml 
@@ -77,19 +77,11 @@ - patch - rule_5.5.2 -- name: "5.5.3 | PATCH | Ensure password reuse is limited" - block: - - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality" - ansible.builtin.lineinfile: - path: /etc/pam.d/system-auth - line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" - insertafter: '^password\s*requisite\s*pam_pwquality.so' - - - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix" - ansible.builtin.replace: - path: /etc/pam.d/system-auth - regexp: '^password\s*sufficient\s*pam_unix.so.*$' - replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' +- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality" + ansible.builtin.lineinfile: + path: /etc/pam.d/system-auth + line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" + insertafter: '^password\s*requisite\s*pam_pwquality.so' when: - rhel9cis_rule_5_5_3 tags: From 09c14e2ca808771c39e30b2294dfa55ef3483283 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 16:28:29 +0100 Subject: [PATCH 21/63] updated workflow files 
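Review bot: The surviving 5.5.3 `lineinfile` task in cis_5.5.x.yml has `line:` and `insertafter:` but no `regexp:`, so when /etc/pam.d/system-auth already contains a `pam_pwhistory.so` line with a different `remember=` value or option set the module appends a second one instead of updating it, and the effective setting is whichever line PAM reads first. Add `regexp: '^password\s+requisite\s+pam_pwhistory\.so'` so reruns converge on a single line. On RHEL 9 this file is normally generated by authselect, so a direct edit is lost on the next `authselect apply-changes` unless a custom profile is in use — worth a comment if that is a known limitation of the role. Whether the benchmark also expects the same line in /etc/pam.d/password-auth is not covered by this hunk.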
Signed-off-by: Mark Bolwell --- .github/workflows/OS.tfvars | 9 -- .github/workflows/github_networks.tf | 53 -------- .github/workflows/github_vars.tfvars | 14 -- .github/workflows/linux_benchmark_testing.yml | 122 ++++++++++++------ .github/workflows/main.tf | 83 ------------ .github/workflows/terraform.tfvars | 6 - .github/workflows/variables.tf | 81 ------------ 7 files changed, 80 insertions(+), 288 deletions(-) delete mode 100644 .github/workflows/OS.tfvars delete mode 100644 .github/workflows/github_networks.tf delete mode 100644 .github/workflows/github_vars.tfvars delete mode 100644 .github/workflows/main.tf delete mode 100644 .github/workflows/terraform.tfvars delete mode 100644 .github/workflows/variables.tf diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars deleted file mode 100644 index 634512b..0000000 --- a/.github/workflows/OS.tfvars +++ /dev/null @@ -1,9 +0,0 @@ -#Ami Alma 9 -ami_id = "ami-0845395779540e3cb" -ami_os = "rhel9" -ami_username = "ec2-user" -ami_user_home = "/home/ec2-user" -instance_tags = { - Name = "RHEL9-CIS" - Environment = "lockdown_github_repo_workflow" -} diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf deleted file mode 100644 index ba77764..0000000 --- a/.github/workflows/github_networks.tf +++ /dev/null 
@@ -1,53 +0,0 @@ -resource "aws_vpc" "Main" { - cidr_block = var.main_vpc_cidr - instance_tenancy = "default" - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-VPC" - } -} - -resource "aws_internet_gateway" "IGW" { - vpc_id = aws_vpc.Main.id - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-IGW" - } -} - -resource "aws_subnet" "publicsubnets" { - vpc_id = aws_vpc.Main.id - cidr_block = var.public_subnets - availability_zone = var.availability_zone - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-pubsub" - } -} - -resource "aws_subnet" "Main" { - vpc_id = aws_vpc.Main.id - cidr_block = var.private_subnets - availability_zone = var.availability_zone - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-prvsub" - } -} - -resource "aws_route_table" "PublicRT" { - vpc_id = aws_vpc.Main.id - route { - cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.IGW.id - } - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-publicRT" - } -} - -resource "aws_route_table_association" "rt_associate_public" { - subnet_id = aws_subnet.Main.id - route_table_id = aws_route_table.PublicRT.id -} diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars deleted file mode 100644 index 24daeca..0000000 --- a/.github/workflows/github_vars.tfvars +++ /dev/null @@ -1,14 +0,0 @@ -// github_actions variables -// Resourced in github_networks.tf -// Declared in variables.tf -// - -namespace = "github_actions" -environment = "lockdown_github_repo_workflow" - -// Matching pair name found in AWS for keypairs PEM key -ami_key_pair_name = "github_actions" -private_key = ".ssh/github_actions.pem" -main_vpc_cidr = "172.22.0.0/24" -public_subnets = "172.22.0.128/26" -private_subnets = "172.22.0.192/26" diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 9d32ece..d5c5726 100644 
--- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -1,3 +1,5 @@ +--- + # This is a basic workflow to help you get started with Actions name: linux_benchmark_pipeline 
@@ -6,48 +8,61 @@ name: linux_benchmark_pipeline # Triggers the workflow on push or pull request # events but only for the devel branch on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' # A workflow run is made up of one or more jobs # that can run sequentially or in parallel jobs: # This will create messages for first time contributers and direct them to the Discord server welcome: - runs-on: ubuntu-latest + runs-on: ubuntu-latest - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + steps: + - uses: actions/first-interaction@main + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. 
# This workflow contains a single job called "build" build: # The type of runner that the job will run on runs-on: ubuntu-latest - env: - ENABLE_DEBUG: false + ENABLE_DEBUG: true + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, + # Checks-out your repository under $GITHUB_WORKSPACE, # so your job can access it - - uses: actions/checkout@v3 + - name: Clone ${{ github.event.repository.name }} + uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} + # Pull in terraform code for linux servers + - name: Clone github IaC plan + uses: actions/checkout@v3 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + - name: Add_ssh_key working-directory: .github/workflows env: 
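Review bot: The new `Clone github IaC plan` step checks out `ansible-lockdown/github_linux_IaC` with no `ref:`, so each run takes whatever is at that repository's default-branch head; because this workflow fires on `pull_request_target` and the Terraform steps in the following hunk carry AWS credentials, the code that provisions and tears down infrastructure now comes from a floating, unreviewed source. Pin it under the step's `with:`, e.g. `ref: <PINNED_TAG_OR_COMMIT_SHA>`, and bump it deliberately; the same applies in a weaker form to `actions/checkout@v3`, which is a movable tag rather than a commit SHA. The job-level `defaults.run.working-directory` now points at `.github/workflows/github_linux_IaC`, but the unchanged `Add_ssh_key` step still writes the key under `.github/workflows`, so confirm the path the IaC repository's tfvars expects for the private key resolves from the new working directory rather than the old one. Flipping `ENABLE_DEBUG` to `true` is safe only because the destroy step no longer gates on it, which the next hunk does.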
@@ -58,54 +73,77 @@ jobs: chmod 700 .ssh echo $PRIVATE_KEY > .ssh/github_actions.pem chmod 600 .ssh/github_actions.pem + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd + ls + + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} ### Build out the server + - name: Terraform_Init - working-directory: .github/workflows + id: init run: terraform init + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - name: Terraform_Validate - working-directory: .github/workflows + id: validate run: terraform validate + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - name: Terraform_Apply - working-directory: .github/workflows + id: apply env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false ## Debug Section - name: DEBUG - Show Ansible hostfile if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows run: cat hosts.yml # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds run: sleep 60s - shell: bash # Run the ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: - playbook: 
site.yml - inventory: .github/workflows/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} + playbook: site.yml + inventory: .github/workflows/github_linux_IaC/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} # verbose: 3 env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" # Remove test system - User secrets to keep if necessary - name: Terraform_Destroy - working-directory: .github/workflows - if: always() && env.ENABLE_DEBUG == 'false' + if: always() env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf deleted file mode 100644 index c877665..0000000 --- a/.github/workflows/main.tf +++ /dev/null 
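Review bot: `OSVAR` and `TF_VAR_benchmark_type` are re-declared in the per-step `env:` of `Terraform_Init`, `Terraform_Validate`, `Terraform_Apply` and `Terraform_Destroy` (and under a different name, `benchmark_type`, in `DEBUG - Show IaC files`), so a future rename in one step silently desyncs the others; declaring them once beside `ENABLE_DEBUG` in the job-level `env:` as `OSVAR: ${{ vars.OSVAR }}` and `TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}` and dropping the copies yields the same environment in every step. `terraform apply` and `terraform destroy` now expand `"${OSVAR}.tfvars"`, so an unset repository variable collapses the argument to `.tfvars` and the run dies with a file-not-found instead of a clear message; a one-line guard such as `run: test -n "$OSVAR"` before `terraform init` makes that failure explicit. The comment `relvent OS.tfvars file` repeated in the new env blocks should read `relevant`. Changing the destroy condition to `if: always()` is consistent with `ENABLE_DEBUG` now defaulting to `true`.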
@@ -1,83 +0,0 @@ -provider "aws" { - profile = "" - region = var.aws_region -} - -// Create a security group with access to port 22 and port 80 open to serve HTTP traffic - -resource "random_id" "server" { - keepers = { - # Generate a new id each time we switch to a new AMI id - ami_id = "${var.ami_id}" - } - - byte_length = 8 -} - -resource "aws_security_group" "github_actions" { - name = "${var.namespace}-${random_id.server.hex}-SG" - vpc_id = aws_vpc.Main.id - - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-SG" - } -} - -// instance setup - -resource "aws_instance" "testing_vm" { - ami = var.ami_id - availability_zone = var.availability_zone - associate_public_ip_address = true - key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs - instance_type = var.instance_type - tags = var.instance_tags - vpc_security_group_ids = [aws_security_group.github_actions.id] - subnet_id = aws_subnet.Main.id - root_block_device { - delete_on_termination = true - } -} - -// generate inventory file -resource "local_file" "inventory" { - filename = "./hosts.yml" - directory_permission = "0755" - file_permission = "0644" - content = < Date: Wed, 26 Jul 2023 16:50:48 +0100 Subject: [PATCH 22/63] lint updates Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 -- tasks/section_3/cis_3.1.x.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 8 ++++---- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index c4b27e7..544dd4b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -3,8 +3,6 @@ - name: Reload sysctl ansible.builtin.shell: sysctl --system - when: - - sysctl_updated.changed - name: Sysctl flush ipv4 route table ansible.posix.sysctl: diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 7ffe31c..52a3f3c 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -44,7 +44,7 @@ ansible.builtin.shell: nmcli radio all off changed_when: false failed_when: false - when: rhel_09_wifi_enabled is changed + when: rhel_09_wifi_enabled is changed # noqa no-handler when: - rhel9cis_rule_3_1_2 tags: diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 8a1c4a8..955f83f 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -168,7 +168,7 @@ loop: "{{ rhel_09_6_1_10_audit.results }}" when: - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - item.stdout | length > 0 - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" @@ -214,7 +214,7 @@ loop: "{{ rhel_09_6_1_11_audit.results }}" when: - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - item.stdout | length > 0 - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" 
@@ -270,7 +270,7 @@ loop: "{{ rhel_09_6_1_13_suid_perms.results }}" when: - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - item.stdout | length > 0 - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" @@ -312,7 +312,7 @@ loop: "{{ rhel_09_6_1_14_sgid_perms.results }}" when: - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - item.stdout | length > 0 - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" From 2d222fbc49076295d167f2252409f16af397740a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 16:51:03 +0100 Subject: [PATCH 23/63] updated Signed-off-by: Mark Bolwell --- .ansible-lint | 1 + 1 file changed, 1 insertion(+) diff --git a/.ansible-lint b/.ansible-lint index 964eb05..057c65e 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -12,6 +12,7 @@ skip_list: - 'name[casing]' - 'name[template]' - 'fqcn[action]' + - 'key-order[task]' - '204' - '305' - '303' From 495f942b7d26ee82690dc16eb4f231c587a57687 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 16:51:17 +0100 Subject: [PATCH 24/63] added pre-commit files Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 69 ++++++++++++++++ .secrets.baseline | 172 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 241 insertions(+) create mode 100644 .pre-commit-config.yaml create mode 100644 .secrets.baseline diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..561e9e5 --- /dev/null +++ b/.pre-commit-config.yaml 
@@ -0,0 +1,69 @@
+---
+
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v3.2.0
+ hooks:
+ # Safety
+ - id: detect-aws-credentials
+ - id: detect-private-key
+
+ # git checks
+ - id: check-merge-conflict
+ - id: check-added-large-files
+ - id: check-case-conflict
+
+ # General checks
+ - id: trailing-whitespace
+ name: Trim Trailing Whitespace
+ description: This hook trims trailing whitespace.
+ entry: trailing-whitespace-fixer
+ language: python
+ types: [text]
+ args: [--markdown-linebreak-ext=md]
+ - id: end-of-file-fixer
+
+# Scan for passwords
+- repo: https://github.com/Yelp/detect-secrets
+ rev: v1.4.0
+ hooks:
+ - id: detect-secrets
+ args: ['--baseline', '.secrets.baseline']
+ exclude: package.lock.json
+
+- repo: https://github.com/ansible-community/ansible-lint
+ rev: v6.17.2
+ hooks:
+ - id: ansible-lint
+ name: Ansible-lint
+ description: This hook runs ansible-lint.
+ entry: python3 -m ansiblelint --force-color site.yml -c .ansible-lint
+ language: python
+ # do not pass files to ansible-lint, see:
+ # https://github.com/ansible/ansible-lint/issues/611
+ pass_filenames: false
+ always_run: true
+ additional_dependencies:
+ # https://github.com/pre-commit/pre-commit/issues/1526
+ # If you want to use specific version of ansible-core or ansible, feel
+ # free to override `additional_dependencies` in your own hook config
+ # file.
+ - ansible-core>=2.10.1
+
+- repo: https://github.com/adrienverge/yamllint.git
+ rev: v1.32.0 # or higher tag
+ hooks:
+ - id: yamllint
+
+## To be moved to main link when PR approved - https://github.com/ansible/ansible-sign.git
+- repo: https://github.com/ansible-lockdown/ansible-sign.git
+ rev: v0.1.1b
+ hooks:
+ - id: ansible-sign
+ name: Verify Ansible-sign signature
+ description: This hook runs ansible-sign.
+ entry: ansible-sign project gpg-verify .
+ language: python
+ # do not pass files as we need to scan the directory with the MANIFEST.in
+ pass_filenames: false
+ always_run: true
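Review bot: The `additional_dependencies` entry `- ansible-core>=2.10.1` under the ansible-lint hook is an open-ended range, so the environment pre-commit builds drifts with every ansible-core release and two contributors can get different lint results for the same commit; pin it, `- ansible-core==<PINNED_VERSION>`, and bump it on purpose. The `trailing-whitespace` item re-declares `name`, `description`, `entry`, `language` and `types`, all of which the upstream hook already defines, so only `- id: trailing-whitespace` and its `args:` line are needed. Every `rev:` here is a tag, which the upstream maintainer can move; for hooks that execute code on the developer's machine a commit-SHA `rev:` (pre-commit accepts either) closes that supply-chain gap. `rev: v3.2.0` for pre-commit-hooks appears to be well behind the 4.x line; confirm against the upstream tags before bumping.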
diff --git a/.secrets.baseline b/.secrets.baseline new file mode 100644 index 0000000..521cd47 --- /dev/null +++ b/.secrets.baseline 
@@ -0,0 +1,172 @@ +{ + "version": "1.4.0", + "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, + { + "name": "AWSKeyDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "name": "Base64HighEntropyString", + "limit": 4.5 + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "name": "KeywordDetector", + "keyword_exclude": "" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "SendGridDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_baseline_file", + "filename": ".secrets.baseline" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": "detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" + } + ], + "results": { + 
"defaults/main.yml": [ + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "is_verified": false, + "line_number": 363, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", + "is_verified": false, + "line_number": 374, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", + "is_verified": false, + "line_number": 375, + "is_secret": false + } + ], + "tasks/main.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb", + "is_verified": false, + "line_number": 38, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "is_verified": false, + "line_number": 109, + "is_secret": false + } + ], + "tasks/parse_etc_password.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/parse_etc_password.yml", + "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "is_verified": false, + "line_number": 18, + "is_secret": false + } + ] + }, + "generated_at": "2023-07-04T16:02:46Z" +} + From c9db12b603d5f6aafe3f6aa5ff7673b3701c7a02 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 16:58:33 +0100 Subject: [PATCH 25/63] updated lint Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 13 ------------- tasks/auditd.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 8 ++++---- 3 files changed, 5 insertions(+), 18 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 561e9e5..8087b48 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -54,16 +54,3 @@ repos: rev: v1.32.0 # or higher tag hooks: - id: yamllint - -## To be moved to main link when PR approved - https://github.com/ansible/ansible-sign.git -- repo: https://github.com/ansible-lockdown/ansible-sign.git - rev: v0.1.1b - hooks: - - id: ansible-sign - name: Verify Ansible-sign signature - description: This hook runs ansible-sign. - entry: ansible-sign project gpg-verify . - language: python - # do not pass files as we need to scan the directory with the MANIFEST.in - pass_filenames: false - always_run: true diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 486ef31..f578657 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -19,7 +19,7 @@ - Audit immutable fact - Restart auditd -- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa: no-handler +- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'Auditd template updated, see diff output for details' diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 955f83f..76f92be 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -173,7 +173,7 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: - msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | json_query('results[*].stdout_lines[*]') | flatten }}" + msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] when: rhel_09_6_1_10_unowned_files_found - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" 
@@ -219,7 +219,7 @@ - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: - msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | json_query('results[*].stdout_lines[*]') | flatten }}" + msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] when: rhel_09_6_1_11_ungrouped_files_found - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" @@ -275,7 +275,7 @@ - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" ansible.builtin.debug: - msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" + msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] when: rhel9_6_1_13_suid_found - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" @@ -317,7 +317,7 @@ - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" ansible.builtin.debug: - msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" + msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] when: rhel9_6_1_14_sgid_found - name: "6.1.14 | AUDIT | Audit SGID executables| warning" From 66ed22e5eedf04f593b9ea0508c03f9b2925285c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 17:05:18 +0100 Subject: [PATCH 26/63] Added pre-commit manifest file Signed-off-by: Mark Bolwell --- MANIFEST.in | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 MANIFEST.in diff --git a/MANIFEST.in b/MANIFEST.in new file mode 100644 index 0000000..6fc2d89 --- /dev/null +++ b/MANIFEST.in 
@@ -0,0 +1,20 @@ +# Files for ansible-signing + +include site.yml +include MANIFEST.in +include .secrets.baseline +include *.md *.rst +include ansible.cfg +include .ansible-lint .gitattributes .gitignore .yamllint .pre-commit-config.yaml LICENSE +include requirements.txt Makefile +recursive-exclude .git * +recursive-include .github *.yml *.md *.tf *.tfvars +recursive-include collections *.yml +recursive-include defaults *.yml +recursive-include files * +recursive-include handlers *.yml +recursive-include meta *.yml +recursive-include molecule *.yml +recursive-include tasks *.yml +recursive-include templates *.j2 +recursive-include vars *.yml From 3f6b53f4f31b43bbebd64be333fb85b7eb880ca2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 17:08:17 +0100 Subject: [PATCH 27/63] updated content Signed-off-by: Mark Bolwell --- README.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index a819e4d..d2970e6 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ ![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/RHEL9-CIS/linux_benchmark_testing.yml?label=Devel%20Build%20Status) ![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) -![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) +![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) ![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/RHEL9-CIS/linux_benchmark_testing.yml?label=Build%20Status) ![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS?label=Release%20Date) ![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/RHEL9-CIS?label=Release%20Tag&&color=success) 
@@ -100,10 +100,6 @@ Almalinux 9 Rocky 9 OracleLinux 9 -ansible 2.10 -jmespath -relevant collections - - Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) **General:** @@ -120,13 +116,15 @@ relevant collections **Technical Dependencies:** - Python3 -- Ansible 2.9+ +- Ansible 2.10+ - python-def (should be included in RHEL 9) - libselinux-python - pip packages - jmespath ( complete list found in requirements.txt) - collections found in collections/requirememnts.yml +pre-commit is available if installed + ## Role Variables This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done by overriding the required varaibles as found in defaults/main.yml file. e.g. using inventory, group_vars, extra_vars From 81b2f06dabb2f6451b4912589a039eacf22e8a4c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 17:17:45 +0100 Subject: [PATCH 28/63] updated 5.6.5 logic Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 527208d..7d6cd1d 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml 
@@ -83,25 +83,21 @@ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" block: - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings" - ansible.builtin.replace: - path: /etc/login.defs - regexp: "{{ item.regexp }}" - replace: "{{ item.replace }}" - loop: - - { regexp: '(UMASK\s+)0[012][0-6]', replace: '\1 027' } - - { regexp: '(USERGROUPS_ENAB\s+)yes', replace: '\1 no' } + ansible.builtin.lineinfile: + path: "{{ item.path }}" + regexp: '(?i)(umask\s*)' + line: '{{ item.line }} 027' + with_items: + - { path: '/etc/bash.bashrc', line: 'umask' } + - { path: '/etc/profile', line: 'umask' } + - { path: '/etc/login.defs', line: 'UMASK' } - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" - ansible.builtin.replace: - path: /etc/bashrc - regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' - replace: '\1 027' + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^USERGROUPS_ENAB' + line: USERGROUPS_ENAB no - - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" - ansible.builtin.replace: - path: /etc/profile - regexp: '(?i)(umask)\s0[0-2][0-6]' - replace: '\1 027' when: - rhel9cis_rule_5_6_5 tags: From 1dbe8b2706a7085cbffca650d9e41ae80c6c5890 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 17:21:26 +0100 Subject: [PATCH 29/63] updated Signed-off-by: Mark Bolwell --- Changelog.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Changelog.md b/Changelog.md index 0a98224..04f7d85 100644 --- a/Changelog.md +++ b/Changelog.md 
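Review bot: The first loop item targets `/etc/bash.bashrc`, which is the Debian path; on RHEL 9 the file is `/etc/bashrc` (the path the removed task used), and `ansible.builtin.lineinfile` without `create: true` fails when the destination is missing, so rule 5.6.5 errors out on every target and the bashrc umask is never set. The regexp `(?i)(umask\s*)` is unanchored, so it also matches comment lines that mention umask, and lineinfile rewrites only the last match; in a file that sets umask twice (stock `/etc/profile` and `/etc/bashrc` are presumed to carry a UID-dependent `umask 002`/`umask 022` pair), the earlier setting survives and the control is not met, whereas the removed `ansible.builtin.replace` form rewrote every occurrence. Keep lineinfile for the single `UMASK` line in `/etc/login.defs` with an anchored regexp and return to `replace` for the two shell files, as below. The second task is named `Set umask for /etc/bashrc` but edits `USERGROUPS_ENAB` in `/etc/login.defs`; rename it to match. `with_items` is the legacy form, and the removed lines used `loop`.

```yaml
    - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile and /etc/bashrc"
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: '(?i)^(\s*umask\s+)0[0-2][0-6]'
        replace: '\g<1>027'
      loop:
        - /etc/profile
        - /etc/bashrc

    - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set UMASK in /etc/login.defs"
      ansible.builtin.lineinfile:
        path: /etc/login.defs
        regexp: '^UMASK\s'
        line: 'UMASK 027'

    - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set USERGROUPS_ENAB in /etc/login.defs"
      # … unchanged: USERGROUPS_ENAB lineinfile body …
```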
@@ -1,5 +1,17 @@ # Changes to rhel9CIS +## 1.1.0 + +- new workflow configuration +- Added pre-commit config - Does not have to be used but can imrpove things + - .pre-commit-config.yaml + - MANIFEST.in + - .secrets.baseline + +- updated to logic in 5.6.5 +- lint updates to 6.1.x +- readme updates + ## 1.0.10 - [#72](https://github.com/ansible-lockdown/RHEL9-CIS/issues/72) From 6d7abcc92965191a0c538e721528a017542ddc3e Mon Sep 17 00:00:00 2001 From: Carlos Rodriguez-Fernandez Date: Wed, 26 Jul 2023 14:37:38 -0700 Subject: [PATCH 30/63] Readme.md:fix cis level tag names Signed-off-by: Carlos Rodriguez-Fernandez --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index a819e4d..c049553 100644 --- a/README.md +++ b/README.md @@ -60,10 +60,10 @@ To use release version please point to main branch and relevant release for the It is possible to to only run level 1 or level 2 controls for CIS. This is managed using tags: -- level1_server -- level1_workstation -- level2_server -- level2_workstation +- level1-server +- level1-workstation +- level2-server +- level2-workstation The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. From b16d09aa82e7c7a2ea45b43320d6393c6096c716 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 08:41:07 +0100 Subject: [PATCH 31/63] updated Signed-off-by: Mark Bolwell --- README.md | 134 ++++++------------------------------------------------ 1 file changed, 14 insertions(+), 120 deletions(-) diff --git a/README.md b/README.md index d2970e6..6ff9449 100644 --- a/README.md +++ b/README.md 
@@ -41,6 +41,11 @@ Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. +### Contributing + +Issues and Pull requests are welcome please ensure that all commits are signed-off-by and gpg-signed. +Refer to [Contributing Guide](./CONTRIBUTING.rst) + --- ## Caution(s) @@ -60,10 +65,10 @@ To use release version please point to main branch and relevant release for the It is possible to to only run level 1 or level 2 controls for CIS. This is managed using tags: -- level1_server -- level1_workstation -- level2_server -- level2_workstation +- level1-server +- level1-workstation +- level2-server +- level2-workstation The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. @@ -123,7 +128,7 @@ OracleLinux 9 - jmespath ( complete list found in requirements.txt) - collections found in collections/requirememnts.yml -pre-commit is available if installed +pre-commit is available if installed on your host for pull request testing. ## Role Variables 
@@ -173,119 +178,8 @@ uses: ## Local Testing -ansible-base 2.10.17 - python 3.8 -ansible-core 2.13.4 - python 3.10 +- ansible-base 2.10.17 - python 3.8 +- ansible-core 2.13.4 - python 3.10 +- ansible-core 2.15.1 - python 3.11 -- makefile - this is there purely for testing and initial setup purposes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -## v1.0.0 - released Dec 2022 - -![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL9-CIS/CommunityToDevel?label=Devel%20Build%20Status&style=plastic) -![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL9-CIS/DevelToMain?label=Main%20Build%20Status&style=plastic) -![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS?style=plastic) - - - -## Join us - -On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users - -## Caution(s) - -This role **will make changes to the system** which may have unintended concequences. - -This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed. 
- -To use release version please point to main branch - -## Documentation - -- [Readthedocs](https://ansible-lockdown.readthedocs.io/en/latest/) -- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown) -- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise) -- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration) -- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise) - -## Requirements - -RHEL 9 -Almalinux 9 -Rocky 9 -OracleLinux 9 - -ansible 2.10 -jmespath -relevant collections - -- Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) - -## Tested with - -ansible-base 2.10.17 - python 3.8 -ansible-core 2.13.4 - python 3.10 - -- makefile - this is there purely for testing and initial setup purposes. - -## General - -- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible - - [Main Ansible documentation page](https://docs.ansible.com) - - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) - - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) - -- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. -- Please read through the tasks in this role to gain an understanding of what each control is doing. - - Some of the tasks are disruptive and can have unintended consiquences in a live production system. 
Also familiarize yourself with the variables in the defaults/main.yml file - -## Dependencies - -- Python3 -- Ansible 2.9+ -- python-def (should be included in RHEL 9) -- libselinux-python -- pip packages - - jmespath ( complete list found in requirements.txt) -- collections found in collections/requirememnts.yml - - - - - -### Known Issues - -CIS 1.2.4 - repo_gpgcheck is not carried out for RedHat hosts as the default repos do not have this function. This also affect EPEL(not covered by var). - - Rocky and Alma not affected. -Variable used to unset. -rhel9cis_rhel_default_repo: true # to be set to false if using repo that does have this ability +makefile - this is there purely for testing and initial setup purposes. From cfee090156da4d04c091fe5896be3a9726f6e5bc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 08:52:41 +0100 Subject: [PATCH 32/63] turned off debug Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index d5c5726..895cd4e 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -39,7 +39,7 @@ jobs: # The type of runner that the job will run on runs-on: ubuntu-latest env: - ENABLE_DEBUG: true + ENABLE_DEBUG: false # Imported as a variable by terraform TF_VAR_repository: ${{ github.event.repository.name }} defaults: @@ -73,7 +73,7 @@ jobs: chmod 700 .ssh echo $PRIVATE_KEY > .ssh/github_actions.pem chmod 600 .ssh/github_actions.pem - + - name: DEBUG - Show IaC files if: env.ENABLE_DEBUG == 'true' run: | From 58e013d0a5476ea13bdcfbcc4e8bcab6fdbae75b Mon Sep 17 00:00:00 2001 From: Luca Berton Date: Fri, 28 Jul 2023 11:54:40 +0100 Subject: [PATCH 33/63] Update README.md Updated audit instructions. Fixed typos. 
Signed-off-by: Luca Berton --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index a819e4d..7b944d6 100644 --- a/README.md +++ b/README.md @@ -51,13 +51,13 @@ Check Mode is not supported! The role will complete in check mode without errors This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. -To use release version please point to main branch and relevant release for the cis benchmark you wish to work with. +To use the release version, please point to the `main` branch and relevant release for the cis benchmark you wish to work with. --- ## Matching a security Level for CIS -It is possible to to only run level 1 or level 2 controls for CIS. +It is possible to only run level 1 or level 2 controls for CIS. This is managed using tags: - level1_server 
@@ -65,23 +65,23 @@ This is managed using tags: - level2_server - level2_workstation -The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. +The control found in the `defaults` main also needs to reflect this, as this control is the testing that takes place if you are using the audit component. ## Coming from a previous release -CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release. -This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. +CIS release always contains changes, it is highly recommended to review the new references and available variables. This has changed significantly since the ansible-lockdown initial release. +This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites which configure the system accordingly. Further details can be seen in the [Changelog](./ChangeLog.md) ## Auditing (new) -This can be turned on or off within the defaults/main.yml file with the variable rhel8cis_run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. +This can be turned on or off within the `defaults/main.yml` file with the variables `setup_audit` and `run_audit`. The value is `false` by default. Please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings. 
-A new form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. -This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. +A new form of auditing has been developed by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check without the need for infrastructure or other tooling. +This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also try to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit). From b631459e9b3ea43a7849a022a575dc120a13e2fe Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 28 Jul 2023 15:09:52 +0100 Subject: [PATCH 34/63] fix typo in bashrc path Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 7d6cd1d..7379f3f 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -88,7 +88,7 @@ regexp: '(?i)(umask\s*)' line: '{{ item.line }} 027' with_items: - - { path: '/etc/bash.bashrc', line: 'umask' } + - { path: '/etc/bashrc', line: 'umask' } - { path: '/etc/profile', line: 'umask' } - { path: '/etc/login.defs', line: 'UMASK' } From 009c9fc498f37c360d5764f122f213d20fe06520 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 28 Jul 2023 15:16:50 +0100 Subject: [PATCH 35/63] updated audit vars naming, AMD & ARM binaries 
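Review bot: The corrected path `/etc/bashrc` is right for RHEL-family hosts, but the task this line belongs to (it starts above the hunk) uses the unanchored regexp `(?i)(umask\s*)`, and `lineinfile` rewrites only the last matching line; on stock RHEL 9, as far as I recall, both /etc/bashrc and /etc/profile contain a comment mentioning umask plus two `umask` statements (002 and 022 in an if/else), so only the final one becomes 027 and the other branch keeps its looser value. Anchoring the pattern to a real statement, `regexp: '(?i)^\s*umask\s+\d+'`, stops it matching the comment, and covering every occurrence needs either a `replace` task (`^(\s*)umask\s+\d+` to `\1umask 027`) or a follow-up check. The `/etc/login.defs` entry in the same `with_items` is a separate case, since that file has a single `UMASK` directive.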
Signed-off-by: Mark Bolwell --- defaults/main.yml | 11 +-- tasks/LE_audit_setup.yml | 34 ++++---- tasks/post_remediation_audit.yml | 10 ++- tasks/pre_remediation_audit.yml | 132 ++++++++++++++++--------------- 4 files changed, 99 insertions(+), 88 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 81df6a1..2cc4700 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -52,7 +52,7 @@ setup_audit: false # How to retrive goss # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded -get_goss_file: download +get_audit_binary_method: download # how to get audit files onto host options # options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly) @@ -663,15 +663,16 @@ audit_run_script_environment: AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" ### Goss binary settings ### -goss_version: - release: v0.3.21 - checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' +audit_bin_release: v0.3.23 +audit_bin_version: + AMD64_checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' + ARM64_checksum: 'sha256:7b0794fa590857e7d64ef436e1a100ca26f6039f269a6138009aa837d27d7f9e' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json # if get_goss_file == download change accordingly -goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64" +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_release }}/goss-linux-" ## if get_goss_file - copy the following needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index bc929ae..29f8960 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml 
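Review bot: The two comments `# if get_goss_file == download change accordingly` and `## if get_goss_file - copy the following needs to be updated for your environment` in the second hunk still name the variable the first hunk renames to `get_audit_binary_method`; update them to `# if get_audit_binary_method == download change accordingly` and `## if get_audit_binary_method == copy the following needs to be updated for your environment`. The `audit_run_script_environment` mapping in the context lines of the second hunk also appears to be orphaned by this commit, since the pre- and post-remediation run tasks now hardcode their own `environment:`; if nothing else reads it, either drop it or point the run tasks back at it so there is one place to configure the audit script. A short comment above `audit_bin_version` stating that the key looked up is `<arch>_checksum` with `<arch>` taken from `audit_pkg_arch_name` would make the coupling with tasks/LE_audit_setup.yml discoverable.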
@@ -1,30 +1,34 @@ --- -- name: Download audit binary +- name: Pre Audit Setup | Set audit package name + block: + - name: Pre Audit Setup | Set audit package name | 64bit + ansible.builtin.set_fact: + audit_pkg_arch_name: AMD64 + when: ansible_machine == "x86_64" + + - name: Pre Audit Setup | Set audit package name | ARM64 + ansible.builtin.set_fact: + audit_pkg_arch_name: ARM64 + when: ansible_machine == "arm64" + +- name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: - url: "{{ goss_url }}" + url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}" dest: "{{ audit_bin }}" owner: root group: root - checksum: "{{ goss_version.checksum }}" + checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" mode: 0555 when: - - get_goss_file == 'download' + - get_audit_binary_method == 'download' -- name: Copy audit binary +- name: Pre Audit Setup | copy audit binary ansible.builtin.copy: - src: + src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" mode: 0555 owner: root group: root when: - - get_goss_file == 'copy' - -- name: Install git if not present - ansible.builtin.package: - name: git - state: present - register: git_installed - when: - - '"git" not in ansible_facts.packages' + - get_audit_binary_method == 'copy' diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 0eb7608..f0a7664 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
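Review bot: The ARM branch tests `ansible_machine == "arm64"`, but Linux reports 64-bit ARM as `aarch64` (`arm64` is the macOS/BSD spelling), so on an ARM RHEL 9 host neither `set_fact` fires, `audit_pkg_arch_name` stays undefined, and the download task fails with an undefined-variable error from its `url:` and `checksum:` expressions instead of a clear message. Use `when: ansible_machine in ['aarch64', 'arm64']` for that case and add a guard before the download, e.g. `ansible.builtin.assert: { that: audit_pkg_arch_name is defined, fail_msg: "Unsupported architecture {{ ansible_machine }} for the audit binary" }`. The suffix appended to `audit_bin_url` is the uppercase `AMD64`/`ARM64` fact value, whereas the URL this replaces ended in the lowercase `goss-linux-amd64`; confirm the release asset names before relying on it. The `mode: 0555` values inherited from the old text are unquoted octals; `'0555'` is the safer spelling.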
@@ -2,9 +2,11 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: audit_run_post_remediation.rc == 0 - register: audit_run_post_remediation + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" - name: Post Audit | ensure audit files readable by users ansible.builtin.file: @@ -17,7 +19,7 @@ - name: Post Audit | Capture audit data if json format block: - - name: "Capture data {{ post_audit_outfile }}" + - name: "capture data {{ post_audit_outfile }}" ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 2947e6a..711f59b 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
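Review bot: The new `environment:` map hardcodes `AUDIT_BIN`, `AUDIT_CONTENT_LOCATION` and a literal `AUDIT_FILE: "goss.yml"`, and this commit adds the identical map to the pre-remediation task, while the `audit_run_script_environment` variable in defaults/main.yml (visible in this commit's defaults hunk) is left in place but now looks unreferenced. Keeping the map in that one variable, `environment: "{{ audit_run_script_environment }}"`, with `AUDIT_FILE` added to it, removes the duplication and lets users override the goss file per host. Dropping `register:` also removes the only handle on the script's output; `changed_when: true` is reasonable for a task that writes `post_audit_outfile`, but if run_audit.sh (not in this patch) does not exit non-zero on error, an explicit `failed_when` on a registered result is the only way to notice.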
@@ -1,109 +1,113 @@ --- -- name: Pre Audit | Setup the audit +- name: Pre Audit Binary Setup | Setup the LE audit ansible.builtin.include_tasks: LE_audit_setup.yml when: - - setup_audit + - setup_audit tags: - - setup_audit + - setup_audit -- name: "Pre Audit | Ensure {{ audit_conf_dir }} exists" +- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' -- name: Pre Audit | retrieve audit content files from git - ansible.builtin.git: - repo: "{{ audit_file_git }}" - dest: "{{ audit_conf_dir }}" - version: "{{ audit_git_version }}" +- name: Pre Audit Setup | If using git for content set up + block: + - name: Pre Audit Setup | Install git + ansible.builtin.package: + name: git + state: present + + - name: Pre Audit Setup | retrieve audit content files from git + ansible.builtin.git: + repo: "{{ audit_file_git }}" + dest: "{{ audit_conf_dir }}" + version: "{{ audit_git_version }}" when: - - audit_content == 'git' + - audit_content == 'git' -- name: Pre Audit | confirm audit branch vs benchmark version - ansible.builtin.debug: - msg: "Audit will run the branch {{ audit_git_version }} for this Benchmark {{ benchmark_version }}" - -- name: Pre Audit | copy to audit content files to server +- name: Pre Audit Setup | copy to audit content files to server ansible.builtin.copy: src: "{{ audit_local_copy }}" - dest: "{{ audit_conf_dir }}" - mode: 0644 + dest: "{{ audit_conf_dest }}" + mode: preserve when: - - audit_content == 'copy' + - audit_content == 'copy' -- name: Pre Audit | get audit content from url +- name: Pre Audit Setup | unarchive audit content files on server + ansible.builtin.unarchive: + src: "{{ audit_conf_copy }}" + dest: "{{ audit_conf_dir }}" + when: + - audit_content == 'archived' + +- name: Pre Audit Setup | get audit content from url ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" - owner: root - group: root - mode: 0755 when: - - 
audit_content == 'get_url' + - audit_content == 'get_url' -- name: Pre Audit | Check Goss is available +- name: Pre Audit Setup | Check Goss is available block: - - name: Pre Audit | Check for goss file - ansible.builtin.stat: - path: "{{ audit_bin }}" - register: goss_available + - name: Pre Audit Setup | Check for goss file + ansible.builtin.stat: + path: "{{ audit_bin }}" + register: goss_available - - name: Pre Audit | Alert if goss not available - ansible.builtin.assert: - that: goss_available.stat.exists - fail_msg: "Audit binary file {{ audit_bin }} does not exist" + - name: Pre Audit Setup | If audit ensure goss is available + ansible.builtin.assert: + msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" + when: + - not goss_available.stat.exists when: - - run_audit + - run_audit -- name: "Pre Audit | Check whether machine is UEFI-based" - ansible.builtin.stat: - path: /sys/firmware/efi - register: rhel9_efi_boot - tags: - - goss_template - -- name: Pre Audit | Copy ansible default vars values to test audit +- name: Pre Audit Setup | Copy ansible default vars values to test audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: 0600 when: - - run_audit + - run_audit tags: - - goss_template + - goss_template + - always - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: audit_run_pre_remediation.rc == 0 - register: audit_run_pre_remediation + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" - name: Pre Audit | Capture audit data if json format block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - ansible.builtin.shell: "cat {{ pre_audit_outfile }}" - register: 
pre_audit - changed_when: false + - name: "capture data {{ pre_audit_outfile }}" + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false - - name: Pre Audit | Capture pre-audit result - ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" - vars: - summary: 'summary."summary-line"' + - name: Pre Audit | Capture pre-audit result + ansible.builtin.set_fact: + pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" + vars: + summary: 'summary."summary-line"' when: - - audit_format == "json" + - audit_format == "json" - name: Pre Audit | Capture audit data if documentation format block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" - register: pre_audit - changed_when: false + - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format" + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false - - name: Pre Audit | Capture pre-audit result - ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout_lines }}" + - name: Pre Audit | Capture pre-audit result | documentation format + ansible.builtin.set_fact: + pre_audit_summary: "{{ pre_audit.stdout_lines }}" when: - - audit_format == "documentation" + - audit_format == "documentation" From 093c5950d25d8a2073ad4b555ca524d86d21ba44 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 28 Jul 2023 15:31:12 +0100 Subject: [PATCH 36/63] updated changelog Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 04f7d85..f553ad9 100644 --- a/Changelog.md +++ b/Changelog.md 
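Review bot: The `Pre Audit Setup | If audit ensure goss is available` task calls `ansible.builtin.assert` with only `msg:`; `that:` is a required argument, so when the binary is missing the task fails with a missing-argument error rather than the intended message, and when it is present the task is merely skipped. Drop the inner `when:` and restore the condition: `that: goss_available.stat.exists` with `fail_msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"`. The copy and unarchive tasks reference `audit_conf_dest` and `audit_conf_copy`, which I do not see defined in this commit's defaults/main.yml hunk; unless they exist elsewhere, `audit_content: copy` or `archived` ends in an undefined-variable error. The `always` tag added to the template task makes it run under any tag selection (still subject to `run_audit`); if that is intended, a one-line comment above it saying why would help the next reader.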
@@ -11,6 +11,8 @@ - updated to logic in 5.6.5 - lint updates to 6.1.x - readme updates +- audit control updates and variable name changes + - ability to run audit on arm64(e.g. pi or M1/2) too thanks to @lucab85 #77 ## 1.0.10 From 0f34707b66b979b56eb05a83cd7fba3f60a2df07 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 31 Jul 2023 10:36:51 +0100 Subject: [PATCH 37/63] moved precommit file location Signed-off-by: Mark Bolwell --- .../.pre-commit-config.yaml | 2 +- .secrets.baseline => .precommit/.secrets.baseline | 10 ++++------ 2 files changed, 5 insertions(+), 7 deletions(-) rename .pre-commit-config.yaml => .precommit/.pre-commit-config.yaml (96%) rename .secrets.baseline => .precommit/.secrets.baseline (95%) diff --git a/.pre-commit-config.yaml b/.precommit/.pre-commit-config.yaml similarity index 96% rename from .pre-commit-config.yaml rename to .precommit/.pre-commit-config.yaml index 8087b48..fa1decd 100644 --- a/.pre-commit-config.yaml +++ b/.precommit/.pre-commit-config.yaml @@ -28,7 +28,7 @@ repos: rev: v1.4.0 hooks: - id: detect-secrets - args: ['--baseline', '.secrets.baseline'] + args: ['--baseline', '.precommit/.secrets.baseline'] exclude: package.lock.json - repo: https://github.com/ansible-community/ansible-lint diff --git a/.secrets.baseline b/.precommit/.secrets.baseline similarity index 95% rename from .secrets.baseline rename to .precommit/.secrets.baseline index 521cd47..e393467 100644 --- a/.secrets.baseline +++ b/.precommit/.secrets.baseline @@ -77,7 +77,7 @@ }, { "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".secrets.baseline" + "filename": ".precommit/.secrets.baseline" }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", @@ -152,7 +152,7 @@ "filename": "tasks/main.yml", "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", "is_verified": false, - "line_number": 109, + "line_number": 110, "is_secret": false } ], 
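Review bot: With this file now living under `.precommit/`, `pre-commit install` and a bare `pre-commit run` no longer find it, since pre-commit only looks for `.pre-commit-config.yaml` at the repository root; every invocation, including the CI job, must pass `-c .precommit/.pre-commit-config.yaml`. A comment at the top of the file, `# Not at the repo root: run with pre-commit run -c .precommit/.pre-commit-config.yaml`, would save the next contributor a surprise. The README instruction added later in this series spells the file `.precommit/.precommit-commit-config.yaml`, which does not match the path this commit creates, so the two should be reconciled.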
@@ -162,11 +162,9 @@ "filename": "tasks/parse_etc_password.yml", "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", "is_verified": false, - "line_number": 18, - "is_secret": false + "line_number": 18 } ] }, - "generated_at": "2023-07-04T16:02:46Z" + "generated_at": "2023-07-31T09:36:20Z" } - From b634952569c813d6fd6a26e3296a2b2a4a87319e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 31 Jul 2023 10:37:09 +0100 Subject: [PATCH 38/63] updated file locations Signed-off-by: Mark Bolwell --- MANIFEST.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MANIFEST.in b/MANIFEST.in index 6fc2d89..88214c1 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -2,7 +2,7 @@ include site.yml include MANIFEST.in -include .secrets.baseline +include .precommit/.secrets.baseline include *.md *.rst include ansible.cfg include .ansible-lint .gitattributes .gitignore .yamllint .pre-commit-config.yaml LICENSE From 2fbeae499294f7c442fa92a364ec03b449905862 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 31 Jul 2023 10:37:52 +0100 Subject: [PATCH 39/63] updated with precommit check Signed-off-by: Mark Bolwell --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 6ff9449..e98e2a1 100644 --- a/README.md +++ b/README.md @@ -173,7 +173,8 @@ uses: - ansible-core 2.12 - ansible collections - pulls in the latest version based on requirements file -- runs the audit using the devel branch +- Runs the audit using the devel branch +- Runs the pre-commit setup on the PR to ensure everything is in place as expected. - This is an automated test that occurs on pull requests into devel ## Local Testing @@ -183,3 +184,8 @@ uses: - ansible-core 2.15.1 - python 3.11 makefile - this is there purely for testing and initial setup purposes. +pre-commit can be tested with + +```sh +pre-commit run -c .precommit/.precommit-commit-config.yaml +``` From b0f5ea04377d118d716a8e5be8e0c52c4a023421 Mon Sep 17 00:00:00 2001 
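Review bot: The entry for tasks/parse_etc_password.yml loses its `"is_secret": false` field while the tasks/main.yml entry in the previous hunk keeps it, so that finding reverts from "audited, not a secret" to untriaged and `detect-secrets audit` will raise it again. This looks like the baseline was regenerated without the existing one passed as `--baseline`, which drops audit labels; restore the label so the entry reads `"line_number": 18,` followed by `"is_secret": false`. The `generated_at` bump is fine on its own.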
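Review bot: The line directly below the change still lists `.pre-commit-config.yaml` at the repository root (`include .ansible-lint .gitattributes .gitignore .yamllint .pre-commit-config.yaml LICENSE`), while the preceding commit in this series moved that file to `.precommit/.pre-commit-config.yaml`; an `include` of a missing file typically only produces a "no files found matching" warning, so the moved file silently drops out of the sdist. Change that entry to `.precommit/.pre-commit-config.yaml` in the same commit that fixes the baseline path.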
From: Mark Bolwell Date: Tue, 1 Aug 2023 16:41:08 +0100 Subject: [PATCH 40/63] updated with PR #78 Signed-off-by: Mark Bolwell --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index e98e2a1..df0df9f 100644 --- a/README.md +++ b/README.md @@ -56,13 +56,13 @@ Check Mode is not supported! The role will complete in check mode without errors This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. -To use release version please point to main branch and relevant release for the cis benchmark you wish to work with. +To use the release version, please point to the `main` branch and relevant release for the cis benchmark you wish to work with. --- ## Matching a security Level for CIS -It is possible to to only run level 1 or level 2 controls for CIS. +It is possible to only run level 1 or level 2 controls for CIS. This is managed using tags: - level1-server 
@@ -70,23 +70,23 @@ This is managed using tags: - level2-server - level2-workstation -The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. +The control found in the `defaults` main also needs to reflect this, as this control is the testing that takes place if you are using the audit component. ## Coming from a previous release -CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release. -This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. +CIS release always contains changes, it is highly recommended to review the new references and available variables. This has changed significantly since the ansible-lockdown initial release. +This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites which configure the system accordingly. Further details can be seen in the [Changelog](./ChangeLog.md) ## Auditing (new) -This can be turned on or off within the defaults/main.yml file with the variable rhel8cis_run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. +This can be turned on or off within the `defaults/main.yml` file with the variables `setup_audit` and `run_audit`. The value is `false` by default. Please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings. 
-A new form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. -This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. +A new form of auditing has been developed by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check without the need for infrastructure or other tooling. +This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also try to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit). From 81f580c5c026a982427dabdaa7a22da9566a3850 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 1 Aug 2023 16:55:42 +0100 Subject: [PATCH 41/63] added centos wording Signed-off-by: Mark Bolwell --- README.md | 10 ++++++++-- vars/CentOS.yml | 4 ++++ 2 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 vars/CentOS.yml diff --git a/README.md b/README.md index df0df9f..341467b 100644 --- a/README.md +++ b/README.md 
@@ -15,11 +15,11 @@ ![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61781?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) -![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/RHEL9-CIS/linux_benchmark_testing.yml?label=Devel%20Build%20Status) +[![devel build status](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/devel_pipeline_validation.yml/badge.svg?branch=devel)](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/devel_pipeline_validation.yml) ![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) -![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/RHEL9-CIS/linux_benchmark_testing.yml?label=Build%20Status) +[![main build status](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/main_pipeline_validation.yml/badge.svg?branch=main)](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/main_pipeline_validation.yml) ![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS?label=Release%20Date) ![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/RHEL9-CIS?label=Release%20Tag&&color=success) @@ -107,6 +107,12 @@ OracleLinux 9 - Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) +CentOS stream - while this will generally work it is not supported and requires the following variable setting + +```sh +check_os: false +``` + **General:** - Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible 
diff --git a/vars/CentOS.yml b/vars/CentOS.yml new file mode 100644 index 0000000..08ca326 --- /dev/null +++ b/vars/CentOS.yml @@ -0,0 +1,4 @@ +--- + +os_gpg_key_pubkey_name: centos-gpg-keys +os_gpg_key_pubkey_content: "builder@centos.org 9.0" From 2a38e18864eb856d9660a8ebced6ba14b3229173 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 1 Aug 2023 17:03:45 +0100 Subject: [PATCH 42/63] Added pipelines Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 153 ++++++++++++++++++ ...sting.yml => main_pipeline_validation.yml} | 113 ++++++------- 2 files changed, 206 insertions(+), 60 deletions(-) create mode 100644 .github/workflows/devel_pipeline_validation.yml rename .github/workflows/{linux_benchmark_testing.yml => main_pipeline_validation.yml} (61%) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml new file mode 100644 index 0000000..e51af9b --- /dev/null +++ b/.github/workflows/devel_pipeline_validation.yml 
@@ -0,0 +1,153 @@ +--- + + name: devel_pipeline_validation + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: ubuntu-latest + + steps: + - uses: actions/first-interaction@main + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + + # Carries out lint tests on the content + linting: + runs-on: ubuntu-latest + steps: + - name: Clone ${{ github.event.repository.name }} + uses: actions/checkout@v3 + with: + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha }} + + - name: Run ansible-lint + uses: ansible/ansible-lint-action@v6 + with: + path: ./site.yml + + # This workflow contains a single job which tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: ubuntu-latest + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + + steps: + - name: Clone ${{ github.event.repository.name }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Pull in terraform code for linux servers + - name: Clone github IaC plan + uses: actions/checkout@v3 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + + - name: Add_ssh_key + working-directory: .github/workflows + env: + 
SSH_AUTH_SOCK: /tmp/ssh_agent.sock + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + run: | + mkdir .ssh + chmod 700 .ssh + echo $PRIVATE_KEY > .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd + ls + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Init + id: init + run: terraform init + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Validate + id: validate + run: terraform validate + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Apply + id: apply + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + + ## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep for 60 seconds + run: sleep 60s + + # Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/github_linux_IaC/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} + # verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Remove test system - User secrets to 
keep if necessary + + - name: Terraform_Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/main_pipeline_validation.yml similarity index 61% rename from .github/workflows/linux_benchmark_testing.yml rename to .github/workflows/main_pipeline_validation.yml index 895cd4e..22d158a 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/main_pipeline_validation.yml 
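Review bot: `pull_request_target` gives this run the base repository's secrets, yet the `playbook-test` job checks out `${{ github.event.pull_request.head.sha }}` and then runs `site.yml` and `collections/requirements.yml` from that checkout with `secrets.AWS_ACCESS_KEY_ID`, `secrets.AWS_SECRET_ACCESS_KEY` and `secrets.SSH_PRV_KEY` in scope, so a change a contributor makes to those files executes with the repository's credentials before anyone has reviewed it. Gate the job behind a protected `environment:` with required reviewers (or a maintainer-applied label in its `if:`) so a human approves each run, and pin `actions/first-interaction@main` and `arillso/action.playbook@master` to a commit SHA rather than a moving branch. `if: always() && env.ENABLE_DEBUG == 'false'` on Terraform_Destroy appears to be skipped whenever the `ENABLE_DEBUG` repository variable is unset, since the comparison is then against an empty string, which leaves the AWS instances running; `if: always() && env.ENABLE_DEBUG != 'true'` matches the condition the DEBUG steps already use. `echo $PRIVATE_KEY > .ssh/github_actions.pem` is unquoted and folds a multi-line PEM onto one line; `printf '%s\n' "$PRIVATE_KEY" > .ssh/github_actions.pem` keeps it intact. The renamed main_pipeline_validation.yml hunks below have the same trigger/checkout shape and the same destroy condition.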
@@ -1,62 +1,58 @@ --- -# This is a basic workflow to help you get started with Actions + name: main_pipeline_validation -name: linux_benchmark_pipeline + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' -# Controls when the action will run. -# Triggers the workflow on push or pull request -# events but only for the devel branch -on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: -# A workflow run is made up of one or more jobs -# that can run sequentially or in parallel -jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. 
- # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - env: - ENABLE_DEBUG: false - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, - # so your job can access it + # Carries out lint tests on the content + linting: + runs-on: ubuntu-latest + steps: - name: Clone ${{ github.event.repository.name }} uses: actions/checkout@v3 with: - ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha }} - # Pull in terraform code for linux servers + - name: Run ansible-lint + uses: ansible/ansible-lint-action@v6 + with: + path: ./site.yml + + # This workflow contains a single job which tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: ubuntu-latest + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + + steps: + - name: Clone ${{ github.event.repository.name }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Pull in terraform code for linux servers - name: Clone github IaC plan uses: actions/checkout@v3 with: 
@@ -81,13 +77,10 @@ jobs: echo "benchmark_type = $benchmark_type" pwd ls - env: - # Imported from github variables this is used to load the relvent OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - -### Build out the server + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} - name: Terraform_Init id: init @@ -114,7 +107,7 @@ jobs: TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false - ## Debug Section + ## Debug Section - name: DEBUG - Show Ansible hostfile if: env.ENABLE_DEBUG == 'true' run: cat hosts.yml @@ -124,7 +117,7 @@ jobs: - name: Sleep for 60 seconds run: sleep 60s - # Run the ansible playbook + # Run the ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: @@ -137,10 +130,10 @@ jobs: ANSIBLE_HOST_KEY_CHECKING: "false" ANSIBLE_DEPRECATION_WARNINGS: "false" - # Remove test system - User secrets to keep if necessary + # Remove test system - User secrets to keep if necessary - name: Terraform_Destroy - if: always() + if: always() && env.ENABLE_DEBUG == 'false' env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} From 0713706d4c40dff6842c9779cd8167249b77e8a8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 1 Aug 2023 17:06:00 +0100 Subject: [PATCH 43/63] fixed typo and updated Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index f553ad9..f6006b5 100644 --- a/Changelog.md +++ b/Changelog.md 
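Review bot: In the `@@ -81,13 +77,10 @@` hunk the `env:` line of the DEBUG step is removed but not re-added, so `OSVAR: ${{ vars.OSVAR }}` and `benchmark_type: ${{ vars.BENCHMARK_TYPE }}` now follow the `run: |` block with no parent key; as far as the collapsed whitespace lets me tell, they are either absorbed into the literal block scalar as script text or rejected as unknown step keys. Either way the debug step no longer gets those variables in its environment, unlike the devel workflow, which keeps `env:` before them. Re-adding `env:` at the step's key indentation above the comment restores the intended mapping; the step begins before this hunk.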
@@ -3,9 +3,10 @@ ## 1.1.0 - new workflow configuration -- Added pre-commit config - Does not have to be used but can imrpove things + - Allowing devel and main configs + - IaC code found in alternate repo for easier mgmt +- Added pre-commit config - Does not have to be used but can improve things - .pre-commit-config.yaml - - MANIFEST.in - .secrets.baseline - updated to logic in 5.6.5 @@ -13,6 +14,8 @@ - readme updates - audit control updates and variable name changes - ability to run audit on arm64(e.g. pi or M1/2) too thanks to @lucab85 #77 +- tidy up README adopted PR #78 thanks to @lucab85 + ## 1.0.10 From 4bbf19b6d1f310ecdc9eed64a423fcae6886baf9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 1 Aug 2023 17:08:05 +0100 Subject: [PATCH 44/63] updated precommit config Signed-off-by: Mark Bolwell --- .../.pre-commit-config.yaml => .pre-commit-config.yaml | 7 ++++++- .precommit/.secrets.baseline => .secrets.baseline | 4 ++-- 2 files changed, 8 insertions(+), 3 deletions(-) rename .precommit/.pre-commit-config.yaml => .pre-commit-config.yaml (88%) rename .precommit/.secrets.baseline => .secrets.baseline (97%) diff --git a/.precommit/.pre-commit-config.yaml b/.pre-commit-config.yaml similarity index 88% rename from .precommit/.pre-commit-config.yaml rename to .pre-commit-config.yaml index fa1decd..e6541d9 100644 --- a/.precommit/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,4 +1,9 @@ --- +##### CI for use by github no need for action to be added +##### Inherited +ci: + autofix_prs: false + skip: [detect-aws-credentials, ansible-lint ] repos: - repo: https://github.com/pre-commit/pre-commit-hooks @@ -28,7 +33,7 @@ repos: rev: v1.4.0 hooks: - id: detect-secrets - args: ['--baseline', '.precommit/.secrets.baseline'] + args: ['--baseline', '.secrets.baseline'] exclude: package.lock.json - repo: https://github.com/ansible-community/ansible-lint 
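Review bot: `skip: [detect-aws-credentials, ansible-lint ]` in the new `ci:` block switches the AWS-credential scan off on pre-commit.ci, so that hook only runs on contributors' machines where the hooks may not be installed, and a key pasted into a PR would not be caught by the shared pipeline. If it is skipped because the CI runner has no `~/.aws/credentials` to compare against, keeping the hook with `args: ['--allow-missing-credentials']` lets it run without that file; if `ansible-lint` is skipped because pre-commit.ci lacks its runtime, a comment on the line saying so would save the next reader the guess. The stray space in `ansible-lint ]` should also go.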
diff --git a/.precommit/.secrets.baseline b/.secrets.baseline
similarity index 97%
rename from .precommit/.secrets.baseline
rename to .secrets.baseline
index e393467..f4c8d28 100644
--- a/.precommit/.secrets.baseline
+++ b/.secrets.baseline
@@ -77,7 +77,7 @@
 },
 {
 "path": "detect_secrets.filters.common.is_baseline_file",
- "filename": ".precommit/.secrets.baseline"
+ "filename": ".secrets.baseline"
 },
 {
 "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
@@ -166,5 +166,5 @@
 }
 ]
 },
- "generated_at": "2023-07-31T09:36:20Z"
+ "generated_at": "2023-08-01T16:07:28Z"
 }
From 2a7d1cef964c37ddb5500f961d0483f63bc76f50 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 2 Aug 2023 15:49:38 +0100
Subject: [PATCH 45/63] updated Readme
Signed-off-by: Mark Bolwell
---
 README.md | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 341467b..7f82018 100644
--- a/README.md
+++ b/README.md
@@ -15,13 +15,14 @@ ![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61781?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) -[![devel build status](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/devel_pipeline_validation.yml/badge.svg?branch=devel)](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/devel_pipeline_validation.yml) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) - ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) -[![main build status](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/main_pipeline_validation.yml/badge.svg?branch=main)](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/main_pipeline_validation.yml) -![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS?label=Release%20Date) -![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/RHEL9-CIS?label=Release%20Tag&&color=success) +![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS) +![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS) + +[![Main pipeline status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml) + +[![Devel pipeline status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) ![Issues 
Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues) ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success) @@ -29,6 +30,7 @@ ![License](https://img.shields.io/github/license/ansible-lockdown/RHEL9-CIS?label=License) + --- ## Looking for support? From 8525b1e31c6862de4fe51e9c03242f837717950c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 2 Aug 2023 16:03:45 +0100 Subject: [PATCH 46/63] updated pipeline workflows Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 4 ++-- .github/workflows/main_pipeline_validation.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index e51af9b..a6c4a90 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -1,6 +1,6 @@ --- - name: devel_pipeline_validation + name: Devel pipeline on: # yamllint disable-line rule:truthy pull_request_target: @@ -30,7 +30,7 @@ Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. # Carries out lint tests on the content - linting: + lint: runs-on: ubuntu-latest steps: - name: Clone ${{ github.event.repository.name }} diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 22d158a..fc7f808 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -1,6 +1,6 @@ --- - name: main_pipeline_validation + name: Main pipeline on: # yamllint disable-line rule:truthy pull_request_target: From 203cc2b68269cb026737715cd6f0181c1c56701e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 2 Aug 2023 16:05:01 +0100 Subject: [PATCH 47/63] removed files 
Signed-off-by: Mark Bolwell --- MANIFEST.in | 20 -------------------- ansible.cfg | 30 ------------------------------ local.yml | 8 -------- 3 files changed, 58 deletions(-) delete mode 100644 MANIFEST.in delete mode 100644 ansible.cfg delete mode 100644 local.yml diff --git a/MANIFEST.in b/MANIFEST.in deleted file mode 100644 index 88214c1..0000000 --- a/MANIFEST.in +++ /dev/null @@ -1,20 +0,0 @@ -# Files for ansible-signing - -include site.yml -include MANIFEST.in -include .precommit/.secrets.baseline -include *.md *.rst -include ansible.cfg -include .ansible-lint .gitattributes .gitignore .yamllint .pre-commit-config.yaml LICENSE -include requirements.txt Makefile -recursive-exclude .git * -recursive-include .github *.yml *.md *.tf *.tfvars -recursive-include collections *.yml -recursive-include defaults *.yml -recursive-include files * -recursive-include handlers *.yml -recursive-include meta *.yml -recursive-include molecule *.yml -recursive-include tasks *.yml -recursive-include templates *.j2 -recursive-include vars *.yml diff --git a/ansible.cfg b/ansible.cfg deleted file mode 100644 index 1f4e5c4..0000000 --- a/ansible.cfg +++ /dev/null @@ -1,30 +0,0 @@ -[defaults] -host_key_checking=False -display_skipped_hosts=True -system_warnings=False -command_warnings=False -nocows=1 -retry_files_save_path=/dev/null -pipelining=true - -# Use the YAML callback plugin. -#stdout_callback = yaml -# Use the stdout_callback when running ad-hoc commands. -bin_ansible_callbacks = True - -[privilege_escalation] - -[paramiko_connection] -record_host_keys=False - -[ssh_connection] -transfer_method=scp -ssh_args = -o ControlMaster=auto -o ControlPersist=60s - -[accelerate] - -[selinux] - -[colors] - -[diff] diff --git a/local.yml b/local.yml deleted file mode 100644 index 18c2f43..0000000 --- a/local.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -- hosts: localhost - connection: local - become: true - - roles: - - role: "{{ playbook_dir }}" 
From c631b24a9dcca694887f856611b77923ae2012d0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 2 Aug 2023 16:27:15 +0100 Subject: [PATCH 48/63] updated file locations Signed-off-by: Mark Bolwell --- .secrets.baseline => .config/.secrets.baseline | 4 ++-- requirements.txt => .config/requirements.txt | 0 .pre-commit-config.yaml | 2 +- Makefile | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) rename .secrets.baseline => .config/.secrets.baseline (97%) rename requirements.txt => .config/requirements.txt (100%) diff --git a/.secrets.baseline b/.config/.secrets.baseline similarity index 97% rename from .secrets.baseline rename to .config/.secrets.baseline index f4c8d28..dbcf03d 100644 --- a/.secrets.baseline +++ b/.config/.secrets.baseline @@ -77,7 +77,7 @@ }, { "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".secrets.baseline" + "filename": ".config/.secrets.baseline" }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", @@ -166,5 +166,5 @@ } ] }, - "generated_at": "2023-08-01T16:07:28Z" + "generated_at": "2023-08-02T15:26:59Z" } diff --git a/requirements.txt b/.config/requirements.txt similarity index 100% rename from requirements.txt rename to .config/requirements.txt diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e6541d9..794d35a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -33,7 +33,7 @@ repos: rev: v1.4.0 hooks: - id: detect-secrets - args: ['--baseline', '.secrets.baseline'] + args: ['--baseline', '.config/.secrets.baseline'] exclude: package.lock.json - repo: https://github.com/ansible-community/ansible-lint diff --git a/Makefile b/Makefile index c39a283..99029ac 100755 --- a/Makefile +++ b/Makefile @@ -25,5 +25,5 @@ yamllint: pip-requirements: @echo 'Python dependencies:' - @cat requirements.txt + @cat .config/requirements.txt pip3 install -r requirements.txt From 2590d8a9553fb0d53f910afd9461e94a1fe667ef Mon Sep 17 00:00:00 2001 
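Review bot: `pip3 install -r requirements.txt`, the context line right after the changed `@cat .config/requirements.txt` in the Makefile hunk, still points at the path this commit renames away, so the `pip-requirements` target prints the new file and then installs from one that no longer exists; change it to `pip3 install -r .config/requirements.txt`. The `pip-requirements` recipe may continue past the end of the hunk.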
From: Mark Bolwell Date: Wed, 2 Aug 2023 16:28:44 +0100 Subject: [PATCH 49/63] updated changelog Signed-off-by: Mark Bolwell --- Changelog.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index f6006b5..4a4c8c7 100644 --- a/Changelog.md +++ b/Changelog.md @@ -15,7 +15,8 @@ - audit control updates and variable name changes - ability to run audit on arm64(e.g. pi or M1/2) too thanks to @lucab85 #77 - tidy up README adopted PR #78 thanks to @lucab85 - +- moved Makefile requirements to .config/ +- removed .ansible.cfg and local.yml ## 1.0.10 From 299cada9885cd45929b4e3c3d1c8e528c73e4522 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 4 Aug 2023 08:08:23 +0100 Subject: [PATCH 50/63] updated github tag labels Signed-off-by: Mark Bolwell --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 7f82018..f0f95ee 100644 --- a/README.md +++ b/README.md 
@@ -19,9 +19,9 @@ ![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS) ![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS) -[![Main pipeline status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml) +[![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml) -[![Devel pipeline status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml) +[![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml) ![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues) @@ -30,7 +30,6 @@ ![License](https://img.shields.io/github/license/ansible-lockdown/RHEL9-CIS?label=License) - --- ## Looking for support? @@ -192,8 +191,9 @@ uses: - ansible-core 2.15.1 - python 3.11 makefile - this is there purely for testing and initial setup purposes. -pre-commit can be tested with +pre-commit can be tested +Is run from with the directory ```sh -pre-commit run -c .precommit/.precommit-commit-config.yaml +pre-commit run ``` From b314be45ef2d0f13eb6f9dbce5055f494a12035d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 4 Aug 2023 17:45:55 +0100 Subject: [PATCH 51/63] removed separate lint task 
Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 15 --------------- .github/workflows/main_pipeline_validation.yml | 15 --------------- 2 files changed, 30 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index a6c4a90..a4e7d48 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -29,21 +29,6 @@ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. - # Carries out lint tests on the content - lint: - runs-on: ubuntu-latest - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Run ansible-lint - uses: ansible/ansible-lint-action@v6 - with: - path: ./site.yml - # This workflow contains a single job which tests the playbook playbook-test: # The type of runner that the job will run on diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index fc7f808..0b149fb 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -18,21 +18,6 @@ # that can run sequentially or in parallel jobs: - # Carries out lint tests on the content - linting: - runs-on: ubuntu-latest - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Run ansible-lint - uses: ansible/ansible-lint-action@v6 - with: - path: ./site.yml - # This workflow contains a single job which tests the playbook playbook-test: # The type of runner that the job will run on From c5cd1a84878f439459aa91fa93a6689479ac0753 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Mon, 7 Aug 2023 16:39:23 +0100 Subject: [PATCH 52/63] Added secerts baselines Signed-off-by: Mark Bolwell --- .config/.gitleaks-report.json | 322 ++++++++++++++++++++++++++++++++++ .config/.secrets.baseline | 2 +- 2 files changed, 323 insertions(+), 1 deletion(-) create mode 100644 .config/.gitleaks-report.json diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json new file mode 100644 index 0000000..fbdde5d --- /dev/null +++ b/.config/.gitleaks-report.json 
@@ -0,0 +1,322 @@ +[ + { + "Description": "Generic API Key", + "StartLine": 119, + "EndLine": 119, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\"", + "Secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.853056, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:119" + }, + { + "Description": "Generic API Key", + "StartLine": 127, + "EndLine": 127, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"fe96f7cfa2ab2224e7d015067a6f6cc713f7012e\"", + "Secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.6568441, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:127" + }, + { + "Description": "Generic API Key", + "StartLine": 135, + "EndLine": 135, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"a415ab5cc17c8c093c015ccdb7e552aee7911aa4\"", + "Secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.5221736, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit 
files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:135" + }, + { + "Description": "Generic API Key", + "StartLine": 145, + "EndLine": 145, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"2478fefdceefe2847c3aa36dc731aaad5b3cc2fb\"", + "Secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.6348295, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:145" + }, + { + "Description": "Generic API Key", + "StartLine": 153, + "EndLine": 153, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", + "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.646039, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:153" + }, + { + "Description": "Generic API Key", + "StartLine": 163, + "EndLine": 163, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", + "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": 
"495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.8439426, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:163" + }, + { + "Description": "Generic API Key", + "StartLine": 119, + "EndLine": 119, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\"", + "Secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.853056, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:119" + }, + { + "Description": "Generic API Key", + "StartLine": 127, + "EndLine": 127, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"fe96f7cfa2ab2224e7d015067a6f6cc713f7012e\"", + "Secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.6568441, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:127" + }, + { + "Description": "Generic API Key", + "StartLine": 135, + "EndLine": 135, + "StartColumn": 18, + "EndColumn": 68, + 
"Match": "secret\": \"a415ab5cc17c8c093c015ccdb7e552aee7911aa4\"", + "Secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.5221736, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:135" + }, + { + "Description": "Generic API Key", + "StartLine": 145, + "EndLine": 145, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"2478fefdceefe2847c3aa36dc731aaad5b3cc2fb\"", + "Secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.6348295, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:145" + }, + { + "Description": "Generic API Key", + "StartLine": 153, + "EndLine": 153, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", + "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.646039, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": 
"7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:153" + }, + { + "Description": "Generic API Key", + "StartLine": 163, + "EndLine": 163, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", + "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.8439426, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:163" + }, + { + "Description": "Generic API Key", + "StartLine": 3, + "EndLine": 4, + "StartColumn": 9, + "EndColumn": 1, + "Match": "key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec", + "Secret": "gpg-pubkey-8d8b756f-629e59ec", + "File": "vars/OracleLinux.yml", + "SymlinkFile": "", + "Commit": "e04da88df42da0108d489f359513c574fbe5c87a", + "Entropy": 3.96772, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-03-06T11:22:08Z", + "Message": "Added OracleLinux support\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "e04da88df42da0108d489f359513c574fbe5c87a:vars/OracleLinux.yml:generic-api-key:3" + }, + { + "Description": "Generic API Key", + "StartLine": 4, + "EndLine": 5, + "StartColumn": 8, + "EndColumn": 1, + "Match": "key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b", + "Secret": "gpg-pubkey-fd431d51-4ae0493b", + "File": "vars/RedHat.yml", + "SymlinkFile": "", + "Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a", + "Entropy": 3.96772, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2022-07-25T10:26:27Z", + "Message": "1.2.2 rpm gpg key 
check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/RedHat.yml:generic-api-key:4" + }, + { + "Description": "Generic API Key", + "StartLine": 4, + "EndLine": 5, + "StartColumn": 8, + "EndColumn": 1, + "Match": "key_pubkey_name: gpg-pubkey-b86b3716-61e69f29", + "Secret": "gpg-pubkey-b86b3716-61e69f29", + "File": "vars/AlmaLinux.yml", + "SymlinkFile": "", + "Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a", + "Entropy": 3.824863, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2022-07-25T10:26:27Z", + "Message": "1.2.2 rpm gpg key check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/AlmaLinux.yml:generic-api-key:4" + }, + { + "Description": "Generic API Key", + "StartLine": 4, + "EndLine": 5, + "StartColumn": 8, + "EndColumn": 1, + "Match": "key_pubkey_name: gpg-pubkey-350d275d-6279464b", + "Secret": "gpg-pubkey-350d275d-6279464b", + "File": "vars/Rocky.yml", + "SymlinkFile": "", + "Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a", + "Entropy": 3.9946804, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2022-07-25T10:26:27Z", + "Message": "1.2.2 rpm gpg key check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/Rocky.yml:generic-api-key:4" + } +] diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index dbcf03d..26e9634 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -166,5 +166,5 @@ } ] }, - "generated_at": "2023-08-02T15:26:59Z" + "generated_at": "2023-08-07T15:38:18Z" } From 05f8889aaef696e403677fe0252e06a666a39320 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Mon, 7 Aug 2023 16:39:44 +0100 Subject: [PATCH 53/63] added gitleaks plugin Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 794d35a..f044df5 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,6 +36,13 @@ repos: args: ['--baseline', '.config/.secrets.baseline'] exclude: package.lock.json + +- repo: https://github.com/gitleaks/gitleaks + rev: v8.17.0 + hooks: + - id: gitleaks + args: ['--baseline-path','.config/.gitleaks-report.json'] + - repo: https://github.com/ansible-community/ansible-lint rev: v6.17.2 hooks: From c53cc86db0e9721de358871780e77b86970b176f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 7 Aug 2023 16:40:32 +0100 Subject: [PATCH 54/63] updated for gitleaks Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 4a4c8c7..e3b0e82 100644 --- a/Changelog.md +++ b/Changelog.md @@ -8,6 +8,7 @@ - Added pre-commit config - Does not have to be used but can improve things - .pre-commit-config.yaml - .secrets.baseline + - gitleaks and secrets detection - updated to logic in 5.6.5 - lint updates to 6.1.x From 4878eff7a7e6c6548fe587816f574b2894529511 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 18:04:36 +0100 Subject: [PATCH 55/63] removed templates to inherit from org Signed-off-by: Mark Bolwell --- .github/ISSUE_TEMPLATE/bug_report.md | 34 ------------------- .../feature-request-or-enhancement.md | 22 ------------ .github/ISSUE_TEMPLATE/question.md | 18 ---------- .github/pull_request_template.md | 12 ------- 4 files changed, 86 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.md delete mode 100644 .github/ISSUE_TEMPLATE/feature-request-or-enhancement.md delete mode 100644 .github/ISSUE_TEMPLATE/question.md delete mode 100644 .github/pull_request_template.md 
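Review bot: The baseline this hook points at via `args: ['--baseline-path','.config/.gitleaks-report.json']` is a gitleaks report, and that format stores each finding's matched text verbatim in its `Match` and `Secret` fields (the report hunk earlier in this series shows them in cleartext), so committing it as a baseline means any genuine credential gitleaks ever flags is copied into the repository the next time the baseline is regenerated. Generating the baseline with `--redact` is the cheaper mitigation: gitleaks compares baseline entries by `Fingerprint` rather than by secret value, so a redacted report should suppress the same findings, though that is worth confirming against v8.17.0; a `.gitleaksignore` listing the fingerprints is the alternative that carries no match text at all. The ten entries currently in the file are false positives (hashed digests copied from `.secrets.baseline` and `gpg-pubkey-*` package names), and each fingerprint is tied to a specific commit SHA, so the file suppresses only those exact historical hits and will need regenerating if history is rewritten. As with the other hooks in this file, `rev: v8.17.0` pins a mutable tag; pre-commit accepts a commit SHA in `rev` if a stricter supply-chain pin is wanted.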
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index d3828ea..0000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -name: Report Issue -about: Create a bug issue ticket to help us improve -title: '' -labels: bug -assignees: '' - ---- - -**Describe the Issue** -A clear and concise description of what the bug is. - -**Expected Behavior** -A clear and concise description of what you expected to happen. - -**Actual Behavior** -A clear and concise description of what's happening. - -**Control(s) Affected** -What controls are being affected by the issue - -**Environment (please complete the following information):** - -- branch being used: [e.g. devel] -- Ansible Version: [e.g. 2.10] -- Host Python Version: [e.g. Python 3.7.6] -- Ansible Server Python Version: [e.g. Python 3.7.6] -- Additional Details: - -**Additional Notes** -Anything additional goes here - -**Possible Solution** -Enter a suggested fix here diff --git a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md deleted file mode 100644 index 3908075..0000000 --- a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -name: Feature Request or Enhancement -about: Suggest an idea for this project -title: '' -labels: enhancement -assignees: '' - ---- - -## Feature Request or Enhancement - -- Feature [] -- Enhancement [] - -**Summary of Request** -A clear and concise description of what you want to happen. - -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Suggested Code** -Please provide any code you have in mind to fulfill the request diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md deleted file mode 100644 index ad0629e..0000000 --- a/.github/ISSUE_TEMPLATE/question.md +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -name: Question -about: Ask away....... -title: '' -labels: question -assignees: '' - ---- - -**Question** -Pose question here. - -**Environment (please complete the following information):** - -- Ansible Version: [e.g. 2.10] -- Host Python Version: [e.g. Python 3.7.6] -- Ansible Server Python Version: [e.g. Python 3.7.6] -- Additional Details: diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md deleted file mode 100644 index 05dadb6..0000000 --- a/.github/pull_request_template.md +++ /dev/null @@ -1,12 +0,0 @@ -**Overall Review of Changes:** -A general description of the changes made that are being requested for merge - -**Issue Fixes:** -Please list (using linking) any open issues this PR addresses - -**Enhancements:** -Please list any enhancements/features that are not open issue tickets - -**How has this been tested?:** -Please give an overview of how these changes were tested. If they were not please use N/A - From 0b6bb8afd7979a128ff3097980f0b7f9bd8a4204 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 18:53:23 +0100 Subject: [PATCH 56/63] update EOL spacing Signed-off-by: Mark Bolwell --- .gitignore | 2 +- templates/ansible_vars_goss.yml.j2 | 2 +- templates/audit/98_auditd_exception.rules.j2 | 4 ++-- templates/audit/99_auditd.rules.j2 | 2 +- templates/etc/dconf/db/00-automount_lock.j2 | 2 +- templates/etc/dconf/db/00-autorun_lock.j2 | 4 ++-- templates/etc/dconf/db/00-media-automount.j2 | 2 +- templates/etc/dconf/db/00-media-autorun.j2 | 2 +- templates/etc/dconf/db/00-screensaver.j2 | 2 +- templates/etc/dconf/db/00-screensaver_lock.j2 | 2 +- templates/etc/dconf/db/gdm.d/01-banner-message.j2 | 2 +- templates/etc/sysctl.d/60-disable_ipv6.conf.j2 | 2 +- 12 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.gitignore b/.gitignore index 8dd29c6..f67408e 100644 --- a/.gitignore +++ b/.gitignore 
@@ -12,7 +12,7 @@ delete* ignore* test_inv # temp remove doc while this is built up -doc/ +doc/ # VSCode .vscode diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 04a8284..e862c1d 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -486,7 +486,7 @@ rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile # 5.5.1 ## PAM -rhel9cis_pam_password: +rhel9cis_pam_password: minlen: {{ rhel9cis_pam_password['minlen'] }} minclass: {{ rhel9cis_pam_password['minclass'] }} rhel9cis_pam_passwd_retry: "3" diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index 2f76269..0f4a4f9 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -1,10 +1,10 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC ### YOUR CHANGES WILL BE LOST! # This file contains users whose actions are not logged by auditd -{% if rhel9cis_allow_auditd_uid_user_exclusions %} +{% if rhel9cis_allow_auditd_uid_user_exclusions %} {% for user in rhel9cis_auditd_uid_exclude %} -a never,user -F uid!={{ user }} -F auid!={{ user }} {% endfor %} diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index c48782c..6f7c388 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC ### YOUR CHANGES WILL BE LOST! diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2 index d92c56b..efebeac 100644 --- a/templates/etc/dconf/db/00-automount_lock.j2 +++ b/templates/etc/dconf/db/00-automount_lock.j2 
@@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC # Lock desktop media-handling automount setting diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2 index 503069c..4506f4f 100644 --- a/templates/etc/dconf/db/00-autorun_lock.j2 +++ b/templates/etc/dconf/db/00-autorun_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC -# Lock desktop media-handling settings +# Lock desktop media-handling settings /org/gnome/desktop/media-handling/autorun-never diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2 index 32192c3..78ad883 100644 --- a/templates/etc/dconf/db/00-media-automount.j2 +++ b/templates/etc/dconf/db/00-media-automount.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC [org/gnome/desktop/media-handling] diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2 index 16ded9d..81bdfea 100644 --- a/templates/etc/dconf/db/00-media-autorun.j2 +++ b/templates/etc/dconf/db/00-media-autorun.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC [org/gnome/desktop/media-handling] diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 index 822b33d..acfeaee 100644 --- a/templates/etc/dconf/db/00-screensaver.j2 +++ b/templates/etc/dconf/db/00-screensaver.j2 
@@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC # Specify the dconf path diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2 index fae6e82..d6c5d70 100644 --- a/templates/etc/dconf/db/00-screensaver_lock.j2 +++ b/templates/etc/dconf/db/00-screensaver_lock.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC # Lock desktop screensaver idle-delay setting diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 index 73b4505..c7ae76e 100644 --- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 +++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC [org/gnome/login-screen] diff --git a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 index 732cbcc..599103e 100644 --- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 @@ -2,6 +2,6 @@ # IPv6 disable {% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} -net.ipv6.conf.all.disable_ipv6 = 1 +net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 {% endif %} From 65c111177e9772f1414e43107a2b0fc100e47bfc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 18:56:05 +0100 Subject: [PATCH 57/63] tidy up spacing Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f044df5..350509c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -36,7 +36,6 @@ repos: args: ['--baseline', '.config/.secrets.baseline'] exclude: package.lock.json - - repo: https://github.com/gitleaks/gitleaks rev: v8.17.0 hooks: From ec5217c309acfaee3f3ea5117c5d9a947da20208 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 18:58:35 +0100 Subject: [PATCH 58/63] updated secets for gitleaks Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 164 +++++++++++++++++++++++++++++++++++++- 1 file changed, 163 insertions(+), 1 deletion(-) diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index 26e9634..8f7ab01 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline 
@@ -112,6 +112,168 @@ } ], "results": { + ".config/.gitleaks-report.json": [ + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", + "is_verified": false, + "line_number": 9, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", + "is_verified": false, + "line_number": 9, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "cd6f8dc4b799af818fedddd7c83e5df8bf770555", + "is_verified": false, + "line_number": 12, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", + "is_verified": false, + "line_number": 29, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", + "is_verified": false, + "line_number": 29, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", + "is_verified": false, + "line_number": 49, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", + "is_verified": false, + "line_number": 49, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", + "is_verified": false, + "line_number": 69, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", + "is_verified": false, + 
"line_number": 69, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", + "is_verified": false, + "line_number": 89, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", + "is_verified": false, + "line_number": 89, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", + "is_verified": false, + "line_number": 109, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", + "is_verified": false, + "line_number": 109, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "cb5e191d260065309ce16cd3675837069c8734c8", + "is_verified": false, + "line_number": 132, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "976b057e0978bf8956e05b173f070cd7757c38c6", + "is_verified": false, + "line_number": 249, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "bdb4ffe72f980b517d691e83c9eb50219a63fe91", + "is_verified": false, + "line_number": 252, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "95f603d65dd6aec15f75185df59f92e90737da49", + "is_verified": false, + "line_number": 269, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "72172e3578dc29c275e5a39bdf7a1a038bdc03c4", + "is_verified": false, + "line_number": 272, + 
"is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "08f0ac7a7bbbb1819417e5a47aa0eebbd5fe4e86", + "is_verified": false, + "line_number": 289, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "23fdd48a76e5b32e85c6698062f1489d6fbac450", + "is_verified": false, + "line_number": 309, + "is_secret": false + } + ], "defaults/main.yml": [ { "type": "Secret Keyword", @@ -166,5 +328,5 @@ } ] }, - "generated_at": "2023-08-07T15:38:18Z" + "generated_at": "2023-08-08T17:57:54Z" } From 08bbc99903111a148f4909363c6e001c570947a6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 19:02:11 +0100 Subject: [PATCH 59/63] tidy up spacing Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 2 +- templates/etc/cron.d/aide.cron.j2 | 4 ++-- templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 350509c..00725c6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -40,7 +40,7 @@ repos: rev: v8.17.0 hooks: - id: gitleaks - args: ['--baseline-path','.config/.gitleaks-report.json'] + args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint rev: v6.17.2 diff --git a/templates/etc/cron.d/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2 index 21270eb..db93323 100644 --- a/templates/etc/cron.d/aide.cron.j2 +++ b/templates/etc/cron.d/aide.cron.j2 @@ -1,6 +1,6 @@ -# Run AIDE integrity check +# Run AIDE integrity check ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC ### YOUR CHANGES WILL BE LOST! # CIS 1.3.2 
diff --git a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 index e85fae9..5e63a01 100644 --- a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 @@ -18,4 +18,4 @@ net.ipv6.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0 {% endif %} -{% endif %} \ No newline at end of file +{% endif %} From afd4cd01ba8dc23d1cb2df3bfa08a8d5b938aeb1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 19:31:16 +0100 Subject: [PATCH 60/63] updated lable for badge Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f0f95ee..b41aa4d 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ [![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml) [![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits) ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues) ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success) From d79fe8fa049e4ab88273ef8e88a358643346bef7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 9 Aug 2023 09:18:57 +0100 Subject: [PATCH 61/63] updated secrets 
Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 170 ++------------------------------------ 1 file changed, 7 insertions(+), 163 deletions(-) diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index 8f7ab01..aedca92 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline 
@@ -109,171 +109,15 @@ }, { "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": "detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + ".config/.gitleaks-report.json" + ] } ], "results": { - ".config/.gitleaks-report.json": [ - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", - "is_verified": false, - "line_number": 9, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", - "is_verified": false, - "line_number": 9, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "cd6f8dc4b799af818fedddd7c83e5df8bf770555", - "is_verified": false, - "line_number": 12, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", - "is_verified": false, - "line_number": 29, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", - "is_verified": false, - "line_number": 29, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", - "is_verified": false, - "line_number": 49, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", - "is_verified": false, - "line_number": 49, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", - "is_verified": false, - "line_number": 69, - 
"is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", - "is_verified": false, - "line_number": 69, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", - "is_verified": false, - "line_number": 89, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", - "is_verified": false, - "line_number": 89, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", - "is_verified": false, - "line_number": 109, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", - "is_verified": false, - "line_number": 109, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "cb5e191d260065309ce16cd3675837069c8734c8", - "is_verified": false, - "line_number": 132, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "976b057e0978bf8956e05b173f070cd7757c38c6", - "is_verified": false, - "line_number": 249, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "bdb4ffe72f980b517d691e83c9eb50219a63fe91", - "is_verified": false, - "line_number": 252, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "95f603d65dd6aec15f75185df59f92e90737da49", - "is_verified": false, - "line_number": 269, - "is_secret": false - }, - { - "type": 
"Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "72172e3578dc29c275e5a39bdf7a1a038bdc03c4", - "is_verified": false, - "line_number": 272, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "08f0ac7a7bbbb1819417e5a47aa0eebbd5fe4e86", - "is_verified": false, - "line_number": 289, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "23fdd48a76e5b32e85c6698062f1489d6fbac450", - "is_verified": false, - "line_number": 309, - "is_secret": false - } - ], "defaults/main.yml": [ { "type": "Secret Keyword", @@ -328,5 +172,5 @@ } ] }, - "generated_at": "2023-08-08T17:57:54Z" + "generated_at": "2023-08-09T08:11:03Z" } From ae640608685cbcd1d0e7dd7c6bc56c9c533c0926 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 9 Aug 2023 09:19:18 +0100 Subject: [PATCH 62/63] updated secrets check Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 00725c6..97c7943 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -33,8 +33,8 @@ repos: rev: v1.4.0 hooks: - id: detect-secrets - args: ['--baseline', '.config/.secrets.baseline'] - exclude: package.lock.json + args: [ '--baseline', '.config/.secrets.baseline' ] + exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks rev: v8.17.0 From dadeeab2c76d20dadbd1a5602810687c19dcedf2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 9 Aug 2023 11:47:54 +0100 Subject: [PATCH 63/63] updated comment on rule 1.2.1 Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 2501732..9d732bb 100644 --- a/tasks/section_1/cis_1.2.x.yml 
+++ b/tasks/section_1/cis_1.2.x.yml @@ -17,7 +17,7 @@ - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail" ansible.builtin.fail: - msg: Installed GPG Keys do not meet expected values or keys installed that are not expected + msg: Installed GPG Keys do not meet expected values or expected keys are not installed when: - os_installed_pub_keys.rc == 1 or os_gpg_key_check.rc == 1