Sept23 to devel #93

Merged
merged 8 commits into from
Sep 13, 2023
174 changes: 165 additions & 9 deletions .config/.secrets.baseline
Expand Up @@ -109,15 +109,171 @@
},
{
"path": "detect_secrets.filters.heuristic.is_templated_secret"
},
{
"path": "detect_secrets.filters.regex.should_exclude_file",
"pattern": [
".config/.gitleaks-report.json"
]
}
],
"results": {
".config/.gitleaks-report.json": [
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b",
"is_verified": false,
"line_number": 9,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b",
"is_verified": false,
"line_number": 9,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "cd6f8dc4b799af818fedddd7c83e5df8bf770555",
"is_verified": false,
"line_number": 12,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb",
"is_verified": false,
"line_number": 29,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb",
"is_verified": false,
"line_number": 29,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657",
"is_verified": false,
"line_number": 49,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657",
"is_verified": false,
"line_number": 49,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9",
"is_verified": false,
"line_number": 69,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9",
"is_verified": false,
"line_number": 69,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7",
"is_verified": false,
"line_number": 89,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7",
"is_verified": false,
"line_number": 89,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b",
"is_verified": false,
"line_number": 109,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b",
"is_verified": false,
"line_number": 109,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "cb5e191d260065309ce16cd3675837069c8734c8",
"is_verified": false,
"line_number": 132,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "976b057e0978bf8956e05b173f070cd7757c38c6",
"is_verified": false,
"line_number": 249,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "bdb4ffe72f980b517d691e83c9eb50219a63fe91",
"is_verified": false,
"line_number": 252,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "95f603d65dd6aec15f75185df59f92e90737da49",
"is_verified": false,
"line_number": 269,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "72172e3578dc29c275e5a39bdf7a1a038bdc03c4",
"is_verified": false,
"line_number": 272,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "08f0ac7a7bbbb1819417e5a47aa0eebbd5fe4e86",
"is_verified": false,
"line_number": 289,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "23fdd48a76e5b32e85c6698062f1489d6fbac450",
"is_verified": false,
"line_number": 309,
"is_secret": false
}
],
"defaults/main.yml": [
{
"type": "Secret Keyword",
Expand All @@ -132,15 +288,15 @@
"filename": "defaults/main.yml",
"hashed_secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e",
"is_verified": false,
"line_number": 375,
"line_number": 376,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": "defaults/main.yml",
"hashed_secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4",
"is_verified": false,
"line_number": 376,
"line_number": 377,
"is_secret": false
}
],
Expand Down Expand Up @@ -172,5 +328,5 @@
}
]
},
"generated_at": "2023-08-10T12:54:13Z"
"generated_at": "2023-09-07T13:18:00Z"
}
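Review bot: The first hunk both adds a `should_exclude_file` filter for `.config/.gitleaks-report.json` and allowlists nineteen findings from that same file as `"is_secret": false`; once the path is excluded, a later `detect-secrets scan --baseline` will drop those results anyway, so one of the two edits is redundant and the results block mostly adds noise to the baseline. The larger question is why a scanner output file containing high-entropy strings is tracked in the repository at all — adding it to `.gitignore` and removing it from the baseline would be simpler than teaching the secret scanner to ignore it. If the report must stay, a one-line note in the PR description explaining what the hashed findings represent would help the next person who has to audit this baseline.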
12 changes: 10 additions & 2 deletions Changelog.md
@@ -1,5 +1,13 @@
# Changes to rhel9CIS

## 1.1.1 - Based on CIS v1.0.0

- thanks to @agbrowne
- [#90](https://github.com/ansible-lockdown/RHEL9-CIS/issues/90)

- thanks to @mnasiadka
- [#54](https://github.com/ansible-lockdown/RHEL9-CIS/pull/54)

## 1.1.0

- new workflow configuration
Expand Down Expand Up @@ -81,8 +89,8 @@ Aligned benchmark audit version with remediate release

## 1.0.1

Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8
Will not follow ynlink in hoe directoris and amend permissions.
Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8
Will not follow symlink in home directories and amend permissions.

- rhel_09_6_2_16_home_follow_symlink: false

7 changes: 4 additions & 3 deletions defaults/main.yml
Expand Up @@ -370,6 +370,7 @@ rhel9cis_rhnsd_required: false

# 1.2.4 repo_gpgcheck
rhel9cis_rhel_default_repo: true
rhel9cis_rule_enable_repogpg: true

# 1.4.1 Bootloader password
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B'
Expand Down Expand Up @@ -696,12 +697,12 @@ audit_files_url: "some url maybe s3?"
# Where the goss configs and outputs are stored
audit_out_dir: '/opt'
audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"
pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"

## The following should not need changing
goss_file: "{{ audit_conf_dir }}goss.yml"
audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml"
audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
audit_results: |
The pre remediation results are: {{ pre_audit_summary }}.
The post remediation results are: {{ post_audit_summary }}.
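Review bot: The rewritten `pre_audit_outfile`, `post_audit_outfile` and `audit_vars_path` lines switch the hostname to `ansible_facts.hostname` but keep the legacy `ansible_date_time.epoch` in the same expression; if the motivation for this migration is running with `inject_facts_as_vars: false`, the legacy name will be undefined there and the audit output path will fail to render, so the consistent form is `{{ ansible_facts.date_time.epoch }}`. The new `rhel9cis_rule_enable_repogpg: true` in the first hunk is the only variable in that stanza without a comment; a line such as `# Set to false to skip enforcing repo_gpgcheck when rhel9cis_rhel_default_repo is false` (wording to match what the 1.2.x task actually does, which is outside this hunk) would tell users what they are toggling. The shipped `rhel9cis_bootloader_password_hash` default directly below it is a published value and so offers no real protection on any host that does not override it; that is pre-existing, but worth a comment pointing users at overriding it.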
8 changes: 4 additions & 4 deletions tasks/main.yml
Expand Up @@ -3,9 +3,9 @@

- name: Check OS version and family
ansible.builtin.assert:
that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==')
fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
that: (ansible_facts.distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
when:
- os_check
- not system_is_ec2
Expand Down Expand Up @@ -122,7 +122,7 @@
- always

- name: Include OS specific variables
ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"
ansible.builtin.include_vars: "{{ ansible_facts.distribution }}.yml"
tags:
- always

4 changes: 2 additions & 2 deletions tasks/prelim.yml
Expand Up @@ -133,8 +133,8 @@
state: latest
when:
- rhel9cis_rule_1_2_4
- ansible_distribution != 'RedHat'
- ansible_distribution != 'OracleLinux'
- ansible_facts.distribution != 'RedHat'
- ansible_facts.distribution != 'OracleLinux'

- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
ansible.builtin.package:
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.1.2.x.yml
Expand Up @@ -33,7 +33,7 @@
state: present
opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %}
notify: Remount tmp
loop: "{{ ansible_mounts }}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
when:
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.1.3.x.yml
Expand Up @@ -31,7 +31,7 @@
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid,{% endif %}
loop: "{{ ansible_mounts }}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
notify: Change_requires_reboot
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.1.4.x.yml
Expand Up @@ -33,7 +33,7 @@
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %}
loop: "{{ ansible_mounts }}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
notify: Change_requires_reboot
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.1.5.x.yml
Expand Up @@ -33,7 +33,7 @@
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %}
loop: "{{ ansible_mounts }}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
notify: Change_requires_reboot
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.1.6.x.yml
Expand Up @@ -32,7 +32,7 @@
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %}
loop: "{{ ansible_mounts }}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
notify: Change_requires_reboot
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.1.7.x.yml
Expand Up @@ -32,7 +32,7 @@
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %}
loop: "{{ ansible_mounts }}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
notify: Change_requires_reboot
10 changes: 5 additions & 5 deletions tasks/section_1/cis_1.2.x.yml
Expand Up @@ -23,9 +23,9 @@
os_gpg_key_check.rc == 1
when:
- rhel9cis_rule_1_2_1
- ansible_distribution == "RedHat" or
ansible_distribution == "Rocky" or
ansible_distribution == "AlmaLinux"
- ansible_facts.distribution == "RedHat" or
ansible_facts.distribution == "Rocky" or
ansible_facts.distribution == "AlmaLinux"
tags:
- level1-server
- level1-workstation
Expand Down Expand Up @@ -111,8 +111,8 @@

when:
- rhel9cis_rule_1_2_4
- not rhel9cis_rhel_default_repo or ansible_distribution != 'RedHat'
- ansible_distribution != 'OracleLinux'
- rhel9cis_rule_enable_repogpg
- not rhel9cis_rhel_default_repo
tags:
- level1-server
- level1-workstation
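Review bot: The second hunk's new `when` list drops the `ansible_distribution != 'OracleLinux'` exclusion and the `or ansible_distribution != 'RedHat'` branch, so the task (whose name and body start above the hunk) is now skipped on every distribution whenever `rhel9cis_rhel_default_repo` is true — which is its shipped default — whereas before it always ran on Rocky and AlmaLinux and never on OracleLinux. If this task enforces repo_gpgcheck, that means the control is silently not applied on non-RHEL hosts using default variables, so please confirm that is intended and say so in the Changelog entry. The PRELIM task for `rhel9cis_rule_1_2_4` in tasks/prelim.yml still carries the RedHat/OracleLinux distribution gate, so the two gates for the same rule no longer agree; either both should be keyed on `rhel9cis_rule_enable_repogpg`, or the distro gate belongs here too, e.g. `- ansible_facts.distribution != 'OracleLinux'`.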
8 changes: 4 additions & 4 deletions tasks/section_6/cis_6.1.x.yml
Expand Up @@ -155,7 +155,7 @@
failed_when: false
check_mode: false
register: rhel_09_6_1_10_audit
loop: "{{ ansible_mounts }}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.mount }}"
when:
Expand Down Expand Up @@ -201,7 +201,7 @@
failed_when: false
changed_when: false
register: rhel_09_6_1_11_audit
loop: "{{ ansible_mounts }}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.mount }}"
when:
Expand Down Expand Up @@ -260,7 +260,7 @@
failed_when: false
changed_when: false
register: rhel_09_6_1_13_suid_perms
loop: "{{ ansible_mounts }}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.mount }}"

Expand Down Expand Up @@ -302,7 +302,7 @@
failed_when: false
changed_when: false
register: rhel_09_6_1_14_sgid_perms
loop: "{{ ansible_mounts }}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.mount }}"
