Merge pull request #29 from ansible-lockdown/devel

Final v1r7 release to main

.gitignore

@@ -3,15 +3,16 @@
 *.retry
 .cache
 .vagrant
-vagrantfile
-Vagrantfile
 tests/*redhat-subscription
 tests/Dockerfile
 *.iso
 *.box
 packer_cache
 delete*
 ignore*
+test_inv
+# temp remove doc while this is built up
+doc/
 # VSCode
 .vscode
 
@@ -45,4 +46,3 @@ benchparse/
 
 # GitHub Action/Workflow files
 .github/
-.DS_Store

.pre-commit-config.yaml

@@ -33,16 +33,14 @@ repos:
   rev: v1.4.0
   hooks:
   - id: detect-secrets
-    args: [ '--baseline', '.config/.secrets.baseline' ]
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.18.0
+  rev: v8.18.2
   hooks:
   - id: gitleaks
-    args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v6.21.1
+  rev: v24.2.0
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -61,6 +59,6 @@ repos:
     - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.32.0  # or higher tag
+  rev: v1.35.1  # or higher tag
   hooks:
   - id: yamllint

ChangeLog.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## Based on Stig v1r7 - Jan 2023
+
+- ansible version updated to 2.10.1 minimum
+- updates to pre-commit config
+- gitignore updated
+
 ## Release 0.9.1
 
 - yamllint update
@@ -15,7 +21,7 @@ Issues
 - thanks to @kfiresmith
   - #11
   - #12
-- thanks to €aelx-rowe
+- thanks to @alex-rowe
   - #13
 
 ## Release 0.9.0

meta/main.yml

@@ -7,7 +7,7 @@ galaxy_info:
     license: MIT
     role_name: ubuntu20_stig
     namespace: mindpointgroup
-    min_ansible_version: 2.9.0
+    min_ansible_version: 2.10.1
     platforms:
         - name: Ubuntu
           versions:

site.yml

@@ -1,6 +1,7 @@
 ---
 
-- hosts: all  # noqa: name[play]
+- name: Run Ubuntu20-stig remediation role
+  hosts: all
   become: true
 
   roles:

tasks/fix-cat1.yml

@@ -191,7 +191,7 @@
 - name: "HIGH | UBTU-20-010048 | PATCH | The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements."
   ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
-      regexp: '^#?(\s+|)X11Forwarding'
+      regexp: '^#?X11Forwarding'
       line: "X11Forwarding no"
   notify: restart sshd
   when:

tasks/main.yml

@@ -1,10 +1,17 @@
 ---
 
-- name: Gather distribution info
-  ansible.builtin.setup:
-      gather_subset: distribution,!all,!min
-  when:
-      - ansible_distribution is not defined
+- name: Check OS version and family
+  ansible.builtin.assert:
+      that: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version_compare('20', '==')
+      msg: "This role can only be run against Ubuntu 20. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
+  tags:
+      - always
+
+- name: Check ansible version
+  ansible.builtin.assert:
+      that: ansible_version.full is version_compare(min_ansible_version, '>=')
+      fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
+      success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
   tags:
       - always
 

tasks/parse_etc_passwd.yml

@@ -16,7 +16,7 @@
         vars:
             ld_passwd_regex: >-
                 ^(?P<id>[^:]*):(?P<password>[^:]*):(?P<uid>[^:]*):(?P<gid>[^:]*):(?P<gecos>[^:]*):(?P<dir>[^:]*):(?P<shell>[^:]*)
-            ld_passwd_yaml: |
+            ld_passwd_yaml: |  # pragma: allowlist secret
                 id: >-4
                     \g<id>
                 password: >-4

vars/main.yml

@@ -1,6 +1,7 @@
 ---
 
 # vars file for .
+min_ansible_version: 2.10.1
 
 # Used to control warning summary
 warn_control_list: ""