Final v3.0.0 release to main

.ansible-lint

@@ -6,12 +6,10 @@ skip_list:
  - 'schema'
  - 'no-changed-when'
  - 'var-spacing'
- - 'fqcn-builtins'
  - 'experimental'
  - 'name[play]'
  - 'name[casing]'
  - 'name[template]'
- - 'fqcn[action]'
  - 'key-order[task]'
  - '204'
  - '305'

.config/.secrets.baseline

@@ -75,10 +75,6 @@
  {
  "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
  },
- {
- "path": "detect_secrets.filters.common.is_baseline_file",
- "filename": ".config/.secrets.baseline"
- },
  {
  "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
  "min_level": 2
@@ -113,70 +109,11 @@
  {
  "path": "detect_secrets.filters.regex.should_exclude_file",
  "pattern": [
- ".config/.gitleaks-report.json"
+ ".config/.gitleaks-report.json",
+ "tasks/parse_etc_password.yml"
  ]
  }
  ],
- "results": {
- "defaults/main.yml": [
- {
- "type": "Secret Keyword",
- "filename": "defaults/main.yml",
- "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
- "is_verified": false,
- "line_number": 382,
- "is_secret": false
- }
- ],
- "tasks/main.yml": [
- {
- "type": "Secret Keyword",
- "filename": "tasks/main.yml",
- "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
- "is_verified": false,
- "line_number": 22,
- "is_secret": false
- }
- ],
- "tasks/parse_etc_password.yml": [
- {
- "type": "Secret Keyword",
- "filename": "tasks/parse_etc_password.yml",
- "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
- "is_verified": false,
- "line_number": 18
- }
- ],
- "vars/CentOS.yml": [
- {
- "type": "Hex High Entropy String",
- "filename": "vars/CentOS.yml",
- "hashed_secret": "2baa4bd2c505f21a0e48d6c17a174a0c8b6f3c3b",
- "is_verified": false,
- "line_number": 6,
- "is_secret": false
- }
- ],
- "vars/OracleLinux.yml": [
- {
- "type": "Hex High Entropy String",
- "filename": "vars/OracleLinux.yml",
- "hashed_secret": "260c8f0806148cd568435cd3d7647f43150efdbb",
- "is_verified": false,
- "line_number": 9,
- "is_secret": false
- }
- ],
- "vars/is_container.yml": [
- {
- "type": "Secret Keyword",
- "filename": "vars/is_container.yml",
- "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
- "is_verified": false,
- "line_number": 377,
- "is_secret": false
- }
- ]
- },
- "generated_at": "2023-09-13T08:05:26Z"
+ "results": {},
+ "generated_at": "2023-10-09T15:14:50Z"
 }

.github/workflows/devel_pipeline_validation.yml

@@ -27,7 +27,7 @@
  repo-token: ${{ secrets.GITHUB_TOKEN }}
  pr-message: |-
  Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
- Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+ Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
  # This workflow contains a single job which tests the playbook
  playbook-test:

.pre-commit-config.yaml

@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v3.2.0
+ rev: v4.5.0
  hooks:
  # Safety
  - id: detect-aws-credentials
@@ -37,13 +37,13 @@ repos:
  exclude: .config/.gitleaks-report.json
 
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.17.0
+ rev: v8.18.2
  hooks:
  - id: gitleaks
  args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
- rev: v6.17.2
+ rev: v24.2.0
  hooks:
  - id: ansible-lint
  name: Ansible-lint
@@ -62,6 +62,6 @@ repos:
  - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
- rev: v1.32.0 # or higher tag
+ rev: v1.35.1 # or higher tag
  hooks:
  - id: yamllint

.yamllint

@@ -30,4 +30,4 @@ rules:
  trailing-spaces: enable
  truthy:
  allowed-values: ['true', 'false']
- check-keys: false
+ check-keys: true

README.md

@@ -11,7 +11,6 @@
 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
 
-![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56324?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
@@ -39,7 +38,7 @@
 
 ### Community
 
-On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
+On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
 
 ---
 
@@ -169,6 +168,10 @@ uses:
 pre-commit run
 ```
 
-## Credits
+## Credits and Thanks
 
-This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig)
+Massive thanks to the fantastic community and all its members.
+
+This includes a huge thanks and credit to the original authors and maintainers.
+
+Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell

ansible.cfg

@@ -22,4 +22,4 @@ transfer_method=scp
 
 [colors]
 
-[diff]
+[diff]

collections/requirements.yml

@@ -2,7 +2,13 @@
 
 collections:
  - name: community.general
+ source: https://github.com/ansible-collections/community.general
+ type: git
 
  - name: community.crypto
+ source: https://github.com/ansible-collections/community.crypto
+ type: git
 
  - name: ansible.posix
+ source: https://github.com/ansible-collections/ansible.posix
+ type: git

defaults/main.yml

@@ -26,25 +26,46 @@ python2_bin: /bin/python2.7
 benchmark: RHEL7-CIS
 benchmark_version: v3.1.1
 
-#### Basic external goss audit enablement settings ####
-#### Precise details - per setting can be found at the bottom of this file ####
+##########################################
+### Goss is required on the remote host ###
+## Refer to vars/auditd.yml for any other settings ##
 
-### Goss is required on the remote host
+# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
 setup_audit: false
-# How to retrive goss
+
+# enable audits to run - this runs the audit and get the latest content
+run_audit: false
+
+# Only run Audit do not remediate
+audit_only: false
+# As part of audit_only
+# This will enable files to be copied back to control node
+fetch_audit_files: false
+# Path to copy the files to will create dir structure
+audit_capture_files_dir: /some/location to copy to on control node
+
+# How to retrieve audit binary
 # Options are copy or download - detailed settings at the bottom of this file
 # you will need to access to either github or the file already dowmloaded
-get_goss_file: download
+get_audit_binary_method: download
+
+## if get_audit_binary_method - copy the following needs to be updated for your environment
+## it is expected that it will be copied from somewhere accessible to the control node
+## e.g copy from ansible control node to remote host
+audit_bin_copy_location: /some/accessible/path
 
 # how to get audit files onto host options
-# options are git/copy/get_url
+# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
 audit_content: git
 
-# Timeout for those cmds that take longer to run where timeout set
-audit_cmd_timeout: 30000
+# archive or copy:
+audit_conf_copy: "some path to copy from"
 
-# enable audits to run - this runs the audit and get the latest content
-run_audit: false
+# get_url:
+audit_files_url: "some url maybe s3?"
+
+# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
+audit_run_heavy_tests: true
 
 ### End Goss enablements ####
 #### Detailed settings found at the end of this document ####
@@ -379,7 +400,7 @@ rhel7cis_rhnsd_required: false
 
 # 1.4.2 Bootloader password
 rhel7cis_set_boot_pass: false
-rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispart'
+rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispart' # pragma: allowlist secret
 
 # System network parameters (host only OR host and router)
 rhel7cis_is_router: false
@@ -565,55 +586,3 @@ rhel7cis_dotperm_ansiblemanaged: true
 
 # RHEL-07-6.2.18 Clear users from shadow group
 rhel7cis_remove_shadow_grp_usrs: true
-
-#### Goss Configuration Settings ####
-audit_run_script_environment:
- AUDIT_BIN: "{{ audit_bin }}"
- AUDIT_FILE: 'goss.yml'
- AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
-
-### Goss binary settings ###
-goss_version:
- release: v0.3.23
- checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d'
-audit_bin_path: /usr/local/bin/
-audit_bin: "{{ audit_bin_path }}goss"
-audit_format: json
-
-# if get_goss_file == download change accordingly
-goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64"
-
-## if get_goss_file - copy the following needs to be updated for your environment
-## it is expected that it will be copied from somewhere accessible to the control node
-## e.g copy from ansible control node to remote host
-copy_goss_from_path: /some/accessible/path
-
-### Goss Audit Benchmark file ###
-## managed by the control audit_content
-# git
-audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
-audit_git_version: "benchmark_{{ benchmark_version }}"
-
-# copy:
-audit_local_copy: "some path to copy from"
-
-# get_url:
-audit_files_url: "some url maybe s3?"
-
-# Where the goss audit configuration will be stored
-audit_files: "/opt/{{ benchmark }}-Audit/"
-
-## Goss configuration information
-# Where the goss configs and outputs are stored
-audit_out_dir: '/opt'
-audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"
-pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
-post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
-
-## The following should not need changing
-goss_file: "{{ audit_conf_dir }}goss.yml"
-audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml"
-audit_results: |
- The pre remediation results are: {{ pre_audit_summary }}.
- The post remediation results are: {{ post_audit_summary }}.
- Full breakdown can be found in {{ audit_out_dir }}

meta/main.yml

@@ -1,7 +1,7 @@
 ---
 
 galaxy_info:
- author: "Sam Doran, Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, Mark Bolwell, George Nalen"
+ author: "MindPoint group"
  description: "Apply the CIS RHEL7 role"
  company: "MindPoint Group"
  license: MIT

tasks/LE_audit_setup.yml

@@ -1,22 +1,34 @@
 ---
 
-- name: Download goss binary
+- name: Pre Audit Setup | Set audit package name
+ block:
+ - name: Pre Audit Setup | Set audit package name | 64bit
+ ansible.builtin.set_fact:
+ audit_pkg_arch_name: AMD64
+ when: ansible_facts.machine == "x86_64"
+
+ - name: Pre Audit Setup | Set audit package name | ARM64
+ ansible.builtin.set_fact:
+ audit_pkg_arch_name: ARM64
+ when: ansible_facts.machine == "arm64"
+
+- name: Pre Audit Setup | Download audit binary
  ansible.builtin.get_url:
- url: "{{ goss_url }}"
+ url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}"
  dest: "{{ audit_bin }}"
  owner: root
  group: root
- checksum: "{{ goss_version.checksum }}"
- mode: 0555
+ checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
+ mode: '0555'
  when:
- - get_goss_file == 'download'
+ - get_audit_binary_method == 'download'
 
-- name: Copy goss binary
+- name: Pre Audit Setup | Copy audit binary
  ansible.builtin.copy:
- src: "{{ copy_goss_from_path }}"
+ src: "{{ audit_bin_copy_location }}"
  dest: "{{ audit_bin }}"
- mode: 0555
+ mode: '0555'
  owner: root
  group: root
  when:
- - get_goss_file == 'copy'
+ - get_audit_binary_method == 'copy'