diff --git a/.ansible-lint b/.ansible-lint
index 39c4d623..057c65e0 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -5,20 +5,20 @@ quiet: true
 skip_list:
   - 'schema'
   - 'no-changed-when'
+  - 'var-spacing'
   - 'fqcn-builtins'
   - 'experimental'
-  - 'fqcn[action-core]'
-  - 'fqcn[action]'
+  - 'name[play]'
   - 'name[casing]'
   - 'name[template]'
-  - 'jinja[spacing]'
-  - 'var-naming'  # Older playbook no new release
+  - 'fqcn[action]'
+  - 'key-order[task]'
   - '204'
-  - '208'
   - '305'
   - '303'
   - '403'
   - '306'
   - '602'
+  - '208'
 use_default_rules: true
 verbosity: 0
diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json
new file mode 100644
index 00000000..fe51488c
--- /dev/null
+++ b/.config/.gitleaks-report.json
@@ -0,0 +1 @@
+[]
diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
new file mode 100644
index 00000000..522a6339
--- /dev/null
+++ b/.config/.secrets.baseline
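Review bot: Rule `'208'` (risky-file-permissions) stays on the skip list — the hunk only moves it from the middle of the list to the end — which for a role whose job is hardening file modes means any task that writes a file or template without an explicit `mode:` goes unflagged. Unless there is a known false-positive pattern, drop that entry, or keep it with a reason, e.g. `- '208'  # risky-file-permissions: all file/template tasks set mode explicitly; kept for the legacy numeric id`. The remaining numeric ids (`204`, `305`, `303`, `403`, `306`, `602`) are legacy aliases in ansible-lint 6.x and may stop matching in a future release, so the named ids are the safer spelling.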
@@ -0,0 +1,190 @@ +{ + "version": "1.4.0", + "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, + { + "name": "AWSKeyDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "name": "Base64HighEntropyString", + "limit": 4.5 + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "name": "KeywordDetector", + "keyword_exclude": "" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "SendGridDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_baseline_file", + "filename": ".config/.secrets.baseline" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": "detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": 
"detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + ".config/.gitleaks-report.json" + ] + } + ], + "results": { + "defaults/main.yml": [ + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "is_verified": false, + "line_number": 467, + "is_secret": false + } + ], + "tasks/fix-cat2.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/fix-cat2.yml", + "hashed_secret": "673504d3db128a01a93d32de2b104a05dc2e6859", + "is_verified": false, + "line_number": 1449, + "is_secret": false + } + ], + "tasks/main.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "2784977b09b611a32db88f631d88a5806605967e", + "is_verified": false, + "line_number": 39, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "is_verified": false, + "line_number": 56, + "is_secret": false + } + ], + "tasks/parse_etc_passwd.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/parse_etc_passwd.yml", + "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "is_verified": false, + "line_number": 18 + } + ], + "tasks/prelim.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/prelim.yml", + "hashed_secret": "fd917ab33fb6bd01e799f4b72da0586589cd909a", + "is_verified": false, + "line_number": 228, + "is_secret": false + } + ], + "templates/pam_pkcs11.conf.j2": [ + { + "type": "Secret Keyword", + "filename": "templates/pam_pkcs11.conf.j2", + "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "is_verified": false, + "line_number": 173, + "is_secret": false + } + ] + }, + "generated_at": "2023-09-14T14:19:49Z" +} diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index 3a19c72b..00000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null 
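Review bot: The `tasks/parse_etc_passwd.yml` result is the only entry without `"is_secret": false`, which means it was never audited, yet the baseline will still suppress it on every future `detect-secrets` run — so if that line really carries a credential it is hidden by default from now on. Run `detect-secrets audit .config/.secrets.baseline` and mark every result explicitly; an entry lacking `is_secret` should be treated as an open finding in review, not as a pass. The `tasks/main.yml:56` and `defaults/main.yml:467` hits share `hashed_secret` `64411efd…`, consistent with a variable default rather than a credential, and that is exactly the kind of claim `is_secret: false` should be recording after someone has looked.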
@@ -1,32 +0,0 @@
----
-name: Report Issue
-about: Create a bug issue ticket to help us improve
-title: ''
-labels: bug
-assignees: ''
-
----
-
-**Describe the Issue**
-A clear and concise description of what the bug is.
-
-**Expected Behavior**
-A clear and concise description of what you expected to happen.
-
-**Actual Behavior**
-A clear and concise description of what's happening.
-
-**Control(s) Affected**
-What controls are being affected by the issue
-
-**Environment (please complete the following information):**
- - Ansible Version: [e.g. 2.10]
- - Host Python Version: [e.g. Python 3.7.6]
- - Ansible Server Python Version: [e.g. Python 3.7.6]
- - Additional Details:
-
-**Additional Notes**
-Anything additional goes here
-
-**Possible Solution**
-Enter a suggested fix here
diff --git a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md
deleted file mode 100644
index bf457005..00000000
--- a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-name: Feature Request or Enhancement
-about: Suggest an idea for this project
-title: ''
-labels: enhancement
-assignees: ''
-
----
-
-**Feature Request or Enhancement**
- - Feature []
- - Enhancement []
-
-**Summary of Request**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Suggested Code**
-Please provide any code you have in mind to fulfill the request
diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md
deleted file mode 100644
index cbab6e73..00000000
--- a/.github/ISSUE_TEMPLATE/question.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-name: Question
-about: Ask away.......
-title: ''
-labels: question
-assignees: ''
-
----
-
-**Question**
-Pose question here.
-
-**Environment (please complete the following information):**
- - Ansible Version: [e.g. 2.10]
- - Host Python Version: [e.g. Python 3.7.6]
- - Ansible Server Python Version: [e.g. Python 3.7.6]
- - Additional Details:
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
deleted file mode 100644
index 05dadb6b..00000000
--- a/.github/pull_request_template.md
+++ /dev/null
@@ -1,12 +0,0 @@
-**Overall Review of Changes:**
-A general description of the changes made that are being requested for merge
-
-**Issue Fixes:**
-Please list (using linking) any open issues this PR addresses
-
-**Enhancements:**
-Please list any enhancements/features that are not open issue tickets
-
-**How has this been tested?:**
-Please give an overview of how these changes were tested. If they were not please use N/A
-
diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars
deleted file mode 100644
index 325c24f2..00000000
--- a/.github/workflows/OS.tfvars
+++ /dev/null
@@ -1,9 +0,0 @@
-#Ami centos 7.11
-ami_id = "ami-00e87074e52e6c9f9"
-ami_os = "centos7"
-ami_username = "centos"
-ami_user_home = "/home/centos"
-instance_tags = {
-  Name = "RHEL7-STIG"
-  Environment = "github_test_pipeline"
-}
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
new file mode 100644
index 00000000..a4e7d48a
--- /dev/null
+++ b/.github/workflows/devel_pipeline_validation.yml
@@ -0,0 +1,138 @@
+---
+
+  name: Devel pipeline
+
+  on: # yamllint disable-line rule:truthy
+    pull_request_target:
+      types: [opened, reopened, synchronize]
+      branches:
+        - devel
+      paths:
+        - '**.yml'
+        - '**.sh'
+        - '**.j2'
+        - '**.ps1'
+        - '**.cfg'
+
+  # A workflow run is made up of one or more jobs
+  # that can run sequentially or in parallel
+  jobs:
+    # This will create messages for first time contributers and direct them to the Discord server
+    welcome:
+      runs-on: ubuntu-latest
+
+      steps:
+        - uses: actions/first-interaction@main
+          with:
+            repo-token: ${{ secrets.GITHUB_TOKEN }}
+            pr-message: |-
+              Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+              Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+
+    # This workflow contains a single job which tests the playbook
+    playbook-test:
+      # The type of runner that the job will run on
+      runs-on: ubuntu-latest
+      env:
+        ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
+        # Imported as a variable by terraform
+        TF_VAR_repository: ${{ github.event.repository.name }}
+      defaults:
+        run:
+          shell: bash
+          working-directory: .github/workflows/github_linux_IaC
+
+      steps:
+        - name: Clone ${{ github.event.repository.name }}
+          uses: actions/checkout@v3
+          with:
+            ref: ${{ github.event.pull_request.head.sha }}
+
+        # Pull in terraform code for linux servers
+        - name: Clone github IaC plan
+          uses: actions/checkout@v3
+          with:
+            repository: ansible-lockdown/github_linux_IaC
+            path: .github/workflows/github_linux_IaC
+
+        - name: Add_ssh_key
+          working-directory: .github/workflows
+          env:
+            SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+            PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
+          run: |
+            mkdir .ssh
+            chmod 700 .ssh
+            echo $PRIVATE_KEY > .ssh/github_actions.pem
+            chmod 600 .ssh/github_actions.pem
+
+        - name: DEBUG - Show IaC files
+          if: env.ENABLE_DEBUG == 'true'
+          run: |
+            echo "OSVAR = $OSVAR"
+            echo "benchmark_type = $benchmark_type"
+            pwd
+            ls
+          env:
+            # Imported from github variables this is used to load the relvent OS.tfvars file
+            OSVAR: ${{ vars.OSVAR }}
+            benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+        - name: Terraform_Init
+          id: init
+          run: terraform init
+          env:
+            # Imported from github variables this is used to load the relvent OS.tfvars file
+            OSVAR: ${{ vars.OSVAR }}
+            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+        - name: Terraform_Validate
+          id: validate
+          run: terraform validate
+          env:
+            # Imported from github variables this is used to load the relvent OS.tfvars file
+            OSVAR: ${{ vars.OSVAR }}
+            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+        - name: Terraform_Apply
+          id: apply
+          env:
+            AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+            AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+            OSVAR: ${{ vars.OSVAR }}
+            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+          run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+
+        ## Debug Section
+        - name: DEBUG - Show Ansible hostfile
+          if: env.ENABLE_DEBUG == 'true'
+          run: cat hosts.yml
+
+        # Aws deployments taking a while to come up insert sleep or playbook fails
+
+        - name: Sleep for 60 seconds
+          run: sleep 60s
+
+        # Run the ansible playbook
+        - name: Run_Ansible_Playbook
+          uses: arillso/action.playbook@master
+          with:
+            playbook: site.yml
+            inventory: .github/workflows/github_linux_IaC/hosts.yml
+            galaxy_file: collections/requirements.yml
+            private_key: ${{ secrets.SSH_PRV_KEY }}
+            # verbose: 3
+          env:
+            ANSIBLE_HOST_KEY_CHECKING: "false"
+            ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+        # Remove test system - User secrets to keep if necessary
+
+        - name: Terraform_Destroy
+          if: always() && env.ENABLE_DEBUG == 'false'
+          env:
+            AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+            AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+            OSVAR: ${{ vars.OSVAR }}
+            TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+          run: terraform destroy -var-file
"github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf deleted file mode 100644 index ba777642..00000000 --- a/.github/workflows/github_networks.tf +++ /dev/null @@ -1,53 +0,0 @@ -resource "aws_vpc" "Main" { - cidr_block = var.main_vpc_cidr - instance_tenancy = "default" - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-VPC" - } -} - -resource "aws_internet_gateway" "IGW" { - vpc_id = aws_vpc.Main.id - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-IGW" - } -} - -resource "aws_subnet" "publicsubnets" { - vpc_id = aws_vpc.Main.id - cidr_block = var.public_subnets - availability_zone = var.availability_zone - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-pubsub" - } -} - -resource "aws_subnet" "Main" { - vpc_id = aws_vpc.Main.id - cidr_block = var.private_subnets - availability_zone = var.availability_zone - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-prvsub" - } -} - -resource "aws_route_table" "PublicRT" { - vpc_id = aws_vpc.Main.id - route { - cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.IGW.id - } - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-publicRT" - } -} - -resource "aws_route_table_association" "rt_associate_public" { - subnet_id = aws_subnet.Main.id - route_table_id = aws_route_table.PublicRT.id -} diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars deleted file mode 100644 index 24daeca6..00000000 --- a/.github/workflows/github_vars.tfvars +++ /dev/null 
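Review bot: `pull_request_target` plus `actions/checkout` with `ref: ${{ github.event.pull_request.head.sha }}` checks out untrusted fork code into a job that then executes that code's `site.yml` via `arillso/action.playbook@master` with `secrets.SSH_PRV_KEY`, in the same job where the AWS keys were used and the PEM was written under `.github/workflows/.ssh/`; a PR adding a `delegate_to: localhost` task can plausibly read those from the runner. Gate `playbook-test` on a maintainer action — e.g. `environment: pr-testing` with required reviewers, or `if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')` — or move it to `pull_request` and leave only `welcome` on `pull_request_target`; pin `actions/first-interaction@main` and `arillso/action.playbook@master` to commit SHAs while you are there. The destroy guard `if: always() && env.ENABLE_DEBUG == 'false'` never fires when `vars.ENABLE_DEBUG` is unset (empty string != 'false'), leaving the EC2 instance running after the run; `if: always() && env.ENABLE_DEBUG != 'true'` matches the debug steps' own condition. Finally, `echo $PRIVATE_KEY > .ssh/github_actions.pem` is unquoted, so word-splitting can mangle the key material; use `printf '%s\n' "$PRIVATE_KEY" > .ssh/github_actions.pem`.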
@@ -1,14 +0,0 @@
-// github_actions variables
-// Resourced in github_networks.tf
-// Declared in variables.tf
-//
-
-namespace = "github_actions"
-environment = "lockdown_github_repo_workflow"
-
-// Matching pair name found in AWS for keypairs PEM key
-ami_key_pair_name = "github_actions"
-private_key = ".ssh/github_actions.pem"
-main_vpc_cidr = "172.22.0.0/24"
-public_subnets = "172.22.0.128/26"
-private_subnets = "172.22.0.192/26"
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml
deleted file mode 100644
index 591617f2..00000000
--- a/.github/workflows/linux_benchmark_testing.yml
+++ /dev/null
@@ -1,111 +0,0 @@ -# This is a basic workflow to help you get started with Actions - -name: linux_benchmark_pipeline - -# Controls when the action will run. -# Triggers the workflow on push or pull request -# events but only for the devel branch -on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - -# A workflow run is made up of one or more jobs -# that can run sequentially or in parallel -jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. 
- # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - env: - ENABLE_DEBUG: false - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, - # so your job can access it - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - - ### Build out the server - - name: Terraform_Init - working-directory: .github/workflows - run: terraform init - - - name: Terraform_Validate - working-directory: .github/workflows - run: terraform validate - - - name: Terraform_Apply - working-directory: .github/workflows - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform apply -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep 60s - shell: bash - - # Run the ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - working-directory: .github/workflows - if: 
always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf deleted file mode 100644 index 0e5660c3..00000000 --- a/.github/workflows/main.tf +++ /dev/null 
@@ -1,84 +0,0 @@ -provider "aws" { - profile = "" - region = var.aws_region -} - -// Create a security group with access to port 22 and port 80 open to serve HTTP traffic - - -resource "random_id" "server" { - keepers = { - # Generate a new id each time we switch to a new AMI id - ami_id = "${var.ami_id}" - } - - byte_length = 8 -} - -resource "aws_security_group" "github_actions" { - name = "${var.namespace}-${random_id.server.hex}-SG" - vpc_id = aws_vpc.Main.id - - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-SG" - } -} - -// instance setup - -resource "aws_instance" "testing_vm" { - ami = var.ami_id - availability_zone = var.availability_zone - associate_public_ip_address = true - key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs - instance_type = var.instance_type - tags = var.instance_tags - vpc_security_group_ids = [aws_security_group.github_actions.id] - subnet_id = aws_subnet.Main.id - root_block_device { - delete_on_termination = true - } -} - -// generate inventory file -resource "local_file" "inventory" { - filename = "./hosts.yml" - directory_permission = "0755" - file_permission = "0644" - content = < .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd + ls + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Init + id: init + run: terraform init + env: + # Imported from github variables this is used to load the relvent 
OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Validate + id: validate + run: terraform validate + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Apply + id: apply + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + + ## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep for 60 seconds + run: sleep 60s + + # Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/github_linux_IaC/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} + # verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Remove test system - User secrets to keep if necessary + + - name: Terraform_Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/terraform.tfvars b/.github/workflows/terraform.tfvars deleted file mode 100644 index 31113784..00000000 --- a/.github/workflows/terraform.tfvars +++ /dev/null 
@@ -1,6 +0,0 @@ -// vars should be loaded by OSname.tfvars -availability_zone = "us-east-1b" -aws_region = "us-east-1" -ami_os = var.ami_os -ami_username = var.ami_username -instance_tags = var.instance_tags diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 2052b0a8..951a53cb 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -6,7 +6,7 @@ name: update galaxy # Controls when the action will run. # Triggers the workflow on merge request events to the main branch -on: # yamllint disable-line rule:truthy +on: push: branches: - main diff --git a/.github/workflows/variables.tf b/.github/workflows/variables.tf deleted file mode 100644 index 7e05228b..00000000 --- a/.github/workflows/variables.tf +++ /dev/null 
@@ -1,81 +0,0 @@ -// Taken from the OSname.tfvars - -variable "aws_region" { - description = "AWS region" - default = "us-east-1" - type = string -} - -variable "availability_zone" { - description = "List of availability zone in the region" - default = "us-east-1b" - type = string -} - -variable "instance_type" { - description = "EC2 Instance Type" - default = "t3.micro" - type = string -} - -variable "instance_tags" { - description = "Tags to set for instances" - type = map(string) -} - -variable "ami_key_pair_name" { - description = "Name of key pair in AWS thats used" - type = string -} - -variable "private_key" { - description = "path to private key for ssh" - type = string -} - -variable "ami_os" { - description = "AMI OS Type" - type = string -} - -variable "ami_id" { - description = "AMI ID reference" - type = string -} - -variable "ami_username" { - description = "Username for the ami id" - type = string -} - -variable "ami_user_home" { - description = "home dir for the username" - type = string -} - -variable "namespace" { - description = "Name used across all tags" - type = string -} - -variable "environment" { - description = "Env Name used across all tags" - type = string -} - -// taken from github_vars.tfvars & - -variable "main_vpc_cidr" { - description = "Private cidr block to be used for vpc" - type = string -} - -variable "public_subnets" { - description = "public subnet cidr block" - type = string -} - -variable "private_subnets" { - description = "private subnet cidr block" - type = string -} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000..97c79434 --- /dev/null +++ b/.pre-commit-config.yaml 
@@ -0,0 +1,67 @@
+---
+##### CI for use by github no need for action to be added
+##### Inherited
+ci:
+  autofix_prs: false
+  skip: [detect-aws-credentials, ansible-lint ]
+
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v3.2.0
+  hooks:
+    # Safety
+    - id: detect-aws-credentials
+    - id: detect-private-key
+
+    # git checks
+    - id: check-merge-conflict
+    - id: check-added-large-files
+    - id: check-case-conflict
+
+    # General checks
+    - id: trailing-whitespace
+      name: Trim Trailing Whitespace
+      description: This hook trims trailing whitespace.
+      entry: trailing-whitespace-fixer
+      language: python
+      types: [text]
+      args: [--markdown-linebreak-ext=md]
+    - id: end-of-file-fixer
+
+# Scan for passwords
+- repo: https://github.com/Yelp/detect-secrets
+  rev: v1.4.0
+  hooks:
+    - id: detect-secrets
+      args: [ '--baseline', '.config/.secrets.baseline' ]
+      exclude: .config/.gitleaks-report.json
+
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.17.0
+  hooks:
+    - id: gitleaks
+      args: ['--baseline-path', '.config/.gitleaks-report.json']
+
+- repo: https://github.com/ansible-community/ansible-lint
+  rev: v6.17.2
+  hooks:
+    - id: ansible-lint
+      name: Ansible-lint
+      description: This hook runs ansible-lint.
+      entry: python3 -m ansiblelint --force-color site.yml -c .ansible-lint
+      language: python
+      # do not pass files to ansible-lint, see:
+      # https://github.com/ansible/ansible-lint/issues/611
+      pass_filenames: false
+      always_run: true
+      additional_dependencies:
+        # https://github.com/pre-commit/pre-commit/issues/1526
+        # If you want to use specific version of ansible-core or ansible, feel
+        # free to override `additional_dependencies` in your own hook config
+        # file.
+        - ansible-core>=2.10.1
+
+- repo: https://github.com/adrienverge/yamllint.git
+  rev: v1.32.0 # or higher tag
+  hooks:
+    - id: yamllint
diff --git a/ChangeLog.md b/ChangeLog.md
index 58351024..0859edd9 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
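Review bot: `skip: [detect-aws-credentials, ansible-lint ]` means pre-commit.ci never runs `detect-aws-credentials`, and when run locally that hook only matches keys already present in the committer's own `~/.aws/credentials` (and errors out when none exist), so as configured it provides no repository-wide coverage and will break for contributors without an AWS profile; either add `args: [--allow-missing-credentials]` under it with a comment `# only catches the committer's own AWS keys; gitleaks/detect-secrets are the real scanners`, or drop the hook. `rev: v3.2.0` of pre-commit-hooks is a 2020 release; all ids used here exist in v4.x, so the bump is low-risk. Both `exclude:` on detect-secrets and `--baseline-path` on gitleaks point at `.config/.gitleaks-report.json`, which is currently `[]`; keep it empty rather than regenerating it from a `gitleaks detect --report-path` run, because anything written there becomes a permanent allowlist.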
@@ -1,5 +1,28 @@ # Changelog +## 3.0 Stig V3R12 26th July 2023 + +- RHEL-07-010199 - pamd password and system auth rewrite and ruleid updated +- RHEL-07-010200 - ruleid update +- RHEL_07-010270 - rewritten to align to new settings and ruleid updated - will now skip if 010199 +- RHEL_07_020700 - ruleid updated +- RHEL_07_020710 - ruleid updated fixed rule +- RHEL_07_031000 - added new var for log aggregation port default to '@@' =TCP and ruleid updated +- RHEL_07_040300 - ruleid updated +- RHEL_07_040310 - ruleid updated +- RHEL_07_040320 - ruleid updated +- RHEL_07_040340 - ruleid updated + +- RHEL-07-010320 & RHEL-07-010330 will now skip if 010199 as this now uses compliant template + +- [#431](https://github.com/ansible-lockdown/RHEL7-STIG/issues/431) added thanks to @whitehat237 + +- ansible lint config update and new lint applied + +## 2.1.1 Stig V3r11 27th April 2023 + +- #428 improvement in test for sudo user has a passwd set + ## 2.1 Stig V3r11 27th April 2023 Consistent on ansible version diff --git a/LICENSE b/LICENSE index 4f5e4fdb..7e4285ae 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2022 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases +Copyright (c) 2023 Mindpoint Group Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index 68be4ff5..40081ffc 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a RHEL7 based system to be complaint with Disa STIG -This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on April 27, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R11_STIG.zip). +This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on July 23, 2023 ](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_7_V3R12_STIG.zip). --- 
@@ -15,13 +15,14 @@ This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on April 27 ![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61792?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) -![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Devel%20Build%20Status) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL7-STIG/devel?color=dark%20green&label=Devel%20Branch%20commits) +![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) +![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/RHEL7-STIG) +![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL7-STIG) -![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) -![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/rhel8-stig/linux_benchmark_testing.yml?label=Build%20Status) -![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL7-STIG?label=Release%20Date) -![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/RHEL7-STIG?label=Release%20Tag&&color=success) +[![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL7-STIG/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL7-STIG/actions/workflows/main_pipeline_validation.yml) + +[![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL7-STIG/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL7-STIG/actions/workflows/devel_pipeline_validation.yml) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL7-STIG/devel?color=dark%20green&label=Devel%20Branch%20Commits) ![Issues 
Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL7-STIG?label=Open%20Issues) ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL7-STIG?label=Closed%20Issues&&color=success) @@ -39,7 +40,7 @@ This role is based on RHEL 7 DISA STIG: [ Version 3, Rel 11 released on April 27 ### Community -On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users +On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users --- @@ -47,6 +48,18 @@ Configure a RHEL 7 system to be DISA STIG compliant. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `true`. +# Caution(s) + +This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. + +Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL7-STIG-Audit role or a compliance scanner should be used for compliance checking over check mode. + +This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. + +To use release version please point to main branch and relevant release for the cis benchmark you wish to work with. + +--- + ## Updating Coming from a previous release. 
@@ -138,7 +151,7 @@ ok: [cent7_bios] => { ] } PLAY RECAP **************************************************************************************************************** -rhel7test : ok=369 changed=192 unreachable=0 failed=0 skipped=125 rescued=0 ignored=0 +rhel7test : ok=369 changed=192 unreachable=0 failed=0 skipped=125 rescued=0 ignored=0 ``` ## Branches @@ -199,6 +212,12 @@ If you would are interested in dedicated support to assist or provide bespoke se - [Ansible Counselor](https://www.mindpointgroup.com/products/ansible-counselor-on-demand-ansible-services-and-consulting/) - [Try us out](https://engage.mindpointgroup.com/try-ansible-counselor) +## Added Extras + +```sh +pre-commit run +``` + ## Credits This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig) diff --git a/defaults/main.yml b/defaults/main.yml index a56b9ced..916abcca 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -13,7 +13,7 @@ python2_bin: /bin/python2.7 # audit variable found at the base benchmark: RHEL7-STIG ## metadata for Audit benchmark -benchmark_version: 'v3r11' +benchmark_version: 'v3r12' # Whether to skip the reboot rhel7stig_skip_reboot: true @@ -354,8 +354,8 @@ rhel7stig_smartcarddriver: cackey # You will need to map both the local interactive and LDAP groups to map selinux user groups to. # If LDAP is not in use, it will ignore the settings below and not attempt to map LDAP users. rhel_07_020020_selinux_change_users: true -rhel_07_020020_HBSS_path: /opt/McAfee/Agent/bin -rhel_07_020020_HIPS_path: /opt/McAfee/Agent/bin +rhel_07_020020_hbbs_path: /opt/McAfee/Agent/bin +rhel_07_020020_hips_path: /opt/McAfee/Agent/bin rhel_07_020020_selinux_ldap_maps: false # rhel_07_020020_selinux_local_interactive_admin_group: wheel rhel_07_020020_selinux_local_interactive_users_group: users 
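Review bot: `rhel_07_020020_HBSS_path` is renamed to `rhel_07_020020_hbbs_path`, which replaces the HBSS acronym (Host Based Security System) with a misspelling; the lowercase form is `rhel_07_020020_hbss_path`. The rename hunks here and in `@@ -369` / `@@ -430` of this file also change variable names that users set in inventory or group_vars (`rhel_07_020730_WWP_Change`, `rhel7stig_FIPS_ciphers`, `rhel7stig_FIPS_MACs`, `rhel7stig_FIPS_KEX`), and an override under an old name is now silently ignored, so a site that pinned its own SSH cipher/MAC/KEX lists falls back to the shipped defaults without any warning. Consider listing the renamed variables in the README "Updating" section, or keeping the old names as fallbacks for one release, e.g. `rhel7stig_fips_ciphers: "{{ rhel7stig_FIPS_ciphers | default('aes256-ctr,aes192-ctr,aes128-ctr') }}"`.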
@@ -369,7 +369,7 @@ rhel7stig_change_user_path: false # RHEL-07-020730 # Do we change world-writable executable programs to mode 0755? -rhel_07_020730_WWP_Change: true +rhel_07_020730_wwp_change: true # RHEL-07-020250 # This is a check for a "supported release" @@ -430,16 +430,16 @@ rhel7stig_system_is_log_aggregator: false rhel7stig_use_fips: true fips_value: '0' -rhel7stig_FIPS_ciphers: aes256-ctr,aes192-ctr,aes128-ctr -rhel7stig_FIPS_MACs: hmac-sha2-512,hmac-sha2-256 -rhel7stig_FIPS_KEX: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 +rhel7stig_fips_ciphers: aes256-ctr,aes192-ctr,aes128-ctr +rhel7stig_fips_macs: hmac-sha2-512,hmac-sha2-256 +rhel7stig_fips_kex: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 # RHEL-07-040300 # RHEL-07-040310 # Install and enable ssh on networked systems rhel7stig_ssh_required: true -rhel7stig_ssh_ciphers: "{{ rhel7stig_FIPS_ciphers }}" -rhel7stig_ssh_macs: "{{ rhel7stig_FIPS_MACs }}" -rhel7stig_ssh_kex: "{{ rhel7stig_FIPS_KEX }}" +rhel7stig_ssh_ciphers: "{{ rhel7stig_fips_ciphers }}" +rhel7stig_ssh_macs: "{{ rhel7stig_fips_macs }}" +rhel7stig_ssh_kex: "{{ rhel7stig_fips_kex }}" # RHEL-07-040490 # If not required, remove vsftpd. @@ -663,6 +663,8 @@ rhel7stig_homedir_mode: g-w,o-rwx # RHEL-07-031000 # rhel7stig_log_aggregation_server: logagg.example.com +# Log aggregation port can be set the following '@'=UDP and '@@'=TCP +# rhel7stig_log_aggregation_port: '@@' # RHEL-07-040180 # Whether the system should be using LDAP for authentication diff --git a/tasks/audit_firewalld.yml b/tasks/audit_firewalld.yml index ebfc496c..3f06dd5e 100644 --- a/tasks/audit_firewalld.yml +++ b/tasks/audit_firewalld.yml 
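Review bot: The new `rhel7stig_log_aggregation_port` default is commented out, but the rsyslog line in tasks/fix-cat2.yml `@@ -3149` renders `{{ rhel7stig_log_aggregation_port }}{{ rhel7stig_log_aggregation_server }}` with no default, so a user who already sets `rhel7stig_log_aggregation_server` from a previous release would now hit an undefined-variable failure where the old line hard-coded `@@` (unless that task's `when`, which is outside the hunk, also requires the new variable). Either ship an active default `rhel7stig_log_aggregation_port: '@@'` or render it as `{{ rhel7stig_log_aggregation_port | default('@@') }}` so the TCP behaviour of the previous release is preserved. The value is also a transport prefix rather than a port; a name such as `rhel7stig_log_aggregation_protocol` with the comment `# '@' forwards over UDP, '@@' over TCP` would describe it more accurately.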
@@ -31,7 +31,8 @@ - RHEL-07-040810 - firewall - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - ansible.builtin.debug: var=rhel_07_040810_firewalld_zone_default_audit.stdout_lines + ansible.builtin.debug: + var: rhel_07_040810_firewalld_zone_default_audit.stdout_lines changed_when: true when: - rhel_07_040810_firewalld_zone_audit.stdout | length > 0 diff --git a/tasks/audit_iptables.yml b/tasks/audit_iptables.yml index d478dfa6..fac625d4 100644 --- a/tasks/audit_iptables.yml +++ b/tasks/audit_iptables.yml @@ -23,7 +23,8 @@ - firewall - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services." - ansible.builtin.debug: var=rhel_07_040810_iptables_audit.stdout_lines + ansible.builtin.debug: + var: rhel_07_040810_iptables_audit.stdout_lines changed_when: false when: - rhel_07_040810_iptables_audit.stdout_lines is defined diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml index 533cedf0..a46c1f74 100644 --- a/tasks/fix-cat1.yml +++ b/tasks/fix-cat1.yml @@ -449,7 +449,7 @@ with_items: - "{{ ansible_mounts | json_query(query) }}" vars: - query: "[?mount=='{{ rhel7stig_boot_part }}'] | [0]" + query: "[?mount=='{{ rhel7stig_boot_part }}'] | [0]" # noqa: jinja[invalid] key: GRUB_CMDLINE_LINUX param: boot value: UUID={{ item.uuid }} @@ -468,7 +468,7 @@ - "fips={{ fips_value }}" - boot=UUID={{ ansible_mounts | json_query(query) }} vars: - query: "[?mount=='{{ rhel7stig_boot_part }}'].uuid | [0]" + query: "[?mount=='{{ rhel7stig_boot_part }}'].uuid | [0]" # noqa: jinja[invalid] register: rhel_07_021350_audit changed_when: - ansible_check_mode diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml index 7dca60d6..694a304c 100644 --- a/tasks/fix-cat2.yml +++ b/tasks/fix-cat2.yml 
@@ -152,7 +152,7 @@
 path: /etc/dconf/db/local.d/00-login-screen
 line: "{{ item }}"
 mode: '0644'
- create": true
+ create: true
 loop:
 - [org/gnome/login-screen]
 - disable-user-list=true
@@ -163,7 +163,7 @@
 path: /etc/dconf/profile/gdm
 line: "{{ item }}"
 mode: '0644'
- create": true
+ create: true
 loop:
 - user-db:user
 - system-db:gdm
@@ -493,14 +493,27 @@ - V-204414 - pwquality -- name: "MEDIUM | RHEL-07-010199 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility. | symlink" - ansible.builtin.file: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - state: link - loop: - - { 'src': '/etc/pam.d/password-auth', 'dest': '/etc/pam.d/password-auth-local' } - - { 'src': '/etc/pam.d/system-auth', 'dest': '/etc/pam.d/system-auth-local' } +- name: "MEDIUM | RHEL-07-010199 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility." + block: + - name: "MEDIUM | RHEL-07-010199 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility. | local file" + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "/{{ item }}" + owner: root + group: root + mode: 0644 + loop: + - etc/pam.d/password-auth-local + - etc/pam.d/system-auth-local + + - name: "MEDIUM | RHEL-07-010199 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility. | copy and symlink" + ansible.builtin.shell: "if [[ -f {{ item }} && ! -L {{ item }} ]]; then cp -p {{ item }} {{ item }}-ac; ln -sf {{ item }}-local {{ item }} && (exit 99); else (exit 98); fi" + changed_when: rhel_07_010199_changed.rc == 99 + failed_when: rhel_07_010199_changed.rc not in [ 98, 99 ] + register: rhel_07_010199_changed + loop: + - /etc/pam.d/password-auth + - /etc/pam.d/system-auth when: - rhel_07_010199 tags: @@ -508,7 +521,7 @@ - CAT2 - CCI-000196 - SRG-OS-000072-GPOS-00040 - - SV-255928r902706_rule + - SV-255928r917838_rule - V-255928 - pamd 
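Review bot: The `copy and symlink` shell step only acts when `{{ item }}` is a regular file (`-f ... && ! -L`), so on hosts where /etc/pam.d/password-auth and system-auth are already symlinks (the layout authconfig normally leaves, pointing at the `-ac` files) it exits 98, the templated `-local` files are written but never linked, and the host keeps its existing PAM stack. At the same time the `@@ -707` and `@@ -870` hunks skip RHEL-07-010270 and RHEL-07-010320/010330 whenever `rhel_07_010199` is true, so on such a host the pwhistory and faillock settings are no longer applied by any task. Consider also relinking when the path is a symlink whose target is not `{{ item }}-local` (the `-ac` include in the template still resolves in that case), or gating those skips on the registered `rhel_07_010199_changed` result rather than the toggle alone. The command also relies on the `[[ ]]` builtin, so `args: { executable: /bin/bash }` would make that dependency explicit instead of assuming /bin/sh is bash.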
@@ -539,7 +552,7 @@ - CAT2 - CCI-000196 - SRG-OS-000073-GPOS-00041 - - SV-204415r880833_rule + - SV-204415r917816_rule - V-204415 - pamd 
@@ -670,35 +683,23 @@ - name: "MEDIUM | RHEL-07-010270 | The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations." block: - - name: "MEDIUM | RHEL-07-010270 | PATCH | Ensure pam_pwhistory rule exists" + - name: "MEDIUM | RHEL-07-010270 | PATCH | Ensure pam_pwhistory rule exists | system-auth" community.general.pamd: - name: "{{ item }}" + name: system-auth state: before type: password - control: sufficient - module_path: pam_unix.so + control: requisite + module_path: pam_pwquality.so new_type: password new_control: requisite new_module_path: pam_pwhistory.so - with_items: - - "system-auth" - - "password-auth" - - # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent - - name: "MEDIUM | RHEL-07-010270 | AUDIT | Check for existing password history reuse settings" - ansible.builtin.shell: "grep -iE '^password\\s+requisite\\s+pam_pwhistory.so\\s+use_authtok\\s+remember={{ rhel7stig_pam_pwhistory.remember | default(5) }}\\s+retry={{ rhel7stig_pam_pwhistory.retries | default(3) }}$' /etc/pam.d/{{ item }}" - check_mode: false - changed_when: false - failed_when: rhel_07_010270_audit.rc > 1 - register: rhel_07_010270_audit - with_items: - - "system-auth" - - "password-auth" + module_arguments: + - remember={{ rhel7stig_pam_pwhistory.remember | default(5) }} + - retry={{ rhel7stig_pam_pwhistory.retries | default(3) }} - # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following. - - name: "MEDIUM | RHEL-07-010270 | PATCH | Ensure pam_pwhistory module arguments are set" + - name: "MEDIUM | RHEL-07-010270 | PATCH | Ensure pam_pwhistory module arguments are set | password-auth" community.general.pamd: - name: "{{ item.item }}" + name: password-auth state: updated type: password control: requisite 
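Review bot: The system-auth rule no longer carries `use_authtok`: its `module_arguments` list only `remember=` and `retry=`, while the removed grep audit checked both files for `pam_pwhistory.so use_authtok remember=... retry=...` and the password-auth task that follows still sets it. If the omission is intentional (the new system-auth-local.j2 template has the same shape) a short comment on the task, e.g. `# use_authtok intentionally omitted for system-auth: <reason>`, would stop the next reader reverting it; otherwise add `- use_authtok` to the list. Also, password-auth now only receives the `state: updated` task, which as far as I know modifies an existing matching rule and does not insert one, so a host whose password-auth has no pam_pwhistory line yet would presumably remain unchanged, whereas the previous version inserted the rule in both files first. The task's trailing keys continue in the next hunk.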
@@ -707,17 +708,15 @@ - use_authtok - remember={{ rhel7stig_pam_pwhistory.remember | default(5) }} - retry={{ rhel7stig_pam_pwhistory.retries | default(3) }} - with_items: - - "{{ rhel_07_010270_audit.results }}" - when: item.rc == 1 when: + - not rhel_07_010199 # 010199 uses template that is compliant already - rhel_07_010270 tags: - RHEL-07-010270 - CAT2 - CCI-000200 - SRG-OS-000077-GPOS-00045 - - SV-204422r880836_rule + - SV-204422r917818_rule - V-204422 - pamd @@ -870,6 +869,7 @@ - "system-auth" - "password-auth" when: + - not rhel_07_010199 # 010199 uses template that is compliant already - rhel_07_010320 or rhel_07_010330 tags: @@ -1141,7 +1141,7 @@ # This remediates the pam_pkcs11.conf file to enforce the cackey usage for smartcard authentication ### NOTE: If you have custom rules for /etc/pam_pkcs11/pam_pkcs11.conf then change the template pam_pkcs11.conf.j2 - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. - ansible.builtin.template: + ansible.builtin.template: # noqa: no-handler src: pam_pkcs11.conf.j2 dest: /etc/pam_pkcs11/pam_pkcs11.conf owner: root @@ -1350,7 +1350,7 @@ enabled: false state: stopped when: - - rhel_07_020110_autofs_service_status == "loaded" + - rhel_07_020110_autofs_service_status.stdout == "loaded" - not rhel7stig_autofs_required when: - rhel_07_020110 @@ -1444,7 +1444,7 @@ - "{{ rhel7stig_unnecessary_accounts }}" - name: "MEDIUM | RHEL-07-020270 | AUDIT | Re-parse /etc/passwd since it changed." - include_tasks: parse_etc_passwd.yml + include_tasks: parse_etc_passwd.yml # noqa: no-handler vars: rhel7stig_passwd_tasks: "RHEL-07-020270" when: rhel_07_020270_patch is changed 
@@ -1647,7 +1647,7 @@ with_items: "{{ rhel_07_020660_audit.results }}" loop_control: label: "{{ rhel7stig_passwd_label }}" - when: item is changed + when: item is changed # noqa: no-handler vars: this_item: "{{ item.item }}" vars: @@ -1696,7 +1696,7 @@ with_items: "{{ rhel_07_020670_audit.results }}" loop_control: label: "{{ rhel7stig_passwd_label }}" - when: item is changed + when: item is changed # noqa: no-handler vars: this_item: "{{ item.item.item }}" this_result: "{{ item.item }}" @@ -1801,7 +1801,7 @@ with_items: "{{ rhel_07_020690_audit.results }}" loop_control: label: "{{ rhel7stig_passwd_label }}" - when: item is changed + when: item is changed # noqa: no-handler vars: this_item: "{{ item.item }}" vars: @@ -1815,7 +1815,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204474r603834_rule + - SV-204474r917821_rule - V-204474 - permissions @@ -1839,7 +1839,7 @@ with_items: "{{ rhel_07_020700_audit.results }}" loop_control: label: "{{ rhel7stig_passwd_label }}" - when: item is changed + when: item is changed # noqa: no-handler vars: this_item: "{{ item.item }}" vars: @@ -1853,14 +1853,14 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204475r603836_rule + - SV-204475r917824_rule - V-204475 - permissions - name: "MEDIUM | RHEL-07-020710 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files must have mode 0740 or less permissive." ansible.builtin.file: path: "{{ item }}" - mode: '0640' + mode: '0740' state: touch with_items: - "{{ rhel_07_stig_interactive_homedir_inifiles }}" @@ -1872,7 +1872,7 @@ - RHEL-07-020710 - CAT2 - CCI-000366 - - SV-204476r603261_rule + - SV-204476r917827_rule - V-204476 - complexity-high @@ -1941,7 +1941,7 @@ - "{{ rhel_07_020730_perms_results.stdout_lines }}" when: - rhel_07_020730_perms_results.stdout_lines is defined - - rhel_07_020730_WWP_Change + - rhel_07_020730_wwp_change when: - rhel_07_020730 - rhel7stig_disruption_high 
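Review bot: In the RHEL-07-020710 hunk (`@@ -1853`) the mode applied to `rhel_07_stig_interactive_homedir_inifiles` goes from `'0640'` to `'0740'`, which loosens rather than tightens: the task name states 0740 "or less permissive", so 0640 already satisfied it, and because `ansible.builtin.file` applies the mode unconditionally, init files an owner had at 0600 now gain the user execute bit as well. If the intent is only to ensure no file is more permissive than 0740, a symbolic mode that removes bits without adding any, `mode: 'g-wx,o-rwx'`, expresses that; otherwise keep `'0640'`.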
@@ -2014,7 +2014,7 @@ fstype: "{{ home_mount.fstype }}" opts: "{{ home_mount.options }},nosuid" vars: - home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" + home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}" # noqa: jinja[invalid] when: - rhel_07_021000 - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0 @@ -2037,7 +2037,7 @@ fstype: "{{ removable_mount.fstype }}" opts: "{{ removable_mount.options }},nosuid" vars: - removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" + removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}" # noqa: jinja[invalid] when: - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0 - "'nosuid' not in home_mount.options" @@ -2050,7 +2050,7 @@ fstype: "{{ removable_mount2.fstype }}" opts: "{{ removable_mount2.options }},nosuid" vars: - removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" + removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}" # noqa: jinja[invalid] when: - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0 - "'nosuid' not in home_mount.options" @@ -2073,9 +2073,9 @@ opts: "{{ ansible_mounts | json_query(options_query) }},nosuid" state: mounted vars: - device_query: '[?mount == `{{ item }}`] | [0].device' - fstype_query: '[?mount == `{{ item }}`] | [0].fstype' - options_query: '[?mount == `{{ item }}`] | [0].options' + device_query: '[?mount == `{{ item }}`] | [0].device' # noqa: jinja[invalid] + fstype_query: '[?mount == `{{ item }}`] | [0].fstype' # noqa: jinja[invalid] + options_query: '[?mount == `{{ item }}`] | [0].options' # noqa: jinja[invalid] with_items: - "{{ rhel7stig_nfs_mounts }}" when: 
@@ -2098,9 +2098,9 @@ opts: "{{ ansible_mounts | json_query(options_query) }},noexec" state: mounted vars: - device_query: '[?mount == `{{ item }}`] | [0].device' - fstype_query: '[?mount == `{{ item }}`] | [0].fstype' - options_query: '[?mount == `{{ item }}`] | [0].options' + device_query: '[?mount == `{{ item }}`] | [0].device' # noqa: jinja[invalid] + fstype_query: '[?mount == `{{ item }}`] | [0].fstype' # noqa: jinja[invalid] + options_query: '[?mount == `{{ item }}`] | [0].options' # noqa: jinja[invalid] with_items: - "{{ rhel7stig_nfs_mounts }}" when: @@ -3149,7 +3149,7 @@ $ActionQueueType LinkedList # run asynchronously $ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional - *.* @@{{ rhel7stig_log_aggregation_server }} + *.* {{ rhel7stig_log_aggregation_port }}{{ rhel7stig_log_aggregation_server }} insertafter: EOF failed_when: - result is failed @@ -3163,7 +3163,7 @@ - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - SV-204574r603261_rule + - SV-204574r917830_rule - V-204574 - rsyslog 
@@ -3211,17 +3211,17 @@ changed_when: false failed_when: false check_mode: false - register: rhel7stig_PPSM_CLSA_check_firewalld + register: rhel7stig_ppsm_clsa_check_firewalld when: rhel7stig_firewall_ports_protocols is defined - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments." ansible.builtin.debug: msg: "Warning!! Firewalld is accepting the following port/protocols that are not in the accepted list: {{ item }}." changed_when: false - with_items: "{{ rhel7stig_PPSM_CLSA_check_firewalld.stdout }}" + with_items: "{{ rhel7stig_ppsm_clsa_check_firewalld.stdout }}" when: - - rhel7stig_PPSM_CLSA_check_firewalld.stdout_lines is defined - - rhel7stig_PPSM_CLSA_check_firewalld.stdout_lines | length > 0 + - rhel7stig_ppsm_clsa_check_firewalld.stdout_lines is defined + - rhel7stig_ppsm_clsa_check_firewalld.stdout_lines | length > 0 when: - rhel7stig_firewall_service == "firewalld" - rhel7stig_start_firewall_service @@ -3442,7 +3442,7 @@ - CCI-002420 - CCI-002421 - SRG-OS-000423-GPOS-00187 - - SV-204585r603261_rule + - SV-204585r916422_rule - V-204585 - ssh @@ -3462,7 +3462,7 @@ - CCI-002421 - CCI-002422 - SRG-OS-000423-GPOS-00187 - - SV-204586r861071_rule + - SV-204585r916422_rule - V-204586 - ssh @@ -3484,7 +3484,7 @@ - CCI-001133 - CCI-002361 - SRG-OS-000163-GPOS-00072 - - SV-204587r603261_rule + - SV-204587r917833_rule - V-204587 - ssh @@ -3526,7 +3526,7 @@ - CCI-001133 - CCI-002361 - SRG-OS-000163-GPOS-00072 - - SV-204589r603261_rule + - SV-204589r917836_rule - V-204589 - ssh diff --git a/tasks/fix-cat3.yml b/tasks/fix-cat3.yml index b544a948..a1c52225 100644 --- a/tasks/fix-cat3.yml +++ b/tasks/fix-cat3.yml 
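Review bot: In the `@@ -3462` hunk the tag for V-204586 is changed from `SV-204586r861071_rule` to `SV-204585r916422_rule`, which is the rule id the preceding `@@ -3442` hunk already assigns to V-204585; the V- number stays V-204586, so this looks like a copy-paste slip rather than a STIG renumbering. Since the rule id is only a tag, the effect is that selecting by the SV-204586 rule no longer reaches this task and `--tags SV-204585r916422_rule` now runs two. The line should presumably read `- SV-204586r<revision>_rule` with the revision taken from the v3r12 benchmark.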
@@ -71,8 +71,8 @@ fstype: "{{ dev_shm_mount.fstype | default('tmpfs') }}" opts: "{{ dev_shm_mount_opts }}" vars: - dev_shm_mount: "{{ ansible_mounts | json_query('[?mount == `/dev/shm`] | [0]') }}" - dev_shm_mount_opts: "{{ dev_shm_mount.options | default('defaults') }},nodev,nosuid{{ (rhel_07_021024) | ternary(',noexec', '') }}" + dev_shm_mount: "{{ ansible_mounts | json_query('[?mount == `/dev/shm`] | [0]') }}" # noqa: jinja[invalid] + dev_shm_mount_opts: "{{ dev_shm_mount.options | default('defaults') }},nodev,nosuid{{ (rhel_07_021024) | ternary(',noexec', '') }}" # noqa: jinja[invalid] when: - rhel_07_021024 tags: diff --git a/tasks/main.yml b/tasks/main.yml index 2da32ba8..33a01a26 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -39,6 +39,7 @@ sudo_password_rule: RHEL-07-010340 when: - rhel_07_010340 + - ansible_env.SUDO_USER is defined tags: - user_passwd diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 8bf9ce22..f1863acd 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -2,11 +2,10 @@ - name: "PRELIM | Check required packages installed | Python2" ansible.builtin.package: - list: "{{ item }}" + name: + - rpm-python + - libselinux-python state: present - loop: - - rpm-python - - libselinux-python vars: ansible_python_interpreter: "{{ python2_bin }}" when: ansible_python.version.major == 2 @@ -38,7 +37,7 @@ - name: "PRELIM | Disable Epel repo if installed earlier" ansible.builtin.shell: yum-config-manager disable epel - when: epel_installed.changed + when: epel_installed.changed # noqa: no-handler when: - ( ansible_python.version.major == 3 and ansible_python.version.minor == 6 ) vars: @@ -419,7 +418,7 @@ notify: clean up ssh host key when: not rhel7stig_ssh_host_rsa_key_stat.stat.exists when: - -rhel7stig_ssh_required + - rhel7stig_ssh_required - name: "PRELIM | Check whether machine is UEFI-based" ansible.builtin.stat: @@ -427,6 +426,7 @@ register: rhel7_efi_boot tags: - goss_template + - always - name: set bootloader type block: 
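Review bot: The `@@ -39` hunk of tasks/main.yml makes the RHEL-07-010340 block conditional on `ansible_env.SUDO_USER is defined`, so the control is silently skipped whenever the play does not run through sudo (a direct root login, `become_method: su`, or a connection that does not pass the variable), and it also depends on the `ansible_env` fact having been gathered. If the intent is presumably to avoid locking out the account the play is escalating with, a comment on the condition saying so, e.g. `# only applied when the play runs via sudo: <reason>`, plus a `debug` task for the skipped case would keep the omission visible in the play output rather than invisible in a compliance run. The block this `when` belongs to starts outside the hunk.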
@@ -460,6 +460,8 @@ msg: - "bootloader path set to {{ rhel7stig_bootloader_path }}" - "legacy boot equals {{ rhel7stig_legacy_boot }}" + tags: + - always - name: "PRELIM | Gather interactive user ID min" block: diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 08140a1b..7e75ab30 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,5 +1,5 @@ ## metadata for Audit benchmark -benchmark_version: '3.5' +benchmark_version: '3.12' # Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS is_redhat_os: {% if ansible_distribution == "RedHat" %}true{% else %}false{% endif %} diff --git a/templates/etc/pam.d/password-auth-local.j2 b/templates/etc/pam.d/password-auth-local.j2 new file mode 100644 index 00000000..42a64b65 --- /dev/null +++ b/templates/etc/pam.d/password-auth-local.j2 @@ -0,0 +1,17 @@ +# Managed via configuration Managed +# Created for https://github.com/ansible-lockdown by MindPointGroup + +auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 +auth include password-auth-ac +auth sufficient pam_unix.so try_first_pass +auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 + +account required pam_faillock.so +account include password-auth-ac + +password requisite pam_pwhistory.so use_authtok remember=5 retry=3 +password requisite pam_pwquality.so retry=3 +password include password-auth-ac +password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok + +session include password-auth-ac diff --git a/templates/etc/pam.d/system-auth-local.j2 b/templates/etc/pam.d/system-auth-local.j2 new file mode 100644 index 00000000..2fd996c8 --- /dev/null +++ b/templates/etc/pam.d/system-auth-local.j2 
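Review bot: The new password-auth-local.j2 (and system-auth-local.j2 in the next hunk) hard-codes `remember=5 retry=3` on pam_pwhistory and `deny=3 fail_interval=900 unlock_time=900` on pam_faillock, while the RHEL-07-010270 task it supersedes renders `rhel7stig_pam_pwhistory.remember | default(5)` and `.retries | default(3)`; since those tasks are skipped when `rhel_07_010199` is true, a user's override of those variables is silently ignored. Render the same expressions in the template, e.g. `password requisite pam_pwhistory.so use_authtok remember={{ rhel7stig_pam_pwhistory.remember | default(5) }} retry={{ rhel7stig_pam_pwhistory.retries | default(3) }}`, and likewise for any faillock variables the role exposes (not visible here). The two templates otherwise differ only in `use_authtok` on the pam_pwhistory line (present for password-auth, absent for system-auth); if that is deliberate, a comment in each file would stop them drifting further. The header `# Managed via configuration Managed` reads as a typo, probably `# Managed by Ansible configuration`.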
@@ -0,0 +1,17 @@
+# Managed via configuration Managed
+# Created for https://github.com/ansible-lockdown by MindPointGroup
+
+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+auth include system-auth-ac
+auth sufficient pam_unix.so try_first_pass
+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+
+account required pam_faillock.so
+account include system-auth-ac
+
+password requisite pam_pwhistory.so remember=5 retry=3
+password requisite pam_pwquality.so retry=3
+password include system-auth-ac
+password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
+
+session include system-auth-ac