devel -> main lint and workflow

.config/.secrets.baseline

@@ -109,20 +109,11 @@
     {
       "path": "detect_secrets.filters.regex.should_exclude_file",
       "pattern": [
-        ".config/.gitleaks-report.json"
+        ".config/.gitleaks-report.json",
+        "tasks/parse_etc_passwd.yml"
       ]
     }
   ],
-  "results": {
-    "tasks/parse_etc_passwd.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/parse_etc_passwd.yml",
-        "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
-        "is_verified": false,
-        "line_number": 19
-      }
-    ]
-  },
-  "generated_at": "2023-09-18T09:16:50Z"
+  "results": {},
+  "generated_at": "2023-09-20T12:31:28Z"
 }

.gitattributes

@@ -3,4 +3,4 @@
 *.yml linguist-detectable=true
 *.ps1 linguist-detectable=true
 *.j2 linguist-detectable=true
-*.md linguist-documentation
+*.md linguist-documentation

.github/workflows/github_vars.tfvars

@@ -1,7 +1,7 @@
 // github_actions variables
 // Resourced in github_networks.tf
 // Declared in variables.tf
-// 
+//
 
 namespace   = "github_actions"
 environment = "lockdown_github_repo_workflow"

README.md

@@ -14,20 +14,20 @@
 
 ![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61237?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
+![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
+![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/UBUNTU20-STIG)
+![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/UBUNTU20-STIG)
 
-![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/ubuntu20-stig/linux_benchmark_testing.yml?label=Devel%20Build%20Status)
-![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/ubuntu20-stig/devel?color=dark%20green&label=Devel%20Branch%20Commits)
+[![Main Pipeline Status](https://github.com/ansible-lockdown/UBUNTU20-STIG/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/UBUNTU20-STIG/actions/workflows/main_pipeline_validation.yml)
 
-![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
-![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/ubuntu20-stig/linux_benchmark_testing.yml?label=Build%20Status)
-![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/ubuntu20-stig?label=Release%20Date)
-![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/ubuntu20-stig?label=Release%20Tag&&color=success)
+[![Devel Pipeline Status](https://github.com/ansible-lockdown/UBUNTU20-STIG/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/UBUNTU20-STIG/actions/workflows/devel_pipeline_validation.yml)
+![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/UBUNTU20-STIG/devel?color=dark%20green&label=Devel%20Branch%20Commits)
 
-![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/ubuntu20-stig?label=Open%20Issues)
-![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/ubuntu20-stig?label=Closed%20Issues&&color=success)
-![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/ubuntu20-stig?label=Pull%20Requests)
+![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/UBUNTU20-STIG?label=Open%20Issues)
+![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/UBUNTU20-STIG?label=Closed%20Issues&&color=success)
+![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/UBUNTU20-STIG?label=Pull%20Requests)
 
-![License](https://img.shields.io/github/license/ansible-lockdown/ubuntu20-stig?label=License)
+![License](https://img.shields.io/github/license/ansible-lockdown/UBUNTU20-STIG?label=License)
 
 ---
 

tasks/fix-cat1.yml

@@ -78,7 +78,8 @@
             - "'password' in ubtu_20_010009_bootloader_hash_check.stdout"
 
       - name: "HIGH | UBTU-20-010009 | AUDIT | The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication. | Set warning count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010009'
   when:
@@ -125,7 +126,8 @@
         when: not ubtu20_auto_remove_sudoers
 
       - name: "HIGH | UBTU-20-010012 | AUDIT | The Ubuntu operating system must ensure only users who need access to security functions are part of sudo group. | Set Warn Count."
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010012'
         when: not ubtu20_auto_remove_sudoers
@@ -244,7 +246,8 @@
                 - "A subscription to the Ubuntu Pro plan is required to obtain the FIPS Kernel cryptographic modules and enable FIPS"
 
       - name: "HIGH | UBTU-20-010442 | AUDIT | The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: To provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Set warning count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010442'
   when:
@@ -319,7 +322,8 @@
             - not ubtu20stig_disruption_high
 
       - name: "HIGH | UBTU-20-010462 | PATCH | The Ubuntu operating system must not have accounts configured with blank or null passwords. | Set warning count"
-        import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-18-010522'
         when:

tasks/fix-cat2.yml

@@ -35,7 +35,8 @@
             - ubtu20_temp_account not in ubtu20stig_passwd | map(attribute='id') | list
 
       - name: "MEDIUM | UBTU-20-010000 | AUDIT | The Ubuntu operating system must provision temporary user accounts with an expiration time of 72 hours or less. | Set warning count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010000'
         when:
@@ -150,7 +151,8 @@
         when: ubtu_20_010010_duplicate_uid_users.stdout | length > 0
 
       - name: "MEDIUM | UBTU-20-010010 | AUDIT | The Ubuntu operating system must uniquely identify interactive users. | Set warning count"
-        import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010010'
         when: ubtu_20_010010_duplicate_uid_users.stdout | length > 0
@@ -727,7 +729,8 @@
                   - ubtu20stig_aide_sha1_current_daily.stdout | length > 0
 
             - name: "MEDIUM | UBTU-20-010074 | AUDIT | The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one. | Warn Count."
-              ansible.builtin.import_tasks: warning_facts.yml
+              ansible.builtin.import_tasks:
+                  file: warning_facts.yml
               vars:
                   warn_control_id: 'UBTU-20-010074'
               when:
@@ -771,7 +774,8 @@
                   - ubtu20stig_aide_sha1_current_monthly.stdout | length > 0
 
             - name: "MEDIUM | UBTU-20-010074 | AUDIT | The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one. | Warn Count."
-              ansible.builtin.import_tasks: warning_facts.yml
+              ansible.builtin.import_tasks:
+                  file: warning_facts.yml
               vars:
                   warn_control_id: 'UBTU-20-010074'
               when:
@@ -813,7 +817,8 @@
                   - ubtu20stig_aide_sha1_current_daily.stdout | length > 0
 
             - name: "MEDIUM | UBTU-20-010074 | AUDIT | The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one. | Warn Count."
-              ansible.builtin.import_tasks: warning_facts.yml
+              ansible.builtin.import_tasks:
+                  file: warning_facts.yml
               vars:
                   warn_control_id: 'UBTU-20-010074'
               when:
@@ -2020,7 +2025,8 @@
             msg: "Warning!! Please make sure your UFW allow/deny settings conform to PPSM CAL vulnerability assessments"
 
       - name: The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | Set warning count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010407'
   when:
@@ -2165,7 +2171,8 @@
         when: ubtu_20_010414_crypttab_status.stdout | length == 0
 
       - name: "MEDIUM | UBTU-20-010414 | AUDIT | Ubuntu operating systems handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | Set warning count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010414'
         when: ubtu_20_010414_crypttab_status.stdout | length == 0
@@ -2178,7 +2185,8 @@
         when: ubtu_20_010414_crypttab_status.stdout | length > 0
 
       - name: "MEDIUM | UBTU-20-010414 | AUDIT | Ubuntu operating systems handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | Set warning count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010414'
         when: ubtu_20_010414_crypttab_status.stdout | length > 0
@@ -2666,7 +2674,8 @@
                 - "All configurations will be based on the actual system setup and organization and normally are on a per role basis."
 
       - name: "MEDIUM | UBTU-20-010439 | PATCH | The Ubuntu operating system must be configured to use AppArmor. | Warn Count."
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010439'
   when:
@@ -2693,7 +2702,8 @@
                 - 'For example: "chage -d 0 [UserName]" or "passwd -e [UserName]"'
 
       - name: "MEDIUM | UBTU-20-010440 | AUDIT | The Ubuntu operating system must allow the use of a temporary password for system logons with an immediate change to a permanent password. | Set warning count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010440'
   when:
@@ -2717,7 +2727,8 @@
                 - "Please use at least one DoD certificate authority to the '/usr/local/share/ca-certificates' directory in the PEM format."
 
       - name: "MEDIUM | UBTU-20-010443 | AUDIT | The Ubuntu operating system must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | Set warning count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010443'
   when:
@@ -2754,7 +2765,8 @@
       - name: |
               "MEDIUM | UBTU-20-010444 | AUDIT | Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest. | Set warning count"
               "MEDIUM | UBTU-20-010445 | AUDIT | Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest. | Set warning count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010444 | UBTU-20-010445'
         when: ubtu_20_010444_crypttab_status.stdout | length == 0
@@ -2771,7 +2783,8 @@
       - name: |
               "MEDIUM | UBTU-20-010444 | AUDIT | Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest. | Set warning count"
               "MEDIUM | UBTU-20-010445 | AUDIT | Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest. | Set warning count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010444 | UBTU-20-010445'
         when: ubtu_20_010444_crypttab_status.stdout | length > 0
@@ -2844,7 +2857,8 @@
             - "'nx' not in ubtu_20_010447_cpuinfo_settings.stdout or '[    0.000000] NX (Execute Disable) protection: active' not in ubtu_20_010447_nx_dmesg.stdout"
 
       - name: "MEDIUM | UBTU-20-010447 | AUDIT | The Ubuntu operating system must implement nonexecutable data to protect its memory from unauthorized code execution. | Warning Count."
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010447'
   when:
@@ -2959,7 +2973,8 @@
                 - "a manual check and verify it conforms to site policies."
 
       - name: "MEDIUM | UBTU-20-010450 | AUDIT | The Ubuntu operating system must use a file integrity tool to verify correct operation of all security functions. | Warning Out."
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010450'
   when:

tasks/fix-cat3.yml

@@ -307,7 +307,8 @@
                 - "Disk Space: {{ ubtu_20_010215_audit_log_partition.stdout }}"
 
       - name: "LOW | UBTU-20-010215 | AUDIT | The Ubuntu operating system must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility. | Set warning count"
-        import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010215'
   when:
@@ -390,7 +391,8 @@
             - ubtu20stig_auditd_action_mail_acct != "root"
 
       - name: "LOW | UBTU-20-010217 | PATCH | The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. | Set warning count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010217'
         when:
@@ -448,7 +450,8 @@
                 - "{{ ubtu_20_010300_cron_weekly.stdout_lines }}"
 
       - name: "LOW | UBTU-20-010300 | AUDIT | The Ubuntu operating system must have a crontab script running weekly to offload audit events of standalone systems. | Warn Count."
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010300'
   when:
@@ -519,7 +522,8 @@
             - ubtu20_emergency_account not in ubtu20stig_passwd | map(attribute='id') | list
 
       - name: "MEDIUM | UBTU-20-010410 | AUDIT | The Ubuntu operating system must automatically remove or disable emergency accounts after 72 hours. | Set warning count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010410'
         when:
@@ -569,7 +573,8 @@
             - ubtu_20_mcafeetp_daemon_status.stdout | length == 0
 
       - name: "MEDIUM | UBTU-20-010415 | AUDIT | The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention (ENSLTP). | Set warning count."
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         vars:
             warn_control_id: 'UBTU-20-010415'
         when:

tasks/main.yml

@@ -15,7 +15,8 @@
       - always
 
 - name: Include prelim tasks
-  ansible.builtin.import_tasks: prelim.yml
+  ansible.builtin.import_tasks:
+      file: prelim.yml
   tags:
       - prelim_tasks
 
@@ -26,21 +27,24 @@
       - always
 
 - name: Include CAT I patches
-  ansible.builtin.import_tasks: fix-cat1.yml
+  ansible.builtin.import_tasks:
+      file: fix-cat1.yml
   when: ubtu20stig_cat1_patch
   tags:
       - cat1
       - high
 
 - name: Include CAT II patches
-  ansible.builtin.import_tasks: fix-cat2.yml
+  ansible.builtin.import_tasks:
+      file: fix-cat2.yml
   when: ubtu20stig_cat2_patch
   tags:
       - cat2
       - medium
 
 - name: Include CAT III patches
-  ansible.builtin.import_tasks: fix-cat3.yml
+  ansible.builtin.import_tasks:
+      file: fix-cat3.yml
   when: ubtu20stig_cat3_patch
   tags:
       - cat3

templates/audit/99_stig_auditd.rules.j2

@@ -113,13 +113,13 @@
 -a always,exit -F arch=b64 -S finit_module -F auid>={{ ubtu20stig_int_gid }} -F auid!=4294967295 -k module_chng
 {% endif %}
 {% if ubtu_20_010181 %}
--a always,exit -F arch=b32 -S delete_module -F auid>={{ ubtu20stig_int_gid }} -F auid!=4294967295 -k module_chng 
+-a always,exit -F arch=b32 -S delete_module -F auid>={{ ubtu20stig_int_gid }} -F auid!=4294967295 -k module_chng
 -a always,exit -F arch=b64 -S delete_module -F auid>={{ ubtu20stig_int_gid }} -F auid!=4294967295 -k module_chng
 {% endif %}
 {% if ubtu_20_010211 %}
--a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv 
--a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv 
--a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv 
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
+-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
 -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv
 {% endif %}
 {% if ubtu_20_010244 %}
@@ -146,4 +146,4 @@
 {% endif %}
 {% if ubtu_20_010298 %}
 -w /bin/fdisk -p x -k fdisk
-{% endif %} 
+{% endif %}