diff --git a/.ansible-lint b/.ansible-lint
index 964eb052..057c65e0 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -12,6 +12,7 @@ skip_list: - 'name[casing]' - 'name[template]' - 'fqcn[action]' + - 'key-order[task]' - '204' - '305' - '303'
diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars
deleted file mode 100644
index fd1ca9c2..00000000
--- a/.github/workflows/OS.tfvars
+++ /dev/null
@@ -1,9 +0,0 @@
-#Ami centos 7.11
-ami_id = "ami-00e87074e52e6c9f9"
-ami_os = "centos7"
-ami_username = "centos"
-ami_user_home = "/home/centos"
-instance_tags = {
- Name = "RHEL7-CIS"
- Environment = "Lockdown_github_repo_workflow "
-}
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
new file mode 100644
index 00000000..a4e7d48a
--- /dev/null
+++ b/.github/workflows/devel_pipeline_validation.yml
@@ -0,0 +1,138 @@
+---
+
+ name: Devel pipeline
+
+ on: # yamllint disable-line rule:truthy
+ pull_request_target:
+ types: [opened, reopened, synchronize]
+ branches:
+ - devel
+ paths:
+ - '**.yml'
+ - '**.sh'
+ - '**.j2'
+ - '**.ps1'
+ - '**.cfg'
+
+ # A workflow run is made up of one or more jobs
+ # that can run sequentially or in parallel
+ jobs:
+ # This will create messages for first time contributers and direct them to the Discord server
+ welcome:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/first-interaction@main
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ pr-message: |-
+ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+ Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+
+ # This workflow contains a single job which tests the playbook
+ playbook-test:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+ env:
+ ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
+ # Imported as a variable by terraform
+ TF_VAR_repository: ${{ github.event.repository.name }}
+ defaults:
+ run:
+ shell: bash
+ working-directory: .github/workflows/github_linux_IaC
+
+ steps:
+ - name: Clone ${{ github.event.repository.name }}
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ # Pull in terraform code for linux servers
+ - name: Clone github IaC plan
+ uses: actions/checkout@v3
+ with:
+ repository: ansible-lockdown/github_linux_IaC
+ path: .github/workflows/github_linux_IaC
+
+ - name: Add_ssh_key
+ working-directory: .github/workflows
+ env:
+ SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+ PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
+ run: |
+ mkdir .ssh
+ chmod 700 .ssh
+ echo $PRIVATE_KEY > .ssh/github_actions.pem
+ chmod 600 .ssh/github_actions.pem
+
+ - name: DEBUG - Show IaC files
+ if: env.ENABLE_DEBUG == 'true'
+ run: |
+ echo "OSVAR = $OSVAR"
+ echo "benchmark_type = $benchmark_type"
+ pwd
+ ls
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ - name: Terraform_Init
+ id: init
+ run: terraform init
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ - name: Terraform_Validate
+ id: validate
+ run: terraform validate
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ - name: Terraform_Apply
+ id: apply
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+ run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+
+ ## Debug Section
+ - name: DEBUG - Show Ansible hostfile
+ if: env.ENABLE_DEBUG == 'true'
+ run: cat hosts.yml
+
+ # Aws deployments taking a while to come up insert sleep or playbook fails
+
+ - name: Sleep for 60 seconds
+ run: sleep 60s
+
+ # Run the ansible playbook
+ - name: Run_Ansible_Playbook
+ uses: arillso/action.playbook@master
+ with:
+ playbook: site.yml
+ inventory: .github/workflows/github_linux_IaC/hosts.yml
+ galaxy_file: collections/requirements.yml
+ private_key: ${{ secrets.SSH_PRV_KEY }}
+ # verbose: 3
+ env:
+ ANSIBLE_HOST_KEY_CHECKING: "false"
+ ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+ # Remove test system - User secrets to keep if necessary
+
+ - name: Terraform_Destroy
+ if: always() && env.ENABLE_DEBUG == 'false'
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+ run: terraform destroy -var-file
"github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf deleted file mode 100644 index 998cb768..00000000 --- a/.github/workflows/github_networks.tf +++ /dev/null @@ -1,53 +0,0 @@ -resource "aws_vpc" "Main" { - cidr_block = var.main_vpc_cidr - instance_tenancy = "default" - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-VPC" - } -} - -resource "aws_internet_gateway" "IGW" { - vpc_id = aws_vpc.Main.id - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-IGW" - } -} - -resource "aws_subnet" "publicsubnets" { - vpc_id = aws_vpc.Main.id - cidr_block = var.public_subnets - availability_zone = var.availability_zone - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-pubsub" - } -} - -resource "aws_subnet" "Main" { - vpc_id = aws_vpc.Main.id - availability_zone = var.availability_zone - cidr_block = var.private_subnets - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-prvsub" - } -} - -resource "aws_route_table" "PublicRT" { - vpc_id = aws_vpc.Main.id - route { - cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.IGW.id - } - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-publicRT" - } -} - -resource "aws_route_table_association" "rt_associate_public" { - subnet_id = aws_subnet.Main.id - route_table_id = aws_route_table.PublicRT.id -} diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars deleted file mode 100644 index 908ec89c..00000000 --- a/.github/workflows/github_vars.tfvars +++ /dev/null 
@@ -1,14 +0,0 @@
-// github_actions variables
-// Resourced in github_networks.tf
-// Declared in variables.tf
-//
-
-namespace = "github_actions"
-environment = "Lockdown_github_repo_workflow "
-
-// Matching pair name found in AWS for keypairs PEM key
-ami_key_pair_name = "github_actions"
-main_vpc_cidr = "172.22.0.0/24"
-public_subnets = "172.22.0.128/26"
-private_subnets = "172.22.0.192/26"
-
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml
deleted file mode 100644
index 51c58921..00000000
--- a/.github/workflows/linux_benchmark_testing.yml
+++ /dev/null
@@ -1,111 +0,0 @@ -# This is a basic workflow to help you get started with Actions - -name: linux_benchmark_pipeline - -# Controls when the action will run. -# Triggers the workflow on push or pull request -# events but only for the devel branch -on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - -# A workflow run is made up of one or more jobs -# that can run sequentially or in parallel -jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.gg/JFxpSgPFEJ) as well. 
- # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - env: - ENABLE_DEBUG: false - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, - # so your job can access it - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - -### Build out the server - - name: Terraform_Init - working-directory: .github/workflows - run: terraform init - - - name: Terraform_Validate - working-directory: .github/workflows - run: terraform validate - - - name: Terraform_Apply - working-directory: .github/workflows - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform apply -var-file="github_vars.tfvars" -var-file="OS.tfvars" --auto-approve -input=false - -## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows - run: cat hosts.yml - -# Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep 60s - shell: bash - -# Run the ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} -# verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - -# Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - working-directory: .github/workflows - if: 
always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file="github_vars.tfvars" -var-file="OS.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf deleted file mode 100644 index a7fd514c..00000000 --- a/.github/workflows/main.tf +++ /dev/null 
@@ -1,83 +0,0 @@ -provider "aws" { - profile = "" - region = var.aws_region -} - -// Create a security group with access to port 22 and port 80 open to serve HTTP traffic - - -resource "random_id" "server" { - keepers = { - # Generate a new id each time we switch to a new AMI id - ami_id = "${var.ami_id}" - } - - byte_length = 8 -} - -resource "aws_security_group" "github_actions" { - name = "${var.namespace}-${random_id.server.hex}-SG" - vpc_id = aws_vpc.Main.id - - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-SG" - } -} - -// instance setup - -resource "aws_instance" "testing_vm" { - ami = var.ami_id - availability_zone = var.availability_zone - associate_public_ip_address = true - key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs - instance_type = var.instance_type - tags = var.instance_tags - vpc_security_group_ids = [aws_security_group.github_actions.id] - subnet_id = aws_subnet.Main.id - root_block_device { - delete_on_termination = true - } -} - -// generate inventory file -resource "local_file" "inventory" { - filename = "./hosts.yml" - directory_permission = "0755" - file_permission = "0644" - content = < .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd + ls + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Init + id: init + run: terraform init + env: + # Imported from github variables this is used to load the relvent 
OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ - name: Terraform_Validate
+ id: validate
+ run: terraform validate
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ - name: Terraform_Apply
+ id: apply
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+ run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+
+ ## Debug Section
+ - name: DEBUG - Show Ansible hostfile
+ if: env.ENABLE_DEBUG == 'true'
+ run: cat hosts.yml
+
+ # Aws deployments taking a while to come up insert sleep or playbook fails
+
+ - name: Sleep for 60 seconds
+ run: sleep 60s
+
+ # Run the ansible playbook
+ - name: Run_Ansible_Playbook
+ uses: arillso/action.playbook@master
+ with:
+ playbook: site.yml
+ inventory: .github/workflows/github_linux_IaC/hosts.yml
+ galaxy_file: collections/requirements.yml
+ private_key: ${{ secrets.SSH_PRV_KEY }}
+ # verbose: 3
+ env:
+ ANSIBLE_HOST_KEY_CHECKING: "false"
+ ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+ # Remove test system - User secrets to keep if necessary
+
+ - name: Terraform_Destroy
+ if: always() && env.ENABLE_DEBUG == 'false'
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+ run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
diff --git a/.github/workflows/terraform.tfvars b/.github/workflows/terraform.tfvars
deleted file mode 100644
index 31113784..00000000
--- a/.github/workflows/terraform.tfvars
+++ /dev/null
@@ -1,6 +0,0 @@
-// vars should be loaded by OSname.tfvars
-availability_zone = "us-east-1b"
-aws_region = "us-east-1"
-ami_os = var.ami_os
-ami_username = var.ami_username
-instance_tags = var.instance_tags
diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml
deleted file mode 100644
index 5b30b648..00000000
--- a/.github/workflows/update_galaxy.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-
-# This is a basic workflow to help you get started with Actions
-
-name: update galaxy
-
-# Controls when the action will run.
-# Triggers the workflow on merge request events to the main branch
-on:
- push:
- branches:
- - main
-jobs:
- update_role:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - uses: robertdebock/galaxy-action@master
- with:
- galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
- git_branch: main
diff --git a/.github/workflows/variables.tf b/.github/workflows/variables.tf
deleted file mode 100644
index 16bc9f6e..00000000
--- a/.github/workflows/variables.tf
+++ /dev/null
@@ -1,76 +0,0 @@
-// Taken from the OSname.tfvars
-
-variable "aws_region" {
- description = "AWS region"
- default = "us-east-1"
- type = string
-}
-
-variable "availability_zone" {
- description = "List of availability zone in the region"
- default = "us-east-1b"
- type = string
-}
-
-variable "instance_type" {
- description = "EC2 Instance Type"
- default = "t3.micro"
- type = string
-}
-
-variable "instance_tags" {
- description = "Tags to set for instances"
- type = map(string)
-}
-
-variable "ami_key_pair_name" {
- description = "Name of key pair in AWS thats used"
- type = string
-}
-
-variable "ami_os" {
- description = "AMI OS Type"
- type = string
-}
-
-variable "ami_id" {
- description = "AMI ID reference"
- type = string
-}
-
-variable "ami_username" {
- description = "Username for the ami id"
- type = string
-}
-
-variable "ami_user_home" {
- description = "home dir for the username"
- type = string
-}
-
-variable "namespace" {
- description = "Name used across all tags"
- type = string
-}
-
-variable "environment" {
- description = "Env Name used across all tags"
- type = string
-}
-
-// taken from github_vars.tfvars &
-
-variable "main_vpc_cidr" {
- description = "Private cidr block to be used for vpc"
- type = string
-}
-
-variable "public_subnets" {
- description = "public subnet cidr block"
- type = string
-}
-
-variable "private_subnets" {
- description = "private subnet cidr block"
- type = string
-}
diff --git a/ChangeLog.md b/ChangeLog.md
index d9b21319..0cab94cc 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,6 +1,17 @@ # release CIS RedHat Enterprise Linux 7 Benchmark v3.0.1 - 09-21-2020 -# 1.1.3 +## 1.1.4 + +- update lint +- files relinted +- [#315](https://github.com/ansible-lockdown/RHEL7-CIS/issues/315) + thanks to @dankxylese +- [#316](https://github.com/ansible-lockdown/RHEL7-CIS/issues/316) + thanks to I-am-Mos +- readme update +- workflow update + +## 1.1.3 - [#313](https://github.com/ansible-lockdown/RHEL7-CIS/issues/313) thanks to @xiranlyu and community member Tony(whozzyourdaddy) diff --git a/LICENSE b/LICENSE index 4f5e4fdb..7e4285ae 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2022 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases +Copyright (c) 2023 Mindpoint Group Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index ccd9a2f0..59863e64 100644 --- a/README.md +++ b/README.md 
@@ -5,29 +5,29 @@ ### Based on [CIS RedHat Enterprise Linux 7 Benchmark v3.1.1 - 05-21-2021 ](https://www.cisecurity.org/cis-benchmarks/) --- - ![Org Stars](https://img.shields.io/github/stars/ansible-lockdown?label=Org%20Stars&style=social) -![Stars](https://img.shields.io/github/stars/ansible-lockdown/rhel7-cis?label=Repo%20Stars&style=social) -![Forks](https://img.shields.io/github/forks/ansible-lockdown/rhel7-cis?style=social) +![Stars](https://img.shields.io/github/stars/ansible-lockdown/RHEL7-CIS?label=Repo%20Stars&style=social) +![Forks](https://img.shields.io/github/forks/ansible-lockdown/RHEL7-CIS?style=social) ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) ![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56324?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) -![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel7-cis/linux_benchmark_testing.yml?label=Devel%20Build%20Status) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/rhel7-cis/devel?color=dark%20green&label=Devel%20Branch%20commits) +![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) +![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/RHEL7-CIS) +![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL7-CIS) + +[![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL7-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL7-CIS/actions/workflows/main_pipeline_validation.yml) -![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) -![Main Build 
Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel7-cis/linux_benchmark_testing.yml?label=Build%20Status) -![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/rhel7-cis?label=Release%20Date) -![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/rhel7-cis?label=Release%20Tag&&color=success) +[![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL7-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL7-CIS/actions/workflows/devel_pipeline_validation.yml) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL7-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits) -![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/rhel7-cis?label=Open%20Issues) -![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/rhel7-cis?label=Closed%20Issues&&color=success) -![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/rhel7-cis?label=Pull%20Requests) +![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL7-CIS?label=Open%20Issues) +![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL7-CIS?label=Closed%20Issues&&color=success) +![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/RHEL7-CIS?label=Pull%20Requests) -![License](https://img.shields.io/github/license/ansible-lockdown/rhel7-cis?label=License) +![License](https://img.shields.io/github/license/ansible-lockdown/RHEL7-CIS?label=License) --- diff --git a/defaults/main.yml b/defaults/main.yml index 81a3ab7a..9c3f8670 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -445,11 +445,11 @@ rhel7cis_firewall_services: # NFT firewall # not tested but added example for clarity - This will break connections # If the tables dont exist automatically create the tablename below -rhel7cis_nft_tables_autoNewTable: false +rhel7cis_nft_tables_autoNewTable: false # noqa: var-naming[pattern] # create chain if doesnt exist -rhel7cis_nft_tables_autoChainCreate: false +rhel7cis_nft_tables_autoChainCreate: false # noqa: var-naming[pattern] # create a table called -rhel7cis_nft_tables_tableName: filter +rhel7cis_nft_tables_tableName: filter # noqa: var-naming[pattern] # 3.5.3.x.x iptables rhel7cis_save_iptables_cis_rules: true @@ -574,8 +574,8 @@ audit_run_script_environment: ### Goss binary settings ### goss_version: - release: v0.3.21 - checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' + release: v0.3.23 + checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json diff --git a/handlers/main.yml b/handlers/main.yml index fb76dbf8..a62e4b9f 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -25,18 +25,12 @@ - name: remount tmp ansible.builtin.command: mount -o remount /tmp - args: - warn: false - name: remount dev_shm ansible.builtin.command: mount -o remount /dev/shm - args: - warn: false - name: remount var_tmp ansible.builtin.command: mount -o remount /var/tmp - args: - warn: false - name: systemd restart var-tmp.mount ansible.builtin.systemd: @@ -48,8 +42,6 @@ - name: remount home ansible.builtin.command: mount -o remount /home - args: - warn: false - name: update dconf ansible.builtin.command: dconf update @@ -59,6 +51,10 @@ name: firewalld state: restarted +- name: reboot_required + ansible.builtin.set_fact: + change_requires_reboot: true + - name: restart xinetd ansible.builtin.service: name: xinetd 
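Review bot: Moving `change_requires_reboot: true` into the new `reboot_required` handler (the `@@ -59,6 +51,10 @@` hunk of `handlers/main.yml`) changes when the fact is set: the inline `set_fact` it replaces ran immediately after the change, whereas a handler runs only at the next `meta: flush_handlers` or at the end of the play. Any task between the notifying tasks (1.6.1.2 and 3.1.1 in this diff) and the reboot check that reads `change_requires_reboot` without a flush in between will see the previous value; the reboot check is not in this diff, so please confirm a `flush_handlers` precedes it. A comment on the handler would save the next reader the same question, e.g. `# Notified by tasks that change boot configuration; the fact is only set once handlers are flushed`.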
@@ -82,8 +78,6 @@ changed_when: false check_mode: false failed_when: false - args: - warn: false when: - not rhel7cis_skip_for_travis tags: diff --git a/tasks/check_prereqs.yml b/tasks/check_prereqs.yml index 8313ccb8..09a1b670 100644 --- a/tasks/check_prereqs.yml +++ b/tasks/check_prereqs.yml @@ -18,8 +18,6 @@ register: python36_rpm_present failed_when: ( python36_rpm_present.rc not in [ 0, 1 ] ) changed_when: false - args: - warn: false - name: Add the EPEL repository required for the python36-rpm pkg ansible.builtin.package: @@ -40,7 +38,7 @@ - name: Disable Epel repo if installed earlier ansible.builtin.command: yum-config-manager disable epel - when: epel_installed.changed + when: epel_installed.changed # noqa: no-handler when: - ( ansible_python.version.major == 3 and ansible_python.version.minor == 6 ) vars: diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 1202972a..95c26a64 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -5,8 +5,6 @@ environment: "{{ audit_run_script_environment | default({}) }}" changed_when: false register: audit_run_post_remediation - vars: - warn: false - name: Post Audit | ensure audit files readable by users ansible.builtin.file: diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 31997ad2..6109d5ca 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -87,8 +87,6 @@ environment: "{{ audit_run_script_environment | default({}) }}" changed_when: false register: audit_run_pre_remediation - vars: - warn: false - name: Pre Audit | Capture audit data if json format block: diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 88187947..2be33e5d 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml 
@@ -333,8 +333,6 @@ - name: "1.1.22 | PATCH | Ensure sticky bit is set on all world-writable directories" ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t - args: - warn: false changed_when: false failed_when: false when: diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 5131e37f..179e73dc 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -20,10 +20,6 @@ changed_when: false register: repolist check_mode: false - args: - warn: false - tags: - - skip_ansible_lint - name: "1.2.2 | AUDIT | Ensure package manager repositories are configured" ansible.builtin.debug: diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index e52e1974..a38c1b44 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -30,6 +30,8 @@ - name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked | cron" ansible.builtin.cron: name: Run AIDE integrity check + file: "{{ rhel7cis_aide_cron['cron_file'] }}" + user: "{{ rhel7cis_aide_cron['cron_user'] }}" minute: "{{ rhel7cis_aide_cron['aide_minute'] | default('0') }}" hour: "{{ rhel7cis_aide_cron['aide_hour'] | default('5') }}" day: "{{ rhel7cis_aide_cron['aide_day'] | default('*') }}" diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 3624accb..29cac139 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml 
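Review bot: In the 1.3.2 cron task of `cis_1.3.x.yml`, `file:` is not an option of `ansible.builtin.cron`; the documented option is `cron_file`, so as written the task should fail with an unsupported-parameter error rather than install the job into that file, and the line should read `cron_file: "{{ rhel7cis_aide_cron['cron_file'] }}"`. The two added keys also have no `default()` filter while every neighbouring key of the same dict (`aide_minute`, `aide_hour`, `aide_day`) does, so a `rhel7cis_aide_cron` override that predates this change fails on an undefined key instead of falling back; either add defaults in the same style or document the two new required keys where `rhel7cis_aide_cron` is defined (not in this diff). Note that the cron module requires `user` whenever `cron_file` is set, so the two defaults must be consistent with each other. The enclosing task continues outside the hunk.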
@@ -16,20 +16,14 @@ ansible_python_interpreter: /bin/python - name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" - block: - - name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" - ansible.builtin.replace: - dest: /etc/default/grub - regexp: '(selinux|enforcing)\s*=\s*0\s*' - register: selinux_grub_patch - ignore_errors: true # noqa ignore-errors - notify: grub2cfg - - - name: "1.6.1.2 | FACT | Ensure SELinux is not disabled in bootloader configuration" - ansible.builtin.set_fact: - change_requires_reboot: true - when: - - selinux_grub_patch.changed + ansible.builtin.replace: + dest: /etc/default/grub + regexp: '(selinux|enforcing)\s*=\s*0\s*' + register: selinux_grub_patch + ignore_errors: true # noqa ignore-errors + notify: + - grub2cfg + - reboot_required when: - not rhel7cis_selinux_disable - rhel7cis_rule_1_6_1_2 diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 0750a793..f008fa3a 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -1,19 +1,15 @@ --- - name: "3.1.1 | PATCH | Disable IPv6 | grub" - block: - - name: "3.1.1 | PATCH | Disable IPv6 | grub" - ansible.builtin.replace: - dest: /etc/default/grub - regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(? - path='{{ item }}' - follow=yes - state=directory - owner=root - mode='o-w,g-w' + ansible.builtin.file: + path: '{{ item }}' + follow: true + state: directory + owner: root + mode: 'o-w,g-w' loop: "{{ dot_in_path.stdout_lines }}" when: - rhel7cis_rule_6_2_10 
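Review bot: In 1.6.1.2 of `cis_1.6.x.yml`, `register: selinux_grub_patch` is now dead: its only consumer was the `when: selinux_grub_patch.changed` guard on the removed inner `set_fact`, and the `notify` list already fires only on change. Drop the `register:` line, or keep it with a comment naming what outside this hunk reads it. The 3.1.1 hunk for `cis_3.1.x.yml` appears to apply the same block-flattening (its text is garbled in this view), so check it for the same leftover. Separately, `ignore_errors: true` on the replace means a failed edit of `/etc/default/grub` neither notifies `grub2cfg`/`reboot_required` nor fails the play, so the SELinux boot setting could silently stay unpatched; if that is intentional, say why in the existing `# noqa ignore-errors` comment.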
@@ -268,14 +266,14 @@ ansible.builtin.shell: "mkhomedir_helper {{ item }}" with_items: - "{{ missing_home_dirs }}" - when: rhel7cis_users_missing_home is changed + when: rhel7cis_users_missing_home is changed # noqa: no-handler - name: "6.2.11 | Audit| Ensure all users' home directories exist | Warning" ansible.builtin.debug: msg: "WARNING!! {{ item }} user home directory has been created please ensure any SELINUX settings are applied" with_items: - "{{ missing_home_dirs }}" - when: rhel7cis_users_missing_home is changed + when: rhel7cis_users_missing_home is changed # noqa: no-handler vars: ld_regex: >- diff --git a/vars/is_container.yml b/vars/is_container.yml index 93d93af1..bb45e082 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -440,11 +440,11 @@ rhel7cis_firewall_services: # NFT firewall # not tested but added example for clarity - This will break connections # If the tables dont exist automatically create the tablename below -rhel7cis_nft_tables_autoNewTable: false +rhel7cis_nft_tables_autoNewTable: false # noqa: var-naming[pattern] # create chain if doesnt exist -rhel7cis_nft_tables_autoChainCreate: false +rhel7cis_nft_tables_autoChainCreate: false # noqa: var-naming[pattern] # create a table called -rhel7cis_nft_tables_tableName: filter +rhel7cis_nft_tables_tableName: filter # noqa: var-naming[pattern] # 3.5.3.x.x iptables rhel7cis_save_iptables_cis_rules: true