From 321921162c92f090c16e55fd9c8ac427ea6750cd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 22 Mar 2023 09:26:11 +0000 Subject: [PATCH 1/9] updated goss version and url Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 74a4b50..91ff01c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -486,14 +486,14 @@ amazon2cis_warning_banner: | ### Goss binary settings ### goss_version: - release: v0.3.16 - checksum: 'sha256:827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb' + release: v0.3.21 + checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json # if get_goss_file == download change accordingly -goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64" +goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64" ## if get_goss_file - copy the following needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node From cf02d9c35e0ee290e1cb42134c2cdbcd79533725 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 22 Mar 2023 09:26:30 +0000 Subject: [PATCH 2/9] updated inline with galaxy Signed-off-by: Mark Bolwell --- .yamllint | 45 +++++++++++++++++++-------------------------- 1 file changed, 19 insertions(+), 26 deletions(-) diff --git a/.yamllint b/.yamllint index 5f9d71c..5dc8a98 100644 --- a/.yamllint +++ b/.yamllint 
@@ -1,32 +1,25 @@ --- -ignore: | - tests/ - molecule/ - .github/ - .gitlab-ci.yml - *molecule.yml - +# Based on ansible-lint config extends: default rules: + braces: {max-spaces-inside: 1, level: error} + brackets: {max-spaces-inside: 1, level: error} + colons: {max-spaces-after: -1, level: error} + commas: {max-spaces-after: -1, level: error} + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: {max: 3, level: error} + hyphens: {level: error} indentation: - # Requiring 4 space indentation - spaces: 4 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent - #truthy: disable - braces: - max-spaces-inside: 1 - level: error - brackets: - max-spaces-inside: 1 - level: error - line-length: disable + # Requiring 4 space indentation + spaces: 4 + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent key-duplicates: enable - new-line-at-end-of-file: enable - new-lines: - type: unix - trailing-spaces: enable - truthy: - allowed-values: ['true', 'false'] - check-keys: true + line-length: disable + new-line-at-end-of-file: disable + new-lines: {type: unix} + trailing-spaces: disable + truthy: disable From 327adc75d384f85dcdb3d3ca6a1bb6e13ee501cc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 22 Mar 2023 09:26:47 +0000 Subject: [PATCH 3/9] lint update Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 190 +++++++++--------- 1 file changed, 95 insertions(+), 95 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 57ab540..c2377d4 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml 
@@ -6,106 +6,106 @@ name: linux_benchmark_pipeline # Triggers the workflow on push or pull request # events but only for the devel branch on: - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' # A workflow run is made up of one or more jobs # that can run sequentially or in parallel jobs: # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. - # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - env: - ENABLE_DEBUG: false + welcome: + runs-on: ubuntu-latest + + steps: + - uses: actions/first-interaction@main + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. 
+ # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on + runs-on: ubuntu-latest - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, - # so your job can access it - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - -### Build out the server - - name: Terraform_Init - working-directory: .github/workflows - run: terraform init - - - name: Terraform_Validate - working-directory: .github/workflows - run: terraform validate - - - name: Terraform_Apply - working-directory: .github/workflows - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false - -## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows - run: cat hosts.yml - -# Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep 60s - shell: bash - -# Run the ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} -# verbose: 3 env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" + ENABLE_DEBUG: false -# Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - working-directory: .github/workflows - if: always() && 
env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, + # so your job can access it + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: Add_ssh_key + working-directory: .github/workflows + env: + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + run: | + mkdir .ssh + chmod 700 .ssh + echo $PRIVATE_KEY > .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + + ### Build out the server + - name: Terraform_Init + working-directory: .github/workflows + run: terraform init + + - name: Terraform_Validate + working-directory: .github/workflows + run: terraform validate + + - name: Terraform_Apply + working-directory: .github/workflows + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false + + ## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + working-directory: .github/workflows + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep for 60 seconds + run: sleep 60s + shell: bash + + # Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} + # verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Remove test system - User secrets to keep 
if necessary + + - name: Terraform_Destroy + working-directory: .github/workflows + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false From 1ef82c303184c2a206535219127a62b1a5270209 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 22 Mar 2023 09:27:01 +0000 Subject: [PATCH 4/9] updated for galaxy Signed-off-by: Mark Bolwell --- meta/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index 1e07b05..c4042ae 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -6,21 +6,21 @@ galaxy_info: license: MIT namespace: mindpointgroup role_name: amazon2_cis - min_ansible_version: 2.9.0 + min_ansible_version: 2.10.1 platforms: - name: Amazon versions: - - "2" - + - "2017.03" + - "2017.09" galaxy_tags: - system - security - cis - hardening - + - Amazon + - complianceascode collections: - community.general - community.crypto - ansible.posix - dependencies: [] From 67b518084aa0b6c3a3554034ff0d96dc71922be3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 22 Mar 2023 09:27:28 +0000 Subject: [PATCH 5/9] Added update Signed-off-by: Mark Bolwell --- .github/workflows/update_galaxy.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/workflows/update_galaxy.yml diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml new file mode 100644 index 0000000..951a53c --- /dev/null +++ b/.github/workflows/update_galaxy.yml 
@@ -0,0 +1,21 @@ +--- + +# This is a basic workflow to help you get started with Actions + +name: update galaxy + +# Controls when the action will run. +# Triggers the workflow on merge request events to the main branch +on: + push: + branches: + - main +jobs: + update_role: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: robertdebock/galaxy-action@master + with: + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} + git_branch: main From 3aed59045b59d6b80787206ae057c827a385f5dc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 22 Mar 2023 09:29:27 +0000 Subject: [PATCH 6/9] updated date Signed-off-by: Mark Bolwell --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index 927b87d..67f118e 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2022 Ansible Lockdown +Copyright (c) 2023 Ansible Lockdown Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal From f706206c2350093cfa9c0c43d8372403f0c01594 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 22 Mar 2023 09:47:47 +0000 Subject: [PATCH 7/9] nice lint options added Signed-off-by: Mark Bolwell --- .yamllint | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.yamllint b/.yamllint index 5dc8a98..72ac645 100644 --- a/.yamllint +++ b/.yamllint @@ -19,7 +19,10 @@ rules: indent-sequences: consistent key-duplicates: enable line-length: disable - new-line-at-end-of-file: disable - new-lines: {type: unix} - trailing-spaces: disable - truthy: disable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: true From aadd406c3d349c9a6d3ecad80a98e816a104aa99 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 22 Mar 2023 09:48:04 +0000 Subject: [PATCH 8/9] lint updates 
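Review bot: `robertdebock/galaxy-action@master` on the `uses:` line near the end of the new update_galaxy.yml is a mutable branch reference that receives `secrets.GALAXY_API_KEY`, so anyone able to move that branch can obtain the key on the next push to main; pin it to a full commit SHA with the version in a trailing comment, e.g. `- uses: robertdebock/galaxy-action@<full-commit-sha>  # <version>`, and pin `actions/checkout@v3` the same way. The workflow declares no `permissions:` block, so the job runs with the repository's default token scopes; a top-level `permissions: contents: read` is enough for a checkout. The header comment says the trigger is "merge request events to the main branch", while the `on:` block below triggers on `push` to `main`, so the comment should be aligned with the trigger. The later hunk in this series that touches this file (the `on: # yamllint disable-line rule:truthy` change in PATCH 8/9) leaves all of this as is.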
Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 4 ++-- .github/workflows/update_galaxy.yml | 2 +- tasks/section_5/cis_5.4.x.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index c2377d4..d028118 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -5,7 +5,7 @@ name: linux_benchmark_pipeline # Controls when the action will run. # Triggers the workflow on push or pull request # events but only for the devel branch -on: +on: # yamllint disable-line rule:truthy pull_request_target: types: [opened, reopened, synchronize] branches: @@ -42,7 +42,7 @@ jobs: # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, + # Checks-out your repository under $GITHUB_WORKSPACE, # so your job can access it - uses: actions/checkout@v3 with: diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 951a53c..2052b0a 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -6,7 +6,7 @@ name: update galaxy # Controls when the action will run. # Triggers the workflow on merge request events to the main branch -on: +on: # yamllint disable-line rule:truthy push: branches: - main diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 1eeddcf..729d68d 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -58,7 +58,7 @@ with_items: - "system-auth" - "password-auth" - + - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Activate deny count and unlock times to failed password" lineinfile: path: /etc/pam.d/{{ item }} From 946d2a40c41c80ebb6e187cf28c01db30f05a01b Mon Sep 17 00:00:00 2001 
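Review bot: The `on:` line this hunk touches keeps `pull_request_target:` as the trigger, and elsewhere in this file (visible in the PATCH 3/9 hunk) the same workflow checks out `github.event.pull_request.head.sha`, then runs `terraform apply` from `.github/workflows` and the playbook with `secrets.SSH_PRV_KEY` and the AWS keys — that combination lets content from an unreviewed fork pull request run with the base repository's secrets. The usual mitigations are to put the privileged job behind a GitHub environment with required reviewers or an explicit maintainer-label gate such as `if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')`, or to split into an unprivileged `pull_request` test job and a separate deploy workflow. The `on:` block continues beyond the end of this hunk. The same file also uses the floating refs `actions/first-interaction@main` and `arillso/action.playbook@master`, which should be pinned to full commit SHAs for the same supply-chain reason; the second hunk in this file only strips trailing whitespace.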
From: Mark Bolwell Date: Wed, 22 Mar 2023 13:09:20 +0000 Subject: [PATCH 9/9] dummy update Signed-off-by: Mark Bolwell --- site.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/site.yml b/site.yml index 0a27252..52c4afc 100644 --- a/site.yml +++ b/site.yml @@ -2,5 +2,6 @@ - hosts: all become: true + name: Run the ansible-lockdown remediation role roles: - role: "{{ playbook_dir }}"
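Review bot: The added `name:` sits between `become: true` and `roles:`, whereas a play's `name` is conventionally the first key so the play reads top-down as name, hosts, privilege; suggested order: `- name: Run the ansible-lockdown remediation role`, `hosts: all`, `become: true`. The commit subject `dummy update` does not describe this change; a subject such as `site.yml: name the play` would make the history searchable. The play mapping continues past the end of the hunk (the `roles:` list).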