Merge pull request #95 from ansible-lockdown/issue_#90

Issue #90

.config/.gitleaks-report.json

@@ -1,222 +1 @@
-[
- {
-  "Description": "Generic API Key",
-  "StartLine": 9,
-  "EndLine": 9,
-  "StartColumn": 5,
-  "EndColumn": 55,
-  "Match": "Secret\": \"0f5b530255e5a064cc73699e4fa44ba8b2ad399f\"",
-  "Secret": "0f5b530255e5a064cc73699e4fa44ba8b2ad399f",
-  "File": ".config/.gitleaks-report.json",
-  "SymlinkFile": "",
-  "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e",
-  "Entropy": 3.7561984,
-  "Author": "Mark Bolwell",
-  "Email": "[email protected]",
-  "Date": "2023-09-13T11:09:38Z",
-  "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \u003c[email protected]\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:9"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 29,
-  "EndLine": 29,
-  "StartColumn": 5,
-  "EndColumn": 39,
-  "Match": "Secret\": \"grub.pbkdf2.sha512.10000\"",
-  "Secret": "grub.pbkdf2.sha512.10000",
-  "File": ".config/.gitleaks-report.json",
-  "SymlinkFile": "",
-  "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e",
-  "Entropy": 3.8035088,
-  "Author": "Mark Bolwell",
-  "Email": "[email protected]",
-  "Date": "2023-09-13T11:09:38Z",
-  "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \u003c[email protected]\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:29"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 49,
-  "EndLine": 49,
-  "StartColumn": 5,
-  "EndColumn": 55,
-  "Match": "Secret\": \"4fae1797297d5c73819a504516f2de7740e4b52d\"",
-  "Secret": "4fae1797297d5c73819a504516f2de7740e4b52d",
-  "File": ".config/.gitleaks-report.json",
-  "SymlinkFile": "",
-  "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e",
-  "Entropy": 3.7898228,
-  "Author": "Mark Bolwell",
-  "Email": "[email protected]",
-  "Date": "2023-09-13T11:09:38Z",
-  "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \u003c[email protected]\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:49"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 69,
-  "EndLine": 69,
-  "StartColumn": 5,
-  "EndColumn": 55,
-  "Match": "Secret\": \"f395ee0a2d842bfcf81da0aad13591e2a9311fe1\"",
-  "Secret": "f395ee0a2d842bfcf81da0aad13591e2a9311fe1",
-  "File": ".config/.gitleaks-report.json",
-  "SymlinkFile": "",
-  "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e",
-  "Entropy": 3.618454,
-  "Author": "Mark Bolwell",
-  "Email": "[email protected]",
-  "Date": "2023-09-13T11:09:38Z",
-  "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \u003c[email protected]\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:69"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 89,
-  "EndLine": 89,
-  "StartColumn": 5,
-  "EndColumn": 55,
-  "Match": "Secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"",
-  "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
-  "File": ".config/.gitleaks-report.json",
-  "SymlinkFile": "",
-  "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e",
-  "Entropy": 3.8439426,
-  "Author": "Mark Bolwell",
-  "Email": "[email protected]",
-  "Date": "2023-09-13T11:09:38Z",
-  "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \u003c[email protected]\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:89"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 133,
-  "EndLine": 133,
-  "StartColumn": 18,
-  "EndColumn": 68,
-  "Match": "secret\": \"0f5b530255e5a064cc73699e4fa44ba8b2ad399f\"",
-  "Secret": "0f5b530255e5a064cc73699e4fa44ba8b2ad399f",
-  "File": ".config/.secrets.baseline",
-  "SymlinkFile": "",
-  "Commit": "358016009cd8ec06f468d091aba4e92e984a8c4b",
-  "Entropy": 3.7561984,
-  "Author": "Mark Bolwell",
-  "Email": "[email protected]",
-  "Date": "2023-09-11T10:19:54Z",
-  "Message": "updated secrets\n\nSigned-off-by: Mark Bolwell \u003c[email protected]\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "358016009cd8ec06f468d091aba4e92e984a8c4b:.config/.secrets.baseline:generic-api-key:133"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 9,
-  "EndLine": 9,
-  "StartColumn": 5,
-  "EndColumn": 39,
-  "Match": "Secret\": \"grub.pbkdf2.sha512.10000\"",
-  "Secret": "grub.pbkdf2.sha512.10000",
-  "File": ".config/.gitleaks-report.json",
-  "SymlinkFile": "",
-  "Commit": "f046ed0c486cba258a6d50e7124566a314b87c8e",
-  "Entropy": 3.8035088,
-  "Author": "Mark Bolwell",
-  "Email": "[email protected]",
-  "Date": "2023-09-11T09:06:43Z",
-  "Message": "added pre-commit setup\n\nSigned-off-by: Mark Bolwell \u003c[email protected]\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "f046ed0c486cba258a6d50e7124566a314b87c8e:.config/.gitleaks-report.json:generic-api-key:9"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 125,
-  "EndLine": 125,
-  "StartColumn": 18,
-  "EndColumn": 68,
-  "Match": "secret\": \"4fae1797297d5c73819a504516f2de7740e4b52d\"",
-  "Secret": "4fae1797297d5c73819a504516f2de7740e4b52d",
-  "File": ".config/.secrets.baseline",
-  "SymlinkFile": "",
-  "Commit": "f046ed0c486cba258a6d50e7124566a314b87c8e",
-  "Entropy": 3.7898228,
-  "Author": "Mark Bolwell",
-  "Email": "[email protected]",
-  "Date": "2023-09-11T09:06:43Z",
-  "Message": "added pre-commit setup\n\nSigned-off-by: Mark Bolwell \u003c[email protected]\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "f046ed0c486cba258a6d50e7124566a314b87c8e:.config/.secrets.baseline:generic-api-key:125"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 135,
-  "EndLine": 135,
-  "StartColumn": 18,
-  "EndColumn": 68,
-  "Match": "secret\": \"f395ee0a2d842bfcf81da0aad13591e2a9311fe1\"",
-  "Secret": "f395ee0a2d842bfcf81da0aad13591e2a9311fe1",
-  "File": ".config/.secrets.baseline",
-  "SymlinkFile": "",
-  "Commit": "f046ed0c486cba258a6d50e7124566a314b87c8e",
-  "Entropy": 3.618454,
-  "Author": "Mark Bolwell",
-  "Email": "[email protected]",
-  "Date": "2023-09-11T09:06:43Z",
-  "Message": "added pre-commit setup\n\nSigned-off-by: Mark Bolwell \u003c[email protected]\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "f046ed0c486cba258a6d50e7124566a314b87c8e:.config/.secrets.baseline:generic-api-key:135"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 145,
-  "EndLine": 145,
-  "StartColumn": 18,
-  "EndColumn": 68,
-  "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"",
-  "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
-  "File": ".config/.secrets.baseline",
-  "SymlinkFile": "",
-  "Commit": "f046ed0c486cba258a6d50e7124566a314b87c8e",
-  "Entropy": 3.8439426,
-  "Author": "Mark Bolwell",
-  "Email": "[email protected]",
-  "Date": "2023-09-11T09:06:43Z",
-  "Message": "added pre-commit setup\n\nSigned-off-by: Mark Bolwell \u003c[email protected]\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "f046ed0c486cba258a6d50e7124566a314b87c8e:.config/.secrets.baseline:generic-api-key:145"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 479,
-  "EndLine": 479,
-  "StartColumn": 23,
-  "EndColumn": 63,
-  "Match": "password_hash: \"grub.pbkdf2.sha512.10000\"",
-  "Secret": "grub.pbkdf2.sha512.10000",
-  "File": "defaults/main.yml",
-  "SymlinkFile": "",
-  "Commit": "ea067d7f8f12f2a81d7b2b99449799b1fae1ae51",
-  "Entropy": 3.8035088,
-  "Author": "Mark Bolwell",
-  "Email": "[email protected]",
-  "Date": "2023-07-10T15:12:00Z",
-  "Message": "updated default vars\n\nSigned-off-by: Mark Bolwell \u003c[email protected]\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "ea067d7f8f12f2a81d7b2b99449799b1fae1ae51:defaults/main.yml:generic-api-key:479"
- }
-]
+[]

.config/.secrets.baseline

@@ -75,10 +75,6 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
-    {
-      "path": "detect_secrets.filters.common.is_baseline_file",
-      "filename": ".config/.secrets.baseline"
-    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -113,48 +109,11 @@
     {
       "path": "detect_secrets.filters.regex.should_exclude_file",
       "pattern": [
-        ".config/.gitleaks-report.json"
+        ".config/.gitleaks-report.json",
+        "tasks/parse_etc_password.yml"
       ]
     }
   ],
-  "results": {
-    "defaults/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "defaults/main.yml",
-        "hashed_secret": "4fae1797297d5c73819a504516f2de7740e4b52d",
-        "is_verified": false,
-        "line_number": 480,
-        "is_secret": false
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "defaults/main.yml",
-        "hashed_secret": "0f5b530255e5a064cc73699e4fa44ba8b2ad399f",
-        "is_verified": false,
-        "line_number": 623,
-        "is_secret": false
-      }
-    ],
-    "tasks/main.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/main.yml",
-        "hashed_secret": "f395ee0a2d842bfcf81da0aad13591e2a9311fe1",
-        "is_verified": false,
-        "line_number": 54,
-        "is_secret": false
-      }
-    ],
-    "tasks/parse_etc_password.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/parse_etc_password.yml",
-        "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
-        "is_verified": false,
-        "line_number": 16
-      }
-    ]
-  },
-  "generated_at": "2023-09-19T11:33:19Z"
+  "results": {},
+  "generated_at": "2023-09-19T12:32:59Z"
 }

.pre-commit-config.yaml

@@ -34,13 +34,14 @@ repos:
   hooks:
   - id: detect-secrets
     args: [ '--baseline', '.config/.secrets.baseline' ]
-    exclude: .config/.gitleaks-report.json
+    exclude: .config/.gitleaks-report.json tasks/parse_etc_password
 
 - repo: https://github.com/gitleaks/gitleaks
   rev: v8.17.0
   hooks:
   - id: gitleaks
     args: ['--baseline-path', '.config/.gitleaks-report.json']
+    exclude: .config/.secrets.baseline
 
 - repo: https://github.com/ansible-community/ansible-lint
   rev: v6.17.2

defaults/main.yml

@@ -477,7 +477,7 @@ ubtu20cis_set_grub_password: true
 ubtu20cis_grub_user_file: /etc/grub.d/40_custom
 ubtu20cis_grub_user: root
 ubtu20cis_grub_file: /boot/grub/grub.cfg
-ubtu20cis_bootloader_password_hash: "grub.pbkdf2.sha512.10000"
+ubtu20cis_bootloader_password_hash: "grub.pbkdf2.sha512.10000"  # pragma: allowlist secret
 
 # Change the following value to true if you wish to be prompted to get past grub bootloader
 ubtu20cis_ask_passwd_to_boot: false
@@ -620,7 +620,7 @@ ubtu20cis_sudo_timestamp_timeout: 15
 ubtu20cis_sugroup: nosugroup
 
 # Controls 4.4.x
-ubtu20cis_passwd_hash_algo: sha512
+ubtu20cis_passwd_hash_algo: sha512  # pragma: allowlist secret
 # pam_tally2 login options allows for audit to be removed if required
 ubtu20cis_pamtally2_login_opts: 'onerr=fail audit silent deny=5 unlock_time=900'
 

tasks/main.yml

@@ -51,7 +51,7 @@
             fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
             success_msg: "You have a password set for sudo user {{ ansible_env.SUDO_USER }}"
         vars:
-            sudo_password_rule: ubtu20cis_rule_4_3_4
+            sudo_password_rule: ubtu20cis_rule_4_3_4  # pragma: allowlist secret
   when:
       - ubtu20cis_rule_4_3_4
       - ansible_env.SUDO_USER is defined