
Merge pull request #44 from ansible-lockdown/march_updates
March updates
uk-bolly authored Mar 20, 2023
2 parents 30abc4b + c62c2d4 commit 7e0172a
Showing 16 changed files with 214 additions and 17 deletions.
2 changes: 2 additions & 0 deletions .yamllint
Expand Up @@ -20,6 +20,8 @@ rules:
brackets:
max-spaces-inside: 1
level: error
empty-lines:
max: 1
line-length: disable
key-duplicates: enable
new-line-at-end-of-file: enable
7 changes: 7 additions & 0 deletions Changelog.md
@@ -1,5 +1,12 @@
# Changes to rhel9CIS

## 1.0.5

updated yamllint
removed empty lines after lint
initial molecule added
galaxy workflow updated

## 1.0.4

#40 tmp systemd file variable naming update
Expand Down
10 changes: 0 additions & 10 deletions defaults/main.yml
Expand Up @@ -343,7 +343,6 @@ rhel9cis_rule_6_2_14: true
rhel9cis_rule_6_2_15: true
rhel9cis_rule_6_2_16: true


## Section 1 vars

#### 1.1.2
Expand Down Expand Up @@ -413,7 +412,6 @@ rhel9cis_selinux_enforce: enforcing

## 2. Services


### 2.1 Time Synchronization
#### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2
rhel9cis_time_synchronization_servers:
Expand Down Expand Up @@ -461,7 +459,6 @@ rhel9cis_openldap_clients_required: false
rhel9cis_tftp_client: false
rhel9cis_ftp_client: false


## Section3 vars
## Sysctl
rhel9cis_sysctl_update: false
Expand All @@ -478,7 +475,6 @@ rhel9cis_firewall: firewalld
##### firewalld
rhel9cis_default_zone: public


# These are added to demonstrate how this can be done
rhel9cis_firewalld_ports:
- number: 80
Expand Down Expand Up @@ -514,7 +510,6 @@ update_audit_template: false
## Advanced option found in auditd post
rhel9cis_allow_auditd_uid_user_exclusions: false


# This can be used to configure other keys in auditd.conf
rhel9cis_auditd_extra_conf: {}
# Example:
Expand All @@ -535,7 +530,6 @@ rhel9cis_remote_log_protocol: tcp
rhel9cis_remote_log_retrycount: 100
rhel9cis_remote_log_queuesize: 1000


#### 4.2.1.7
rhel9cis_system_is_log_server: false

Expand Down Expand Up @@ -584,7 +578,6 @@ rhel9cis_ssh_maxsessions: 4
rhel9cis_inactivelock:
lock_days: 30


rhel9cis_use_authconfig: false
# 5.3.1/5.3.2 Custom authselect profile settings. Settings in place now will fail, they are place holders from the control example
# Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk
Expand All @@ -599,7 +592,6 @@ rhel9cis_authselect_custom_profile_create: false
# 5.3.2 Enable automation to select custom profile options, using the settings above
rhel9cis_authselect_custom_profile_select: false


rhel9cis_pass:
max_days: 365
min_days: 7
Expand Down Expand Up @@ -648,7 +640,6 @@ rhel9cis_futurepwchgdate_autofix: true
# 5.3.7
rhel9cis_sugroup: nosugroup


## Section6 vars

# RHEL-09_6.1.1
Expand All @@ -669,7 +660,6 @@ audit_run_script_environment:
AUDIT_FILE: 'goss.yml'
AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"


### Goss binary settings ###
goss_version:
release: v0.3.21
Expand Down
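--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -0,0 +1,27 @@
+---
+# This is a playbook to test the tasks.
+- name: Converge
+hosts: all
+gather_facts: true
+
+vars:
+role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+ansible_user: root
+system_is_container: true
+rhel9cis_selinux_disable: true
+rhel9cis_rule_5_3_4: false
+rhel9cis_rule_1_1_10: false
+rhel9cis_firewall: "none"
+rhel9cis_rule_4_1_1_1: false
+rhel9cis_rule_4_1_1_2: false
+rhel9cis_rule_4_1_1_3: false
+rhel9cis_rule_4_1_1_4: false
+rhel9cis_rule_4_2_1_2: false
+rhel9cis_rule_4_2_1_4: false
+rhel9cis_rule_5_1_1: false
+
+pre_tasks:
+tasks:
+- name: "Include tasks"
+ansible.builtin.include_role:
+name: "{{ role_name }}"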
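Review bot: `pre_tasks:` near the end of the play is a bare key, which YAML reads as null rather than an empty list; drop the key or write `pre_tasks: []` so the intent is explicit and yamllint's `empty-values` rule, if enabled, does not trip on it. The firewall override is written here as `rhel9cis_firewall: "none"`, while vars/is_container.yml in this same commit carries `rhel9cis_firewall: None` — YAML treats `None` as the plain string "None", not as null, so if the role compares the value case-sensitively the two settings will not behave the same, and aligning them on one spelling would remove the doubt. `ansible_user: root` as a play var takes precedence over any inventory value; a short comment such as `# root is needed to drive the ubi-init systemd container` would make that deliberate rather than accidental.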
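--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -0,0 +1,34 @@
+---
+# Molecule configuration
+# https://molecule.readthedocs.io/en/latest/
+
+driver:
+name: docker
+
+platforms:
+- name: ubi9
+image: registry.access.redhat.com/ubi9/ubi-init
+pre_build_image: true
+volumes:
+- /sys/fs/cgroup:/sys/fs/cgroup:ro
+privileged: true
+command: "/usr/sbin/init"
+capabilities:
+- SYS_ADMIN
+
+provisioner:
+name: ansible
+config_options:
+defaults:
+interpreter_python: auto_silent
+callbacks_enabled: profile_tasks, timer
+
+lint: |
+set -e
+yamllint .
+ansible-lint
+flake8
+verifier:
+name: ansible
+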
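Review bot: The ubi9 platform sets `privileged: true` and also lists `SYS_ADMIN` under `capabilities`; a privileged container already holds every capability, so the explicit entry is redundant and obscures which privilege the systemd-init image actually needs. The image reference `registry.access.redhat.com/ubi9/ubi-init` carries no tag or digest, so with `pre_build_image: true` every run pulls whatever the default tag resolves to at the time and converge results drift with the upstream image; pinning it, e.g. `image: registry.access.redhat.com/ubi9/ubi-init:<PINNED_TAG>`, keeps runs reproducible. A one-line comment above `privileged: true` stating that it exists for the `/usr/sbin/init` command (presumably so systemd can run inside the container) would help the next maintainer decide whether it can be narrowed.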
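--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -0,0 +1,13 @@
+---
+- name: Verify
+hosts: all
+gather_facts: false
+
+vars:
+role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+
+tasks:
+- name: "Include verify tasks"
+ansible.builtin.include_role:
+name: "{{ role_name }}"
+tasks_from: verify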
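Review bot: `tasks_from: verify` includes `tasks/verify.yml` from the role, but none of the 16 files in this commit adds such a file; if the role does not already ship it, `molecule verify` will fail on the missing include rather than verifying anything. Either add the tasks file alongside this scenario or, as a stopgap, replace the include with a task that asserts one known outcome of the converge. The same include appears in molecule/localhost/verify.yml and molecule/wsl/verify.yml and needs the same check.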
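--- a/molecule/localhost/converge.yml
+++ b/molecule/localhost/converge.yml
@@ -0,0 +1,18 @@
+---
+# This is a playbook to test the tasks.
+- name: Converge
+hosts: all
+become: true
+gather_facts: true
+
+vars:
+ansible_user: "{{ lookup('env', 'USER') }}"
+role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+rhel9cis_rule_5_3_4: false
+
+pre_tasks:
+tasks:
+- name: "Include tasks"
+ansible.builtin.include_role:
+name: "{{ role_name }}"
+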
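Review bot: This play applies the CIS hardening role to the machine running molecule itself — molecule/localhost/molecule.yml uses the `delegated` driver with `ansible_connection: local` and `managed: false`, and this play sets `become: true` — so a `molecule converge` here reconfigures the operator's own host rather than a disposable instance, with only `rhel9cis_rule_5_3_4` disabled. A header comment such as `# NOTE: runs the role with become against the local host; use only on a throwaway VM` would make that explicit before someone runs it by habit. The molecule/wsl scenario has the same shape (delegated driver, `become: true`) and deserves the same comment.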
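--- a/molecule/localhost/molecule.yml
+++ b/molecule/localhost/molecule.yml
@@ -0,0 +1,30 @@
+---
+# Molecule configuration
+# https://molecule.readthedocs.io/en/latest/
+
+driver:
+name: delegated
+options:
+managed: false
+ansible_connection_options:
+ansible_connection: local
+platforms:
+- name: localhost
+
+provisioner:
+name: ansible
+config_options:
+defaults:
+interpreter_python: auto_silent
+stdout_callback: yaml
+callbacks_enabled: profile_tasks, timer
+
+lint: |
+set -e
+yamllint .
+ansible-lint
+flake8
+verifier:
+name: ansible
+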
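--- a/molecule/localhost/verify.yml
+++ b/molecule/localhost/verify.yml
@@ -0,0 +1,14 @@
+---
+- name: Verify
+hosts: all
+gather_facts: false
+become: true
+
+vars:
+role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+
+tasks:
+- name: "Include verify tasks"
+ansible.builtin.include_role:
+name: "{{ role_name }}"
+tasks_from: verify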
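--- a/molecule/wsl/converge.yml
+++ b/molecule/wsl/converge.yml
@@ -0,0 +1,27 @@
+---
+# This is a playbook to test the tasks.
+- name: Converge
+hosts: all
+become: true
+gather_facts: true
+
+vars:
+ansible_user: "{{ lookup('env', 'USER') }}"
+system_is_container: true
+rhel8cis_selinux_disable: true
+role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+rhel8cis_rule_5_3_4: false
+rhel8cis_rule_1_1_10: false
+rhel8cis_rsyslog_ansiblemanaged: false
+rhel8cis_rule_3_4_1_3: false
+rhel8cis_rule_3_4_1_4: false
+rhel8cis_rule_4_2_1_2: false
+rhel8cis_rule_4_2_1_4: false
+rhel8cis_rule_5_1_1: false
+
+pre_tasks:
+tasks:
+- name: "Include tasks"
+ansible.builtin.include_role:
+name: "{{ role_name }}"
+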
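Review bot: The play vars in this file use the `rhel8cis_` prefix (`rhel8cis_selinux_disable`, `rhel8cis_rule_5_3_4`, `rhel8cis_rule_1_1_10`, `rhel8cis_rsyslog_ansiblemanaged`, `rhel8cis_rule_3_4_1_3`, `rhel8cis_rule_3_4_1_4`, `rhel8cis_rule_4_2_1_2`, `rhel8cis_rule_4_2_1_4`, `rhel8cis_rule_5_1_1`), but this is the rhel9CIS role and every other file in the commit reads `rhel9cis_` variables, so none of these overrides is consumed and the role runs with its defaults — including SELinux handling and the rules this scenario meant to skip — against the local host with `become: true`. Renaming them to the `rhel9cis_` prefix, as molecule/default/converge.yml does, fixes that. `rhel9cis_rsyslog_ansiblemanaged` and the `rhel9cis_rule_3_4_1_x` names do not appear anywhere else in this commit, so they should be checked against defaults/main.yml before being relied on.
```yaml
vars:
  ansible_user: "{{ lookup('env', 'USER') }}"
  system_is_container: true
  rhel9cis_selinux_disable: true
  role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
  rhel9cis_rule_5_3_4: false
  rhel9cis_rule_1_1_10: false
  rhel9cis_rsyslog_ansiblemanaged: false  # confirm this variable exists in defaults/main.yml
  rhel9cis_rule_3_4_1_3: false  # confirm this rule id exists in defaults/main.yml
  rhel9cis_rule_3_4_1_4: false  # confirm this rule id exists in defaults/main.yml
  rhel9cis_rule_4_2_1_2: false
  rhel9cis_rule_4_2_1_4: false
  rhel9cis_rule_5_1_1: false
# … unchanged: pre_tasks / tasks …
```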
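--- a/molecule/wsl/molecule.yml
+++ b/molecule/wsl/molecule.yml
@@ -0,0 +1,29 @@
+---
+# Molecule configuration
+# https://molecule.readthedocs.io/en/latest/
+
+driver:
+name: delegated
+options:
+managed: false
+ansible_connection_options:
+ansible_connection: local
+platforms:
+- name: localhost
+
+provisioner:
+name: ansible
+config_options:
+defaults:
+interpreter_python: auto_silent
+callbacks_enabled: profile_tasks, timer
+
+lint: |
+set -e
+yamllint .
+ansible-lint
+flake8
+verifier:
+name: ansible
+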
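--- a/molecule/wsl/verify.yml
+++ b/molecule/wsl/verify.yml
@@ -0,0 +1,13 @@
+---
+- name: Verify
+hosts: all
+gather_facts: false
+
+vars:
+role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+
+tasks:
+- name: "Include verify tasks"
+ansible.builtin.include_role:
+name: "{{ role_name }}"
+tasks_from: verify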
1 change: 0 additions & 1 deletion tasks/main.yml
Expand Up @@ -102,7 +102,6 @@
tags:
- always


- name: Gather the package facts
ansible.builtin.package_facts:
manager: auto
Expand Down
1 change: 0 additions & 1 deletion tasks/section_2/cis_2.2.x.yml
@@ -1,6 +1,5 @@
---


- name: "2.2.1 | PATCH | Ensure xorg-x11-server-common is not installed"
ansible.builtin.package:
name: xorg-x11-server-common
Expand Down
1 change: 0 additions & 1 deletion tasks/section_3/cis_3.4.2.x.yml
Expand Up @@ -157,7 +157,6 @@
- nftables
- rule_3.4.2.4


- name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | firewalld"
ansible.posix.firewalld:
rich_rule: "{{ item }}"
Expand Down
4 changes: 0 additions & 4 deletions vars/is_container.yml
Expand Up @@ -6,14 +6,12 @@

## controls


# Firewall
rhel9cis_firewall: None

# SElinux
rhel9cis_selinux_disable: true


## Related individual rules
# Aide
rhel9cis_rule_1_4_1: false
Expand Down Expand Up @@ -42,7 +40,6 @@ rhel9cis_rule_5_1_8: false
# crypto
rhel9cis_rule_1_10: false


# grub
rhel9cis_rule_1_5_1: false
rhel9cis_rule_1_5_2: false
Expand Down Expand Up @@ -88,6 +85,5 @@ rhel9cis_rule_4_2_2_3: false

# systemd


# Users/passwords/accounts
rhel9cis_rule_5_5_2: false
