Merge pull request #2 from ansible-lockdown/georgenalen
Possible Release
carnells authored Nov 19, 2020
2 parents 3ad0cf4 + 181a161 commit 0373ba2
Showing 8 changed files with 310 additions and 6 deletions.
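--- a/.github/workflows/communitytodevel.yml
+++ b/.github/workflows/communitytodevel.yml
@@ -0,0 +1,102 @@
+# This is a basic workflow to help you get started with Actions
+
+name: CommunityToDevel
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+pull_request:
+branches: [ devel ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+# This workflow contains a single job called "build"
+build:
+# The type of runner that the job will run on
+runs-on: ubuntu-latest
+
+# Steps represent a sequence of tasks that will be executed as part of the job
+steps:
+# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+- uses: actions/checkout@v2
+
+# Refactr pipeline for devel pull request/merge
+- name: Refactr - Run RHEL 7 Pipeline (to devel)
+# You may pin to the exact commit or the version.
+# uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+uses: refactr/[email protected]
+with:
+# API token
+api_token: '${{ secrets.REFACTR_KEY }}'
+# Project ID
+project_id: 5f47f0c4a13c7b18373e5556
+# Job ID
+job_id: 5f933cbcf9c74e86b1609c00
+# Variables
+variables: '{ "gitrepo": "https://github.com/ansible-lockdown/APACHE-2.4-CIS.git", "image": "ami-098f55b4287a885ba", "githubBranch": "${{ github.head_ref }}", "username": "centos" }'
+# Refactr API base URL
+api_url: # optional
+
+- name: Refactr - Run RHEL 8 Pipeline (to devel)
+# You may pin to the exact commit or the version.
+# uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+uses: refactr/[email protected]
+with:
+# API token
+api_token: '${{ secrets.REFACTR_KEY }}'
+# Project ID
+project_id: 5f47f0c4a13c7b18373e5556
+# Job ID
+job_id: 5f933cbcf9c74e86b1609c00
+# Variables
+variables: '{ "gitrepo": "https://github.com/ansible-lockdown/APACHE-2.4-CIS.git", "image": "ami-0ac4afbf945e5d64f", "githubBranch": "${{ github.head_ref }}", "username": "centos" }'
+# Refactr API base URL
+api_url: # optional
+
+- name: Refactr - Run Ubuntu 16 Pipeline (to devel)
+# You may pin to the exact commit or the version.
+# uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+uses: refactr/[email protected]
+with:
+# API token
+api_token: '${{ secrets.REFACTR_KEY }}'
+# Project ID
+project_id: 5f47f0c4a13c7b18373e5556
+# Job ID
+job_id: 5f933cbcf9c74e86b1609c00
+# Variables
+variables: '{ "gitrepo": "https://github.com/ansible-lockdown/APACHE-2.4-CIS.git", "image": "ami-0736e75ba7ca6b797", "githubBranch": "${{ github.head_ref }}", "username": "ubuntu" }'
+# Refactr API base URL
+api_url: # optional
+
+- name: Refactr - Run Ubuntu 18 Pipeline (to devel)
+# You may pin to the exact commit or the version.
+# uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+uses: refactr/[email protected]
+with:
+# API token
+api_token: '${{ secrets.REFACTR_KEY }}'
+# Project ID
+project_id: 5f47f0c4a13c7b18373e5556
+# Job ID
+job_id: 5f933cbcf9c74e86b1609c00
+# Variables
+variables: '{ "gitrepo": "https://github.com/ansible-lockdown/APACHE-2.4-CIS.git", "image": "ami-0608f6bd6e0eec7cc", "githubBranch": "${{ github.head_ref }}", "username": "ubuntu" }'
+# Refactr API base URL
+api_url: # optional
+
+- name: Refactr - Run Ubuntu 20 Pipeline (to devel)
+# You may pin to the exact commit or the version.
+# uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+uses: refactr/[email protected]
+with:
+# API token
+api_token: '${{ secrets.REFACTR_KEY }}'
+# Project ID
+project_id: 5f47f0c4a13c7b18373e5556
+# Job ID
+job_id: 5f933cbcf9c74e86b1609c00
+# Variables
+variables: '{ "gitrepo": "https://github.com/ansible-lockdown/APACHE-2.4-CIS.git", "image": "ami-0fe12c34e05228a69", "githubBranch": "${{ github.head_ref }}", "username": "ubuntu" }'
+# Refactr API base URL
+api_url: # optional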
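Review bot: `${{ github.head_ref }}` is spliced unescaped into the JSON string under `variables` in all five steps of this workflow; on a `pull_request` event that value is the PR author's branch name, so a name containing `"` or `\` produces malformed JSON or lets the branch name bleed into the neighbouring fields. Emit it as an escaped JSON string instead, e.g. `"githubBranch": ${{ toJSON(github.head_ref) }}`. Secrets such as `REFACTR_KEY` are also not exposed to `pull_request` runs coming from forks, so for genuinely external contributions `api_token` will presumably be empty and the step will fail — worth confirming the workflow is meant to run only for branches in this repository. `uses: refactr/[email protected]` is a mutable tag while the commented line above it already gives the commit SHA, so pin to that SHA, and the bare `api_url: # optional` parses as null rather than an empty string, so drop the key. The pinning and `api_url` points apply equally to develtomaster.yml and to the two root-level copies.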
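--- a/.github/workflows/develtomaster.yml
+++ b/.github/workflows/develtomaster.yml
@@ -0,0 +1,106 @@
+# This is a basic workflow to help you get started with Actions
+
+name: DevelToMain
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+pull_request:
+branches: [ main ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+# This workflow contains a single job called "build"
+build:
+# The type of runner that the job will run on
+runs-on: ubuntu-latest
+
+# Steps represent a sequence of tasks that will be executed as part of the job
+steps:
+# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+- uses: actions/checkout@v2
+
+# Refactr pipeline for devel pull request/merge
+- name: Refactr - Run RHEL 7 Pipeline (to main)
+# You may pin to the exact commit or the version.
+# uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+uses: refactr/[email protected]
+with:
+# API token
+api_token: '${{ secrets.REFACTR_KEY }}'
+# Project ID
+project_id: 5f47f0c4a13c7b18373e5556
+# Job ID
+job_id: 5f90ad90f9c74e6d1e606e33
+# Variables
+variables: '{ "gitrepo": "https://github.com/ansible-lockdown/APACHE-2.4-CIS.git", "image": "ami-098f55b4287a885ba", "username": "centos" }'
+# Refactr API base URL
+api_url: # optional
+
+# Refactr pipeline for devel pull request/merge
+- name: Refactr - Run RHEL 8 Pipeline (to main)
+# You may pin to the exact commit or the version.
+# uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+uses: refactr/[email protected]
+with:
+# API token
+api_token: '${{ secrets.REFACTR_KEY }}'
+# Project ID
+project_id: 5f47f0c4a13c7b18373e5556
+# Job ID
+job_id: 5f90ad90f9c74e6d1e606e33
+# Variables
+variables: '{ "gitrepo": "https://github.com/ansible-lockdown/APACHE-2.4-CIS.git", "image": "ami-0ac4afbf945e5d64f", "username": "centos" }'
+# Refactr API base URL
+api_url: # optional
+
+# Refactr pipeline for devel pull request/merge
+- name: Refactr - Run Ubuntu 16 Pipeline (to main)
+# You may pin to the exact commit or the version.
+# uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+uses: refactr/[email protected]
+with:
+# API token
+api_token: '${{ secrets.REFACTR_KEY }}'
+# Project ID
+project_id: 5f47f0c4a13c7b18373e5556
+# Job ID
+job_id: 5f90ad90f9c74e6d1e606e33
+# Variables
+variables: '{ "gitrepo": "https://github.com/ansible-lockdown/APACHE-2.4-CIS.git", "image": "ami-0736e75ba7ca6b797", "username": "ubuntu" }'
+# Refactr API base URL
+api_url: # optional
+
+# Refactr pipeline for devel pull request/merge
+- name: Refactr - Run Ubuntu 18 Pipeline (to main)
+# You may pin to the exact commit or the version.
+# uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+uses: refactr/[email protected]
+with:
+# API token
+api_token: '${{ secrets.REFACTR_KEY }}'
+# Project ID
+project_id: 5f47f0c4a13c7b18373e5556
+# Job ID
+job_id: 5f90ad90f9c74e6d1e606e33
+# Variables
+variables: '{ "gitrepo": "https://github.com/ansible-lockdown/APACHE-2.4-CIS.git", "image": "ami-0608f6bd6e0eec7cc", "username": "ubuntu" }'
+# Refactr API base URL
+api_url: # optional
+
+# Refactr pipeline for devel pull request/merge
+- name: Refactr - Run Ubuntu 20 Pipeline (to main)
+# You may pin to the exact commit or the version.
+# uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+uses: refactr/[email protected]
+with:
+# API token
+api_token: '${{ secrets.REFACTR_KEY }}'
+# Project ID
+project_id: 5f47f0c4a13c7b18373e5556
+# Job ID
+job_id: 5f90ad90f9c74e6d1e606e33
+# Variables
+variables: '{ "gitrepo": "https://github.com/ansible-lockdown/APACHE-2.4-CIS.git", "image": "ami-0fe12c34e05228a69", "username": "ubuntu" }'
+# Refactr API base URL
+api_url: # optional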
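Review bot: The naming in this file is inconsistent: it is called `develtomaster.yml`, declares `name: DevelToMain`, triggers on `branches: [ main ]`, yet the header comment still says "only for the devel branch" and every step repeats the copied `# Refactr pipeline for devel pull request/merge`. Settle on one branch name and reword the per-step comment to `# Refactr pipeline for main pull request/merge` (or drop the four repeats and keep it once above the first step). Unlike communitytodevel.yml the `variables` payloads here pass no `githubBranch`, so which ref the Refactr job builds presumably falls back to the job's own configuration — a one-line comment on the first step stating that would spare the next reader a trip to the Refactr console.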
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -40,3 +40,5 @@ benchparse/
*xccdf.xml
*.retry

# GitHub Action/Workflow files
.github/
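Review bot: Adding `.github/` to .gitignore in the same commit that adds `.github/workflows/communitytodevel.yml` and `develtomaster.yml` is contradictory: the two workflow files stay tracked only because they are already committed, while any new or renamed file under `.github/` (further workflows, issue templates, CODEOWNERS) will be silently skipped by `git add`. If the goal is to keep local scratch files out of the tree, ignore a narrower path instead of the whole directory, or drop the two lines; if the exclusion is deliberate, extend the comment to say why workflows live in an ignored directory.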
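--- a/communitytodevel.yml
+++ b/communitytodevel.yml
@@ -0,0 +1,38 @@
+# This is a basic workflow to help you get started with Actions
+
+name: CommunityToDevel
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+pull_request:
+branches: [ devel ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+# This workflow contains a single job called "build"
+build:
+# The type of runner that the job will run on
+runs-on: ubuntu-latest
+
+# Steps represent a sequence of tasks that will be executed as part of the job
+steps:
+# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+- uses: actions/checkout@v2
+
+# Refactr pipeline for devel pull request/merge
+- name: Refactr - Run Pipeline (to devel)
+# You may pin to the exact commit or the version.
+# uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+uses: refactr/[email protected]
+with:
+# API token
+api_token: '${{ secrets.REFACTR_KEY }}'
+# Project ID
+project_id: 5f47f0c4a13c7b18373e5556
+# Job ID
+job_id: 5f933cbcf9c74e86b1609c00
+# Variables
+variables: '{ "gitrepo": "https://github.com/ansible-lockdown/UBUNTU20-CIS.git", "image": "ami-0fe12c34e05228a69", "githubBranch": "${{ github.head_ref }}", "username": "ubuntu" }'
+# Refactr API base URL
+api_url: # optional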
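Review bot: GitHub Actions only loads workflow files from `.github/workflows/`, so this root-level `communitytodevel.yml` (and likewise the root-level `develtomaster.yml` added in the next file section) will never run; both look like leftover copies of the versions this commit adds under `.github/workflows/`. They also point `gitrepo` at `https://github.com/ansible-lockdown/UBUNTU20-CIS.git` rather than this repository, and the root develtomaster.yml keeps `name: DevelToMaster` while triggering on `main`. Unless they are meant as documentation, delete both; if they stay, add a header comment such as `# Reference copy only - not executed; the live workflow is .github/workflows/communitytodevel.yml`.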
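--- a/develtomaster.yml
+++ b/develtomaster.yml
@@ -0,0 +1,38 @@
+# This is a basic workflow to help you get started with Actions
+
+name: DevelToMaster
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+pull_request:
+branches: [ main ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+# This workflow contains a single job called "build"
+build:
+# The type of runner that the job will run on
+runs-on: ubuntu-latest
+
+# Steps represent a sequence of tasks that will be executed as part of the job
+steps:
+# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+- uses: actions/checkout@v2
+
+# Refactr pipeline for devel pull request/merge
+- name: Refactr - Run Pipeline (to master)
+# You may pin to the exact commit or the version.
+# uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+uses: refactr/[email protected]
+with:
+# API token
+api_token: '${{ secrets.REFACTR_KEY }}'
+# Project ID
+project_id: 5f47f0c4a13c7b18373e5556
+# Job ID
+job_id: 5f90ad90f9c74e6d1e606e33
+# Variables
+variables: '{ "gitrepo": "https://github.com/ansible-lockdown/UBUNTU20-CIS.git", "image": "ami-0fe12c34e05228a69", "username": "ubuntu" }'
+# Refactr API base URL
+api_url: # optional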
13 changes: 9 additions & 4 deletions tasks/cis_apache_redhat_fix.yml
Expand Up @@ -442,7 +442,9 @@
- name: "SCORED | 3.7 | AUDIT | Ensure the Core Dump Directory Is Secured | Message if CoreDumpDirectory is Web Document Root Dir"
debug:
msg: "WARNING!! Your CoreDumpDirectory is using the Web Document Root directory: {{ apache_cis_3_7_coredumpdirectory.stdout }}"
when: apache_rhel_3_7_coredumpdirectory.stdout == apache_cis_3_7_docrootdir.stdout
when:
- apache_rhel_3_7_coredumpdirectory.stdout != ""
- apache_rhel_3_7_coredumpdirectory.stdout == apache_cis_3_7_docrootdir.stdout

- name: "SCORED | 3.7 | PATCH | Ensure the Core Dump Directory Is Secured"
file:
Expand Down Expand Up @@ -1007,7 +1009,8 @@
after: '<FilesMatch "\^\\.ht">'
before: '</FilesMatch>'
notify: restart httpd
when: '"Require" in apache_rhel_5_10_files_match_param.stdout'
when:
- '"Require" in apache_rhel_5_10_files_match_param.stdout'

- name: "SCORED | 5.10 | PATCH | Ensure Access to .ht* Files Is Restricted | Add Require setting if missing"
lineinfile:
Expand All @@ -1017,7 +1020,9 @@
<FilesMatch "^\.ht">
Require all denied
notify: restart httpd
when: '"Require" not in apache_rhel_5_10_files_match_param.stdout and apache_cis_5_10_files_match_param.stdout != ""'
when:
- apache_rhel_5_10_files_match_param.stdout != ""
- '"Require" not in apache_rhel_5_10_files_match_param.stdout'

- name: "SCORED | 5.10 | PATCH | Ensure Access to .ht* Files Is Restricted | Add FilesMatch settings"
blockinfile:
Expand Down Expand Up @@ -1388,7 +1393,7 @@

- name: "SCORED | 6.6 | PATCH | Ensure ModSecurity Is Installed and Enabled | Load module if not currently set"
lineinfile:
path: "{{ apache_cis_6_6_sec_mod_path.stdout }}"
path: "{{ apache_rhel_6_6_sec_mod_path.stdout }}"
regexp: 'LoadModule security2_module modules/mod_security2.so'
line: 'LoadModule security2_module modules/mod_security2.so'
insertbefore: BOF
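Review bot: In the first hunk (3.7 core dump check) the new `when:` conditions test `apache_rhel_3_7_coredumpdirectory.stdout`, but the `debug` message two lines above still interpolates `apache_cis_3_7_coredumpdirectory.stdout`; unless both variables are registered somewhere outside the shown lines, the task fails on an undefined variable precisely when the warning should fire. Use one name in both places, e.g. `msg: "WARNING!! Your CoreDumpDirectory is using the Web Document Root directory: {{ apache_rhel_3_7_coredumpdirectory.stdout }}"`. The third hunk (5.10 "Add Require setting if missing") does the equivalent `apache_cis_` to `apache_rhel_` rename consistently, and splitting the conditions into `when:` lists is an improvement. The tasks in the second and fourth hunks start outside the shown lines.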
9 changes: 9 additions & 0 deletions tasks/cis_apache_ubuntu_fix.yml
Expand Up @@ -1412,6 +1412,15 @@
apt:
name: modsecurity-crs
state: present
when:
- apache_cis_owasp_automate

- name: "SCORED | 6.7 | AUDIT | Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled | Create config folder if doesn't exist Configuration"
file:
name: /etc/modsecurity/crs/
state: directory
when:
- apache_cis_owasp_automate

- name: "SCORED | 6.7 | AUDIT | Ensure the OWASP ModSecurity Core Rule Set Is Installed and Enabled | Apply Configuration"
template:
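Review bot: The new directory task for `/etc/modsecurity/crs/` sets no `owner`, `group` or `mode`, so the permissions of a directory that will hold ModSecurity rule configuration depend on the umask on the target host; a hardening role should fix them explicitly, e.g. `owner: root`, `group: root`, `mode: '0755'`. The task is tagged `AUDIT` although it changes the system, whereas the surrounding tasks use `PATCH` for that — adjust the tag for consistency. `name:` is accepted by the `file` module as an alias, but `path:` is the documented parameter name. Both `when` guards on `apache_cis_owasp_automate` match each other; the apt task that the first one belongs to starts outside the hunk.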
8 changes: 6 additions & 2 deletions tasks/prelim.yml
Expand Up @@ -34,7 +34,7 @@

- name: Add additional RHEL repo
command: subscription-manager repos --enable rhel-7-server-optional-rpms
when: ansible_facts.distribution_file_variety == "RedHat" and ansible_facts.distribution_major_version == "7"
when: ansible_distribution == "RedHat" and ansible_facts.distribution_major_version == "7"

- name: Install needed packages
block:
Expand Down Expand Up @@ -104,4 +104,8 @@
when: ansible_facts.distribution_file_variety == "RedHat" and ansible_facts.distribution_major_version == "8"
when:
- apache_cis_11_2
- apache_cis_section11
- apache_cis_section11

# - name: Install PyOpenSSL
# apt:
# name:
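Review bot: The rewritten condition in the first hunk mixes fact styles: `ansible_distribution == "RedHat"` depends on facts being injected as top-level variables, while the second half reads `ansible_facts.distribution_major_version`; with `inject_facts_as_vars` disabled the first name is undefined and the task errors. Use `ansible_facts.distribution == "RedHat" and ansible_facts.distribution_major_version == "7"`. Note that the switch from `distribution_file_variety` to the exact distribution also stops the `subscription-manager` task running on CentOS-family hosts — presumably intended, since the tool is RHEL-specific, but the RHEL 8 sibling in the second hunk still checks `ansible_facts.distribution_file_variety == "RedHat"`, so the two repo tasks now apply different criteria and should be aligned deliberately. The commented-out `Install PyOpenSSL` task appended at the end is dead text; delete it or add a one-line comment saying why it is kept. The task in the second hunk starts outside the shown lines.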
