Merge pull request #308 from ansible-lockdown/devel

Final main release v1r13 - Jan24 -updated

.ansible-lint

@@ -19,4 +19,6 @@ skip_list:
     - '602'
     - '208'
 use_default_rules: true
+rulesdir:
+    - ./rules/
 verbosity: 0

.pre-commit-config.yaml

@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.6.0
+  rev: v5.0.0
   hooks:
   # Safety
   - id: detect-aws-credentials
@@ -35,12 +35,12 @@ repos:
   - id: detect-secrets
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.18.4
+  rev: v8.21.1
   hooks:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.7.0
+  rev: v24.9.2
   hooks:
   - id: ansible-lint
     name: Ansible-lint

README.md

@@ -58,9 +58,9 @@ This contains rewrites and ID reference changes as per STIG documentation.
 
 This can be turned on or off within the defaults/main.yml file with the variable rhel7cis_run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role.
 
-This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings.
+This is a quick, very lightweight, check (where possible) of config compliance and live/running settings.
 
-A new form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling.
+A form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling.
 This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process.
 
 ## Documentation
@@ -83,9 +83,8 @@ The following packages must be installed on the controlling host/host where ansi
 
 - python2-passlib (or just passlib, if using python3)
 - python-lxml
-- python-xmltodict
 
-Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible.
+Packages python(2)-passlib are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible.
 
 ## Role Variables
 

handlers/main.yml

@@ -174,13 +174,3 @@
   when:
       - "'dconf' in ansible_facts.packages"
       - rhel8stig_always_configure_dconf
-
-- name: prereport score
-  ansible.builtin.debug:
-      msg: "Pre-run OpenSCAP score is {{ rhel8stig_prescanresults.Benchmark.TestResult.score['#text'] }}"
-  when: rhel8stig_oscap_scan
-
-- name: postreport score
-  ansible.builtin.debug:
-      msg: "Post-run OpenSCAP score is {{ rhel8stig_postscanresults.Benchmark.TestResult.score['#text'] }}"
-  when: rhel8stig_oscap_scan

requirements.txt

@@ -1,5 +1,4 @@
 passlib
 lxml
-xmltodict
 jmespath
 yamllint

rules/tag.py

@@ -0,0 +1,63 @@
+"""Implementation of TagRule."""
+
+from __future__ import annotations
+
+import re
+from typing import TYPE_CHECKING
+
+from ansiblelint.constants import LINE_NUMBER_KEY
+from ansiblelint.file_utils import Lintable
+from ansiblelint.rules import AnsibleLintRule, TransformMixin
+
+if TYPE_CHECKING:
+    from ansiblelint.errors import MatchError
+    from ansiblelint.utils import Task
+
+
+class TagRule(AnsibleLintRule, TransformMixin):
+    """Rule for checking task tags."""
+
+    id = "tag"
+    description = (
+        "All task tags should have distinct names"
+        "and templates in tags should be avoided."
+    )
+    severity = "MEDIUM"
+    tags = ["idiom"]
+    _re_templated = re.compile(r"^.*\{\{.*\}\}.*$")
+    _ids = {
+        "tag[no-duplicate]": "Tasks should not duplicate tags.",
+        "tag[no-template]": "Tasks should not use Jinja templates in tags.",
+    }
+
+    def matchtask(
+        self,
+        task: Task,
+        file: Lintable | None = None,
+    ) -> list[MatchError]:
+        results: list[MatchError] = []
+        if file and file.failed():
+            return results
+        tags = task.get("tags")
+        if tags:
+            if len(tags) != len(set(tags)):
+                results.append(
+                    self.create_matcherror(
+                        message="Tasks should not duplicate tags.",
+                        lineno=task[LINE_NUMBER_KEY],
+                        tag="tag[no-duplicate]",
+                        filename=file,
+                    ),
+                )
+            for tag in tags:
+                if self._re_templated.match(tag):
+                    results.append(
+                        self.create_matcherror(
+                            message="Tasks should not use Jinja templates in tags.",
+                            lineno=task[LINE_NUMBER_KEY],
+                            tag="tag[no-template]",
+                            filename=file,
+                        ),
+                    )
+                    break
+        return results

tasks/fix-cat2.yml

@@ -2733,7 +2733,6 @@
   tags:
       - RHEL-08-010830
       - CAT2
-      - V-230330
       - CCI-000366
       - SRG-OS-000480-GPOS-00229
       - SV-230330r858713_rule
@@ -5973,7 +5972,8 @@
       - SV-230505r744020_rule
       - V-230505
       - firewall
-      - "{{ rhel8stig_firewall_service }}"
+      - iptables
+      - firewalld
 
 - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8"
   block: