From 3953e0878fbf6727e7860ebd3fb09826acb20746 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 22 Jan 2024 17:34:06 +0000
Subject: [PATCH 1/8] [pre-commit.ci] pre-commit autoupdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

updates:
- [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](https://github.com/gitleaks/gitleaks/compare/v8.18.0...v8.18.1)
- [github.com/ansible-community/ansible-lint: v6.21.1 → v6.22.2](https://github.com/ansible-community/ansible-lint/compare/v6.21.1...v6.22.2)
- [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0)
---
 .pre-commit-config.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f2f732a..4302066 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -36,13 +36,13 @@ repos:
 args: [ '--baseline', '.config/.secrets.baseline' ]
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.18.0
+ rev: v8.18.1
 hooks:
 - id: gitleaks
 args: ['--baseline-path', '.config/.gitleaks-report.json']
 - repo: https://github.com/ansible-community/ansible-lint
- rev: v6.21.1
+ rev: v6.22.2
 hooks:
 - id: ansible-lint
 name: Ansible-lint
@@ -61,6 +61,6 @@ repos:
 - ansible-core>=2.10.1
 - repo: https://github.com/adrienverge/yamllint.git
- rev: v1.32.0 # or higher tag
+ rev: v1.33.0 # or higher tag
 hooks:
 - id: yamllint
From d81cd1e679f48cc0e7db71bb727d05141eea78f7 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 12 Feb 2024 17:38:41 +0000 Subject: [PATCH 2/8] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.1 → v8.18.2](https://github.com/gitleaks/gitleaks/compare/v8.18.1...v8.18.2) - [github.com/ansible-community/ansible-lint: v6.22.2 → v24.2.0](https://github.com/ansible-community/ansible-lint/compare/v6.22.2...v24.2.0) - [github.com/adrienverge/yamllint.git: v1.33.0 → v1.34.0](https://github.com/adrienverge/yamllint.git/compare/v1.33.0...v1.34.0) --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4302066..0fc547e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,13 +36,13 @@ repos: args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.1 + rev: v8.18.2 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.2 + rev: v24.2.0 hooks: - id: ansible-lint name: Ansible-lint @@ -61,6 +61,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.33.0 # or higher tag + rev: v1.34.0 # or higher tag hooks: - id: yamllint From 2dd3f40333346ba99dc751dc3770159e19f5aa5f Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 19 Feb 2024 17:48:38 +0000 Subject: [PATCH 3/8] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/adrienverge/yamllint.git: v1.34.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.34.0...v1.35.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0fc547e..82858b5 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -61,6 +61,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.34.0 # or higher tag + rev: v1.35.1 # or higher tag hooks: - id: yamllint From e032d1fbd954ab12569b8972bd14aba3c4b7d0fe Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 20 Feb 2024 12:01:53 +0000 Subject: [PATCH 4/8] issue #13 update Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 53e2c69..5d8d598 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -191,7 +191,7 @@ - name: "HIGH | UBTU-20-010048 | PATCH | The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements." ansible.builtin.lineinfile: path: /etc/ssh/sshd_config - regexp: '^#?(\s+|)X11Forwarding' + regexp: '^#?X11Forwarding' line: "X11Forwarding no" notify: restart sshd when: From 4107f1fbdb4e635a8fd326866ab82dc653971a76 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Mar 2024 16:39:08 +0000 Subject: [PATCH 5/8] config updates Signed-off-by: Mark Bolwell --- .gitignore | 6 +++--- .pre-commit-config.yaml | 2 -- tasks/parse_etc_passwd.yml | 2 +- 3 files changed, 4 insertions(+), 6 deletions(-) 
diff --git a/.gitignore b/.gitignore
index c4d29c3..f67408e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,8 +3,6 @@
 *.retry
 .cache
 .vagrant
-vagrantfile
-Vagrantfile
 tests/*redhat-subscription
 tests/Dockerfile
 *.iso
@@ -12,6 +10,9 @@ tests/Dockerfile
 packer_cache
 delete*
 ignore*
+test_inv
+# temp remove doc while this is built up
+doc/
 # VSCode
 .vscode
@@ -45,4 +46,3 @@ benchparse/
 # GitHub Action/Workflow files
 .github/
-.DS_Store
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 82858b5..717f0e6 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -33,13 +33,11 @@ repos:
 rev: v1.4.0
 hooks:
 - id: detect-secrets
- args: [ '--baseline', '.config/.secrets.baseline' ]
 - repo: https://github.com/gitleaks/gitleaks
 rev: v8.18.2
 hooks:
 - id: gitleaks
- args: ['--baseline-path', '.config/.gitleaks-report.json']
 - repo: https://github.com/ansible-community/ansible-lint
 rev: v24.2.0
diff --git a/tasks/parse_etc_passwd.yml b/tasks/parse_etc_passwd.yml
index ce4f48f..47b4a7f 100644
--- a/tasks/parse_etc_passwd.yml
+++ b/tasks/parse_etc_passwd.yml
@@ -16,7 +16,7 @@
 vars:
 ld_passwd_regex: >-
 ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*)
- ld_passwd_yaml: |
+ ld_passwd_yaml: | # pragma: allowlist secret
 id: >-4
 \g
 password: >-4
From 3a1319fdb954eb88cb1f314860f4f74efcd3d563 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 11 Mar 2024 16:39:46 +0000
Subject: [PATCH 6/8] lint updates

Signed-off-by: Mark Bolwell
---
 .config/.secrets.baseline | 119 --------------------------------------
 site.yml | 3 +-
 2 files changed, 2 insertions(+), 120 deletions(-)
 delete mode 100644 .config/.secrets.baseline

diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
deleted file mode 100644
index 9887dca..0000000
--- a/.config/.secrets.baseline
+++ /dev/null
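Review bot: Removing `--baseline-path` from the gitleaks hook leaves `.config/.gitleaks-report.json` behind as a file nothing reads; the commit neither deletes it nor mentions it, and a gitleaks report normally stores the matched strings themselves (its `Match`/`Secret` fields), so it should go in the same change — the detect-secrets baseline it sat beside is only removed in PATCH 6/8. Dropping `--baseline` means the `detect-secrets` hook now fails on any finding in staged files rather than only on new ones, which is the stricter behaviour and acceptable, but it deserves a line in the commit message because it changes what a contributor's commit is blocked on. The deleted baseline excluded `tasks/parse_etc_passwd.yml` via `should_exclude_file`; that exclusion now rests entirely on the inline pragma added in the next hunk.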
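Review bot: The `# pragma: allowlist secret` sits on the `ld_passwd_yaml: |` key line, but detect-secrets' `is_line_allowlisted` filter only suppresses a finding on the line carrying the pragma (or the following line when written as `# pragma: allowlist nextline secret`), and the line a keyword detector would most plausibly flag, `password: >-4`, is three lines further down inside the block scalar. If the hook passes now, that is likely because no detector fires there rather than because of this comment; confirm with `detect-secrets-hook tasks/parse_etc_passwd.yml` before relying on it. Moving the pragma into the block is not an option either, since any `#` inside a `|` scalar becomes part of the emitted text, so if the scan does flag the line the cleaner fix is an `--exclude-files` argument on the hook for this template. The `vars:` block this hunk edits belongs to a task whose start is outside the hunk.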
@@ -1,119 +0,0 @@ -{ - "version": "1.4.0", - "plugins_used": [ - { - "name": "ArtifactoryDetector" - }, - { - "name": "AWSKeyDetector" - }, - { - "name": "AzureStorageKeyDetector" - }, - { - "name": "Base64HighEntropyString", - "limit": 4.5 - }, - { - "name": "BasicAuthDetector" - }, - { - "name": "CloudantDetector" - }, - { - "name": "DiscordBotTokenDetector" - }, - { - "name": "GitHubTokenDetector" - }, - { - "name": "HexHighEntropyString", - "limit": 3.0 - }, - { - "name": "IbmCloudIamDetector" - }, - { - "name": "IbmCosHmacDetector" - }, - { - "name": "JwtTokenDetector" - }, - { - "name": "KeywordDetector", - "keyword_exclude": "" - }, - { - "name": "MailchimpDetector" - }, - { - "name": "NpmDetector" - }, - { - "name": "PrivateKeyDetector" - }, - { - "name": "SendGridDetector" - }, - { - "name": "SlackDetector" - }, - { - "name": "SoftlayerDetector" - }, - { - "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TwilioKeyDetector" - } - ], - "filters_used": [ - { - "path": "detect_secrets.filters.allowlist.is_line_allowlisted" - }, - { - "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", - "min_level": 2 - }, - { - "path": "detect_secrets.filters.heuristic.is_indirect_reference" - }, - { - "path": "detect_secrets.filters.heuristic.is_likely_id_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_lock_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_potential_uuid" - }, - { - "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" - }, - { - "path": "detect_secrets.filters.heuristic.is_sequential_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_swagger_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_templated_secret" - }, - { - "path": "detect_secrets.filters.regex.should_exclude_file", - "pattern": [ - ".config/.gitleaks-report.json", - 
"tasks/parse_etc_passwd.yml" - ] - } - ], - "results": {}, - "generated_at": "2023-09-20T12:31:28Z" -} diff --git a/site.yml b/site.yml index ddb551b..1082c66 100644 --- a/site.yml +++ b/site.yml @@ -1,6 +1,7 @@ --- -- hosts: all # noqa: name[play] +- name: Run Ubuntu20-stig remediation role + hosts: all become: true roles: From 258713e762919d2569a53ec764bcba84ac57bc02 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Mar 2024 16:40:11 +0000 Subject: [PATCH 7/8] updated Signed-off-by: Mark Bolwell --- ChangeLog.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog.md b/ChangeLog.md index 2c7f534..8583848 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,5 +1,11 @@ # Changelog +## Based on Stig v1r7 - Jan 2023 + +- ansible version updated to 2.10.1 minimum +- updates to pre-commit config +- gitignore updated + ## Release 0.9.1 - yamllint update @@ -15,7 +21,7 @@ Issues - thanks to @kfiresmith - #11 - #12 -- thanks to €aelx-rowe +- thanks to @alex-rowe - #13 ## Release 0.9.0 From 9b5fb28089c29d3b2a4834f8346bed15d18bfa90 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Mar 2024 16:44:00 +0000 Subject: [PATCH 8/8] updates to min ansible version and chk. Signed-off-by: Mark Bolwell --- meta/main.yml | 2 +- tasks/main.yml | 17 ++++++++++++----- vars/main.yml | 1 + 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index 554c73c..17b6d39 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -7,7 +7,7 @@ galaxy_info: license: MIT role_name: ubuntu20_stig namespace: mindpointgroup - min_ansible_version: 2.9.0 + min_ansible_version: 2.10.1 platforms: - name: Ubuntu versions: diff --git a/tasks/main.yml b/tasks/main.yml index c089d00..0e5d002 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,10 +1,17 @@
 ---
-- name: Gather distribution info
- ansible.builtin.setup:
- gather_subset: distribution,!all,!min
- when:
- - ansible_distribution is not defined
+- name: Check OS version and family
+ ansible.builtin.assert:
+ that: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version_compare('20', '==')
+ msg: "This role can only be run against Ubuntu 20. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
+ tags:
+ - always
+
+- name: Check ansible version
+ ansible.builtin.assert:
+ that: ansible_version.full is version_compare(min_ansible_version, '>=')
+ fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
+ success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
 tags:
 - always
diff --git a/vars/main.yml b/vars/main.yml
index aca9029..f185b68 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,6 +1,7 @@
 ---
 # vars file for .
+min_ansible_version: 2.10.1
 # Used to control warning summary
 warn_control_list: ""
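Review bot: The new asserts read `ansible_distribution` and `ansible_distribution_major_version` unconditionally, while the task removed here was the role's fallback for collecting them (`ansible.builtin.setup` with `gather_subset: distribution,!all,!min`, run only when the fact was undefined); a play that includes the role with `gather_facts: false` now dies on an undefined variable inside the `that:` expression instead of reporting the intended `msg`. Either keep a minimal `setup` task ahead of the assert or state the fact-gathering requirement where the role is documented. Style: `version_compare` is the legacy alias of the `version` test, and the first assert uses `msg:` while the second uses `fail_msg:`/`success_msg:` — pick one form. The value `2.10.1` is now declared in both `meta/main.yml` and `vars/main.yml`, so the two can drift apart silently. The trailing `tags:` / `- always` lines are old context, so both new tasks end up `always`-tagged, which is right for a pre-flight check.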