Final v3.0.0 release to main (#334)

* Replace service with systemd module

Signed-off-by: Anže Luzar <[email protected]>

* Use FQCNs in tasks/section_5/cis_5.5.x.yml

Signed-off-by: Anže Luzar <[email protected]>

* Use FQCN for user module

Signed-off-by: Anže Luzar <[email protected]>

* Use FQCN for debug module

Signed-off-by: Anže Luzar <[email protected]>

* Use name instead of list in package

Signed-off-by: Anže Luzar <[email protected]>

* Add that parameter and remove when for the assert module

Signed-off-by: Anže Luzar <[email protected]>

* updated discord link

Signed-off-by: Mark Bolwell <[email protected]>

* updated required pkgs

Signed-off-by: Mark Bolwell <[email protected]>

* updated lint files

Signed-off-by: Mark Bolwell <[email protected]>

* discord update

Signed-off-by: Mark Bolwell <[email protected]>

* lint updates

Signed-off-by: Mark Bolwell <[email protected]>

* Aligned and updated

Signed-off-by: Mark Bolwell <[email protected]>

* removed quality badge since galaxy-ng

Signed-off-by: Mark Bolwell <[email protected]>

* updated since galaxy changes

Signed-off-by: Mark Bolwell <[email protected]>

* [pre-commit.ci] pre-commit autoupdate

updates:
- [github.com/pre-commit/pre-commit-hooks: v3.2.0 → v4.5.0](pre-commit/pre-commit-hooks@v3.2.0...v4.5.0)
- [github.com/gitleaks/gitleaks: v8.17.0 → v8.18.1](gitleaks/gitleaks@v8.17.0...v8.18.1)
- [github.com/ansible-community/ansible-lint: v6.17.2 → v6.22.1](ansible/ansible-lint@v6.17.2...v6.22.1)
- [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0)

* [pre-commit.ci] pre-commit autoupdate

updates:
- [github.com/ansible-community/ansible-lint: v6.22.1 → v6.22.2](ansible/ansible-lint@v6.22.1...v6.22.2)

* [pre-commit.ci] pre-commit autoupdate

updates:
- [github.com/gitleaks/gitleaks: v8.18.1 → v8.18.2](gitleaks/gitleaks@v8.18.1...v8.18.2)
- [github.com/ansible-community/ansible-lint: v6.22.2 → v24.2.0](ansible/ansible-lint@v6.22.2...v24.2.0)
- [github.com/adrienverge/yamllint.git: v1.33.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.33.0...v1.35.1)

* updated for galaxy_ng

Signed-off-by: Mark Bolwell <[email protected]>

* Add audit_only and tidy up

Signed-off-by: Mark Bolwell <[email protected]>

* Lint updates

Signed-off-by: Mark Bolwell <[email protected]>

---------

Signed-off-by: Anže Luzar <[email protected]>
Signed-off-by: Mark Bolwell <[email protected]>
Co-authored-by: Anže Luzar <[email protected]>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

.ansible-lint

@@ -6,12 +6,10 @@ skip_list:
     - 'schema'
     - 'no-changed-when'
     - 'var-spacing'
-    - 'fqcn-builtins'
     - 'experimental'
     - 'name[play]'
     - 'name[casing]'
     - 'name[template]'
-    - 'fqcn[action]'
     - 'key-order[task]'
     - '204'
     - '305'

.config/.secrets.baseline

@@ -75,10 +75,6 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
-    {
-      "path": "detect_secrets.filters.common.is_baseline_file",
-      "filename": ".config/.secrets.baseline"
-    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -113,70 +109,11 @@
     {
       "path": "detect_secrets.filters.regex.should_exclude_file",
       "pattern": [
-        ".config/.gitleaks-report.json"
+        ".config/.gitleaks-report.json",
+        "tasks/parse_etc_password.yml"
       ]
     }
   ],
-  "results": {
-    "defaults/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "defaults/main.yml",
-        "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
-        "is_verified": false,
-        "line_number": 382,
-        "is_secret": false
-      }
-    ],
-    "tasks/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/main.yml",
-        "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
-        "is_verified": false,
-        "line_number": 22,
-        "is_secret": false
-      }
-    ],
-    "tasks/parse_etc_password.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/parse_etc_password.yml",
-        "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
-        "is_verified": false,
-        "line_number": 18
-      }
-    ],
-    "vars/CentOS.yml": [
-      {
-        "type": "Hex High Entropy String",
-        "filename": "vars/CentOS.yml",
-        "hashed_secret": "2baa4bd2c505f21a0e48d6c17a174a0c8b6f3c3b",
-        "is_verified": false,
-        "line_number": 6,
-        "is_secret": false
-      }
-    ],
-    "vars/OracleLinux.yml": [
-      {
-        "type": "Hex High Entropy String",
-        "filename": "vars/OracleLinux.yml",
-        "hashed_secret": "260c8f0806148cd568435cd3d7647f43150efdbb",
-        "is_verified": false,
-        "line_number": 9,
-        "is_secret": false
-      }
-    ],
-    "vars/is_container.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "vars/is_container.yml",
-        "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
-        "is_verified": false,
-        "line_number": 377,
-        "is_secret": false
-      }
-    ]
-  },
-  "generated_at": "2023-09-13T08:05:26Z"
+  "results": {},
+  "generated_at": "2023-10-09T15:14:50Z"
 }

.github/workflows/devel_pipeline_validation.yml

@@ -27,7 +27,7 @@
                   repo-token: ${{ secrets.GITHUB_TOKEN }}
                   pr-message: |-
                       Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                      Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+                      Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
         # This workflow contains a single job which tests the playbook
         playbook-test:

.pre-commit-config.yaml

@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.2.0
+  rev: v4.5.0
   hooks:
   # Safety
   - id: detect-aws-credentials
@@ -37,13 +37,13 @@ repos:
     exclude: .config/.gitleaks-report.json
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.17.0
+  rev: v8.18.2
   hooks:
   - id: gitleaks
     args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v6.17.2
+  rev: v24.2.0
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -62,6 +62,6 @@ repos:
     - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.32.0  # or higher tag
+  rev: v1.35.1  # or higher tag
   hooks:
   - id: yamllint

.yamllint

@@ -30,4 +30,4 @@ rules:
     trailing-spaces: enable
     truthy:
         allowed-values: ['true', 'false']
-        check-keys: false
+        check-keys: true

README.md

@@ -11,7 +11,6 @@
 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
 
-![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56324?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
@@ -39,7 +38,7 @@
 
 ### Community
 
-On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
+On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
 
 ---
 
@@ -169,6 +168,10 @@ uses:
 pre-commit run
 ```
 
-## Credits
+## Credits and Thanks
 
-This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig)
+Massive thanks to the fantastic community and all its members.
+
+This includes a huge thanks and credit to the original authors and maintainers.
+
+Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell

ansible.cfg

@@ -22,4 +22,4 @@ transfer_method=scp
 
 [colors]
 
-[diff]
+[diff]

collections/requirements.yml

@@ -2,7 +2,13 @@
 
 collections:
     - name: community.general
+      source: https://github.com/ansible-collections/community.general
+      type: git
 
     - name: community.crypto
+      source: https://github.com/ansible-collections/community.crypto
+      type: git
 
     - name: ansible.posix
+      source: https://github.com/ansible-collections/ansible.posix
+      type: git

defaults/main.yml

@@ -26,25 +26,46 @@ python2_bin: /bin/python2.7
 benchmark: RHEL7-CIS
 benchmark_version: v3.1.1
 
-#### Basic external goss audit enablement settings ####
-#### Precise details - per setting can be found at the bottom of this file ####
+##########################################
+### Goss is required on the remote host ###
+## Refer to vars/auditd.yml for any other settings ##
 
-### Goss is required on the remote host
+# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
 setup_audit: false
-# How to retrive goss
+
+# enable audits to run - this runs the audit and get the latest content
+run_audit: false
+
+# Only run Audit do not remediate
+audit_only: false
+# As part of audit_only
+# This will enable files to be copied back to control node
+fetch_audit_files: false
+# Path to copy the files to will create dir structure
+audit_capture_files_dir: /some/location to copy to on control node
+
+# How to retrieve audit binary
 # Options are copy or download - detailed settings at the bottom of this file
 # you will need to access to either github or the file already dowmloaded
-get_goss_file: download
+get_audit_binary_method: download
+
+## if get_audit_binary_method - copy the following needs to be updated for your environment
+## it is expected that it will be copied from somewhere accessible to the control node
+## e.g copy from ansible control node to remote host
+audit_bin_copy_location: /some/accessible/path
 
 # how to get audit files onto host options
-# options are git/copy/get_url
+# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
 audit_content: git
 
-# Timeout for those cmds that take longer to run where timeout set
-audit_cmd_timeout: 30000
+# archive or copy:
+audit_conf_copy: "some path to copy from"
 
-# enable audits to run - this  runs the audit and get the latest content
-run_audit: false
+# get_url:
+audit_files_url: "some url maybe s3?"
+
+# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
+audit_run_heavy_tests: true
 
 ### End Goss enablements ####
 #### Detailed settings found at the end of this document ####
@@ -379,7 +400,7 @@ rhel7cis_rhnsd_required: false
 
 # 1.4.2 Bootloader password
 rhel7cis_set_boot_pass: false
-rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispart'
+rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispart'  # pragma: allowlist secret
 
 # System network parameters (host only OR host and router)
 rhel7cis_is_router: false
@@ -565,55 +586,3 @@ rhel7cis_dotperm_ansiblemanaged: true
 
 # RHEL-07-6.2.18 Clear users from shadow group
 rhel7cis_remove_shadow_grp_usrs: true
-
-#### Goss Configuration Settings ####
-audit_run_script_environment:
-    AUDIT_BIN: "{{ audit_bin }}"
-    AUDIT_FILE: 'goss.yml'
-    AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
-
-### Goss binary settings ###
-goss_version:
-    release: v0.3.23
-    checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d'
-audit_bin_path: /usr/local/bin/
-audit_bin: "{{ audit_bin_path }}goss"
-audit_format: json
-
-# if get_goss_file == download change accordingly
-goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64"
-
-## if get_goss_file - copy the following needs to be updated for your environment
-## it is expected that it will be copied from somewhere accessible to the control node
-## e.g copy from ansible control node to remote host
-copy_goss_from_path: /some/accessible/path
-
-### Goss Audit Benchmark file ###
-## managed by the control audit_content
-# git
-audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
-audit_git_version: "benchmark_{{ benchmark_version }}"
-
-# copy:
-audit_local_copy: "some path to copy from"
-
-# get_url:
-audit_files_url: "some url maybe s3?"
-
-# Where the goss audit configuration will be stored
-audit_files: "/opt/{{ benchmark }}-Audit/"
-
-## Goss configuration information
-# Where the goss configs and outputs are stored
-audit_out_dir: '/opt'
-audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"
-pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
-post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
-
-## The following should not need changing
-goss_file: "{{ audit_conf_dir }}goss.yml"
-audit_vars_path: "{{ audit_conf_dir  }}/vars/{{ ansible_hostname }}.yml"
-audit_results: |
-      The pre remediation results are: {{ pre_audit_summary }}.
-      The post remediation results are: {{ post_audit_summary }}.
-      Full breakdown can be found in {{ audit_out_dir }}

meta/main.yml

@@ -1,7 +1,7 @@
 ---
 
 galaxy_info:
-    author: "Sam Doran, Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, Mark Bolwell, George Nalen"
+    author: "MindPoint group"
     description: "Apply the CIS RHEL7 role"
     company: "MindPoint Group"
     license: MIT

tasks/LE_audit_setup.yml

@@ -1,22 +1,34 @@
 ---
 
-- name: Download goss binary
+- name: Pre Audit Setup | Set audit package name
+  block:
+      - name: Pre Audit Setup | Set audit package name | 64bit
+        ansible.builtin.set_fact:
+            audit_pkg_arch_name: AMD64
+        when: ansible_facts.machine == "x86_64"
+
+      - name: Pre Audit Setup | Set audit package name | ARM64
+        ansible.builtin.set_fact:
+            audit_pkg_arch_name: ARM64
+        when: ansible_facts.machine == "arm64"
+
+- name: Pre Audit Setup | Download audit binary
   ansible.builtin.get_url:
-      url: "{{ goss_url }}"
+      url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}"
       dest: "{{ audit_bin }}"
       owner: root
       group: root
-      checksum: "{{ goss_version.checksum }}"
-      mode: 0555
+      checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
+      mode: '0555'
   when:
-      - get_goss_file == 'download'
+      - get_audit_binary_method == 'download'
 
-- name: Copy goss binary
+- name: Pre Audit Setup | Copy audit binary
   ansible.builtin.copy:
-      src: "{{ copy_goss_from_path }}"
+      src: "{{ audit_bin_copy_location }}"
       dest: "{{ audit_bin }}"
-      mode: 0555
+      mode: '0555'
       owner: root
       group: root
   when:
-      - get_goss_file == 'copy'
+      - get_audit_binary_method == 'copy'