Issue 226 and alignment

.ansible-lint

@@ -6,12 +6,10 @@ skip_list:
     - 'schema'
     - 'no-changed-when'
     - 'var-spacing'
-    - 'fqcn-builtins'
     - 'experimental'
     - 'name[play]'
     - 'name[casing]'
     - 'name[template]'
-    - 'fqcn[action]'
     - 'key-order[task]'
     - '204'
     - '305'

.config/.secrets.baseline

@@ -75,10 +75,6 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
-    {
-      "path": "detect_secrets.filters.common.is_baseline_file",
-      "filename": ".config/.secrets.baseline"
-    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -113,78 +109,12 @@
     {
       "path": "detect_secrets.filters.regex.should_exclude_file",
       "pattern": [
-        ".config/.gitleaks-report.json"
+        ".config/.gitleaks-report.json",
+        "tasks/parse_etc_passwd.yml",
+        "templates/pam_pkcs11.conf.j2"
       ]
     }
   ],
-  "results": {
-    "defaults/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "defaults/main.yml",
-        "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
-        "is_verified": false,
-        "line_number": 600,
-        "is_secret": false
-      }
-    ],
-    "tasks/fix-cat2.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/fix-cat2.yml",
-        "hashed_secret": "8458c0f07cce6d8c92d030b23562f791e57e30d6",
-        "is_verified": false,
-        "line_number": 4277,
-        "is_secret": false
-      }
-    ],
-    "tasks/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/main.yml",
-        "hashed_secret": "8eab8633ccf31cc656649638e6d6b45bd7235ffe",
-        "is_verified": false,
-        "line_number": 66,
-        "is_secret": false
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/main.yml",
-        "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
-        "is_verified": false,
-        "line_number": 101,
-        "is_secret": false
-      }
-    ],
-    "tasks/parse_etc_passwd.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/parse_etc_passwd.yml",
-        "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
-        "is_verified": false,
-        "line_number": 18
-      }
-    ],
-    "tasks/prelim.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/prelim.yml",
-        "hashed_secret": "43c1e0cadc7daa65d95fbf97f335a9896c8e58c6",
-        "is_verified": false,
-        "line_number": 124,
-        "is_secret": false
-      }
-    ],
-    "templates/pam_pkcs11.conf.j2": [
-      {
-        "type": "Secret Keyword",
-        "filename": "templates/pam_pkcs11.conf.j2",
-        "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
-        "is_verified": false,
-        "line_number": 173,
-        "is_secret": false
-      }
-    ]
-  },
-  "generated_at": "2023-09-15T08:39:31Z"
+  "results": {},
+  "generated_at": "2023-09-25T15:48:01Z"
 }

.gitattributes

@@ -3,4 +3,4 @@
 *.yml linguist-detectable=true
 *.ps1 linguist-detectable=true
 *.j2 linguist-detectable=true
-*.md linguist-documentation
+*.md linguist-documentation

.yamllint

@@ -30,4 +30,4 @@ rules:
     trailing-spaces: enable
     truthy:
         allowed-values: ['true', 'false']
-        check-keys: false
+        check-keys: true

Changelog.md

@@ -1,8 +1,16 @@
 # Changes to RHEL8STIG
 
-## Stig V1R11 - 26th July 2023
+## 3.0.2 - Stig V1R11 - 26th July 2023
 
-### 3.0.1
+- workflow and pipeline updates
+- links updates in documentation
+- #222 thanks to @BJSmithIEEE
+- #226 thanks to @jmalpede
+- lint config updates
+- lint updates
+- precommit added and configured
+
+### 3.0.1 - Stig V1R11 - 26th July 2023
 
 Issues:
 

README.md

@@ -15,19 +15,21 @@ This role is based on RHEL 8 DISA STIG: [Version 1, Rel 11 released on July 26,
 ![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56380?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 
-![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Devel%20Build%20Status)
-![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/rhel8-stig/devel?color=dark%20green&label=Devel%20Branch%20Commits)
-
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
-![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Build%20Status)
-![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/rhel8-stig?label=Release%20Date)
-![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/rhel8-stig?label=Release%20Tag&&color=success)
+![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/RHEL8-STIG)
+![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL8-STIG)
+
+[![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL8-STIG/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL8-STIG/actions/workflows/main_pipeline_validation.yml)
+
+[![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL8-STIG/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL8-STIG/actions/workflows/devel_pipeline_validation.yml)
+![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL8-STIG/devel?color=dark%20green&label=Devel%20Branch%20Commits)
+
+![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL8-STIG?label=Open%20Issues)
+![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL8-STIG?label=Closed%20Issues&&color=success)
+![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/RHEL8-STIG?label=Pull%20Requests)
 
-![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/rhel8-stig?label=Open%20Issues)
-![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/rhel8-stig?label=Closed%20Issues&&color=success)
-![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/rhel8-stig?label=Pull%20Requests)
+![License](https://img.shields.io/github/license/ansible-lockdown/RHEL8-STIG?label=License)
 
-![License](https://img.shields.io/github/license/ansible-lockdown/rhel8-stig?label=License)
 
 ---
 

defaults/main.yml

@@ -597,7 +597,7 @@ rhel8stig_tftp_required: false
 
 # RHEL-08-010140 and RHEL-08-020280
 # Password protect the boot loader
-rhel8stig_bootloader_password_hash: grub.pbkdf2.sha512.changethispassword
+rhel8stig_bootloader_password_hash: grub.pbkdf2.sha512.changethispassword  # pragma: allowlist secret
 rhel8stig_boot_superuser: bootloader_admin
 
 # AIDE settings

tasks/fix-cat2.yml

@@ -836,7 +836,7 @@
             regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_macs.stdout }}(.*$)'
             line: '\g<1>-o{{ rhel8stig_ssh_macs }}\g<2>'
             backrefs: true
-  notify: change_requires_reboot
+        notify: change_requires_reboot
   when:
       - rhel_08_010290
   tags:
@@ -861,7 +861,7 @@
             regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_ciphers.stdout }}(.*$)'
             line: '\g<1>-o{{ rhel8stig_ssh_ciphers }}\g<2>'
             backrefs: true
-  notify: change_requires_reboot
+        notify: change_requires_reboot
   when:
       - rhel_08_010291
   tags:
@@ -4274,7 +4274,7 @@
       - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file"
         ansible.builtin.include_tasks: parse_etc_passwd.yml
         vars:
-            rhel8stig_passwd_tasks: "RHEL-08-020320"
+            rhel8stig_passwd_tasks: "RHEL-08-020320"  # pragma: allowlist secret
         when: rhel_08_020320_accounts_removed is changed  # noqa no-handler
   when:
       - rhel_08_020320
@@ -7407,8 +7407,7 @@
         when:
             - rhel8stig_current_kex is defined
             - rhel8stig_current_kex.stdout | length > 0
-
-  notify: change_requires_reboot
+        notify: change_requires_reboot
   when:
       - rhel_08_040342
       - rhel8stig_ssh_required

tasks/main.yml

@@ -63,7 +63,7 @@
             fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
             success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }}"
         vars:
-            sudo_password_rule: RHEL-08-010380
+            sudo_password_rule: RHEL-08-010380  # pragma: allowlist secret
   when:
       - rhel_08_010380
       - ansible_env.SUDO_USER is defined
@@ -98,8 +98,8 @@
 
 - name: Check rhel8stig_bootloader_password_hash variable has been changed
   ansible.builtin.assert:
-      that: rhel8stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
-      msg: "This role will not be able to run single user password commands as rhel8stig_bootloader_password_hash variable has not been set"
+      that: rhel8stig_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
+      msg: "This role will not be able to run single user password commands as rhel8stig_bootloader_password_hash variable has not been set"  # pragma: allowlist secret
 
   when:
       - not system_is_ec2

tasks/prelim.yml

@@ -121,7 +121,7 @@
 - name: "PRELIM | RHEL-08-010740 | RHEL-08-010750 | RHEL-08-020320 | Parse /etc/passwd"
   ansible.builtin.import_tasks: parse_etc_passwd.yml
   vars:
-      rhel8stig_passwd_tasks: "RHEL-08-010740 RHEL-08-010750 RHEL-08-020320"
+      rhel8stig_passwd_tasks: "RHEL-08-010740 RHEL-08-010750 RHEL-08-020320"  # pragma: allowlist secret
   when:
       - rhel_08_010141 or
         rhel_08_010149 or

templates/01-banner-message.j2

@@ -1,4 +1,4 @@
-[org/gnome/login-screen] 
+[org/gnome/login-screen]
 banner-message-enable=true
 
 banner-message-text='{{ rhel8stig_logon_banner }}'

templates/aide.conf.j2

@@ -319,4 +319,4 @@ DATAONLY =  FIPSR
 
 
 # Ditto /var/log/sa/ same reason...
-!/var/log/httpd/
+!/var/log/httpd/

templates/ansible_vars_goss.yml.j2

@@ -14,7 +14,7 @@ rpm_gpg_key: {{ rpm_gpg_key }}
 rhel8stig_os_version_pre_8_2: {% if ansible_distribution_version >= '8.2' %}false{% else %}true{% endif %}
 
 
-# Some tests may need to scan every filesystem or have an impact on a system 
+# Some tests may need to scan every filesystem or have an impact on a system
 # these may need be scheduled to minimise impact also ability to set a timeout if taking too long
 run_heavy_tests: {{ audit_run_heavy_tests }}
 timeout_ms: {{ audit_cmd_timeout }}

templates/pam_pkcs11.conf.j2

@@ -9,7 +9,7 @@ pam_pkcs11 {
   nullok = true;
 
   # Enable debugging support.
-  debug = false; 
+  debug = false;
 
   # If the smart card is inserted, only use it
   card_only = true;
@@ -32,7 +32,7 @@ pam_pkcs11 {
   screen_savers = gnome-screensaver,xscreensaver,kscreensaver
 
   pkcs11_module {{ rhel08stig_smartcarddriver }} {
-    {% if rhel08stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel08stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %} 
+    {% if rhel08stig_smartcarddriver == 'cackey' %}module = /usr/lib64/libcackey.so;{% elif rhel08stig_smartcarddriver == 'coolkey' %}module = libcoolkeypk11.so;{% endif %}
     module = /usr/lib64/libcackey.so;
     description = "{{ rhel08stig_smartcarddriver }}";
     slot_num = 0;
@@ -54,7 +54,7 @@ pam_pkcs11 {
     # you can mange the certs in this database with the certutil command in
     # the package nss-tools
     nss_dir = /etc/pki/nssdb;
-  
+
     # Sets the Certificate Policy, (see above)
     cert_policy = ca, signature;
   }
@@ -96,10 +96,10 @@ pam_pkcs11 {
   # When no absolute path or module info is provided, use this
   # value as module search path
   # TODO:
-  # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH 
+  # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH
   mapper_search_path = /usr/$LIB/pam_pkcs11;
 
-  # 
+  #
   # Generic certificate contents mapper
   mapper generic {
         debug = true;
@@ -194,7 +194,7 @@ pam_pkcs11 {
   module = internal;
   # module = /usr/$LIB/pam_pkcs11/mail_mapper.so;
   # Declare mapfile or
-  # leave empty "" or "none" to use no map 
+  # leave empty "" or "none" to use no map
   mapfile = file:///etc/pam_pkcs11/mail_mapping;
   # Some certs store email in uppercase. take care on this
   ignorecase = true;

templates/resolv.conf.j2

@@ -11,4 +11,4 @@ nameserver {{ server }}
 {% endif %}
 {% if rhel8_stig_resolv_options is iterable %}
 options {{ rhel8_stig_resolv_options | join(' ') }}
-{% endif %}
+{% endif %}

test_plugins/rhel8_stig_ansible_backport.py

@@ -19,4 +19,4 @@ def tests(self):
         return {
             # set theory
             'contains':    contains,
-        }
+        }

test_plugins/rhel8_stig_jinja_compat.py

@@ -38,4 +38,4 @@ def tests(self):
             'lessthan':    operator.lt,
             '<=':          operator.le,
             'le':          operator.le,
-        }
+        }