From 80248aa8149b4bbd10e6bea130ebd9a668ddf905 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 14 Sep 2023 14:50:09 +0100 Subject: [PATCH 01/11] removed old workflow files Signed-off-by: Mark Bolwell --- .github/ISSUE_TEMPLATE/bug_report.md | 32 ----- .../feature-request-or-enhancement.md | 21 ---- .github/ISSUE_TEMPLATE/question.md | 17 --- .github/pull_request_template.md | 12 -- .github/workflows/OS.tfvars | 9 -- .github/workflows/github_networks.tf | 53 --------- .github/workflows/github_vars.tfvars | 14 --- .github/workflows/linux_benchmark_testing.yml | 111 ------------------ .github/workflows/main.tf | 84 ------------- .github/workflows/terraform.tfvars | 6 - .github/workflows/update_galaxy.yml | 2 +- .github/workflows/variables.tf | 81 ------------- 12 files changed, 1 insertion(+), 441 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.md delete mode 100644 .github/ISSUE_TEMPLATE/feature-request-or-enhancement.md delete mode 100644 .github/ISSUE_TEMPLATE/question.md delete mode 100644 .github/pull_request_template.md delete mode 100644 .github/workflows/OS.tfvars delete mode 100644 .github/workflows/github_networks.tf delete mode 100644 .github/workflows/github_vars.tfvars delete mode 100644 .github/workflows/linux_benchmark_testing.yml delete mode 100644 .github/workflows/main.tf delete mode 100644 .github/workflows/terraform.tfvars delete mode 100644 .github/workflows/variables.tf diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index 3a19c72b..00000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -name: Report Issue -about: Create a bug issue ticket to help us improve -title: '' -labels: bug -assignees: '' - ---- - -**Describe the Issue** -A clear and concise description of what the bug is. - -**Expected Behavior** -A clear and concise description of what you expected to happen. - -**Actual Behavior** -A clear and concise description of what's happening. - -**Control(s) Affected** -What controls are being affected by the issue - -**Environment (please complete the following information):** - - Ansible Version: [e.g. 2.10] - - Host Python Version: [e.g. Python 3.7.6] - - Ansible Server Python Version: [e.g. Python 3.7.6] - - Additional Details: - -**Additional Notes** -Anything additional goes here - -**Possible Solution** -Enter a suggested fix here diff --git a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md deleted file mode 100644 index bf457005..00000000 --- a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -name: Feature Request or Enhancement -about: Suggest an idea for this project -title: '' -labels: enhancement -assignees: '' - ---- - -**Feature Request or Enhancement** - - Feature [] - - Enhancement [] - -**Summary of Request** -A clear and concise description of what you want to happen. - -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Suggested Code** -Please provide any code you have in mind to fulfill the request diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md deleted file mode 100644 index cbab6e73..00000000 --- a/.github/ISSUE_TEMPLATE/question.md +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -name: Question -about: Ask away....... -title: '' -labels: question -assignees: '' - ---- - -**Question** -Pose question here. - -**Environment (please complete the following information):** - - Ansible Version: [e.g. 2.10] - - Host Python Version: [e.g. Python 3.7.6] - - Ansible Server Python Version: [e.g. Python 3.7.6] - - Additional Details: diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md deleted file mode 100644 index 05dadb6b..00000000 --- a/.github/pull_request_template.md +++ /dev/null @@ -1,12 +0,0 @@ -**Overall Review of Changes:** -A general description of the changes made that are being requested for merge - -**Issue Fixes:** -Please list (using linking) any open issues this PR addresses - -**Enhancements:** -Please list any enhancements/features that are not open issue tickets - -**How has this been tested?:** -Please give an overview of how these changes were tested. If they were not please use N/A - diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars deleted file mode 100644 index 325c24f2..00000000 --- a/.github/workflows/OS.tfvars +++ /dev/null @@ -1,9 +0,0 @@ -#Ami centos 7.11 -ami_id = "ami-00e87074e52e6c9f9" -ami_os = "centos7" -ami_username = "centos" -ami_user_home = "/home/centos" -instance_tags = { - Name = "RHEL7-STIG" - Environment = "github_test_pipeline" -} diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf deleted file mode 100644 index ba777642..00000000 --- a/.github/workflows/github_networks.tf +++ /dev/null 
@@ -1,53 +0,0 @@ -resource "aws_vpc" "Main" { - cidr_block = var.main_vpc_cidr - instance_tenancy = "default" - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-VPC" - } -} - -resource "aws_internet_gateway" "IGW" { - vpc_id = aws_vpc.Main.id - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-IGW" - } -} - -resource "aws_subnet" "publicsubnets" { - vpc_id = aws_vpc.Main.id - cidr_block = var.public_subnets - availability_zone = var.availability_zone - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-pubsub" - } -} - -resource "aws_subnet" "Main" { - vpc_id = aws_vpc.Main.id - cidr_block = var.private_subnets - availability_zone = var.availability_zone - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-prvsub" - } -} - -resource "aws_route_table" "PublicRT" { - vpc_id = aws_vpc.Main.id - route { - cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.IGW.id - } - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-publicRT" - } -} - -resource "aws_route_table_association" "rt_associate_public" { - subnet_id = aws_subnet.Main.id - route_table_id = aws_route_table.PublicRT.id -} diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars deleted file mode 100644 index 24daeca6..00000000 --- a/.github/workflows/github_vars.tfvars +++ /dev/null @@ -1,14 +0,0 @@ -// github_actions variables -// Resourced in github_networks.tf -// Declared in variables.tf -// - -namespace = "github_actions" -environment = "lockdown_github_repo_workflow" - -// Matching pair name found in AWS for keypairs PEM key -ami_key_pair_name = "github_actions" -private_key = ".ssh/github_actions.pem" -main_vpc_cidr = "172.22.0.0/24" -public_subnets = "172.22.0.128/26" -private_subnets = "172.22.0.192/26" 
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml deleted file mode 100644 index 591617f2..00000000 --- a/.github/workflows/linux_benchmark_testing.yml +++ /dev/null 
@@ -1,111 +0,0 @@ -# This is a basic workflow to help you get started with Actions - -name: linux_benchmark_pipeline - -# Controls when the action will run. -# Triggers the workflow on push or pull request -# events but only for the devel branch -on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - -# A workflow run is made up of one or more jobs -# that can run sequentially or in parallel -jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. 
- # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - env: - ENABLE_DEBUG: false - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, - # so your job can access it - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - - ### Build out the server - - name: Terraform_Init - working-directory: .github/workflows - run: terraform init - - - name: Terraform_Validate - working-directory: .github/workflows - run: terraform validate - - - name: Terraform_Apply - working-directory: .github/workflows - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep 60s - shell: bash - - # Run the ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - working-directory: .github/workflows - if: 
always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf deleted file mode 100644 index 0e5660c3..00000000 --- a/.github/workflows/main.tf +++ /dev/null 
@@ -1,84 +0,0 @@ -provider "aws" { - profile = "" - region = var.aws_region -} - -// Create a security group with access to port 22 and port 80 open to serve HTTP traffic - - -resource "random_id" "server" { - keepers = { - # Generate a new id each time we switch to a new AMI id - ami_id = "${var.ami_id}" - } - - byte_length = 8 -} - -resource "aws_security_group" "github_actions" { - name = "${var.namespace}-${random_id.server.hex}-SG" - vpc_id = aws_vpc.Main.id - - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-SG" - } -} - -// instance setup - -resource "aws_instance" "testing_vm" { - ami = var.ami_id - availability_zone = var.availability_zone - associate_public_ip_address = true - key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs - instance_type = var.instance_type - tags = var.instance_tags - vpc_security_group_ids = [aws_security_group.github_actions.id] - subnet_id = aws_subnet.Main.id - root_block_device { - delete_on_termination = true - } -} - -// generate inventory file -resource "local_file" "inventory" { - filename = "./hosts.yml" - directory_permission = "0755" - file_permission = "0644" - content = < Date: Thu, 14 Sep 2023 14:50:42 +0100 Subject: [PATCH 02/11] added new pipeline workflows Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 138 ++++++++++++++++++ .../workflows/main_pipeline_validation.yml | 127 ++++++++++++++++ 2 files changed, 265 insertions(+) create mode 100644 .github/workflows/devel_pipeline_validation.yml create mode 100644 .github/workflows/main_pipeline_validation.yml 
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
new file mode 100644
index 00000000..a4e7d48a
--- /dev/null
+++ b/.github/workflows/devel_pipeline_validation.yml
@@ -0,0 +1,138 @@
+---
+
+ name: Devel pipeline
+
+ on: # yamllint disable-line rule:truthy
+ pull_request_target:
+ types: [opened, reopened, synchronize]
+ branches:
+ - devel
+ paths:
+ - '**.yml'
+ - '**.sh'
+ - '**.j2'
+ - '**.ps1'
+ - '**.cfg'
+
+ # A workflow run is made up of one or more jobs
+ # that can run sequentially or in parallel
+ jobs:
+ # This will create messages for first time contributers and direct them to the Discord server
+ welcome:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/first-interaction@main
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ pr-message: |-
+ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+ Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+
+ # This workflow contains a single job which tests the playbook
+ playbook-test:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+ env:
+ ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
+ # Imported as a variable by terraform
+ TF_VAR_repository: ${{ github.event.repository.name }}
+ defaults:
+ run:
+ shell: bash
+ working-directory: .github/workflows/github_linux_IaC
+
+ steps:
+ - name: Clone ${{ github.event.repository.name }}
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ # Pull in terraform code for linux servers
+ - name: Clone github IaC plan
+ uses: actions/checkout@v3
+ with:
+ repository: ansible-lockdown/github_linux_IaC
+ path: .github/workflows/github_linux_IaC
+
+ - name: Add_ssh_key
+ working-directory: .github/workflows
+ env:
+ SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+ PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
+ run: |
+ mkdir .ssh
+ chmod 700 .ssh
+ echo $PRIVATE_KEY > .ssh/github_actions.pem
+ chmod 600 .ssh/github_actions.pem
+
+ - name: DEBUG - Show IaC files
+ if: env.ENABLE_DEBUG == 'true'
+ run: |
+ echo "OSVAR = $OSVAR"
+ echo "benchmark_type = $benchmark_type"
+ pwd
+ ls
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ - name: Terraform_Init
+ id: init
+ run: terraform init
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ - name: Terraform_Validate
+ id: validate
+ run: terraform validate
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ - name: Terraform_Apply
+ id: apply
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+ run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+
+ ## Debug Section
+ - name: DEBUG - Show Ansible hostfile
+ if: env.ENABLE_DEBUG == 'true'
+ run: cat hosts.yml
+
+ # Aws deployments taking a while to come up insert sleep or playbook fails
+
+ - name: Sleep for 60 seconds
+ run: sleep 60s
+
+ # Run the ansible playbook
+ - name: Run_Ansible_Playbook
+ uses: arillso/action.playbook@master
+ with:
+ playbook: site.yml
+ inventory: .github/workflows/github_linux_IaC/hosts.yml
+ galaxy_file: collections/requirements.yml
+ private_key: ${{ secrets.SSH_PRV_KEY }}
+ # verbose: 3
+ env:
+ ANSIBLE_HOST_KEY_CHECKING: "false"
+ ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+ # Remove test system - User secrets to keep if necessary
+
+ - name: Terraform_Destroy
+ if: always() && env.ENABLE_DEBUG == 'false'
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+ run: terraform destroy -var-file 
"github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml new file mode 100644 index 00000000..0b149fb3 --- /dev/null +++ b/.github/workflows/main_pipeline_validation.yml 
@@ -0,0 +1,127 @@
+---
+
+ name: Main pipeline
+
+ on: # yamllint disable-line rule:truthy
+ pull_request_target:
+ types: [opened, reopened, synchronize]
+ branches:
+ - main
+ paths:
+ - '**.yml'
+ - '**.sh'
+ - '**.j2'
+ - '**.ps1'
+ - '**.cfg'
+
+ # A workflow run is made up of one or more jobs
+ # that can run sequentially or in parallel
+ jobs:
+
+ # This workflow contains a single job which tests the playbook
+ playbook-test:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+ env:
+ ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
+ # Imported as a variable by terraform
+ TF_VAR_repository: ${{ github.event.repository.name }}
+ defaults:
+ run:
+ shell: bash
+ working-directory: .github/workflows/github_linux_IaC
+
+ steps:
+ - name: Clone ${{ github.event.repository.name }}
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ # Pull in terraform code for linux servers
+ - name: Clone github IaC plan
+ uses: actions/checkout@v3
+ with:
+ repository: ansible-lockdown/github_linux_IaC
+ path: .github/workflows/github_linux_IaC
+
+ - name: Add_ssh_key
+ working-directory: .github/workflows
+ env:
+ SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+ PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
+ run: |
+ mkdir .ssh
+ chmod 700 .ssh
+ echo $PRIVATE_KEY > .ssh/github_actions.pem
+ chmod 600 .ssh/github_actions.pem
+
+ - name: DEBUG - Show IaC files
+ if: env.ENABLE_DEBUG == 'true'
+ run: |
+ echo "OSVAR = $OSVAR"
+ echo "benchmark_type = $benchmark_type"
+ pwd
+ ls
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ - name: Terraform_Init
+ id: init
+ run: terraform init
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ - name: Terraform_Validate
+ id: validate
+ run: terraform validate
+ env:
+ # 
Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ - name: Terraform_Apply
+ id: apply
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+ run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+
+ ## Debug Section
+ - name: DEBUG - Show Ansible hostfile
+ if: env.ENABLE_DEBUG == 'true'
+ run: cat hosts.yml
+
+ # Aws deployments taking a while to come up insert sleep or playbook fails
+
+ - name: Sleep for 60 seconds
+ run: sleep 60s
+
+ # Run the ansible playbook
+ - name: Run_Ansible_Playbook
+ uses: arillso/action.playbook@master
+ with:
+ playbook: site.yml
+ inventory: .github/workflows/github_linux_IaC/hosts.yml
+ galaxy_file: collections/requirements.yml
+ private_key: ${{ secrets.SSH_PRV_KEY }}
+ # verbose: 3
+ env:
+ ANSIBLE_HOST_KEY_CHECKING: "false"
+ ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+ # Remove test system - User secrets to keep if necessary
+
+ - name: Terraform_Destroy
+ if: always() && env.ENABLE_DEBUG == 'false'
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+ run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
From d04d9c6d2701b235e99aca53adbc0773d71d3cb5 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 14 Sep 2023 15:01:25 +0100
Subject: [PATCH 03/11] updated tags thansk to @trae on discord
Signed-off-by: Mark Bolwell
---
 tasks/prelim.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 41667ff2..505b99bf 100644
--- a/tasks/prelim.yml
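Review bot: The `Terraform_Destroy` step is gated on `always() && env.ENABLE_DEBUG == 'false'`, but `ENABLE_DEBUG` is filled from `${{ vars.ENABLE_DEBUG }}`, which expands to an empty string when the repository variable is unset (or to any other spelling such as `False`); in that case the equality is false, the destroy step is skipped and whatever `Terraform_Apply` created with the AWS credentials is left running after the job. Inverting the test, `if: always() && env.ENABLE_DEBUG != 'true'`, makes teardown the default and keeps the "leave it up for debugging" behaviour only for an explicit `true`. The same condition appears in devel_pipeline_validation.yml in this patch.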
+++ b/tasks/prelim.yml @@ -419,7 +419,7 @@ notify: clean up ssh host key when: not rhel7stig_ssh_host_rsa_key_stat.stat.exists when: - -rhel7stig_ssh_required + - rhel7stig_ssh_required - name: "PRELIM | Check whether machine is UEFI-based" ansible.builtin.stat: @@ -427,6 +427,7 @@ register: rhel7_efi_boot tags: - goss_template + - always - name: set bootloader type block: @@ -460,6 +461,8 @@ msg: - "bootloader path set to {{ rhel7stig_bootloader_path }}" - "legacy boot equals {{ rhel7stig_legacy_boot }}" + tags: + - always - name: "PRELIM | Gather interactive user ID min" block: From d1ee020a2338c540792eb3c5f198325ccce9f2a1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 14 Sep 2023 15:01:34 +0100 Subject: [PATCH 04/11] updated date Signed-off-by: Mark Bolwell --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index 4f5e4fdb..7e4285ae 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2022 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases +Copyright (c) 2023 Mindpoint Group Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal From d209ffd33e8109a74ca671e9ae8034c62349313a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 14 Sep 2023 15:17:46 +0100 Subject: [PATCH 05/11] added tag Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 505b99bf..f1863acd 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -2,11 +2,10 @@ - name: "PRELIM | Check required packages installed | Python2" ansible.builtin.package: - list: "{{ item }}" + name: + - rpm-python + - libselinux-python state: present - loop: - - rpm-python - - libselinux-python vars: ansible_python_interpreter: "{{ python2_bin }}" when: ansible_python.version.major == 2 
From f434a72364f6f771e710cc9d6eeaeec38c907a77 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 14 Sep 2023 15:18:01 +0100 Subject: [PATCH 06/11] updated Signed-off-by: Mark Bolwell --- README.md | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 68be4ff5..1d9e0e26 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a RHEL7 based system to be complaint with Disa STIG -This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on April 27, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R11_STIG.zip). +This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on July 23, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R12_STIG.zip). --- 
@@ -15,13 +15,14 @@ This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on April 27 ![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61792?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) -![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Devel%20Build%20Status) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL7-STIG/devel?color=dark%20green&label=Devel%20Branch%20commits) +![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) +![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/RHEL7-STIG) +![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL7-STIG) -![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) -![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Build%20Status) -![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL7-STIG?label=Release%20Date) -![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/RHEL7-STIG?label=Release%20Tag&&color=success) +[![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL7-STIG/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL7-STIG/actions/workflows/main_pipeline_validation.yml) + +[![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL7-STIG/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL7-STIG/actions/workflows/devel_pipeline_validation.yml) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL7-STIG/devel?color=dark%20green&label=Devel%20Branch%20Commits) ![Issues 
Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL7-STIG?label=Open%20Issues) ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL7-STIG?label=Closed%20Issues&&color=success) @@ -47,6 +48,18 @@ Configure a RHEL 7 system to be DISA STIG compliant. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `true`. +# Caution(s) + +This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. + +Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL7-STIG-Audit role or a compliance scanner should be used for compliance checking over check mode. + +This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. + +To use release version please point to main branch and relevant release for the cis benchmark you wish to work with. + +--- + ## Updating Coming from a previous release. @@ -138,7 +151,7 @@ ok: [cent7_bios] => { ] } PLAY RECAP **************************************************************************************************************** -rhel7test : ok=369 changed=192 unreachable=0 failed=0 skipped=125 rescued=0 ignored=0 +rhel7test : ok=369 changed=192 unreachable=0 failed=0 skipped=125 rescued=0 ignored=0 ``` ## Branches From a5bff3aeebed42fc2ae23d04d64cf9ed560bf131 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 14 Sep 2023 15:20:12 +0100 Subject: [PATCH 07/11] gcsm "added and setup secrets" 
Signed-off-by: Mark Bolwell --- .config/.gitleaks-report.json | 1 + .config/.secrets.baseline | 190 ++++++++++++++++++++++++++++++++++ 2 files changed, 191 insertions(+) create mode 100644 .config/.gitleaks-report.json create mode 100644 .config/.secrets.baseline diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json new file mode 100644 index 00000000..fe51488c --- /dev/null +++ b/.config/.gitleaks-report.json @@ -0,0 +1 @@ +[] diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline new file mode 100644 index 00000000..522a6339 --- /dev/null +++ b/.config/.secrets.baseline 
@@ -0,0 +1,190 @@ +{ + "version": "1.4.0", + "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, + { + "name": "AWSKeyDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "name": "Base64HighEntropyString", + "limit": 4.5 + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "name": "KeywordDetector", + "keyword_exclude": "" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "SendGridDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_baseline_file", + "filename": ".config/.secrets.baseline" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": "detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": 
"detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + ".config/.gitleaks-report.json" + ] + } + ], + "results": { + "defaults/main.yml": [ + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "is_verified": false, + "line_number": 467, + "is_secret": false + } + ], + "tasks/fix-cat2.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/fix-cat2.yml", + "hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859", + "is_verified": false, + "line_number": 1449, + "is_secret": false + } + ], + "tasks/main.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "2784977b09b611a32db88f631d88a5806605967e", + "is_verified": false, + "line_number": 39, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "is_verified": false, + "line_number": 56, + "is_secret": false + } + ], + "tasks/parse_etc_passwd.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/parse_etc_passwd.yml", + "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "is_verified": false, + "line_number": 18 + } + ], + "tasks/prelim.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/prelim.yml", + "hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a", + "is_verified": false, + "line_number": 228, + "is_secret": false + } + ], + "templates/pam_pkcs11.conf.j2": [ + { + "type": "Secret Keyword", + "filename": "templates/pam_pkcs11.conf.j2", + "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "is_verified": false, + "line_number": 173, + "is_secret": false + } + ] + }, + "generated_at": "2023-09-14T14:19:49Z" +} From cde9e8a0e6b42d0d5d1ba5fefb02e3477eb85439 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 14 Sep 2023 15:33:14 +0100 Subject: [PATCH 08/11] updated discord link 
Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1d9e0e26..fb60db15 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on July 23 ### Community -On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users +On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users --- From feb1eb7824f2d4be3d66da40afd3426d8951328a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 14 Sep 2023 15:47:40 +0100 Subject: [PATCH 09/11] added precommit file Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 67 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 .pre-commit-config.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000..97c79434 --- /dev/null +++ b/.pre-commit-config.yaml 
@@ -0,0 +1,67 @@
+---
+##### CI for use by github no need for action to be added
+##### Inherited
+ci:
+ autofix_prs: false
+ skip: [detect-aws-credentials, ansible-lint ]
+
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v3.2.0
+ hooks:
+ # Safety
+ - id: detect-aws-credentials
+ - id: detect-private-key
+
+ # git checks
+ - id: check-merge-conflict
+ - id: check-added-large-files
+ - id: check-case-conflict
+
+ # General checks
+ - id: trailing-whitespace
+ name: Trim Trailing Whitespace
+ description: This hook trims trailing whitespace.
+ entry: trailing-whitespace-fixer
+ language: python
+ types: [text]
+ args: [--markdown-linebreak-ext=md]
+ - id: end-of-file-fixer
+
+# Scan for passwords
+- repo: https://github.com/Yelp/detect-secrets
+ rev: v1.4.0
+ hooks:
+ - id: detect-secrets
+ args: [ '--baseline', '.config/.secrets.baseline' ]
+ exclude: .config/.gitleaks-report.json
+
+- repo: https://github.com/gitleaks/gitleaks
+ rev: v8.17.0
+ hooks:
+ - id: gitleaks
+ args: ['--baseline-path', '.config/.gitleaks-report.json']
+
+- repo: https://github.com/ansible-community/ansible-lint
+ rev: v6.17.2
+ hooks:
+ - id: ansible-lint
+ name: Ansible-lint
+ description: This hook runs ansible-lint.
+ entry: python3 -m ansiblelint --force-color site.yml -c .ansible-lint
+ language: python
+ # do not pass files to ansible-lint, see:
+ # https://github.com/ansible/ansible-lint/issues/611
+ pass_filenames: false
+ always_run: true
+ additional_dependencies:
+ # https://github.com/pre-commit/pre-commit/issues/1526
+ # If you want to use specific version of ansible-core or ansible, feel
+ # free to override `additional_dependencies` in your own hook config
+ # file.
+ - ansible-core>=2.10.1
+
+- repo: https://github.com/adrienverge/yamllint.git
+ rev: v1.32.0 # or higher tag
+ hooks:
+ - id: yamllint
From b4a62a358db0a4e12cf1a50ba746ee769822fe0d Mon Sep 17 00:00:00 2001
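Review bot: The `ci:` block's `skip: [detect-aws-credentials, ansible-lint ]` disables the AWS credential detector on pre-commit.ci, so that check only runs for contributors who install the hooks locally while the other secret scanners still run in CI. The usual reason to skip it is that the hook errors when the runner has no AWS keys configured; giving it `args: ['--allow-missing-credentials']` under `- id: detect-aws-credentials` lets it run everywhere, after which it can be removed from `skip`. `rev: v3.2.0` of pre-commit-hooks is a 2020 tag and the hooks used here all exist in the current 4.x line, so a bump looks low-risk but should be confirmed. The `ansible-lint` entry hard-codes `site.yml` with `pass_filenames: false` and `always_run: true`; if this role repository ships no `site.yml`, the hook fails or lints nothing rather than covering `tasks/`, which is worth a quick check. The `.config/.secrets.baseline` it points at (earlier in this series) carries a `tasks/parse_etc_passwd.yml` finding with no `is_secret` decision, so that entry has not actually been audited.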
From: Mark Bolwell Date: Thu, 14 Sep 2023 15:53:55 +0100 Subject: [PATCH 10/11] Lint tidy up Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 4 ++-- tasks/fix-cat2.yml | 18 +++++++++--------- tasks/fix-cat3.yml | 4 ++-- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 533cedf0..a46c1f74 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -449,7 +449,7 @@ with_items: - "{{ ansible_mounts | json_query(query) }}" vars: - query: "[?mount=='{{ rhel7stig_boot_part }}'] | [0]" + query: "[?mount=='{{ rhel7stig_boot_part }}'] | [0]" # noqa: jinja[invalid] key: GRUB_CMDLINE_LINUX param: boot value: UUID={{ item.uuid }} @@ -468,7 +468,7 @@ - "fips={{ fips_value }}" - boot=UUID={{ ansible_mounts | json_query(query) }} vars: - query: "[?mount=='{{ rhel7stig_boot_part }}'].uuid | [0]" + query: "[?mount=='{{ rhel7stig_boot_part }}'].uuid | [0]" # noqa: jinja[invalid] register: rhel_07_021350_audit changed_when: - ansible_check_mode diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 15a6df1e..694a304c 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -2014,7 +2014,7 @@ fstype: "{{ home_mount.fstype }}" opts: "{{ home_mount.options }},nosuid" vars: - home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" + home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" # noqa: jinja[invalid] when: - rhel_07_021000 - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 @@ -2037,7 +2037,7 @@ fstype: "{{ removable_mount.fstype }}" opts: "{{ removable_mount.options }},nosuid" vars: - removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" + removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" # noqa: jinja[invalid] when: - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - "'nosuid' not in home_mount.options" 
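Review bot: In the `/media` hunk (`@@ -2037`) the guard `- "'nosuid' not in home_mount.options"` tests `home_mount`, but this task's `vars:` defines `removable_mount`; `home_mount` is a task-scoped var of the separate `/home` task (`@@ -2014`), so here it is either undefined or refers to the wrong filesystem and the condition never actually checks `/media`. The added `# noqa: jinja[invalid]` does not touch this, and the lint tidy-up is a good moment to fix it. The line should read `- "'nosuid' not in removable_mount.options"`. The task's name and `mount:` module line are above the hunk, so the full task is not visible here.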
@@ -2050,7 +2050,7 @@ fstype: "{{ removable_mount2.fstype }}" opts: "{{ removable_mount2.options }},nosuid" vars: - removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" + removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" # noqa: jinja[invalid] when: - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - "'nosuid' not in home_mount.options" @@ -2073,9 +2073,9 @@ opts: "{{ ansible_mounts | json_query(options_query) }},nosuid" state: mounted vars: - device_query: '[?mount == `{{ item }}`] | [0].device' - fstype_query: '[?mount == `{{ item }}`] | [0].fstype' - options_query: '[?mount == `{{ item }}`] | [0].options' + device_query: '[?mount == `{{ item }}`] | [0].device' # noqa: jinja[invalid] + fstype_query: '[?mount == `{{ item }}`] | [0].fstype' # noqa: jinja[invalid] + options_query: '[?mount == `{{ item }}`] | [0].options' # noqa: jinja[invalid] with_items: - "{{ rhel7stig_nfs_mounts }}" when: @@ -2098,9 +2098,9 @@ opts: "{{ ansible_mounts | json_query(options_query) }},noexec" state: mounted vars: - device_query: '[?mount == `{{ item }}`] | [0].device' - fstype_query: '[?mount == `{{ item }}`] | [0].fstype' - options_query: '[?mount == `{{ item }}`] | [0].options' + device_query: '[?mount == `{{ item }}`] | [0].device' # noqa: jinja[invalid] + fstype_query: '[?mount == `{{ item }}`] | [0].fstype' # noqa: jinja[invalid] + options_query: '[?mount == `{{ item }}`] | [0].options' # noqa: jinja[invalid] with_items: - "{{ rhel7stig_nfs_mounts }}" when: diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index b544a948..a1c52225 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml 
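Review bot: In the `/mnt` hunk (`@@ -2050`) the guard `- "'nosuid' not in home_mount.options"` again references `home_mount`, while the var this task defines is `removable_mount2`; as a task-scoped var `home_mount` is not in scope here, so the check either errors as undefined or, if something else defines it, inspects the wrong mount. The `# noqa` comment added on `removable_mount2` leaves this unchanged. It should read `- "'nosuid' not in removable_mount2.options"`. The enclosing task starts above the hunk.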
@@ -71,8 +71,8 @@ fstype: "{{ dev_shm_mount.fstype | default('tmpfs') }}" opts: "{{ dev_shm_mount_opts }}" vars: - dev_shm_mount: "{{ ansible_mounts | json_query('[?mount == `/dev/shm`] | [0]') }}" - dev_shm_mount_opts: "{{ dev_shm_mount.options | default('defaults') }},nodev,nosuid{{ (rhel_07_021024) | ternary(',noexec', '') }}" + dev_shm_mount: "{{ ansible_mounts | json_query('[?mount == `/dev/shm`] | [0]') }}" # noqa: jinja[invalid] + dev_shm_mount_opts: "{{ dev_shm_mount.options | default('defaults') }},nodev,nosuid{{ (rhel_07_021024) | ternary(',noexec', '') }}" # noqa: jinja[invalid] when: - rhel_07_021024 tags: From c82e4fb9feecfb4e46f38f0895f83e0a7fc56346 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 14 Sep 2023 15:56:47 +0100 Subject: [PATCH 11/11] added precommit comment Signed-off-by: Mark Bolwell --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index fb60db15..40081ffc 100644 --- a/README.md +++ b/README.md @@ -212,6 +212,12 @@ If you would are interested in dedicated support to assist or provide bespoke se - [Ansible Counselor](https://www.mindpointgroup.com/products/ansible-counselor-on-demand-ansible-services-and-consulting/) - [Try us out](https://engage.mindpointgroup.com/try-ansible-counselor) +## Added Extras + +```sh +pre-commit run +``` + ## Credits This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig)
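Review bot: `dev_shm_mount_opts` ends with `{{ (rhel_07_021024) | ternary(',noexec', '') }}`, yet the task's only `when:` condition is `rhel_07_021024`, so the ternary can only ever yield `,noexec` and the expression can be simplified to `...,nodev,nosuid,noexec`. Separately, `dev_shm_mount.options` comes from `ansible_mounts`, so on a host whose `/dev/shm` already carries `nodev,nosuid,noexec` the string repeats those options; whether that makes the mount task report changed on every run depends on how the module compares the fstab line, which is worth verifying with a second run. The task's name and module line are above the hunk.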