Merge pull request #205 from ansible-lockdown/devel

Release to main
ansible-lockdown · May 1, 2024 · 7661bc0 · 7661bc0
2 parents 00e6f19 + 79e36d8
commit 7661bc0
Show file tree

Hide file tree

Showing 70 changed files with 1,508 additions and 714 deletions.
diff --git a/.ansible-lint b/.ansible-lint
@@ -6,12 +6,10 @@ skip_list:
     - 'schema'
     - 'no-changed-when'
     - 'var-spacing'
-    - 'fqcn-builtins'
     - 'experimental'
     - 'name[play]'
     - 'name[casing]'
     - 'name[template]'
-    - 'fqcn[action]'
     - 'key-order[task]'
     - '204'
     - '305'

diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
@@ -75,10 +75,6 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
-    {
-      "path": "detect_secrets.filters.common.is_baseline_file",
-      "filename": ".config/.secrets.baseline"
-    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -113,64 +109,11 @@
     {
       "path": "detect_secrets.filters.regex.should_exclude_file",
       "pattern": [
-        ".config/.gitleaks-report.json"
+        ".config/.gitleaks-report.json",
+        "tasks/parse_etc_password.yml"
       ]
     }
   ],
-  "results": {
-    "defaults/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "defaults/main.yml",
-        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
-        "is_verified": false,
-        "line_number": 364,
-        "is_secret": false
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "defaults/main.yml",
-        "hashed_secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e",
-        "is_verified": false,
-        "line_number": 375,
-        "is_secret": false
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "defaults/main.yml",
-        "hashed_secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4",
-        "is_verified": false,
-        "line_number": 376,
-        "is_secret": false
-      }
-    ],
-    "tasks/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/main.yml",
-        "hashed_secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb",
-        "is_verified": false,
-        "line_number": 38,
-        "is_secret": false
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/main.yml",
-        "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
-        "is_verified": false,
-        "line_number": 110,
-        "is_secret": false
-      }
-    ],
-    "tasks/parse_etc_password.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/parse_etc_password.yml",
-        "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
-        "is_verified": false,
-        "line_number": 18
-      }
-    ]
-  },
-  "generated_at": "2023-08-10T12:54:13Z"
+  "results": {},
+  "generated_at": "2023-09-21T14:11:05Z"
 }
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
@@ -27,9 +27,9 @@
                   repo-token: ${{ secrets.GITHUB_TOKEN }}
                   pr-message: |-
                       Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                      Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+                      Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
-        # This workflow contains a single job which tests the playbook
+        # This workflow contains a single job that tests the playbook
         playbook-test:
           # The type of runner that the job will run on
           runs-on: ubuntu-latest
@@ -44,13 +44,13 @@
 
           steps:
             - name: Clone ${{ github.event.repository.name }}
-              uses: actions/checkout@v3
+              uses: actions/checkout@v4
               with:
                 ref: ${{ github.event.pull_request.head.sha }}
 
             # Pull in terraform code for linux servers
-            - name: Clone github IaC plan
-              uses: actions/checkout@v3
+            - name: Clone GitHub IaC plan
+              uses: actions/checkout@v4
               with:
                 repository: ansible-lockdown/github_linux_IaC
                 path: .github/workflows/github_linux_IaC
@@ -74,23 +74,23 @@
                 pwd
                 ls
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
             - name: Terraform_Init
               id: init
               run: terraform init
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
             - name: Terraform_Validate
               id: validate
               run: terraform validate
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
@@ -111,9 +111,9 @@
       # Aws deployments taking a while to come up insert sleep or playbook fails
 
             - name: Sleep for 60 seconds
-              run: sleep 60s
+              run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
-          # Run the ansible playbook
+          # Run the Ansibleplaybook
             - name: Run_Ansible_Playbook
               uses: arillso/action.playbook@master
               with:
@@ -125,6 +125,7 @@
               env:
                 ANSIBLE_HOST_KEY_CHECKING: "false"
                 ANSIBLE_DEPRECATION_WARNINGS: "false"
+                ANSIBLE_INJECT_FACT_VARS: "false"
 
           # Remove test system - User secrets to keep if necessary
 

diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
@@ -18,7 +18,7 @@
     # that can run sequentially or in parallel
     jobs:
 
-        # This workflow contains a single job which tests the playbook
+        # This workflow contains a single job that tests the playbook
         playbook-test:
           # The type of runner that the job will run on
           runs-on: ubuntu-latest
@@ -33,13 +33,13 @@
 
           steps:
             - name: Clone ${{ github.event.repository.name }}
-              uses: actions/checkout@v3
+              uses: actions/checkout@v4
               with:
                 ref: ${{ github.event.pull_request.head.sha }}
 
             # Pull in terraform code for linux servers
-            - name: Clone github IaC plan
-              uses: actions/checkout@v3
+            - name: Clone GitHub IaC plan
+              uses: actions/checkout@v4
               with:
                 repository: ansible-lockdown/github_linux_IaC
                 path: .github/workflows/github_linux_IaC
@@ -63,23 +63,23 @@
                 pwd
                 ls
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
             - name: Terraform_Init
               id: init
               run: terraform init
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
             - name: Terraform_Validate
               id: validate
               run: terraform validate
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
@@ -100,9 +100,9 @@
       # Aws deployments taking a while to come up insert sleep or playbook fails
 
             - name: Sleep for 60 seconds
-              run: sleep 60s
+              run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
-          # Run the ansible playbook
+          # Run the Ansibleplaybook
             - name: Run_Ansible_Playbook
               uses: arillso/action.playbook@master
               with:
@@ -114,6 +114,7 @@
               env:
                 ANSIBLE_HOST_KEY_CHECKING: "false"
                 ANSIBLE_DEPRECATION_WARNINGS: "false"
+                ANSIBLE_INJECT_FACT_VARS: "false"
 
           # Remove test system - User secrets to keep if necessary
 

diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml
@@ -1,11 +1,7 @@
 ---
 
-# This is a basic workflow to help you get started with Actions
-
 name: update galaxy
 
-# Controls when the action will run.
-# Triggers the workflow on merge request events to the main branch
 on:
     push:
         branches:
@@ -14,8 +10,10 @@ jobs:
     update_role:
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v3
-            - uses: robertdebock/galaxy-action@master
+            - name: Checkout repo
+              uses: actions/checkout@v4
+
+            - name: Action Ansible Galaxy Release ${{ github.ref_name }}
+              uses: ansible-actions/ansible-galaxy-action@main
               with:
-                  galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
-                  git_branch: main
+                galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.2.0
+  rev: v4.6.0
   hooks:
   # Safety
   - id: detect-aws-credentials
@@ -37,13 +37,13 @@ repos:
     exclude: .config/.gitleaks-report.json
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.17.0
+  rev: v8.18.2
   hooks:
   - id: gitleaks
     args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v6.17.2
+  rev: v24.2.2
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -62,6 +62,6 @@ repos:
     - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.32.0  # or higher tag
+  rev: v1.35.1  # or higher tag
   hooks:
   - id: yamllint
diff --git a/.yamllint b/.yamllint
@@ -30,4 +30,4 @@ rules:
     trailing-spaces: enable
     truthy:
         allowed-values: ['true', 'false']
-        check-keys: false
+        check-keys: true
diff --git a/Changelog.md b/Changelog.md
@@ -1,5 +1,55 @@
 # Changes to rhel9CIS
 
+## 1.1.5 - Based on CIS v1.0.0
+
+- added new interactive user discoveries
+  - updated controls 6.2.10-6.2.14
+- audit
+  - steps moved to prelim
+  - update to coipy and archive logic and variables
+- removed vars not used
+- updated quotes used in mode tasks
+- pre-commit update
+- issues addressed
+  - #190 thanks to @ipruteanu-sie
+    - aligned logic for user shadow suite params (aligned with other repos)
+    - new variables to force changes to existing users added 5.6.1.1 - 5.6.1.2
+  - #198 thanks to @brakkio86
+
+## 1.1.4 - Based on CIS v1.0.0
+
+- 1.2.1 new option for a new system to import gpg key for 1.2.1 to pass redhat only
+- thanks to @ipruteanu-sie
+  - #156
+  - #165
+  - #180
+  - #181
+  - #183
+  - #184
+
+## 1.1.3 - Based on CIS v1.0.0
+
+- updated goss binary to 0.4.4
+- moved majority of audit variables to vars/audit.yml
+- new function to enable audit_only using remediation
+- removed some dupes in audit config
+
+## 1.1.2 - Based on CIS v1.0.0
+
+- updated audit binary versions - aligned with rhel9-cis-audit
+- lint updates
+- .secrets updated
+- file mode quoted
+- updated 5.6.5 thansk to feedback from S!ghs on discord community
+
+## 1.1.1 - Based on CIS v1.0.0
+
+- thanks to @agbrowne
+  - [#90](https://github.com/ansible-lockdown/RHEL9-CIS/issues/90)
+
+- thanks to @mnasiadka
+  - [#54](https://github.com/ansible-lockdown/RHEL9-CIS/pull/54)
+
 ## 1.1.0
 
 - new workflow configuration
@@ -81,8 +131,8 @@ Aligned benchmark audit version with remediate release
 
 ## 1.0.1
 
-Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8  
-Will not follow ynlink in hoe directoris and amend permissions.
+Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8
+Will not follow symlink in home directories and amend permissions.
 
 - rhel_09_6_2_16_home_follow_symlink: false
 

diff --git a/README.md b/README.md
@@ -40,7 +40,7 @@
 
 ### Community
 
-Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.
+Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.
 
 ### Contributing
 
@@ -132,8 +132,8 @@ os_check: false
 - python-def (should be included in RHEL 9)
 - libselinux-python
 - pip packages
-  - jmespath ( complete list found in requirements.txt)
-- collections found in collections/requirememnts.yml
+  - jmespath
+- collections found in collections/requirements.yml
 
 pre-commit is available if installed on your host for pull request testing.