Merge pull request #44 from ansible-lockdown/march_updates

March updates

.yamllint

@@ -20,6 +20,8 @@ rules:
     brackets:
         max-spaces-inside: 1
         level: error
+    empty-lines:
+        max: 1
     line-length: disable
     key-duplicates: enable
     new-line-at-end-of-file: enable

Changelog.md

@@ -1,5 +1,12 @@
 # Changes to rhel9CIS
 
+## 1.0.5
+
+updated yamllint
+removed empty lines after lint
+initial molecule added
+galaxy workflow updated
+
 ## 1.0.4
 
 #40 tmp systemd file variable naming update

defaults/main.yml

@@ -343,7 +343,6 @@ rhel9cis_rule_6_2_14: true
 rhel9cis_rule_6_2_15: true
 rhel9cis_rule_6_2_16: true
 
-
 ## Section 1 vars
 
 #### 1.1.2
@@ -413,7 +412,6 @@ rhel9cis_selinux_enforce: enforcing
 
 ## 2. Services
 
-
 ### 2.1 Time Synchronization
 #### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2
 rhel9cis_time_synchronization_servers:
@@ -461,7 +459,6 @@ rhel9cis_openldap_clients_required: false
 rhel9cis_tftp_client: false
 rhel9cis_ftp_client: false
 
-
 ## Section3 vars
 ## Sysctl
 rhel9cis_sysctl_update: false
@@ -478,7 +475,6 @@ rhel9cis_firewall: firewalld
 ##### firewalld
 rhel9cis_default_zone: public
 
-
 # These are added to demonstrate how this can be done
 rhel9cis_firewalld_ports:
     - number: 80
@@ -514,7 +510,6 @@ update_audit_template: false
 ## Advanced option found in auditd post
 rhel9cis_allow_auditd_uid_user_exclusions: false
 
-
 # This can be used to configure other keys in auditd.conf
 rhel9cis_auditd_extra_conf: {}
 # Example:
@@ -535,7 +530,6 @@ rhel9cis_remote_log_protocol: tcp
 rhel9cis_remote_log_retrycount: 100
 rhel9cis_remote_log_queuesize: 1000
 
-
 #### 4.2.1.7
 rhel9cis_system_is_log_server: false
 
@@ -584,7 +578,6 @@ rhel9cis_ssh_maxsessions: 4
 rhel9cis_inactivelock:
     lock_days: 30
 
-
 rhel9cis_use_authconfig: false
 # 5.3.1/5.3.2 Custom authselect profile settings. Settings in place now will fail, they are place holders from the control example
 # Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk
@@ -599,7 +592,6 @@ rhel9cis_authselect_custom_profile_create: false
 # 5.3.2 Enable automation to select custom profile options, using the settings above
 rhel9cis_authselect_custom_profile_select: false
 
-
 rhel9cis_pass:
     max_days: 365
     min_days: 7
@@ -648,7 +640,6 @@ rhel9cis_futurepwchgdate_autofix: true
 # 5.3.7
 rhel9cis_sugroup: nosugroup
 
-
 ## Section6 vars
 
 # RHEL-09_6.1.1
@@ -669,7 +660,6 @@ audit_run_script_environment:
     AUDIT_FILE: 'goss.yml'
     AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
 
-
 ### Goss binary settings ###
 goss_version:
     release: v0.3.21

molecule/default/converge.yml

@@ -0,0 +1,27 @@
+---
+# This is a playbook to test the tasks.
+- name: Converge
+  hosts: all
+  gather_facts: true
+
+  vars:
+    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+    ansible_user: root
+    system_is_container: true
+    rhel9cis_selinux_disable: true
+    rhel9cis_rule_5_3_4: false
+    rhel9cis_rule_1_1_10: false
+    rhel9cis_firewall: "none"
+    rhel9cis_rule_4_1_1_1: false
+    rhel9cis_rule_4_1_1_2: false
+    rhel9cis_rule_4_1_1_3: false
+    rhel9cis_rule_4_1_1_4: false
+    rhel9cis_rule_4_2_1_2: false
+    rhel9cis_rule_4_2_1_4: false
+    rhel9cis_rule_5_1_1: false
+
+  pre_tasks:
+  tasks:
+    - name: "Include tasks"
+      ansible.builtin.include_role:
+        name: "{{ role_name }}"

molecule/default/molecule.yml

@@ -0,0 +1,34 @@
+---
+# Molecule configuration
+# https://molecule.readthedocs.io/en/latest/
+
+driver:
+  name: docker
+
+platforms:
+  - name: ubi9
+    image: registry.access.redhat.com/ubi9/ubi-init
+    pre_build_image: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    command: "/usr/sbin/init"
+    capabilities:
+      - SYS_ADMIN
+
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+      callbacks_enabled: profile_tasks, timer
+
+lint: |
+  set -e
+  yamllint .
+  ansible-lint
+  flake8
+
+verifier:
+  name: ansible
+

molecule/default/verify.yml

@@ -0,0 +1,13 @@
+---
+- name: Verify
+  hosts: all
+  gather_facts: false
+
+  vars:
+    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+
+  tasks:
+    - name: "Include verify tasks"
+      ansible.builtin.include_role:
+        name: "{{ role_name }}"
+        tasks_from: verify

molecule/localhost/converge.yml

@@ -0,0 +1,18 @@
+---
+# This is a playbook to test the tasks.
+- name: Converge
+  hosts: all
+  become: true
+  gather_facts: true
+
+  vars:
+    ansible_user: "{{ lookup('env', 'USER') }}"
+    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+    rhel9cis_rule_5_3_4: false
+
+  pre_tasks:
+  tasks:
+    - name: "Include tasks"
+      ansible.builtin.include_role:
+        name: "{{ role_name }}"
+

molecule/localhost/molecule.yml

@@ -0,0 +1,30 @@
+---
+# Molecule configuration
+# https://molecule.readthedocs.io/en/latest/
+
+driver:
+  name: delegated
+  options:
+    managed: false
+    ansible_connection_options:
+      ansible_connection: local
+platforms:
+  - name: localhost
+
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+      stdout_callback: yaml
+      callbacks_enabled: profile_tasks, timer
+
+lint: |
+  set -e
+  yamllint .
+  ansible-lint
+  flake8
+
+verifier:
+  name: ansible
+

molecule/localhost/verify.yml

@@ -0,0 +1,14 @@
+---
+- name: Verify
+  hosts: all
+  gather_facts: false
+  become: true
+
+  vars:
+    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+
+  tasks:
+    - name: "Include verify tasks"
+      ansible.builtin.include_role:
+        name: "{{ role_name }}"
+        tasks_from: verify

molecule/wsl/converge.yml

@@ -0,0 +1,27 @@
+---
+# This is a playbook to test the tasks.
+- name: Converge
+  hosts: all
+  become: true
+  gather_facts: true
+
+  vars:
+    ansible_user: "{{ lookup('env', 'USER') }}"
+    system_is_container: true
+    rhel8cis_selinux_disable: true
+    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+    rhel8cis_rule_5_3_4: false
+    rhel8cis_rule_1_1_10: false
+    rhel8cis_rsyslog_ansiblemanaged: false
+    rhel8cis_rule_3_4_1_3: false
+    rhel8cis_rule_3_4_1_4: false
+    rhel8cis_rule_4_2_1_2: false
+    rhel8cis_rule_4_2_1_4: false
+    rhel8cis_rule_5_1_1: false
+
+  pre_tasks:
+  tasks:
+    - name: "Include tasks"
+      ansible.builtin.include_role:
+        name: "{{ role_name }}"
+

molecule/wsl/molecule.yml

@@ -0,0 +1,29 @@
+---
+# Molecule configuration
+# https://molecule.readthedocs.io/en/latest/
+
+driver:
+  name: delegated
+  options:
+    managed: false
+    ansible_connection_options:
+      ansible_connection: local
+platforms:
+  - name: localhost
+
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      interpreter_python: auto_silent
+      callbacks_enabled: profile_tasks, timer
+
+lint: |
+  set -e
+  yamllint .
+  ansible-lint
+  flake8
+
+verifier:
+  name: ansible
+

molecule/wsl/verify.yml

@@ -0,0 +1,13 @@
+---
+- name: Verify
+  hosts: all
+  gather_facts: false
+
+  vars:
+    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+
+  tasks:
+    - name: "Include verify tasks"
+      ansible.builtin.include_role:
+        name: "{{ role_name }}"
+        tasks_from: verify

tasks/main.yml

@@ -102,7 +102,6 @@
   tags:
       - always
 
-
 - name: Gather the package facts
   ansible.builtin.package_facts:
       manager: auto

tasks/section_2/cis_2.2.x.yml

@@ -1,6 +1,5 @@
 ---
 
-
 - name: "2.2.1 | PATCH | Ensure xorg-x11-server-common is not installed"
   ansible.builtin.package:
       name: xorg-x11-server-common

tasks/section_3/cis_3.4.2.x.yml

@@ -157,7 +157,6 @@
       - nftables
       - rule_3.4.2.4
 
-
 - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | firewalld"
   ansible.posix.firewalld:
       rich_rule: "{{ item }}"

vars/is_container.yml

@@ -6,14 +6,12 @@
 
 ## controls
 
-
 # Firewall
 rhel9cis_firewall: None
 
 # SElinux
 rhel9cis_selinux_disable: true
 
-
 ## Related individual rules
 # Aide
 rhel9cis_rule_1_4_1: false
@@ -42,7 +40,6 @@ rhel9cis_rule_5_1_8: false
 # crypto
 rhel9cis_rule_1_10: false
 
-
 # grub
 rhel9cis_rule_1_5_1: false
 rhel9cis_rule_1_5_2: false
@@ -88,6 +85,5 @@ rhel9cis_rule_4_2_2_3: false
 
 # systemd
 
-
 # Users/passwords/accounts
 rhel9cis_rule_5_5_2: false