From e42219ebba65a012f5b97ad9a1cec839f67c9879 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 14:59:17 +0100 Subject: [PATCH 01/22] issue #53 Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- tasks/section_1/cis_1.3.x.yml | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d369f209..1fd4b604 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -436,7 +436,7 @@ ubtu22cis_config_aide: true ubtu22cis_aide_cron: cron_user: root cron_file: /etc/cron.d/aide_cron - aide_job: '/usr/bin/aide.wrapper --config /etc/aide/aide.conf --check' + aide_job: '/usr/bin/aide --config /etc/aide/aide.conf --check' aide_minute: 0 aide_hour: 5 aide_day: '*' diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index e795d1fc..b68d61ee 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -7,13 +7,18 @@ name: ['aide', 'aide-common'] state: present update_cache: true + register: ubtu22cis_rule_1.3.1_aide_added + when: + - "'aide' not in ansible_facts.packages or + 'aide-common' not in ansible_facts.packages" - name: "1.3.1 | PATCH | Ensure AIDE is installed | Recapture packages" ansible.builtin.package_facts: manager: auto + when: not ubtu22cis_rule_1.3.1_aide_added.skipped - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" - ansible.builtin.shell: aide init && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db + ansible.builtin.shell: aideinit && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db args: creates: /var/lib/aide/aide.db changed_when: false @@ -24,9 +29,6 @@ when: - ubtu22cis_rule_1_3_1 - ubtu22cis_config_aide - - ubtu22cis_autofs_service_status - - "'aide' not in ansible_facts.packages or - 'aide-common' not in ansible_facts.packages" tags: - level1-server - level1-workstation From 683a1b3e9b804818857782e940cb6b1068a8e358 Mon Sep 17 00:00:00 2001 
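Review bot: `when: not ubtu22cis_rule_1.3.1_aide_added.skipped` on the Recapture task raises an undefined-attribute error whenever the install task actually ran, because a registered result that was not skipped carries no `skipped` key; `when: ubtu22cis_rule_1_3_1_aide_added is not skipped` handles both outcomes. The registered name `ubtu22cis_rule_1.3.1_aide_added` also contains dots, which are not valid in an Ansible variable name, so the `register:` itself is likely rejected before the condition is reached. Later patches in this series rename the variable and change the test, so the point here is only that this commit on its own does not run. Separately, the Configure AIDE task keeps `changed_when: false` although `aideinit && mv ...` does create the database whenever `creates:` is not yet satisfied, so a real change is reported as unchanged.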
From: Mark Bolwell Date: Tue, 8 Aug 2023 15:30:12 +0100 Subject: [PATCH 02/22] Added aide tag to cron Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.3.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index b68d61ee..e404f0e9 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -58,3 +58,4 @@ - patch - rule_1.3.2 - cron + - aide From 39c4b719b5208a8cf70e2689ab39f506a58082d1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 15:50:20 +0100 Subject: [PATCH 03/22] logic improvements Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.3.x.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index e404f0e9..72cd5737 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -7,15 +7,14 @@ name: ['aide', 'aide-common'] state: present update_cache: true - register: ubtu22cis_rule_1.3.1_aide_added + register: ubtu22cis_rule_1_3_1_aide_added when: - - "'aide' not in ansible_facts.packages or - 'aide-common' not in ansible_facts.packages" + - "'aide' not in ansible_facts.packages or 'aide-common' not in ansible_facts.packages" - name: "1.3.1 | PATCH | Ensure AIDE is installed | Recapture packages" ansible.builtin.package_facts: manager: auto - when: not ubtu22cis_rule_1.3.1_aide_added.skipped + when: ubtu22cis_rule_1_3_1_aide_added.skipped is not defined - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" ansible.builtin.shell: aideinit && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db From 895250ea38c256bec769d6367e6aaf48772c0f00 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 9 Aug 2023 11:01:07 +0100 Subject: [PATCH 04/22] updates to syslog server #54 Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.2.2.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 85b8cbb1..8497b790 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -149,11 +149,11 @@ - name: "4.2.2.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When not a log host" ansible.builtin.replace: path: /etc/rsyslog.conf - regexp: '({{ item }}|)' + regexp: '({{ item }})' replace: '#\1' with_items: - '^(\$ModLoad|module(load="imtcp"))' - - '^(\$InputTCPServerRun|input(type="imtcp" port="514"))' + - '^(\$(InputTCP|InputRELP|UDP)ServerRun|input(type="imtcp" port=".*"))' notify: Restart syslog service when: not ubtu22cis_system_is_log_server From e961e41162d0378070f5aed1ee6315e4d452e70f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 9 Aug 2023 11:16:12 +0100 Subject: [PATCH 05/22] updated grub config #55 Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 ++++-- tasks/main.yml | 27 +++++++++++++++++++++++++++ tasks/section_1/cis_1.4.x.yml | 17 +++++++++-------- templates/etc/grub.d/00_user.j2 | 8 ++++++++ 4 files changed, 48 insertions(+), 10 deletions(-) create mode 100644 templates/etc/grub.d/00_user.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 1fd4b604..327bd7f8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -448,9 +448,11 @@ ubtu22cis_aide_cron: # THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!! # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!! ubtu22cis_grub_user: root +ubtu22cis_set_grub_user_pass: false +ubtu22cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' # Set to changeme ubtu22cis_grub_user_file: /etc/grub.d/00_user ubtu22cis_bootloader_password_hash: "grub.pbkdf2.sha512.changethispassword" -ubtu22cis_set_boot_pass: false +ubtu22cis_set_boot_pass: true ubtu22cis_grub_file: /etc/default/grub.cfg 
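Review bot: The widened second pattern still only matches the RainerScript `input(type="imtcp" ...)` form, so a UDP or RELP listener declared in the new syntax (for example `input(type="imudp" port="514")`) stays active and the host keeps accepting remote logs, which is what 4.2.2.7 is meant to stop. `- '^(\$(InputTCP|InputRELP|UDP)ServerRun|input(type="(imtcp|imudp|imrelp)" port=".*"))'` covers the three legacy directives and their RainerScript equivalents. The unchanged first item, `^(\$ModLoad|module(load="imtcp"))`, is anchored on `$ModLoad` alone and therefore comments out every legacy module load including `imuxsock`; that predates this commit but is worth narrowing to `\$ModLoad im(tcp|udp|relp)` while the task is being touched. The task only edits `/etc/rsyslog.conf`, so listeners defined in drop-in files (if the host uses any) are not covered either.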
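Review bot: Flipping `ubtu22cis_set_boot_pass` to `true` while `ubtu22cis_bootloader_password_hash` keeps the placeholder `grub.pbkdf2.sha512.changethispassword` means a run with untouched defaults now writes that placeholder into `{{ ubtu22cis_grub_user_file }}` (via the new 00_user template, as far as this series shows) and triggers a grub update, so the bootloader ends up with an unusable superuser password rather than a working one. Either keep the default at `false` or add an assert next to the new grub-user password check that fails while the hash still equals the placeholder. The new `ubtu22cis_grub_user_passwd` default is a real yescrypt hash of a documented value (`# Set to changeme`), which is only safe while the guard added in tasks/main.yml actually rejects it.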
@@ -569,7 +571,7 @@ ubtu22cis_auditd: # Set to be rsyslog or journald dependent on what you are using ubtu22cis_syslog_service: rsyslog ubtu22cis_remote_log_server: 192.168.2.100 -ubtu22cis_system_is_log_server: true +ubtu22cis_system_is_log_server: false # Control 4.2.1.1.x & 4.2.1.x journald ubtu22cis_journal_upload_serverkeyfile: diff --git a/tasks/main.yml b/tasks/main.yml index 66cd410a..392de8b3 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -62,6 +62,33 @@ tags: - always +- name: Check ubtu22cis_grub_user password variable has been changed + block: + - name: "Check ubtu22cis_grub_user password variable has been changed | check password is set" + ansible.builtin.shell: "grep ^{{ ubtu22cis_grub_user }} /etc/shadow | awk -F : '{print $2}'" + changed_when: false + register: ubtu22cis_password_set_grub_user + + - name: "Check ubtu22cis_grub_user password variable has been changed | check password is set" + ansible.builtin.assert: + that: ubtu22cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu22cis_grub_user_passwd.find('$y$') != -1 and ubtu22cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' + msg: "This role will not set the {{ ubtu22cis_grub_user }} user password is not set or ubtu22cis_grub_user_passwd variable has not been set correctly" + when: + - "'$y$' in ubtu22cis_password_set_grub_user.stdout" + - ubtu22cis_set_grub_user_pass + - ubtu22cis_rule_1_4_3 + + - name: "Check ubtu22cis_grub_user password variable has been changed | if password blank or incorrect type and not being set" + ansible.builtin.assert: + that: ( ubtu22cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu22cis_password_set_grub_user.stdout + fail_msg: "Grub User {{ ubtu22cis_grub_user }} has no password set or incorrect encryption" + success_msg: "Grub User {{ ubtu22cis_grub_user }} has a valid password set to be used in single user mode" + when: + - not ubtu22cis_set_grub_user_pass + tags: + - always + + - name: Setup rules if container block: - name: Discover and set container variable if required diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index f32255a1..872dc83e 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml 
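Review bot: The first assert's `that:` never rejects the shipped default hash: Jinja binds `and` tighter than `or`, so the expression reads `stdout contains '$y$' or (passwd contains '$y$' and passwd != default)`, and the task's own `when` already requires `'$y$' in ubtu22cis_password_set_grub_user.stdout`, so the left operand is always true whenever the assert runs. With `ubtu22cis_set_grub_user_pass: true` and the variable left at its default, 1.4.3 then sets the `{{ ubtu22cis_grub_user }}` account (root by default) to the hash of the documented default password. Make the checks a list so they are ANDed and drop the `'$y$' in ...stdout` condition, which is what makes the assert vacuous. The second assert also fails any host whose existing grub-user password is a `$6$` (sha512-crypt) hash, which is still a valid password; accepting `$6$` alongside `$y$` avoids a false failure. The `grep ^{{ ubtu22cis_grub_user }} /etc/shadow` lookup is a prefix match (`^root` also matches an account named `rootfoo`); anchoring on `'^{{ ubtu22cis_grub_user }}:'` or using `getent shadow {{ ubtu22cis_grub_user }}` is exact.
```yaml
  - name: Check ubtu22cis_grub_user password variable has been changed | check variable has been changed
    ansible.builtin.assert:
      that:
        - ubtu22cis_grub_user_passwd.find('$y$') != -1
        - ubtu22cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6'
      msg: "This role will not set the {{ ubtu22cis_grub_user }} user password is not set or ubtu22cis_grub_user_passwd variable has not been set correctly"
    when:
      - ubtu22cis_set_grub_user_pass
      - ubtu22cis_rule_1_4_3

  # … unchanged: task name, fail_msg/success_msg and when of the second assert …
      that: ( ubtu22cis_password_set_grub_user.stdout | length > 10 ) and ( '$y$' in ubtu22cis_password_set_grub_user.stdout or '$6$' in ubtu22cis_password_set_grub_user.stdout )
```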
@@ -3,12 +3,12 @@ - name: "1.4.1 | PATCH | Ensure bootloader password is set" block: - name: "1.4.1 | PATCH | Ensure bootloader password is set" - ansible.builtin.lineinfile: - path: "{{ ubtu22cis_grub_user_file }}" - regexp: '^(password_pbkdf2 {{ ubtu22cis_grub_user }}) grub.pbkdf2.*' - line: '\1 {{ ubtu22cis_bootloader_password_hash }}' - insertafter: set superusers="{{ ubtu22cis_grub_user }}" - state: present + ansible.builtin.template: + src: etc/grub.d/00_user.j2 + dest: "{{ ubtu22cis_grub_user_file }}" + owner: root + group: root + mode: 0755 notify: Grub update - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot" @@ -59,10 +59,10 @@ - name: "1.4.3 | PATCH | Ensure authentication required for single user mode" ansible.builtin.user: name: "{{ ubtu22cis_grub_user }}" - password: "{{ ubtu22cis_bootloader_password_hash }}" + password: "{{ ubtu22cis_grub_user_passwd }}" when: - ubtu22cis_rule_1_4_3 - - ubtu22cis_set_boot_pass + - ubtu22cis_set_grub_user_pass tags: - level1-server - level1-workstation @@ -70,3 +70,4 @@ - patch - rule_1.4.3 - passwd + - grub diff --git a/templates/etc/grub.d/00_user.j2 b/templates/etc/grub.d/00_user.j2 new file mode 100644 index 00000000..132ac33b --- /dev/null +++ b/templates/etc/grub.d/00_user.j2 @@ -0,0 +1,8 @@ +## Ansible controlled file +# Added as part of ansible-lockdown CIS baseline +# provided by MindPointGroup LLC + +cat < Date: Wed, 9 Aug 2023 11:17:48 +0100 Subject: [PATCH 06/22] added new workflow file Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 138 ++++++++++++++++++ .../workflows/main_pipeline_validation.yml | 127 ++++++++++++++++ 2 files changed, 265 insertions(+) create mode 100644 .github/workflows/devel_pipeline_validation.yml create mode 100644 .github/workflows/main_pipeline_validation.yml diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml new file mode 100644 index 00000000..a4e7d48a 
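Review bot: `mode: 0755` on the new template task is an unquoted octal literal, which YAML 1.1 loaders read as the integer 493; Ansible happens to interpret that correctly, but ansible-lint flags it as risky-octal and a value such as `755` would silently become a different mode, so write `mode: '0755'`. The template now replaces `{{ ubtu22cis_grub_user_file }}` wholesale, so anything an operator had added to that file is lost on the first run; `backup: true` on the task makes that recoverable. The new 00_user.j2 section is garbled in this view (the text after `cat <` is missing), so its contents could not be reviewed, and the 1.4.3 hunk's reliance on `ubtu22cis_grub_user_passwd` is only as safe as the default-hash guard in tasks/main.yml.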
--- /dev/null +++ b/.github/workflows/devel_pipeline_validation.yml 
@@ -0,0 +1,138 @@ +--- + + name: Devel pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: ubuntu-latest + + steps: + - uses: actions/first-interaction@main + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + + # This workflow contains a single job which tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: ubuntu-latest + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + + steps: + - name: Clone ${{ github.event.repository.name }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Pull in terraform code for linux servers + - name: Clone github IaC plan + uses: actions/checkout@v3 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + + - name: Add_ssh_key + working-directory: .github/workflows + env: + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + run: | + mkdir .ssh + chmod 700 .ssh + echo $PRIVATE_KEY > .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd 
+ ls + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Init + id: init + run: terraform init + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Validate + id: validate + run: terraform validate + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Apply + id: apply + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + + ## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep for 60 seconds + run: sleep 60s + + # Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/github_linux_IaC/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} + # verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Remove test system - User secrets to keep if necessary + + - name: Terraform_Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform destroy -var-file 
"github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml new file mode 100644 index 00000000..0b149fb3 --- /dev/null +++ b/.github/workflows/main_pipeline_validation.yml 
@@ -0,0 +1,127 @@ +--- + + name: Main pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + + # This workflow contains a single job which tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: ubuntu-latest + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + + steps: + - name: Clone ${{ github.event.repository.name }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Pull in terraform code for linux servers + - name: Clone github IaC plan + uses: actions/checkout@v3 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + + - name: Add_ssh_key + working-directory: .github/workflows + env: + SSH_AUTH_SOCK: /tmp/ssh_agent.sock + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + run: | + mkdir .ssh + chmod 700 .ssh + echo $PRIVATE_KEY > .ssh/github_actions.pem + chmod 600 .ssh/github_actions.pem + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd + ls + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Init + id: init + run: terraform init + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Validate + id: validate + run: terraform validate + env: + # 
Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Terraform_Apply + id: apply + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + + ## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep for 60 seconds + run: sleep 60s + + # Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/github_linux_IaC/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} + # verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Remove test system - User secrets to keep if necessary + + - name: Terraform_Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false From 4f255e8997fff0c95231b0951cbbf66d3ec51e27 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 9 Aug 2023 11:20:53 +0100 Subject: [PATCH 07/22] updated lint files Signed-off-by: Mark Bolwell --- .ansible-lint | 6 +++++- .yamllint | 1 - 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 10e309ad..057c65e0 100755 --- a/.ansible-lint +++ b/.ansible-lint 
@@ -1,14 +1,18 @@ +--- + parseable: true quiet: true skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' + - 'fqcn-builtins' - 'experimental' - 'name[play]' - 'name[casing]' - 'name[template]' -# - 'fqcn[action]' + - 'fqcn[action]' + - 'key-order[task]' - '204' - '305' - '303' diff --git a/.yamllint b/.yamllint index a49f4977..ec469292 100755 --- a/.yamllint +++ b/.yamllint @@ -1,5 +1,4 @@ --- - extends: default ignore: | From 7a3d42f96edee1862fa79349447871f7fffc470a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 9 Aug 2023 11:22:05 +0100 Subject: [PATCH 08/22] lint updates Signed-off-by: Mark Bolwell --- tasks/main.yml | 1 - tasks/section_1/cis_1.3.x.yml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 392de8b3..c93d8ec4 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -88,7 +88,6 @@ tags: - always - - name: Setup rules if container block: - name: Discover and set container variable if required diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 72cd5737..13af402e 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -9,7 +9,7 @@ update_cache: true register: ubtu22cis_rule_1_3_1_aide_added when: - - "'aide' not in ansible_facts.packages or 'aide-common' not in ansible_facts.packages" + - "'aide' not in ansible_facts.packages or 'aide-common' not in ansible_facts.packages" - name: "1.3.1 | PATCH | Ensure AIDE is installed | Recapture packages" ansible.builtin.package_facts: From 22b22b339c4104ead610bbb0363c910eec9583ba Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 9 Aug 2023 11:22:18 +0100 Subject: [PATCH 09/22] update readme layout Signed-off-by: Mark Bolwell --- README.md | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index cbae3cb2..54cbbfa1 100644 --- a/README.md +++ b/README.md 
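Review bot: Adding `fqcn[action]` and `key-order[task]` to `skip_list` silences those rules repo-wide rather than fixing the findings, and `fqcn[action]` in particular is what catches short module names that resolve to whichever collection happens to be installed; `warn_list:` keeps them visible without failing the run. The numeric ids `'204'`, `'305'`, `'303'` are pre-v6 rule names and are unchanged here, but the file now mixes both naming schemes. The added `---` document start is a good change.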
@@ -13,19 +13,20 @@ ![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56324?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) -![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/ubuntu22-cis/linux_benchmark_testing.yml?label=Devel%20Build%20Status) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/ubuntu22-cis/devel?color=dark%20green&label=Devel%20Branch%20commits) - ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) -![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/ubuntu22-cis/linux_benchmark_testing.yml?label=Build%20Status) -![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/ubuntu22-cis?label=Release%20Date) -![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/ubuntu22-cis?label=Release%20Tag&&color=success) +![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/UBUNTU22-CIS) +![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/UBUNTU22-CIS) + +[![Main Pipeline Status](https://github.com/ansible-lockdown/UBUNTU22-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/UBUNTU22-CIS/actions/workflows/main_pipeline_validation.yml) + +[![Devel Pipeline Status](https://github.com/ansible-lockdown/UBUNTU22-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/UBUNTU22-CIS/actions/workflows/devel_pipeline_validation.yml) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/UBUNTU22-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits) -![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/ubuntu22-cis?label=Open%20Issues) -![Issues 
Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/ubuntu22-cis?label=Closed%20Issues&&color=success) -![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/ubuntu22-cis?label=Pull%20Requests) +![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/UBUNTU22-CIS?label=Open%20Issues) +![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/UBUNTU22-CIS?label=Closed%20Issues&&color=success) +![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/UBUNTU22-CIS?label=Pull%20Requests) -![License](https://img.shields.io/github/license/ansible-lockdown/ubuntu22-cis?label=License) +![License](https://img.shields.io/github/license/ansible-lockdown/UBUNTU22-CIS?label=License) --- From e951808d37148ac486276b2d94e4814ec863d92b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 9 Aug 2023 11:23:08 +0100 Subject: [PATCH 10/22] Added secrets baseline Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 168 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 168 insertions(+) create mode 100644 .config/.secrets.baseline diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline new file mode 100644 index 00000000..7d38f629 --- /dev/null +++ b/.config/.secrets.baseline 
@@ -0,0 +1,168 @@ +{ + "version": "1.4.0", + "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, + { + "name": "AWSKeyDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "name": "Base64HighEntropyString", + "limit": 4.5 + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "name": "KeywordDetector", + "keyword_exclude": "" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "SendGridDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_baseline_file", + "filename": ".config/.secrets.baseline" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": "detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": 
"detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + ".config/.gitleaks-report.json" + ] + } + ], + "results": { + "defaults/main.yml": [ + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "is_verified": false, + "line_number": 454, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "62d080aa835d5cde69e3162f928472a204769a63", + "is_verified": false, + "line_number": 641, + "is_secret": false + } + ], + "tasks/main.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "d042db4b269513126cd2a41f7e62a0a23cdb91dc", + "is_verified": false, + "line_number": 48, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "is_verified": false, + "line_number": 57, + "is_secret": false + } + ], + "tasks/parse_etc_password.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/parse_etc_password.yml", + "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "is_verified": false, + "line_number": 19 + } + ] + }, + "generated_at": "2023-08-09T10:22:53Z" +} From 120f8cde3f7a88ae04eac7ca57ef646eab54a31a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 9 Aug 2023 11:26:12 +0100 Subject: [PATCH 11/22] updated changelog Signed-off-by: Mark Bolwell --- Changelog.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/Changelog.md b/Changelog.md index 705f4d9a..073576ea 100644 --- a/Changelog.md +++ b/Changelog.md 
@@ -2,6 +2,21 @@ ## Based on CIS V1.0.0 +### v1.0.2 + +Issues: +Thanks to zac90 + +- [#53](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/53) +- [#54](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/54) +- [#55](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/55) + +Updates to workflow now using centralised config + +lint file updates +readme updates to badges and layout +added secrets-baseline in preperation for pre-commit + ### v1.0.1 Issues: From 6b0e2a34ff9078cf510869876f560a6b06fff8c3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 10 Aug 2023 08:34:21 +0100 Subject: [PATCH 12/22] tidy up Signed-off-by: Mark Bolwell --- Changelog.md | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/Changelog.md b/Changelog.md index 4ec0f368..073576ea 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,7 +2,6 @@ ## Based on CIS V1.0.0 -<<<<<<< HEAD ### v1.0.2 Issues: 
@@ -17,27 +16,6 @@ Updates to workflow now using centralised config lint file updates readme updates to badges and layout added secrets-baseline in preperation for pre-commit -======= -## v1.0.2 - -- issues addressed - - thanks to @zac90 - - [#35](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/35) - - [#36](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/36) - - [#37](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/37) - - [#39](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/39) - - [#40](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/40) - - [#41](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/41) - - [#42](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/42) - - [#43](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/43) - - [#44](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/44) - - [#45](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/45) - -Improvements to the mount commands and fstype usage as part of [#37](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/37) -section 5.4 tags updated -.ansible-lint updated -improvements to 5.5.4 for umask ->>>>>>> devel ### v1.0.1 From f4c7030b7c7dcd0c33e9f9746f1a26c88e9bad09 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 10 Aug 2023 08:35:21 +0100 Subject: [PATCH 13/22] updated Signed-off-by: Mark Bolwell --- Changelog.md | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 073576ea..50e17834 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,7 +2,7 @@ ## Based on CIS V1.0.0 -### v1.0.2 +### v1.0.3 Issues: Thanks to zac90 
@@ -17,6 +17,26 @@ lint file updates readme updates to badges and layout added secrets-baseline in preperation for pre-commit +## v1.0.2 + +- issues addressed + - thanks to @zac90 + - [#35](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/35) + - [#36](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/36) + - [#37](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/37) + - [#39](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/39) + - [#40](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/40) + - [#41](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/41) + - [#42](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/42) + - [#43](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/43) + - [#44](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/44) + - [#45](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/45) + +Improvements to the mount commands and fstype usage as part of [#37](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/37) +section 5.4 tags updated +.ansible-lint updated +improvements to 5.5.4 for umask + ### v1.0.1 Issues: From f92275f14a39420c68ae955ba33a2fddaac19205 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 10 Aug 2023 08:36:21 +0100 Subject: [PATCH 14/22] removed unnecssary quotes Signed-off-by: Mark Bolwell --- tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 6d9171d8..690c62f9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -64,12 +64,12 @@ - name: Check ubtu22cis_grub_user password variable has been changed block: - - name: "Check ubtu22cis_grub_user password variable has been changed | check password is set" + - name: Check ubtu22cis_grub_user password variable has been changed | check password is set ansible.builtin.shell: "grep ^{{ ubtu22cis_grub_user }} /etc/shadow | awk -F : '{print $2}'" changed_when: false register: ubtu22cis_password_set_grub_user - - name: "Check ubtu22cis_grub_user password variable has been changed | check password is set" + - name: Check ubtu22cis_grub_user password variable has been changed | check password is set ansible.builtin.assert: that: ubtu22cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu22cis_grub_user_passwd.find('$y$') != -1 and ubtu22cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' msg: "This role will not set the {{ ubtu22cis_grub_user }} user password is not set or ubtu22cis_grub_user_passwd variable has not been set correctly" @@ -78,7 +78,7 @@ - ubtu22cis_set_grub_user_pass - ubtu22cis_rule_1_4_3 - - name: "Check ubtu22cis_grub_user password variable has been changed | if password blank or incorrect type and not being set" + - name: Check ubtu22cis_grub_user password variable has been changed | if password blank or incorrect type and not being set ansible.builtin.assert: that: ( ubtu22cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu22cis_password_set_grub_user.stdout fail_msg: "Grub User {{ ubtu22cis_grub_user }} has no password set or incorrect encryption" From f717557cec40675a28559579698d07a31a4a5d45 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 10 Aug 2023 08:42:54 +0100 Subject: [PATCH 15/22] #50 blockist usb - thanks to @rspataru Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.10.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tasks/section_1/cis_1.1.10.yml b/tasks/section_1/cis_1.1.10.yml index 074470be..3ea9324c 100644 
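Review bot: The shell task in this block registers the grub user's /etc/shadow entry into `ubtu22cis_password_set_grub_user` without `no_log: true`, so the password hash is echoed in `-v` output and in any CI or controller log that captures the run; add `no_log: true` to that task, since only the later assert needs the value. The two sibling tasks now carry the identical name `… | check password is set` although the second one is an assert; renaming it to something like `… | assert grub password is usable` makes a failure locatable in the play output. The `msg:` text `This role will not set the … user password is not set or …` has lost a clause and does not say which of the two conditions failed; `"{{ ubtu22cis_grub_user }} has no password set and ubtu22cis_grub_user_passwd has not been changed from the default"` states the actual failure. The enclosing block continues past the end of the hunk.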
--- a/tasks/section_1/cis_1.1.10.yml +++ b/tasks/section_1/cis_1.1.10.yml @@ -9,6 +9,12 @@ line: 'install usb-storage /bin/true' create: true + - name: "1.1.10 | PATCH | Disable USB Storage | Blacklist usb-storage" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + line: 'blacklist usb-storage' + insertafter: EOF + - name: "1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module" community.general.modprobe: name: usb-storage From 008f2740cc829c92b2884b2fef4a243c930a09aa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 10 Aug 2023 08:48:11 +0100 Subject: [PATCH 16/22] updated Signed-off-by: Mark Bolwell --- Changelog.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 50e17834..02500b48 100644 --- a/Changelog.md +++ b/Changelog.md @@ -5,17 +5,23 @@ ### v1.0.3 Issues: -Thanks to zac90 +Thanks to @zac90 - [#53](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/53) - [#54](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/54) - [#55](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/55) +PR: +thanks to @rspataru + +- [#50](https://github.com/ansible-lockdown/UBUNTU22-CIS/pull/50) + Updates to workflow now using centralised config lint file updates readme updates to badges and layout added secrets-baseline in preperation for pre-commit +readme tidy up ## v1.0.2 From 14cb116491d726e7bfe625d17b832ea292d02a0e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 10 Aug 2023 09:07:10 +0100 Subject: [PATCH 17/22] added required vars to test workflow Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index ad6e51fc..c882f773 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf 
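Review bot: The new `lineinfile` task for `blacklist usb-storage` has no `create: true`, unlike the `install usb-storage /bin/true` task directly above it, so on a host where `/etc/modprobe.d/blacklist.conf` is absent the task fails instead of writing the file; add `create: true`, and since the file may then be created by this role, set `owner: root`, `group: root` and `mode: '0644'` so it does not inherit the umask of the connecting user. `insertafter: EOF` is the module default and can be dropped. Appending to a file that is shipped by the distribution also means a package upgrade can rewrite it; a dedicated drop-in file under /etc/modprobe.d owned by this role would be more robust, though the CIS audit text may expect the line in a specific file, so confirm before changing the path. The surrounding task list continues past the hunk, and the leading indentation of the `+` lines is lost in this rendering of the patch.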
@@ -24,7 +24,7 @@ resource "aws_security_group" "github_actions" { protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } - + ingress { from_port = 80 to_port = 80 @@ -75,6 +75,10 @@ resource "local_file" "inventory" { setup_audit: true run_audit: true system_is_ec2: true + grub_user_pass: 'grub.pbkdf2.sha512.10000.D268F2334B417C788C859A1104D489BE73205AFB74539DCAB0AC3F4A3B2ADE34D994D6D86A6F665200608F88050BCBC5D161ED07DE78C39D3C2BAE345F22DCEE.730C7E0F06BBDD2A54FF7BE93B710E94E1B1B61FE8E0BF27313E2429AF2C57348BF2EA647E39EF5AB13BE3EF3B1972FA5082EEB62AB9436314EA851D8042F423' + ubtu22cis_bootloader_password_hash: {{ grub_user_pass }} + ubtu22cis_set_grub_user_pass: true + ubtu22cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' EOF } From 661eb85fc374d915b3df4bb000d87aca0c149356 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 10 Aug 2023 09:12:41 +0100 Subject: [PATCH 18/22] added required vars to test workflow Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index c882f773..1fc1127b 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -76,7 +76,7 @@ resource "local_file" "inventory" { run_audit: true system_is_ec2: true grub_user_pass: 'grub.pbkdf2.sha512.10000.D268F2334B417C788C859A1104D489BE73205AFB74539DCAB0AC3F4A3B2ADE34D994D6D86A6F665200608F88050BCBC5D161ED07DE78C39D3C2BAE345F22DCEE.730C7E0F06BBDD2A54FF7BE93B710E94E1B1B61FE8E0BF27313E2429AF2C57348BF2EA647E39EF5AB13BE3EF3B1972FA5082EEB62AB9436314EA851D8042F423' - ubtu22cis_bootloader_password_hash: {{ grub_user_pass }} + ubtu22cis_bootloader_password_hash: "{{ grub_user_pass }}" ubtu22cis_set_grub_user_pass: true ubtu22cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' EOF From 7c5bdaae9375ba1a5411be3e26f20676c40e6d75 Mon Sep 17 00:00:00 2001 
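Review bot: In the `@@ -75,6 +75,10 @@` hunk, `ubtu22cis_grub_user_passwd` in the generated test inventory is set to `$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6`, which is the exact value the assert in tasks/main.yml (PATCH 14/22 above) rejects as the unchanged default; on a fresh test instance whose grub user has no `$y$` entry in /etc/shadow the play therefore fails its pre-check instead of exercising 1.4.3. The pipeline needs a hash generated for the test run, ideally supplied from a repository secret rather than committed, and the same goes for `grub_user_pass`: a PBKDF2 hash committed to the repository corresponds to a password known to whoever generated it and is acceptable only for a throwaway instance, which a comment in the template should say. PATCH 20/22 later deletes `.github/workflows/main.tf` entirely, so this only matters if the inventory template is restored elsewhere.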
From: Mark Bolwell Date: Thu, 10 Aug 2023 10:07:52 +0100 Subject: [PATCH 19/22] removed templates to inherit from org Signed-off-by: Mark Bolwell --- .github/ISSUE_TEMPLATE/bug_report.md | 32 ------------------- .../feature-request-or-enhancement.md | 21 ------------ .github/ISSUE_TEMPLATE/question.md | 17 ---------- .github/pull_request_template.md | 11 ------- 4 files changed, 81 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.md delete mode 100644 .github/ISSUE_TEMPLATE/feature-request-or-enhancement.md delete mode 100644 .github/ISSUE_TEMPLATE/question.md delete mode 100644 .github/pull_request_template.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index 3a19c72b..00000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -name: Report Issue -about: Create a bug issue ticket to help us improve -title: '' -labels: bug -assignees: '' - ---- - -**Describe the Issue** -A clear and concise description of what the bug is. - -**Expected Behavior** -A clear and concise description of what you expected to happen. - -**Actual Behavior** -A clear and concise description of what's happening. - -**Control(s) Affected** -What controls are being affected by the issue - -**Environment (please complete the following information):** - - Ansible Version: [e.g. 2.10] - - Host Python Version: [e.g. Python 3.7.6] - - Ansible Server Python Version: [e.g. Python 3.7.6] - - Additional Details: - -**Additional Notes** -Anything additional goes here - -**Possible Solution** -Enter a suggested fix here diff --git a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md deleted file mode 100644 index bf457005..00000000 --- a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -name: Feature Request or Enhancement -about: Suggest an idea for this project -title: '' -labels: enhancement -assignees: '' - ---- - -**Feature Request or Enhancement** - - Feature [] - - Enhancement [] - -**Summary of Request** -A clear and concise description of what you want to happen. - -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Suggested Code** -Please provide any code you have in mind to fulfill the request diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md deleted file mode 100644 index cbab6e73..00000000 --- a/.github/ISSUE_TEMPLATE/question.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -name: Question -about: Ask away....... -title: '' -labels: question -assignees: '' - ---- - -**Question** -Pose question here. - -**Environment (please complete the following information):** - - Ansible Version: [e.g. 2.10] - - Host Python Version: [e.g. Python 3.7.6] - - Ansible Server Python Version: [e.g. Python 3.7.6] - - Additional Details: diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md deleted file mode 100644 index 1bf89d37..00000000 --- a/.github/pull_request_template.md +++ /dev/null @@ -1,11 +0,0 @@ -**Overall Review of Changes:** -A general description of the changes made that are being requested for merge - -**Issue Fixes:** -Please list (using linking) any open issues this PR addresses - -**Enhancements:** -Please list any enhancements/features that are not open issue tickets - -**How has this been tested?:** -Please give an overview of how these changes were tested. If they were not please use N/A From a2c2dede79a90e899d526b305c9f17b495ce753c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 10 Aug 2023 10:08:55 +0100 Subject: [PATCH 20/22] removed legacy workflow files 
Signed-off-by: Mark Bolwell --- .github/workflows/OS.tfvars | 9 -- .github/workflows/github_networks.tf | 51 -------- .github/workflows/github_vars.tfvars | 13 -- .github/workflows/linux_benchmark_testing.yml | 111 ------------------ .github/workflows/main.tf | 84 ------------- .github/workflows/terraform.tfvars | 5 - .github/workflows/test.sh | 6 - .github/workflows/variables.tf | 69 ----------- 8 files changed, 348 deletions(-) delete mode 100644 .github/workflows/OS.tfvars delete mode 100644 .github/workflows/github_networks.tf delete mode 100644 .github/workflows/github_vars.tfvars delete mode 100644 .github/workflows/linux_benchmark_testing.yml delete mode 100644 .github/workflows/main.tf delete mode 100644 .github/workflows/terraform.tfvars delete mode 100644 .github/workflows/test.sh delete mode 100644 .github/workflows/variables.tf diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars deleted file mode 100644 index 904898af..00000000 --- a/.github/workflows/OS.tfvars +++ /dev/null @@ -1,9 +0,0 @@ -#Ami ubuntu 2004 -ami_id = "ami-051dcca84f1edfff1" -ami_os = "ubuntu22" -ami_username = "ubuntu" -ami_user_home = "/home/ubuntu" -instance_tags = { - Name = "UBUNTU22-CIS" - Environment = "Ansible_Lockdown_GH_PR_Pipeline" -} diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf deleted file mode 100644 index 94cde062..00000000 --- a/.github/workflows/github_networks.tf +++ /dev/null 
@@ -1,51 +0,0 @@ -resource "aws_vpc" "Main" { - cidr_block = var.main_vpc_cidr - instance_tenancy = "default" - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-VPC" - } -} - -resource "aws_internet_gateway" "IGW" { - vpc_id = aws_vpc.Main.id - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-IGW" - } -} - -resource "aws_subnet" "publicsubnets" { - vpc_id = aws_vpc.Main.id - cidr_block = var.public_subnets - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-pubsub" - } -} - -resource "aws_subnet" "Main" { - vpc_id = aws_vpc.Main.id - cidr_block = var.private_subnets - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-prvsub" - } -} - -resource "aws_route_table" "PublicRT" { - vpc_id = aws_vpc.Main.id - route { - cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.IGW.id - } - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-publicRT" - } -} - -resource "aws_route_table_association" "rt_associate_public" { - subnet_id = aws_subnet.Main.id - route_table_id = aws_route_table.PublicRT.id -} diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars deleted file mode 100644 index b79af632..00000000 --- a/.github/workflows/github_vars.tfvars +++ /dev/null @@ -1,13 +0,0 @@ -// github_actions variables -// Resourced in github_networks.tf -// Declared in variables.tf -// - -namespace = "Ansible_Lockdown_GH_PR_Actions" -environment = "Ansible_Lockdown_GH_PR_Pipeline" - -// Matching pair name found in AWS for keypairs PEM key -ami_key_pair_name = "github_actions" -main_vpc_cidr = "172.22.0.0/24" -public_subnets = "172.22.0.128/26" -private_subnets = "172.22.0.192/26" diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml deleted file mode 100644 index eed42b3d..00000000 --- a/.github/workflows/linux_benchmark_testing.yml +++ /dev/null 
@@ -1,111 +0,0 @@ -# This is a basic workflow to help you get started with Actions - -name: linux_benchmark_pipeline - -# Controls when the action will run. -# Triggers the workflow on push or pull request -# events but only for the devel branch -on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - -# A workflow run is made up of one or more jobs -# that can run sequentially or in parallel -jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. 
- # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - env: - ENABLE_DEBUG: false - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, - # so your job can access it - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - -### Build out the server - - name: Terraform_Init - working-directory: .github/workflows - run: terraform init - - - name: Terraform_Validate - working-directory: .github/workflows - run: terraform validate - - - name: Terraform_Apply - working-directory: .github/workflows - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep 60s - shell: bash - - # Run the ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - working-directory: .github/workflows - if: 
always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf deleted file mode 100644 index 1fc1127b..00000000 --- a/.github/workflows/main.tf +++ /dev/null @@ -1,84 +0,0 @@ -provider "aws" { - profile = "" - region = var.aws_region -} - -// Create a security group with access to port 22 and port 80 open to serve HTTP traffic - -resource "random_id" "server" { - keepers = { - # Generate a new id each time we switch to a new AMI id - ami_id = "${var.ami_id}" - } - - byte_length = 8 -} - -resource "aws_security_group" "github_actions" { - name = "${var.namespace}-${random_id.server.hex}" - vpc_id = aws_vpc.Main.id - - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-SG" - } -} - -// instance setup - -resource "aws_instance" "testing_vm" { - ami = var.ami_id - associate_public_ip_address = true - key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs - instance_type = var.instance_type - tags = var.instance_tags - vpc_security_group_ids = [aws_security_group.github_actions.id] - subnet_id = aws_subnet.Main.id - root_block_device { - delete_on_termination = true - } -} - -// generate inventory file -resource "local_file" "inventory" { - filename = "./hosts.yml" - directory_permission = "0755" - file_permission = "0644" - content = < Date: Thu, 10 Aug 2023 10:11:05 +0100 Subject: [PATCH 21/22] updated 
Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 02500b48..512c1515 100644 --- a/Changelog.md +++ b/Changelog.md @@ -17,6 +17,8 @@ thanks to @rspataru - [#50](https://github.com/ansible-lockdown/UBUNTU22-CIS/pull/50) Updates to workflow now using centralised config +templates removed as inherited from org +legacy workflow files removed lint file updates readme updates to badges and layout From 8153344a40d8c9b36a2f7a9fa86252d7628b0263 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 10 Aug 2023 13:40:25 +0100 Subject: [PATCH 22/22] updated when statement Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.3.x.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 13af402e..2f4bfb0c 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -9,7 +9,8 @@ update_cache: true register: ubtu22cis_rule_1_3_1_aide_added when: - - "'aide' not in ansible_facts.packages or 'aide-common' not in ansible_facts.packages" + - "'aide' not in ansible_facts.packages or + 'aide-common' not in ansible_facts.packages" - name: "1.3.1 | PATCH | Ensure AIDE is installed | Recapture packages" ansible.builtin.package_facts:
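Review bot: The re-wrapped `when` entry relies on line folding inside a double-quoted scalar, which reads at a glance like two list items and is the form PATCH 03/22 collapsed to one line for that reason; the result is the same string either way. A block scalar keeps the wrap without the quoting and makes the single-condition intent visible: `- >-` followed by `'aide' not in ansible_facts.packages or` and `'aide-common' not in ansible_facts.packages` on the next two lines. The `ansible.builtin.package` task this condition belongs to starts above the hunk.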