ansible-lockdown · uk-bolly · Mar 12, 2024 · Mar 11, 2024 · Mar 11, 2024 · Mar 11, 2024
diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
diff --git a/.gitignore b/.gitignore
@@ -3,15 +3,16 @@
 *.retry
 .cache
 .vagrant
-vagrantfile
-Vagrantfile
 tests/*redhat-subscription
 tests/Dockerfile
 *.iso
 *.box
 packer_cache
 delete*
 ignore*
+test_inv
+# temp remove doc while this is built up
+doc/
 # VSCode
 .vscode
 
@@ -45,4 +46,3 @@ benchparse/
 
 # GitHub Action/Workflow files
 .github/
-.DS_Store
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -33,13 +33,11 @@ repos:
   rev: v1.4.0
   hooks:
   - id: detect-secrets
-    args: [ '--baseline', '.config/.secrets.baseline' ]
 
 - repo: https://github.com/gitleaks/gitleaks
   rev: v8.18.2
   hooks:
   - id: gitleaks
-    args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
   rev: v24.2.0

diff --git a/ChangeLog.md b/ChangeLog.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## Based on Stig v1r7 - Jan 2023
+
+- ansible version updated to 2.10.1 minimum
+- updates to pre-commit config
+- gitignore updated
+
 ## Release 0.9.1
 
 - yamllint update
@@ -15,7 +21,7 @@ Issues
 - thanks to @kfiresmith
   - #11
   - #12
-- thanks to €aelx-rowe
+- thanks to @alex-rowe
   - #13
 
 ## Release 0.9.0

diff --git a/meta/main.yml b/meta/main.yml
@@ -7,7 +7,7 @@ galaxy_info:
     license: MIT
     role_name: ubuntu20_stig
     namespace: mindpointgroup
-    min_ansible_version: 2.9.0
+    min_ansible_version: 2.10.1
     platforms:
         - name: Ubuntu
           versions:

diff --git a/site.yml b/site.yml
@@ -1,6 +1,7 @@
 ---
 
-- hosts: all  # noqa: name[play]
+- name: Run Ubuntu20-stig remediation role
+  hosts: all
   become: true
 
   roles:

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,10 +1,17 @@
 ---
 
-- name: Gather distribution info
-  ansible.builtin.setup:
-      gather_subset: distribution,!all,!min
-  when:
-      - ansible_distribution is not defined
+- name: Check OS version and family
+  ansible.builtin.assert:
+      that: ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version_compare('20', '==')
+      msg: "This role can only be run against Ubuntu 20. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
+  tags:
+      - always
+
+- name: Check ansible version
+  ansible.builtin.assert:
+      that: ansible_version.full is version_compare(min_ansible_version, '>=')
+      fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
+      success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
   tags:
       - always
 

diff --git a/tasks/parse_etc_passwd.yml b/tasks/parse_etc_passwd.yml
@@ -16,7 +16,7 @@
         vars:
             ld_passwd_regex: >-
                 ^(?P<id>[^:]*):(?P<password>[^:]*):(?P<uid>[^:]*):(?P<gid>[^:]*):(?P<gecos>[^:]*):(?P<dir>[^:]*):(?P<shell>[^:]*)
-            ld_passwd_yaml: |
+            ld_passwd_yaml: |  # pragma: allowlist secret
                 id: >-4
                     \g<id>
                 password: >-4

diff --git a/vars/main.yml b/vars/main.yml
@@ -1,6 +1,7 @@
 ---
 
 # vars file for .
+min_ansible_version: 2.10.1
 
 # Used to control warning summary
 warn_control_list: ""