From 4878eff7a7e6c6548fe587816f574b2894529511 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 18:04:36 +0100 Subject: [PATCH 1/9] removed templates to inherit from org Signed-off-by: Mark Bolwell --- .github/ISSUE_TEMPLATE/bug_report.md | 34 ------------------- .../feature-request-or-enhancement.md | 22 ------------ .github/ISSUE_TEMPLATE/question.md | 18 ---------- .github/pull_request_template.md | 12 ------- 4 files changed, 86 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.md delete mode 100644 .github/ISSUE_TEMPLATE/feature-request-or-enhancement.md delete mode 100644 .github/ISSUE_TEMPLATE/question.md delete mode 100644 .github/pull_request_template.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index d3828ea..0000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -name: Report Issue -about: Create a bug issue ticket to help us improve -title: '' -labels: bug -assignees: '' - ---- - -**Describe the Issue** -A clear and concise description of what the bug is. - -**Expected Behavior** -A clear and concise description of what you expected to happen. - -**Actual Behavior** -A clear and concise description of what's happening. - -**Control(s) Affected** -What controls are being affected by the issue - -**Environment (please complete the following information):** - -- branch being used: [e.g. devel] -- Ansible Version: [e.g. 2.10] -- Host Python Version: [e.g. Python 3.7.6] -- Ansible Server Python Version: [e.g. Python 3.7.6] -- Additional Details: - -**Additional Notes** -Anything additional goes here - -**Possible Solution** -Enter a suggested fix here diff --git a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md deleted file mode 100644 index 3908075..0000000 --- a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -name: Feature Request or Enhancement -about: Suggest an idea for this project -title: '' -labels: enhancement -assignees: '' - ---- - -## Feature Request or Enhancement - -- Feature [] -- Enhancement [] - -**Summary of Request** -A clear and concise description of what you want to happen. - -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Suggested Code** -Please provide any code you have in mind to fulfill the request diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md deleted file mode 100644 index ad0629e..0000000 --- a/.github/ISSUE_TEMPLATE/question.md +++ /dev/null @@ -1,18 +0,0 @@ ---- -name: Question -about: Ask away....... -title: '' -labels: question -assignees: '' - ---- - -**Question** -Pose question here. - -**Environment (please complete the following information):** - -- Ansible Version: [e.g. 2.10] -- Host Python Version: [e.g. Python 3.7.6] -- Ansible Server Python Version: [e.g. Python 3.7.6] -- Additional Details: diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md deleted file mode 100644 index 05dadb6..0000000 --- a/.github/pull_request_template.md +++ /dev/null @@ -1,12 +0,0 @@ -**Overall Review of Changes:** -A general description of the changes made that are being requested for merge - -**Issue Fixes:** -Please list (using linking) any open issues this PR addresses - -**Enhancements:** -Please list any enhancements/features that are not open issue tickets - -**How has this been tested?:** -Please give an overview of how these changes were tested. If they were not please use N/A - From 0b6bb8afd7979a128ff3097980f0b7f9bd8a4204 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 18:53:23 +0100 Subject: [PATCH 2/9] update EOL spacing 
Signed-off-by: Mark Bolwell --- .gitignore | 2 +- templates/ansible_vars_goss.yml.j2 | 2 +- templates/audit/98_auditd_exception.rules.j2 | 4 ++-- templates/audit/99_auditd.rules.j2 | 2 +- templates/etc/dconf/db/00-automount_lock.j2 | 2 +- templates/etc/dconf/db/00-autorun_lock.j2 | 4 ++-- templates/etc/dconf/db/00-media-automount.j2 | 2 +- templates/etc/dconf/db/00-media-autorun.j2 | 2 +- templates/etc/dconf/db/00-screensaver.j2 | 2 +- templates/etc/dconf/db/00-screensaver_lock.j2 | 2 +- templates/etc/dconf/db/gdm.d/01-banner-message.j2 | 2 +- templates/etc/sysctl.d/60-disable_ipv6.conf.j2 | 2 +- 12 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.gitignore b/.gitignore index 8dd29c6..f67408e 100644 --- a/.gitignore +++ b/.gitignore @@ -12,7 +12,7 @@ delete* ignore* test_inv # temp remove doc while this is built up -doc/ +doc/ # VSCode .vscode diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 04a8284..e862c1d 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -486,7 +486,7 @@ rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile # 5.5.1 ## PAM -rhel9cis_pam_password: +rhel9cis_pam_password: minlen: {{ rhel9cis_pam_password['minlen'] }} minclass: {{ rhel9cis_pam_password['minclass'] }} rhel9cis_pam_passwd_retry: "3" diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index 2f76269..0f4a4f9 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 
@@ -1,10 +1,10 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC ### YOUR CHANGES WILL BE LOST! # This file contains users whose actions are not logged by auditd -{% if rhel9cis_allow_auditd_uid_user_exclusions %} +{% if rhel9cis_allow_auditd_uid_user_exclusions %} {% for user in rhel9cis_auditd_uid_exclude %} -a never,user -F uid!={{ user }} -F auid!={{ user }} {% endfor %} diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index c48782c..6f7c388 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC ### YOUR CHANGES WILL BE LOST! diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2 index d92c56b..efebeac 100644 --- a/templates/etc/dconf/db/00-automount_lock.j2 +++ b/templates/etc/dconf/db/00-automount_lock.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC # Lock desktop media-handling automount setting diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2 index 503069c..4506f4f 100644 --- a/templates/etc/dconf/db/00-autorun_lock.j2 +++ b/templates/etc/dconf/db/00-autorun_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC -# Lock desktop media-handling settings +# Lock desktop media-handling settings /org/gnome/desktop/media-handling/autorun-never 
diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2 index 32192c3..78ad883 100644 --- a/templates/etc/dconf/db/00-media-automount.j2 +++ b/templates/etc/dconf/db/00-media-automount.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC [org/gnome/desktop/media-handling] diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2 index 16ded9d..81bdfea 100644 --- a/templates/etc/dconf/db/00-media-autorun.j2 +++ b/templates/etc/dconf/db/00-media-autorun.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC [org/gnome/desktop/media-handling] diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 index 822b33d..acfeaee 100644 --- a/templates/etc/dconf/db/00-screensaver.j2 +++ b/templates/etc/dconf/db/00-screensaver.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC # Specify the dconf path diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2 index fae6e82..d6c5d70 100644 --- a/templates/etc/dconf/db/00-screensaver_lock.j2 +++ b/templates/etc/dconf/db/00-screensaver_lock.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC # Lock desktop screensaver idle-delay setting diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 index 73b4505..c7ae76e 100644 --- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 
+++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC [org/gnome/login-screen] diff --git a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 index 732cbcc..599103e 100644 --- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 @@ -2,6 +2,6 @@ # IPv6 disable {% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} -net.ipv6.conf.all.disable_ipv6 = 1 +net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 {% endif %} From 65c111177e9772f1414e43107a2b0fc100e47bfc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 18:56:05 +0100 Subject: [PATCH 3/9] tidy up spacing Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f044df5..350509c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,7 +36,6 @@ repos: args: ['--baseline', '.config/.secrets.baseline'] exclude: package.lock.json - - repo: https://github.com/gitleaks/gitleaks rev: v8.17.0 hooks: From ec5217c309acfaee3f3ea5117c5d9a947da20208 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 18:58:35 +0100 Subject: [PATCH 4/9] updated secets for gitleaks Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 164 +++++++++++++++++++++++++++++++++++++- 1 file changed, 163 insertions(+), 1 deletion(-) diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index 26e9634..8f7ab01 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline 
@@ -112,6 +112,168 @@ } ], "results": { + ".config/.gitleaks-report.json": [ + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", + "is_verified": false, + "line_number": 9, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", + "is_verified": false, + "line_number": 9, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "cd6f8dc4b799af818fedddd7c83e5df8bf770555", + "is_verified": false, + "line_number": 12, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", + "is_verified": false, + "line_number": 29, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", + "is_verified": false, + "line_number": 29, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", + "is_verified": false, + "line_number": 49, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", + "is_verified": false, + "line_number": 49, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", + "is_verified": false, + "line_number": 69, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", + "is_verified": false, + 
"line_number": 69, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", + "is_verified": false, + "line_number": 89, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", + "is_verified": false, + "line_number": 89, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", + "is_verified": false, + "line_number": 109, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", + "is_verified": false, + "line_number": 109, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "cb5e191d260065309ce16cd3675837069c8734c8", + "is_verified": false, + "line_number": 132, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "976b057e0978bf8956e05b173f070cd7757c38c6", + "is_verified": false, + "line_number": 249, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "bdb4ffe72f980b517d691e83c9eb50219a63fe91", + "is_verified": false, + "line_number": 252, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "95f603d65dd6aec15f75185df59f92e90737da49", + "is_verified": false, + "line_number": 269, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "72172e3578dc29c275e5a39bdf7a1a038bdc03c4", + "is_verified": false, + "line_number": 272, + 
"is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "08f0ac7a7bbbb1819417e5a47aa0eebbd5fe4e86", + "is_verified": false, + "line_number": 289, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "23fdd48a76e5b32e85c6698062f1489d6fbac450", + "is_verified": false, + "line_number": 309, + "is_secret": false + } + ], "defaults/main.yml": [ { "type": "Secret Keyword", @@ -166,5 +328,5 @@ } ] }, - "generated_at": "2023-08-07T15:38:18Z" + "generated_at": "2023-08-08T17:57:54Z" } From 08bbc99903111a148f4909363c6e001c570947a6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 19:02:11 +0100 Subject: [PATCH 5/9] tidy up spacing Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 2 +- templates/etc/cron.d/aide.cron.j2 | 4 ++-- templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 350509c..00725c6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -40,7 +40,7 @@ repos: rev: v8.17.0 hooks: - id: gitleaks - args: ['--baseline-path','.config/.gitleaks-report.json'] + args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint rev: v6.17.2 diff --git a/templates/etc/cron.d/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2 index 21270eb..db93323 100644 --- a/templates/etc/cron.d/aide.cron.j2 +++ b/templates/etc/cron.d/aide.cron.j2 @@ -1,6 +1,6 @@ -# Run AIDE integrity check +# Run AIDE integrity check ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC ### YOUR CHANGES WILL BE LOST! # CIS 1.3.2 
diff --git a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 index e85fae9..5e63a01 100644 --- a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 @@ -18,4 +18,4 @@ net.ipv6.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0 {% endif %} -{% endif %} \ No newline at end of file +{% endif %} From afd4cd01ba8dc23d1cb2df3bfa08a8d5b938aeb1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 19:31:16 +0100 Subject: [PATCH 6/9] updated lable for badge Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f0f95ee..b41aa4d 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ [![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml) [![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits) ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues) ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success) From d79fe8fa049e4ab88273ef8e88a358643346bef7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 9 Aug 2023 09:18:57 +0100 Subject: [PATCH 7/9] updated secrets 
Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 170 ++------------------------------------ 1 file changed, 7 insertions(+), 163 deletions(-) diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index 8f7ab01..aedca92 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline 
@@ -109,171 +109,15 @@ }, { "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": "detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + ".config/.gitleaks-report.json" + ] } ], "results": { - ".config/.gitleaks-report.json": [ - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", - "is_verified": false, - "line_number": 9, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", - "is_verified": false, - "line_number": 9, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "cd6f8dc4b799af818fedddd7c83e5df8bf770555", - "is_verified": false, - "line_number": 12, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", - "is_verified": false, - "line_number": 29, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", - "is_verified": false, - "line_number": 29, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", - "is_verified": false, - "line_number": 49, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", - "is_verified": false, - "line_number": 49, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", - "is_verified": false, - "line_number": 69, - 
"is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", - "is_verified": false, - "line_number": 69, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", - "is_verified": false, - "line_number": 89, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", - "is_verified": false, - "line_number": 89, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", - "is_verified": false, - "line_number": 109, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", - "is_verified": false, - "line_number": 109, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "cb5e191d260065309ce16cd3675837069c8734c8", - "is_verified": false, - "line_number": 132, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "976b057e0978bf8956e05b173f070cd7757c38c6", - "is_verified": false, - "line_number": 249, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "bdb4ffe72f980b517d691e83c9eb50219a63fe91", - "is_verified": false, - "line_number": 252, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "95f603d65dd6aec15f75185df59f92e90737da49", - "is_verified": false, - "line_number": 269, - "is_secret": false - }, - { - "type": 
"Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "72172e3578dc29c275e5a39bdf7a1a038bdc03c4", - "is_verified": false, - "line_number": 272, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "08f0ac7a7bbbb1819417e5a47aa0eebbd5fe4e86", - "is_verified": false, - "line_number": 289, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "23fdd48a76e5b32e85c6698062f1489d6fbac450", - "is_verified": false, - "line_number": 309, - "is_secret": false - } - ], "defaults/main.yml": [ { "type": "Secret Keyword", @@ -328,5 +172,5 @@ } ] }, - "generated_at": "2023-08-08T17:57:54Z" + "generated_at": "2023-08-09T08:11:03Z" } From ae640608685cbcd1d0e7dd7c6bc56c9c533c0926 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 9 Aug 2023 09:19:18 +0100 Subject: [PATCH 8/9] updated secrets check Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 00725c6..97c7943 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -33,8 +33,8 @@ repos: rev: v1.4.0 hooks: - id: detect-secrets - args: ['--baseline', '.config/.secrets.baseline'] - exclude: package.lock.json + args: [ '--baseline', '.config/.secrets.baseline' ] + exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks rev: v8.17.0 From dadeeab2c76d20dadbd1a5602810687c19dcedf2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 9 Aug 2023 11:47:54 +0100 Subject: [PATCH 9/9] updated comment on rule 1.2.1 Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 2501732..9d732bb 100644 --- a/tasks/section_1/cis_1.2.x.yml 
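Review bot: The new `should_exclude_file` filter stops detect-secrets from ever looking at `.config/.gitleaks-report.json`, yet the twenty entries this hunk removes show that file holds strings detect-secrets rates as `Secret Keyword` and `Hex High Entropy String` (the same `hashed_secret` reported at one line under both detectors is what a gitleaks `Secret` field looks like). If that report is the gitleaks baseline it appears to carry each matched string verbatim, so the exclusion hides data rather than noise; confirm every baselined finding is a false positive, or regenerate the report with gitleaks' `--redact` so only locations and fingerprints are committed (the hook would then also need `--redact` if its baseline comparison includes the secret text). The `pattern` value is a regex, so `"^\\.config/\\.gitleaks-report\\.json$"` anchors it to that one path instead of any path ending in those characters.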
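Review bot: `exclude:` in pre-commit is a Python regex searched against the path, so the new `exclude: .config/.gitleaks-report.json` also matches any deeper path ending in those characters and its dots match any character; anchor and escape it, `exclude: '^\.config/\.gitleaks-report\.json$'`. Dropping `package.lock.json` means that file, if it exists anywhere in the repo, is now scanned by detect-secrets — no such file is visible in this series so it is probably a stale entry, but `'^(\.config/\.gitleaks-report\.json|package\.lock\.json)$'` keeps both if it is not. The reformatted `args: [ '--baseline', '.config/.secrets.baseline' ]` now differs from the gitleaks hook's `['--baseline-path', '.config/.gitleaks-report.json']` a few lines down, and spaces inside the brackets are rejected by yamllint's default `brackets` rule (`max-spaces-inside: 0`) unless the repo's yamllint config relaxes it; keep the flow sequence without inner spaces.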
+++ b/tasks/section_1/cis_1.2.x.yml @@ -17,7 +17,7 @@ - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail" ansible.builtin.fail: - msg: Installed GPG Keys do not meet expected values or keys installed that are not expected + msg: Installed GPG Keys do not meet expected values or expected keys are not installed when: - os_installed_pub_keys.rc == 1 or os_gpg_key_check.rc == 1