diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json
index 5fcadd2b..fe51488c 100644
--- a/.config/.gitleaks-report.json
+++ b/.config/.gitleaks-report.json
@@ -1,222 +1 @@ -[ - { - "Description": "Generic API Key", - "StartLine": 9, - "EndLine": 9, - "StartColumn": 5, - "EndColumn": 55, - "Match": "Secret\": \"0f5b530255e5a064cc73699e4fa44ba8b2ad399f\"", - "Secret": "0f5b530255e5a064cc73699e4fa44ba8b2ad399f", - "File": ".config/.gitleaks-report.json", - "SymlinkFile": "", - "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e", - "Entropy": 3.7561984, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-13T11:09:38Z", - "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:9" - }, - { - "Description": "Generic API Key", - "StartLine": 29, - "EndLine": 29, - "StartColumn": 5, - "EndColumn": 39, - "Match": "Secret\": \"grub.pbkdf2.sha512.10000\"", - "Secret": "grub.pbkdf2.sha512.10000", - "File": ".config/.gitleaks-report.json", - "SymlinkFile": "", - "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e", - "Entropy": 3.8035088, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-13T11:09:38Z", - "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:29" - }, - { - "Description": "Generic API Key", - "StartLine": 49, - "EndLine": 49, - "StartColumn": 5, - "EndColumn": 55, - "Match": "Secret\": \"4fae1797297d5c73819a504516f2de7740e4b52d\"", - "Secret": "4fae1797297d5c73819a504516f2de7740e4b52d", - "File": ".config/.gitleaks-report.json", - "SymlinkFile": "", - "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e", - "Entropy": 3.7898228, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-13T11:09:38Z", - "Message": "updated secrets 
scan\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:49" - }, - { - "Description": "Generic API Key", - "StartLine": 69, - "EndLine": 69, - "StartColumn": 5, - "EndColumn": 55, - "Match": "Secret\": \"f395ee0a2d842bfcf81da0aad13591e2a9311fe1\"", - "Secret": "f395ee0a2d842bfcf81da0aad13591e2a9311fe1", - "File": ".config/.gitleaks-report.json", - "SymlinkFile": "", - "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e", - "Entropy": 3.618454, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-13T11:09:38Z", - "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:69" - }, - { - "Description": "Generic API Key", - "StartLine": 89, - "EndLine": 89, - "StartColumn": 5, - "EndColumn": 55, - "Match": "Secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", - "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "File": ".config/.gitleaks-report.json", - "SymlinkFile": "", - "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e", - "Entropy": 3.8439426, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-13T11:09:38Z", - "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:89" - }, - { - "Description": "Generic API Key", - "StartLine": 133, - "EndLine": 133, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"0f5b530255e5a064cc73699e4fa44ba8b2ad399f\"", - "Secret": "0f5b530255e5a064cc73699e4fa44ba8b2ad399f", - "File": 
".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "358016009cd8ec06f468d091aba4e92e984a8c4b", - "Entropy": 3.7561984, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-11T10:19:54Z", - "Message": "updated secrets\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "358016009cd8ec06f468d091aba4e92e984a8c4b:.config/.secrets.baseline:generic-api-key:133" - }, - { - "Description": "Generic API Key", - "StartLine": 9, - "EndLine": 9, - "StartColumn": 5, - "EndColumn": 39, - "Match": "Secret\": \"grub.pbkdf2.sha512.10000\"", - "Secret": "grub.pbkdf2.sha512.10000", - "File": ".config/.gitleaks-report.json", - "SymlinkFile": "", - "Commit": "f046ed0c486cba258a6d50e7124566a314b87c8e", - "Entropy": 3.8035088, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-11T09:06:43Z", - "Message": "added pre-commit setup\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "f046ed0c486cba258a6d50e7124566a314b87c8e:.config/.gitleaks-report.json:generic-api-key:9" - }, - { - "Description": "Generic API Key", - "StartLine": 125, - "EndLine": 125, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"4fae1797297d5c73819a504516f2de7740e4b52d\"", - "Secret": "4fae1797297d5c73819a504516f2de7740e4b52d", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "f046ed0c486cba258a6d50e7124566a314b87c8e", - "Entropy": 3.7898228, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-11T09:06:43Z", - "Message": "added pre-commit setup\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "f046ed0c486cba258a6d50e7124566a314b87c8e:.config/.secrets.baseline:generic-api-key:125" - }, - { - "Description": "Generic API Key", - "StartLine": 135, - 
"EndLine": 135, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"f395ee0a2d842bfcf81da0aad13591e2a9311fe1\"", - "Secret": "f395ee0a2d842bfcf81da0aad13591e2a9311fe1", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "f046ed0c486cba258a6d50e7124566a314b87c8e", - "Entropy": 3.618454, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-11T09:06:43Z", - "Message": "added pre-commit setup\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "f046ed0c486cba258a6d50e7124566a314b87c8e:.config/.secrets.baseline:generic-api-key:135" - }, - { - "Description": "Generic API Key", - "StartLine": 145, - "EndLine": 145, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", - "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "f046ed0c486cba258a6d50e7124566a314b87c8e", - "Entropy": 3.8439426, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-11T09:06:43Z", - "Message": "added pre-commit setup\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "f046ed0c486cba258a6d50e7124566a314b87c8e:.config/.secrets.baseline:generic-api-key:145" - }, - { - "Description": "Generic API Key", - "StartLine": 479, - "EndLine": 479, - "StartColumn": 23, - "EndColumn": 63, - "Match": "password_hash: \"grub.pbkdf2.sha512.10000\"", - "Secret": "grub.pbkdf2.sha512.10000", - "File": "defaults/main.yml", - "SymlinkFile": "", - "Commit": "ea067d7f8f12f2a81d7b2b99449799b1fae1ae51", - "Entropy": 3.8035088, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-07-10T15:12:00Z", - "Message": "updated default vars\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": 
"generic-api-key", - "Fingerprint": "ea067d7f8f12f2a81d7b2b99449799b1fae1ae51:defaults/main.yml:generic-api-key:479" - } -] +[] diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index 85b45d85..ad5f40df 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -75,10 +75,6 @@ { "path": "detect_secrets.filters.allowlist.is_line_allowlisted" }, - { - "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".config/.secrets.baseline" - }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", "min_level": 2 @@ -113,48 +109,11 @@ { "path": "detect_secrets.filters.regex.should_exclude_file", "pattern": [ - ".config/.gitleaks-report.json" + ".config/.gitleaks-report.json", + "tasks/parse_etc_password.yml" ] } ], - "results": { - "defaults/main.yml": [ - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "4fae1797297d5c73819a504516f2de7740e4b52d", - "is_verified": false, - "line_number": 480, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "0f5b530255e5a064cc73699e4fa44ba8b2ad399f", - "is_verified": false, - "line_number": 623, - "is_secret": false - } - ], - "tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "f395ee0a2d842bfcf81da0aad13591e2a9311fe1", - "is_verified": false, - "line_number": 54, - "is_secret": false - } - ], - "tasks/parse_etc_password.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/parse_etc_password.yml", - "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "is_verified": false, - "line_number": 16 - } - ] - }, - "generated_at": "2023-09-19T11:33:19Z" + "results": {}, + "generated_at": "2023-09-19T12:32:59Z" } diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 97c79434..9fa68a00 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
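Review bot: The second `.secrets.baseline` hunk suppresses `tasks/parse_etc_password.yml` as a whole file through `detect_secrets.filters.regex.should_exclude_file`, so anything added to that file later is no longer scanned, while the removed `results` entry for it (line 16, the only one without `is_secret: false`) was never triaged. The other three findings in this commit are handled at line level with `# pragma: allowlist secret` in `defaults/main.yml` and `tasks/main.yml`; the consistent fix is to drop the new `"tasks/parse_etc_password.yml"` pattern and put the same pragma on the one flagged line, keeping the file under scan. The patterns in that array are regular expressions, so `.` should be escaped (`"^\\.config/\\.gitleaks-report\\.json$"`) if the entries are kept. The first hunk also removes the `is_baseline_file` filter; with `results` now empty the effect is not visible here, but it presumably means the baseline file itself is scanned unless the pre-commit `exclude` covers it — worth confirming.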
@@ -34,13 +34,14 @@ repos: hooks: - id: detect-secrets args: [ '--baseline', '.config/.secrets.baseline' ] - exclude: .config/.gitleaks-report.json + exclude: .config/.gitleaks-report.json tasks/parse_etc_password - repo: https://github.com/gitleaks/gitleaks rev: v8.17.0 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] + exclude: .config/.secrets.baseline - repo: https://github.com/ansible-community/ansible-lint rev: v6.17.2 diff --git a/defaults/main.yml b/defaults/main.yml index 3b2b64f9..e42dfe03 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -477,7 +477,7 @@ ubtu20cis_set_grub_password: true ubtu20cis_grub_user_file: /etc/grub.d/40_custom ubtu20cis_grub_user: root ubtu20cis_grub_file: /boot/grub/grub.cfg -ubtu20cis_bootloader_password_hash: "grub.pbkdf2.sha512.10000" +ubtu20cis_bootloader_password_hash: "grub.pbkdf2.sha512.10000" # pragma: allowlist secret # Change the following value to true if you wish to be prompted to get past grub bootloader ubtu20cis_ask_passwd_to_boot: false @@ -620,7 +620,7 @@ ubtu20cis_sudo_timestamp_timeout: 15 ubtu20cis_sugroup: nosugroup # Controls 4.4.x -ubtu20cis_passwd_hash_algo: sha512 +ubtu20cis_passwd_hash_algo: sha512 # pragma: allowlist secret # pam_tally2 login options allows for audit to be removed if required ubtu20cis_pamtally2_login_opts: 'onerr=fail audit silent deny=5 unlock_time=900' diff --git a/tasks/main.yml b/tasks/main.yml index 5afb0e98..8994906f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -51,7 +51,7 @@ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for sudo user {{ ansible_env.SUDO_USER }}" vars: - sudo_password_rule: ubtu20cis_rule_4_3_4 + sudo_password_rule: ubtu20cis_rule_4_3_4 # pragma: allowlist secret when: - ubtu20cis_rule_4_3_4 - ansible_env.SUDO_USER is defined
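Review bot: The detect-secrets `exclude` in the first hunk is a single regular expression, not a whitespace-separated list of paths, so `exclude: .config/.gitleaks-report.json tasks/parse_etc_password` only matches a filename containing that literal string with a space and therefore excludes neither file. Use an alternation and anchor it: `exclude: '^(\.config/\.gitleaks-report\.json|tasks/parse_etc_password\.yml)$'`. The new gitleaks `exclude: .config/.secrets.baseline` is valid but unanchored and unescaped; `exclude: '^\.config/\.secrets\.baseline$'` states the intent precisely. Whether the baseline's own `should_exclude_file` entries currently mask the broken detect-secrets exclude cannot be told from this hunk.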
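Review bot: In the first `defaults/main.yml` hunk, `ubtu20cis_bootloader_password_hash: "grub.pbkdf2.sha512.10000"` is only the hash-format prefix rather than a usable value, and the added `# pragma: allowlist secret` marker says nothing about that; with `ubtu20cis_set_grub_password: true` four lines above in the same hunk, a reader needs to know the default must be overridden. I would add a comment above the line: `# Placeholder (format prefix only): override with the full grub-mkpasswd-pbkdf2 output from host/group vars; do not commit a real hash here`. Note also that `# pragma: allowlist secret` is a detect-secrets directive; gitleaks, whose baseline this commit empties, reads `gitleaks:allow` instead, so if the gitleaks hook flags the same line it will need that marker as well (inferred, not visible in the hunk).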