From f117074ffe393e1fa65ad3db5b3204286233d8ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?An=C5=BEe=20Luzar?=
Date: Fri, 15 Sep 2023 10:29:10 +0200
Subject: [PATCH 01/31] Specify missing state parameter for package
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Anže Luzar

---
 tasks/prelim.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index f1863acd..aa2be1a7 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -55,6 +55,7 @@
 - name: "PRELIM | Install dconf"
 ansible.builtin.package:
 name: dconf
+ state: present
 vars:
 ansible_python_interpreter: "{{ python2_bin }}"
 when:
@@ -148,6 +149,7 @@
 - name: "PRELIM | RHEL-07-010480 | RHEL-07-010490 | RHEL-07-021350 | Install grub2-tools."
 ansible.builtin.package:
 name: grub2-tools
+ state: present
 vars:
 ansible_python_interpreter: "{{ python2_bin }}"
 when:
@@ -210,6 +212,7 @@
 - name: "PRELIM | ensure cronie is available"
 ansible.builtin.package:
 name: cronie
+ state: present
 vars:
 ansible_python_interpreter: "{{ python2_bin }}"
 when:
@@ -282,6 +285,7 @@
 - name: "PRELIM | RHEL-07-021100 | RHEL-07-031000 | RHEL-07-031010 | Ensure rsyslog is installed when required."
 ansible.builtin.package:
 name: rsyslog
+ state: present
 vars:
 ansible_python_interpreter: "{{ python2_bin }}"
 when:
@@ -310,6 +314,7 @@
 - name: "PRELIM | RHEL-07-030300 | RHEL-07-030310 | RHEL-07-030320 | RHEL-07-030321 | Install audit remote plugin."
 ansible.builtin.package:
 name: audispd-plugins
+ state: present
 vars:
 ansible_python_interpreter: "{{ python2_bin }}"
 when:
@@ -387,6 +392,7 @@
 - libselinux-python
 - policycoreutils-python
 - selinux-policy-targeted
+ state: present
 vars:
 ansible_python_interpreter: "{{ python2_bin }}"
 when:
@@ -399,6 +405,7 @@
 - name: "PRELIM | Install SSH"
 ansible.builtin.package:
 name: openssh-server
+ state: present
 vars:
 ansible_python_interpreter: "{{ python2_bin }}"
From 130e021090ad288ec991bf923daa5092ad957c9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?An=C5=BEe=20Luzar?=
Date: Fri, 15 Sep 2023 10:42:12 +0200
Subject: [PATCH 02/31] Correct with_items indentation for package
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Anže Luzar

---
 tasks/fix-cat2.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 694a304c..3d145677 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -1109,9 +1109,9 @@
 ansible.builtin.package:
 name: "{{ item }}"
 state: present
- with_items:
- - pam_pkcs11
- - pcsc-lite-libs
+ with_items:
+ - pam_pkcs11
+ - pcsc-lite-libs
 vars:
 ansible_python_interpreter: "{{ python2_bin }}"
 register: rhel_07_010500pkcs11install
From 601ef18853e0d7ac4f74bf56f481242d07fd5369 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?An=C5=BEe=20Luzar?=
Date: Fri, 15 Sep 2023 10:46:33 +0200
Subject: [PATCH 03/31] Replace inline strings with module parameters
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Anže Luzar

---
 tasks/fix-cat2.yml | 42 ++++++++++++++++++---------------
 tasks/main.yml | 18 +++++++++-----
 tasks/pre_remediation_audit.yml | 3 ++-
 tasks/prelim.yml | 3 ++-
 4 files changed, 39 insertions(+), 27 deletions(-)

diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 3d145677..2083c369 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -1368,7 +1368,7 @@
 - name: |
 "MEDIUM | RHEL-07-020210 | PATCH | The Red Hat Enterprise Linux operating system must enable SELinux."
 "MEDIUM | RHEL-07-020220 | PATCH | The Red Hat Enterprise Linux operating system must enable SELinux targeted policy."
- selinux:
+ ansible.posix.selinux:
 state: enforcing
 policy: targeted
 check_mode: "{{ ansible_check_mode or rhel7stig_system_is_chroot }}"
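Review bot: The module is renamed to `ansible.posix.selinux` here, and to `ansible.posix.acl`, `ansible.posix.sysctl` and `ansible.posix.seboolean` in the later hunks of this commit, which moves these tasks out of the builtin namespace into a separate collection; nothing in the commit shows `ansible.posix` being declared in `meta/` or a `requirements.yml`, so unless it is already listed there, an install that pulls only the role will fail at parse time on the first of these tasks. Several of the affected hunks are the sysctl hardening controls (RHEL-07-040201, RHEL-07-040610 and following), so a missing collection would abort the CAT II remediation before they run. Worth confirming the collection requirement is declared and version-pinned alongside this change.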
@@ -1444,7 +1444,8 @@
 - "{{ rhel7stig_unnecessary_accounts }}"
 - name: "MEDIUM | RHEL-07-020270 | AUDIT | Re-parse /etc/passwd since it changed."
- include_tasks: parse_etc_passwd.yml # noqa: no-handler
+ ansible.builtin.include_tasks:
+ file: parse_etc_passwd.yml
 vars:
 rhel7stig_passwd_tasks: "RHEL-07-020270"
 when: rhel_07_020270_patch is changed
@@ -1754,7 +1755,7 @@
 # set default ACLs so the homedir has an effective umask of 0027
 - name: "MEDIUM | RHEL-07-020680 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."
- acl:
+ ansible.posix.acl:
 path: "{{ item.0 }}"
 default: true
 state: present
@@ -1925,7 +1926,8 @@
 register: rhel_07_020730_perms_results
 - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs."
- include_tasks: audit_homedirinifiles.yml
+ ansible.builtin.include_tasks:
+ file: audit_homedirinifiles.yml
 loop:
 - "{{ rhel_07_stig_interactive_homedir_inifiles }}"
 loop_control:
@@ -3405,7 +3407,7 @@
 - ldap
 - name: "MEDIUM | RHEL-07-040201 | PATCH | The Red Hat Enterprise Linux operating system must implement virtual address space randomization."
- sysctl:
+ ansible.posix.sysctl:
 name: kernel.randomize_va_space
 value: '2'
 state: present
@@ -3918,7 +3920,7 @@
 - firewall
 - name: "MEDIUM | RHEL-07-040610 | PATCH | The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets."
- sysctl:
+ ansible.posix.sysctl:
 name: net.ipv4.conf.all.accept_source_route
 state: present
 value: '0'
@@ -3936,7 +3938,7 @@
 - ipv4
 - name: "MEDIUM | RHEL-07-040611 | PATCH | The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces."
- sysctl:
+ ansible.posix.sysctl:
 name: net.ipv4.conf.all.rp_filter
 value: '1'
 state: present
@@ -3954,7 +3956,7 @@
 - ipv4
 - name: "MEDIUM | RHEL-07-040612 | PATCH | The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default."
- sysctl:
+ ansible.posix.sysctl:
 name: net.ipv4.conf.default.rp_filter
 state: present
 value: '1'
@@ -3972,7 +3974,7 @@
 - ipv4
 - name: "MEDIUM | RHEL-07-040620 | PATCH | The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default."
- sysctl:
+ ansible.posix.sysctl:
 name: net.ipv4.conf.default.accept_source_route
 state: present
 value: '0'
@@ -3990,7 +3992,7 @@
 - ipv4
 - name: "MEDIUM | RHEL-07-040630 | PATCH | The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."
- sysctl:
+ ansible.posix.sysctl:
 name: net.ipv4.icmp_echo_ignore_broadcasts
 state: present
 value: '1'
@@ -4009,7 +4011,7 @@
 - ipv4
 - name: "MEDIUM | RHEL-07-040640 | PATCH | The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted."
- sysctl:
+ ansible.posix.sysctl:
 name: net.ipv4.conf.default.accept_redirects
 state: present
 value: '0'
@@ -4027,7 +4029,7 @@
 - ipv4
 - name: "MEDIUM | RHEL-07-040641 | PATCH | The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages"
- sysctl:
+ ansible.posix.sysctl:
 name: net.ipv4.conf.all.accept_redirects
 state: present
 value: '0'
@@ -4045,7 +4047,7 @@
 - ipv4
 - name: "MEDIUM | RHEL-07-040650 | PATCH | The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default."
- sysctl:
+ ansible.posix.sysctl:
 name: net.ipv4.conf.default.send_redirects
 state: present
 value: '0'
@@ -4063,7 +4065,7 @@
 - ipv4
 - name: "MEDIUM | RHEL-07-040660 | PATCH | The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects."
- sysctl:
+ ansible.posix.sysctl:
 name: net.ipv4.conf.all.send_redirects
 state: present
 value: '0'
@@ -4215,7 +4217,7 @@
 - x11
 - name: "MEDIUM | RHEL-07-040740 | PATCH | The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router."
- sysctl:
+ ansible.posix.sysctl:
 name: net.ipv4.ip_forward
 state: present
 value: '0'
@@ -4268,11 +4270,13 @@
 - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
 block:
 - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
- include_tasks: audit_firewalld.yml
+ ansible.builtin.include_tasks:
+ file: audit_firewalld.yml
 when: rhel7stig_firewall_service == "firewalld"
 - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
- include_tasks: audit_iptables.yml
+ ansible.builtin.include_tasks:
+ file: audit_iptables.yml
 when: rhel7stig_firewall_service != "firewalld"
 - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
@@ -4311,7 +4315,7 @@
 - V-204629
 - name: "MEDIUM | RHEL-07-040830 | PATCH | The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets."
- sysctl:
+ ansible.posix.sysctl:
 name: net.ipv6.conf.all.accept_source_route
 state: present
 value: '0'
@@ -4742,7 +4746,7 @@
 - V-250312
 - name: "MEDIUM | RHEL-07-020022 | PATCH | The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH."
- seboolean:
+ ansible.posix.seboolean:
 name: ssh_sysadm_login
 persistent: true
 state: "{{ rhel7stig_ssh_sysadm_login_state }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index 33a01a26..00f1923f 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -73,13 +73,15 @@
 - always
 - name: include prelim tasks
- ansible.builtin.import_tasks: prelim.yml
+ ansible.builtin.import_tasks:
+ file: prelim.yml
 tags:
 - prelim_tasks
 - run_audit
 - name: include pre-remediation audit
- ansible.builtin.import_tasks: pre_remediation_audit.yml
+ ansible.builtin.import_tasks:
+ file: pre_remediation_audit.yml
 when:
 - run_audit
 tags:
@@ -92,21 +94,24 @@
 - always
 - name: Include CAT I patches
- ansible.builtin.import_tasks: fix-cat1.yml
+ ansible.builtin.import_tasks:
+ file: fix-cat1.yml
 when: rhel7stig_cat1_patch
 tags:
 - cat1
 - high
 - name: Include CAT II patches
- ansible.builtin.import_tasks: fix-cat2.yml
+ ansible.builtin.import_tasks:
+ file: fix-cat2.yml
 when: rhel7stig_cat2_patch
 tags:
 - cat2
 - medium
 - name: Include CAT III patches
- ansible.builtin.import_tasks: fix-cat3.yml
+ ansible.builtin.import_tasks:
+ file: fix-cat3.yml
 when: rhel7stig_cat3_patch
 tags:
 - cat3
@@ -133,7 +138,8 @@
 - not rhel7stig_skip_reboot
 - name: include post-remediation audit
- ansible.builtin.import_tasks: post_remediation_audit.yml
+ ansible.builtin.import_tasks:
+ file: post_remediation_audit.yml
 when:
 - run_audit
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index e7b7319c..81f53f79 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -1,7 +1,8 @@
 ---
 - name: Audit Binary Setup | Setup the LE audit
- ansible.builtin.include_tasks: LE_audit_setup.yml
+ ansible.builtin.include_tasks:
+ file: LE_audit_setup.yml
 when:
 - setup_audit
 tags:
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index aa2be1a7..fe3e3c93 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -226,7 +226,8 @@
 - RHEL-07-020040
 - name: "PRELIM | RHEL-07-020600 | RHEL-07-020620 | RHEL-07-020630 | RHEL-07-020640 | RHEL-07-020650 | RHEL-07-020660 | RHEL-07-020690 | Parse /etc/passwd"
- ansible.builtin.include_tasks: parse_etc_passwd.yml
+ ansible.builtin.include_tasks:
+ file: parse_etc_passwd.yml
 vars:
 rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690"
 when:
From dfb979177f01c2ab166f63a32699fd23aaae08e0 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 15 Sep 2023 16:52:48 +0100
Subject: [PATCH 04/31] updated link

Signed-off-by: Mark Bolwell

---
 .github/workflows/devel_pipeline_validation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
index a4e7d48a..dba39dc0 100644
--- a/.github/workflows/devel_pipeline_validation.yml
+++ b/.github/workflows/devel_pipeline_validation.yml
@@ -27,7 +27,7 @@
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 pr-message: |-
 Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
- Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+ Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 # This workflow contains a single job which tests the playbook
 playbook-test:
From 5108506807ba1eaefdaf7fc06b6d3bad2d7605ae Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 15 Sep 2023 16:55:32 +0100
Subject: [PATCH 05/31] lint updates

Signed-off-by: Mark Bolwell

---
 tasks/fix-cat2.yml | 10 +++++-----
 tasks/main.yml | 12 ++++++------
 tasks/pre_remediation_audit.yml | 2 +-
 tasks/prelim.yml | 2 +-
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 2083c369..de38a195 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -1445,9 +1445,9 @@
 - name: "MEDIUM | RHEL-07-020270 | AUDIT | Re-parse /etc/passwd since it changed."
 ansible.builtin.include_tasks:
- file: parse_etc_passwd.yml
+ file: parse_etc_passwd.yml
 vars:
- rhel7stig_passwd_tasks: "RHEL-07-020270"
+ rhel7stig_passwd_tasks: "RHEL-07-020270" # noqa: no-handler
 when: rhel_07_020270_patch is changed
 when:
 - rhel_07_020270
@@ -1927,7 +1927,7 @@
 - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs."
 ansible.builtin.include_tasks:
- file: audit_homedirinifiles.yml
+ file: audit_homedirinifiles.yml
 loop:
 - "{{ rhel_07_stig_interactive_homedir_inifiles }}"
 loop_control:
@@ -4271,12 +4271,12 @@
 block:
 - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
 ansible.builtin.include_tasks:
- file: audit_firewalld.yml
+ file: audit_firewalld.yml
 when: rhel7stig_firewall_service == "firewalld"
 - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
 ansible.builtin.include_tasks:
- file: audit_iptables.yml
+ file: audit_iptables.yml
 when: rhel7stig_firewall_service != "firewalld"
 - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
diff --git a/tasks/main.yml b/tasks/main.yml
index 00f1923f..e807f16e 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
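Review bot: The `# noqa: no-handler` waiver that PATCH 03/31 dropped from the old `include_tasks:` line comes back here, but it is attached to the `rhel7stig_passwd_tasks: "RHEL-07-020270"` vars entry rather than to the `when: rhel_07_020270_patch is changed` condition it exists for. Recent ansible-lint releases appear to honor a `noqa` on any line inside the task, so the suppression likely still takes effect, but a reader now sees a handler waiver hanging off a variable assignment. Moving it onto the condition, `when: rhel_07_020270_patch is changed  # noqa: no-handler`, keeps the waiver beside the line it explains; the enclosing block's outer `when:` list continues past the end of this hunk.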
@@ -74,14 +74,14 @@
 - name: include prelim tasks
 ansible.builtin.import_tasks:
- file: prelim.yml
+ file: prelim.yml
 tags:
 - prelim_tasks
 - run_audit
 - name: include pre-remediation audit
 ansible.builtin.import_tasks:
- file: pre_remediation_audit.yml
+ file: pre_remediation_audit.yml
 when:
 - run_audit
 tags:
@@ -95,7 +95,7 @@
 - name: Include CAT I patches
 ansible.builtin.import_tasks:
- file: fix-cat1.yml
+ file: fix-cat1.yml
 when: rhel7stig_cat1_patch
 tags:
 - cat1
@@ -103,7 +103,7 @@
 - name: Include CAT II patches
 ansible.builtin.import_tasks:
- file: fix-cat2.yml
+ file: fix-cat2.yml
 when: rhel7stig_cat2_patch
 tags:
 - cat2
@@ -111,7 +111,7 @@
 - name: Include CAT III patches
 ansible.builtin.import_tasks:
- file: fix-cat3.yml
+ file: fix-cat3.yml
 when: rhel7stig_cat3_patch
 tags:
 - cat3
@@ -139,7 +139,7 @@
 - name: include post-remediation audit
 ansible.builtin.import_tasks:
- file: post_remediation_audit.yml
+ file: post_remediation_audit.yml
 when:
 - run_audit
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index 81f53f79..7b4d06f5 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -2,7 +2,7 @@
 - name: Audit Binary Setup | Setup the LE audit
 ansible.builtin.include_tasks:
- file: LE_audit_setup.yml
+ file: LE_audit_setup.yml
 when:
 - setup_audit
 tags:
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index fe3e3c93..84373abd 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -227,7 +227,7 @@
 - name: "PRELIM | RHEL-07-020600 | RHEL-07-020620 | RHEL-07-020630 | RHEL-07-020640 | RHEL-07-020650 | RHEL-07-020660 | RHEL-07-020690 | Parse /etc/passwd"
 ansible.builtin.include_tasks:
- file: parse_etc_passwd.yml
+ file: parse_etc_passwd.yml
 vars:
 rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690"
 when:
From 223624e9941c7f8e8ef9c13601a73df108aa6c22 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 15 Sep 2023 17:01:48 +0100
Subject: [PATCH 06/31] removed old

Signed-off-by: Mark Bolwell

---
 .config/.secrets.baseline | 190 --------------------------------------
 1 file changed, 190 deletions(-)
 delete mode 100644 .config/.secrets.baseline

diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
deleted file mode 100644
index 522a6339..00000000
--- a/.config/.secrets.baseline
+++ /dev/null
@@ -1,190 +0,0 @@ -{ - "version": "1.4.0", - "plugins_used": [ - { - "name": "ArtifactoryDetector" - }, - { - "name": "AWSKeyDetector" - }, - { - "name": "AzureStorageKeyDetector" - }, - { - "name": "Base64HighEntropyString", - "limit": 4.5 - }, - { - "name": "BasicAuthDetector" - }, - { - "name": "CloudantDetector" - }, - { - "name": "DiscordBotTokenDetector" - }, - { - "name": "GitHubTokenDetector" - }, - { - "name": "HexHighEntropyString", - "limit": 3.0 - }, - { - "name": "IbmCloudIamDetector" - }, - { - "name": "IbmCosHmacDetector" - }, - { - "name": "JwtTokenDetector" - }, - { - "name": "KeywordDetector", - "keyword_exclude": "" - }, - { - "name": "MailchimpDetector" - }, - { - "name": "NpmDetector" - }, - { - "name": "PrivateKeyDetector" - }, - { - "name": "SendGridDetector" - }, - { - "name": "SlackDetector" - }, - { - "name": "SoftlayerDetector" - }, - { - "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TwilioKeyDetector" - } - ], - "filters_used": [ - { - "path": "detect_secrets.filters.allowlist.is_line_allowlisted" - }, - { - "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".config/.secrets.baseline" - }, - { - "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", - "min_level": 2 - }, - { - "path": "detect_secrets.filters.heuristic.is_indirect_reference" - }, - { - "path": "detect_secrets.filters.heuristic.is_likely_id_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_lock_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_potential_uuid" - }, - { - "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" - }, - { - "path": "detect_secrets.filters.heuristic.is_sequential_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_swagger_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_templated_secret" - }, - { - "path": 
"detect_secrets.filters.regex.should_exclude_file", - "pattern": [ - ".config/.gitleaks-report.json" - ] - } - ], - "results": { - "defaults/main.yml": [ - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 467, - "is_secret": false - } - ], - "tasks/fix-cat2.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/fix-cat2.yml", - "hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859", - "is_verified": false, - "line_number": 1449, - "is_secret": false - } - ], - "tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "2784977b09b611a32db88f631d88a5806605967e", - "is_verified": false, - "line_number": 39, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 56, - "is_secret": false - } - ], - "tasks/parse_etc_passwd.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/parse_etc_passwd.yml", - "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "is_verified": false, - "line_number": 18 - } - ], - "tasks/prelim.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/prelim.yml", - "hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a", - "is_verified": false, - "line_number": 228, - "is_secret": false - } - ], - "templates/pam_pkcs11.conf.j2": [ - { - "type": "Secret Keyword", - "filename": "templates/pam_pkcs11.conf.j2", - "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", - "is_verified": false, - "line_number": 173, - "is_secret": false - } - ] - }, - "generated_at": "2023-09-14T14:19:49Z" -} From 20a720a780bc8da17abca7a74ac6b2882265a442 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 17:02:56 +0100 Subject: [PATCH 07/31] added new defined secrets file 
Signed-off-by: Mark Bolwell

---
 .config/.gitleaks-report.json | 143 ++++++++++++++++++++++++-
 .config/.secrets.baseline | 190 ++++++++++++++++++++++++++++++++++
 2 files changed, 332 insertions(+), 1 deletion(-)
 create mode 100644 .config/.secrets.baseline

diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json
index fe51488c..bea9d1d8 100644
--- a/.config/.gitleaks-report.json
+++ b/.config/.gitleaks-report.json
@@ -1 +1,142 @@ -[] +[ + { + "Description": "Generic API Key", + "StartLine": 125, + "EndLine": 125, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", + "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "File": ".config/.secrets.baseline", + "SymlinkFile": "", + "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", + "Entropy": 3.646039, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-09-14T14:20:12Z", + "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:125" + }, + { + "Description": "Generic API Key", + "StartLine": 135, + "EndLine": 135, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"673504d3db128a01a93d32de2b104a05dc2e6859\"", + "Secret": "673504d3db128a01a93d32de2b104a05dc2e6859", + "File": ".config/.secrets.baseline", + "SymlinkFile": "", + "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", + "Entropy": 3.7750704, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-09-14T14:20:12Z", + "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:135" + }, + { + "Description": "Generic API Key", + "StartLine": 145, + "EndLine": 145, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"2784977b09b611a32db88f631d88a5806605967e\"", + "Secret": "2784977b09b611a32db88f631d88a5806605967e", + "File": ".config/.secrets.baseline", + "SymlinkFile": "", + "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", + "Entropy": 3.718454, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": 
"2023-09-14T14:20:12Z", + "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:145" + }, + { + "Description": "Generic API Key", + "StartLine": 153, + "EndLine": 153, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", + "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "File": ".config/.secrets.baseline", + "SymlinkFile": "", + "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", + "Entropy": 3.646039, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-09-14T14:20:12Z", + "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:153" + }, + { + "Description": "Generic API Key", + "StartLine": 163, + "EndLine": 163, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", + "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "File": ".config/.secrets.baseline", + "SymlinkFile": "", + "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", + "Entropy": 3.8439426, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-09-14T14:20:12Z", + "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:163" + }, + { + "Description": "Generic API Key", + "StartLine": 172, + "EndLine": 172, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"fd917ab33fb6bd01e799f4b72da0586589cd909a\"", + "Secret": 
"fd917ab33fb6bd01e799f4b72da0586589cd909a", + "File": ".config/.secrets.baseline", + "SymlinkFile": "", + "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", + "Entropy": 3.808695, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-09-14T14:20:12Z", + "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:172" + }, + { + "Description": "Generic API Key", + "StartLine": 182, + "EndLine": 182, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\"", + "Secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "File": ".config/.secrets.baseline", + "SymlinkFile": "", + "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", + "Entropy": 3.8250706, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-09-14T14:20:12Z", + "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:182" + } +] diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline new file mode 100644 index 00000000..47521f1c --- /dev/null +++ b/.config/.secrets.baseline 
@@ -0,0 +1,190 @@ +{ + "version": "1.4.0", + "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, + { + "name": "AWSKeyDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "name": "Base64HighEntropyString", + "limit": 4.5 + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "name": "KeywordDetector", + "keyword_exclude": "" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "SendGridDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_baseline_file", + "filename": ".config/.secrets.baseline" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": "detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": 
"detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + ".config/.gitleaks-report.json" + ] + } + ], + "results": { + "defaults/main.yml": [ + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "is_verified": false, + "line_number": 467, + "is_secret": false + } + ], + "tasks/fix-cat2.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/fix-cat2.yml", + "hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859", + "is_verified": false, + "line_number": 1450, + "is_secret": false + } + ], + "tasks/main.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "2784977b09b611a32db88f631d88a5806605967e", + "is_verified": false, + "line_number": 39, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "is_verified": false, + "line_number": 56, + "is_secret": false + } + ], + "tasks/parse_etc_passwd.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/parse_etc_passwd.yml", + "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "is_verified": false, + "line_number": 18 + } + ], + "tasks/prelim.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/prelim.yml", + "hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a", + "is_verified": false, + "line_number": 232, + "is_secret": false + } + ], + "templates/pam_pkcs11.conf.j2": [ + { + "type": "Secret Keyword", + "filename": "templates/pam_pkcs11.conf.j2", + "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "is_verified": false, + "line_number": 173, + "is_secret": false + } + ] + }, + "generated_at": "2023-09-15T16:02:38Z" +} From 5956a0f6ba4134a1ce579a0ad482392793648078 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 17:03:14 +0100 Subject: [PATCH 08/31] added precommit 
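Review bot: Every finding in the recreated baseline carries an audit decision (`"is_secret": false`) except the `tasks/parse_etc_passwd.yml` entry at `"line_number": 18`, which has no `is_secret` key at all, so that hit has never been through `detect-secrets audit` and the baseline accepts it as unreviewed rather than as a confirmed false positive. The other six are `Secret Keyword` matches on hardening variables and read as noise, but the unaudited one should get the same explicit decision so a real credential could not sit behind it unnoticed. The file differs from the copy deleted in PATCH 06/31 only in shifted `line_number` values and `generated_at`, so the delete-and-recreate pair could have been a single regeneration commit.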
Signed-off-by: Mark Bolwell

---
 .pre-commit-config.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 97c79434..40a21e27 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -41,6 +41,7 @@ repos:
 hooks:
 - id: gitleaks
 args: ['--baseline-path', '.config/.gitleaks-report.json']
+ exclude: .config/.secrets.baseline
 - repo: https://github.com/ansible-community/ansible-lint
 rev: v6.17.2
From aa000e8c31a227501a657baa3ec7327a6e776a60 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 9 Oct 2023 15:39:15 +0100
Subject: [PATCH 09/31] lint updates

Signed-off-by: Mark Bolwell

---
 CONTRIBUTING.rst | 1 -
 ChangeLog.md | 4 ++--
 ansible.cfg | 1 -
 doc/README.md | 1 -
 templates/01-banner-message.j2 | 2 +-
 templates/ansible_vars_goss.yml.j2 | 4 ++--
 templates/audit/99_auditd.rules.j2 | 2 +-
 templates/pam_pkcs11.conf.j2 | 12 ++++++------
 8 files changed, 12 insertions(+), 15 deletions(-)

diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index 2fa743d8..23ce2fb7 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@@ -65,4 +65,3 @@ following text in your contribution commit message:
 This message can be entered manually, or if you have configured git with the correct `user.name` and `user.email`, you can use the `-s` option to `git commit` to automatically include the signoff message.
-
diff --git a/ChangeLog.md b/ChangeLog.md
index 0859edd9..608849fd 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
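Review bot: pre-commit treats `exclude` as a Python regular expression matched against the path, so the unanchored `exclude: .config/.secrets.baseline` with unescaped dots also matches any path where those dot positions hold other characters; it does the job here, but `exclude: ^\.config/\.secrets\.baseline$` states the intent exactly and cannot drift if similarly named files appear. Skipping the detect-secrets baseline in the gitleaks hook is reasonable, since that file holds only SHA-1 digests of flagged strings rather than the strings themselves. It also means the seven `.config/.secrets.baseline` findings that PATCH 07/31 recorded in `.config/.gitleaks-report.json` are no longer consulted by this hook, so they could be pruned so the gitleaks baseline only waives findings in files that are actually scanned.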
@@ -115,14 +115,14 @@ README ## Release 1.9.0 -- RHEL-07-010271 - New Control Added +- RHEL-07-010271 - New Control Added - Update to STIG V3R9 Oct 27th 2022 - Changes Listed Below - RHEL-07-010342, RHEL-07-010343, RHEL- 07-020023, RHEL-07-030201 - Updated fix text. - RHEL-07-021040, RHEL-07-021700 - Updated check text command to eliminate false positives. - RHEL-07-030840 - Updated check and fix text. - RHEL-07-040160 - Updated check text. - RHEL-07-040310 - Corrected typo in the Vulnerability Discussion. - - RHEL-07-040360, RHEL-07-040530 - Updated CCI. + - RHEL-07-040360, RHEL-07-040530 - Updated CCI. - Update to README and requirements - RHEL-07-010010, RHEL-07-010020, RHEL-07-010291, RHEL-07-021030,RHEL-07-021040 - Updated Tag Information diff --git a/ansible.cfg b/ansible.cfg index f0ab6836..c7c4ec86 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -23,4 +23,3 @@ transfer_method=scp [colors] [diff] - diff --git a/doc/README.md b/doc/README.md index fb11aec8..923de017 100644 --- a/doc/README.md +++ b/doc/README.md @@ -5,4 +5,3 @@ To generate the documentation on a RHEL/CentOS 7 system, take the following step * `sudo pip3 install -r requirements.txt` 3. Generate the documentation: * `make singlehtml` - diff --git a/templates/01-banner-message.j2 b/templates/01-banner-message.j2 index 21e7c2b2..7d9c917b 100644 --- a/templates/01-banner-message.j2 +++ b/templates/01-banner-message.j2 @@ -1,4 +1,4 @@ -[org/gnome/login-screen] +[org/gnome/login-screen] banner-message-enable=true banner-message-text='{{ rhel7stig_logon_banner }}' diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 7e75ab30..8e562654 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -28,7 +28,7 @@ rhel7stig_cat1: {{ rhel7stig_cat1_patch }} rhel7stig_cat2: {{ rhel7stig_cat2_patch }} rhel7stig_cat3: {{ rhel7stig_cat3_patch }} -## CAT I +## CAT I RHEL_07_010010: {{ rhel_07_010010 }} RHEL_07_010020: {{ rhel_07_010020 }} RHEL_07_010290: {{ rhel_07_010290 }} @@ -337,7 +337,7 @@ rhel7stig_staff_u: # host intrision protection e.g. Mcafee HIPS rhel7stig_hip_enabled: false -rhel7stig_hip_pkg: +rhel7stig_hip_pkg: rhel7stig_hip_proc: # RHEL-07-010483 & RHEL-07-010492 diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 2b730902..445e5ef7 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -50,7 +50,7 @@ {% endif %} {% if rhel_07_030620 %} --w /var/log/lastlog -p wa -k logins +-w /var/log/lastlog -p wa -k logins {% endif %} {% if rhel_07_030630 %} diff --git a/templates/pam_pkcs11.conf.j2 b/templates/pam_pkcs11.conf.j2 index 7ca73675..657b9931 100644 --- a/templates/pam_pkcs11.conf.j2 +++ b/templates/pam_pkcs11.conf.j2 @@ -9,7 +9,7 @@ pam_pkcs11 { nullok = true; # Enable debugging support. - debug = false; + debug = false; # If the smart card is inserted, only use it card_only = true; @@ -32,7 +32,7 @@ pam_pkcs11 { screen_savers = gnome-screensaver,xscreensaver,kscreensaver pkcs11_module {{ rhel07stig_smartcarddriver }} { - {% if rhel07stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel07stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} + {% if rhel07stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel07stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} module = /usr/lib64/libcackey.so; description = "{{ rhel07stig_smartcarddriver }}"; slot_num = 0; 
@@ -54,7 +54,7 @@ pam_pkcs11 { # you can mange the certs in this database with the certutil command in # the package nss-tools nss_dir = /etc/pki/nssdb; - + # Sets the Certificate Policy, (see above) cert_policy = ca, signature; } @@ -96,10 +96,10 @@ pam_pkcs11 { # When no absolute path or module info is provided, use this # value as module search path # TODO: - # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH + # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH mapper_search_path = /usr/$LIB/pam_pkcs11; - # + # # Generic certificate contents mapper mapper generic { debug = true; @@ -194,7 +194,7 @@ pam_pkcs11 { module = internal; # module = /usr/$LIB/pam_pkcs11/mail_mapper.so; # Declare mapfile or - # leave empty "" or "none" to use no map + # leave empty "" or "none" to use no map mapfile = file:///etc/pam_pkcs11/mail_mapping; # Some certs store email in uppercase. take care on this ignorecase = true; From d14af2e9be8c479f3d429fb03b6b1b89865533cd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Oct 2023 15:39:26 +0100 Subject: [PATCH 10/31] updated Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 27 +++++++++------------------ 1 file changed, 9 insertions(+), 18 deletions(-) diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index 47521f1c..a363f314 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -75,10 +75,6 @@ { "path": "detect_secrets.filters.allowlist.is_line_allowlisted" }, - { - "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".config/.secrets.baseline" - }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", "min_level": 2 @@ -113,7 +109,8 @@ { "path": "detect_secrets.filters.regex.should_exclude_file", "pattern": [ - ".config/.gitleaks-report.json" + ".config/.gitleaks-report.json", + "tasks/parse_etc_password.yml" ] } ], 
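Review bot: The new exclude pattern `"tasks/parse_etc_password.yml"` does not match the file that actually carries the finding, which the results block in the next hunk lists as `tasks/parse_etc_passwd.yml`, so the exclusion is a no-op until the path is corrected (the following patch in this series does that). Beyond the typo, a `should_exclude_file` entry removes the whole file from scanning, so any credential added to it later is never reported; the per-line `# pragma: allowlist secret` marker this series uses for the other findings is the narrower tool. I would keep a line-level marker on the one flagged line and drop the path from `pattern`.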
@@ -124,8 +121,7 @@ "filename": "defaults/main.yml", "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", "is_verified": false, - "line_number": 467, - "is_secret": false + "line_number": 467 } ], "tasks/fix-cat2.yml": [ @@ -134,8 +130,7 @@ "filename": "tasks/fix-cat2.yml", "hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859", "is_verified": false, - "line_number": 1450, - "is_secret": false + "line_number": 1450 } ], "tasks/main.yml": [ @@ -144,16 +139,14 @@ "filename": "tasks/main.yml", "hashed_secret": "2784977b09b611a32db88f631d88a5806605967e", "is_verified": false, - "line_number": 39, - "is_secret": false + "line_number": 39 }, { "type": "Secret Keyword", "filename": "tasks/main.yml", "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", "is_verified": false, - "line_number": 56, - "is_secret": false + "line_number": 56 } ], "tasks/parse_etc_passwd.yml": [ @@ -171,8 +164,7 @@ "filename": "tasks/prelim.yml", "hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a", "is_verified": false, - "line_number": 232, - "is_secret": false + "line_number": 232 } ], "templates/pam_pkcs11.conf.j2": [ @@ -181,10 +173,9 @@ "filename": "templates/pam_pkcs11.conf.j2", "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", "is_verified": false, - "line_number": 173, - "is_secret": false + "line_number": 173 } ] }, - "generated_at": "2023-09-15T16:02:38Z" + "generated_at": "2023-10-09T14:38:05Z" } From 1dc0f9b6af888b6f8dd40358ec27a6b0cadc0cba Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Oct 2023 15:43:48 +0100 Subject: [PATCH 11/31] added pragma allow list Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 68 ++---------------------------------- defaults/main.yml | 2 +- tasks/fix-cat2.yml | 2 +- tasks/main.yml | 6 ++-- tasks/prelim.yml | 2 +- templates/pam_pkcs11.conf.j2 | 2 +- 6 files changed, 10 insertions(+), 72 deletions(-) diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index a363f314..eab74d91 100644 
--- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -110,72 +110,10 @@ "path": "detect_secrets.filters.regex.should_exclude_file", "pattern": [ ".config/.gitleaks-report.json", - "tasks/parse_etc_password.yml" + "tasks/parse_etc_passwd.yml" ] } ], - "results": { - "defaults/main.yml": [ - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 467 - } - ], - "tasks/fix-cat2.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/fix-cat2.yml", - "hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859", - "is_verified": false, - "line_number": 1450 - } - ], - "tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "2784977b09b611a32db88f631d88a5806605967e", - "is_verified": false, - "line_number": 39 - }, - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 56 - } - ], - "tasks/parse_etc_passwd.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/parse_etc_passwd.yml", - "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "is_verified": false, - "line_number": 18 - } - ], - "tasks/prelim.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/prelim.yml", - "hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a", - "is_verified": false, - "line_number": 232 - } - ], - "templates/pam_pkcs11.conf.j2": [ - { - "type": "Secret Keyword", - "filename": "templates/pam_pkcs11.conf.j2", - "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", - "is_verified": false, - "line_number": 173 - } - ] - }, - "generated_at": "2023-10-09T14:38:05Z" + "results": {}, + "generated_at": "2023-10-09T14:42:52Z" } diff --git a/defaults/main.yml b/defaults/main.yml index 916abcca..5310cee1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -464,7 +464,7 @@ rhel7stig_force_exact_packages: "{{ rhel7stig_disruption_high }}" # RHEL-07-010480 and RHEL-07-010490 # Password protect the boot loader -rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' +rhel7stig_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret rhel7stig_boot_superuser: root # RHEL-07-021700 set the value for correctly configured grub bootloader sequence diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index de38a195..0355d7a5 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1447,7 +1447,7 @@ ansible.builtin.include_tasks: file: parse_etc_passwd.yml vars: - rhel7stig_passwd_tasks: "RHEL-07-020270" # noqa: no-handler + rhel7stig_passwd_tasks: "RHEL-07-020270" # noqa: no-handler # pragma: allowlist secret when: rhel_07_020270_patch is changed when: - rhel_07_020270 diff --git a/tasks/main.yml b/tasks/main.yml index e807f16e..2041044a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -36,7 +36,7 @@ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You a password set for the {{ ansible_env.SUDO_USER }}" vars: - sudo_password_rule: RHEL-07-010340 + sudo_password_rule: RHEL-07-010340 # pragma: allowlist secret when: - rhel_07_010340 - ansible_env.SUDO_USER is defined 
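Review bot: The changed line in tasks/fix-cat2.yml now carries two inline directives, `# noqa: no-handler # pragma: allowlist secret`, and it is worth confirming that ansible-lint still reads the `noqa` rule list when a second `#` comment follows it on the same line, and that detect-secrets matches the pragma when it is not the first comment. If either parser is strict, the suppression silently stops working and the next run reports the rule the author meant to skip. The `rhel7stig_passwd_tasks` value is a STIG control id rather than a credential, so the allowlist marker itself is appropriate.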
@@ -53,8 +53,8 @@ - name: Check rhel7stig_bootloader_password_hash variable has been changed ansible.builtin.assert: - that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' - msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set. You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'" + that: rhel7stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret + msg: "This role will not be able to run single user password commands as rhel7stig_bootloader_password_hash variable has not been set. You can create the hash on a RHEL 7.9 system using the command 'grub2-mkpasswd-pbkdf2'" # pragma: allowlist secret when: - rhel_07_010481 or rhel_07_010482 or diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 84373abd..8bfaf00b 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -229,7 +229,7 @@ ansible.builtin.include_tasks: file: parse_etc_passwd.yml vars: - rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690" + rhel7stig_passwd_tasks: "RHEL-07-020620 RHEL-07-020630 RHEL-07-020640 RHEL-07-020650 RHEL-07-020660 RHEL-07-020690" # pragma: allowlist secret when: - rhel_07_020600 or rhel_07_020620 or diff --git a/templates/pam_pkcs11.conf.j2 b/templates/pam_pkcs11.conf.j2 index 657b9931..9fac3d9f 100644 --- a/templates/pam_pkcs11.conf.j2 +++ b/templates/pam_pkcs11.conf.j2 @@ -170,7 +170,7 @@ pam_pkcs11 { # DN to bind with. Must have read-access for user entries under "base" binddn = "cn=pam,o=example,c=com"; # Password for above DN - passwd = "test"; + passwd = "test"; # pragma: allowlist secret # Searchbase for user entries base = "ou=People,o=example,c=com"; # Attribute of user entry which contains the certificate From 6098b0256fc2e5c233e3b4ae9fd6d91e5d2d3788 Mon Sep 17 00:00:00 2001 
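Review bot: The allowlist marker on `passwd = "test"; # pragma: allowlist secret` silences the scanner but leaves a literal LDAP bind password in a PAM configuration that this template renders onto managed hosts, which is exactly what the scanner was pointing at. Whether this mapper block is active depends on configuration outside the hunk, but a rendered config should not carry a fixed credential; templating the value from a role variable with an empty default, and keeping the pragma only where the literal is a documented placeholder, addresses the cause rather than the report. It is also worth confirming that the pam_pkcs11 config parser accepts a trailing `#` comment on a value line, since the surrounding lines only show `#` used at the start of a line.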
From: Mark Bolwell Date: Mon, 9 Oct 2023 16:03:42 +0100 Subject: [PATCH 12/31] updated due to galaxy changes Signed-off-by: Mark Bolwell --- collections/requirements.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/collections/requirements.yml b/collections/requirements.yml index 4a418efa..8ebc6180 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,8 +1,14 @@ --- collections: -- name: community.general + - name: community.general + source: https://github.com/ansible-collections/community.general + type: git -- name: community.crypto + - name: community.crypto + source: https://github.com/ansible-collections/community.crypto + type: git -- name: ansible.posix + - name: ansible.posix + source: https://github.com/ansible-collections/ansible.posix + type: git From 197f96149baf54fdf668d9e96ba9dba9e2a4c0ed Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Oct 2023 16:06:34 +0100 Subject: [PATCH 13/31] moved file Signed-off-by: Mark Bolwell --- {vars => tasks}/CentOS.yml | 0 vars/Centos.yml | 9 --------- 2 files changed, 9 deletions(-) rename {vars => tasks}/CentOS.yml (100%) delete mode 100644 vars/Centos.yml diff --git a/vars/CentOS.yml b/tasks/CentOS.yml similarity index 100% rename from vars/CentOS.yml rename to tasks/CentOS.yml diff --git a/vars/Centos.yml b/vars/Centos.yml deleted file mode 100644 index 05e0e648..00000000 --- a/vars/Centos.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- - -gpg_keys: - - name: 'CentOS 7 Official Signing Key' - packager: "security@centos.org" - fingerprint: "6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5" - -gpg_package: centos-release -rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 From d49469b0b69672411a59f4c9d703ba3e318f0b0b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Oct 2023 16:06:55 +0100 Subject: [PATCH 14/31] updated path 
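Review bot: The three collections in collections/requirements.yml now resolve from git with `type: git` but no `version:` key, so an install from this file follows the default branch head of each repository and two runs can pull different, unreviewed code. The previous Galaxy-name form was unpinned too, but moving to raw git sources also bypasses Galaxy's release artefacts, so pin each entry, e.g. `version: <release tag or commit>` under each `source:`. Without a pin the CI runs that install from this file are not reproducible either.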
Signed-off-by: Mark Bolwell --- {tasks => vars}/CentOS.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {tasks => vars}/CentOS.yml (100%) diff --git a/tasks/CentOS.yml b/vars/CentOS.yml similarity index 100% rename from tasks/CentOS.yml rename to vars/CentOS.yml From 5aae574e522fc3ae91f62d6dff6e97dbfc0d9049 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Oct 2023 16:24:50 +0100 Subject: [PATCH 15/31] removed quality badge since galaxy-ng Signed-off-by: Mark Bolwell --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 40081ffc..70be8088 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,6 @@ This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on July 23 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) -![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61792?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) From fb6f4fefa384b9538cbf582ab485c4f5eab520de Mon Sep 17 00:00:00 2001 From: layluke Date: Wed, 18 Oct 2023 17:44:53 -0400 Subject: [PATCH 16/31] Adding additional condition for rhel7stig_grub2_user_cfg for task Signed-off-by: layluke --- handlers/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index c414bd4c..88fb8027 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -27,7 +27,7 @@ - name: make grub2 config ansible.builtin.shell: /usr/sbin/grub2-mkconfig --output={{ rhel7stig_bootloader_path }}grub.cfg when: - - rhel7stig_grub2_user_cfg.stat.exists + - (rhel7stig_grub2_user_cfg is defined) and (rhel7stig_grub2_user_cfg.stat.exists) - not rhel7stig_skip_for_travis - not rhel7stig_system_is_container @@ -42,7 +42,7 @@ - grub.cfg - user.cfg when: - - rhel7stig_grub2_user_cfg.stat.exists + - (rhel7stig_grub2_user_cfg is defined) and (rhel7stig_grub2_user_cfg.stat.exists) - rhel7stig_workaround_for_disa_benchmark - not rhel7stig_skip_for_travis - not rhel7stig_system_is_container From b3f324894dfe8a13013e31169ebf4c624405635e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 31 Oct 2023 16:25:23 +0000 Subject: [PATCH 17/31] updated the workflow version and galaxy setup Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/main_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/update_galaxy.yml | 14 ++++++-------- 3 files changed, 24 insertions(+), 26 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index dba39dc0..9fbe7aa8 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -29,7 +29,7 @@ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest 
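Review bot: The added `is defined` guard only covers the case where `rhel7stig_grub2_user_cfg` was never registered; if the registering stat task (outside this hunk) ran but was skipped, the variable is defined yet carries no `stat` key, and `rhel7stig_grub2_user_cfg.stat.exists` still raises. Guarding the nested key covers both cases: `- (rhel7stig_grub2_user_cfg.stat is defined) and (rhel7stig_grub2_user_cfg.stat.exists)`, since Ansible's undefined object lets attribute access fall through to another undefined. The same condition is repeated in the second hunk of this file (`@@ -42,7 +42,7 @@`) and should change the same way.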
@@ -44,13 +44,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -74,7 +74,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -82,7 +82,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -90,7 +90,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -111,9 +111,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 0b149fb3..67ee9d90 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml 
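Review bot: `run: sleep ${{ vars.BUILD_SLEEPTIME }}` inlines a repository variable directly into the shell line, and when that variable is unset (a fork or a fresh repository) the step runs `sleep` with no argument and fails; the step is also still named `Sleep for 60 seconds` although the duration is no longer fixed. Passing the value through `env:` as `BUILD_SLEEPTIME: ${{ vars.BUILD_SLEEPTIME }}` and running `sleep "${BUILD_SLEEPTIME:-60}"` keeps expression output out of the script text and tolerates a missing variable. The same hunk appears in main_pipeline_validation.yml. While the commit moves `actions/checkout` to v4, the next step in this hunk still uses `arillso/action.playbook@master`, a mutable branch reference; pinning it to a tag or commit SHA would match the rest of the update.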
@@ -18,7 +18,7 @@ # that can run sequentially or in parallel jobs: - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -33,13 +33,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -63,7 +63,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -71,7 +71,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -79,7 +79,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -100,9 +100,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: 
diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 951a53cb..f9352800 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,11 +1,7 @@ --- -# This is a basic workflow to help you get started with Actions - name: update galaxy -# Controls when the action will run. -# Triggers the workflow on merge request events to the main branch on: push: branches: @@ -14,8 +10,10 @@ jobs: update_role: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: robertdebock/galaxy-action@master + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} - git_branch: main + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} From d687371cf0ff509bf1e9fa0a0da7526995825119 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Nov 2023 12:26:54 +0000 Subject: [PATCH 18/31] removed file Signed-off-by: Mark Bolwell --- .config/.gitleaks-report.json | 142 ---------------------------------- 1 file changed, 142 deletions(-) delete mode 100644 .config/.gitleaks-report.json diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json deleted file mode 100644 index bea9d1d8..00000000 --- a/.config/.gitleaks-report.json +++ /dev/null 
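Review bot: The new `uses: ansible-actions/ansible-galaxy-action@main` replaces one mutable branch reference with another, and this is the step that receives `secrets.GALAXY_API_KEY`, so anyone who can push to that action's `main` branch can run code holding the publishing credential on every push to the release branch. Pin it to a release tag or, better, a full commit SHA with a comment naming the tag, e.g. `uses: ansible-actions/ansible-galaxy-action@<commit sha>  # <tag>`. The removed `git_branch: main` input has no replacement in the new `with:` block, so it is worth confirming the new action publishes from the checked-out ref without an equivalent input.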
@@ -1,142 +0,0 @@ -[ - { - "Description": "Generic API Key", - "StartLine": 125, - "EndLine": 125, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", - "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.646039, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:125" - }, - { - "Description": "Generic API Key", - "StartLine": 135, - "EndLine": 135, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"673504d3db128a01a93d32de2b104a05dc2e6859\"", - "Secret": "673504d3db128a01a93d32de2b104a05dc2e6859", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.7750704, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:135" - }, - { - "Description": "Generic API Key", - "StartLine": 145, - "EndLine": 145, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"2784977b09b611a32db88f631d88a5806605967e\"", - "Secret": "2784977b09b611a32db88f631d88a5806605967e", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.718454, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": 
"2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:145" - }, - { - "Description": "Generic API Key", - "StartLine": 153, - "EndLine": 153, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", - "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.646039, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:153" - }, - { - "Description": "Generic API Key", - "StartLine": 163, - "EndLine": 163, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", - "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.8439426, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:163" - }, - { - "Description": "Generic API Key", - "StartLine": 172, - "EndLine": 172, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"fd917ab33fb6bd01e799f4b72da0586589cd909a\"", - "Secret": 
"fd917ab33fb6bd01e799f4b72da0586589cd909a", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.808695, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:172" - }, - { - "Description": "Generic API Key", - "StartLine": 182, - "EndLine": 182, - "StartColumn": 18, - "EndColumn": 68, - "Match": "secret\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\"", - "Secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", - "File": ".config/.secrets.baseline", - "SymlinkFile": "", - "Commit": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131", - "Entropy": 3.8250706, - "Author": "Mark Bolwell", - "Email": "mark.bollyuk@gmail.com", - "Date": "2023-09-14T14:20:12Z", - "Message": "gcsm \"added and setup secrets\"\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", - "Tags": [], - "RuleID": "generic-api-key", - "Fingerprint": "a5bff3aeebed42fc2ae23d04d64cf9ed560bf131:.config/.secrets.baseline:generic-api-key:182" - } -] From 9dd216c104c7942e2aa5c7c75c86c4b8848863df Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Nov 2023 12:27:08 +0000 Subject: [PATCH 19/31] updated Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 40a21e27..97c79434 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,7 +41,6 @@ repos: hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - exclude: .config/.secrets.baseline - repo: https://github.com/ansible-community/ansible-lint rev: v6.17.2 From 388f85061c0b8ffe04d9a10173666e0542c1b02b Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Wed, 1 Nov 2023 12:27:44 +0000 Subject: [PATCH 20/31] updated Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 97c79434..00d0e09d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.2.0 + rev: v4.5.0 hooks: # Safety - id: detect-aws-credentials @@ -34,16 +34,16 @@ repos: hooks: - id: detect-secrets args: [ '--baseline', '.config/.secrets.baseline' ] - exclude: .config/.gitleaks-report.json + - repo: https://github.com/gitleaks/gitleaks - rev: v8.17.0 + rev: v8.18.0 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.17.2 + rev: v6.21.1 hooks: - id: ansible-lint name: Ansible-lint From 22f7dabfedc1afb76f45deba55129427de70f169 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Nov 2023 12:28:47 +0000 Subject: [PATCH 21/31] lint update Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 00d0e09d..f2f732af 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,7 +35,6 @@ repos: - id: detect-secrets args: [ '--baseline', '.config/.secrets.baseline' ] - - repo: https://github.com/gitleaks/gitleaks rev: v8.18.0 hooks: From 51b2df3a671cc1d33eb6d891a1b480283857942f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Nov 2023 12:30:39 +0000 Subject: [PATCH 22/31] fix typo Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 2 +- .github/workflows/main_pipeline_validation.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
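Review bot: The gitleaks hook keeps `args: ['--baseline-path', '.config/.gitleaks-report.json']` on the new side of the `@@ -34,16 +34,16 @@` hunk, but that file was deleted earlier in this series (the "removed file" patch), so the hook now points at a baseline that no longer exists in the repository. What gitleaks does with a missing baseline file is to be confirmed, but either outcome is wrong: a hard error breaks every commit, and a silent skip drops the suppression the baseline provided. Since the findings that report suppressed were the hash values inside `.config/.secrets.baseline`, which this series has since emptied, the `args` line can simply be removed; otherwise regenerate the report and commit it alongside this change.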
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 9fbe7aa8..39af625a 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -113,7 +113,7 @@ - name: Sleep for 60 seconds run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the Ansibleplaybook + # Run the Ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 67ee9d90..8ded7018 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -102,7 +102,7 @@ - name: Sleep for 60 seconds run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the Ansibleplaybook + # Run the Ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: From 444074df1e271f4a156a5233ca86d69f2c0ae1c8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 14 Nov 2023 16:28:23 +0000 Subject: [PATCH 23/31] rhel7stig_boot_part variable now discovered Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 -- tasks/prelim.yml | 15 +++------------ 2 files changed, 3 insertions(+), 14 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5310cee1..d773ab60 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -693,8 +693,6 @@ rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1, rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}" -rhel7stig_boot_part: "{{ rhel_07_boot_part.stdout }}" - rhel7stig_legacy_boot_path: '/boot/grub2/' rhel7stig_efi_boot_path: '/boot/efi/EFI/' diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 8bfaf00b..5c66c1a1 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -300,18 +300,6 @@ - RHEL-07-031000 - RHEL-07-031010 -- name: "PRELIM | RHEL-07-021350 | Check if /boot or /boot/efi reside on separate partitions" - ansible.builtin.shell: df --output=target /boot | tail -n 1 - changed_when: false - check_mode: false - register: rhel_07_boot_part - when: - - rhel_07_021350 - tags: - - cat1 - - high - - RHEL-07-021350 - - name: "PRELIM | RHEL-07-030300 | RHEL-07-030310 | RHEL-07-030320 | RHEL-07-030321 | Install audit remote plugin." ansible.builtin.package: name: audispd-plugins @@ -443,6 +431,7 @@ rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}redhat" rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_legacy_boot: false + rhel7stig_boot_part: /boot/efi when: - rhel7_efi_boot.stat.exists - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path @@ -452,6 +441,7 @@ rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}centos" rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_legacy_boot: false + rhel7stig_boot_part: /boot/efi when: - rhel7_efi_boot.stat.exists - ansible_distribution == 'CentOS' @@ -461,6 +451,7 @@ rhel7stig_bootloader_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_not_boot_path: "{{ rhel7stig_efi_boot_path }}" rhel7stig_legacy_boot: true + rhel7stig_boot_part: /boot when: not rhel7_efi_boot.stat.exists - name: PRELIM | output bootloader and efi state From 6276776d77ab640872d7aba4365b765516d80110 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 14 Nov 2023 17:22:51 +0000 Subject: [PATCH 24/31] tidy up of rhel7stig_boot_part variable Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 ++ tasks/prelim.yml | 3 --- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d773ab60..89b65ab1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
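Review bot: The three `set_fact` hunks replace a measured value with a constant: the removed task set `rhel_07_boot_part` from `df --output=target /boot`, which yields `/` when /boot is not a separate partition, whereas the added `rhel7stig_boot_part: /boot/efi` / `/boot` lines are chosen only by UEFI-versus-legacy boot mode (`rhel7_efi_boot.stat.exists`) and never by whether that path is its own mount. Any consumer testing `rhel7stig_boot_part not in ['/', '']` (the RHEL-07-021350 task in PATCH 26 does) will now always take the separate-partition branch, the opposite of the control's condition. If the goal was to stop shelling out, the value can still be derived from facts, for example `rhel7stig_boot_part: "{{ (ansible_mounts | selectattr('mount', 'match', '^/boot(/efi)?$') | map(attribute='mount') | list | first) | default('/') }}"`. The `set_fact` tasks these lines belong to start outside the hunks.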
@@ -693,6 +693,8 @@ rhel7stig_auditd_failure_flag: "{{ rhel7stig_availability_override | ternary(1, rhel7stig_audit_part: "{{ rhel_07_audit_part.stdout }}" +rhel7stig_boot_part: /boot + rhel7stig_legacy_boot_path: '/boot/grub2/' rhel7stig_efi_boot_path: '/boot/efi/EFI/' diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 5c66c1a1..17fe42bb 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -431,7 +431,6 @@ rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}redhat" rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_legacy_boot: false - rhel7stig_boot_part: /boot/efi when: - rhel7_efi_boot.stat.exists - ansible_distribution != 'CentOS' # Note: rhel & OEL both use redhat path @@ -441,7 +440,6 @@ rhel7stig_bootloader_path: "{{ rhel7stig_efi_boot_path }}centos" rhel7stig_not_boot_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_legacy_boot: false - rhel7stig_boot_part: /boot/efi when: - rhel7_efi_boot.stat.exists - ansible_distribution == 'CentOS' @@ -451,7 +449,6 @@ rhel7stig_bootloader_path: "{{ rhel7stig_legacy_boot_path }}" rhel7stig_not_boot_path: "{{ rhel7stig_efi_boot_path }}" rhel7stig_legacy_boot: true - rhel7stig_boot_part: /boot when: not rhel7_efi_boot.stat.exists - name: PRELIM | output bootloader and efi state From ad3b174385559e249b5d644bb058c50bc660dc5f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 15 Nov 2023 17:23:22 +0000 Subject: [PATCH 25/31] changed logic on 20620 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 0355d7a5..efc68379 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1554,7 +1554,7 @@ label: "{{ rhel7stig_passwd_label }}" when: - rhel_07_020620 - - rhel7stig_interactive_uid_start | int <= item.uid + - item.uid >= rhel7stig_interactive_uid_start | int tags: - RHEL-07-020620 - CAT2 From 617e0084622f1fcdf8be449221d2a0c4ba8c98f4 Mon Sep 17 00:00:00 2001 
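Review bot: The new default `rhel7stig_boot_part: /boot` in defaults/main.yml carries no comment, and with the prelim `set_fact` lines removed in the same commit nothing on the host overrides it, so the value has become a user-supplied setting rather than a discovered one. Readers need to know what to put there; a comment such as `# Mount point that holds /boot (for example /boot or /boot/efi); set to '/' when /boot is not a separate partition, which skips the boot= change for RHEL-07-021350` keeps the default honest. The separate-partition test that consumes this value lives in tasks/fix-cat1.yml (see PATCH 26), outside this hunk.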
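Review bot: The rewritten condition `item.uid >= rhel7stig_interactive_uid_start | int` in the tasks/fix-cat2.yml hunk is logically identical to the removed `rhel7stig_interactive_uid_start | int <= item.uid` (the `int` filter binds tighter than the comparison in both forms), so despite its subject the commit changes no behaviour. If the motivating failure was a string `uid` coming out of the passwd parsing, the fix is to cast both sides: `- item.uid | int >= rhel7stig_interactive_uid_start | int`. The task this `when:` belongs to starts outside the hunk.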
From: Mark Bolwell Date: Mon, 20 Nov 2023 18:23:48 +0000 Subject: [PATCH 26/31] updated logic for uuid Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index a46c1f74..37dd1f24 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -441,6 +441,7 @@ - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." block: + - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." ansible.builtin.replace: path: /etc/default/grub @@ -456,6 +457,7 @@ insert: true when: - rhel7stig_boot_part not in ['/', ''] + - item.uuid is defined - not ansible_check_mode or rhel7_stig_grub_template is not changed notify: confirm grub2 user cfg @@ -474,9 +476,9 @@ - ansible_check_mode - rhel_07_021350_audit is failed failed_when: - - rhel_07_021350_audit is failed - - not ansible_check_mode or - rhel_07_021350_audit.rc > 1 + - rhel_07_021350_audit.rc not in [ 0, 1 ] + - not ansible_check_mode + when: - not ansible_check_mode or rhel7_stig_grub_template is not changed From 6e7329b786396c601791d3221e9a2ba4f76e5dac Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Nov 2023 14:06:20 +0000 Subject: [PATCH 27/31] removed extra line Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 37dd1f24..a8dab97d 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml 
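Review bot: The new `failed_when` in the third tasks/fix-cat1.yml hunk relaxes the audit rather than only adjusting check mode: the removed form failed on any failed result outside check mode (and on `rc > 1` inside it), while `rhel_07_021350_audit.rc not in [ 0, 1 ]` together with `- not ansible_check_mode` accepts `rc` 1 everywhere and can never fail in check mode. If the registered command is a grep for `boot=`, `rc` 1 means "no match", which is the very finding the audit exists to surface, so `- rhel_07_021350_audit.rc != 0` (or an explicit stdout test) looks like the intended condition; the command and the task header are outside the hunk, so this is inferred. The empty `+` line added between `failed_when` and `when:` is stray. The duplicated `- name:` the first hunk inserts under `block:` is removed again in PATCH 27.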
@@ -441,7 +441,6 @@ - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." block: - - name: "HIGH | RHEL-07-021350 | PATCH | If /boot or /boot/efi reside on separate partitions, the kernel parameter boot= must be added to the kernel command line." ansible.builtin.replace: path: /etc/default/grub From 207be13c6f3cb0d66a23ef95dde5e1b1b1d9ab34 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 11 Jan 2024 15:29:34 +0000 Subject: [PATCH 28/31] removed doc dir Signed-off-by: Mark Bolwell --- doc/README.md | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 doc/README.md diff --git a/doc/README.md b/doc/README.md deleted file mode 100644 index 923de017..00000000 --- a/doc/README.md +++ /dev/null @@ -1,7 +0,0 @@ -To generate the documentation on a RHEL/CentOS 7 system, take the following steps: -1. Install required packages: - * `yum install python3-pip python-sphinx` -2. Install the requirements: - * `sudo pip3 install -r requirements.txt` -3. Generate the documentation: - * `make singlehtml` From 3901021fabd66678a590e443d00edaebed177bd5 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 22 Jan 2024 17:33:41 +0000 Subject: [PATCH 29/31] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](https://github.com/gitleaks/gitleaks/compare/v8.18.0...v8.18.1) - [github.com/ansible-community/ansible-lint: v6.21.1 → v6.22.2](https://github.com/ansible-community/ansible-lint/compare/v6.21.1...v6.22.2) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0) --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f2f732af..43020660 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,13 +36,13 @@ repos: args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.0 + rev: v8.18.1 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.21.1 + rev: v6.22.2 hooks: - id: ansible-lint name: Ansible-lint @@ -61,6 +61,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.32.0 # or higher tag + rev: v1.33.0 # or higher tag hooks: - id: yamllint From 594ece92b5f0189ec4daf1313d54eada17765796 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 26 Jan 2024 10:15:35 +0000 Subject: [PATCH 30/31] Issue #446 tag update to always - thanks to @prestonSeaman2 Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 17fe42bb..a4cdb913 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -159,13 +159,7 @@ rhel_07_010491 or rhel_07_021350 tags: - - cat1 - - high - - RHEL-07-010481 - - RHEL-07-010482 - - RHEL-07-010483 - - RHEL-07-010491 - - RHEL-07-021350 + - always - name: "PRELIM | RHEL-07-010480 | RHEL-07-010490 | RHEL-07-021350 | RHEL-07-021700 | Check whether machine is UEFI-based" ansible.builtin.stat: From e401d83f636572fd2d8caebf976d32f6252ee390 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 26 Jan 2024 10:19:02 +0000 Subject: [PATCH 31/31] conditional updated 021000 & 021010 #448 thanks @erosen03 Signed-off-by: Mark Bolwell --- tasks/fix-cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index efc68379..1ea2f6de 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
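Review bot: Replacing the seven control tags with a bare `- always` in the tasks/prelim.yml hunk discards the record of which controls depend on this task, which is what a reader of `--list-tasks` output or someone choosing `--skip-tags` relies on. A task runs when any of its tags is selected, so keeping the control tags and adding `- always` beneath them gives the #446 fix without that loss, and the task still honours its `when:`, which the hunk shows ending in `rhel_07_010491 or rhel_07_021350`. `always` also means the task executes under every `--tags` selection, including runs aimed at unrelated controls, which is presumably the intent here. The task's name and module are outside the hunk.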
@@ -2042,7 +2042,7 @@ removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" # noqa: jinja[invalid] when: - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - - "'nosuid' not in home_mount.options" + - "'nosuid' not in removable_mount.options" - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media." ansible.posix.mount: @@ -2055,7 +2055,7 @@ removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" # noqa: jinja[invalid] when: - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - - "'nosuid' not in home_mount.options" + - "'nosuid' not in removable_mount2.options" when: - rhel_07_021010 - not (rhel7stig_system_is_chroot and rhel7stig_system_is_container)
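Review bot: Both corrected conditions, `'nosuid' not in removable_mount.options` and `'nosuid' not in removable_mount2.options`, are substring tests on the comma-joined `options` string from `ansible_mounts`; that is safe for `nosuid`, but the copy-paste slip this commit fixes shows how these lines get cloned, and a clone that looks for an option that is a substring of another (`suid` inside `nosuid`, `dev` inside `nodev`) would treat the option as already present and skip the remediation. Splitting first makes the membership test exact: `- "'nosuid' not in removable_mount.options.split(',')"`, and likewise for `removable_mount2`. Both `ansible.posix.mount` tasks start outside the hunks.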