From 4107f1fbdb4e635a8fd326866ab82dc653971a76 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Mar 2024 16:39:08 +0000 Subject: [PATCH 1/4] config updates Signed-off-by: Mark Bolwell --- .gitignore | 6 +++--- .pre-commit-config.yaml | 2 -- tasks/parse_etc_passwd.yml | 2 +- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.gitignore b/.gitignore index c4d29c3..f67408e 100644 --- a/.gitignore +++ b/.gitignore @@ -3,8 +3,6 @@ *.retry .cache .vagrant -vagrantfile -Vagrantfile tests/*redhat-subscription tests/Dockerfile *.iso @@ -12,6 +10,9 @@ tests/Dockerfile packer_cache delete* ignore* +test_inv +# temp remove doc while this is built up +doc/ # VSCode .vscode @@ -45,4 +46,3 @@ benchparse/ # GitHub Action/Workflow files .github/ -.DS_Store diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 82858b5..717f0e6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -33,13 +33,11 @@ repos: rev: v1.4.0 hooks: - id: detect-secrets - args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks rev: v8.18.2 hooks: - id: gitleaks - args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint rev: v24.2.0 diff --git a/tasks/parse_etc_passwd.yml b/tasks/parse_etc_passwd.yml index ce4f48f..47b4a7f 100644 --- a/tasks/parse_etc_passwd.yml +++ b/tasks/parse_etc_passwd.yml @@ -16,7 +16,7 @@ vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) - ld_passwd_yaml: | + ld_passwd_yaml: | # pragma: allowlist secret id: >-4 \g password: >-4 From 3a1319fdb954eb88cb1f314860f4f74efcd3d563 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Mar 2024 16:39:46 +0000 Subject: [PATCH 2/4] lint updates 
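Review bot: Removing `args: ['--baseline-path', '.config/.gitleaks-report.json']` from the gitleaks hook leaves that report file orphaned: PATCH 2 in this series deletes `.config/.secrets.baseline` but nothing in the series removes `.config/.gitleaks-report.json`, so a gitleaks report of previously matched strings appears to stay in the repository while no longer being read by any hook. If the findings it records were false positives, they will now be reported on every commit; if they were real, the report itself is the more sensitive artefact and should go with the baseline. Either delete it in the same change or keep the `--baseline-path` argument until the report has been reviewed. The `repos:` sequence these hooks belong to starts and ends outside the hunk.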
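Review bot: The `# pragma: allowlist secret` added on `ld_passwd_yaml: |` only allowlists the header line of the block scalar, because the detect-secrets allowlist filter is evaluated per line; the credential-looking text (`password: >-4` and the capture reference below it) sits two lines further down inside the literal block, where a comment cannot be placed without becoming part of the scalar's content. The file-level exclusion that previously covered this path (`should_exclude_file` pattern `tasks/parse_etc_passwd.yml` in `.config/.secrets.baseline`) is deleted in PATCH 2, so I would confirm the hook is actually quiet on this file after the series is applied. If it is not, exclude the file on the hook instead of relying on the pragma: `exclude: ^tasks/parse_etc_passwd\.yml$` under `- id: detect-secrets` in `.pre-commit-config.yaml`. The `vars:` mapping this key belongs to starts and ends outside the hunk.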
Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 119 -------------------------------------- site.yml | 3 +- 2 files changed, 2 insertions(+), 120 deletions(-) delete mode 100644 .config/.secrets.baseline diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline deleted file mode 100644 index 9887dca..0000000 --- a/.config/.secrets.baseline +++ /dev/null 
@@ -1,119 +0,0 @@ -{ - "version": "1.4.0", - "plugins_used": [ - { - "name": "ArtifactoryDetector" - }, - { - "name": "AWSKeyDetector" - }, - { - "name": "AzureStorageKeyDetector" - }, - { - "name": "Base64HighEntropyString", - "limit": 4.5 - }, - { - "name": "BasicAuthDetector" - }, - { - "name": "CloudantDetector" - }, - { - "name": "DiscordBotTokenDetector" - }, - { - "name": "GitHubTokenDetector" - }, - { - "name": "HexHighEntropyString", - "limit": 3.0 - }, - { - "name": "IbmCloudIamDetector" - }, - { - "name": "IbmCosHmacDetector" - }, - { - "name": "JwtTokenDetector" - }, - { - "name": "KeywordDetector", - "keyword_exclude": "" - }, - { - "name": "MailchimpDetector" - }, - { - "name": "NpmDetector" - }, - { - "name": "PrivateKeyDetector" - }, - { - "name": "SendGridDetector" - }, - { - "name": "SlackDetector" - }, - { - "name": "SoftlayerDetector" - }, - { - "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TwilioKeyDetector" - } - ], - "filters_used": [ - { - "path": "detect_secrets.filters.allowlist.is_line_allowlisted" - }, - { - "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", - "min_level": 2 - }, - { - "path": "detect_secrets.filters.heuristic.is_indirect_reference" - }, - { - "path": "detect_secrets.filters.heuristic.is_likely_id_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_lock_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_potential_uuid" - }, - { - "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" - }, - { - "path": "detect_secrets.filters.heuristic.is_sequential_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_swagger_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_templated_secret" - }, - { - "path": "detect_secrets.filters.regex.should_exclude_file", - "pattern": [ - ".config/.gitleaks-report.json", - 
"tasks/parse_etc_passwd.yml" - ] - } - ], - "results": {}, - "generated_at": "2023-09-20T12:31:28Z" -} diff --git a/site.yml b/site.yml index ddb551b..1082c66 100644 --- a/site.yml +++ b/site.yml @@ -1,6 +1,7 @@ --- -- hosts: all # noqa: name[play] +- name: Run Ubuntu20-stig remediation role + hosts: all become: true roles: From 258713e762919d2569a53ec764bcba84ac57bc02 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Mar 2024 16:40:11 +0000 Subject: [PATCH 3/4] updated Signed-off-by: Mark Bolwell --- ChangeLog.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog.md b/ChangeLog.md index 2c7f534..8583848 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,5 +1,11 @@ # Changelog +## Based on Stig v1r7 - Jan 2023 + +- ansible version updated to 2.10.1 minimum +- updates to pre-commit config +- gitignore updated + ## Release 0.9.1 - yamllint update @@ -15,7 +21,7 @@ Issues - thanks to @kfiresmith - #11 - #12 -- thanks to €aelx-rowe +- thanks to @alex-rowe - #13 ## Release 0.9.0 From 9b5fb28089c29d3b2a4834f8346bed15d18bfa90 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Mar 2024 16:44:00 +0000 Subject: [PATCH 4/4] updates to min ansible version and chk. Signed-off-by: Mark Bolwell --- meta/main.yml | 2 +- tasks/main.yml | 17 ++++++++++++----- vars/main.yml | 1 + 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index 554c73c..17b6d39 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -7,7 +7,7 @@ galaxy_info: license: MIT role_name: ubuntu20_stig namespace: mindpointgroup - min_ansible_version: 2.9.0 + min_ansible_version: 2.10.1 platforms: - name: Ubuntu versions: diff --git a/tasks/main.yml b/tasks/main.yml index c089d00..0e5d002 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -1,10 +1,17 @@ --- -- name: Gather distribution info - ansible.builtin.setup: - gather_subset: distribution,!all,!min - when: - - ansible_distribution is not defined +- name: Check OS version and family + ansible.builtin.assert: + that: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version_compare('20', '==') + msg: "This role can only be run against Ubuntu 20. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." + tags: + - always + +- name: Check ansible version + ansible.builtin.assert: + that: ansible_version.full is version_compare(min_ansible_version, '>=') + fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" + success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" tags: - always diff --git a/vars/main.yml b/vars/main.yml index aca9029..f185b68 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,6 +1,7 @@ --- # vars file for . +min_ansible_version: 2.10.1 # Used to control warning summary warn_control_list: ""
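Review bot: The new `Check OS version and family` assert reads `ansible_distribution` and `ansible_distribution_major_version` in both `that:` and `msg:`, but the task this hunk removes (`ansible.builtin.setup` with `gather_subset: distribution,!all,!min`, run `when: ansible_distribution is not defined`) was what guaranteed those facts exist; on a play with `gather_facts: false` the assert now fails with an undefined-variable error instead of the intended message, and the version check below it never runs. Keep the fact-gathering task ahead of the assert, tagged `always` so it survives tag filtering, as sketched below. Separately, `version_compare` is the legacy name of the `version` test (`is version('20', '==')`, `is version(min_ansible_version, '>=')`); switching is cosmetic but keeps the file on the documented name. The hunk shows two more context lines in its counts than are visible here, so the tail of the second task may continue past what is shown.
```yaml
- name: Gather distribution facts
  ansible.builtin.setup:
    gather_subset: distribution,!all,!min
  when:
    - ansible_distribution is not defined
  tags:
    - always

- name: Check OS version and family
  # … unchanged: assert on ansible_distribution / major version …

- name: Check ansible version
  # … unchanged: assert on ansible_version.full vs min_ansible_version …
```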