From 671ba154e7a6086d9504935a2dae1cd93a54f7f7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 9 Aug 2024 13:47:38 +0100 Subject: [PATCH] linting updates Signed-off-by: Mark Bolwell --- .ansible-lint | 30 +-- .config/.gitleaks-report.json | 322 -------------------------------- .config/.secrets.baseline | 119 ------------ .config/requirements.txt | 5 - .yamllint | 44 ++--- collections/requirements.yml | 18 +- defaults/main.yml | 26 ++- tasks/main.yml | 32 ++-- tasks/parse_etc_password.yml | 2 +- tasks/section_1/cis_1.6.x.yml | 28 +-- tasks/section_5/cis_5.3.2.x.yml | 3 - tasks/section_6/cis_6.2.3.x.yml | 2 +- vars/main.yml | 1 - 13 files changed, 86 insertions(+), 546 deletions(-) delete mode 100644 .config/.gitleaks-report.json delete mode 100644 .config/.secrets.baseline delete mode 100644 .config/requirements.txt diff --git a/.ansible-lint b/.ansible-lint index b717f67..3090307 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -3,20 +3,20 @@ parseable: true quiet: true skip_list: - - 'schema' - - 'no-changed-when' - - 'var-spacing' - - 'experimental' - - 'name[play]' - - 'name[casing]' - - 'name[template]' - - 'key-order[task]' - - '204' - - '305' - - '303' - - '403' - - '306' - - '602' - - '208' + - 'schema' + - 'no-changed-when' + - 'var-spacing' + - 'experimental' + - 'name[play]' + - 'name[casing]' + - 'name[template]' + - 'key-order[task]' + - '204' + - '305' + - '303' + - '403' + - '306' + - '602' + - '208' use_default_rules: true verbosity: 0 diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json deleted file mode 100644 index fbdde5d..0000000 --- a/.config/.gitleaks-report.json +++ /dev/null 
@@ -1,322 +0,0 @@ -[ - { - "Description": "Generic API Key", - "StartLine": 119, - "EndLine": 119, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\"", - "Secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", - "File": ".secrets.baseline", - "SymlinkFile": "", - "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", - "Entropy": 3.853056, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-07-26T15:51:17Z", - "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:119" - }, - { - "Description": "Generic API Key", - "StartLine": 127, - "EndLine": 127, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"fe96f7cfa2ab2224e7d015067a6f6cc713f7012e\"", - "Secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", - "File": ".secrets.baseline", - "SymlinkFile": "", - "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", - "Entropy": 3.6568441, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-07-26T15:51:17Z", - "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:127" - }, - { - "Description": "Generic API Key", - "StartLine": 135, - "EndLine": 135, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"a415ab5cc17c8c093c015ccdb7e552aee7911aa4\"", - "Secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", - "File": ".secrets.baseline", - "SymlinkFile": "", - "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", - "Entropy": 3.5221736, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-07-26T15:51:17Z", - "Message": "added pre-commit 
files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:135" - }, - { - "Description": "Generic API Key", - "StartLine": 145, - "EndLine": 145, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"2478fefdceefe2847c3aa36dc731aaad5b3cc2fb\"", - "Secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb", - "File": ".secrets.baseline", - "SymlinkFile": "", - "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", - "Entropy": 3.6348295, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-07-26T15:51:17Z", - "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:145" - }, - { - "Description": "Generic API Key", - "StartLine": 153, - "EndLine": 153, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", - "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "File": ".secrets.baseline", - "SymlinkFile": "", - "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", - "Entropy": 3.646039, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-07-26T15:51:17Z", - "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:153" - }, - { - "Description": "Generic API Key", - "StartLine": 163, - "EndLine": 163, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", - "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "File": ".secrets.baseline", - "SymlinkFile": "", - "Commit": 
"495f942b7d26ee82690dc16eb4f231c587a57687", - "Entropy": 3.8439426, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-07-26T15:51:17Z", - "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:163" - }, - { - "Description": "Generic API Key", - "StartLine": 119, - "EndLine": 119, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\"", - "Secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", - "File": ".secrets.baseline", - "SymlinkFile": "", - "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", - "Entropy": 3.853056, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-07-04T16:08:02Z", - "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:119" - }, - { - "Description": "Generic API Key", - "StartLine": 127, - "EndLine": 127, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"fe96f7cfa2ab2224e7d015067a6f6cc713f7012e\"", - "Secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", - "File": ".secrets.baseline", - "SymlinkFile": "", - "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", - "Entropy": 3.6568441, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-07-04T16:08:02Z", - "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:127" - }, - { - "Description": "Generic API Key", - "StartLine": 135, - "EndLine": 135, - "StartColumn": 18, - "EndColumn": 68, - 
"Match": "secret\": \"a415ab5cc17c8c093c015ccdb7e552aee7911aa4\"", - "Secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", - "File": ".secrets.baseline", - "SymlinkFile": "", - "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", - "Entropy": 3.5221736, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-07-04T16:08:02Z", - "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:135" - }, - { - "Description": "Generic API Key", - "StartLine": 145, - "EndLine": 145, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"2478fefdceefe2847c3aa36dc731aaad5b3cc2fb\"", - "Secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb", - "File": ".secrets.baseline", - "SymlinkFile": "", - "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", - "Entropy": 3.6348295, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-07-04T16:08:02Z", - "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:145" - }, - { - "Description": "Generic API Key", - "StartLine": 153, - "EndLine": 153, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", - "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "File": ".secrets.baseline", - "SymlinkFile": "", - "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", - "Entropy": 3.646039, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-07-04T16:08:02Z", - "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": 
"7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:153" - }, - { - "Description": "Generic API Key", - "StartLine": 163, - "EndLine": 163, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", - "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "File": ".secrets.baseline", - "SymlinkFile": "", - "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", - "Entropy": 3.8439426, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-07-04T16:08:02Z", - "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:163" - }, - { - "Description": "Generic API Key", - "StartLine": 3, - "EndLine": 4, - "StartColumn": 9, - "EndColumn": 1, - "Match": "key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec", - "Secret": "gpg-pubkey-8d8b756f-629e59ec", - "File": "vars/OracleLinux.yml", - "SymlinkFile": "", - "Commit": "e04da88df42da0108d489f359513c574fbe5c87a", - "Entropy": 3.96772, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-03-06T11:22:08Z", - "Message": "Added OracleLinux support\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "e04da88df42da0108d489f359513c574fbe5c87a:vars/OracleLinux.yml:generic-api-key:3" - }, - { - "Description": "Generic API Key", - "StartLine": 4, - "EndLine": 5, - "StartColumn": 8, - "EndColumn": 1, - "Match": "key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b", - "Secret": "gpg-pubkey-fd431d51-4ae0493b", - "File": "vars/RedHat.yml", - "SymlinkFile": "", - "Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a", - "Entropy": 3.96772, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2022-07-25T10:26:27Z", - "Message": "1.2.2 rpm gpg key 
check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/RedHat.yml:generic-api-key:4" - }, - { - "Description": "Generic API Key", - "StartLine": 4, - "EndLine": 5, - "StartColumn": 8, - "EndColumn": 1, - "Match": "key_pubkey_name: gpg-pubkey-b86b3716-61e69f29", - "Secret": "gpg-pubkey-b86b3716-61e69f29", - "File": "vars/AlmaLinux.yml", - "SymlinkFile": "", - "Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a", - "Entropy": 3.824863, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2022-07-25T10:26:27Z", - "Message": "1.2.2 rpm gpg key check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/AlmaLinux.yml:generic-api-key:4" - }, - { - "Description": "Generic API Key", - "StartLine": 4, - "EndLine": 5, - "StartColumn": 8, - "EndColumn": 1, - "Match": "key_pubkey_name: gpg-pubkey-350d275d-6279464b", - "Secret": "gpg-pubkey-350d275d-6279464b", - "File": "vars/Rocky.yml", - "SymlinkFile": "", - "Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a", - "Entropy": 3.9946804, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2022-07-25T10:26:27Z", - "Message": "1.2.2 rpm gpg key check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/Rocky.yml:generic-api-key:4" - } -] diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline deleted file mode 100644 index 7707be7..0000000 --- a/.config/.secrets.baseline +++ /dev/null 
@@ -1,119 +0,0 @@ -{ - "version": "1.4.0", - "plugins_used": [ - { - "name": "ArtifactoryDetector" - }, - { - "name": "AWSKeyDetector" - }, - { - "name": "AzureStorageKeyDetector" - }, - { - "name": "Base64HighEntropyString", - "limit": 4.5 - }, - { - "name": "BasicAuthDetector" - }, - { - "name": "CloudantDetector" - }, - { - "name": "DiscordBotTokenDetector" - }, - { - "name": "GitHubTokenDetector" - }, - { - "name": "HexHighEntropyString", - "limit": 3.0 - }, - { - "name": "IbmCloudIamDetector" - }, - { - "name": "IbmCosHmacDetector" - }, - { - "name": "JwtTokenDetector" - }, - { - "name": "KeywordDetector", - "keyword_exclude": "" - }, - { - "name": "MailchimpDetector" - }, - { - "name": "NpmDetector" - }, - { - "name": "PrivateKeyDetector" - }, - { - "name": "SendGridDetector" - }, - { - "name": "SlackDetector" - }, - { - "name": "SoftlayerDetector" - }, - { - "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TwilioKeyDetector" - } - ], - "filters_used": [ - { - "path": "detect_secrets.filters.allowlist.is_line_allowlisted" - }, - { - "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", - "min_level": 2 - }, - { - "path": "detect_secrets.filters.heuristic.is_indirect_reference" - }, - { - "path": "detect_secrets.filters.heuristic.is_likely_id_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_lock_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_potential_uuid" - }, - { - "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" - }, - { - "path": "detect_secrets.filters.heuristic.is_sequential_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_swagger_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_templated_secret" - }, - { - "path": "detect_secrets.filters.regex.should_exclude_file", - "pattern": [ - ".config/.gitleaks-report.json", - 
"tasks/parse_etc_password.yml" - ] - } - ], - "results": {}, - "generated_at": "2023-09-21T14:11:05Z" -} diff --git a/.config/requirements.txt b/.config/requirements.txt deleted file mode 100644 index 52cb84d..0000000 --- a/.config/requirements.txt +++ /dev/null @@ -1,5 +0,0 @@ -passlib -lxml -xmltodict -jmespath -yamllint diff --git a/.yamllint b/.yamllint index 27d8aee..ec2d1cd 100644 --- a/.yamllint +++ b/.yamllint @@ -9,25 +9,25 @@ ignore: | *molecule.yml rules: - indentation: - # Requiring 4 space indentation - spaces: 2 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent - braces: - max-spaces-inside: 1 - level: error - brackets: - max-spaces-inside: 1 - level: error - empty-lines: - max: 1 - line-length: disable - key-duplicates: enable - new-line-at-end-of-file: enable - new-lines: - type: unix - trailing-spaces: enable - truthy: - allowed-values: ['true', 'false'] - check-keys: true + indentation: + # Requiring 4 space indentation + spaces: 2 + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + empty-lines: + max: 1 + line-length: disable + key-duplicates: enable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: true diff --git a/collections/requirements.yml b/collections/requirements.yml index 8ebc618..810c9af 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml 
@@ -1,14 +1,14 @@ --- collections: - - name: community.general - source: https://github.com/ansible-collections/community.general - type: git + - name: community.general + source: https://github.com/ansible-collections/community.general + type: git - - name: community.crypto - source: https://github.com/ansible-collections/community.crypto - type: git + - name: community.crypto + source: https://github.com/ansible-collections/community.crypto + type: git - - name: ansible.posix - source: https://github.com/ansible-collections/ansible.posix - type: git + - name: ansible.posix + source: https://github.com/ansible-collections/ansible.posix + type: git diff --git a/defaults/main.yml b/defaults/main.yml index ba6ccd3..c524a55 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -858,10 +858,9 @@ rhel9cis_allow_authselect_updates: true ## rhel9cis_authselect_pkg_update: false # NOTE the risks if system is using SSSD or using ipa-client-install - ## PAM AND Authselect -# To create a new profile (best for greenfield fresh sites not configured) +# To create a new profile (best for greenfield fresh sites not configured) # This allows creation of a custom profile using an existing one to build from # will only create if profiel does not already exist ## options true or false @@ -914,9 +913,9 @@ rhel9cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf # Choose if using minclass or credits options # Options are: minclass or credits # ensure only one is selected -rhel9cis_passwd_complex_option: minclass +rhel9cis_passwd_complex_option: minclass # pragma: allowlist secret rhel9cis_passwd_minclass: 3 -#rhel9cis_passwd_complex: credits +# rhel9cis_passwd_complex: credits rhel9cis_passwd_dcredit: -1 rhel9cis_passwd_ucredit: -2 rhel9cis_passwd_ocredit: 0 
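Review bot: Each collection entry is still fetched from a GitHub `type: git` source with no `version:` (tag or commit), so every `ansible-galaxy collection install -r` pulls whatever the default branch holds at that moment; for a CIS hardening role that runs as root on every managed host, that is an unpinned supply-chain dependency. Add a pinned `version:` under each `- name:` entry (a release tag or a full commit SHA), or switch to the Galaxy source with a pinned version, so installs are reproducible and auditable. This applies to all three entries in the hunk; the re-indentation itself is fine.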
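Review bot: The re-commented alternative `# rhel9cis_passwd_complex: credits` names a different variable from the active `rhel9cis_passwd_complex_option: minclass`, so a user who uncomments it to switch to credits sets an unused key and silently keeps minclass; it should read `# rhel9cis_passwd_complex_option: credits`. The `# pragma: allowlist secret` added on the minclass line is a detect-secrets directive, and this same commit deletes `.config/.secrets.baseline`, so confirm that detect-secrets still runs from a pre-commit config not shown here, otherwise the pragma is dead text. If it does still run, `minclass` is a pwquality keyword rather than a secret and the allowlist is appropriate; yamllint's `comments` rule wants two spaces before an inline `#`, which cannot be verified from the collapsed whitespace here.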
@@ -950,18 +949,17 @@ rhel9cis_pamd_pwhistory_remember: 24 # 5.3.3.4.x rhel9cis_passwd_hash_algo: sha512 # pragma: allowlist secret -## Section 5.4.1.x: Shadow Password Suite Parameters - ## Control 5.6.1.1 - Ensure password expiration is 365 days or less - # This variable governs after how many days a password expires. - # CIS requires a value of 365 or less. +## Control 5.6.1.1 - Ensure password expiration is 365 days or less +# This variable governs after how many days a password expires. +# CIS requires a value of 365 or less. rhel9cis_pass_max_days: 365 - ## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more - # This variable specifies the minimum number of days allowed between changing - # passwords. CIS requires a value of at least 1. +## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more +# This variable specifies the minimum number of days allowed between changing +# passwords. CIS requires a value of at least 1. rhel9cis_pass_min_days: 7 - ## Control 5.6.1.3 - Ensure password expiration warning days is 7 or more - # This variable governs, how many days before a password expires, the user will be warned. - # CIS requires a value of at least 7. +## Control 5.6.1.3 - Ensure password expiration warning days is 7 or more +# This variable governs, how many days before a password expires, the user will be warned. +# CIS requires a value of at least 7. rhel9cis_pass_warn_age: 7 ## Control 5.4.1.x - Ensure inactive password lock is 30 days or less diff --git a/tasks/main.yml b/tasks/main.yml index 8e283e0..1dd529e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
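Review bot: The re-indented comment `# CIS requires a value of at least 1.` under `## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more` contradicts its own heading and the default `rhel9cis_pass_min_days: 7`; it should say `# CIS requires a value of at least 7.` or cite the benchmark's actual minimum. The three headings still reference controls 5.6.1.x while the removed `## Section 5.4.1.x: Shadow Password Suite Parameters` heading and the following `## Control 5.4.1.x - Ensure inactive password lock` use 5.4.1.x, so the control numbers should be made consistent rather than only re-indented. Dropping the section heading also removes the only line that grouped these three variables; consider keeping `## Section 5.4.1.x: Shadow Password Suite Parameters` above them.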
@@ -114,26 +114,26 @@ - name: "PRELIM | AUDIT | Check authselect profile is selected" when: - - rhel9cis_allow_authselect_updates + - rhel9cis_allow_authselect_updates tags: - - always + - always block: - - name: "PRELIM | AUDIT | Check authselect profile name has been updated" - ansible.builtin.assert: - that: rhel9cis_authselect_custom_profile_name != 'cis_example_profile' - fail_msg: "You still have the default name for your authselect profile" + - name: "PRELIM | AUDIT | Check authselect profile name has been updated" + ansible.builtin.assert: + that: rhel9cis_authselect_custom_profile_name != 'cis_example_profile' + fail_msg: "You still have the default name for your authselect profile" - - name: "PRELIM | AUDIT | Check authselect profile is selected" - ansible.builtin.shell: authselect current | head -1 | awk '{print $NF}' - changed_when: false - failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ] - register: prelim_authselect_current_profile + - name: "PRELIM | AUDIT | Check authselect profile is selected" + ansible.builtin.shell: authselect current | head -1 | awk '{print $NF}' + changed_when: false + failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ] + register: prelim_authselect_current_profile - - name: "PRELIM | AUDIT | Check authselect profile is selected" - ansible.builtin.assert: - that: prelim_authselect_current_profile is defined - success_msg: "Authselect is running and profile is selected" - fail_msg: Authselect updates have been selected there are issues with profile selection" + - name: "PRELIM | AUDIT | Check authselect profile is selected" + ansible.builtin.assert: + that: prelim_authselect_current_profile is defined + success_msg: "Authselect is running and profile is selected" + fail_msg: Authselect updates have been selected there are issues with profile selection" - name: "Ensure root password is set" when: diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index e16f8b9..8270b5a 100644 
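Review bot: The re-indented `fail_msg: Authselect updates have been selected there are issues with profile selection"` is missing its opening quote, so the trailing `"` becomes part of the message; a lint-focused commit should fix it to `fail_msg: "Authselect updates have been selected there are issues with profile selection"`. The assertion `that: prelim_authselect_current_profile is defined` is always true, because `register` defines the variable whatever the command returned, so this block never fails when no profile is selected; asserting on `prelim_authselect_current_profile.rc == 0` (or a non-empty `stdout`) would check what the task name claims. Relatedly, `authselect current | head -1 | awk '{print $NF}'` runs without `pipefail`, so `.rc` reflects awk's exit status rather than authselect's, and the `failed_when: ... not in [ 0, 1 ]` guard is unlikely ever to trip.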
--- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -17,7 +17,7 @@ vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) - ld_passwd_yaml: | + ld_passwd_yaml: | # pragma: allowlist secret id: >-4 \g password: >-4 diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index f0798e9..f497f15 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -55,12 +55,12 @@ owner: root group: root mode: '0640' - register: NO_SHA1_TEMPLATE + register: no_sha1_template - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | submodule to crypto policy modules" ansible.builtin.set_fact: rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SHA1' }}" - changed_when: NO_SHA1_TEMPLATE is defined + changed_when: no_sha1_template is defined notify: - Update Crypto Policy - Set Crypto Policy @@ -79,8 +79,6 @@ - NIST800-53R5_SC-6 block: - - ansible.builtin.debug: - msg: "{{ rhel9cis_crypto_policy_module }}" - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | Add submodule exclusion" ansible.builtin.template: src: etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2 @@ -88,12 +86,12 @@ owner: root group: root mode: '0640' - register: NO_WEAKMAC_TEMPLATE + register: no_weakmac_template - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | submodule to crypto policy modules" ansible.builtin.set_fact: rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-WEAKMAC' }}" - changed_when: NO_WEAKMAC_TEMPLATE is defined + changed_when: no_weakmac_template is defined notify: - Update Crypto Policy - Set Crypto Policy 
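Review bot: The `# pragma: allowlist secret` added to `ld_passwd_yaml: |` only allowlists that one line, whereas the deleted `.config/.secrets.baseline` excluded the whole file `tasks/parse_etc_password.yml` from detect-secrets; the `password: >-4` line inside the block scalar still carries the keyword the KeywordDetector matches on, so the scan may now flag it unless detect-secrets is no longer run at all. Confirm whether a pre-commit hook still invokes detect-secrets; if it does, either restore a file-level exclusion or move the pragma onto the line that actually trips the detector. The `vars:` block this hunk sits in starts before the hunk.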
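Review bot: The renamed `changed_when: no_sha1_template is defined` is always true, because a registered variable is defined whether or not the template task changed anything, so the set_fact reports changed and notifies the Update/Set Crypto Policy handlers on every run; it should be `changed_when: no_sha1_template is changed`, and the same applies to the `no_weakmac_template`, `no_sshcbc_template`, `no_sshweakciphers_template` and `no_sshetm_template` counterparts in the later hunks of this file. The lowercase renames themselves are fine. If the intent really is to re-apply the crypto policy on every run, state that in a comment above the task rather than relying on a condition that cannot be false.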
@@ -111,8 +109,6 @@ - rule_1.6.5 - NIST800-53R5_SC-6 block: - - ansible.builtin.debug: - msg: "{{ rhel9cis_crypto_policy_module }}" - name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | Add submodule exclusion" ansible.builtin.template: src: etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2 @@ -120,12 +116,12 @@ owner: root group: root mode: '0640' - register: NO_SSHCBC_TEMPLATE + register: no_sshcbc_template - name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | submodule to crypto policy modules" ansible.builtin.set_fact: rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHCBC' }}" - changed_when: NO_SSHCBC_TEMPLATE is defined + changed_when: no_sshcbc_template is defined notify: - Update Crypto Policy - Set Crypto Policy @@ -143,8 +139,6 @@ - rule_1.6.6 - NIST800-53R5_SC-6 block: - - ansible.builtin.debug: - msg: "{{ rhel9cis_crypto_policy_module }}" - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion" ansible.builtin.template: src: etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 @@ -152,12 +146,12 @@ owner: root group: root mode: '0640' - register: NO_SSHWEAKCIPHERS_TEMPLATE + register: no_sshweakciphers_template - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules" ansible.builtin.set_fact: rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKCIPHERS' }}" - changed_when: NO_SSHWEAKCIPHERS_TEMPLATE is defined + changed_when: no_sshweakciphers_template is defined notify: - Update Crypto Policy - Set Crypto Policy 
@@ -175,8 +169,6 @@ - rule_1.6.7 - NIST800-53R5_SC-6 block: - - ansible.builtin.debug: - msg: "{{ rhel9cis_crypto_policy_module }}" - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | Add submodule exclusion" ansible.builtin.template: src: etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2 @@ -184,12 +176,12 @@ owner: root group: root mode: '0640' - register: NO_SSHETM_TEMPLATE + register: no_sshetm_template - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | submodule to crypto policy modules" ansible.builtin.set_fact: rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHETM' }}" - changed_when: NO_SSHETM_TEMPLATE is defined + changed_when: no_sshetm_template is defined notify: - Update Crypto Policy - Set Crypto Policy diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index 571cb70..c9a7559 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml @@ -139,9 +139,6 @@ failed_when: rhel9cis_authselect_pam_unix.rc not in [ 0, 1 ] register: rhel9cis_authselect_pam_unix - - debug: - msg: "{{ rhel9cis_authselect_pam_unix }}" - - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | system-auth" when: "'system-auth:password' not in rhel9cis_authselect_pam_unix.stdout" ansible.builtin.lineinfile: diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml index 86cef8a..4274429 100644 --- a/tasks/section_6/cis_6.2.3.x.yml +++ b/tasks/section_6/cis_6.2.3.x.yml @@ -263,7 +263,7 @@ - name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf" ansible.builtin.template: src: etc/logrotate.d/rsyslog.conf.j2 - dest: /etc/logrotate.d/rsyslog.conf + dest: /etc/logrotate.d/rsyslog.conf owner: root group: root mode: '0640' diff --git a/vars/main.yml b/vars/main.yml index 49c84ba..ec72d0b 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -29,7 +29,6 @@ gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys" # NOTE: The current default value is likely to be overriden(via 'set_fact') by other further tasks(in sub-section 'Auditd rules'). update_audit_template: false - # Defaults ## Usage on containerized images # The role discovers dynamically (in tasks/main.yml) whether it