From b3f324894dfe8a13013e31169ebf4c624405635e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 31 Oct 2023 16:25:23 +0000 Subject: [PATCH 01/15] updated the workflow version and galaxy setup Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/main_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/update_galaxy.yml | 14 ++++++-------- 3 files changed, 24 insertions(+), 26 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index dba39dc0..9fbe7aa8 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -29,7 +29,7 @@ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -44,13 +44,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -74,7 +74,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} 
@@ -82,7 +82,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -90,7 +90,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -111,9 +111,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 0b149fb3..67ee9d90 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -18,7 +18,7 @@ # that can run sequentially or in parallel jobs: - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -33,13 +33,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC 
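Review bot: The new `run: sleep ${{ vars.BUILD_SLEEPTIME }}` in the @@ -111 hunk expands to a bare `sleep` whenever the repository variable is unset, which exits with a missing-operand error, and the step is still named `Sleep for 60 seconds` although the duration is no longer 60 seconds. Interpolating `${{ }}` straight into `run:` also splices the value into the shell script text; the usual pattern is to pass it through the step environment and give it a default, e.g. `env: { BUILD_SLEEPTIME: ${{ vars.BUILD_SLEEPTIME }} }` on the step and `run: sleep "${BUILD_SLEEPTIME:-60s}"`, with the step renamed to match. The same step is changed the same way in main_pipeline_validation.yml (hunk @@ -100), so the fix applies there too.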
@@ -63,7 +63,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -71,7 +71,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -79,7 +79,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -100,9 +100,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 951a53cb..f9352800 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,11 +1,7 @@ --- -# This is a basic workflow to help you get started with Actions - name: update galaxy -# Controls when the action will run. -# Triggers the workflow on merge request events to the main branch on: push: branches: 
@@ -14,8 +10,10 @@ jobs: update_role: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: robertdebock/galaxy-action@master + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} - git_branch: main + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} From d687371cf0ff509bf1e9fa0a0da7526995825119 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Nov 2023 12:26:54 +0000 Subject: [PATCH 02/15] removed file Signed-off-by: Mark Bolwell --- .config/.gitleaks-report.json | 142 ---------------------------------- 1 file changed, 142 deletions(-) delete mode 100644 .config/.gitleaks-report.json diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json deleted file mode 100644 index bea9d1d8..00000000 --- a/.config/.gitleaks-report.json +++ /dev/null 
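Review bot: The new `uses: ansible-actions/ansible-galaxy-action@main` step is handed `secrets.GALAXY_API_KEY` while referencing a mutable branch, so anyone able to push to that branch can change the code this workflow runs with the key in scope; the `actions/checkout@v4` step in the same hunk is at least pinned to a release tag. Pin the action to a full commit SHA and record the release as a comment, e.g. `uses: ansible-actions/ansible-galaxy-action@<commit-sha>  # <release tag>`, and it would presumably be worth doing the same for `arillso/action.playbook@master` in the two validation workflows, which this patch leaves as unchanged context.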
@@ -1,142 +0,0 @@ -[ - { - "Description": "Generic API Key", - "StartLine": 125, - "EndLine": 125, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", - "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.646039, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:125" - }, - { - "Description": "Generic API Key", - "StartLine": 135, - "EndLine": 135, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"673504d3db128a01a93d32de2b104a05dc2e6859\"", - "Secret": "673504d3db128a01a93d32de2b104a05dc2e6859", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.7750704, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:135" - }, - { - "Description": "Generic API Key", - "StartLine": 145, - "EndLine": 145, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"2784977b09b611a32db88f631d88a5806605967e\"", - "Secret": "2784977b09b611a32db88f631d88a5806605967e", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.718454, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": 
"2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:145" - }, - { - "Description": "Generic API Key", - "StartLine": 153, - "EndLine": 153, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", - "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.646039, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:153" - }, - { - "Description": "Generic API Key", - "StartLine": 163, - "EndLine": 163, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", - "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.8439426, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:163" - }, - { - "Description": "Generic API Key", - "StartLine": 172, - "EndLine": 172, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"fd917ab33fb6bd01e799f4b72da0586589cd909a\"", - "Secret": 
"fd917ab33fb6bd01e799f4b72da0586589cd909a", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.808695, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:172" - }, - { - "Description": "Generic API Key", - "StartLine": 182, - "EndLine": 182, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\"", - "Secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.8250706, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:182" - } -] From 9dd216c104c7942e2aa5c7c75c86c4b8848863df Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Nov 2023 12:27:08 +0000 Subject: [PATCH 03/15] updated Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 40a21e27..97c79434 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,7 +41,6 @@ repos: hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - exclude: .config/.secrets.baseline - repo: https://github.com/ansible-community/ansible-lint rev: v6.17.2 From 388f85061c0b8ffe04d9a10173666e0542c1b02b Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Wed, 1 Nov 2023 12:27:44 +0000 Subject: [PATCH 04/15] updated Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 97c79434..00d0e09d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.2.0 + rev: v4.5.0 hooks: # Safety - id: detect-aws-credentials @@ -34,16 +34,16 @@ repos: hooks: - id: detect-secrets args: [ '--baseline', '.config/.secrets.baseline' ] - exclude: .config/.gitleaks-report.json + - repo: https://github.com/gitleaks/gitleaks - rev: v8.17.0 + rev: v8.18.0 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.17.2 + rev: v6.21.1 hooks: - id: ansible-lint name: Ansible-lint From 22f7dabfedc1afb76f45deba55129427de70f169 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Nov 2023 12:28:47 +0000 Subject: [PATCH 05/15] lint update Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 00d0e09d..f2f732af 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,7 +35,6 @@ repos: - id: detect-secrets args: [ '--baseline', '.config/.secrets.baseline' ] - - repo: https://github.com/gitleaks/gitleaks rev: v8.18.0 hooks: From 51b2df3a671cc1d33eb6d891a1b480283857942f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Nov 2023 12:30:39 +0000 Subject: [PATCH 06/15] fix typo Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 2 +- .github/workflows/main_pipeline_validation.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 9fbe7aa8..39af625a 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -113,7 +113,7 @@ - name: Sleep for 60 seconds run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the Ansibleplaybook + # Run the Ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 67ee9d90..8ded7018 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -102,7 +102,7 @@ - name: Sleep for 60 seconds run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the Ansibleplaybook + # Run the Ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: From 444074df1e271f4a156a5233ca86d69f2c0ae1c8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 14 Nov 2023 16:28:23 +0000 Subject: [PATCH 07/15] rhel7stig_boot_part variable now discovered Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 -- tasks/prelim.yml | 15 +++------------ 2 files changed, 3 insertions(+), 14 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5310cee1..d773ab60 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -693,8 +693,6 @@ rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1, rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}" -rhel7stig_boot_part: "{{ rhel_07_boot_part.stdout }}" - rhel7stig_legacy_boot_path: '/boot/grub2/' rhel7stig_efi_boot_path: '/boot/efi/EFI/' diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 8bfaf00b..5c66c1a1 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -300,18 +300,6 @@ - RHEL-07-031000 - RHEL-07-031010 -- name: "PRELIM | RHEL-07-021350 | Check if /boot or /boot/efi reside on separate partitions" - ansible.builtin.shell: df --output=target /boot | tail -n 1 - changed_when: false - check_mode: false - register: rhel_07_boot_part - when: - - rhel_07_021350 - tags: - - cat1 - - high - - RHEL-07-021350 - - name: "PRELIM | RHEL-07-030300 | RHEL-07-030310 | RHEL-07-030320 | RHEL-07-030321 | Install audit remote plugin." ansible.builtin.package: name: audispd-plugins @@ -443,6 +431,7 @@ rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}redhat" rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_legacy_boot: false + rhel7stig_boot_part: /boot/efi when: - rhel7_efi_boot.stat.exists - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path @@ -452,6 +441,7 @@ rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}centos" rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_legacy_boot: false + rhel7stig_boot_part: /boot/efi when: - rhel7_efi_boot.stat.exists - ansible_distribution == 'CentOS' @@ -461,6 +451,7 @@ rhel7stig_bootloader_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_not_boot_path: "{{ rhel7stig_efi_boot_path }}" rhel7stig_legacy_boot: true + rhel7stig_boot_part: /boot when: not rhel7_efi_boot.stat.exists - name: PRELIM | output bootloader and efi state From 6276776d77ab640872d7aba4365b765516d80110 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 14 Nov 2023 17:22:51 +0000 Subject: [PATCH 08/15] tidy up of rhel7stig_boot_part variable Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 ++ tasks/prelim.yml | 3 --- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d773ab60..89b65ab1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
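Review bot: Removing the `df --output=target /boot | tail -n 1` prelim task in the @@ -300 hunk drops the only check that /boot is really its own mount point: `df` printed `/` when it was not, which is what the later guard `rhel7stig_boot_part not in ['/', '']` on the RHEL-07-021350 task ("If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added") depends on, whereas the three tasks in the @@ -443/-452/-461 hunks now assign `/boot/efi` or `/boot` from the EFI stat alone. On a host whose /boot lives on the root filesystem the control will therefore presumably attempt to apply and audit the `boot=` parameter where it does not apply, and the static default `rhel7stig_boot_part: /boot` introduced by the follow-up commit "tidy up of rhel7stig_boot_part variable" has the same effect. If discovery is intentionally gone, the variable needs a comment in defaults/main.yml saying it must be set to `/` (or `''`) when /boot is not a separate partition; otherwise derive it from `ansible_mounts` instead of from the EFI check, e.g. `rhel7stig_boot_part: "{{ (ansible_mounts | selectattr('mount', 'in', ['/boot/efi', '/boot']) | map(attribute='mount') | list | first) | default('/') }}"`. The tasks in the last three hunks start outside their hunks.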
@@ -693,6 +693,8 @@ rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1, rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}" +rhel7stig_boot_part: /boot + rhel7stig_legacy_boot_path: '/boot/grub2/' rhel7stig_efi_boot_path: '/boot/efi/EFI/' diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 5c66c1a1..17fe42bb 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -431,7 +431,6 @@ rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}redhat" rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_legacy_boot: false - rhel7stig_boot_part: /boot/efi when: - rhel7_efi_boot.stat.exists - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path @@ -441,7 +440,6 @@ rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}centos" rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_legacy_boot: false - rhel7stig_boot_part: /boot/efi when: - rhel7_efi_boot.stat.exists - ansible_distribution == 'CentOS' @@ -451,7 +449,6 @@ rhel7stig_bootloader_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_not_boot_path: "{{ rhel7stig_efi_boot_path }}" rhel7stig_legacy_boot: true - rhel7stig_boot_part: /boot when: not rhel7_efi_boot.stat.exists - name: PRELIM | output bootloader and efi state From ad3b174385559e249b5d644bb058c50bc660dc5f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 15 Nov 2023 17:23:22 +0000 Subject: [PATCH 09/15] changed logic on 20620 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 0355d7a5..efc68379 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1554,7 +1554,7 @@ label: "{{ rhel7stig_passwd_label }}" when: - rhel_07_020620 - - rhel7stig_interactive_uid_start | int <= item.uid + - item.uid >= rhel7stig_interactive_uid_start | int tags: - RHEL-07-020620 - CAT2 From 617e0084622f1fcdf8be449221d2a0c4ba8c98f4 Mon Sep 17 00:00:00 2001 
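Review bot: The rewritten condition `item.uid >= rhel7stig_interactive_uid_start | int` in the fix-cat2.yml @@ -1554 hunk is the removed comparison with its operands swapped, so on its own it changes nothing. If the intent behind "changed logic" was to cope with uid values that arrive as strings, the cast has to be applied to `item.uid` as well, `- item.uid | int >= rhel7stig_interactive_uid_start | int`; if not, the commit is a no-op that could be dropped. The task this condition belongs to starts outside the hunk.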
From: Mark Bolwell Date: Mon, 20 Nov 2023 18:23:48 +0000 Subject: [PATCH 10/15] updated logic for uuid Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index a46c1f74..37dd1f24 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -441,6 +441,7 @@ - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." block: + - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." ansible.builtin.replace: path: /etc/default/grub @@ -456,6 +457,7 @@ insert: true when: - rhel7stig_boot_part not in ['/', ''] + - item.uuid is defined - not ansible_check_mode or rhel7_stig_grub_template is not changed notify: confirm grub2 user cfg @@ -474,9 +476,9 @@ - ansible_check_mode - rhel_07_021350_audit is failed failed_when: - - rhel_07_021350_audit is failed - - not ansible_check_mode or - rhel_07_021350_audit.rc > 1 + - rhel_07_021350_audit.rc not in [ 0, 1 ] + - not ansible_check_mode + when: - not ansible_check_mode or rhel7_stig_grub_template is not changed From 6e7329b786396c601791d3221e9a2ba4f76e5dac Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Nov 2023 14:06:20 +0000 Subject: [PATCH 11/15] removed extra line Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 37dd1f24..a8dab97d 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
@@ -441,7 +441,6 @@ - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." block: - - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." ansible.builtin.replace: path: /etc/default/grub From 207be13c6f3cb0d66a23ef95dde5e1b1b1d9ab34 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 11 Jan 2024 15:29:34 +0000 Subject: [PATCH 12/15] removed doc dir Signed-off-by: Mark Bolwell --- doc/README.md | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 doc/README.md diff --git a/doc/README.md b/doc/README.md deleted file mode 100644 index 923de017..00000000 --- a/doc/README.md +++ /dev/null @@ -1,7 +0,0 @@ -To generate the documentation on a RHEL/CentOS 7 system, take the following steps: -1. Install required packages: - * `yum install python3-pip python-sphinx` -2. Install the requirements: - * `sudo pip3 install -r requirements.txt` -3. Generate the documentation: - * `make singlehtml` From 3901021fabd66678a590e443d00edaebed177bd5 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 22 Jan 2024 17:33:41 +0000 Subject: [PATCH 13/15] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](https://github.com/gitleaks/gitleaks/compare/v8.18.0...v8.18.1) - [github.com/ansible-community/ansible-lint: v6.21.1 → v6.22.2](https://github.com/ansible-community/ansible-lint/compare/v6.21.1...v6.22.2) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0) --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f2f732af..43020660 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,13 +36,13 @@ repos: args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.0 + rev: v8.18.1 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.21.1 + rev: v6.22.2 hooks: - id: ansible-lint name: Ansible-lint @@ -61,6 +61,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.32.0 # or higher tag + rev: v1.33.0 # or higher tag hooks: - id: yamllint From 594ece92b5f0189ec4daf1313d54eada17765796 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 26 Jan 2024 10:15:35 +0000 Subject: [PATCH 14/15] Issue #446 tag update to always - thanks to @prestonSeaman2 Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 17fe42bb..a4cdb913 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -159,13 +159,7 @@ rhel_07_010491 or rhel_07_021350 tags: - - cat1 - - high - - RHEL-07-010481 - - RHEL-07-010482 - - RHEL-07-010483 - - RHEL-07-010491 - - RHEL-07-021350 + - always - name: "PRELIM | RHEL-07-010480 | RHEL-07-010490 | RHEL-07-021350 | RHEL-07-021700 | Check whether machine is UEFI-based" ansible.builtin.stat: From e401d83f636572fd2d8caebf976d32f6252ee390 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 26 Jan 2024 10:19:02 +0000 Subject: [PATCH 15/15] conditional updated 021000 & 021010 #448 thanks @erosen03 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index efc68379..1ea2f6de 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
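Review bot: Replacing the whole tag list with a lone `- always` in the prelim @@ -159 hunk keeps the task running under any `--tags` selection, with the `when:` on `rhel_07_010491 or rhel_07_021350` still gating it, but it also removes the STIG control IDs from `--list-tags` output and means `--skip-tags cat1` no longer skips this prelim. Keeping the removed `- RHEL-07-0104xx` / `- RHEL-07-021350` entries next to `- always` preserves the task-to-control mapping at no cost to the fix for #446. The task itself begins outside the hunk.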
@@ -2042,7 +2042,7 @@ removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" # noqa: jinja[invalid] when: - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - - "'nosuid' not in home_mount.options" + - "'nosuid' not in removable_mount.options" - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." ansible.posix.mount: @@ -2055,7 +2055,7 @@ removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" # noqa: jinja[invalid] when: - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - - "'nosuid' not in home_mount.options" + - "'nosuid' not in removable_mount2.options" when: - rhel_07_021010 - not (rhel7stig_system_is_chroot and rhel7stig_system_is_container)