Merge pull request #122 from ansible-lockdown/devel

Devel to main
Signed-off-by: George Nalen <[email protected]>

.ansible-lint

@@ -0,0 +1,11 @@
+parseable: true
+quiet: true
+skip_list:
+  - '204'
+  - '305'
+  - '303'
+  - '403'
+  - '306'
+  - '602'
+use_default_rules: true
+verbosity: 0

.github/workflows/communitytodevel.yml

@@ -1,38 +1,39 @@
+---
 # This is a basic workflow to help you get started with Actions
 
 name: CommunityToDevel
 
 # Controls when the action will run. Triggers the workflow on push or pull request
 # events but only for the devel branch
 on:
-  pull_request:
-    branches: [ devel ]
+    pull_request:
+        branches: [ devel ]
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
-  # This workflow contains a single job called "build"
-  build:
-    # The type of runner that the job will run on
-    runs-on: ubuntu-latest
+    # This workflow contains a single job called "build"
+    build:
+        # The type of runner that the job will run on
+        runs-on: ubuntu-latest
 
-    # Steps represent a sequence of tasks that will be executed as part of the job
-    steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
-      
-      # Refactr pipeline for devel pull request/merge
-      - name: Refactr - Run Pipeline (to devel)
-       # You may pin to the exact commit or the version.
-        # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
-        uses: refactr/[email protected]
-        with:
-          # API token
-          api_token: '${{ secrets.REFACTR_KEY }}'
-          # Project ID
-          project_id: 5f47f0c4a13c7b18373e5556
-          # Job ID
-          job_id: 5f933cbcf9c74e86b1609c00
-          # Variables
-          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-CIS.git", "image": "ami-066df92ac6f03efca", "githubBranch": "${{ github.head_ref }}", "username": "ec2-user" }'
-          # Refactr API base URL
-          api_url: # optional
+        # Steps represent a sequence of tasks that will be executed as part of the job
+        steps:
+            # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+            - uses: actions/checkout@v2
+
+            # Refactr pipeline for devel pull request/merge
+            - name: Refactr - Run Pipeline (to devel)
+              # You may pin to the exact commit or the version.
+              # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+              uses: refactr/[email protected]
+              with:
+                  # API token
+                  api_token: '${{ secrets.REFACTR_KEY }}'
+                  # Project ID
+                  project_id: 5f47f0c4a13c7b18373e5556
+                  # Job ID
+                  job_id: 5f933cbcf9c74e86b1609c00
+                  # Variables
+                  variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-CIS.git", "image": "ami-04483b15b4268d18d", "githubBranch": "${{ github.head_ref }}", "username": "centos" }'
+                  # Refactr API base URL
+                  api_url:  # optional

.github/workflows/develtomain.yml

@@ -0,0 +1,39 @@
+---
+# This is a basic workflow to help you get started with Actions
+
+name: DevelToMain
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+    pull_request:
+        branches: [ main ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+    # This workflow contains a single job called "build"
+    build:
+        # The type of runner that the job will run on
+        runs-on: ubuntu-latest
+
+        # Steps represent a sequence of tasks that will be executed as part of the job
+        steps:
+            # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+            - uses: actions/checkout@v2
+
+            # Refactr pipeline for devel pull request/merge
+            - name: Refactr - Run Pipeline (to main)
+              # You may pin to the exact commit or the version.
+              # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+              uses: refactr/[email protected]
+              with:
+                  # API token
+                  api_token: '${{ secrets.REFACTR_KEY }}'
+                  # Project ID
+                  project_id: 5f47f0c4a13c7b18373e5556
+                  # Job ID
+                  job_id: 5f90ad90f9c74e6d1e606e33
+                  # Variables
+                  variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-CIS.git", "image": "ami-04483b15b4268d18d", "username": "centos" }'
+                  # Refactr API base URL
+                  api_url:  # optional

.gitignore

@@ -1,6 +1,7 @@
 .env
 *.log
 *.retry
+.cache
 .vagrant
 tests/*redhat-subscription
 tests/Dockerfile

.yamllint

@@ -0,0 +1,23 @@
+---
+ignore: |
+  tests/
+  molecule/
+  .gitlab-ci.yml
+  *molecule.yml
+
+extends: default
+
+rules:
+  indentation:
+    # Requiring 4 space indentation
+    spaces: 4
+    # Requiring consistent indentation within a file, either indented or not
+    indent-sequences: consistent
+  truthy: disable
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  line-length: disable

Changelog.md

@@ -0,0 +1,47 @@
+# Changes to rhel8CIS
+
+## 1.2.2
+
+- #33 mkgrub missing variable issues - efi and bios path resolution
+  - thanks to mrampant & mickey1928geo
+- #102 2.2.2 xorg pkg removal extended
+  - thanks to RosarioVinoth
+- #104 5.4.1 pwquality logic
+  - thanks to RosarioVinoth
+- #107 Idempotence improvement for 4.1.1.3 and 4.1.1.4
+  - thanks to andreyzher
+
+- lint changes and updates to sync with ansible-galaxy
+
+## v1.2.1
+
+- bootloader and default variables
+- empty strings lint updates
+
+### 87
+
+- rule 6.1.1 - audit only - outputs file discrepancies to {{ rhel8cis_rpm_audit_file }}
+
+### 88
+
+- checkmode_improvements added to relevant tasks
+
+### PR #96
+
+- crypto policy idempotency
+
+## v1.2.0
+
+### 86
+
+- Adding on the goss auditing tool
+- remove deprecated warnings
+- format and layout
+- general improvements
+- readme updates
+- use ansible package_facts
+
+### 90
+
+- cis fix - nfs-server not nfs
+  - Thanks to danderemer

defaults/main.yml

@@ -15,7 +15,11 @@ rhel8cis_section4: true
 rhel8cis_section5: true
 rhel8cis_section6: true
 
+rhel8cis_level_1: true
+rhel8cis_level_2: true
+
 rhel8cis_selinux_disable: false
+rhel8cis_legacy_boot: false
 
 ## Python Binary
 ## This is used for python3 Installations where python2 OS modules are used in ansible
@@ -199,7 +203,7 @@ rhel8cis_rule_4_1_17: true
 rhel8cis_rule_4_2_1_1: true
 rhel8cis_rule_4_2_1_2: true
 rhel8cis_rule_4_2_1_3: true
-rhel8cis_rule_4_2_1_4: false
+rhel8cis_rule_4_2_1_4: true
 rhel8cis_rule_4_2_1_5: true
 rhel8cis_rule_4_2_1_6: true
 rhel8cis_rule_4_2_2_1: true
@@ -358,7 +362,7 @@ rhel8cis_set_boot_pass: false
 
 # 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
 # Control 1.10 sates not ot use LEGACY and control 1.11 says to use FUTURE or FIPS.
-rhel8cis_crypto_policy: "FIPS"
+rhel8cis_crypto_policy: "FUTURE"
 
 # System network parameters (host only OR host and router)
 rhel8cis_is_router: false
@@ -517,7 +521,7 @@ rhel8cis_vartmp:
     opts: "defaults,nodev,nosuid,noexec,bind"
     enabled: no
 ## PAM
-rhel8cis_pam_password: 
+rhel8cis_pam_password:
     minlen: "14"
     minclass: "4"
 
@@ -533,13 +537,16 @@ rhel8cis_shell_session_timeout:
 # RHEL-08-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords
 rhel8cis_futurepwchgdate_autofix: true
 
+# 5.7
+# rhel8cis_sugroup: sugroup  # change accordingly wheel is default
+
 # wheel users list
-rhel8cis_wheel_users: "root"
+rhel8cis_sugroup_users: "root"
 
 ## Section6 vars
 
-# RHEL-08_6.1.1 Allow ansible to adjust package descrepancies . False will just display packages with descrepancies, True will correct descrepancies
-rhelcis_rpm_descrep_autofixes: true
+# RHEL-08_6.1.1
+rhel8cis_rpm_audit_file: /var/tmp/rpm_file_check
 
 # RHEL-08_6.1.10 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable
 rhel8cis_no_world_write_adjust: true
@@ -556,19 +563,19 @@ rhel8cis_audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Au
 rhel8cis_audit_git_version: main
 
 # copy:
-#rhel8cis_audit_local_copy: "some path to copy from"
+# rhel8cis_audit_local_copy: "some path to copy from"
 
 # get_url:
-#rhel8cis_audit_files_url: "some url maybe s3?"
+# rhel8cis_audit_files_url: "some url maybe s3?"
 
 
 ## audit controls ##
 goss_version:
-  release: v0.3.16
-  checksum: 'sha256:827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb'
+    release: v0.3.16
+    checksum: 'sha256:827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb'
 
 ### Audit Settings ###
-#goss_checksum: "checksum_{{ goss_version }}"
+# goss_checksum: "checksum_{{ goss_version }}"
 goss_path: /usr/local/bin/
 goss_bin: "{{ goss_path }}goss"
 goss_format: documentation
@@ -579,10 +586,10 @@ goss_audit_dir: "/var/tmp/{{ benchmark }}-Audit/"
 goss_file: "{{ goss_audit_dir }}goss.yml"
 goss_vars_path: "{{ goss_audit_dir }}/vars/{{ ansible_hostname }}.yml"
 goss_out_dir: '/var/tmp'
-pre_audit_outfile: "{{ goss_out_dir }}/pre_remediation_scan"
-post_audit_outfile: "{{ goss_out_dir }}/post_remediation_scan"
+pre_audit_outfile: "{{ goss_out_dir }}/{{ ansible_hostname }}_pre_scan_{{ ansible_date_time.epoch }}"
+post_audit_outfile: "{{ goss_out_dir }}/{{ ansible_hostname }}_post_scan_{{ ansible_date_time.epoch }}"
 
 Audit_results: |
       The pre remediation results are: {{ pre_audit_summary }}.
       The post remediation results are: {{ post_audit_summary }}.
-      Full breakdown can be found in {{ goss_out_dir }}
+      Full breakdown can be found in {{ goss_out_dir }}

handlers/main.yml

@@ -9,6 +9,8 @@
       sysctl_set: yes
   ignore_errors: yes
   when: ansible_virtualization_type != "docker"
+  tags:
+      - skip_ansible_lint
 
 - name: sysctl flush ipv6 route table
   become: yes
@@ -39,11 +41,7 @@
 - name: remount tmp
   command: mount -o remount /tmp
   args:
-    warn: false
-
-- name: generate new grub config
-  become: yes
-  command: grub2-mkconfig -o "{{ grub_cfg.stat.lnk_source }}"
+      warn: false
 
 - name: restart firewalld
   become: yes
@@ -86,8 +84,10 @@
       - skip_ansible_lint
 
 - name: grub2cfg
-  command: /sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
+  command: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}"
   ignore_errors: True
+  tags:
+      - skip_ansible_lint
 
 - name: restart rsyslog
   become: yes