From d81e0511bd5a835f71e553b1b9e3e4a7f03ae109 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 09:48:01 +0100 Subject: [PATCH 01/12] updated Signed-off-by: Mark Bolwell --- .ansible-lint | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.ansible-lint b/.ansible-lint index b717f678..057c65e0 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -6,10 +6,12 @@ skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' + - 'fqcn-builtins' - 'experimental' - 'name[play]' - 'name[casing]' - 'name[template]' + - 'fqcn[action]' - 'key-order[task]' - '204' - '305' From 9375097e60c14fd2f99afc3fac8c693938d57f05 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 09:48:13 +0100 Subject: [PATCH 02/12] updated date Signed-off-by: Mark Bolwell --- LICENSE | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/LICENSE b/LICENSE index 19045696..c0d26910 100644 --- a/LICENSE +++ b/LICENSE @@ -1,7 +1,6 @@ - The MIT License -Copyright (c) 2022 MindPoint Group http://www.mindpointgroup.com +Copyright (c) 2023 MindPoint Group http://www.mindpointgroup.com Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal From 2fee28d24f67fddaae782a3aa7cd408f92114ca7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 09:48:28 +0100 Subject: [PATCH 03/12] precommit and modules Signed-off-by: Mark Bolwell --- .config/.gitleaks-report.json | 1 + .config/.secrets.baseline | 190 ++++++++++++++++++++++++++++++++++ .pre-commit-config.yaml | 67 ++++++++++++ 3 files changed, 258 insertions(+) create mode 100644 .config/.gitleaks-report.json create mode 100644 .config/.secrets.baseline create mode 100644 .pre-commit-config.yaml diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json new file mode 100644 index 00000000..fe51488c --- /dev/null +++ b/.config/.gitleaks-report.json @@ -0,0 +1 @@ +[] 
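Review bot: `fqcn-builtins` and `fqcn[action]` are added to `skip_list`, which silences the FQCN checks repo-wide instead of only for the tasks that still use short module names; since the rest of this series already writes `ansible.builtin.shell` and `ansible.posix.mount`, a `warn_list` entry or a per-line `# noqa: fqcn[action]` would keep the signal while unblocking lint. If the ansible-lint pinned later in this series (v6.17.2 in `.pre-commit-config.yaml`) no longer recognises the pre-6.x id `fqcn-builtins`, that entry is inert and its successor is `fqcn[action-core]`; worth confirming against the installed rule list with `ansible-lint -L`.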
diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline new file mode 100644 index 00000000..41368ff4 --- /dev/null +++ b/.config/.secrets.baseline 
@@ -0,0 +1,190 @@ +{ + "version": "1.4.0", + "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, + { + "name": "AWSKeyDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "name": "Base64HighEntropyString", + "limit": 4.5 + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "name": "KeywordDetector", + "keyword_exclude": "" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "SendGridDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_baseline_file", + "filename": ".config/.secrets.baseline" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": "detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": 
"detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + ".config/.gitleaks-report.json" + ] + } + ], + "results": { + "defaults/main.yml": [ + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "is_verified": false, + "line_number": 600, + "is_secret": false + } + ], + "tasks/fix-cat2.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/fix-cat2.yml", + "hashed_secret": "8458c0f07cce6d8c92d030b23562f791e57e30d6", + "is_verified": false, + "line_number": 4277, + "is_secret": false + } + ], + "tasks/main.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "8eab8633ccf31cc656649638e6d6b45bd7235ffe", + "is_verified": false, + "line_number": 66, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "is_verified": false, + "line_number": 101, + "is_secret": false + } + ], + "tasks/parse_etc_passwd.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/parse_etc_passwd.yml", + "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "is_verified": false, + "line_number": 18 + } + ], + "tasks/prelim.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/prelim.yml", + "hashed_secret": "43c1e0cadc7daa65d95fbf97f335a9896c8e58c6", + "is_verified": false, + "line_number": 124, + "is_secret": false + } + ], + "templates/pam_pkcs11.conf.j2": [ + { + "type": "Secret Keyword", + "filename": "templates/pam_pkcs11.conf.j2", + "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "is_verified": false, + "line_number": 173, + "is_secret": false + } + ] + }, + "generated_at": "2023-09-15T08:39:31Z" +} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000..97c79434 --- /dev/null +++ b/.pre-commit-config.yaml 
@@ -0,0 +1,67 @@ +--- +##### CI for use by github no need for action to be added +##### Inherited +ci: + autofix_prs: false + skip: [detect-aws-credentials, ansible-lint ] + +repos: +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v3.2.0 + hooks: + # Safety + - id: detect-aws-credentials + - id: detect-private-key + + # git checks + - id: check-merge-conflict + - id: check-added-large-files + - id: check-case-conflict + + # General checks + - id: trailing-whitespace + name: Trim Trailing Whitespace + description: This hook trims trailing whitespace. + entry: trailing-whitespace-fixer + language: python + types: [text] + args: [--markdown-linebreak-ext=md] + - id: end-of-file-fixer + +# Scan for passwords +- repo: https://github.com/Yelp/detect-secrets + rev: v1.4.0 + hooks: + - id: detect-secrets + args: [ '--baseline', '.config/.secrets.baseline' ] + exclude: .config/.gitleaks-report.json + +- repo: https://github.com/gitleaks/gitleaks + rev: v8.17.0 + hooks: + - id: gitleaks + args: ['--baseline-path', '.config/.gitleaks-report.json'] + +- repo: https://github.com/ansible-community/ansible-lint + rev: v6.17.2 + hooks: + - id: ansible-lint + name: Ansible-lint + description: This hook runs ansible-lint. + entry: python3 -m ansiblelint --force-color site.yml -c .ansible-lint + language: python + # do not pass files to ansible-lint, see: + # https://github.com/ansible/ansible-lint/issues/611 + pass_filenames: false + always_run: true + additional_dependencies: + # https://github.com/pre-commit/pre-commit/issues/1526 + # If you want to use specific version of ansible-core or ansible, feel + # free to override `additional_dependencies` in your own hook config + # file. + - ansible-core>=2.10.1 + +- repo: https://github.com/adrienverge/yamllint.git + rev: v1.32.0 # or higher tag + hooks: + - id: yamllint From 5982c1f93a6bfe04e7eb526cb655dd8d613acc9a Mon Sep 17 00:00:00 2001 
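Review bot: `detect-aws-credentials` is placed in `ci.skip`, which is normally needed because the hook exits non-zero when the runner has no `~/.aws/credentials` file; adding `args: [--allow-missing-credentials]` to that hook lets it run in pre-commit.ci and on developer machines without an AWS profile, so the skip can be dropped and the check actually executes. `rev: v3.2.0` for `pre-commit/pre-commit-hooks` is several major versions behind the other hooks pinned here; since this config is new, bumping it now avoids carrying an old release. Every `repo` entry is pinned to a mutable tag; `pre-commit autoupdate --freeze` rewrites them to commit SHAs with the tag kept in a comment, which is the stronger supply-chain posture for hooks that run on every commit.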
From: Mark Bolwell Date: Fri, 15 Sep 2023 09:48:35 +0100 Subject: [PATCH 04/12] updated Signed-off-by: Mark Bolwell --- README.md | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 79083a39..7593de99 100644 --- a/README.md +++ b/README.md @@ -16,9 +16,9 @@ This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) ![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Devel%20Build%20Status) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/rhel8-stig/devel?color=dark%20green&label=Devel%20Branch%20commits) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/rhel8-stig/devel?color=dark%20green&label=Devel%20Branch%20Commits) -![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) +![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) ![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Build%20Status) ![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/rhel8-stig?label=Release%20Date) ![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/rhel8-stig?label=Release%20Tag&&color=success) @@ -39,7 +39,7 @@ This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26, ### Community -On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users +On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users --- 
@@ -112,14 +112,14 @@ This is based on a vagrant image with selections enabled. e.g. No Gui or firewal Note: More tests are run during audit as we check config and running state. ```sh -ok: [rocky8_efi] => +ok: [rocky8_efi] => msg: - 'The pre remediation results are: Count: 804, Failed: 416, Duration: 6.488s.' - 'The post remediation results are: Count: 804, Failed: 28, Duration: 68.687s.' - Full breakdown can be found in /opt PLAY RECAP **************************************************************************************************************** -rocky8_efi : ok=482 changed=269 unreachable=0 failed=0 skipped=207 rescued=0 ignored=0 +rocky8_efi : ok=482 changed=269 unreachable=0 failed=0 skipped=207 rescued=0 ignored=0 ``` ## Branches @@ -180,3 +180,12 @@ If you would are interested in dedicated support to assist or provide bespoke se ## Credits This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig) + +## Added Extras + +- makefile - this is there purely for testing and initial setup purposes. +- [pre-commit](https://pre-commit.com) can be tested and can be run from within the directory + +```sh +pre-commit run +``` From 02f50777a6bc364dd263ab16f91d51a01d8c9441 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 09:48:50 +0100 Subject: [PATCH 05/12] Linting Signed-off-by: Mark Bolwell --- tasks/post_remediation_audit.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 370d2f66..f0a7664e 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
@@ -4,9 +4,9 @@ ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" changed_when: true environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" - name: Post Audit | ensure audit files readable by users ansible.builtin.file: From 3df7de8f1883e6630f6ad102e6f93e8532507bd2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 09:49:20 +0100 Subject: [PATCH 06/12] updated Signed-off-by: Mark Bolwell --- .github/workflows/update_galaxy.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 21a888ef..951a53cb 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -7,14 +7,15 @@ name: update galaxy # Controls when the action will run. # Triggers the workflow on merge request events to the main branch on: - push: - branches: - - main + push: + branches: + - main jobs: update_role: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: hspaans/ansible-galaxy-action@master - with: - api_key: ${{ secrets.GALAXY_API_KEY }} + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: robertdebock/galaxy-action@master + with: + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} + git_branch: main From 92867670ffd0d9ddbc5c3c99ee85aea04926f45f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 09:49:36 +0100 Subject: [PATCH 07/12] removed file not required 
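Review bot: `robertdebock/galaxy-action@master` is a third-party action pinned to a moving branch and is handed `secrets.GALAXY_API_KEY`, so any change to that branch runs with the publishing token on the next push to `main`; pin it to a full commit SHA with the tag in a trailing comment (e.g. `uses: robertdebock/galaxy-action@<commit-sha>  # vX.Y.Z`, SHA to be looked up) and let Dependabot propose bumps. `actions/checkout@v3` is a major tag from a first-party action, which is a lower but not zero risk and can be pinned the same way. The previous action was also on `@master`, so this is a pre-existing weakness the swap is a good moment to close.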
Signed-off-by: Mark Bolwell --- .github/ISSUE_TEMPLATE/bug_report.md | 32 ----- .../feature-request-or-enhancement.md | 21 ---- .github/ISSUE_TEMPLATE/question.md | 17 --- .github/pull_request_template.md | 11 -- .github/workflows/linux_benchmark_testing.yml | 111 ------------------ .github/workflows/test.sh | 4 - 6 files changed, 196 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.md delete mode 100644 .github/ISSUE_TEMPLATE/feature-request-or-enhancement.md delete mode 100644 .github/ISSUE_TEMPLATE/question.md delete mode 100644 .github/pull_request_template.md delete mode 100644 .github/workflows/linux_benchmark_testing.yml delete mode 100644 .github/workflows/test.sh diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index 3a19c72b..00000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -name: Report Issue -about: Create a bug issue ticket to help us improve -title: '' -labels: bug -assignees: '' - ---- - -**Describe the Issue** -A clear and concise description of what the bug is. - -**Expected Behavior** -A clear and concise description of what you expected to happen. - -**Actual Behavior** -A clear and concise description of what's happening. - -**Control(s) Affected** -What controls are being affected by the issue - -**Environment (please complete the following information):** - - Ansible Version: [e.g. 2.10] - - Host Python Version: [e.g. Python 3.7.6] - - Ansible Server Python Version: [e.g. Python 3.7.6] - - Additional Details: - -**Additional Notes** -Anything additional goes here - -**Possible Solution** -Enter a suggested fix here diff --git a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md deleted file mode 100644 index bf457005..00000000 --- a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -name: Feature Request or Enhancement -about: Suggest an idea for this project -title: '' -labels: enhancement -assignees: '' - ---- - -**Feature Request or Enhancement** - - Feature [] - - Enhancement [] - -**Summary of Request** -A clear and concise description of what you want to happen. - -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Suggested Code** -Please provide any code you have in mind to fulfill the request diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md deleted file mode 100644 index cbab6e73..00000000 --- a/.github/ISSUE_TEMPLATE/question.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -name: Question -about: Ask away....... -title: '' -labels: question -assignees: '' - ---- - -**Question** -Pose question here. - -**Environment (please complete the following information):** - - Ansible Version: [e.g. 2.10] - - Host Python Version: [e.g. Python 3.7.6] - - Ansible Server Python Version: [e.g. Python 3.7.6] - - Additional Details: diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md deleted file mode 100644 index 1bf89d37..00000000 --- a/.github/pull_request_template.md +++ /dev/null @@ -1,11 +0,0 @@ -**Overall Review of Changes:** -A general description of the changes made that are being requested for merge - -**Issue Fixes:** -Please list (using linking) any open issues this PR addresses - -**Enhancements:** -Please list any enhancements/features that are not open issue tickets - -**How has this been tested?:** -Please give an overview of how these changes were tested. If they were not please use N/A diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml deleted file mode 100644 index 6ceb2cbb..00000000 --- a/.github/workflows/linux_benchmark_testing.yml +++ /dev/null 
@@ -1,111 +0,0 @@ -# This is a basic workflow to help you get started with Actions ---- -name: linux_benchmark_pipeline - -# Controls when the action will run. -# Triggers the workflow on push or pull request -# events but only for the devel branch -on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - -# A workflow run is made up of one or more jobs -# that can run sequentially or in parallel -jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. 
- # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - env: - ENABLE_DEBUG: false - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, - # so your job can access it - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - -### Build out the server - - name: Terraform_Init - working-directory: .github/workflows - run: terraform init - - - name: Terraform_Validate - working-directory: .github/workflows - run: terraform validate - - - name: Terraform_Apply - working-directory: .github/workflows - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep 60s - shell: bash - - # Run the ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - working-directory: .github/workflows - if: 
always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false diff --git a/.github/workflows/test.sh b/.github/workflows/test.sh deleted file mode 100644 index 4b939870..00000000 --- a/.github/workflows/test.sh +++ /dev/null @@ -1,4 +0,0 @@ -RHEL7=$(grep -c RHEL7 OS.tfvars) -if [ `echo $?` != 0 ]; then - exit 0 -fi From d5f8f442ddf7e9e4afa95a254f1ce6e282cde0c0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 09:50:44 +0100 Subject: [PATCH 08/12] New pipeline files Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 138 ++++++++++++++++++ .../workflows/main_pipeline_validation.yml | 127 ++++++++++++++++ 2 files changed, 265 insertions(+) create mode 100644 .github/workflows/devel_pipeline_validation.yml create mode 100644 .github/workflows/main_pipeline_validation.yml diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml new file mode 100644 index 00000000..a4e7d48a --- /dev/null +++ b/.github/workflows/devel_pipeline_validation.yml 
@@ -0,0 +1,138 @@ +--- + + name: Devel pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: ubuntu-latest + + steps: + - uses: actions/first-interaction@main + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + + # This workflow contains a single job which tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: ubuntu-latest + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + + steps: + - name: Clone ${{ github.event.repository.name }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Pull in terraform code for linux servers + - name: Clone github IaC plan + uses: actions/checkout@v3 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + + - name: Add_ssh_key + working-directory: .github/workflows + env: + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + run: | + mkdir .ssh + chmod 700 .ssh + echo $PRIVATE_KEY > .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd 
+ ls + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Init + id: init + run: terraform init + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Validate + id: validate + run: terraform validate + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Apply + id: apply + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + + ## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep for 60 seconds + run: sleep 60s + + # Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/github_linux_IaC/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} + # verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Remove test system - User secrets to keep if necessary + + - name: Terraform_Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform destroy -var-file 
"github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml new file mode 100644 index 00000000..0b149fb3 --- /dev/null +++ b/.github/workflows/main_pipeline_validation.yml 
@@ -0,0 +1,127 @@ +--- + + name: Main pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + + # This workflow contains a single job which tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: ubuntu-latest + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + + steps: + - name: Clone ${{ github.event.repository.name }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Pull in terraform code for linux servers + - name: Clone github IaC plan + uses: actions/checkout@v3 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + + - name: Add_ssh_key + working-directory: .github/workflows + env: + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + run: | + mkdir .ssh + chmod 700 .ssh + echo $PRIVATE_KEY > .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd + ls + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Init + id: init + run: terraform init + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Validate + id: validate + run: terraform validate + env: + # 
Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Apply + id: apply + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + + ## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep for 60 seconds + run: sleep 60s + + # Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/github_linux_IaC/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} + # verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Remove test system - User secrets to keep if necessary + + - name: Terraform_Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false From 778cc71078d0ca05d98796728581476dbd603571 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 10:03:15 +0100 Subject: [PATCH 09/12] lint updates Signed-off-by: Mark Bolwell --- tasks/fix-cat1.yml | 4 ++-- tasks/fix-cat2.yml | 40 ++++++++++++++++++++-------------------- 2 files changed, 22 insertions(+), 22 deletions(-) 
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 03408954..a215e10c 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -91,7 +91,7 @@ regexp: "{{ rhel8stig_regexp_quoted_params }}" replace: "{{ rhel8stig_replace_quoted_params }}" with_items: - - "{{ ansible_mounts | json_query(query) }}" + - "{{ ansible_mounts | json_query(query) }}" # noqa: jinja[invalid] vars: query: "[?mount=='{{ rhel8stig_boot_part.stdout }}'] | [0]" key: GRUB_CMDLINE_LINUX @@ -112,7 +112,7 @@ - fips=1 - boot=UUID={{ ansible_mounts | json_query(query) }} vars: - query: "[?mount=='{{ rhel8stig_boot_part.stdout }}'].uuid | [0]" + query: "[?mount=='{{ rhel8stig_boot_part.stdout }}'].uuid | [0]" # noqa: jinja[invalid] register: rhel_08_010020_audit when: - not ansible_check_mode or diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 6b5ccdbe..3e0543a0 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml @@ -1805,7 +1805,7 @@ - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 - "'nosuid' not in home_mount.options" vars: - home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" + home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" # noqa: jinja[invalid] tags: - RHEL-08-010570 - CAT2 @@ -1828,7 +1828,7 @@ - ansible_mounts | selectattr('mount', 'match', '^/boot$') | list | length != 0 - "'nosuid' not in boot_mount.options" vars: - boot_mount: "{{ ansible_mounts | json_query('[?mount == `/boot`] | [0]') }}" + boot_mount: "{{ ansible_mounts | json_query('[?mount == `/boot`] | [0]') }}" # noqa: jinja[invalid] tags: - RHEL-08-010571 - CAT2 
@@ -1851,7 +1851,7 @@ - ansible_mounts | selectattr('mount', 'match', '^/boot/efi$') | list | length != 0 - "'nosuid' not in boot_efi_mount.options" vars: - boot_efi_mount: "{{ ansible_mounts | json_query('[?mount == `/boot/efi`] | [0]') }}" + boot_efi_mount: "{{ ansible_mounts | json_query('[?mount == `/boot/efi`] | [0]') }}" # noqa: jinja[invalid] tags: - RHEL-08-010572 - CAT2 @@ -1927,7 +1927,7 @@ - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 - "'noexec' not in home_mount.options" vars: - home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" + home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" # noqa: jinja[invalid] tags: - RHEL-08-010590 - CAT2 @@ -1955,7 +1955,7 @@ - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - "'nodev' not in home_mount.options" vars: - removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" + removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" # noqa: jinja[invalid] - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /mnt" ansible.posix.mount: @@ -1969,7 +1969,7 @@ - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - "'nodev' not in home_mount.options" vars: - removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" + removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" # noqa: jinja[invalid] when: - rhel_08_010600 - not rhel8stig_system_is_chroot 
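Review bot: In the `@@ -1955` and `@@ -1969` hunks the `when` clause tests `'nodev' not in home_mount.options`, but the task's `vars` block defines only `removable_mount` / `removable_mount2`, so unless `home_mount` is defined at a wider scope outside the hunk the condition references an undefined variable (or a `/home` entry rather than the `/media` and `/mnt` mounts the task is about); the lines should read `- "'nodev' not in removable_mount.options"` and `- "'nodev' not in removable_mount2.options"` respectively. The same mismatch is in the `@@ -1997`, `@@ -2011`, `@@ -2039` and `@@ -2053` hunks for `noexec` and `nosuid`. The enclosing tasks start outside the hunks, so the `ansible.posix.mount` arguments they guard are not visible here.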
@@ -1997,7 +1997,7 @@
 - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
 - "'noexec' not in home_mount.options"
 vars:
- removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
+ removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" # noqa: jinja[invalid]

 - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /mnt"
 ansible.posix.mount:
@@ -2011,7 +2011,7 @@
 - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
 - "'noexec' not in home_mount.options"
 vars:
- removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
+ removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" # noqa: jinja[invalid]
 when:
 - rhel_08_010610
 - not rhel8stig_system_is_chroot
@@ -2039,7 +2039,7 @@
 - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
 - "'nosuid' not in home_mount.options"
 vars:
- removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"
+ removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" # noqa: jinja[invalid]

 - name: "MEDIUM | RHEL-08-010620 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /mnt"
 ansible.posix.mount:
@@ -2053,7 +2053,7 @@
 - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
 - "'nosuid' not in home_mount.options"
 vars:
- removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"
+ removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" # noqa: jinja[invalid]
 when:
 - rhel_08_010620
 - not rhel8stig_system_is_chroot
@@ -2075,9 +2075,9 @@
 opts: "{{ ansible_mounts | json_query(options_query) }},noexec"
 state: mounted
 vars:
- device_query: '[?mount == `{{ item }}`] | [0].device'
- fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
- options_query: '[?mount == `{{ item }}`] | [0].options'
+ device_query: '[?mount == `{{ item }}`] | [0].device' # noqa: jinja[invalid]
+ fstype_query: '[?mount == `{{ item }}`] | [0].fstype' # noqa: jinja[invalid]
+ options_query: '[?mount == `{{ item }}`] | [0].options' # noqa: jinja[invalid]
 with_items: "{{ rhel8stig_nfs_mounts }}"
 when:
 - rhel_08_010630
@@ -2100,9 +2100,9 @@
 opts: "{{ ansible_mounts | json_query(options_query) }},nodev"
 state: mounted
 vars:
- device_query: '[?mount == `{{ item }}`] | [0].device'
- fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
- options_query: '[?mount == `{{ item }}`] | [0].options'
+ device_query: '[?mount == `{{ item }}`] | [0].device' # noqa: jinja[invalid]
+ fstype_query: '[?mount == `{{ item }}`] | [0].fstype' # noqa: jinja[invalid]
+ options_query: '[?mount == `{{ item }}`] | [0].options' # noqa: jinja[invalid]
 with_items: "{{ rhel8stig_nfs_mounts }}"
 when:
 - rhel_08_010640
@@ -6214,7 +6214,7 @@
 fstype: "{{ tmp_mount.fstype }}"
 opts: "defaults{{ rhel_08_040123 | ternary (',nodev', '') }}{{ rhel_08_040124 | ternary (',nosuid', '') }}{{ rhel_08_040125 | ternary (',noexec', '') }}"
 vars:
- tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/tmp`] | [0]') }}"
+ tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/tmp`] | [0]') }}" # noqa: jinja[invalid]
 when: rhel8stig_040123_dev_status.stdout | length > 0
 when:
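Review bot: `opts: "{{ ansible_mounts | json_query(options_query) }},noexec"` in the @@ -2075 hunk appends the option to whatever the live mount currently reports without checking whether it is already there, so from what is visible a host that already carries `noexec` gets a duplicated option written to fstab and the task appears to report changed on every run; the @@ -2100 (`nodev`) hunk and the @@ -2125 (`nosuid`) hunk in the later "lint" commit build `opts` the same way. The `{{ item }}` taken from `rhel8stig_nfs_mounts` is also placed inside a JMESPath backtick literal in `device_query`/`fstype_query`/`options_query`, so a mount path containing a backtick would break all three queries rather than be rejected. A minimal guard is one more entry in the task's `when:` list, `- "'noexec' not in (ansible_mounts | json_query(options_query) | default(''))"`, with the option name changed per task; the `when:` list and the rest of the task continue outside the hunk.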
@@ -6261,7 +6261,7 @@
 fstype: "{{ var_log_mount.fstype }}"
 opts: "defaults{{ rhel_08_040126 | ternary (',nodev', '') }}{{ rhel_08_040127 | ternary (',nosuid', '') }}{{ rhel_08_040128 | ternary (',noexec', '') }}"
 vars:
- var_log_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log`] | [0]') }}"
+ var_log_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log`] | [0]') }}" # noqa: jinja[invalid]
 when: rhel8stig_040126_var_log_status.stdout | length > 0
 when:
 - rhel_08_040126 or
@@ -6307,7 +6307,7 @@
 fstype: "{{ audit_mount.fstype }}"
 opts: "defaults{{ rhel_08_040129 | ternary (',nodev', '') }}{{ rhel_08_040130 | ternary (',nosuid', '') }}{{ rhel_08_040131 | ternary (',noexec', '') }}"
 vars:
- audit_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log/audit`] | [0]') }}"
+ audit_mount: "{{ ansible_mounts | json_query('[?mount == `/var/log/audit`] | [0]') }}" # noqa: jinja[invalid]
 when: rhel8stig_040129_var_log_audit_status.stdout | length > 0
 when:
 - rhel_08_040129 or
@@ -6353,7 +6353,7 @@
 fstype: "{{ var_tmp_mount.fstype }}"
 opts: "defaults{{ rhel_08_040132 | ternary (',nodev', '') }}{{ rhel_08_040133 | ternary (',nosuid', '') }}{{ rhel_08_040134 | ternary (',noexec', '') }}"
 vars:
- var_tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/var/tmp`] | [0]') }}"
+ var_tmp_mount: "{{ ansible_mounts | json_query('[?mount == `/var/tmp`] | [0]') }}" # noqa: jinja[invalid]
 when: rhel8stig_040132_var_tmp_status.stdout | length > 0
 when:
 - rhel_08_040132 or
From bfd3ab31e89259796435b19c7be554f3001bf8d2 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 15 Sep 2023 10:03:23 +0100
Subject: [PATCH 10/12] lint update
Signed-off-by: Mark Bolwell
---
 tasks/fix-cat2.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 3e0543a0..ac57b66e 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -4348,7 +4348,6 @@
 - "{{ rhel8stig_020352_file | json_query('results[*].files[*].path') | flatten }}"
 when:
 - (rhel8stig_020352_file | json_query('results[*].files[*].path') | flatten ) is defined
- when:
 - rhel_08_020352
 tags:
From 1175cfbed752a1ba5a3e97f8c052cba99e6fe58e Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 15 Sep 2023 10:07:38 +0100
Subject: [PATCH 11/12] lint
Signed-off-by: Mark Bolwell
---
 tasks/fix-cat2.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index ac57b66e..88f0ba57 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -2125,9 +2125,9 @@
 opts: "{{ ansible_mounts | json_query(options_query) }},nosuid"
 state: mounted
 vars:
- device_query: '[?mount == `{{ item }}`] | [0].device'
- fstype_query: '[?mount == `{{ item }}`] | [0].fstype'
- options_query: '[?mount == `{{ item }}`] | [0].options'
+ device_query: '[?mount == `{{ item }}`] | [0].device' # noqa: jinja[invalid]
+ fstype_query: '[?mount == `{{ item }}`] | [0].fstype' # noqa: jinja[invalid]
+ options_query: '[?mount == `{{ item }}`] | [0].options' # noqa: jinja[invalid]
 with_items: "{{ rhel8stig_nfs_mounts }}"
 when:
 - rhel_08_010650
@@ -4345,7 +4345,7 @@
 regexp: "umask\\s+(?!{{ rhel8stig_login_defaults.umask | default('077') }})"
 state: absent
 with_items:
- - "{{ rhel8stig_020352_file | json_query('results[*].files[*].path') | flatten }}"
+ - "{{ rhel8stig_020352_file | json_query('results[*].files[*].path') | flatten }}" # noqa: jinja[invalid]
 when:
 - (rhel8stig_020352_file | json_query('results[*].files[*].path') | flatten ) is defined
 when:
From 469ab30f6d4f6ee9bb7ec665511e22910f1f9cb4 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 18 Sep 2023 15:46:06 +0100
Subject: [PATCH 12/12] updated discord link
Signed-off-by: Mark Bolwell
---
 .github/workflows/devel_pipeline_validation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
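Review bot: In the @@ -4345 hunk of the "lint" commit, the guard `- (rhel8stig_020352_file | json_query('results[*].files[*].path') | flatten ) is defined` is effectively always true, because the result of a filter chain is always a defined value (an empty list when nothing matched) and an undefined `rhel8stig_020352_file` would raise inside `json_query` rather than make the test false; the new noqa line above it leaves this as is. If the intent is to skip the task when no files were found, `- rhel8stig_020352_file | json_query('results[*].files[*].path') | flatten | length > 0` expresses that. The context also shows two `when:` keys around this condition; if they sit at the same mapping level, only the last one is kept (Ansible warns on duplicate keys) and the guard is discarded regardless, so the surviving structure after the "lint update" deletion at @@ -4348 is worth confirming since the task continues outside both hunks.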
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
index a4e7d48a..dba39dc0 100644
--- a/.github/workflows/devel_pipeline_validation.yml
+++ b/.github/workflows/devel_pipeline_validation.yml
@@ -27,7 +27,7 @@
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 pr-message: |-
 Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
- Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+ Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.

 # This workflow contains a single job which tests the playbook
 playbook-test: