devel to main update for release (#443)

* Specify missing state parameter for package Signed-off-by: Anže Luzar <[email protected]> * Correct with_items indentation for package Signed-off-by: Anže Luzar <[email protected]> * Replace inline strings with module parameters Signed-off-by: Anže Luzar <[email protected]> * updated link Signed-off-by: Mark Bolwell <[email protected]> * lint updates Signed-off-by: Mark Bolwell <[email protected]> * removed old Signed-off-by: Mark Bolwell <[email protected]> * added new defined secrets file Signed-off-by: Mark Bolwell <[email protected]> * added precommit Signed-off-by: Mark Bolwell <[email protected]> * lint updates Signed-off-by: Mark Bolwell <[email protected]> * updated Signed-off-by: Mark Bolwell <[email protected]> * added pragma allow list Signed-off-by: Mark Bolwell <[email protected]> * updated due to galaxy changes Signed-off-by: Mark Bolwell <[email protected]> * moved file Signed-off-by: Mark Bolwell <[email protected]> * updated path Signed-off-by: Mark Bolwell <[email protected]> * removed quality badge since galaxy-ng Signed-off-by: Mark Bolwell <[email protected]> * Adding additional condition for rhel7stig_grub2_user_cfg for task Signed-off-by: layluke <[email protected]> * updated the workflow version and galaxy setup Signed-off-by: Mark Bolwell <[email protected]> * removed file Signed-off-by: Mark Bolwell <[email protected]> * updated Signed-off-by: Mark Bolwell <[email protected]> * updated Signed-off-by: Mark Bolwell <[email protected]> * lint update Signed-off-by: Mark Bolwell <[email protected]> * fix typo Signed-off-by: Mark Bolwell <[email protected]> * rhel7stig_boot_part variable now discovered Signed-off-by: Mark Bolwell <[email protected]> * tidy up of rhel7stig_boot_part variable Signed-off-by: Mark Bolwell <[email protected]> * changed logic on 20620 Signed-off-by: Mark Bolwell <[email protected]> * updated logic for uuid Signed-off-by: Mark Bolwell <[email protected]> * removed extra line Signed-off-by: Mark Bolwell <[email protected]> * removed doc dir Signed-off-by: Mark Bolwell <[email protected]> * [pre-commit.ci] pre-commit autoupdate updates: - [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](gitleaks/gitleaks@v8.18.0...v8.18.1) - [github.com/ansible-community/ansible-lint: v6.21.1 → v6.22.2](ansible/ansible-lint@v6.21.1...v6.22.2) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0) * Issue #446 tag update to always - thanks to @prestonSeaman2 Signed-off-by: Mark Bolwell <[email protected]> * conditional updated 021000 & 021010 #448 thanks @erosen03 Signed-off-by: Mark Bolwell <[email protected]> --------- Signed-off-by: Anže Luzar <[email protected]> Signed-off-by: Mark Bolwell <[email protected]> Signed-off-by: layluke <[email protected]> Co-authored-by: Anže Luzar <[email protected]> Co-authored-by: layluke <[email protected]> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
ansible-lockdown · Feb 14, 2024 · dd187dd · dd187dd
1 parent 06d7dae
commit dd187dd
Show file tree

Hide file tree

Showing 24 changed files with 121 additions and 208 deletions.
diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json
diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
@@ -75,10 +75,6 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
-    {
-      "path": "detect_secrets.filters.common.is_baseline_file",
-      "filename": ".config/.secrets.baseline"
-    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -113,78 +109,11 @@
     {
       "path": "detect_secrets.filters.regex.should_exclude_file",
       "pattern": [
-        ".config/.gitleaks-report.json"
+        ".config/.gitleaks-report.json",
+        "tasks/parse_etc_passwd.yml"
       ]
     }
   ],
-  "results": {
-    "defaults/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "defaults/main.yml",
-        "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
-        "is_verified": false,
-        "line_number": 467,
-        "is_secret": false
-      }
-    ],
-    "tasks/fix-cat2.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/fix-cat2.yml",
-        "hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859",
-        "is_verified": false,
-        "line_number": 1449,
-        "is_secret": false
-      }
-    ],
-    "tasks/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/main.yml",
-        "hashed_secret": "2784977b09b611a32db88f631d88a5806605967e",
-        "is_verified": false,
-        "line_number": 39,
-        "is_secret": false
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/main.yml",
-        "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
-        "is_verified": false,
-        "line_number": 56,
-        "is_secret": false
-      }
-    ],
-    "tasks/parse_etc_passwd.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/parse_etc_passwd.yml",
-        "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
-        "is_verified": false,
-        "line_number": 18
-      }
-    ],
-    "tasks/prelim.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/prelim.yml",
-        "hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a",
-        "is_verified": false,
-        "line_number": 228,
-        "is_secret": false
-      }
-    ],
-    "templates/pam_pkcs11.conf.j2": [
-      {
-        "type": "Secret Keyword",
-        "filename": "templates/pam_pkcs11.conf.j2",
-        "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
-        "is_verified": false,
-        "line_number": 173,
-        "is_secret": false
-      }
-    ]
-  },
-  "generated_at": "2023-09-14T14:19:49Z"
+  "results": {},
+  "generated_at": "2023-10-09T14:42:52Z"
 }
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
@@ -27,9 +27,9 @@
                   repo-token: ${{ secrets.GITHUB_TOKEN }}
                   pr-message: |-
                       Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                      Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+                      Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
-        # This workflow contains a single job which tests the playbook
+        # This workflow contains a single job that tests the playbook
         playbook-test:
           # The type of runner that the job will run on
           runs-on: ubuntu-latest
@@ -44,13 +44,13 @@
 
           steps:
             - name: Clone ${{ github.event.repository.name }}
-              uses: actions/checkout@v3
+              uses: actions/checkout@v4
               with:
                 ref: ${{ github.event.pull_request.head.sha }}
 
             # Pull in terraform code for linux servers
-            - name: Clone github IaC plan
-              uses: actions/checkout@v3
+            - name: Clone GitHub IaC plan
+              uses: actions/checkout@v4
               with:
                 repository: ansible-lockdown/github_linux_IaC
                 path: .github/workflows/github_linux_IaC
@@ -74,23 +74,23 @@
                 pwd
                 ls
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
             - name: Terraform_Init
               id: init
               run: terraform init
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
             - name: Terraform_Validate
               id: validate
               run: terraform validate
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
@@ -111,9 +111,9 @@
       # Aws deployments taking a while to come up insert sleep or playbook fails
 
             - name: Sleep for 60 seconds
-              run: sleep 60s
+              run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
-          # Run the ansible playbook
+          # Run the Ansible playbook
             - name: Run_Ansible_Playbook
               uses: arillso/action.playbook@master
               with:

diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
@@ -18,7 +18,7 @@
     # that can run sequentially or in parallel
     jobs:
 
-        # This workflow contains a single job which tests the playbook
+        # This workflow contains a single job that tests the playbook
         playbook-test:
           # The type of runner that the job will run on
           runs-on: ubuntu-latest
@@ -33,13 +33,13 @@
 
           steps:
             - name: Clone ${{ github.event.repository.name }}
-              uses: actions/checkout@v3
+              uses: actions/checkout@v4
               with:
                 ref: ${{ github.event.pull_request.head.sha }}
 
             # Pull in terraform code for linux servers
-            - name: Clone github IaC plan
-              uses: actions/checkout@v3
+            - name: Clone GitHub IaC plan
+              uses: actions/checkout@v4
               with:
                 repository: ansible-lockdown/github_linux_IaC
                 path: .github/workflows/github_linux_IaC
@@ -63,23 +63,23 @@
                 pwd
                 ls
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
             - name: Terraform_Init
               id: init
               run: terraform init
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
             - name: Terraform_Validate
               id: validate
               run: terraform validate
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
@@ -100,9 +100,9 @@
       # Aws deployments taking a while to come up insert sleep or playbook fails
 
             - name: Sleep for 60 seconds
-              run: sleep 60s
+              run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
-          # Run the ansible playbook
+          # Run the Ansible playbook
             - name: Run_Ansible_Playbook
               uses: arillso/action.playbook@master
               with:

diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml
@@ -1,11 +1,7 @@
 ---
 
-# This is a basic workflow to help you get started with Actions
-
 name: update galaxy
 
-# Controls when the action will run.
-# Triggers the workflow on merge request events to the main branch
 on:
     push:
         branches:
@@ -14,8 +10,10 @@ jobs:
     update_role:
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v3
-            - uses: robertdebock/galaxy-action@master
+            - name: Checkout repo
+              uses: actions/checkout@v4
+
+            - name: Action Ansible Galaxy Release ${{ github.ref_name }}
+              uses: ansible-actions/ansible-galaxy-action@main
               with:
-                  galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
-                  git_branch: main
+                galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.2.0
+  rev: v4.5.0
   hooks:
   # Safety
   - id: detect-aws-credentials
@@ -34,16 +34,15 @@ repos:
   hooks:
   - id: detect-secrets
     args: [ '--baseline', '.config/.secrets.baseline' ]
-    exclude: .config/.gitleaks-report.json
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.17.0
+  rev: v8.18.1
   hooks:
   - id: gitleaks
     args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v6.17.2
+  rev: v6.22.2
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -62,6 +61,6 @@ repos:
     - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.32.0  # or higher tag
+  rev: v1.33.0  # or higher tag
   hooks:
   - id: yamllint
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
@@ -65,4 +65,3 @@ following text in your contribution commit message:
 This message can be entered manually, or if you have configured git
 with the correct `user.name` and `user.email`, you can use the `-s`
 option to `git commit` to automatically include the signoff message.
-
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -115,14 +115,14 @@ README
 
 ## Release 1.9.0
 
-- RHEL-07-010271 - New Control Added 
+- RHEL-07-010271 - New Control Added
 - Update to STIG V3R9 Oct 27th 2022 - Changes Listed Below
   - RHEL-07-010342, RHEL-07-010343, RHEL- 07-020023, RHEL-07-030201 - Updated fix text.
   - RHEL-07-021040, RHEL-07-021700 - Updated check text command to eliminate false positives.
   - RHEL-07-030840 - Updated check and fix text.
   - RHEL-07-040160 - Updated check text.
   - RHEL-07-040310 - Corrected typo in the Vulnerability Discussion.
-  - RHEL-07-040360, RHEL-07-040530 - Updated CCI. 
+  - RHEL-07-040360, RHEL-07-040530 - Updated CCI.
 - Update to README and requirements
 - RHEL-07-010010, RHEL-07-010020, RHEL-07-010291, RHEL-07-021030,RHEL-07-021040 - Updated Tag Information
 

diff --git a/README.md b/README.md
@@ -12,7 +12,6 @@ This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on  July 23
 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
 
-![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61792?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)

diff --git a/ansible.cfg b/ansible.cfg
@@ -23,4 +23,3 @@ transfer_method=scp
 [colors]
 
 [diff]
-
diff --git a/collections/requirements.yml b/collections/requirements.yml
@@ -1,8 +1,14 @@
 ---
 
 collections:
-- name: community.general
+    - name: community.general
+      source: https://github.com/ansible-collections/community.general
+      type: git
 
-- name: community.crypto
+    - name: community.crypto
+      source: https://github.com/ansible-collections/community.crypto
+      type: git
 
-- name: ansible.posix
+    - name: ansible.posix
+      source: https://github.com/ansible-collections/ansible.posix
+      type: git
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -464,7 +464,7 @@ rhel7stig_force_exact_packages: "{{ rhel7stig_disruption_high }}"
 # RHEL-07-010480 and RHEL-07-010490
 # Password protect the boot loader
 
-rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'
+rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
 rhel7stig_boot_superuser: root
 
 # RHEL-07-021700 set the value for correctly configured grub bootloader sequence
@@ -693,7 +693,7 @@ rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1,
 
 rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}"
 
-rhel7stig_boot_part: "{{ rhel_07_boot_part.stdout }}"
+rhel7stig_boot_part: /boot
 
 rhel7stig_legacy_boot_path: '/boot/grub2/'
 rhel7stig_efi_boot_path: '/boot/efi/EFI/'

diff --git a/doc/README.md b/doc/README.md
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -27,7 +27,7 @@
 - name: make grub2 config
   ansible.builtin.shell: /usr/sbin/grub2-mkconfig --output={{ rhel7stig_bootloader_path }}grub.cfg
   when:
-      - rhel7stig_grub2_user_cfg.stat.exists
+      - (rhel7stig_grub2_user_cfg is defined) and (rhel7stig_grub2_user_cfg.stat.exists)
       - not rhel7stig_skip_for_travis
       - not rhel7stig_system_is_container
 
@@ -42,7 +42,7 @@
       - grub.cfg
       - user.cfg
   when:
-      - rhel7stig_grub2_user_cfg.stat.exists
+      - (rhel7stig_grub2_user_cfg is defined) and (rhel7stig_grub2_user_cfg.stat.exists)
       - rhel7stig_workaround_for_disa_benchmark
       - not rhel7stig_skip_for_travis
       - not rhel7stig_system_is_container
Original file line number	Diff line number	Diff line change
Expand Up		@@ -65,4 +65,3 @@ following text in your contribution commit message:
		This message can be entered manually, or if you have configured git
		with the correct `user.name` and `user.email`, you can use the `-s`
		option to `git commit` to automatically include the signoff message.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -23,4 +23,3 @@ transfer_method=scp
		[colors]

		[diff]