Skip to content

Commit

Permalink
Merge pull request #205 from ansible-lockdown/devel
Browse files Browse the repository at this point in the history
Release to main
  • Loading branch information
uk-bolly authored May 1, 2024
2 parents 00e6f19 + 79e36d8 commit 7661bc0
Show file tree
Hide file tree
Showing 70 changed files with 1,508 additions and 714 deletions.
2 changes: 0 additions & 2 deletions .ansible-lint
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,10 @@ skip_list:
- 'schema'
- 'no-changed-when'
- 'var-spacing'
- 'fqcn-builtins'
- 'experimental'
- 'name[play]'
- 'name[casing]'
- 'name[template]'
- 'fqcn[action]'
- 'key-order[task]'
- '204'
- '305'
Expand Down
65 changes: 4 additions & 61 deletions .config/.secrets.baseline
Original file line number Diff line number Diff line change
Expand Up @@ -75,10 +75,6 @@
{
"path": "detect_secrets.filters.allowlist.is_line_allowlisted"
},
{
"path": "detect_secrets.filters.common.is_baseline_file",
"filename": ".config/.secrets.baseline"
},
{
"path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
"min_level": 2
Expand Down Expand Up @@ -113,64 +109,11 @@
{
"path": "detect_secrets.filters.regex.should_exclude_file",
"pattern": [
".config/.gitleaks-report.json"
".config/.gitleaks-report.json",
"tasks/parse_etc_password.yml"
]
}
],
"results": {
"defaults/main.yml": [
{
"type": "Secret Keyword",
"filename": "defaults/main.yml",
"hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
"is_verified": false,
"line_number": 364,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": "defaults/main.yml",
"hashed_secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e",
"is_verified": false,
"line_number": 375,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": "defaults/main.yml",
"hashed_secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4",
"is_verified": false,
"line_number": 376,
"is_secret": false
}
],
"tasks/main.yml": [
{
"type": "Secret Keyword",
"filename": "tasks/main.yml",
"hashed_secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb",
"is_verified": false,
"line_number": 38,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": "tasks/main.yml",
"hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
"is_verified": false,
"line_number": 110,
"is_secret": false
}
],
"tasks/parse_etc_password.yml": [
{
"type": "Secret Keyword",
"filename": "tasks/parse_etc_password.yml",
"hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
"is_verified": false,
"line_number": 18
}
]
},
"generated_at": "2023-08-10T12:54:13Z"
"results": {},
"generated_at": "2023-09-21T14:11:05Z"
}
21 changes: 11 additions & 10 deletions .github/workflows/devel_pipeline_validation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,9 +27,9 @@
repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: |-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
# This workflow contains a single job which tests the playbook
# This workflow contains a single job that tests the playbook
playbook-test:
# The type of runner that the job will run on
runs-on: ubuntu-latest
Expand All @@ -44,13 +44,13 @@

steps:
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

# Pull in terraform code for linux servers
- name: Clone github IaC plan
uses: actions/checkout@v3
- name: Clone GitHub IaC plan
uses: actions/checkout@v4
with:
repository: ansible-lockdown/github_linux_IaC
path: .github/workflows/github_linux_IaC
Expand All @@ -74,23 +74,23 @@
pwd
ls
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Init
id: init
run: terraform init
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Validate
id: validate
run: terraform validate
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

Expand All @@ -111,9 +111,9 @@
# Aws deployments taking a while to come up insert sleep or playbook fails

- name: Sleep for 60 seconds
run: sleep 60s
run: sleep ${{ vars.BUILD_SLEEPTIME }}

# Run the ansible playbook
# Run the Ansibleplaybook
- name: Run_Ansible_Playbook
uses: arillso/action.playbook@master
with:
Expand All @@ -125,6 +125,7 @@
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
ANSIBLE_DEPRECATION_WARNINGS: "false"
ANSIBLE_INJECT_FACT_VARS: "false"

# Remove test system - User secrets to keep if necessary

Expand Down
19 changes: 10 additions & 9 deletions .github/workflows/main_pipeline_validation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@
# that can run sequentially or in parallel
jobs:

# This workflow contains a single job which tests the playbook
# This workflow contains a single job that tests the playbook
playbook-test:
# The type of runner that the job will run on
runs-on: ubuntu-latest
Expand All @@ -33,13 +33,13 @@

steps:
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

# Pull in terraform code for linux servers
- name: Clone github IaC plan
uses: actions/checkout@v3
- name: Clone GitHub IaC plan
uses: actions/checkout@v4
with:
repository: ansible-lockdown/github_linux_IaC
path: .github/workflows/github_linux_IaC
Expand All @@ -63,23 +63,23 @@
pwd
ls
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Init
id: init
run: terraform init
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Validate
id: validate
run: terraform validate
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

Expand All @@ -100,9 +100,9 @@
# Aws deployments taking a while to come up insert sleep or playbook fails

- name: Sleep for 60 seconds
run: sleep 60s
run: sleep ${{ vars.BUILD_SLEEPTIME }}

# Run the ansible playbook
# Run the Ansibleplaybook
- name: Run_Ansible_Playbook
uses: arillso/action.playbook@master
with:
Expand All @@ -114,6 +114,7 @@
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
ANSIBLE_DEPRECATION_WARNINGS: "false"
ANSIBLE_INJECT_FACT_VARS: "false"

# Remove test system - User secrets to keep if necessary

Expand Down
14 changes: 6 additions & 8 deletions .github/workflows/update_galaxy.yml
Original file line number Diff line number Diff line change
@@ -1,11 +1,7 @@
---

# This is a basic workflow to help you get started with Actions

name: update galaxy

# Controls when the action will run.
# Triggers the workflow on merge request events to the main branch
on:
push:
branches:
Expand All @@ -14,8 +10,10 @@ jobs:
update_role:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: robertdebock/galaxy-action@master
- name: Checkout repo
uses: actions/checkout@v4

- name: Action Ansible Galaxy Release ${{ github.ref_name }}
uses: ansible-actions/ansible-galaxy-action@main
with:
galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
git_branch: main
galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
8 changes: 4 additions & 4 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ ci:

repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v3.2.0
rev: v4.6.0
hooks:
# Safety
- id: detect-aws-credentials
Expand Down Expand Up @@ -37,13 +37,13 @@ repos:
exclude: .config/.gitleaks-report.json

- repo: https://github.com/gitleaks/gitleaks
rev: v8.17.0
rev: v8.18.2
hooks:
- id: gitleaks
args: ['--baseline-path', '.config/.gitleaks-report.json']

- repo: https://github.com/ansible-community/ansible-lint
rev: v6.17.2
rev: v24.2.2
hooks:
- id: ansible-lint
name: Ansible-lint
Expand All @@ -62,6 +62,6 @@ repos:
- ansible-core>=2.10.1

- repo: https://github.com/adrienverge/yamllint.git
rev: v1.32.0 # or higher tag
rev: v1.35.1 # or higher tag
hooks:
- id: yamllint
2 changes: 1 addition & 1 deletion .yamllint
Original file line number Diff line number Diff line change
Expand Up @@ -30,4 +30,4 @@ rules:
trailing-spaces: enable
truthy:
allowed-values: ['true', 'false']
check-keys: false
check-keys: true
54 changes: 52 additions & 2 deletions Changelog.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,55 @@
# Changes to rhel9CIS

## 1.1.5 - Based on CIS v1.0.0

- added new interactive user discoveries
- updated controls 6.2.10-6.2.14
- audit
- steps moved to prelim
- update to coipy and archive logic and variables
- removed vars not used
- updated quotes used in mode tasks
- pre-commit update
- issues addressed
- #190 thanks to @ipruteanu-sie
- aligned logic for user shadow suite params (aligned with other repos)
- new variables to force changes to existing users added 5.6.1.1 - 5.6.1.2
- #198 thanks to @brakkio86

## 1.1.4 - Based on CIS v1.0.0

- 1.2.1 new option for a new system to import gpg key for 1.2.1 to pass redhat only
- thanks to @ipruteanu-sie
- #156
- #165
- #180
- #181
- #183
- #184

## 1.1.3 - Based on CIS v1.0.0

- updated goss binary to 0.4.4
- moved majority of audit variables to vars/audit.yml
- new function to enable audit_only using remediation
- removed some dupes in audit config

## 1.1.2 - Based on CIS v1.0.0

- updated audit binary versions - aligned with rhel9-cis-audit
- lint updates
- .secrets updated
- file mode quoted
- updated 5.6.5 thansk to feedback from S!ghs on discord community

## 1.1.1 - Based on CIS v1.0.0

- thanks to @agbrowne
- [#90](https://github.com/ansible-lockdown/RHEL9-CIS/issues/90)

- thanks to @mnasiadka
- [#54](https://github.com/ansible-lockdown/RHEL9-CIS/pull/54)

## 1.1.0

- new workflow configuration
Expand Down Expand Up @@ -81,8 +131,8 @@ Aligned benchmark audit version with remediate release

## 1.0.1

Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8
Will not follow ynlink in hoe directoris and amend permissions.
Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8
Will not follow symlink in home directories and amend permissions.

- rhel_09_6_2_16_home_follow_symlink: false

Expand Down
6 changes: 3 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@

### Community

Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.
Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.

### Contributing

Expand Down Expand Up @@ -132,8 +132,8 @@ os_check: false
- python-def (should be included in RHEL 9)
- libselinux-python
- pip packages
- jmespath ( complete list found in requirements.txt)
- collections found in collections/requirememnts.yml
- jmespath
- collections found in collections/requirements.yml

pre-commit is available if installed on your host for pull request testing.

Expand Down
Loading

0 comments on commit 7661bc0

Please sign in to comment.