Merge pull request #125 from ansible-lockdown/devel

Release to main

Author: uk-bolly

.github/workflows/devel_pipeline_validation.yml

@@ -29,7 +29,7 @@
                       Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
                       Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
-        # This workflow contains a single job which tests the playbook
+        # This workflow contains a single job that tests the playbook
         playbook-test:
           # The type of runner that the job will run on
           runs-on: ubuntu-latest
@@ -44,13 +44,13 @@
 
           steps:
             - name: Clone ${{ github.event.repository.name }}
-              uses: actions/checkout@v3
+              uses: actions/checkout@v4
               with:
                 ref: ${{ github.event.pull_request.head.sha }}
 
             # Pull in terraform code for linux servers
-            - name: Clone github IaC plan
-              uses: actions/checkout@v3
+            - name: Clone GitHub IaC plan
+              uses: actions/checkout@v4
               with:
                 repository: ansible-lockdown/github_linux_IaC
                 path: .github/workflows/github_linux_IaC
@@ -74,23 +74,23 @@
                 pwd
                 ls
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
             - name: Terraform_Init
               id: init
               run: terraform init
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
             - name: Terraform_Validate
               id: validate
               run: terraform validate
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
@@ -111,9 +111,9 @@
       # Aws deployments taking a while to come up insert sleep or playbook fails
 
             - name: Sleep for 60 seconds
-              run: sleep 60s
+              run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
-          # Run the ansible playbook
+          # Run the Ansibleplaybook
             - name: Run_Ansible_Playbook
               uses: arillso/action.playbook@master
               with:

.github/workflows/main_pipeline_validation.yml

@@ -18,7 +18,7 @@
     # that can run sequentially or in parallel
     jobs:
 
-        # This workflow contains a single job which tests the playbook
+        # This workflow contains a single job that tests the playbook
         playbook-test:
           # The type of runner that the job will run on
           runs-on: ubuntu-latest
@@ -33,13 +33,13 @@
 
           steps:
             - name: Clone ${{ github.event.repository.name }}
-              uses: actions/checkout@v3
+              uses: actions/checkout@v4
               with:
                 ref: ${{ github.event.pull_request.head.sha }}
 
             # Pull in terraform code for linux servers
-            - name: Clone github IaC plan
-              uses: actions/checkout@v3
+            - name: Clone GitHub IaC plan
+              uses: actions/checkout@v4
               with:
                 repository: ansible-lockdown/github_linux_IaC
                 path: .github/workflows/github_linux_IaC
@@ -63,23 +63,23 @@
                 pwd
                 ls
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
             - name: Terraform_Init
               id: init
               run: terraform init
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
             - name: Terraform_Validate
               id: validate
               run: terraform validate
               env:
-                # Imported from github variables this is used to load the relvent OS.tfvars file
+                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
                 OSVAR: ${{ vars.OSVAR }}
                 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
@@ -100,9 +100,9 @@
       # Aws deployments taking a while to come up insert sleep or playbook fails
 
             - name: Sleep for 60 seconds
-              run: sleep 60s
+              run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
-          # Run the ansible playbook
+          # Run the Ansibleplaybook
             - name: Run_Ansible_Playbook
               uses: arillso/action.playbook@master
               with:

.github/workflows/update_galaxy.yml

@@ -1,11 +1,7 @@
 ---
 
-# This is a basic workflow to help you get started with Actions
-
 name: update galaxy
 
-# Controls when the action will run.
-# Triggers the workflow on merge request events to the main branch
 on:
     push:
         branches:
@@ -14,8 +10,10 @@ jobs:
     update_role:
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v3
-            - uses: robertdebock/galaxy-action@master
+            - name: Checkout repo
+              uses: actions/checkout@v4
+
+            - name: Action Ansible Galaxy Release ${{ github.ref_name }}
+              uses: ansible-actions/ansible-galaxy-action@main
               with:
-                  galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
-                  git_branch: main
+                galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}

.pre-commit-config.yaml

@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.2.0
+  rev: v4.5.0
   hooks:
   # Safety
   - id: detect-aws-credentials
@@ -37,14 +37,14 @@ repos:
     exclude: .config/.gitleaks-report.json tasks/parse_etc_password
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.17.0
+  rev: v8.18.1
   hooks:
   - id: gitleaks
     args: ['--baseline-path', '.config/.gitleaks-report.json']
     exclude: .config/.secrets.baseline
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v6.17.2
+  rev: v6.22.1
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -63,6 +63,6 @@ repos:
     - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.32.0  # or higher tag
+  rev: v1.33.0  # or higher tag
   hooks:
   - id: yamllint

Changelog.md

@@ -1,5 +1,12 @@
 # Change log for Ubuntu 2004
 
+## v2.0.1 based upon CIS 2.0.1
+
+- ability to run goss audit only audit_only variable
+  - audit vars mainly move dto var/audit.yml
+- several control updates
+- goss version update to 0.4.4
+
 ## V2.0 based upon CIS 2.0.1
 
 - v2.0.1 - refer to change history from official CIS pdf.

README.md

@@ -10,7 +10,6 @@
 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
 
-![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/54777?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)

collections/requirements.yml

@@ -2,7 +2,13 @@
 
 collections:
     - name: community.general
+      source: https://github.com/ansible-collections/community.general
+      type: git
 
     - name: community.crypto
+      source: https://github.com/ansible-collections/community.crypto
+      type: git
 
     - name: ansible.posix
+      source: https://github.com/ansible-collections/ansible.posix
+      type: git

defaults/main.yml

@@ -18,26 +18,53 @@ benchmark: UBUNTU20-CIS
 ## metadata for Audit benchmark
 benchmark_version: 'v2.0.1'
 
-### Audit Binary is required on the remote host
+##########################################
+### Goss is required on the remote host ###
+## Refer to vars/auditd.yml for any other settings ##
+
+# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
 setup_audit: false
+
+# enable audits to run - this runs the audit and get the latest content
+run_audit: false
+
+# Only run Audit do not remediate
+audit_only: false
+# As part of audit_only
+# This will enable files to be copied back to control node
+fetch_audit_files: false
+# Path to copy the files to will create dir structure
+audit_capture_files_dir: /some/location to copy to on control node
+
 # How to retrieve audit binary
 # Options are copy or download - detailed settings at the bottom of this file
 # you will need to access to either github or the file already dowmloaded
 get_audit_binary_method: download
 
+## if get_audit_binary_method - copy the following needs to be updated for your environment
+## it is expected that it will be copied from somewhere accessible to the control node
+## e.g copy from ansible control node to remote host
+audit_bin_copy_location: /some/accessible/path
+
 # how to get audit files onto host options
 # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
 audit_content: git
 
-# enable audits to run - this  runs the audit and get the latest content
-run_audit: false
+# archive or copy:
+audit_conf_copy: "some path to copy from"
+
+# get_url:
+audit_files_url: "some url maybe s3?"
 
 # Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
 audit_run_heavy_tests: true
-# Timeout for those cmds that take longer to run where timeout set
-audit_cmd_timeout: 60000
 
-### End Audit enablements ####
+# This variable specifies the timeout (in ms) for audit commands that
+# take a very long time: if a command takes too long to complete,
+# it will be forcefully terminated after the specified duration.
+audit_cmd_timeout: 120000
+
+### End Goss enablements ####
 
 # We've defined complexity-high to mean that we cannot automatically remediate
 # the rule in question.  In the future this might mean that the remediation
@@ -415,7 +442,7 @@ ubtu20cis_dovecot_server: false
 ubtu20cis_smb_server: false
 ubtu20cis_squid_server: false
 ubtu20cis_snmp_server: false
-ubtu20cis_rsync_server: false
+ubtu20cis_rsync_server: mask  # Can be set to true, mask or remove depending on requirements
 ubtu20cis_nis_server: false
 ubtu20cis_nfs_client: false
 # rpcbind is required by nfs-common which is required on client and server
@@ -467,15 +494,17 @@ ubtu20cis_aide_cron:
     aide_weekday: '*'
 
 # Control 1.4.1
-# THIS VARIABLE SHOULD BE CHANGED
+# THESE VARIABLES SHOULD BE CHANGED
 # This will fail assertion if not changed and rule 1.4.2 is enabled
 # insert password as per output of running grub-mkpasswd-pbkdf2
 # refers to https://help.ubuntu.com/community/Grub2/Passwords
 
+# You maybe changing the root password if grub user root - Ensure you understand the risks
+ubtu20cis_set_grub_user_password: false
+ubtu20cis_grub_user: root
+ubtu20cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6'  # Set to changeme
 ubtu20cis_set_boot_pass: false
-ubtu20cis_set_grub_password: true
 ubtu20cis_grub_user_file: /etc/grub.d/40_custom
-ubtu20cis_grub_user: root
 ubtu20cis_grub_file: /boot/grub/grub.cfg
 
 # This is used to set the password in grub the full string is required.
@@ -739,51 +768,3 @@ ubtu20cis_sgid_adjust: false
 # Control 6.2.5 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable
 # ubtu20cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
 ubtu20cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
-
-#### Audit Configuration Settings ####
-
-### Audit binary settings ###
-audit_bin_version:
-    release: v0.3.23
-    checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d'
-audit_bin_path: /usr/local/bin/
-audit_bin: "{{ audit_bin_path }}goss"
-audit_format: json
-
-# if get_audit_binary_method == download change accordingly
-audit_bin_url: "https://github.com/aelsabbahy/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64"
-
-## if get_audit_binary_method - copy the following needs to be updated for your environment
-## it is expected that it will be copied from somewhere accessible to the control node
-## e.g copy from ansible control node to remote host
-audit_bin_copy_location: /some/accessible/path
-
-### Goss Audit Benchmark file ###
-## managed by the control audit_content
-# git
-audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
-audit_git_version: "benchmark_{{ benchmark_version }}"
-
-# archive or copy:
-audit_conf_copy: "some path to copy from"
-
-# get_url:
-audit_files_url: "some url maybe s3?"
-
-## Goss configuration information
-# Where the goss configs and outputs are stored
-audit_out_dir: '/opt'
-# Where the goss audit configuration will be stored
-audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"
-
-# If changed these can affect other products
-pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
-post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
-
-## The following should not need changing
-audit_control_file: "{{ audit_conf_dir }}goss.yml"
-audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml"
-audit_results: |
-      The pre remediation results are: {{ pre_audit_summary }}.
-      The post remediation results are: {{ post_audit_summary }}.
-      Full breakdown can be found in {{ audit_out_dir }}