Merge pull request #83 from ansible-lockdown/template_and_secrets

Template and secrets
2023-08-09 12:28:44 +01:00 · 2023-08-09 12:28:44 +01:00 · 5bedad6472
commit 5bedad6472
parent 83c4e5c7e5 dadeeab2c7
22 changed files with 29 additions and 110 deletions
--- a/.config/.secrets.baseline
+++ b/.config/.secrets.baseline
@ -109,6 +109,12 @@
    },
    {
      "path": "detect_secrets.filters.heuristic.is_templated_secret"
    },
    {
      "path": "detect_secrets.filters.regex.should_exclude_file",
      "pattern": [
        ".config/.gitleaks-report.json"
      ]
    }
  ],
  "results": {
@ -166,5 +172,5 @@
      }
    ]
  },
-  "generated_at": "2023-08-07T15:38:18Z"
+  "generated_at": "2023-08-09T08:11:03Z"
 }
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -1,34 +0,0 @@
 ---
 name: Report Issue
 about: Create a bug issue ticket to help us improve
 title: ''
 labels: bug
 assignees: ''
 ---
 **Describe the Issue**
 A clear and concise description of what the bug is.
 **Expected Behavior**
 A clear and concise description of what you expected to happen.
 **Actual Behavior**
 A clear and concise description of what's happening.
 **Control(s) Affected**
 What controls are being affected by the issue
 **Environment (please complete the following information):**
 - branch being used: [e.g. devel]
 - Ansible Version: [e.g. 2.10]
 - Host Python Version: [e.g. Python 3.7.6]
 - Ansible Server Python Version: [e.g. Python 3.7.6]
 - Additional Details:
 **Additional Notes**
 Anything additional goes here
 **Possible Solution**
 Enter a suggested fix here
--- a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md
+++ b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md
@ -1,22 +0,0 @@
 ---
 name: Feature Request or Enhancement
 about: Suggest an idea for this project
 title: ''
 labels: enhancement
 assignees: ''
 ---
 ## Feature Request or Enhancement
 - Feature []
 - Enhancement []
 **Summary of Request**
 A clear and concise description of what you want to happen.
 **Describe alternatives you've considered**
 A clear and concise description of any alternative solutions or features you've considered.
 **Suggested Code**
 Please provide any code you have in mind to fulfill the request
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@ -1,18 +0,0 @@
 ---
 name: Question
 about: Ask away.......
 title: ''
 labels: question
 assignees: ''
 ---
 **Question**
 Pose question here.
 **Environment (please complete the following information):**
 - Ansible Version: [e.g. 2.10]
 - Host Python Version: [e.g. Python 3.7.6]
 - Ansible Server Python Version: [e.g. Python 3.7.6]
 - Additional Details:
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,12 +0,0 @@
 **Overall Review of Changes:**
 A general description of the changes made that are being requested for merge
 **Issue Fixes:**
 Please list (using linking) any open issues this PR addresses
 **Enhancements:**
 Please list any enhancements/features that are not open issue tickets
 **How has this been tested?:**
 Please give an overview of how these changes were tested. If they were not please use N/A
--- a/.gitignore
+++ b/.gitignore
@ -12,7 +12,7 @@ delete*
 ignore*
 test_inv
 # temp remove doc while this is built up
-doc/  
+doc/
 # VSCode
 .vscode
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -33,15 +33,14 @@ repos:
  rev: v1.4.0
  hooks:
  - id: detect-secrets
-    args: ['--baseline', '.config/.secrets.baseline']
+    args: [ '--baseline', '.config/.secrets.baseline' ]
-    exclude: package.lock.json
+    exclude: .config/.gitleaks-report.json
 - repo: https://github.com/gitleaks/gitleaks
  rev: v8.17.0
  hooks:
  - id: gitleaks
-    args: ['--baseline-path','.config/.gitleaks-report.json']
+    args: ['--baseline-path', '.config/.gitleaks-report.json']
 - repo: https://github.com/ansible-community/ansible-lint
  rev: v6.17.2
--- a/README.md
+++ b/README.md
@ -22,7 +22,7 @@
 [![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml)
 [![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml)
-![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits)
+![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits)
 ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues)
 ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success)
--- a/tasks/section_1/cis_1.2.x.yml
+++ b/tasks/section_1/cis_1.2.x.yml
@ -17,7 +17,7 @@
      - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail"
        ansible.builtin.fail:
-            msg: Installed GPG Keys do not meet expected values or keys installed that are not expected
+            msg: Installed GPG Keys do not meet expected values or expected keys are not installed
        when:
            - os_installed_pub_keys.rc == 1 or
              os_gpg_key_check.rc == 1
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@ -486,7 +486,7 @@ rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile
 # 5.5.1
 ## PAM
-rhel9cis_pam_password: 
+rhel9cis_pam_password:
  minlen: {{ rhel9cis_pam_password['minlen'] }}
  minclass: {{ rhel9cis_pam_password['minclass'] }}
 rhel9cis_pam_passwd_retry: "3"
--- a/templates/audit/98_auditd_exception.rules.j2
+++ b/templates/audit/98_auditd_exception.rules.j2
@ -1,10 +1,10 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 ### YOUR CHANGES WILL BE LOST!
 # This file contains users whose actions are not logged by auditd
-{% if rhel9cis_allow_auditd_uid_user_exclusions %} 
+{% if rhel9cis_allow_auditd_uid_user_exclusions %}
 {% for user in rhel9cis_auditd_uid_exclude %}
 -a never,user -F uid!={{ user }} -F auid!={{ user }}
 {% endfor %}
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 ### YOUR CHANGES WILL BE LOST!
--- a/templates/etc/cron.d/aide.cron.j2
+++ b/templates/etc/cron.d/aide.cron.j2
@ -1,6 +1,6 @@
-# Run AIDE integrity check 
+# Run AIDE integrity check
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 ### YOUR CHANGES WILL BE LOST!
 # CIS 1.3.2
--- a/templates/etc/dconf/db/00-automount_lock.j2
+++ b/templates/etc/dconf/db/00-automount_lock.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 # Lock desktop media-handling automount setting
--- a/templates/etc/dconf/db/00-autorun_lock.j2
+++ b/templates/etc/dconf/db/00-autorun_lock.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
-# Lock desktop media-handling settings 
+# Lock desktop media-handling settings
 /org/gnome/desktop/media-handling/autorun-never
--- a/templates/etc/dconf/db/00-media-automount.j2
+++ b/templates/etc/dconf/db/00-media-automount.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 [org/gnome/desktop/media-handling]
--- a/templates/etc/dconf/db/00-media-autorun.j2
+++ b/templates/etc/dconf/db/00-media-autorun.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 [org/gnome/desktop/media-handling]
--- a/templates/etc/dconf/db/00-screensaver.j2
+++ b/templates/etc/dconf/db/00-screensaver.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 # Specify the dconf path
--- a/templates/etc/dconf/db/00-screensaver_lock.j2
+++ b/templates/etc/dconf/db/00-screensaver_lock.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 # Lock desktop screensaver idle-delay setting
--- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2
+++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2
@ -1,5 +1,5 @@
 ## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline 
+# Added as part of ansible-lockdown CIS baseline
 # provided by MindPointGroup LLC
 [org/gnome/login-screen]
--- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2
+++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2
@ -2,6 +2,6 @@
 # IPv6 disable
 {% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %}
-net.ipv6.conf.all.disable_ipv6 = 1 
+net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
 {% endif %}
--- a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2
+++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2
@ -18,4 +18,4 @@ net.ipv6.conf.default.accept_redirects = 0
 net.ipv6.conf.all.accept_ra = 0
 net.ipv6.conf.default.accept_ra = 0
 {% endif %}
-{% endif %}
+{% endif %}