diff --git a/.ansible-lint b/.ansible-lint index b717f678..44e65894 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -19,4 +19,6 @@ skip_list: - '602' - '208' use_default_rules: true +rulesdir: + - ./rules/ verbosity: 0 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e3bd1700..8f807963 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 + rev: v5.0.0 hooks: # Safety - id: detect-aws-credentials @@ -35,12 +35,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.4 + rev: v8.21.1 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.7.0 + rev: v24.9.2 hooks: - id: ansible-lint name: Ansible-lint diff --git a/README.md b/README.md index 68ea0150..07f0f5fa 100644 --- a/README.md +++ b/README.md @@ -58,9 +58,9 @@ This contains rewrites and ID reference changes as per STIG documentation. This can be turned on or off within the defaults/main.yml file with the variable rhel7cis_run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. -This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings. +This is a quick, very lightweight, check (where possible) of config compliance and live/running settings. -A new form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. +A form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. ## Documentation @@ -83,9 +83,8 @@ The following packages must be installed on the controlling host/host where ansi - python2-passlib (or just passlib, if using python3) - python-lxml -- python-xmltodict -Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible. +Packages python(2)-passlib are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible. ## Role Variables diff --git a/filter_plugins/xml2json.py b/filter_plugins/xml2json.py deleted file mode 100644 index a0738ee7..00000000 --- a/filter_plugins/xml2json.py +++ /dev/null @@ -1,10 +0,0 @@ -class FilterModule(object): - - def filters(self): - return { - 'xml2json': self.xml2json, - } - - def xml2json(self, value): - import xmltodict, json - return json.dumps(xmltodict.parse(value)) diff --git a/handlers/main.yml b/handlers/main.yml index 9b8b7db1..d958d250 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -174,13 +174,3 @@ when: - "'dconf' in ansible_facts.packages" - rhel8stig_always_configure_dconf - -- name: prereport score - ansible.builtin.debug: - msg: "Pre-run OpenSCAP score is {{ rhel8stig_prescanresults.Benchmark.TestResult.score['#text'] }}" - when: rhel8stig_oscap_scan - -- name: postreport score - ansible.builtin.debug: - msg: "Post-run OpenSCAP score is {{ rhel8stig_postscanresults.Benchmark.TestResult.score['#text'] }}" - when: rhel8stig_oscap_scan diff --git a/requirements.txt b/requirements.txt index 52cb84d2..f313617a 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,4 @@ passlib lxml -xmltodict jmespath yamllint diff --git a/rules/tag.py b/rules/tag.py new file mode 100644 index 00000000..1208011d --- /dev/null +++ b/rules/tag.py @@ -0,0 +1,63 @@ +"""Implementation of TagRule.""" + +from __future__ import annotations + +import re +from typing import TYPE_CHECKING + +from ansiblelint.constants import LINE_NUMBER_KEY +from ansiblelint.file_utils import Lintable +from ansiblelint.rules import AnsibleLintRule, TransformMixin + +if TYPE_CHECKING: + from ansiblelint.errors import MatchError + from ansiblelint.utils import Task + + +class TagRule(AnsibleLintRule, TransformMixin): + """Rule for checking task tags.""" + + id = "tag" + description = ( + "All task tags should have distinct names" + "and templates in tags should be avoided." + ) + severity = "MEDIUM" + tags = ["idiom"] + _re_templated = re.compile(r"^.*\{\{.*\}\}.*$") + _ids = { + "tag[no-duplicate]": "Tasks should not duplicate tags.", + "tag[no-template]": "Tasks should not use Jinja templates in tags.", + } + + def matchtask( + self, + task: Task, + file: Lintable | None = None, + ) -> list[MatchError]: + results: list[MatchError] = [] + if file and file.failed(): + return results + tags = task.get("tags") + if tags: + if len(tags) != len(set(tags)): + results.append( + self.create_matcherror( + message="Tasks should not duplicate tags.", + lineno=task[LINE_NUMBER_KEY], + tag="tag[no-duplicate]", + filename=file, + ), + ) + for tag in tags: + if self._re_templated.match(tag): + results.append( + self.create_matcherror( + message="Tasks should not use Jinja templates in tags.", + lineno=task[LINE_NUMBER_KEY], + tag="tag[no-template]", + filename=file, + ), + ) + break + return results diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index ec4bce82..089e8129 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2733,7 +2733,6 @@ tags: - RHEL-08-010830 - CAT2 - - V-230330 - CCI-000366 - SRG-OS-000480-GPOS-00229 - SV-230330r858713_rule @@ -5973,7 +5972,8 @@ - SV-230505r744020_rule - V-230505 - firewall - - "{{ rhel8stig_firewall_service }}" + - iptables + - firewalld - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8" block: