2023 September Updates: Typo fixes and Implemented Standards #106

Closed
wants to merge 3 commits into from
1 change: 1 addition & 0 deletions .ansible-lint
@@ -11,6 +11,7 @@ skip_list:
- 'name[casing]'
- 'name[template]'
- 'key-order[task]'
- 'yaml[line-length]'
- '204'
- '305'
- '303'
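Review bot: adding `yaml[line-length]` to `skip_list` silences the line-length check for every file in the repository, not only the few long task names or URLs that presumably triggered it. If the goal is to tolerate long lines in specific places, a `# noqa: yaml[line-length]` on those lines, or a higher `max` under `line-length` in `.yamllint` so that yamllint and ansible-lint agree on the same limit, keeps the rule active everywhere else.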
18 changes: 9 additions & 9 deletions .github/workflows/devel_pipeline_validation.yml
@@ -17,7 +17,7 @@
# A workflow run is made up of one or more jobs
# that can run sequentially or in parallel
jobs:
# This will create messages for first time contributers and direct them to the Discord server
# This will create messages for first-time contributors and direct them to the Discord server
welcome:
runs-on: ubuntu-latest

@@ -29,13 +29,13 @@
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.

# This workflow contains a single job which tests the playbook
# This workflow contains a single job that tests the playbook
playbook-test:
# The type of runner that the job will run on
runs-on: ubuntu-latest
env:
ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
# Imported as a variable by terraform
# Imported as a variable by Terraform
TF_VAR_repository: ${{ github.event.repository.name }}
defaults:
run:
@@ -48,7 +48,7 @@
with:
ref: ${{ github.event.pull_request.head.sha }}

# Pull in terraform code for linux servers
# Pull in Terraform code for Linux servers
- name: Clone github IaC plan
uses: actions/checkout@v3
with:
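Review bot: the comment above the step is corrected to "Terraform" and "Linux", but the step name on the next line, `- name: Clone github IaC plan`, keeps the lowercase `github`; the identical step in main_pipeline_validation.yml is renamed to `Clone GitHub IaC plan` in this same PR, so rename it here as well so the two workflows' step names stay identical and grep-able.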
@@ -74,23 +74,23 @@
pwd
ls
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Init
id: init
run: terraform init
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Validate
id: validate
run: terraform validate
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

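Review bot: the first step's env block exports `benchmark_type: ${{ vars.BENCHMARK_TYPE }}` while Terraform_Init and Terraform_Validate export `TF_VAR_benchmark_type`; Terraform only reads variables that carry the `TF_VAR_` prefix, so if that earlier step invokes terraform the value is not visible to it, and the name should be aligned while these lines are being touched (main_pipeline_validation.yml has the same mismatch). The corrected comment is also still a run-on; `# Imported from GitHub variables; used to load the relevant OS.tfvars file` reads better in all three places.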
@@ -108,12 +108,12 @@
if: env.ENABLE_DEBUG == 'true'
run: cat hosts.yml

# Aws deployments taking a while to come up insert sleep or playbook fails
# AWS deployments taking a while to come up insert sleep or playbook fails

- name: Sleep for 60 seconds
run: sleep 60s

# Run the ansible playbook
# Run the Ansible playbook
- name: Run_Ansible_Playbook
uses: arillso/action.playbook@master
with:
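Review bot: `uses: arillso/action.playbook@master` pins the playbook runner to a mutable branch, so any push to that branch changes the code that executes with this workflow's token and against the freshly provisioned hosts; pin it to a release tag or, better, a full commit SHA, as the `actions/checkout@v3` steps above at least pin to a tag. The same reference appears in main_pipeline_validation.yml. The `sleep 60s` noted in the comment is an acceptable stopgap, but a readiness loop that retries until the hosts answer would make the job less flaky than a fixed delay.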
14 changes: 7 additions & 7 deletions .github/workflows/main_pipeline_validation.yml
@@ -18,7 +18,7 @@
# that can run sequentially or in parallel
jobs:

# This workflow contains a single job which tests the playbook
# This workflow contains a single job that tests the playbook
playbook-test:
# The type of runner that the job will run on
runs-on: ubuntu-latest
@@ -37,8 +37,8 @@
with:
ref: ${{ github.event.pull_request.head.sha }}

# Pull in terraform code for linux servers
- name: Clone github IaC plan
# Pull in Terraform code for Linux servers
- name: Clone GitHub IaC plan
uses: actions/checkout@v3
with:
repository: ansible-lockdown/github_linux_IaC
@@ -63,23 +63,23 @@
pwd
ls
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Init
id: init
run: terraform init
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

- name: Terraform_Validate
id: validate
run: terraform validate
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}

@@ -102,7 +102,7 @@
- name: Sleep for 60 seconds
run: sleep 60s

# Run the ansible playbook
# Run the Ansible playbook
- name: Run_Ansible_Playbook
uses: arillso/action.playbook@master
with:
6 changes: 1 addition & 5 deletions .github/workflows/update_galaxy.yml
@@ -1,12 +1,8 @@
---

# This is a basic workflow to help you get started with Actions

name: update galaxy

# Controls when the action will run.
# Triggers the workflow on merge request events to the main branch
on: # yamllint disable-line rule:truthy
on:
push:
branches:
- main
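Review bot: dropping the `# yamllint disable-line rule:truthy` marker from the `on:` key will make yamllint's default configuration flag `on` as a truthy value, and the `.yamllint` hunk in this PR only adds a blank line, so nothing compensates for the removal. Either keep the marker or set `truthy: check-keys: false` (or add `on` to `allowed-values`) under `rules:` in `.yamllint`, otherwise the lint job that these workflow files are meant to pass will start failing on this file.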
1 change: 1 addition & 0 deletions .yamllint
@@ -1,4 +1,5 @@
---

extends: default

ignore: |
16 changes: 8 additions & 8 deletions CONTRIBUTING.rst
@@ -5,11 +5,11 @@ Rules
-----
1) All commits must be GPG signed (details in Signing section)
2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <[email protected]>) in the commit message (details in Signing section)
3) All work is done in your own branch or own fork
3) All work is done in your own branch or fork
4) Pull requests
a) From within the repo: All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing
b) From a forked repo: All pull requests will go into a staging branch within the repo. There are automated checks for signed commits, signoff in commit message, and functional testing when going from staging to devel
4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
a) From within the repo: All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit messages, and functional testing
b) From a forked repo: All pull requests will go into a staging branch within the repo. There are automated checks for signed commits, signoff in commit messages, and functional testing when going from staging to devel
4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit messages, and functional testing)
5) Be open and nice to each other

Workflow
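Review bot: the duplicated `4)` item and its stray trailing `)` survive this edit: rule 4 is listed once as `4) Pull requests` with sub-items a) and b), and again as `4) All pull requests go into the devel branch ... functional testing)`. The second copy also contradicts b), which says pull requests from forks land in a staging branch first, so drop it and let `5)` keep its number.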
@@ -32,19 +32,19 @@ The process is to certify the below DCO 1.1 text
By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
have the right to submit it under the open-source license
indicated in the file; or

(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
of my knowledge, is covered under an appropriate open-source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
by me, under the same open-source license (unless I am
permitted to submit under a different license), as indicated
in the file; or

(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
person who certified (a), (b), or (c) and I have not modified
it.

(d) I understand and agree that this project and the contribution
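Review bot: the lines under "The process is to certify the below DCO 1.1 text" are the Developer Certificate of Origin, which is meant to be reproduced verbatim; hyphenating "open-source" in (a) and (b) and adding a comma in "(a), (b), or (c)" make this copy diverge from the canonical text at developercertificate.org, which contributors are asked to certify word for word. Suggest reverting the edits inside the quoted certificate and limiting the typo fixes to the project's own prose.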
2 changes: 1 addition & 1 deletion LICENSE
@@ -1,6 +1,6 @@
MIT License

Copyright (c) 2022 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases
Copyright (c) 2023 MindPoint Group / Lockdown Enterprise / Lockdown Enterprise Releases

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
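Review bot: replacing 2022 with 2023 removes the first publication year from the notice; copyright lines are normally extended to a range (`Copyright (c) 2022-2023 MindPoint Group / ...`) rather than overwritten, so the original year stays on record. The `MindPoint` capitalisation fix itself is fine.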
12 changes: 6 additions & 6 deletions README.md
@@ -44,7 +44,7 @@ Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to a

This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.

This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed.
This role was developed against a clean install of the Operating System. If you are implementing on an existing system, please review this role for any site-specific changes that are needed.

## Documentation

@@ -64,7 +64,7 @@ This role was developed against a clean install of the Operating System. If you
- [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
- [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup.
- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/UBUNTU22-CIS/wiki/Main-Variables).
- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also, familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/UBUNTU22-CIS/wiki/Main-Variables).

**Technical Dependencies:**

@@ -87,14 +87,14 @@ Further audit documentation can be found at [Read The Docs](https://ansible-lock

## Role Variables

This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc.
This role is designed so the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc.

## Branches

- **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch
- **devel** - This is the default branch and the working development branch. Community pull requests will be pulled into this branch
- **main** - This is the release branch
- **reports** - This is a protected branch for our scoring reports, no code should ever go here
- **gh-pages** - This is the github pages branch
- **gh-pages** - This is the GitHub pages branch
- **all other branches** - Individual community member branches

## Community Contribution
@@ -111,7 +111,7 @@ We encourage you (the community) to contribute to this role. Please read the rul
uses:

- ansible-core 2.12
- ansible collections - pulls in the latest version based on requirements file
- ansible collections - pulls in the latest version based on the requirements file
- runs the audit using the devel branch
- This is an automated test that occurs on pull requests into devel

1 change: 1 addition & 0 deletions defaults/main.yml
@@ -1,4 +1,5 @@
---

## Switching on/off specific baseline sections
# These variables govern whether the tasks of a particular section are to be executed when running the role.
# E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true.
4 changes: 2 additions & 2 deletions tasks/LE_audit_setup.yml
@@ -7,16 +7,16 @@
owner: root
group: root
checksum: "{{ audit_bin_version.checksum }}"
mode: 0555
mode: '0555'
when:
- get_audit_binary_method == 'download'

- name: Pre Audit Setup | copy audit binary
ansible.builtin.copy:
src: "{{ audit_bin_copy_location }}"
dest: "{{ audit_bin }}"
mode: 0555
owner: root
group: root
mode: '0555'
when:
- get_audit_binary_method == 'copy'
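Review bot: quoting the mode is a correctness fix, not just a style one, and it is worth saying so in the commit message: YAML parses the unquoted `0555` as an octal integer (365), which Ansible happens to interpret as intended, but a mode written without the leading zero (for example `644`) is taken as decimal 644 and yields a different permission set; the string form `'0555'` is unambiguous and is what ansible-lint's `risky-octal` rule asks for. The same change is applied consistently in the auditd, audit and section_1 task files below. In the copy task `mode` is also moved below `owner`/`group`, which is harmless and matches the download task's key order.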
4 changes: 2 additions & 2 deletions tasks/auditd.yml
@@ -6,7 +6,7 @@
dest: /etc/audit/rules.d/99_auditd.rules
owner: root
group: root
mode: 0600
mode: '0600'
register: audit_rules_updated
notify:
- Auditd rules reload
@@ -21,7 +21,7 @@
dest: /etc/audit/rules.d/98_auditd_exceptions.rules
owner: root
group: root
mode: 0600
mode: '0600'
notify: Restart auditd
when:
- ubtu22cis_allow_auditd_uid_user_exclusions
2 changes: 1 addition & 1 deletion tasks/post_remediation_audit.yml
@@ -11,7 +11,7 @@
- name: Post Audit | ensure audit files readable by users
ansible.builtin.file:
path: "{{ item }}"
mode: 0644
mode: '0644'
state: file
loop:
- "{{ post_audit_outfile }}"
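Review bot: quoting aside, `'0644'` on `post_audit_outfile` leaves the audit report world-readable, and that file records which CIS controls are still failing on the host, which discloses the host's unremediated weaknesses to every local account. If "readable by users" means the operators who run the role, `'0640'` together with an explicit `group:` on this task would satisfy that without exposing the findings to all users; worth a follow-up since the permission was only re-quoted here, not reconsidered.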
2 changes: 1 addition & 1 deletion tasks/pre_remediation_audit.yml
@@ -78,7 +78,7 @@
ansible.builtin.template:
src: ansible_vars_goss.yml.j2
dest: "{{ audit_vars_path }}"
mode: 0600
mode: '0600'
when:
- run_audit
tags:
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.1.2.x.yml
@@ -32,7 +32,7 @@
dest: /etc/systemd/system/tmp.mount
owner: root
group: root
mode: 0644
mode: '0644'
notify: Remount tmp
with_items:
- "{{ ansible_mounts }}"
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.5.x.yml
@@ -46,7 +46,7 @@
create: true
owner: root
group: root
mode: 0644
mode: '0644'

- name: "1.5.3 | PATCH | Ensure Automatic Error Reporting is not enabled | remove package"
ansible.builtin.package:
6 changes: 3 additions & 3 deletions tasks/section_1/cis_1.7.x.yml
@@ -60,7 +60,7 @@
path: /etc/motd
owner: root
group: root
mode: 0644
mode: '0644'
when:
- ubtu22cis_rule_1_7_4
tags:
@@ -77,7 +77,7 @@
path: /etc/issue
owner: root
group: root
mode: 0644
mode: '0644'
when:
- ubtu22cis_rule_1_7_5
tags:
@@ -94,7 +94,7 @@
path: /etc/issue.net
owner: root
group: root
mode: 0644
mode: '0644'
when:
- ubtu22cis_rule_1_7_6
tags: