Skip to content

Commit

Permalink
Merge pull request #125 from ansible-lockdown/devel
Browse files Browse the repository at this point in the history
Release to main
  • Loading branch information
uk-bolly authored Dec 12, 2023
2 parents 68ce732 + c10bca7 commit 5f03547
Show file tree
Hide file tree
Showing 26 changed files with 339 additions and 213 deletions.
18 changes: 9 additions & 9 deletions .github/workflows/devel_pipeline_validation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
# This workflow contains a single job which tests the playbook
# This workflow contains a single job that tests the playbook
playbook-test:
# The type of runner that the job will run on
runs-on: ubuntu-latest
Expand All @@ -44,13 +44,13 @@

steps:
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

# Pull in terraform code for linux servers
- name: Clone github IaC plan
uses: actions/checkout@v3
- name: Clone GitHub IaC plan
uses: actions/checkout@v4
with:
repository: ansible-lockdown/github_linux_IaC
path: .github/workflows/github_linux_IaC
Expand All @@ -74,23 +74,23 @@
pwd
ls
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Init
id: init
run: terraform init
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Validate
id: validate
run: terraform validate
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

Expand All @@ -111,9 +111,9 @@
# Aws deployments taking a while to come up insert sleep or playbook fails

- name: Sleep for 60 seconds
run: sleep 60s
run: sleep ${{ vars.BUILD_SLEEPTIME }}

# Run the ansible playbook
# Run the Ansibleplaybook
- name: Run_Ansible_Playbook
uses: arillso/action.playbook@master
with:
Expand Down
18 changes: 9 additions & 9 deletions .github/workflows/main_pipeline_validation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@
# that can run sequentially or in parallel
jobs:

# This workflow contains a single job which tests the playbook
# This workflow contains a single job that tests the playbook
playbook-test:
# The type of runner that the job will run on
runs-on: ubuntu-latest
Expand All @@ -33,13 +33,13 @@

steps:
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}

# Pull in terraform code for linux servers
- name: Clone github IaC plan
uses: actions/checkout@v3
- name: Clone GitHub IaC plan
uses: actions/checkout@v4
with:
repository: ansible-lockdown/github_linux_IaC
path: .github/workflows/github_linux_IaC
Expand All @@ -63,23 +63,23 @@
pwd
ls
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Init
id: init
run: terraform init
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Validate
id: validate
run: terraform validate
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

Expand All @@ -100,9 +100,9 @@
# Aws deployments taking a while to come up insert sleep or playbook fails

- name: Sleep for 60 seconds
run: sleep 60s
run: sleep ${{ vars.BUILD_SLEEPTIME }}

# Run the ansible playbook
# Run the Ansibleplaybook
- name: Run_Ansible_Playbook
uses: arillso/action.playbook@master
with:
Expand Down
14 changes: 6 additions & 8 deletions .github/workflows/update_galaxy.yml
Original file line number Diff line number Diff line change
@@ -1,11 +1,7 @@
---

# This is a basic workflow to help you get started with Actions

name: update galaxy

# Controls when the action will run.
# Triggers the workflow on merge request events to the main branch
on:
push:
branches:
Expand All @@ -14,8 +10,10 @@ jobs:
update_role:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: robertdebock/galaxy-action@master
- name: Checkout repo
uses: actions/checkout@v4

- name: Action Ansible Galaxy Release ${{ github.ref_name }}
uses: ansible-actions/ansible-galaxy-action@main
with:
galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
git_branch: main
galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
8 changes: 4 additions & 4 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ ci:

repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v3.2.0
rev: v4.5.0
hooks:
# Safety
- id: detect-aws-credentials
Expand Down Expand Up @@ -37,14 +37,14 @@ repos:
exclude: .config/.gitleaks-report.json tasks/parse_etc_password

- repo: https://github.com/gitleaks/gitleaks
rev: v8.17.0
rev: v8.18.1
hooks:
- id: gitleaks
args: ['--baseline-path', '.config/.gitleaks-report.json']
exclude: .config/.secrets.baseline

- repo: https://github.com/ansible-community/ansible-lint
rev: v6.17.2
rev: v6.22.1
hooks:
- id: ansible-lint
name: Ansible-lint
Expand All @@ -63,6 +63,6 @@ repos:
- ansible-core>=2.10.1

- repo: https://github.com/adrienverge/yamllint.git
rev: v1.32.0 # or higher tag
rev: v1.33.0 # or higher tag
hooks:
- id: yamllint
7 changes: 7 additions & 0 deletions Changelog.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,12 @@
# Change log for Ubuntu 2004

## v2.0.1 based upon CIS 2.0.1

- ability to run goss audit only audit_only variable
- audit vars mainly move dto var/audit.yml
- several control updates
- goss version update to 0.4.4

## V2.0 based upon CIS 2.0.1

- v2.0.1 - refer to change history from official CIS pdf.
Expand Down
1 change: 0 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@
![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)

![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/54777?label=Quality&&logo=ansible)
![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)

![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
Expand Down
6 changes: 6 additions & 0 deletions collections/requirements.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,13 @@

collections:
- name: community.general
source: https://github.com/ansible-collections/community.general
type: git

- name: community.crypto
source: https://github.com/ansible-collections/community.crypto
type: git

- name: ansible.posix
source: https://github.com/ansible-collections/ansible.posix
type: git
97 changes: 39 additions & 58 deletions defaults/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,26 +18,53 @@ benchmark: UBUNTU20-CIS
## metadata for Audit benchmark
benchmark_version: 'v2.0.1'

### Audit Binary is required on the remote host
##########################################
### Goss is required on the remote host ###
## Refer to vars/auditd.yml for any other settings ##

# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
setup_audit: false

# enable audits to run - this runs the audit and get the latest content
run_audit: false

# Only run Audit do not remediate
audit_only: false
# As part of audit_only
# This will enable files to be copied back to control node
fetch_audit_files: false
# Path to copy the files to will create dir structure
audit_capture_files_dir: /some/location to copy to on control node

# How to retrieve audit binary
# Options are copy or download - detailed settings at the bottom of this file
# you will need to access to either github or the file already dowmloaded
get_audit_binary_method: download

## if get_audit_binary_method - copy the following needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node
## e.g copy from ansible control node to remote host
audit_bin_copy_location: /some/accessible/path

# how to get audit files onto host options
# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
audit_content: git

# enable audits to run - this runs the audit and get the latest content
run_audit: false
# archive or copy:
audit_conf_copy: "some path to copy from"

# get_url:
audit_files_url: "some url maybe s3?"

# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
audit_run_heavy_tests: true
# Timeout for those cmds that take longer to run where timeout set
audit_cmd_timeout: 60000

### End Audit enablements ####
# This variable specifies the timeout (in ms) for audit commands that
# take a very long time: if a command takes too long to complete,
# it will be forcefully terminated after the specified duration.
audit_cmd_timeout: 120000

### End Goss enablements ####

# We've defined complexity-high to mean that we cannot automatically remediate
# the rule in question. In the future this might mean that the remediation
Expand Down Expand Up @@ -415,7 +442,7 @@ ubtu20cis_dovecot_server: false
ubtu20cis_smb_server: false
ubtu20cis_squid_server: false
ubtu20cis_snmp_server: false
ubtu20cis_rsync_server: false
ubtu20cis_rsync_server: mask # Can be set to true, mask or remove depending on requirements
ubtu20cis_nis_server: false
ubtu20cis_nfs_client: false
# rpcbind is required by nfs-common which is required on client and server
Expand Down Expand Up @@ -467,15 +494,17 @@ ubtu20cis_aide_cron:
aide_weekday: '*'

# Control 1.4.1
# THIS VARIABLE SHOULD BE CHANGED
# THESE VARIABLES SHOULD BE CHANGED
# This will fail assertion if not changed and rule 1.4.2 is enabled
# insert password as per output of running grub-mkpasswd-pbkdf2
# refers to https://help.ubuntu.com/community/Grub2/Passwords

# You maybe changing the root password if grub user root - Ensure you understand the risks
ubtu20cis_set_grub_user_password: false
ubtu20cis_grub_user: root
ubtu20cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' # Set to changeme
ubtu20cis_set_boot_pass: false
ubtu20cis_set_grub_password: true
ubtu20cis_grub_user_file: /etc/grub.d/40_custom
ubtu20cis_grub_user: root
ubtu20cis_grub_file: /boot/grub/grub.cfg

# This is used to set the password in grub the full string is required.
Expand Down Expand Up @@ -739,51 +768,3 @@ ubtu20cis_sgid_adjust: false
# Control 6.2.5 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable
# ubtu20cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
ubtu20cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"

#### Audit Configuration Settings ####

### Audit binary settings ###
audit_bin_version:
release: v0.3.23
checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d'
audit_bin_path: /usr/local/bin/
audit_bin: "{{ audit_bin_path }}goss"
audit_format: json

# if get_audit_binary_method == download change accordingly
audit_bin_url: "https://github.com/aelsabbahy/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64"

## if get_audit_binary_method - copy the following needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node
## e.g copy from ansible control node to remote host
audit_bin_copy_location: /some/accessible/path

### Goss Audit Benchmark file ###
## managed by the control audit_content
# git
audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
audit_git_version: "benchmark_{{ benchmark_version }}"

# archive or copy:
audit_conf_copy: "some path to copy from"

# get_url:
audit_files_url: "some url maybe s3?"

## Goss configuration information
# Where the goss configs and outputs are stored
audit_out_dir: '/opt'
# Where the goss audit configuration will be stored
audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"

# If changed these can affect other products
pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"

## The following should not need changing
audit_control_file: "{{ audit_conf_dir }}goss.yml"
audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml"
audit_results: |
The pre remediation results are: {{ pre_audit_summary }}.
The post remediation results are: {{ post_audit_summary }}.
Full breakdown can be found in {{ audit_out_dir }}
Loading

0 comments on commit 5f03547

Please sign in to comment.