Merge pull request #2 from ansible-lockdown/devel

linting and standards updates

.ansible-lint

@@ -3,20 +3,7 @@
 parseable: true
 quiet: true
 skip_list:
-  - 'schema'
-  - 'no-changed-when'
-  - 'var-spacing'
-  - 'experimental'
-  - 'name[play]'
-  - 'name[casing]'
-  - 'name[template]'
-  - 'key-order[task]'
-  - '204'
-  - '305'
-  - '303'
-  - '403'
-  - '306'
-  - '602'
-  - '208'
+  - 'package-latest'
+  - 'risky-shell-pipe'
 use_default_rules: true
 verbosity: 0

.gitattributes

@@ -1,3 +1,17 @@
+# https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github
+# Default behaviour
+* text=auto
+
+# https://docs.github.com/en/get-started/getting-started-with-git/configuring-git-to-handle-line-endings
+# Ensure to read artcile prior to adding
+# Scripts should have Unix endings
+*.py text eol=lf
+*.sh text eol=lf
+
+# Windows Batch or PowerShell scripts should have CRLF endings
+*.bat text eol=crlf
+*.ps1 text eol=crlf
+
 # adding github settings to show correct language
 *.sh linguist-detectable=true
 *.yml linguist-detectable=true

.gitignore

@@ -1,7 +1,6 @@
 .env
 *.log
 *.retry
-.cache
 .vagrant
 tests/*redhat-subscription
 tests/Dockerfile
@@ -10,11 +9,9 @@ tests/Dockerfile
 packer_cache
 delete*
 ignore*
-test_inv
-# temp remove doc while this is built up
-doc/
 # VSCode
 .vscode
+vagrant
 
 # Byte-compiled / optimized / DLL files
 __pycache__/

.pre-commit-config.yaml

@@ -7,16 +7,21 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.6.0
+  rev: v5.0.0
   hooks:
   # Safety
   - id: detect-aws-credentials
+    name: Detect AWS Credentials
   - id: detect-private-key
+    name: Detect Private Keys
 
   # git checks
   - id: check-merge-conflict
+    name: Check for merge conflicts
   - id: check-added-large-files
+    name: Check for Large files
   - id: check-case-conflict
+    name: Check case conflict
 
   # General checks
   - id: trailing-whitespace
@@ -27,21 +32,21 @@ repos:
     types: [text]
     args: [--markdown-linebreak-ext=md]
   - id: end-of-file-fixer
+    name: Ensure line at end of file
 
 # Scan for passwords
 - repo: https://github.com/Yelp/detect-secrets
   rev: v1.5.0
   hooks:
   - id: detect-secrets
-    exclude: templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.18.4
+  rev: v8.21.2
   hooks:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.7.0
+  rev: v24.10.0
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -52,14 +57,15 @@ repos:
     # https://github.com/ansible/ansible-lint/issues/611
     pass_filenames: false
     always_run: true
-    additional_dependencies:
+    # additional_dependencies:
     # https://github.com/pre-commit/pre-commit/issues/1526
     # If you want to use specific version of ansible-core or ansible, feel
     # free to override `additional_dependencies` in your own hook config
     # file.
-    - ansible-core>=2.10.1
+    # - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
   rev: v1.35.1  # or higher tag
   hooks:
   - id: yamllint
+    name: Check YAML Lint

.yamllint

@@ -1,32 +1,38 @@
 ---
-extends: default
 
+extends: default
 ignore: |
     tests/
     molecule/
     .github/
     .gitlab-ci.yml
     *molecule.yml
-
 rules:
-  indentation:
-    # Requiring 4 space indentation
-    spaces: 2
-    # Requiring consistent indentation within a file, either indented or not
-    indent-sequences: consistent
   braces:
     max-spaces-inside: 1
     level: error
   brackets:
     max-spaces-inside: 1
     level: error
+  comments:
+    ignore-shebangs: true
+    min-spaces-from-content: 1 # prettier compatibility
+  comments-indentation: enable
   empty-lines:
     max: 1
-  line-length: disable
+  indentation:
+    # Requiring 2 space indentation
+    spaces: 2
+    # Requiring consistent indentation within a file, either indented or not
+    indent-sequences: consistent
   key-duplicates: enable
+  line-length: disable
   new-line-at-end-of-file: enable
   new-lines:
     type: unix
+  octal-values:
+    forbid-implicit-octal: true # yamllint defaults to false
+    forbid-explicit-octal: true
   trailing-spaces: enable
   truthy:
     allowed-values: ['true', 'false']

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases
+Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

defaults/main.yml

@@ -498,6 +498,20 @@ deb12cis_rule_7_2_10: true
 
 ## Section 1 vars
 
+## Control 1.1.1.8
+# We have found that some systems may have UAS kernel running and if it is
+# usb-storage will fail to be removed which is control 1.1.1.8. By default This
+# is set to false. By having this set to false control 1.1.1.8 will run but if UAS
+# Is loaded you will receive a warning message instead of usb-storage being removed
+# and the playbook will have to be re-run with this switch set to true.
+# Default: false
+deb12cis_uas_remove: false
+
+## Ability to enabe debug on mounts to assist in troubleshooting
+# Mount point changes are set based upon facts created in Prelim
+# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1.
+deb12cis_debug_mount_data: false
+
 ## Control 1.1.2
 # If set to `true`, rule will be implemented using the `tmp.mount` systemd-service,
 # otherwise fstab configuration will be used.
@@ -1051,46 +1065,61 @@ prelim_max_int_uid: 65533
 # By setting this variable to `true`, all of the settings related to AIDE will be applied!
 deb12cis_config_aide: true
 
-## Control 6.1.2 AIDE cron settings
+# If DB file older than below will automatically rebuild DB
+# e.g. options:1w = 1 week, 1d = 1day 1h = 1 hour
+deb12cis_aide_db_file_age: 1w
 
-## How the aide schedule is run either cron or timer
-deb12cis_aide_scan: cron
+# If aide already setup this forces a new DB to be created
+deb12cis_aide_db_recreate: false
+
+# allows to change db file, not config need to be adjusted too
+deb12cis_aide_db_file: /var/lib/aide/aide.db
+
+## When Initializing aide this can take longer on some systems
+# changing the values enables user to change to thier own requirements
+# Maximum Time in seconds
+deb12cis_aide_init_async: 600
+# Polling Interval in seconds
+deb12cis_aide_init_poll: 15
 
+# Set how aide is scanned either cron or timer
+deb12cis_aide_scan: cron
 # These are the crontab settings for periodical checking of the filesystem's integrity using AIDE.
 # The sub-settings of this variable provide the parameters required to configure
 # the cron job on the target system.
 # Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled
 # and executed automatically at a certain point in time.
-deb12cis_aide_cron:
-  # This variable represents the user account under which the cron job for AIDE will run.
-  cron_user: root
-  # This variable represents the path to the AIDE crontab file.
-  cron_file: /etc/cron.d/aide_cron
-  # This variable represents the actual command or script that the cron job
-  # will execute for running AIDE.
-  aide_job: '/usr/sbin/aide --check'
-  # These variables define the schedule for the cron job
-  # This variable governs the minute of the time of day when the AIDE cronjob is run.
-  # It must be in the range `0-59`.
-  aide_minute: 0
-  # This variable governs the hour of the time of day when the AIDE cronjob is run.
-  # It must be in the range `0-23`.
-  aide_hour: 5
-  # This variable governs the day of the month when the AIDE cronjob is run.
-  # `*` signifies that the job is run on all days; furthermore, specific days
-  # can be given in the range `1-31`; several days can be concatenated with a comma.
-  # The specified day(s) can must be in the range  `1-31`.
-  aide_day: '*'
-  # This variable governs months when the AIDE cronjob is run.
-  # `*` signifies that the job is run in every month; furthermore, specific months
-  # can be given in the range `1-12`; several months can be concatenated with commas.
-  # The specified month(s) can must be in the range  `1-12`.
-  aide_month: '*'
-  # This variable governs the weekdays, when the AIDE cronjob is run.
-  # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
-  # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
-  # can be concatenated with commas.
-  aide_weekday: '*'
+
+# This variable represents the user account under which the cron job for AIDE will run.
+deb12cis_aide_cron_user: root
+# This variable represents the path to the AIDE crontab file.
+deb12cis_aide_cron_file: /etc/cron.d/aide_cron
+# This variable represents the actual command or script that the cron job
+# will execute for running AIDE.
+deb12cis_aide_cron_job: '/usr/bin/aide --config /etc/aide/aide.conf --check'
+# These variables define the schedule for the cron job
+# This variable governs the minute of the time of day when the AIDE cronjob is run.
+# It must be in the range `0-59`.
+deb12cis_aide_cron_minute: 0
+# This variable governs the hour of the time of day when the AIDE cronjob is run.
+# It must be in the range `0-23`.
+deb12cis_aide_cron_hour: 5
+# This variable governs the day of the month when the AIDE cronjob is run.
+# `*` signifies that the job is run on all days; furthermore, specific days
+# can be given in the range `1-31`; several days can be concatenated with a comma.
+# The specified day(s) can must be in the range  `1-31`.
+deb12cis_aide_cron_day: '*'
+# This variable governs months when the AIDE cronjob is run.
+# `*` signifies that the job is run in every month; furthermore, specific months
+# can be given in the range `1-12`; several months can be concatenated with commas.
+# The specified month(s) can must be in the range  `1-12`.
+deb12cis_aide_cron_month: '*'
+# This variable governs the weekdays, when the AIDE cronjob is run.
+# `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
+# can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
+# can be concatenated with commas.
+deb12cis_aide_cron_weekday: '*'
+
 #
 ## Preferred method of logging
 ## Whether rsyslog or journald preferred method for local logging