V3R14 to main release #477

Merged
merged 111 commits into from
Nov 14, 2024
Changes from 1 commit
Commits
111 commits
f117074
Specify missing state parameter for package
anzoman Sep 15, 2023
130e021
Correct with_items indentation for package
anzoman Sep 15, 2023
601ef18
Replace inline strings with module parameters
anzoman Sep 15, 2023
b53d7be
Merge pull request #437 from anzoman/steampunk-spotter-fixes
uk-bolly Sep 15, 2023
dfb9791
updated link
uk-bolly Sep 15, 2023
5108506
lint updates
uk-bolly Sep 15, 2023
223624e
removed old
uk-bolly Sep 15, 2023
20a720a
added new defined secrets file
uk-bolly Sep 15, 2023
5956a0f
added precommit
uk-bolly Sep 15, 2023
395956a
Merge pull request #438 from ansible-lockdown/discord_updates
uk-bolly Sep 15, 2023
aa000e8
lint updates
uk-bolly Oct 9, 2023
d14af2e
updated
uk-bolly Oct 9, 2023
1dc0f9b
added pragma allow list
uk-bolly Oct 9, 2023
6098b02
updated due to galaxy changes
uk-bolly Oct 9, 2023
197f961
moved file
uk-bolly Oct 9, 2023
d49469b
updated path
uk-bolly Oct 9, 2023
5aae574
removed quality badge since galaxy-ng
uk-bolly Oct 9, 2023
32fe8c1
Merge pull request #439 from ansible-lockdown/collections_lint
uk-bolly Oct 10, 2023
fb6f4fe
Adding additional condition for rhel7stig_grub2_user_cfg for task
layluke Oct 18, 2023
5e47e97
Merge pull request #441 from layluke/440-Grub_Handler_Fix
uk-bolly Oct 25, 2023
88f570b
updated version
uk-bolly Oct 25, 2023
ea14041
quoted version
uk-bolly Oct 25, 2023
c48ab81
updated rule id 020230
uk-bolly Oct 25, 2023
d602fd9
rule ids and inactive variable added
uk-bolly Oct 25, 2023
f480204
updated
uk-bolly Oct 25, 2023
6a7137f
updated the workflow version and galaxy setup
uk-bolly Oct 31, 2023
b3f3248
updated the workflow version and galaxy setup
uk-bolly Oct 31, 2023
d26e104
Merge pull request #442 from ansible-lockdown/workflow_galaxy
uk-bolly Nov 1, 2023
d687371
removed file
uk-bolly Nov 1, 2023
9dd216c
updated
uk-bolly Nov 1, 2023
388f850
updated
uk-bolly Nov 1, 2023
22f7dab
lint update
uk-bolly Nov 1, 2023
51b2df3
fix typo
uk-bolly Nov 1, 2023
9943f97
Merge pull request #444 from ansible-lockdown/tidyup
uk-bolly Nov 1, 2023
fb58a03
lint
uk-bolly Nov 2, 2023
ad96dd7
updated precommit files
uk-bolly Nov 2, 2023
444074d
rhel7stig_boot_part variable now discovered
uk-bolly Nov 14, 2023
6276776
tidy up of rhel7stig_boot_part variable
uk-bolly Nov 14, 2023
ad3b174
changed logic on 20620
uk-bolly Nov 15, 2023
617e008
updated logic for uuid
uk-bolly Nov 20, 2023
6e7329b
removed extra line
uk-bolly Nov 21, 2023
212f524
Merge pull request #445 from ansible-lockdown/fix_021350
uk-bolly Nov 21, 2023
207be13
removed doc dir
uk-bolly Jan 11, 2024
4e0554f
Merge pull request #449 from ansible-lockdown/nodocs
uk-bolly Jan 11, 2024
3901021
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Jan 22, 2024
c294efb
Merge pull request #447 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Jan 26, 2024
594ece9
Issue #446 tag update to always - thanks to @prestonSeaman2
uk-bolly Jan 26, 2024
e401d83
conditional updated 021000 & 021010 #448 thanks @erosen03
uk-bolly Jan 26, 2024
9f52057
Merge branch 'jan_24_updates' into stig_v3r13
uk-bolly Jan 26, 2024
3ce0e42
Merge pull request #450 from ansible-lockdown/jan_24_updates
uk-bolly Jan 26, 2024
1f997b7
[pre-commit.ci] pre-commit autoupdate (#451)
pre-commit-ci[bot] Feb 14, 2024
dfe8425
[pre-commit.ci] pre-commit autoupdate (#454)
pre-commit-ci[bot] Mar 5, 2024
df38ef9
Feb 24 updates (#455)
uk-bolly Mar 6, 2024
da5270f
Merge branch 'main' into devel
uk-bolly Mar 6, 2024
82abd51
incorporated Feb_24 fixes
uk-bolly Mar 14, 2024
e277b23
v3r14 ref updated
uk-bolly Mar 14, 2024
09e75c8
v3r14 update
uk-bolly Mar 14, 2024
82d5761
associated rule updated v3r14
uk-bolly Mar 14, 2024
6d800a4
Stig v3r13 into devel (#457)
uk-bolly Mar 14, 2024
8911cbd
updated meta
uk-bolly Mar 19, 2024
91fd0d9
[pre-commit.ci] pre-commit autoupdate (#458)
pre-commit-ci[bot] Apr 10, 2024
16f3465
prelim.yml fixes on when conditions on cronie passwd_tasks
frederickw082922 Apr 11, 2024
94964ab
Merge pull request #460 from ansible-lockdown/2024_APRIL_UPDATE
frederickw082922 Apr 11, 2024
c7ebdb0
audit rewrite and logic improvements
uk-bolly Apr 15, 2024
4edeb2a
added prelim to includes
uk-bolly Apr 15, 2024
509fa41
added prelim to includes quoted
uk-bolly Apr 15, 2024
3508dfc
[pre-commit.ci] pre-commit autoupdate (#461)
pre-commit-ci[bot] Apr 22, 2024
2db15ef
Excluding non-interactive login shells from being parsed
layluke May 2, 2024
c0c0ba5
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Jun 17, 2024
3026fd9
Merge pull request #468 from ansible-lockdown/pre-commit-ci-update-co…
georgenalen Jun 18, 2024
a57f56e
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Jul 15, 2024
c5936ff
21350 improvements
uk-bolly Jul 17, 2024
ebaefbd
moved audit to prelim
uk-bolly Jul 17, 2024
bb6ed8d
Audit updates
uk-bolly Jul 17, 2024
6a1dd5c
moved var from site to vars/main.yml
uk-bolly Jul 17, 2024
a85ccc0
Merge pull request #466 from layluke/462
uk-bolly Jul 17, 2024
a501c7f
Merge pull request #469 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Jul 17, 2024
1e000ce
reorder
uk-bolly Jul 17, 2024
aeef574
quotes on mode items
uk-bolly Jul 17, 2024
e00e54b
added update repo url for centos option
uk-bolly Jul 18, 2024
150a6b6
removed notify not required
uk-bolly Jul 18, 2024
ddd17c7
Updated
uk-bolly Jul 18, 2024
98d768f
Merge pull request #470 from ansible-lockdown/workflow_audit
uk-bolly Jul 18, 2024
d1ef065
Updated workflow
uk-bolly Jul 18, 2024
41a3edf
Merge pull request #471 from ansible-lockdown/workflow_audit
uk-bolly Jul 18, 2024
a25e8bf
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Sep 16, 2024
f697cfc
Merge pull request #472 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Sep 17, 2024
2b1804d
Merge branch 'devel' into stig_v3r14
uk-bolly Sep 17, 2024
b51cdf4
added solution for gui and X11 for 040730
uk-bolly Sep 17, 2024
f2baee2
updated default var to use discovered value
uk-bolly Sep 17, 2024
b38ce35
Alignment
uk-bolly Sep 17, 2024
cbeab4a
remove jmespath on the way mountpoints are checked
uk-bolly Sep 19, 2024
594c50f
removed breaking dupe line
uk-bolly Sep 19, 2024
c6d2e06
Updated goss version and added ARM
uk-bolly Sep 19, 2024
a94da63
updated mount and wireless checks
uk-bolly Sep 19, 2024
272ce78
aligned benchmark git version name
uk-bolly Sep 19, 2024
6304b8d
Merge branch 'devel' into stig_v3r14
uk-bolly Sep 23, 2024
06d5a34
removed empty line
uk-bolly Sep 23, 2024
df0e444
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Sep 23, 2024
5b6660e
Merge pull request #474 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Sep 24, 2024
ebad8d3
Merge pull request #473 from ansible-lockdown/stig_v3r14
uk-bolly Sep 24, 2024
0b0049a
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Oct 21, 2024
2e45c3d
Merge pull request #475 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Oct 22, 2024
e904997
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Oct 28, 2024
3623e05
Merge pull request #476 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Oct 29, 2024
75bd5e6
Merge branch 'main' into devel
uk-bolly Oct 29, 2024
0e839b7
updated layout 21350
uk-bolly Oct 30, 2024
18f123f
fixed layout 041010
uk-bolly Oct 30, 2024
aa0be1c
moved check_mode
uk-bolly Nov 1, 2024
744f42e
moved check_mode
uk-bolly Nov 1, 2024
b223ae5
Merge pull request #478 from ansible-lockdown/Oct24
uk-bolly Nov 1, 2024
added pragma allow list
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
uk-bolly committed Oct 9, 2023
commit 1dc0f9b6af888b6f8dd40358ec27a6b0cadc0cba
68 changes: 3 additions & 65 deletions .config/.secrets.baseline
@@ -110,72 +110,10 @@
"path": "detect_secrets.filters.regex.should_exclude_file",
"pattern": [
".config/.gitleaks-report.json",
"tasks/parse_etc_password.yml"
"tasks/parse_etc_passwd.yml"
]
}
],
"results": {
"defaults/main.yml": [
{
"type": "Secret Keyword",
"filename": "defaults/main.yml",
"hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
"is_verified": false,
"line_number": 467
}
],
"tasks/fix-cat2.yml": [
{
"type": "Secret Keyword",
"filename": "tasks/fix-cat2.yml",
"hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859",
"is_verified": false,
"line_number": 1450
}
],
"tasks/main.yml": [
{
"type": "Secret Keyword",
"filename": "tasks/main.yml",
"hashed_secret": "2784977b09b611a32db88f631d88a5806605967e",
"is_verified": false,
"line_number": 39
},
{
"type": "Secret Keyword",
"filename": "tasks/main.yml",
"hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
"is_verified": false,
"line_number": 56
}
],
"tasks/parse_etc_passwd.yml": [
{
"type": "Secret Keyword",
"filename": "tasks/parse_etc_passwd.yml",
"hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
"is_verified": false,
"line_number": 18
}
],
"tasks/prelim.yml": [
{
"type": "Secret Keyword",
"filename": "tasks/prelim.yml",
"hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a",
"is_verified": false,
"line_number": 232
}
],
"templates/pam_pkcs11.conf.j2": [
{
"type": "Secret Keyword",
"filename": "templates/pam_pkcs11.conf.j2",
"hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
"is_verified": false,
"line_number": 173
}
]
},
"generated_at": "2023-10-09T14:38:05Z"
"results": {},
"generated_at": "2023-10-09T14:42:52Z"
}
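Review bot: the `results` block is emptied entirely, so the inline `# pragma: allowlist secret` comments in the other files become the only record of why these six "Secret Keyword" hits are accepted; a short comment beside each pragma naming what the value really is (a STIG rule ID, a sentinel placeholder) would keep that reasoning reviewable without the baseline. Separately, correcting the `should_exclude_file` pattern from `tasks/parse_etc_password.yml` to `tasks/parse_etc_passwd.yml` means the whole file is now skipped by the scanner rather than just the previously flagged line 18, which is broader than the per-line allowlist used for the other files; consider dropping the file exclusion and allowlisting that one line instead so any later addition to the file is still scanned.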
2 changes: 1 addition & 1 deletion defaults/main.yml
@@ -464,7 +464,7 @@ rhel7stig_force_exact_packages: "{{ rhel7stig_disruption_high }}"
# RHEL-07-010480 and RHEL-07-010490
# Password protect the boot loader

rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'
rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
rhel7stig_boot_superuser: root

# RHEL-07-021700 set the value for correctly configured grub bootloader sequence
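Review bot: allowlisting `grub.pbkdf2.sha512.changethispassword` is appropriate because it is a placeholder rather than a credential, and tasks/main.yml asserts that the variable has been changed away from it before any bootloader task runs; a comment on the line stating that this value is intentionally non-working and must be overridden would make that contract obvious to anyone reading the defaults.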
2 changes: 1 addition & 1 deletion tasks/fix-cat2.yml
@@ -1447,7 +1447,7 @@
ansible.builtin.include_tasks:
file: parse_etc_passwd.yml
vars:
rhel7stig_passwd_tasks: "RHEL-07-020270" # noqa: no-handler
rhel7stig_passwd_tasks: "RHEL-07-020270" # noqa: no-handler # pragma: allowlist secret
when: rhel_07_020270_patch is changed
when:
- rhel_07_020270
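Review bot: the allowlisted value `RHEL-07-020270` is a STIG rule ID, not a secret; the scanner fires on the `passwd` keyword in the variable name. Stacking `# pragma: allowlist secret` after `# noqa: no-handler` relies on detect-secrets finding the pragma anywhere in the trailing comment; the regenerated baseline in this commit (results now empty) is the evidence that it does, so it would be worth keeping that ordering consistent wherever both comments are needed.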
6 changes: 3 additions & 3 deletions tasks/main.yml
@@ -36,7 +36,7 @@
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
success_msg: "You a password set for the {{ ansible_env.SUDO_USER }}"
vars:
sudo_password_rule: RHEL-07-010340
sudo_password_rule: RHEL-07-010340 # pragma: allowlist secret
when:
- rhel_07_010340
- ansible_env.SUDO_USER is defined
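Review bot: the context line `success_msg: "You a password set for the {{ ansible_env.SUDO_USER }}"` is missing a word; since this hunk already touches the task, fix it to `success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }}"`. The allowlisted value itself is the rule ID RHEL-07-010340, matched only because of the `password` keyword in the variable name.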
@@ -53,8 +53,8 @@

- name: Check rhel7stig_bootloader_password_hash variable has been changed
ansible.builtin.assert:
that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set. You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'"
that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set. You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'" # pragma: allowlist secret
when:
- rhel_07_010481 or
rhel_07_010482 or
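Review bot: the pragma on the `msg:` line looks unnecessary: the old baseline flagged only line 56 of this file (the `that:` comparison against the sentinel hash, the same hashed_secret as defaults/main.yml line 467), and the message text carries no secret-like token; dropping the second pragma keeps the allowlist to the lines the scanner actually reported.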
2 changes: 1 addition & 1 deletion tasks/prelim.yml
@@ -229,7 +229,7 @@
ansible.builtin.include_tasks:
file: parse_etc_passwd.yml
vars:
rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690"
rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690" # pragma: allowlist secret
when:
- rhel_07_020600 or
rhel_07_020620 or
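Review bot: as in tasks/fix-cat2.yml, the allowlisted value is a space-separated list of STIG rule IDs rather than a credential. The inline pragma is the right choice over a baseline entry here because this value changes whenever a rule ID is added to or removed from the list, and a changed value would no longer match the `hashed_secret` recorded in the baseline and would resurface as a new finding.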
2 changes: 1 addition & 1 deletion templates/pam_pkcs11.conf.j2
@@ -170,7 +170,7 @@ pam_pkcs11 {
# DN to bind with. Must have read-access for user entries under "base"
binddn = "cn=pam,o=example,c=com";
# Password for above DN
passwd = "test";
passwd = "test"; # pragma: allowlist secret
# Searchbase for user entries
base = "ou=People,o=example,c=com";
# Attribute of user entry which contains the certificate
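Review bot: unlike the other hunks, `passwd = "test"` is a literal LDAP bind password shipped inside the template, and the pragma only silences the scanner; if the role renders this file, that default lands on every host. Consider sourcing it from a role variable with no default, so the scanner finding is resolved by removing the credential rather than by accepting it.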