Merge pull request #17 from ansible-lockdown/devel

devel to main release

.github/workflows/linux_benchmark_testing.yml

@@ -5,107 +5,107 @@ name: linux_benchmark_pipeline
 # Controls when the action will run.
 # Triggers the workflow on push or pull request
 # events but only for the devel branch
-on:
-  pull_request_target:
-    types: [opened, reopened, synchronize]
-    branches:
-      - devel
-      - main
-    paths:
-      - '**.yml'
-      - '**.sh'
-      - '**.j2'
-      - '**.ps1'
-      - '**.cfg'
+on:  # yamllint disable-line rule:truthy
+    pull_request_target:
+        types: [opened, reopened, synchronize]
+        branches:
+            - devel
+            - main
+        paths:
+            - '**.yml'
+            - '**.sh'
+            - '**.j2'
+            - '**.ps1'
+            - '**.cfg'
 
 # A workflow run is made up of one or more jobs
 # that can run sequentially or in parallel
 jobs:
   # This will create messages for first time contributers and direct them to the Discord server
-  welcome:
-      runs-on: ubuntu-latest
-
-      steps:
-          - uses: actions/first-interaction@main
-            with:
-                repo-token: ${{ secrets.GITHUB_TOKEN }}
-                pr-message: |-
-                  Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! 
-                  Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
-  # This workflow contains a single job called "build"
-  build:
-    # The type of runner that the job will run on
-    runs-on: ubuntu-latest
-
-    env: 
-      ENABLE_DEBUG: false
+    welcome:
+        runs-on: ubuntu-latest
+
+        steps:
+            - uses: actions/first-interaction@main
+              with:
+                  repo-token: ${{ secrets.GITHUB_TOKEN }}
+                  pr-message: |-
+                      Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+                      Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+    # This workflow contains a single job called "build"
+    build:
+        # The type of runner that the job will run on
+        runs-on: ubuntu-latest
 
-    # Steps represent a sequence of tasks that will be executed as part of the job
-    steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, 
-      # so your job can access it
-      - uses: actions/checkout@v3
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Add_ssh_key
-        working-directory: .github/workflows
-        env:
-          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
-          PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
-        run: |
-          mkdir .ssh
-          chmod 700 .ssh
-          echo $PRIVATE_KEY > .ssh/github_actions.pem
-          chmod 600 .ssh/github_actions.pem
-
-### Build out the server
-      - name: Terraform_Init
-        working-directory: .github/workflows
-        run: terraform init
-
-      - name: Terraform_Validate
-        working-directory: .github/workflows
-        run: terraform validate
-
-      - name: Terraform_Apply
-        working-directory: .github/workflows
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
-
-## Debug Section
-      - name: DEBUG - Show Ansible hostfile
-        if: env.ENABLE_DEBUG == 'true'
-        working-directory: .github/workflows
-        run: cat hosts.yml
-
-# Aws deployments taking a while to come up insert sleep or playbook fails
-
-      - name: Sleep for 60 seconds
-        run: sleep 60s
-        shell: bash
-
-# Run the ansible playbook
-      - name: Run_Ansible_Playbook
-        uses: arillso/action.playbook@master
-        with:
-          playbook: site.yml
-          inventory: .github/workflows/hosts.yml
-          galaxy_file: collections/requirements.yml
-          private_key: ${{ secrets.SSH_PRV_KEY }}
-#          verbose: 3
         env:
-          ANSIBLE_HOST_KEY_CHECKING: "false"
-          ANSIBLE_DEPRECATION_WARNINGS: "false"
+            ENABLE_DEBUG: false
 
-# Remove test system - User secrets to keep if necessary
-
-      - name: Terraform_Destroy
-        working-directory: .github/workflows
-        if: always() && env.ENABLE_DEBUG == 'false'
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
+    # Steps represent a sequence of tasks that will be executed as part of the job
+        steps:
+            # Checks-out your repository under $GITHUB_WORKSPACE,
+            # so your job can access it
+            - uses: actions/checkout@v3
+              with:
+                  ref: ${{ github.event.pull_request.head.sha }}
+
+            - name: Add_ssh_key
+              working-directory: .github/workflows
+              env:
+                  SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+                  PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
+              run: |
+                  mkdir .ssh
+                  chmod 700 .ssh
+                  echo $PRIVATE_KEY > .ssh/github_actions.pem
+                  chmod 600 .ssh/github_actions.pem
+
+            ### Build out the server
+            - name: Terraform_Init
+              working-directory: .github/workflows
+              run: terraform init
+
+            - name: Terraform_Validate
+              working-directory: .github/workflows
+              run: terraform validate
+
+            - name: Terraform_Apply
+              working-directory: .github/workflows
+              env:
+                  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+                  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+              run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false
+
+            ## Debug Section
+            - name: DEBUG - Show Ansible hostfile
+              if: env.ENABLE_DEBUG == 'true'
+              working-directory: .github/workflows
+              run: cat hosts.yml
+
+            # Aws deployments taking a while to come up insert sleep or playbook fails
+
+            - name: Sleep for 60 seconds
+              run: sleep 60s
+              shell: bash
+
+            # Run the ansible playbook
+            - name: Run_Ansible_Playbook
+              uses: arillso/action.playbook@master
+              with:
+                  playbook: site.yml
+                  inventory: .github/workflows/hosts.yml
+                  galaxy_file: collections/requirements.yml
+                  private_key: ${{ secrets.SSH_PRV_KEY }}
+        #          verbose: 3
+              env:
+                  ANSIBLE_HOST_KEY_CHECKING: "false"
+                  ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+            # Remove test system - User secrets to keep if necessary
+
+            - name: Terraform_Destroy
+              working-directory: .github/workflows
+              if: always() && env.ENABLE_DEBUG == 'false'
+              env:
+                  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+                  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+              run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false

.github/workflows/update_galaxy.yml

@@ -0,0 +1,21 @@
+---
+
+# This is a basic workflow to help you get started with Actions
+
+name: update galaxy
+
+# Controls when the action will run.
+# Triggers the workflow on merge request events to the main branch
+on:  # yamllint disable-line rule:truthy
+    push:
+        branches:
+            - main
+jobs:
+    update_role:
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v3
+            - uses: robertdebock/galaxy-action@master
+              with:
+                  galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
+                  git_branch: main

.yamllint

@@ -1,30 +1,26 @@
 ---
-ignore: |
-  tests/
-  molecule/
-  .github/
-  .gitlab-ci.yml
-  *molecule.yml
-
+# Based on ansible-lint config
 extends: default
 
 rules:
+  braces: {max-spaces-inside: 1, level: error}
+  brackets: {max-spaces-inside: 1, level: error}
+  colons: {max-spaces-after: -1, level: error}
+  commas: {max-spaces-after: -1, level: error}
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines: {max: 3, level: error}
+  hyphens: {level: error}
   indentation:
-    # Requiring 4 space indentation
-    spaces: 4
-    # Requiring consistent indentation within a file, either indented or not
-    indent-sequences: consistent
-  #truthy: disable
-  braces:
-    max-spaces-inside: 1
-    level: error
-  brackets:
-    max-spaces-inside: 1
-    level: error
-  line-length: disable
+     # Requiring 4 space indentation
+     spaces: 4
+     # Requiring consistent indentation within a file, either indented or not
+     indent-sequences: consistent
   key-duplicates: enable
+  line-length: disable
   new-line-at-end-of-file: enable
-  new-lines:
+  new-lines: 
     type: unix
   trailing-spaces: enable
   truthy:

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022 Ansible Lockdown
+Copyright (c) 2023 Ansible Lockdown
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

defaults/main.yml

@@ -486,14 +486,14 @@ amazon2cis_warning_banner: |
 
 ### Goss binary settings ###
 goss_version:
-    release: v0.3.16
-    checksum: 'sha256:827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb'
+    release: v0.3.21
+    checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3'
 audit_bin_path: /usr/local/bin/
 audit_bin: "{{ audit_bin_path }}goss"
 audit_format: json
 
 # if get_goss_file == download change accordingly
-goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64"
+goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64"
 
 ## if get_goss_file - copy the following needs to be updated for your environment
 ## it is expected that it will be copied from somewhere accessible to the control node

meta/main.yml

@@ -6,21 +6,21 @@ galaxy_info:
     license: MIT
     namespace: mindpointgroup
     role_name: amazon2_cis
-    min_ansible_version: 2.9.0
+    min_ansible_version: 2.10.1
     platforms:
         - name: Amazon
           versions:
-              - "2"
-
+              - "2017.03"
+              - "2017.09"
     galaxy_tags:
         - system
         - security
         - cis
         - hardening
-
+        - Amazon
+        - complianceascode
 collections:
     - community.general
     - community.crypto
     - ansible.posix
-
 dependencies: []

site.yml

@@ -2,5 +2,6 @@
 - hosts: all
   become: true
 
+  name: Run the ansible-lockdown remediation role
   roles:
   - role: "{{ playbook_dir }}"

tasks/section_5/cis_5.4.x.yml

@@ -58,7 +58,7 @@
         with_items:
             - "system-auth"
             - "password-auth"
-    
+
       - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Activate deny count and unlock times to failed password"
         lineinfile:
             path: /etc/pam.d/{{ item }}