ansible-lockdown · uk-bolly · Feb 14, 2024 · Sep 15, 2023 · Sep 15, 2023 · Sep 15, 2023
diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json
diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
@@ -75,10 +75,6 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
-    {
-      "path": "detect_secrets.filters.common.is_baseline_file",
-      "filename": ".config/.secrets.baseline"
-    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -113,78 +109,11 @@
     {
       "path": "detect_secrets.filters.regex.should_exclude_file",
       "pattern": [
-        ".config/.gitleaks-report.json"
+        ".config/.gitleaks-report.json",
+        "tasks/parse_etc_passwd.yml"
       ]
     }
   ],
-  "results": {
-    "defaults/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "defaults/main.yml",
-        "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
-        "is_verified": false,
-        "line_number": 467,
-        "is_secret": false
-      }
-    ],
-    "tasks/fix-cat2.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/fix-cat2.yml",
-        "hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859",
-        "is_verified": false,
-        "line_number": 1449,
-        "is_secret": false
-      }
-    ],
-    "tasks/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/main.yml",
-        "hashed_secret": "2784977b09b611a32db88f631d88a5806605967e",
-        "is_verified": false,
-        "line_number": 39,
-        "is_secret": false
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/main.yml",
-        "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
-        "is_verified": false,
-        "line_number": 56,
-        "is_secret": false
-      }
-    ],
-    "tasks/parse_etc_passwd.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/parse_etc_passwd.yml",
-        "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
-        "is_verified": false,
-        "line_number": 18
-      }
-    ],
-    "tasks/prelim.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/prelim.yml",
-        "hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a",
-        "is_verified": false,
-        "line_number": 228,
-        "is_secret": false
-      }
-    ],
-    "templates/pam_pkcs11.conf.j2": [
-      {
-        "type": "Secret Keyword",
-        "filename": "templates/pam_pkcs11.conf.j2",
-        "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
-        "is_verified": false,
-        "line_number": 173,
-        "is_secret": false
-      }
-    ]
-  },
-  "generated_at": "2023-09-14T14:19:49Z"
+  "results": {},
+  "generated_at": "2023-10-09T14:42:52Z"
 }
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
@@ -27,9 +27,9 @@
                   repo-token: ${{ secrets.GITHUB_TOKEN }}
                   pr-message: |-
                       Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                      Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+                      Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
-        # This workflow contains a single job which tests the playbook
+        # This workflow contains a single job that tests the playbook
         playbook-test:
           # The type of runner that the job will run on
           runs-on: ubuntu-latest
@@ -44,13 +44,13 @@
 
           steps:
             - name: Clone ${{ github.event.repository.name }}
-              uses: actions/checkout@v3
+              uses: actions/checkout@v4
               with:
                 ref: ${{ github.event.pull_request.head.sha }}
 
             # Pull in terraform code for linux servers
-            - name: Clone github IaC plan
-              uses: actions/checkout@v3
+            - name: Clone GitHub IaC plan
+              uses: actions/checkout@v4
               with:
                 repository: ansible-lockdown/github_linux_IaC
                 path: .github/workflows/github_linux_IaC
@@ -74,23 +74,23 @@
                 pwd
                 ls
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
             - name: Terraform_Init
               id: init
               run: terraform init
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
             - name: Terraform_Validate
               id: validate
               run: terraform validate
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
@@ -111,9 +111,9 @@
       # Aws deployments taking a while to come up insert sleep or playbook fails
 
             - name: Sleep for 60 seconds
-              run: sleep 60s
+              run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
-          # Run the ansible playbook
+          # Run the Ansible playbook
             - name: Run_Ansible_Playbook
               uses: arillso/action.playbook@master
               with:

diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
@@ -18,7 +18,7 @@
     # that can run sequentially or in parallel
     jobs:
 
-        # This workflow contains a single job which tests the playbook
+        # This workflow contains a single job that tests the playbook
         playbook-test:
           # The type of runner that the job will run on
           runs-on: ubuntu-latest
@@ -33,13 +33,13 @@
 
           steps:
             - name: Clone ${{ github.event.repository.name }}
-              uses: actions/checkout@v3
+              uses: actions/checkout@v4
               with:
                 ref: ${{ github.event.pull_request.head.sha }}
 
             # Pull in terraform code for linux servers
-            - name: Clone github IaC plan
-              uses: actions/checkout@v3
+            - name: Clone GitHub IaC plan
+              uses: actions/checkout@v4
               with:
                 repository: ansible-lockdown/github_linux_IaC
                 path: .github/workflows/github_linux_IaC
@@ -63,23 +63,23 @@
                 pwd
                 ls
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
             - name: Terraform_Init
               id: init
               run: terraform init
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
             - name: Terraform_Validate
               id: validate
               run: terraform validate
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
@@ -100,9 +100,9 @@
       # Aws deployments taking a while to come up insert sleep or playbook fails
 
             - name: Sleep for 60 seconds
-              run: sleep 60s
+              run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
-          # Run the ansible playbook
+          # Run the Ansible playbook
             - name: Run_Ansible_Playbook
               uses: arillso/action.playbook@master
               with:

diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml
@@ -1,11 +1,7 @@
 ---
 
-# This is a basic workflow to help you get started with Actions
-
 name: update galaxy
 
-# Controls when the action will run.
-# Triggers the workflow on merge request events to the main branch
 on:
     push:
         branches:
@@ -14,8 +10,10 @@ jobs:
     update_role:
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v3
-            - uses: robertdebock/galaxy-action@master
+            - name: Checkout repo
+              uses: actions/checkout@v4
+
+            - name: Action Ansible Galaxy Release ${{ github.ref_name }}
+              uses: ansible-actions/ansible-galaxy-action@main
               with:
-                  galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
-                  git_branch: main
+                galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.2.0
+  rev: v4.5.0
   hooks:
   # Safety
   - id: detect-aws-credentials
@@ -34,16 +34,15 @@ repos:
   hooks:
   - id: detect-secrets
     args: [ '--baseline', '.config/.secrets.baseline' ]
-    exclude: .config/.gitleaks-report.json
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.17.0
+  rev: v8.18.0
   hooks:
   - id: gitleaks
     args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v6.17.2
+  rev: v6.21.1
   hooks:
   - id: ansible-lint
     name: Ansible-lint

diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
@@ -65,4 +65,3 @@ following text in your contribution commit message:
 This message can be entered manually, or if you have configured git
 with the correct `user.name` and `user.email`, you can use the `-s`
 option to `git commit` to automatically include the signoff message.
-
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -115,14 +115,14 @@ README
 
 ## Release 1.9.0
 
-- RHEL-07-010271 - New Control Added 
+- RHEL-07-010271 - New Control Added
 - Update to STIG V3R9 Oct 27th 2022 - Changes Listed Below
   - RHEL-07-010342, RHEL-07-010343, RHEL- 07-020023, RHEL-07-030201 - Updated fix text.
   - RHEL-07-021040, RHEL-07-021700 - Updated check text command to eliminate false positives.
   - RHEL-07-030840 - Updated check and fix text.
   - RHEL-07-040160 - Updated check text.
   - RHEL-07-040310 - Corrected typo in the Vulnerability Discussion.
-  - RHEL-07-040360, RHEL-07-040530 - Updated CCI. 
+  - RHEL-07-040360, RHEL-07-040530 - Updated CCI.
 - Update to README and requirements
 - RHEL-07-010010, RHEL-07-010020, RHEL-07-010291, RHEL-07-021030,RHEL-07-021040 - Updated Tag Information
 

diff --git a/README.md b/README.md
@@ -12,7 +12,6 @@ This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on  July 23
 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
 
-![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61792?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)

diff --git a/ansible.cfg b/ansible.cfg
@@ -23,4 +23,3 @@ transfer_method=scp
 [colors]
 
 [diff]
-
diff --git a/collections/requirements.yml b/collections/requirements.yml
@@ -1,8 +1,14 @@
 ---
 
 collections:
-- name: community.general
+    - name: community.general
+      source: https://github.com/ansible-collections/community.general
+      type: git
 
-- name: community.crypto
+    - name: community.crypto
+      source: https://github.com/ansible-collections/community.crypto
+      type: git
 
-- name: ansible.posix
+    - name: ansible.posix
+      source: https://github.com/ansible-collections/ansible.posix
+      type: git
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -464,7 +464,7 @@ rhel7stig_force_exact_packages: "{{ rhel7stig_disruption_high }}"
 # RHEL-07-010480 and RHEL-07-010490
 # Password protect the boot loader
 
-rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'
+rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
 rhel7stig_boot_superuser: root
 
 # RHEL-07-021700 set the value for correctly configured grub bootloader sequence
@@ -693,7 +693,7 @@ rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1,
 
 rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}"
 
-rhel7stig_boot_part: "{{ rhel_07_boot_part.stdout }}"
+rhel7stig_boot_part: /boot
 
 rhel7stig_legacy_boot_path: '/boot/grub2/'
 rhel7stig_efi_boot_path: '/boot/efi/EFI/'

diff --git a/doc/README.md b/doc/README.md
@@ -5,4 +5,3 @@ To generate the documentation on a RHEL/CentOS 7 system, take the following step
    * `sudo pip3 install -r requirements.txt`
 3. Generate the documentation:
    * `make singlehtml`
-
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -27,7 +27,7 @@
 - name: make grub2 config
   ansible.builtin.shell: /usr/sbin/grub2-mkconfig --output={{ rhel7stig_bootloader_path }}grub.cfg
   when:
-      - rhel7stig_grub2_user_cfg.stat.exists
+      - (rhel7stig_grub2_user_cfg is defined) and (rhel7stig_grub2_user_cfg.stat.exists)
       - not rhel7stig_skip_for_travis
       - not rhel7stig_system_is_container
 
@@ -42,7 +42,7 @@
       - grub.cfg
       - user.cfg
   when:
-      - rhel7stig_grub2_user_cfg.stat.exists
+      - (rhel7stig_grub2_user_cfg is defined) and (rhel7stig_grub2_user_cfg.stat.exists)
       - rhel7stig_workaround_for_disa_benchmark
       - not rhel7stig_skip_for_travis
       - not rhel7stig_system_is_container

diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
@@ -456,6 +456,7 @@
                   insert: true
               when:
                   - rhel7stig_boot_part not in ['/', '']
+                  - item.uuid is defined
                   - not ansible_check_mode or
                     rhel7_stig_grub_template is not changed
               notify: confirm grub2 user cfg
@@ -474,9 +475,9 @@
                   - ansible_check_mode
                   - rhel_07_021350_audit is failed
               failed_when:
-                  - rhel_07_021350_audit is failed
-                  - not ansible_check_mode or
-                    rhel_07_021350_audit.rc > 1
+                  - rhel_07_021350_audit.rc not in [ 0, 1 ]
+                  - not ansible_check_mode
+
               when:
                   - not ansible_check_mode or
                     rhel7_stig_grub_template is not changed
Original file line number	Diff line number	Diff line change
Expand Up		@@ -65,4 +65,3 @@ following text in your contribution commit message:
		This message can be entered manually, or if you have configured git
		with the correct `user.name` and `user.email`, you can use the `-s`
		option to `git commit` to automatically include the signoff message.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -23,4 +23,3 @@ transfer_method=scp
		[colors]

		[diff]
Original file line number	Diff line number	Diff line change
Expand Up		@@ -5,4 +5,3 @@ To generate the documentation on a RHEL/CentOS 7 system, take the following step
		* `sudo pip3 install -r requirements.txt`
		3. Generate the documentation:
		* `make singlehtml`