Release devel -> main #104

Merged: 79 commits from devel into main, Sep 26, 2023
568239c
bugfix: When IPv6 is disabled / not available we can not add ufw rule.
jamesv1994 Aug 12, 2023
8d22db5
Merge pull request #61 from jamesv1994/devel
uk-bolly Aug 23, 2023
61fe3da
Only modify /etc/aide.conf when ubtu22cis_config_aide is true
colinbruner Aug 25, 2023
f3becb2
Merge pull request #64 from colinbruner/config-aide
uk-bolly Aug 30, 2023
4144b85
Addressed #62
uk-bolly Aug 30, 2023
2a7c649
Merge pull request #66 from ansible-lockdown/issue_#62
uk-bolly Sep 6, 2023
de2a1f5
fix: #68 Role fails when ubtu22cis_time_sync_tool: "systemd-timesyncd…
Jason-Hendry Sep 8, 2023
8e012de
Merge pull request #69 from Jason-Hendry/fix/68-time_sync_tool-system…
uk-bolly Sep 8, 2023
9130f99
Added condition for associated task
uk-bolly Sep 11, 2023
e2afe3f
Merge pull request #70 from ansible-lockdown/issue_#67
uk-bolly Sep 11, 2023
fbd2f9d
updated secrets
uk-bolly Sep 11, 2023
7d39bfe
fix var name
uk-bolly Sep 11, 2023
0f0d1b1
Added tasks
uk-bolly Sep 11, 2023
783f441
lint
uk-bolly Sep 11, 2023
4f865aa
update test
uk-bolly Sep 12, 2023
e7198d2
added daemon_reload
uk-bolly Sep 12, 2023
a0d3fe8
updated
uk-bolly Sep 12, 2023
50713b6
Merge pull request #71 from ansible-lockdown/goss_update
uk-bolly Sep 13, 2023
27923d6
Initial draft of documenting variables in defaults/main.yml more exte…
bgro Sep 14, 2023
8dd4371
Fix loop indentation for lineinfile
anzoman Sep 15, 2023
95736f8
Replace 'when' keyword with a required 'that' param in assert
anzoman Sep 15, 2023
4f2b6f7
Correcting comments for variables before Section 1.
bgro Sep 15, 2023
e794b6e
Merge pull request #72 from anzoman/steampunk-spotter-fixes
uk-bolly Sep 15, 2023
cc564a3
Removing duplicate variable signifying containerized systems.
bgro Sep 15, 2023
3fb5642
Merge pull request #74 from siemens/siemens/feat/double_variable_rgd_…
uk-bolly Sep 15, 2023
8192f21
Removing merge conflict.
bgro Sep 15, 2023
a463905
fix(R5.4.3). Correct regexes so that they match
raabf Sep 15, 2023
98ad1a3
Correcting comments up to and including Section 2.
bgro Sep 18, 2023
3ec604d
update discord link
uk-bolly Sep 18, 2023
b51cd68
Merge pull request #75 from ansible-lockdown/discord_link
uk-bolly Sep 18, 2023
05c3c42
Fixing variable documentation up to and including Section 4.
bgro Sep 19, 2023
b7405d4
Removing unused variable.
bgro Sep 19, 2023
0f72f9d
Merge pull request #78 from siemens/siemens/feature/unused_variable_s…
uk-bolly Sep 19, 2023
eb646bf
Resolving merge conflict.
bgro Sep 19, 2023
9c87f01
Fixed variable descriptions up to 4.1.2.2/3
bgro Sep 19, 2023
ba124c8
lint updates
uk-bolly Sep 19, 2023
ad02acb
tidy up auditd uid exclusion explanation #79
uk-bolly Sep 19, 2023
99e4e44
linting
uk-bolly Sep 19, 2023
4090460
Added pragma for secrets
uk-bolly Sep 19, 2023
c60234b
updated secrets files
uk-bolly Sep 19, 2023
ec76028
issue 80 updates
uk-bolly Sep 19, 2023
bd77283
Further improvements regarding variable descriptions.
bgro Sep 20, 2023
d67877b
issues #81 addressed
uk-bolly Sep 20, 2023
b0d4032
updated
uk-bolly Sep 20, 2023
5b64949
issue_#82
uk-bolly Sep 20, 2023
2d6ae06
tidyup_tags
uk-bolly Sep 20, 2023
b3cd484
adopted PR #63
uk-bolly Sep 20, 2023
0be2ea4
updated
uk-bolly Sep 20, 2023
8079e20
import_tasks added file
uk-bolly Sep 20, 2023
1fdd442
updated
uk-bolly Sep 20, 2023
1455764
Fixed further variable descriptions
bgro Sep 20, 2023
2a4a738
Finalizing improved variable documentation.
bgro Sep 20, 2023
9a3b7c9
Reverting value of allow_users and allow_groups to what was set orig…
bgro Sep 20, 2023
179d252
Re-adding comment symbol that somehow got deleted.
bgro Sep 20, 2023
1dc2a9f
updated truthy
uk-bolly Sep 21, 2023
a4c63ca
Adjusting command for identifying interactive users in prelim task
ipruteanu-sie Sep 21, 2023
0aed2e4
Merge pull request #83 from ansible-lockdown/sept_issues
uk-bolly Sep 21, 2023
30a8a16
Fixing merge conflicts and adding documentation.
bgro Sep 21, 2023
74e87ca
Merge pull request #85 from siemens/siemens/feat/improve_doc_of_varia…
uk-bolly Sep 21, 2023
8777ce3
🐛(R4.1.3.12): Change wrong /var/log/faillog to /var/run/faillock
raabf Sep 21, 2023
ffdef06
Fixing syntax for 1.8.4, sub-task | session profile |
ipruteanu-sie Sep 22, 2023
852b2b3
Removing accidentally duplicated block-header in previous commit
ipruteanu-sie Sep 22, 2023
24cd6a3
Merge pull request #87 from siemens/siemens/feat/prelim_interactive_u…
uk-bolly Sep 22, 2023
30b50f1
Fixing indentation issue, by adjusting no. of spaces for compliance w…
ipruteanu-sie Sep 22, 2023
ad7e127
Getting rule 4.1.3.2 in line with what CIS expects.
bgro Sep 22, 2023
b15ee75
Merge pull request #92 from siemens/siemens/feat/r1_8_4_SyntaxIssueIn…
uk-bolly Sep 22, 2023
f3658c9
Removing restricting of chage operations to UIDs > 1000
bgro Sep 22, 2023
e4b22fe
Linting.
bgro Sep 22, 2023
0e1baf7
Trimming trailing whitespace.
bgro Sep 22, 2023
0cf30ed
Merge pull request #95 from siemens/siemens/feat/audit_rule_4_1_3_2_n…
uk-bolly Sep 25, 2023
adc7620
Merge pull request #97 from siemens/siemens/feat/pw_settings_for_root
uk-bolly Sep 25, 2023
42cf4bb
updated truthy
uk-bolly Sep 25, 2023
bcd41c1
updated link and typo
uk-bolly Sep 25, 2023
2f7905f
addressed #88 due to pipeline issues
uk-bolly Sep 25, 2023
083f9f7
Merge pull request #98 from siemens/siemens/ubuntu22/r5_4_3-pam_d-pas…
uk-bolly Sep 25, 2023
ad2c8b7
Merge pull request #99 from siemens/siemens/r4_1_3_12-faillock
uk-bolly Sep 25, 2023
4d60564
Merge branch 'devel' into alignment
uk-bolly Sep 25, 2023
19647c7
updated for fqcn
uk-bolly Sep 25, 2023
129c3b0
Merge pull request #100 from ansible-lockdown/alignment
uk-bolly Sep 26, 2023
2 changes: 0 additions & 2 deletions .ansible-lint
Expand Up @@ -6,12 +6,10 @@ skip_list:
- 'schema'
- 'no-changed-when'
- 'var-spacing'
- 'fqcn-builtins'
- 'experimental'
- 'name[play]'
- 'name[casing]'
- 'name[template]'
- 'fqcn[action]'
- 'key-order[task]'
- '204'
- '305'
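Review bot: dropping 'fqcn-builtins' and 'fqcn[action]' from skip_list turns FQCN enforcement on for every task in the role, so the lint job will now fail on any remaining short module name (for example `apt:` instead of `ansible.builtin.apt:`); confirm the "updated for fqcn" commit covered the whole tree, not only tasks/, before merging. The remaining skips 'schema' and 'no-changed-when' silence checks that matter for a hardening role (a command task without changed_when reports a change on every run, which defeats idempotency checks in the pipeline), so they are worth a follow-up.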
1 change: 1 addition & 0 deletions .config/.gitleaks-report.json
@@ -0,0 +1 @@
[]
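Review bot: a generated scanner report should not be a tracked file; committing `[]` here freezes a "no findings" result that goes stale the moment the next scan runs, and the same PR excludes this path from detect-secrets, so nothing will ever flag content written into it. Prefer adding the report to .gitignore and producing it in the pipeline; if the file has to exist for a pre-commit hook, say why in CONTRIBUTING.rst.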
57 changes: 4 additions & 53 deletions .config/.secrets.baseline
Expand Up @@ -75,10 +75,6 @@
{
"path": "detect_secrets.filters.allowlist.is_line_allowlisted"
},
{
"path": "detect_secrets.filters.common.is_baseline_file",
"filename": ".config/.secrets.baseline"
},
{
"path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
"min_level": 2
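Review bot: the `detect_secrets.filters.common.is_baseline_file` entry removed here is the filter that stops detect-secrets from scanning the baseline itself. It typically disappears when the baseline is regenerated with a plain `detect-secrets scan` redirected to the file instead of `detect-secrets scan --baseline .config/.secrets.baseline`; regenerating with `--baseline` brings it back, otherwise any hashed_secret values recorded in the baseline later can be reported as new findings.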
Expand Down Expand Up @@ -113,56 +109,11 @@
{
"path": "detect_secrets.filters.regex.should_exclude_file",
"pattern": [
".config/.gitleaks-report.json"
".config/.gitleaks-report.json",
"tasks/parse_etc_password.yml"
]
}
],
"results": {
"defaults/main.yml": [
{
"type": "Secret Keyword",
"filename": "defaults/main.yml",
"hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
"is_verified": false,
"line_number": 454,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": "defaults/main.yml",
"hashed_secret": "62d080aa835d5cde69e3162f928472a204769a63",
"is_verified": false,
"line_number": 641,
"is_secret": false
}
],
"tasks/main.yml": [
{
"type": "Secret Keyword",
"filename": "tasks/main.yml",
"hashed_secret": "d042db4b269513126cd2a41f7e62a0a23cdb91dc",
"is_verified": false,
"line_number": 48,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": "tasks/main.yml",
"hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
"is_verified": false,
"line_number": 57,
"is_secret": false
}
],
"tasks/parse_etc_password.yml": [
{
"type": "Secret Keyword",
"filename": "tasks/parse_etc_password.yml",
"hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
"is_verified": false,
"line_number": 19
}
]
},
"generated_at": "2023-08-09T10:22:53Z"
"results": {},
"generated_at": "2023-09-20T07:45:19Z"
}
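Review bot: the new `should_exclude_file` pattern takes `tasks/parse_etc_password.yml` out of scanning entirely, which is broader than the one line that was actually flagged (line 19, the only entry in the old results that had not been audited with `is_secret: false`). An inline `# pragma: allowlist secret` on that line, which is what the "Added pragma for secrets" commit in this PR suggests was done elsewhere, would keep the rest of the file covered. Also confirm that the four defaults/main.yml and tasks/main.yml findings removed from `results` were replaced by inline pragmas rather than just dropped: with `results` now `{}` the baseline no longer records that they were reviewed.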
2 changes: 1 addition & 1 deletion .github/workflows/devel_pipeline_validation.yml
Expand Up @@ -27,7 +27,7 @@
repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: |-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.

# This workflow contains a single job which tests the playbook
playbook-test:
2 changes: 1 addition & 1 deletion .yamllint
Expand Up @@ -30,4 +30,4 @@ rules:
trailing-spaces: enable
truthy:
allowed-values: ['true', 'false']
check-keys: false
check-keys: true
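Review bot: with `check-keys: true` the truthy rule rejects mapping keys spelled `yes`, `no`, `on` or `off` as well as values, and every GitHub Actions workflow under .github/workflows has a top-level `on:` key, so unless .yamllint already ignores that directory the workflow files will fail lint; either quote the key (`"on":`) or add an ignore for that path. It would also help to state in CONTRIBUTING.rst that only `true`/`false` are accepted, for keys and values alike.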
2 changes: 1 addition & 1 deletion CONTRIBUTING.rst
Expand Up @@ -66,4 +66,4 @@ following text in your contribution commit message:

This message can be entered manually, or if you have configured git
with the correct `user.name` and `user.email`, you can use the `-s`
option to `git commit` to automatically include the signoff message.
option to `git commit` to automatically include the signoff message.
31 changes: 31 additions & 0 deletions Changelog.md
Expand Up @@ -2,6 +2,37 @@

## Based on CIS V1.0.0

### V1.0.5

updated import_tasks to state file

issues addressed
thanks to @bgro

- #79
- #80
- #81
- #82

adopted PR changed
thanks to @andrejzverev

- #63

### v1.0.4

Several issues addressed
Version of goss updated along with associated audit content
linting update
pre-commit added

- #59
- #61
- #62
- #64
- #67
- #69

### v1.0.3

Issues:
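Review bot: the version headings are inconsistent (`### V1.0.5` against `### v1.0.4` and `### v1.0.3`); use lowercase `v` throughout. "adopted PR changed" should read "adopted PR changes", and "updated import_tasks to state file" does not tell a reader what changed for them; a short sentence on the user-visible effect would make the entry useful.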
7 changes: 4 additions & 3 deletions README.md
Expand Up @@ -38,7 +38,7 @@

### Community

On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.

## Caution(s)

Expand Down Expand Up @@ -68,16 +68,17 @@ This role was developed against a clean install of the Operating System. If you

**Technical Dependencies:**

- Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer)
- Running Ansible/Tower setup (this role is tested against Ansible version 2.10.1 and newer)
- Python3 Ansible run environment
- goss >= 0.4.0 (If using for audit)

## Auditing (new)

This can be turned on or off within the defaults/main.yml file with the variable run_audit. The value is false by default, please refer to the wiki for more details.

This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings.

A new form of auditing has been develeoped, by using a small (12MB) go binary called [goss](https://github.com/aelsabbahy/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling.
A new form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling.
This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process.

Refer to [UBUNTU22-CIS-Audit](https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit).
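Review bot: raising the minimum tested Ansible version from 2.9.1 to 2.10.1 is consistent with enforcing FQCN module names in .ansible-lint in this same PR, but if the role's metadata declares a min_ansible_version it should be bumped to match, otherwise Galaxy and ansible-lint will report a different floor than the README. The goss link now points at the goss-org organisation, which is the project's current home, and the "develeoped" typo is fixed in passing.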