diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
deleted file mode 100644
index 9887dca..0000000
--- a/.config/.secrets.baseline
+++ /dev/null
@@ -1,119 +0,0 @@
-{
- "version": "1.4.0",
- "plugins_used": [
- {
- "name": "ArtifactoryDetector"
- },
- {
- "name": "AWSKeyDetector"
- },
- {
- "name": "AzureStorageKeyDetector"
- },
- {
- "name": "Base64HighEntropyString",
- "limit": 4.5
- },
- {
- "name": "BasicAuthDetector"
- },
- {
- "name": "CloudantDetector"
- },
- {
- "name": "DiscordBotTokenDetector"
- },
- {
- "name": "GitHubTokenDetector"
- },
- {
- "name": "HexHighEntropyString",
- "limit": 3.0
- },
- {
- "name": "IbmCloudIamDetector"
- },
- {
- "name": "IbmCosHmacDetector"
- },
- {
- "name": "JwtTokenDetector"
- },
- {
- "name": "KeywordDetector",
- "keyword_exclude": ""
- },
- {
- "name": "MailchimpDetector"
- },
- {
- "name": "NpmDetector"
- },
- {
- "name": "PrivateKeyDetector"
- },
- {
- "name": "SendGridDetector"
- },
- {
- "name": "SlackDetector"
- },
- {
- "name": "SoftlayerDetector"
- },
- {
- "name": "SquareOAuthDetector"
- },
- {
- "name": "StripeDetector"
- },
- {
- "name": "TwilioKeyDetector"
- }
- ],
- "filters_used": [
- {
- "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
- },
- {
- "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
- "min_level": 2
- },
- {
- "path": "detect_secrets.filters.heuristic.is_indirect_reference"
- },
- {
- "path": "detect_secrets.filters.heuristic.is_likely_id_string"
- },
- {
- "path": "detect_secrets.filters.heuristic.is_lock_file"
- },
- {
- "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
- },
- {
- "path": "detect_secrets.filters.heuristic.is_potential_uuid"
- },
- {
- "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
- },
- {
- "path": "detect_secrets.filters.heuristic.is_sequential_string"
- },
- {
- "path": "detect_secrets.filters.heuristic.is_swagger_file"
- },
- {
- "path": "detect_secrets.filters.heuristic.is_templated_secret"
- },
- {
- "path": "detect_secrets.filters.regex.should_exclude_file",
- "pattern": [
- ".config/.gitleaks-report.json",
- "tasks/parse_etc_passwd.yml"
- ]
- }
- ],
- "results": {},
- "generated_at": "2023-09-20T12:31:28Z"
-}
diff --git a/.gitignore b/.gitignore
index c4d29c3..f67408e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,8 +3,6 @@
 *.retry
 .cache
 .vagrant
-vagrantfile
-Vagrantfile
 tests/*redhat-subscription
 tests/Dockerfile
 *.iso
@@ -12,6 +10,9 @@ tests/Dockerfile
 packer_cache
 delete*
 ignore*
+test_inv
+# temp remove doc while this is built up
+doc/
 # VSCode
 .vscode
@@ -45,4 +46,3 @@ benchparse/
 # GitHub Action/Workflow files
 .github/
-.DS_Store
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f2f732a..717f0e6 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -33,16 +33,14 @@ repos:
 rev: v1.4.0
 hooks:
 - id: detect-secrets
- args: [ '--baseline', '.config/.secrets.baseline' ]
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.18.0
+ rev: v8.18.2
 hooks:
 - id: gitleaks
- args: ['--baseline-path', '.config/.gitleaks-report.json']
 - repo: https://github.com/ansible-community/ansible-lint
- rev: v6.21.1
+ rev: v24.2.0
 hooks:
 - id: ansible-lint
 name: Ansible-lint
@@ -61,6 +59,6 @@ repos:
 - ansible-core>=2.10.1
 - repo: https://github.com/adrienverge/yamllint.git
- rev: v1.32.0 # or higher tag
+ rev: v1.35.1 # or higher tag
 hooks:
 - id: yamllint
diff --git a/ChangeLog.md b/ChangeLog.md
index 2c7f534..8583848 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,5 +1,11 @@
 # Changelog
+## Based on Stig v1r7 - Jan 2023
+
+- ansible version updated to 2.10.1 minimum
+- updates to pre-commit config
+- gitignore updated
+
 ## Release 0.9.1
 - yamllint update
@@ -15,7 +21,7 @@ Issues
 - thanks to @kfiresmith
 - #11
 - #12
-- thanks to €aelx-rowe
+- thanks to @alex-rowe
 - #13
 ## Release 0.9.0
diff --git a/meta/main.yml b/meta/main.yml
index 554c73c..17b6d39 100644
--- a/meta/main.yml
+++ b/meta/main.yml
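Review bot: Removing `--baseline` from the detect-secrets hook and `--baseline-path` from the gitleaks hook also removes the file exclusions the deleted baseline carried (`.config/.gitleaks-report.json` and `tasks/parse_etc_passwd.yml`), so both hooks now scan those paths on every commit. The deleted baseline held `"results": {}`, so no previously accepted finding is being hidden by this change, which is the right direction; but if `.config/.gitleaks-report.json` is still checked in it is now an unused scan artefact that (being a gitleaks report) is likely to contain matched strings and trip the hooks, so it should go in the same change. A one-line comment on the detect-secrets hook would record the new policy, e.g. `# no baseline: every finding must be fixed or allowlisted inline with '# pragma: allowlist secret'`.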
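Review bot: `additional_dependencies` still pins `- ansible-core>=2.10.1` while the hook moves to ansible-lint v24.2.0, whose own requirements call for a considerably newer ansible-core; pip will satisfy both bounds with a current ansible-core, so the hook runs, but a green lint then says nothing about the role's declared `min_ansible_version: 2.10.1`. Either raise this floor to the ansible-core the role is actually tested against, or record the gap with a comment such as `# lint runs on current ansible-core; the 2.10.1 role minimum is enforced at runtime in tasks/main.yml`. The `# or higher tag` comment next to a `rev:` that this commit pins precisely is misleading and could be dropped. The `- repo:` entry for ansible-lint starts in the previous hunk.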
@@ -7,7 +7,7 @@ galaxy_info:
 license: MIT
 role_name: ubuntu20_stig
 namespace: mindpointgroup
- min_ansible_version: 2.9.0
+ min_ansible_version: 2.10.1
 platforms:
 - name: Ubuntu
 versions:
diff --git a/site.yml b/site.yml
index ddb551b..1082c66 100644
--- a/site.yml
+++ b/site.yml
@@ -1,6 +1,7 @@
 ---
-- hosts: all # noqa: name[play]
+- name: Run Ubuntu20-stig remediation role
+ hosts: all
 become: true
 roles:
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index 53e2c69..5d8d598 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
@@ -191,7 +191,7 @@
 - name: "HIGH | UBTU-20-010048 | PATCH | The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements."
 ansible.builtin.lineinfile:
 path: /etc/ssh/sshd_config
- regexp: '^#?(\s+|)X11Forwarding'
+ regexp: '^#?X11Forwarding'
 line: "X11Forwarding no"
 notify: restart sshd
 when:
diff --git a/tasks/main.yml b/tasks/main.yml
index c089d00..0e5d002 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,10 +1,17 @@
 ---
-- name: Gather distribution info
- ansible.builtin.setup:
- gather_subset: distribution,!all,!min
- when:
- - ansible_distribution is not defined
+- name: Check OS version and family
+ ansible.builtin.assert:
+ that: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version_compare('20', '==')
+ msg: "This role can only be run against Ubuntu 20. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
+ tags:
+ - always
+
+- name: Check ansible version
+ ansible.builtin.assert:
+ that: ansible_version.full is version_compare(min_ansible_version, '>=')
+ fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
+ success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
 tags:
 - always
diff --git a/tasks/parse_etc_passwd.yml b/tasks/parse_etc_passwd.yml
index ce4f48f..47b4a7f 100644
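Review bot: The narrowed `regexp: '^#?X11Forwarding'` no longer matches an active directive written with leading whitespace or with whitespace after the `#` (for example `   X11Forwarding yes`), which the old `(\s+|)` group did catch; `lineinfile` then appends `X11Forwarding no` at the end of the file, and because sshd uses the first occurrence of a keyword the existing `yes` silently wins, so the task reports changed while the control is not enforced. Suggest `regexp: '(?i)^\s*#?\s*X11Forwarding\b'` — sshd keywords are case-insensitive — so every spelling of the directive is rewritten in place rather than duplicated. If other tasks in this file patch sshd_config with a similarly simplified regexp, they deserve the same check. The task's `when:` list continues outside the hunk.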
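Review bot: The new `Check OS version and family` assert reads `ansible_distribution` and `ansible_distribution_major_version` unconditionally, whereas the task it replaces gathered exactly that fact subset when the variable was undefined; on a play with `gather_facts: false` the assert now fails with an undefined-variable error instead of the intended message, so the platform guard never actually evaluates. Keep a minimal fact gather ahead of the assert (below), or guard the `that:` with `ansible_distribution is defined`. Minor style: the first assert uses `msg:` and the second `fail_msg:`; both are accepted, but one spelling reads better, `fail_msg: "This role can only be run against Ubuntu 20. ..."`, and `version_compare` is the legacy alias of the `version` test, so `is version('20', '==')` matches current documentation.
```yaml
- name: Gather distribution facts when the play did not
  ansible.builtin.setup:
    gather_subset: distribution,!all,!min
  when: ansible_distribution is not defined
  tags:
    - always

# … unchanged: Check OS version and family / Check ansible version asserts …
```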
--- a/tasks/parse_etc_passwd.yml
+++ b/tasks/parse_etc_passwd.yml
@@ -16,7 +16,7 @@
 vars:
 ld_passwd_regex: >-
 ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*)
- ld_passwd_yaml: |
+ ld_passwd_yaml: | # pragma: allowlist secret
 id: >-4
 \g
 password: >-4
diff --git a/vars/main.yml b/vars/main.yml
index aca9029..f185b68 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,6 +1,7 @@
 ---
 # vars file for .
+min_ansible_version: 2.10.1
 # Used to control warning summary
 warn_control_list: ""
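Review bot: `# pragma: allowlist secret` is applied per line by detect-secrets (the `is_line_allowlisted` filter the deleted baseline listed; there is also a `# pragma: allowlist nextline secret` form), so placing it on the `ld_passwd_yaml: |` header suppresses a finding on that line only; the block's content lines — presumably the `password:` entry and the `\g` back-reference under it — are separate lines to the scanner and remain unsuppressed. Since this commit also drops the baseline that excluded this file, run the hook against it without the baseline to confirm it passes; if it does not, the `nextline` form on the line before the flagged one, or a narrow `--exclude-files` argument on the hook, is the way to scope the exception. The `vars:` mapping this belongs to starts before the hunk.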
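Review bot: `min_ansible_version: 2.10.1` now lives in two places — here and in `meta/main.yml` — with nothing tying them together, so the runtime assert in `tasks/main.yml` and the Galaxy metadata can drift silently on the next bump. Add a comment recording the coupling, e.g. `# Keep in sync with meta/main.yml galaxy_info.min_ansible_version; enforced by the assert in tasks/main.yml`. As a role `vars/` value it sits above inventory and play vars in precedence and cannot be lowered by consumers, which is appropriate for a guard and worth stating in that comment.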