Merge pull request #83 from ansible-lockdown/template_and_secrets
Template and secrets
uk-bolly authored Aug 9, 2023
2 parents 83c4e5c + dadeeab commit 5bedad6
Showing 22 changed files with 29 additions and 110 deletions.
8 changes: 7 additions & 1 deletion .config/.secrets.baseline
Expand Up @@ -109,6 +109,12 @@
},
{
"path": "detect_secrets.filters.heuristic.is_templated_secret"
},
{
"path": "detect_secrets.filters.regex.should_exclude_file",
"pattern": [
".config/.gitleaks-report.json"
]
}
],
"results": {
Expand Down Expand Up @@ -166,5 +172,5 @@
}
]
},
"generated_at": "2023-08-07T15:38:18Z"
"generated_at": "2023-08-09T08:11:03Z"
}
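Review bot: The new `should_exclude_file` pattern `.config/.gitleaks-report.json` is treated as a regular expression by detect-secrets, so the unescaped dots match any character and the pattern is unanchored; `^\.config/\.gitleaks-report\.json$` pins it to the intended file. The same applies to the `exclude: .config/.gitleaks-report.json` line added in .pre-commit-config.yaml, where pre-commit's `exclude` is also a regex. Excluding the gitleaks report from detect-secrets is reasonable since the report is itself a findings baseline, but it presumably reproduces the matched strings, so each entry should be confirmed as an accepted false positive before the file is committed. The enclosing `filters_used` list and `results` object continue outside the hunk.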
34 changes: 0 additions & 34 deletions .github/ISSUE_TEMPLATE/bug_report.md

This file was deleted.

22 changes: 0 additions & 22 deletions .github/ISSUE_TEMPLATE/feature-request-or-enhancement.md

This file was deleted.

18 changes: 0 additions & 18 deletions .github/ISSUE_TEMPLATE/question.md

This file was deleted.

12 changes: 0 additions & 12 deletions .github/pull_request_template.md

This file was deleted.

2 changes: 1 addition & 1 deletion .gitignore
Expand Up @@ -12,7 +12,7 @@ delete*
ignore*
test_inv
# temp remove doc while this is built up
doc/
doc/
# VSCode
.vscode

7 changes: 3 additions & 4 deletions .pre-commit-config.yaml
Expand Up @@ -33,15 +33,14 @@ repos:
rev: v1.4.0
hooks:
- id: detect-secrets
args: ['--baseline', '.config/.secrets.baseline']
exclude: package.lock.json

args: [ '--baseline', '.config/.secrets.baseline' ]
exclude: .config/.gitleaks-report.json

- repo: https://github.com/gitleaks/gitleaks
rev: v8.17.0
hooks:
- id: gitleaks
args: ['--baseline-path','.config/.gitleaks-report.json']
args: ['--baseline-path', '.config/.gitleaks-report.json']

- repo: https://github.com/ansible-community/ansible-lint
rev: v6.17.2
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -22,7 +22,7 @@
[![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml)

[![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml)
![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits)
![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits)

![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues)
![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success)
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.2.x.yml
Expand Up @@ -17,7 +17,7 @@

- name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail"
ansible.builtin.fail:
msg: Installed GPG Keys do not meet expected values or keys installed that are not expected
msg: Installed GPG Keys do not meet expected values or expected keys are not installed
when:
- os_installed_pub_keys.rc == 1 or
os_gpg_key_check.rc == 1
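Review bot: The reworded fail message still does not tell the operator which of the two checks tripped, because the `when` fires on either `os_installed_pub_keys.rc == 1` or `os_gpg_key_check.rc == 1`. Surfacing both return codes in the message makes the audit failure actionable without re-running the checks, e.g. `msg: "Installed GPG Keys do not meet expected values or expected keys are not installed (installed_pub_keys rc={{ os_installed_pub_keys.rc }}, gpg_key_check rc={{ os_gpg_key_check.rc }})"`. The task's `when` clause may continue past the hunk.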
2 changes: 1 addition & 1 deletion templates/ansible_vars_goss.yml.j2
Expand Up @@ -486,7 +486,7 @@ rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile

# 5.5.1
## PAM
rhel9cis_pam_password:
rhel9cis_pam_password:
minlen: {{ rhel9cis_pam_password['minlen'] }}
minclass: {{ rhel9cis_pam_password['minclass'] }}
rhel9cis_pam_passwd_retry: "3"
4 changes: 2 additions & 2 deletions templates/audit/98_auditd_exception.rules.j2
@@ -1,10 +1,10 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC
### YOUR CHANGES WILL BE LOST!

# This file contains users whose actions are not logged by auditd
{% if rhel9cis_allow_auditd_uid_user_exclusions %}
{% if rhel9cis_allow_auditd_uid_user_exclusions %}
{% for user in rhel9cis_auditd_uid_exclude %}
-a never,user -F uid!={{ user }} -F auid!={{ user }}
{% endfor %}
2 changes: 1 addition & 1 deletion templates/audit/99_auditd.rules.j2
@@ -1,5 +1,5 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC
### YOUR CHANGES WILL BE LOST!

4 changes: 2 additions & 2 deletions templates/etc/cron.d/aide.cron.j2
@@ -1,6 +1,6 @@
# Run AIDE integrity check
# Run AIDE integrity check
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC
### YOUR CHANGES WILL BE LOST!
# CIS 1.3.2
2 changes: 1 addition & 1 deletion templates/etc/dconf/db/00-automount_lock.j2
@@ -1,5 +1,5 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC

# Lock desktop media-handling automount setting
4 changes: 2 additions & 2 deletions templates/etc/dconf/db/00-autorun_lock.j2
@@ -1,6 +1,6 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC

# Lock desktop media-handling settings
# Lock desktop media-handling settings
/org/gnome/desktop/media-handling/autorun-never
2 changes: 1 addition & 1 deletion templates/etc/dconf/db/00-media-automount.j2
@@ -1,5 +1,5 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC

[org/gnome/desktop/media-handling]
2 changes: 1 addition & 1 deletion templates/etc/dconf/db/00-media-autorun.j2
@@ -1,5 +1,5 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC

[org/gnome/desktop/media-handling]
2 changes: 1 addition & 1 deletion templates/etc/dconf/db/00-screensaver.j2
@@ -1,5 +1,5 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC

# Specify the dconf path
2 changes: 1 addition & 1 deletion templates/etc/dconf/db/00-screensaver_lock.j2
@@ -1,5 +1,5 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC

# Lock desktop screensaver idle-delay setting
2 changes: 1 addition & 1 deletion templates/etc/dconf/db/gdm.d/01-banner-message.j2
@@ -1,5 +1,5 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# Added as part of ansible-lockdown CIS baseline
# provided by MindPointGroup LLC

[org/gnome/login-screen]
2 changes: 1 addition & 1 deletion templates/etc/sysctl.d/60-disable_ipv6.conf.j2
Expand Up @@ -2,6 +2,6 @@

# IPv6 disable
{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %}
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
{% endif %}
2 changes: 1 addition & 1 deletion templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2
Expand Up @@ -18,4 +18,4 @@ net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
{% endif %}
{% endif %}
{% endif %}
