From 8300f11edd0d25fb5fbdb90dae57352de9d86943 Mon Sep 17 00:00:00 2001 From: William Panlener Date: Thu, 15 Aug 2024 23:35:24 -0500 Subject: [PATCH 1/6] Remove remnants of removed openscap scanning feature Signed-off-by: William Panlener --- README.md | 7 +++---- filter_plugins/xml2json.py | 10 ---------- handlers/main.yml | 10 ---------- requirements.txt | 1 - 4 files changed, 3 insertions(+), 25 deletions(-) delete mode 100644 filter_plugins/xml2json.py diff --git a/README.md b/README.md index 68ea0150..07f0f5fa 100644 --- a/README.md +++ b/README.md @@ -58,9 +58,9 @@ This contains rewrites and ID reference changes as per STIG documentation. This can be turned on or off within the defaults/main.yml file with the variable rhel7cis_run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. -This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings. +This is a quick, very lightweight, check (where possible) of config compliance and live/running settings. -A new form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. +A form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. ## Documentation @@ -83,9 +83,8 @@ The following packages must be installed on the controlling host/host where ansi - python2-passlib (or just passlib, if using python3) - python-lxml -- python-xmltodict -Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible. +Packages python(2)-passlib are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible. ## Role Variables diff --git a/filter_plugins/xml2json.py b/filter_plugins/xml2json.py deleted file mode 100644 index a0738ee7..00000000 --- a/filter_plugins/xml2json.py +++ /dev/null @@ -1,10 +0,0 @@ -class FilterModule(object): - - def filters(self): - return { - 'xml2json': self.xml2json, - } - - def xml2json(self, value): - import xmltodict, json - return json.dumps(xmltodict.parse(value)) diff --git a/handlers/main.yml b/handlers/main.yml index 9b8b7db1..d958d250 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -174,13 +174,3 @@ when: - "'dconf' in ansible_facts.packages" - rhel8stig_always_configure_dconf - -- name: prereport score - ansible.builtin.debug: - msg: "Pre-run OpenSCAP score is {{ rhel8stig_prescanresults.Benchmark.TestResult.score['#text'] }}" - when: rhel8stig_oscap_scan - -- name: postreport score - ansible.builtin.debug: - msg: "Post-run OpenSCAP score is {{ rhel8stig_postscanresults.Benchmark.TestResult.score['#text'] }}" - when: rhel8stig_oscap_scan diff --git a/requirements.txt b/requirements.txt index 52cb84d2..f313617a 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,4 @@ passlib lxml -xmltodict jmespath yamllint From 006d294453c9e905e9fe3ca1e5364902c5b14079 Mon Sep 17 00:00:00 2001 From: William Panlener Date: Sun, 18 Aug 2024 17:48:39 -0500 Subject: [PATCH 2/6] Remove duplicate and templated task tags Signed-off-by: William Panlener --- .ansible-lint | 2 ++ rules/tag.py | 63 ++++++++++++++++++++++++++++++++++++++++++++++ tasks/fix-cat2.yml | 4 +-- 3 files changed, 67 insertions(+), 2 deletions(-) create mode 100644 rules/tag.py diff --git a/.ansible-lint b/.ansible-lint index b717f678..44e65894 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -19,4 +19,6 @@ skip_list: - '602' - '208' use_default_rules: true +rulesdir: + - ./rules/ verbosity: 0 diff --git a/rules/tag.py b/rules/tag.py new file mode 100644 index 00000000..1208011d --- /dev/null +++ b/rules/tag.py @@ -0,0 +1,63 @@ +"""Implementation of TagRule.""" + +from __future__ import annotations + +import re +from typing import TYPE_CHECKING + +from ansiblelint.constants import LINE_NUMBER_KEY +from ansiblelint.file_utils import Lintable +from ansiblelint.rules import AnsibleLintRule, TransformMixin + +if TYPE_CHECKING: + from ansiblelint.errors import MatchError + from ansiblelint.utils import Task + + +class TagRule(AnsibleLintRule, TransformMixin): + """Rule for checking task tags.""" + + id = "tag" + description = ( + "All task tags should have distinct names" + "and templates in tags should be avoided." + ) + severity = "MEDIUM" + tags = ["idiom"] + _re_templated = re.compile(r"^.*\{\{.*\}\}.*$") + _ids = { + "tag[no-duplicate]": "Tasks should not duplicate tags.", + "tag[no-template]": "Tasks should not use Jinja templates in tags.", + } + + def matchtask( + self, + task: Task, + file: Lintable | None = None, + ) -> list[MatchError]: + results: list[MatchError] = [] + if file and file.failed(): + return results + tags = task.get("tags") + if tags: + if len(tags) != len(set(tags)): + results.append( + self.create_matcherror( + message="Tasks should not duplicate tags.", + lineno=task[LINE_NUMBER_KEY], + tag="tag[no-duplicate]", + filename=file, + ), + ) + for tag in tags: + if self._re_templated.match(tag): + results.append( + self.create_matcherror( + message="Tasks should not use Jinja templates in tags.", + lineno=task[LINE_NUMBER_KEY], + tag="tag[no-template]", + filename=file, + ), + ) + break + return results diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index ec4bce82..089e8129 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2733,7 +2733,6 @@ tags: - RHEL-08-010830 - CAT2 - - V-230330 - CCI-000366 - SRG-OS-000480-GPOS-00229 - SV-230330r858713_rule @@ -5973,7 +5972,8 @@ - SV-230505r744020_rule - V-230505 - firewall - - "{{ rhel8stig_firewall_service }}" + - iptables + - firewalld - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8" block: From 413e36a2cd3d5d9bd7e7325c4df4b5ca941dfb2a Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 17:48:38 +0000 Subject: [PATCH 3/6] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.4 → v8.19.2](https://github.com/gitleaks/gitleaks/compare/v8.18.4...v8.19.2) - [github.com/ansible-community/ansible-lint: v24.7.0 → v24.9.0](https://github.com/ansible-community/ansible-lint/compare/v24.7.0...v24.9.0) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e3bd1700..32ed0167 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,12 +35,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.4 + rev: v8.19.2 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.7.0 + rev: v24.9.0 hooks: - id: ansible-lint name: Ansible-lint From 7fe7b1cf0edba34a3da23c47d98681ea118ebc34 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 17:48:55 +0000 Subject: [PATCH 4/6] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.9.0 → v24.9.2](https://github.com/ansible-community/ansible-lint/compare/v24.9.0...v24.9.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 32ed0167..bcbce980 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -40,7 +40,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.9.0 + rev: v24.9.2 hooks: - id: ansible-lint name: Ansible-lint From e3452ef3cc4efe5b4e97676bbce032dc8cf0af23 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 18:27:08 +0000 Subject: [PATCH 5/6] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/pre-commit-hooks: v4.6.0 → v5.0.0](https://github.com/pre-commit/pre-commit-hooks/compare/v4.6.0...v5.0.0) - [github.com/gitleaks/gitleaks: v8.19.2 → v8.20.1](https://github.com/gitleaks/gitleaks/compare/v8.19.2...v8.20.1) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index bcbce980..e890b356 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 + rev: v5.0.0 hooks: # Safety - id: detect-aws-credentials @@ -35,7 +35,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.19.2 + rev: v8.20.1 hooks: - id: gitleaks From 722fbdccd3357b3f4b25aae856ad9931a31974d4 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 17:54:54 +0000 Subject: [PATCH 6/6] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.20.1 → v8.21.1](https://github.com/gitleaks/gitleaks/compare/v8.20.1...v8.21.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e890b356..8f807963 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,7 +35,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.20.1 + rev: v8.21.1 hooks: - id: gitleaks