Commit 70638ab

Merge pull request #86 from ansible-lockdown/devel
Stig v2r1 to main
2 parents 5d20ee7 + 2990d52 commit 70638ab

62 files changed

+6197
-6649
lines changed

.ansible-lint

Lines changed: 2 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -3,21 +3,7 @@
33
parseable: true
44
quiet: true
55
skip_list:
6-
- 'schema'
7-
- 'no-changed-when'
8-
- 'var-spacing'
9-
- 'experimental'
10-
- 'name[play]'
11-
- 'name[casing]'
12-
- 'name[template]'
13-
- 'key-order[task]'
14-
- 'yaml[line-length]'
15-
- '204'
16-
- '305'
17-
- '303'
18-
- '403'
19-
- '306'
20-
- '602'
21-
- '208'
6+
- 'package-latest'
7+
- 'risky-shell-pipe'
228
use_default_rules: true
239
verbosity: 0
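Review bot: the two skips that survive, 'package-latest' and 'risky-shell-pipe', are the ones with real operational weight, and they deserve a comment each explaining why the role needs them. 'package-latest' silences `state: latest` on package tasks, which makes runs non-idempotent and installs whatever version the repository serves on that day; 'risky-shell-pipe' silences shell pipelines that run without `set -o pipefail`, where a failing first command is masked by the exit status of the last one. Also note that 'no-changed-when' is no longer skipped, so every `command`/`shell` task without `changed_when` will now fail lint; make sure the pipeline was run against this change.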

.github/workflows/devel_pipeline_validation.yml

Lines changed: 1 addition & 2 deletions
@@ -27,7 +27,7 @@
2727
jobs:
2828
# This will create messages for first time contributers and direct them to the Discord server
2929
welcome:
30-
runs-on: self-hosted
30+
runs-on: ubuntu-latest
3131

3232
steps:
3333
- uses: actions/first-interaction@main
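Review bot: moving `welcome` to `ubuntu-latest` is the right call, since this job runs on pull requests from first-time contributors and a self-hosted runner should not execute jobs triggered from untrusted forks; while touching it, pin `actions/first-interaction@main` to a release tag or, better, a full commit SHA, because `@main` is re-resolved on every run. The unchanged comment on line 28 also spells 'contributers'; it should be 'contributors'.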
@@ -70,7 +70,6 @@
7070
echo IAC_BRANCH=main >> $GITHUB_ENV
7171
fi
7272
73-
7473
# Pull in terraform code for linux servers
7574
- name: Clone GitHub IaC plan
7675
uses: actions/checkout@v4

.github/workflows/main_pipeline_validation.yml

Lines changed: 0 additions & 12 deletions
@@ -23,18 +23,6 @@
2323
# A workflow run is made up of one or more jobs
2424
# that can run sequentially or in parallel
2525
jobs:
26-
# This will create messages for first time contributers and direct them to the Discord server
27-
welcome:
28-
runs-on: self-hosted
29-
30-
steps:
31-
- uses: actions/first-interaction@main
32-
with:
33-
repo-token: ${{ secrets.GITHUB_TOKEN }}
34-
pr-message: |-
35-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
36-
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
37-
3826
# This workflow contains a single job that tests the playbook
3927
playbook-test:
4028
# The type of runner that the job will run on
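Review bot: dropping the `welcome` job from the main pipeline leaves first-contributor handling only in devel_pipeline_validation.yml, which matches pull requests landing on devel; if that is intended, say so in the PR description. As a side effect this file no longer runs an unpinned `actions/first-interaction@main` with `${{ secrets.GITHUB_TOKEN }}` on a `self-hosted` runner, which is an improvement worth keeping even if the welcome message is later restored elsewhere.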

.gitignore

Lines changed: 3 additions & 0 deletions
@@ -41,5 +41,8 @@ benchparse/
4141
*xccdf.xml
4242
*.retry
4343

44+
# pre-commit cache
45+
.ansible/
46+
4447
# GitHub Action/Workflow files
4548
.github/
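Review bot: the new `.ansible/` entry is fine for the pre-commit ansible-lint cache, but the existing `.github/` entry just below it is misleading: the workflow files under .github/ are tracked and are modified in this very commit, so the pattern has no effect on them and only hides newly added files in that directory from `git status`. Consider removing it or narrowing it to the specific generated paths you mean.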

.pre-commit-config.yaml

Lines changed: 4 additions & 4 deletions
@@ -3,8 +3,8 @@
33
##### CI for use by github no need for action to be added
44
##### Inherited
55
ci:
6-
autofix_prs: false
7-
skip: [detect-aws-credentials, ansible-lint ]
6+
autofix_prs: false
7+
skip: [detect-aws-credentials, ansible-lint ]
88

99
repos:
1010
- repo: https://github.com/pre-commit/pre-commit-hooks
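Review bot: only indentation changes here, but it is worth stating what `skip: [detect-aws-credentials, ansible-lint ]` means: on pre-commit.ci neither the AWS credential check nor ansible-lint runs, so secret scanning there depends on the detect-secrets and gitleaks hooks further down and lint coverage depends on the GitHub workflows. That split is reasonable, but a one-line comment next to the skip line would save the next reader from guessing; also drop the stray space before `]`.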
@@ -36,12 +36,12 @@ repos:
3636
- id: detect-secrets
3737

3838
- repo: https://github.com/gitleaks/gitleaks
39-
rev: v8.23.3
39+
rev: v8.24.0
4040
hooks:
4141
- id: gitleaks
4242

4343
- repo: https://github.com/ansible-community/ansible-lint
44-
rev: v25.1.2
44+
rev: v25.1.3
4545
hooks:
4646
- id: ansible-lint
4747
name: Ansible-lint
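Review bot: both bumps (gitleaks v8.23.3 to v8.24.0, ansible-lint v25.1.2 to v25.1.3) keep `rev` on release tags, which is common practice, but tags are mutable references; for the secret-scanning hook in particular, setting `rev` to the full commit SHA of the release gives a reproducible hook environment. Keep the ansible-lint rev aligned with whatever version the GitHub workflows run so local and CI results agree.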

.yamllint

Lines changed: 29 additions & 22 deletions
@@ -1,31 +1,38 @@
11
---
22
extends: default
3-
43
ignore: |
54
tests/
65
molecule/
76
.github/
87
.gitlab-ci.yml
98
*molecule.yml
10-
119
rules:
12-
indentation:
13-
# Requiring consistent indentation within a file, either indented or not
14-
indent-sequences: consistent
15-
braces:
16-
max-spaces-inside: 1
17-
level: error
18-
brackets:
19-
max-spaces-inside: 1
20-
level: error
21-
empty-lines:
22-
max: 1
23-
line-length: disable
24-
key-duplicates: enable
25-
new-line-at-end-of-file: enable
26-
new-lines:
27-
type: unix
28-
trailing-spaces: enable
29-
truthy:
30-
allowed-values: ['true', 'false']
31-
check-keys: true
10+
braces:
11+
max-spaces-inside: 1
12+
level: error
13+
brackets:
14+
max-spaces-inside: 1
15+
level: error
16+
comments:
17+
ignore-shebangs: true
18+
min-spaces-from-content: 1 # prettier compatibility
19+
comments-indentation: disable
20+
empty-lines:
21+
max: 1
22+
indentation:
23+
# Requiring 2 space indentation
24+
spaces: 2
25+
# Requiring consistent indentation within a file, either indented or not
26+
indent-sequences: consistent
27+
key-duplicates: enable
28+
line-length: disable
29+
new-line-at-end-of-file: enable
30+
new-lines:
31+
type: unix
32+
octal-values:
33+
forbid-implicit-octal: true # yamllint defaults to false
34+
forbid-explicit-octal: true
35+
trailing-spaces: enable
36+
truthy:
37+
allowed-values: ['true', 'false']
38+
check-keys: true
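Review bot: the new `octal-values` block is the most valuable change here for a hardening role: with `forbid-implicit-octal: true` a bare `mode: 0644` is rejected, and with `forbid-explicit-octal: true` so is `0o644`, so every `mode` has to be written as a quoted string such as `'0644'`. That closes the classic trap where an unquoted mode is parsed as an integer whose value depends on whether the parser treats the leading zero as octal, so the permission actually set can differ from the one written. The inline comment only says the default is false; extend it to say that modes must be quoted so contributors know how to satisfy the rule. Adding `spaces: 2` next to `indent-sequences: consistent` is also fine, but it will flag any existing file indented with four spaces, so lint the whole tree before this lands.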

Changelog.md

Lines changed: 108 additions & 0 deletions
@@ -1,5 +1,113 @@
11
# RHEL9STIG
22

3+
## 1.4.0 Based on STIG V2R1 Jul24 2024
4+
5+
- Every control ruleid updates due to STiG new CMS
6+
- Removed as no longer required
7+
- RHEL-09-211025
8+
- RHEL-09-611016
9+
- RHEL-09-611020
10+
- Following updated NIST relationships
11+
- RHEL-09-653010
12+
- RHEL-09-213020
13+
- RHEL-09-214010
14+
- RHEL-09-214015
15+
- RHEL-09-214020
16+
- RHEL-09-214025
17+
- RHEL-09-215010
18+
- RHEL-09-215075
19+
- RHEL-09-653015
20+
- RHEL-09-654215
21+
- RHEL-09-654220
22+
- RHEL-09-654225
23+
- RHEL-09-654230
24+
- RHEL-09-654235
25+
- RHEL-09-654240
26+
- RHEL-09-252010
27+
- RHEL-09-252015
28+
- RHEL-09-252020
29+
- RHEL-09-255035
30+
- RHEL-09-255045
31+
- RHEL-09-255100
32+
- RHEL-09-271045
33+
- RHEL-09-271050
34+
- RHEL-09-271055
35+
- RHEL-09-271060
36+
- RHEL-09-654245
37+
- RHEL-09-411010
38+
- RHEL-09-411015
39+
- RHEL-09-411050
40+
- RHEL-09-412010
41+
- RHEL-09-432015
42+
- RHEL-09-432025
43+
- RHEL-09-432035
44+
- RHEL-09-611010
45+
- RHEL-09-611040
46+
- RHEL-09-611050
47+
- RHEL-09-611055
48+
- RHEL-09-611060
49+
- RHEL-09-611065
50+
- RHEL-09-611070
51+
- RHEL-09-611075
52+
- RHEL-09-611080
53+
- RHEL-09-611085
54+
- RHEL-09-611090
55+
- RHEL-09-611095
56+
- RHEL-09-611100
57+
- RHEL-09-611110
58+
- RHEL-09-611115
59+
- RHEL-09-611120
60+
- RHEL-09-611125
61+
- RHEL-09-611130
62+
- RHEL-09-611135
63+
- RHEL-09-611140
64+
- RHEL-09-611145
65+
- RHEL-09-611150
66+
- RHEL-09-611160
67+
- RHEL-09-611165
68+
- RHEL-09-611170
69+
- RHEL-09-611175
70+
- RHEL-09-611180
71+
- RHEL-09-611185
72+
- RHEL-09-631010
73+
- RHEL-09-671015
74+
- RHEL-09-671025
75+
- RHEL-09-291010
76+
- RHEL-09-291015
77+
- RHEL-09-291020
78+
79+
## 1.3.0 Based on STIG V1r3 Jan24 2024
80+
81+
- RuleIDs updated
82+
- RHEL-09-212045
83+
- RHEL-09-213060
84+
- RHEL-09-215060
85+
- RHEL-09-255025
86+
- RHEL-09-255030
87+
- RHEL-09-255035
88+
- RHEL-09-255040
89+
- RHEL-09-255045
90+
- RHEL-09-255050
91+
- RHEL-09-255055
92+
- RHEL-09-255080
93+
- RHEL-09-255085
94+
- RHEL-09-255090
95+
- RHEL-09-255095
96+
- RHEL-09-255100
97+
- RHEL-09-255130
98+
- RHEL-09-255135
99+
- RHEL-09-255140
100+
- RHEL-09-255145
101+
- RHEL-09-255150
102+
- RHEL-09-255155
103+
- RHEL-09-155160
104+
- RHEL-09-255165
105+
- RHEL-09-255170
106+
- RHEL-09-255175
107+
108+
- RHEL-09-255070 removed as duplicate of 255075
109+
- RHEL-09-255075 updated
110+
3111
## 1.2.1 Based on STIG V1R2 Jan24 2024
4112

5113
- precommit updates
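Review bot: `RHEL-09-155160` on line 103 breaks the otherwise contiguous 2551xx sequence (255155 above it, 255165 below) and looks like a typo for `RHEL-09-255160`; please check it against the control list. Two smaller points: the 1.4.0 heading dates STIG V2R1 to Jul24 2024 while the README change in this same commit says Version 2, Rel 1 was released on Oct 24, 2024, and the 1.3.0 heading says V1r3 Jan24 2024 while the README line being replaced said Version 1, Rel 3 was released Apr 24, 2024; the two files should agree. 'STiG' on line 5 should be 'STIG'.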

README.md

Lines changed: 5 additions & 6 deletions
@@ -2,7 +2,7 @@
22

33
## Configure a RHEL9 based system to be complaint with Disa STIG
44

5-
This role is based on RHEL 9 DISA STIG: [Version 1, Rel 3 released on Apr 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/U_RHEL_9_V1R3_STIG.zip).
5+
This role is based on RHEL 9 DISA STIG: [Version 2, Rel 1 released on Oct 24, 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/U_RHEL_9_V2R1_STIG.zip).
66

77
## Initial Release from STIG, still many items that not quite aligned in the documentation
88

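Review bot: the version link is updated but the unchanged heading two lines above still reads 'complaint with Disa STIG'; it should be 'compliant with DISA STIG'. The release date given here (Oct 24, 2024) also disagrees with the Jul24 2024 date in the Changelog entry added in this commit.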
@@ -21,6 +21,8 @@ This role is based on RHEL 9 DISA STIG: [Version 1, Rel 3 released on Apr 24, 20
2121
![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-STIG)
2222
![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-STIG)
2323

24+
25+
2426
[![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL9-STIG/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-STIG/actions/workflows/main_pipeline_validation.yml)
2527

2628
[![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL9-STIG/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-STIG/actions/workflows/devel_pipeline_validation.yml)
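Review bot: lines 24 and 25 add two consecutive blank lines before the pipeline badge, which most markdown linters flag as multiple blank lines; one is enough.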
@@ -29,6 +31,7 @@ This role is based on RHEL 9 DISA STIG: [Version 1, Rel 3 released on Apr 24, 20
2931
![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-STIG?label=Open%20Issues)
3032
![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-STIG?label=Closed%20Issues&&color=success)
3133
![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/RHEL9-STIG?label=Pull%20Requests)
34+
[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](https://github.com/pre-commit/pre-commit)
3235

3336
![License](https://img.shields.io/github/license/ansible-lockdown/RHEL9-STIG?label=License)
3437

@@ -59,7 +62,7 @@ This contains rewrites and ID reference changes as per STIG documentation.
5962

6063
## Auditing
6164

62-
This can be turned on or off within the defaults/main.yml file with the variable rhel7stig_run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role.
65+
This can be turned on or off within the defaults/main.yml file with the variable rhel9stig_run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role.
6366

6467
This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings.
6568

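Review bot: good catch on `rhel7stig_run_audit` becoming `rhel9stig_run_audit`; a leftover like this suggests the README was copied from the RHEL7 role, so a search for any other `rhel7` prefixed variable or path in the docs before merging would be worthwhile. The sentence also runs two statements together with a comma; splitting it before 'please refer to the wiki' reads better.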
@@ -69,10 +72,6 @@ This audit will not only check the config has the correct setting but aims to ca
6972
## Documentation
7073

7174
- [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/)
72-
- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown#GH_AL_RH9_stig)
73-
- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise#GH_AL_RH9_stig)
74-
- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration#GH_AL_RH9_stig)
75-
- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise#GH_AL_RH9_stig)
7675

7776
## Requirements
7877

collections/requirements.yml

Lines changed: 9 additions & 9 deletions
@@ -1,14 +1,14 @@
11
---
22

33
collections:
4-
- name: community.general
5-
source: https://github.com/ansible-collections/community.general
6-
type: git
4+
- name: community.general
5+
source: https://github.com/ansible-collections/community.general
6+
type: git
77

8-
- name: community.crypto
9-
source: https://github.com/ansible-collections/community.crypto
10-
type: git
8+
- name: community.crypto
9+
source: https://github.com/ansible-collections/community.crypto
10+
type: git
1111

12-
- name: ansible.posix
13-
source: https://github.com/ansible-collections/ansible.posix
14-
type: git
12+
- name: ansible.posix
13+
source: https://github.com/ansible-collections/ansible.posix
14+
type: git
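Review bot: indentation only, but all three collections are fetched with `type: git` and no `version:` key, so `ansible-galaxy collection install -r collections/requirements.yml` resolves each to the current HEAD of the repository's default branch, and the role's behaviour then depends on whatever upstream contains on install day. Add a `version:` with a release tag (or commit) for community.general, community.crypto and ansible.posix so installs are reproducible and upstream changes are adopted deliberately.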
