Merge pull request #134 from ansible-lockdown/devel

New Benchmark updates and issue fixes
Signed-off-by: George Nalen <[email protected]>

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,32 @@
+---
+name: Report Issue
+about: Create a bug issue ticket to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the Issue**
+A clear and concise description of what the bug is.
+
+**Expected Behavior**
+A clear and concise description of what you expected to happen.
+
+**Actual Behavior**
+A clear and concise description of what's happening.
+
+**Control(s) Affected**
+What controls are being affected by the issue
+
+**Environment (please complete the following information):**
+ - Ansible Version: [e.g. 2.10] 
+ - Host Python Version: [e.g. Python 3.7.6]
+ - Ansible Server Python Version: [e.g. Python 3.7.6]
+ - Additional Details:
+
+**Additional Notes**
+Anything additional goes here
+
+**Possible Solution**
+Enter a suggested fix here

.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md

@@ -0,0 +1,21 @@
+---
+name: Feature Request or Enhancement
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+**Feature Request or Enhancement**
+ - Feature []
+ - Enhancement []
+
+**Summary of Request**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Suggested Code**
+Please provide any code you have in mind to fulfill the request

.github/ISSUE_TEMPLATE/question.md

@@ -0,0 +1,17 @@
+---
+name: Question
+about: Ask away.......
+title: ''
+labels: question
+assignees: ''
+
+---
+
+**Question**
+Pose question here. 
+
+**Environment (please complete the following information):**
+ - Ansible Version: [e.g. 2.10] 
+ - Host Python Version: [e.g. Python 3.7.6]
+ - Ansible Server Python Version: [e.g. Python 3.7.6]
+ - Additional Details:

.github/pull_request_template.md

@@ -0,0 +1,12 @@
+**Overall Review of Changes:**
+A general description of the changes made that are being requested for merge
+
+**Issue Fixes:**
+Please list (using linking) any open issues this PR addresses
+
+**Enhancements:**
+Please list any enhancements/features that are not open issue tickets
+
+**How has this been tested?:**
+Please give an overview of how these changes were tested. If they were not please use N/A
+

.github/workflows/develtomain.yml

@@ -10,6 +10,7 @@ on:
  branches: [ main ]
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
+
 jobs:
  # This workflow contains a single job called "build"
  build:

.yamllint

@@ -8,16 +8,16 @@ ignore: |
 extends: default
 
 rules:
- indentation:
- # Requiring 4 space indentation
- spaces: 4
- # Requiring consistent indentation within a file, either indented or not
- indent-sequences: consistent
- truthy: disable
- braces:
- max-spaces-inside: 1
- level: error
- brackets:
- max-spaces-inside: 1
- level: error
- line-length: disable
+  indentation:
+  # Requiring 4 space indentation
+  spaces: 4
+  # Requiring consistent indentation within a file, either indented or not
+  indent-sequences: consistent
+  truthy: disable
+  braces:
+  max-spaces-inside: 1
+  level: error
+  brackets:
+  max-spaces-inside: 1
+  level: error
+  line-length: disable

Changelog.md

@@ -1,47 +1,68 @@
 # Changes to rhel8CIS
 
+## 1.3.1
+- CIS 1.0.1 updates
+- Added Issue and PR templates
+- Added better reboot logic
+- Added options to ensure idempotence
+- Enhanced flush handlers
+- Typo fixes
+- mount check improvements
+- Linting fixes
+- Added systemd tmp mount
+- Added systemd tmpfs block
+- #110 tmp.mount support
+ - thanks to @erpadmin
+
+
+## 1.3
+
+- extentions to LE audit capability
+- more lint and layout changes
+- sugroup assertion added 5.7
+- added extra logic variable to authselect/config section 5.3 related
+- AlmaLinux and Rocky tested (comments in readme - also rsyslog installed at build or will fail)
+- section 1.1 mount work has been rewritten and systemd tmp mount options added
+
+## 1.2.3
+
+- #117 sugroup enhancements
+ - thanks to @ihotz
+- #112 use of dnf module not shell
+ - thanks to @wolskie
+
 ## 1.2.2
 
 - #33 mkgrub missing variable issues - efi and bios path resolution
- - thanks to mrampant & mickey1928geo
+ - thanks to @mrampant & @mickey1928geo
 - #102 2.2.2 xorg pkg removal extended
- - thanks to RosarioVinoth
+ - thanks to @RosarioVinoth
 - #104 5.4.1 pwquality logic
- - thanks to RosarioVinoth
+ - thanks to @RosarioVinoth
 - #107 Idempotence improvement for 4.1.1.3 and 4.1.1.4
- - thanks to andreyzher
-
+ - thanks to @andreyzher
 - lint changes and updates to sync with ansible-galaxy
 
 ## v1.2.1
 
 - bootloader and default variables
 - empty strings lint updates
-
-### 87
-
+- #87
 - rule 6.1.1 - audit only - outputs file discrepancies to {{ rhel8cis_rpm_audit_file }}
-
-### 88
-
+- #88
 - checkmode_improvements added to relevant tasks
-
-### PR #96
-
+- PR #96
 - crypto policy idempotency
 
 ## v1.2.0
 
-### 86
-
+- #86
 - Adding on the goss auditing tool
 - remove deprecated warnings
 - format and layout
 - general improvements
 - readme updates
 - use ansible package_facts
-
-### 90
-
+- #90
 - cis fix - nfs-server not nfs
  - Thanks to danderemer

README.md

@@ -5,13 +5,13 @@ RHEL 8 CIS
 ![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL8-CIS/DevelToMain?label=Main%20Build%20Status&style=plastic)
 ![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL8-CIS?style=plastic)
 
-
 Configure RHEL/Centos 8 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant
 
-Based on [CIS RedHat Enterprise Linux 8 Benchmark v1.0.0 - 09-30-2019 ](https://www.cisecurity.org/cis-benchmarks/)
+Based on [CIS RedHat Enterprise Linux 8 Benchmark v1.0.1 - 05-19-2021 ](https://www.cisecurity.org/cis-benchmarks/)
 
 Caution(s)
 -------
+
 This role **will make changes to the system** which may have unintended concequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
 
 This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed.
@@ -20,12 +20,13 @@ To use release version please point to main branch
 
 Documentation
 -------------
-[Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)<br>
-[Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)<br>
-[Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)<br>
-[Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)<br>
-[Wiki](https:/ansible-lockdown/RHEL8-CIS/wiki)<br>
-[Repo GitHub Page](https://ansible-lockdown.github.io/RHEL8-CIS/)<br>
+
+- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)
+- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)
+- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)
+- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)
+- [Wiki](https:/ansible-lockdown/RHEL8-CIS/wiki)
+- [Repo GitHub Page](https://ansible-lockdown.github.io/RHEL8-CIS/)
 
 Auditing (new)
 --------------
@@ -39,40 +40,45 @@ This audit will not only check the config has the correct setting but aims to ca
 
 Refer to [RHEL8-CIS-Audit](https:/ansible-lockdown/RHEL8-CIS-Audit).
 
-
 Requirements
 ------------
 
-RHEL 8 or CentOS 8 - Other versions are not supported.
-Access to download or add the goss binary and content to the system if using auditing. options are available on how to get the content to the system.
+RHEL/AlmaLinux/CentOS/Rocky 8 - Other versions are not supported.
+
+- AlmaLinux/Rocky Has been tested on 8.4(enabling crypto (sections 1.10&1.11) breaks updating or installs 01Jul2021
+- Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.)
 
 **General:**
+
 - Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible
  - [Main Ansible documentation page](https://docs.ansible.com)
  - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html)
  - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
  - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
-- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. 
+- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup.
 - Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https:/ansible-lockdown/RHEL8-CIS/wiki/Main-Variables).
 
 Dependencies
 ------------
+
 - Python3
 - Ansible 2.9+
 - python-def (should be included in RHEL/CentOS 8)
 - libselinux-python
 
 Role Variables
 --------------
-This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https:/ansible-lockdown/RHEL8-CIS/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions.
 
+This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https:/ansible-lockdown/RHEL8-CIS/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions.
 
 Tags
 ----
-There are many tags available for added control precision. Each control has it's own set of tags noting what level, if it's scored/notscored, what OS element it relates to, if it's a patch or audit, and the rule number. 
 
-Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag services, this task will be skipped. The opposite can also happen where you run only controls tagged with services. 
-```
+There are many tags available for added control precision. Each control has it's own set of tags noting what level, if it's scored/notscored, what OS element it relates to, if it's a patch or audit, and the rule number.
+
+Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag services, this task will be skipped. The opposite can also happen where you run only controls tagged with services.
+
+```txt
  tags:
  - level1-server
  - level1-workstation
@@ -88,7 +94,9 @@ Example Audit Summary
 
 This is based on a vagrant image with selections enabled. e.g. No Gui or firewall.
 Note: More tests are run during audit as we check config and running state.
-````
+
+```txt
+
 ok: [default] => {
  "msg": [
  "The pre remediation results are: ['Total Duration: 5.454s', 'Count: 338, Failed: 47, Skipped: 5'].",
@@ -100,18 +108,21 @@ ok: [default] => {
 
 PLAY RECAP *******************************************************************************************************************************************
 default : ok=270 changed=23 unreachable=0 failed=0 skipped=140 rescued=0 ignored=0 
-````
+```
+
 Branches
 -------
-**devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch<br>
-**main** - This is the release branch<br>
-**reports** - This is a protected branch for our scoring reports, no code should ever go here<br>
-**all other branches** - Individual community member branches<br>
+
+- devel - This is the default branch and the working development branch. Community pull requests will pull into this branch
+- main - This is the release branch
+- reports - This is a protected branch for our scoring reports, no code should ever go here
+- all other branches** - Individual community member branches
 
 Community Contribution
 ----------------------
 
-We encourage you (the community) to contribute to this role. Please read the rules below. 
+We encourage you (the community) to contribute to this role. Please read the rules below.
+
 - Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge.
 - All community Pull Requests are pulled into the devel branch
 - Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved