Merge pull request #270 from ansible-lockdown/devel

March interim updates
ansible-lockdown · Mar 21, 2023 · cd32ffe · cd32ffe
2 parents b07f1d7 + a93566e
commit cd32ffe
Show file tree

Hide file tree

Showing 17 changed files with 20 additions and 46 deletions.
diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf
@@ -5,7 +5,6 @@ provider "aws" {
 
 // Create a security group with access to port 22 and port 80 open to serve HTTP traffic
 
-
 resource "random_id" "server" {
   keepers = {
     # Generate a new id each time we switch to a new AMI id
@@ -80,4 +79,3 @@ resource "local_file" "inventory" {
         audit_git_version: devel
     EOF
 }
-
diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml
@@ -14,7 +14,8 @@ jobs:
     update_role:
       runs-on: ubuntu-latest
       steps:
-        - uses: actions/checkout@v2
-        - uses: hspaans/ansible-galaxy-action@master
+        - uses: actions/checkout@v3
+        - uses: robertdebock/galaxy-action@master
           with:
-            api_key: ${{ secrets.GALAXY_API_KEY }}
+            galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
+            git_branch: main
diff --git a/.yamllint b/.yamllint
@@ -20,6 +20,8 @@ rules:
     brackets:
         max-spaces-inside: 1
         level: error
+    empty-lines:
+        max: 1
     line-length: disable
     key-duplicates: enable
     new-line-at-end-of-file: enable

diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
@@ -61,7 +61,6 @@ following text in your contribution commit message:
 
 ::
 
-
 This message can be entered manually, or if you have configured git
 with the correct `user.name` and `user.email`, you can use the `-s`
 option to `git commit` to automatically include the signoff message.
diff --git a/README.md b/README.md
@@ -165,7 +165,6 @@ uses:
 - runs the audit using the devel branch
 - This is an automated test that occurs on pull requests into devel
 
-
 ## Local Testing
 
 Molecule can be used to work on this role and test in distinct _scenarios_.
@@ -179,6 +178,7 @@ molecule verify -s localhost
 ```
 
 local testing uses:
+
 - ansible 2.13.3
 - molecule 4.0.1
 - molecule-docker 2.0.0

diff --git a/ansible.cfg b/ansible.cfg
@@ -12,7 +12,6 @@ stdout_callback = yaml
 # Use the stdout_callback when running ad-hoc commands.
 #bin_ansible_callbacks = True
 
-
 [privilege_escalation]
 
 [paramiko_connection]

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -388,7 +388,6 @@ rhel8cis_telnet_required: false
 rhel8cis_openldap_clients_required: false
 rhel8cis_tftp_client: false
 
-
 rhel8cis_allow_autofs: false
 
 ## Section 1 vars
@@ -414,7 +413,6 @@ rhel8cis_rh_sub_password: password
 # RedHat Satellite Subscription items
 rhel8cis_rhnsd_required: false
 
-
 # xinetd required
 rhel8cis_xinetd_required: false
 
@@ -589,7 +587,6 @@ rhel8cis_ssh_loglevel: INFO
 # 5.2.19 SSH MaxSessions setting. Must be 10 or less
 rhel8cis_ssh_maxsessions: 10
 
-
 # 5.3.1 Enable automation to create custom profile settings, using the settings above
 rhel8cis_authselect_custom_profile_create: false
 
@@ -625,7 +622,6 @@ rhel8cis_pass:
     min_days: 7
     warn_age: 7
 
-
 # 5.6.1.4
 rhel8cis_inactivelock:
     lock_days: 30
@@ -659,7 +655,6 @@ rhel8cis_rpm_audit_file: /var/tmp/rpm_file_check
 rhel8cis_no_world_write_adjust: true
 rhel8cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
 
-
 # 6.2.9 - adjusting symlinks in home directories
 # Default in ansible is true this causes lots of issues for many users
 # set as variable so can be overridden but default is not to follow.

diff --git a/meta/main.yml b/meta/main.yml
@@ -22,11 +22,8 @@ galaxy_info:
         - redhat
         - rhel
         - compliance
-
-
 collections:
     - community.general
     - community.crypto
     - ansible.posix
-
 dependencies: []
diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml
@@ -61,7 +61,7 @@
       - automated
       - patch
       - cups
-      - rule_2.2.3
+      - rule_2.2.4
 
 - name: "2.2.5 | PATCH | Ensure DHCP Server is not installed"
   package:
@@ -247,14 +247,14 @@
   when:
       - not rhel8cis_nis_server
       - "'ypserv' in ansible_facts.packages"
-      - rhel8cis_rule_2_2_17
+      - rhel8cis_rule_2_2_15
   tags:
       - level1-server
       - level1-workstation
       - automated
       - patch
       - nis
-      - rule_2.2.17
+      - rule_2.2.15
 
 - name: "2.2.16 | PATCH | Ensure telnet-server is not installed"
   package:

diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
@@ -68,7 +68,6 @@
             line: "blacklist dccp"
             create: true
             mode: 0600
-
   when:
       - rhel8cis_rule_3_1_3
   tags:

diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml
@@ -263,7 +263,7 @@
       - automated
       - patch
       - nftables
-      - rule_3.4.3.5
+      - rule_3.4.3.8
 
 - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy"
   block:
@@ -330,7 +330,7 @@
       - automated
       - patch
       - nftables
-      - rule_3.4.3.7
+      - rule_3.4.3.10
 
 - name: "3.4.2.11 | PATCH | Ensure nftables rules are permanent"
   lineinfile:

diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml
@@ -12,7 +12,6 @@
 - name: "SECTION | 4.1.3.x| Configure auditd rules"
   import_tasks: cis_4.1.3.x.yml
 
-
 # 4.2 Configure Logging
 - name: "SECTION | 4.2.1.x| Configure rsyslog"
   import_tasks: cis_4.2.1.x.yml

diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml
@@ -32,7 +32,7 @@
   lineinfile:
       path: /etc/sudoers
       regexp: '^Defaults\s+logfile='
-      line: 'Defaults logfile="{{ rhel8cis_sudolog_location }}"'
+      line: 'Defaults logfile={{ rhel8cis_sudolog_location }}'
   when:
       - rhel8cis_rule_5_3_3
   tags:

diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml
@@ -13,7 +13,7 @@
       - automated
       - patch
       - password
-      - rule_5.5.1.1
+      - rule_5.6.1.1
 
 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
   lineinfile:
@@ -43,7 +43,7 @@
       - automated
       - patch
       - password
-      - rule_5.5.1.3
+      - rule_5.6.1.3
 
 - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less"
   block:
@@ -127,4 +127,4 @@
       - level1-server
       - level1-workstation
       - patch
-      - rule_5.5.1.5
+      - rule_5.6.1.5
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
@@ -55,7 +55,7 @@
       - patch
       - stickybits
       - permissons
-      - rule_1.1.21
+      - rule_6.1.2
 
 - name: "6.1.3 | PATCH | Ensure permissions on /etc/passwd are configured"
   file:
@@ -137,21 +137,21 @@
       - permissions
       - rule_6.1.7
 
-- name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
+- name: "6.1.8 | PATCH | Ensure permissions on /etc/shadow- are configured"
   file:
       path: /etc/shadow-
       owner: root
       group: root
       mode: 0000
   when:
-      - rhel8cis_rule_6_1_6
+      - rhel8cis_rule_6_1_8
   tags:
       - level1-server
       - level1-workstation
       - automated
       - patch
       - permissions
-      - rule_6.1.6
+      - rule_6.1.8
 
 - name: "6.1.9 | PATCH | Ensure permissions on /etc/group- are configured"
   file:

diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
@@ -296,7 +296,6 @@
       - users
       - rule_6.2.9
 
-
 - name: "6.2.10 | PATCH | Ensure users own their home directories"
   file:
       path: "{{ item.dir }}"

diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
@@ -23,15 +23,12 @@ rhel8cis_level_2: {{ rhel8cis_level_2 }}
 
 rhel8cis_selinux_disable: {{ rhel8cis_selinux_disable }}
 
-
-
 # to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy
 run_heavy_tests: true
 {% if rhel8cis_legacy_boot is defined %}
 rhel8cis_legacy_boot: {{ rhel8cis_legacy_boot }}
 {% endif %}
 
-
 rhel8cis_set_boot_pass: {{ rhel8cis_set_boot_pass }}
 # These variables correspond with the CIS rule IDs or paragraph numbers defined in
 # the CIS benchmark documents.
@@ -110,11 +107,9 @@ rhel8cis_rule_1_8_3: {{ rhel8cis_rule_1_8_3 }}
 rhel8cis_rule_1_8_4: {{ rhel8cis_rule_1_8_4 }}
 rhel8cis_rule_1_8_5: {{ rhel8cis_rule_1_8_5 }}
 
-
 rhel8cis_rule_1_9: {{ rhel8cis_rule_1_9 }}
 rhel8cis_rule_1_10: {{ rhel8cis_rule_1_10 }}
 
-
 # section 2 rules
 rhel8cis_rule_2_1_1: {{ rhel8cis_rule_2_1_1 }}
 rhel8cis_rule_2_1_2: {{ rhel8cis_rule_2_1_2 }}
@@ -206,7 +201,6 @@ rhel8cis_rule_3_4_3_3_4: {{ rhel8cis_rule_3_4_3_3_4 }}
 rhel8cis_rule_3_4_3_3_5: {{ rhel8cis_rule_3_4_3_3_5 }}
 rhel8cis_rule_3_4_3_3_6: {{ rhel8cis_rule_3_4_3_3_6 }}
 
-
 # Section 4 rules
 rhel8cis_rule_4_1_1_1: {{ rhel8cis_rule_4_1_1_1 }}
 rhel8cis_rule_4_1_1_2: {{ rhel8cis_rule_4_1_1_2 }}
@@ -252,7 +246,6 @@ rhel8cis_rule_4_2_2_1_2: {{ rhel8cis_rule_4_2_2_1_2 }}
 rhel8cis_rule_4_2_2_1_3: {{ rhel8cis_rule_4_2_2_1_3 }}
 rhel8cis_rule_4_2_2_1_4: {{ rhel8cis_rule_4_2_2_1_4 }}
 
-
 rhel8cis_rule_4_2_2_2: {{ rhel8cis_rule_4_2_2_2 }}
 rhel8cis_rule_4_2_2_3: {{ rhel8cis_rule_4_2_2_3 }}
 rhel8cis_rule_4_2_2_4: {{ rhel8cis_rule_4_2_2_4 }}
@@ -275,7 +268,6 @@ rhel8cis_rule_5_1_7: {{ rhel8cis_rule_5_1_7 }}
 rhel8cis_rule_5_1_8: {{ rhel8cis_rule_5_1_8 }}
 rhel8cis_rule_5_1_9: {{ rhel8cis_rule_5_1_9 }}
 
-
 rhel8cis_rule_5_2_1: {{ rhel8cis_rule_5_2_1 }}
 rhel8cis_rule_5_2_2: {{ rhel8cis_rule_5_2_2 }}
 rhel8cis_rule_5_2_3: {{ rhel8cis_rule_5_2_3 }}
@@ -324,7 +316,6 @@ rhel8cis_rule_5_6_3: {{ rhel8cis_rule_5_6_3 }}
 rhel8cis_rule_5_6_4: {{ rhel8cis_rule_5_6_4 }}
 rhel8cis_rule_5_6_5: {{ rhel8cis_rule_5_6_5 }}
 
-
 # Section 6
 rhel8cis_rule_6_1_1: {{ rhel8cis_rule_6_1_1 }}
 rhel8cis_rule_6_1_2: {{ rhel8cis_rule_6_1_2 }}
@@ -359,8 +350,6 @@ rhel8cis_rule_6_2_14: {{ rhel8cis_rule_6_2_14 }}
 rhel8cis_rule_6_2_15: {{ rhel8cis_rule_6_2_15 }}
 rhel8cis_rule_6_2_16: {{ rhel8cis_rule_6_2_16 }}
 
-
-
 # Service configuration booleans set true to keep service
 rhel8cis_avahi_server: {{ rhel8cis_avahi_server }}
 rhel8cis_cups_server: {{ rhel8cis_cups_server }}
@@ -382,8 +371,6 @@ rhel8cis_telnet_server: {{ rhel8cis_telnet_server }}
 rhel8cis_tftp_server: {{ rhel8cis_tftp_server }}
 rhel8cis_vsftpd_server: {{ rhel8cis_vsftpd_server }}
 
-
-
 rhel8cis_allow_autofs: {{ rhel8cis_allow_autofs }}
 
 # client services
@@ -451,7 +438,6 @@ rhel8cis_firewall_interface:
 
 rhel8cis_firewall_services: {% for svc in rhel8cis_firewall_services %}{{ svc }} {% endfor %}
 
-
 ### Section 4
 ## auditd settings
 rhel8cis_auditd:
-Original file line number
+Diff line change
@@ Expand Up / @@ -296,7 +296,6 @@ @@
           - users
           - rule_6.2.9
     - name: "6.2.10 | PATCH | Ensure users own their home directories"
       file:
           path: "{{ item.dir }}"
@@ Expand Down @@