Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rhel9-cis main release v1.0.0 #235

Merged
merged 32 commits into from
Sep 10, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
32 commits
Select commit Hold shift + click to select a range
8c1b189
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Jun 17, 2024
bebdeea
Merge pull request #214 from ansible-lockdown/pre-commit-ci-update-co…
georgenalen Jun 18, 2024
d40f2d0
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Jun 24, 2024
632f6b8
Merge pull request #215 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Jul 8, 2024
611b9ce
issue #217 addressed thanks to tedunder237
uk-bolly Jul 11, 2024
a946ec6
issue #216 addressed thanks to tedunder237
uk-bolly Jul 11, 2024
7dcb2ca
removed jmespath dependancy
uk-bolly Jul 11, 2024
54e4ee1
update audit output and remove jmespath
uk-bolly Jul 11, 2024
065ab6a
updated to latest workflow
uk-bolly Jul 12, 2024
62baec6
changed to default bootloader hash
uk-bolly Jul 12, 2024
56dd646
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Jul 15, 2024
dbbe8a9
Merge pull request #221 from ansible-lockdown/issue_audit_updates
uk-bolly Jul 17, 2024
cf4376f
Merge pull request #222 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Jul 17, 2024
22cd20c
updated for issue #226
uk-bolly Aug 9, 2024
44aa939
issue #227 resolved thanks @ckbaker10
uk-bolly Aug 9, 2024
8211920
issue #224 addressed thanks to @globalpayments-shoebsyed
uk-bolly Aug 9, 2024
3c08540
improved 6.1.10
uk-bolly Aug 9, 2024
82c1137
updated logic 6.1.11
uk-bolly Aug 9, 2024
a0fd194
fixed typo on 4.1.4.5
uk-bolly Aug 12, 2024
8fe700f
removed jmespath reference
uk-bolly Aug 12, 2024
383d2d4
updated to fix output
uk-bolly Aug 12, 2024
e510607
updated audit and arm64 audit support
uk-bolly Aug 13, 2024
0bcb867
Merge pull request #228 from ansible-lockdown/august_issues
uk-bolly Aug 13, 2024
27ee4a8
added calls to sshd restart handler to fix #230
numericillustration Aug 15, 2024
37e2bfa
Merge pull request #231 from numericillustration/devel
uk-bolly Aug 16, 2024
e05c2f3
added fix for #232 thanks to @Arkhenys
uk-bolly Aug 21, 2024
8000160
Merge pull request #233 from ansible-lockdown/issue_232
uk-bolly Aug 21, 2024
b368d8b
Fix link to Changelog.md in README.md
markgoddard Aug 22, 2024
9b076de
Merge pull request #234 from markgoddard/patch-1
uk-bolly Aug 22, 2024
2d2f281
made ssh_config file tage always
uk-bolly Sep 6, 2024
3cdd2a0
updated var naming from rhel9_cis to rhel9cis
uk-bolly Sep 6, 2024
4fb533b
Merge pull request #236 from ansible-lockdown/sshd_config_create
uk-bolly Sep 6, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion .config/requirements.txt
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
passlib
lxml
xmltodict
jmespath
yamllint
291 changes: 155 additions & 136 deletions .github/workflows/devel_pipeline_validation.yml
Original file line number Diff line number Diff line change
@@ -1,139 +1,158 @@
---

name: Devel pipeline

on: # yamllint disable-line rule:truthy
pull_request_target:
types: [opened, reopened, synchronize]
branches:
- devel
paths:
- '**.yml'
- '**.sh'
- '**.j2'
- '**.ps1'
- '**.cfg'

# A workflow run is made up of one or more jobs
# that can run sequentially or in parallel
jobs:
# This will create messages for first time contributers and direct them to the Discord server
welcome:
runs-on: ubuntu-latest

steps:
- uses: actions/first-interaction@main
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: |-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.

# This workflow contains a single job that tests the playbook
playbook-test:
# The type of runner that the job will run on
runs-on: ubuntu-latest
env:
ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
# Imported as a variable by terraform
TF_VAR_repository: ${{ github.event.repository.name }}
defaults:
run:
shell: bash
working-directory: .github/workflows/github_linux_IaC

steps:
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v4
name: Devel pipeline

on: # yamllint disable-line rule:truthy
pull_request_target:
types: [opened, reopened, synchronize]
branches:
- devel
paths:
- '**.yml'
- '**.sh'
- '**.j2'
- '**.ps1'
- '**.cfg'
# Allow manual running of workflow
workflow_dispatch:

# Allow permissions for AWS auth
permissions:
id-token: write
contents: read
pull-requests: read

# A workflow run is made up of one or more jobs
# that can run sequentially or in parallel
jobs:
# This will create messages for first time contributers and direct them to the Discord server
welcome:
runs-on: self-hosted

steps:
- uses: actions/first-interaction@main
with:
ref: ${{ github.event.pull_request.head.sha }}

# Pull in terraform code for linux servers
- name: Clone GitHub IaC plan
uses: actions/checkout@v4
with:
repository: ansible-lockdown/github_linux_IaC
path: .github/workflows/github_linux_IaC

- name: Add_ssh_key
working-directory: .github/workflows
env:
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
run: |
mkdir .ssh
chmod 700 .ssh
echo $PRIVATE_KEY > .ssh/github_actions.pem
chmod 600 .ssh/github_actions.pem

- name: DEBUG - Show IaC files
if: env.ENABLE_DEBUG == 'true'
run: |
echo "OSVAR = $OSVAR"
echo "benchmark_type = $benchmark_type"
pwd
ls
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Init
id: init
run: terraform init
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Validate
id: validate
run: terraform validate
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Apply
id: apply
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false

## Debug Section
- name: DEBUG - Show Ansible hostfile
if: env.ENABLE_DEBUG == 'true'
run: cat hosts.yml

# Aws deployments taking a while to come up insert sleep or playbook fails

- name: Sleep for 60 seconds
run: sleep ${{ vars.BUILD_SLEEPTIME }}

# Run the Ansibleplaybook
- name: Run_Ansible_Playbook
uses: arillso/action.playbook@master
with:
playbook: site.yml
inventory: .github/workflows/github_linux_IaC/hosts.yml
galaxy_file: collections/requirements.yml
private_key: ${{ secrets.SSH_PRV_KEY }}
# verbose: 3
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
ANSIBLE_DEPRECATION_WARNINGS: "false"
ANSIBLE_INJECT_FACT_VARS: "false"

# Remove test system - User secrets to keep if necessary

- name: Terraform_Destroy
if: always() && env.ENABLE_DEBUG == 'false'
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: |-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.

# This workflow contains a single job that tests the playbook
playbook-test:
# The type of runner that the job will run on
runs-on: self-hosted
env:
ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
# Imported as a variable by terraform
TF_VAR_repository: ${{ github.event.repository.name }}
AWS_REGION: "us-east-1"
ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
defaults:
run:
shell: bash
working-directory: .github/workflows/github_linux_IaC
# working-directory: .github/workflows

steps:

- name: Git clone the lockdown repository to test
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

- name: If a variable for IAC_BRANCH is set use that branch
working-directory: .github/workflows
run: |
if [ ${{ vars.IAC_BRANCH }} != '' ]; then
echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
else
echo IAC_BRANCH=main >> $GITHUB_ENV
fi

# Pull in terraform code for linux servers
- name: Clone GitHub IaC plan
uses: actions/checkout@v4
with:
repository: ansible-lockdown/github_linux_IaC
path: .github/workflows/github_linux_IaC
ref: ${{ env.IAC_BRANCH }}

# Uses dedicated restricted role and policy to enable this only for this task
# No credentials are part of github for AWS auth
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@main
with:
role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
role-session-name: ${{ secrets.AWS_ROLE_SESSION }}
aws-region: ${{ env.AWS_REGION }}

- name: DEBUG - Show IaC files
if: env.ENABLE_DEBUG == 'true'
run: |
echo "OSVAR = $OSVAR"
echo "benchmark_type = $benchmark_type"
echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID"
echo "VPC_ID" = $AWS_VPC_SECGRP_ID"
pwd
ls
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
benchmark_type: ${{ vars.BENCHMARK_TYPE }}
PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }}
VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }}

- name: Tofu init
id: init
run: tofu init
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Tofu validate
id: validate
run: tofu validate
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Tofu apply
id: apply
env:
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false

## Debug Section
- name: DEBUG - Show Ansible hostfile
if: env.ENABLE_DEBUG == 'true'
run: cat hosts.yml

# Aws deployments taking a while to come up insert sleep or playbook fails

- name: Sleep to allow system to come up
run: sleep ${{ vars.BUILD_SLEEPTIME }}

# Run the Ansible playbook
- name: Run_Ansible_Playbook
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
ANSIBLE_DEPRECATION_WARNINGS: "false"
run: |
/opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml

# Remove test system - User secrets to keep if necessary

- name: Tofu Destroy
if: always() && env.ENABLE_DEBUG == 'false'
env:
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false
Loading