ansible-lockdown · uk-bolly · Mar 21, 2023 · Mar 20, 2023 · Mar 20, 2023 · Mar 20, 2023
diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf
@@ -5,7 +5,6 @@ provider "aws" {
 
 // Create a security group with access to port 22 and port 80 open to serve HTTP traffic
 
-
 resource "random_id" "server" {
  keepers = {
  # Generate a new id each time we switch to a new AMI id
@@ -80,4 +79,3 @@ resource "local_file" "inventory" {
  audit_git_version: devel
  EOF
 }
-
diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml
@@ -14,7 +14,8 @@ jobs:
  update_role:
  runs-on: ubuntu-latest
  steps:
- - uses: actions/checkout@v2
- - uses: hspaans/ansible-galaxy-action@master
+ - uses: actions/checkout@v3
+ - uses: robertdebock/galaxy-action@master
  with:
- api_key: ${{ secrets.GALAXY_API_KEY }}
+ galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
+ git_branch: main
diff --git a/.yamllint b/.yamllint
@@ -20,6 +20,8 @@ rules:
  brackets:
  max-spaces-inside: 1
  level: error
+ empty-lines:
+ max: 1
  line-length: disable
  key-duplicates: enable
  new-line-at-end-of-file: enable

diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
@@ -61,7 +61,6 @@ following text in your contribution commit message:
 
 ::
 
-
 This message can be entered manually, or if you have configured git
 with the correct `user.name` and `user.email`, you can use the `-s`
 option to `git commit` to automatically include the signoff message.
diff --git a/README.md b/README.md
@@ -165,7 +165,6 @@ uses:
 - runs the audit using the devel branch
 - This is an automated test that occurs on pull requests into devel
 
-
 ## Local Testing
 
 Molecule can be used to work on this role and test in distinct _scenarios_.
@@ -179,6 +178,7 @@ molecule verify -s localhost
 ```
 
 local testing uses:
+
 - ansible 2.13.3
 - molecule 4.0.1
 - molecule-docker 2.0.0

diff --git a/ansible.cfg b/ansible.cfg
@@ -12,7 +12,6 @@ stdout_callback = yaml
 # Use the stdout_callback when running ad-hoc commands.
 #bin_ansible_callbacks = True
 
-
 [privilege_escalation]
 
 [paramiko_connection]

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -388,7 +388,6 @@ rhel8cis_telnet_required: false
 rhel8cis_openldap_clients_required: false
 rhel8cis_tftp_client: false
 
-
 rhel8cis_allow_autofs: false
 
 ## Section 1 vars
@@ -414,7 +413,6 @@ rhel8cis_rh_sub_password: password
 # RedHat Satellite Subscription items
 rhel8cis_rhnsd_required: false
 
-
 # xinetd required
 rhel8cis_xinetd_required: false
 
@@ -589,7 +587,6 @@ rhel8cis_ssh_loglevel: INFO
 # 5.2.19 SSH MaxSessions setting. Must be 10 or less
 rhel8cis_ssh_maxsessions: 10
 
-
 # 5.3.1 Enable automation to create custom profile settings, using the settings above
 rhel8cis_authselect_custom_profile_create: false
 
@@ -625,7 +622,6 @@ rhel8cis_pass:
  min_days: 7
  warn_age: 7
 
-
 # 5.6.1.4
 rhel8cis_inactivelock:
  lock_days: 30
@@ -659,7 +655,6 @@ rhel8cis_rpm_audit_file: /var/tmp/rpm_file_check
 rhel8cis_no_world_write_adjust: true
 rhel8cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
 
-
 # 6.2.9 - adjusting symlinks in home directories
 # Default in ansible is true this causes lots of issues for many users
 # set as variable so can be overridden but default is not to follow.

diff --git a/meta/main.yml b/meta/main.yml
@@ -22,11 +22,8 @@ galaxy_info:
  - redhat
  - rhel
  - compliance
-
-
 collections:
  - community.general
  - community.crypto
  - ansible.posix
-
 dependencies: []
diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml
@@ -61,7 +61,7 @@
  - automated
  - patch
  - cups
- - rule_2.2.3
+ - rule_2.2.4
 
 - name: "2.2.5 | PATCH | Ensure DHCP Server is not installed"
  package:
@@ -247,14 +247,14 @@
  when:
  - not rhel8cis_nis_server
  - "'ypserv' in ansible_facts.packages"
- - rhel8cis_rule_2_2_17
+ - rhel8cis_rule_2_2_15
  tags:
  - level1-server
  - level1-workstation
  - automated
  - patch
  - nis
- - rule_2.2.17
+ - rule_2.2.15
 
 - name: "2.2.16 | PATCH | Ensure telnet-server is not installed"
  package:

diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
@@ -68,7 +68,6 @@
  line: "blacklist dccp"
  create: true
  mode: 0600
-
  when:
  - rhel8cis_rule_3_1_3
  tags:

diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml
@@ -263,7 +263,7 @@
  - automated
  - patch
  - nftables
- - rule_3.4.3.5
+ - rule_3.4.3.8
 
 - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy"
  block:
@@ -330,7 +330,7 @@
  - automated
  - patch
  - nftables
- - rule_3.4.3.7
+ - rule_3.4.3.10
 
 - name: "3.4.2.11 | PATCH | Ensure nftables rules are permanent"
  lineinfile:

diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml
@@ -12,7 +12,6 @@
 - name: "SECTION | 4.1.3.x| Configure auditd rules"
  import_tasks: cis_4.1.3.x.yml
 
-
 # 4.2 Configure Logging
 - name: "SECTION | 4.2.1.x| Configure rsyslog"
  import_tasks: cis_4.2.1.x.yml

diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml
@@ -32,7 +32,7 @@
  lineinfile:
  path: /etc/sudoers
  regexp: '^Defaults\s+logfile='
- line: 'Defaults logfile="{{ rhel8cis_sudolog_location }}"'
+ line: 'Defaults logfile={{ rhel8cis_sudolog_location }}'
  when:
  - rhel8cis_rule_5_3_3
  tags:

diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml
@@ -13,7 +13,7 @@
  - automated
  - patch
  - password
- - rule_5.5.1.1
+ - rule_5.6.1.1
 
 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
  lineinfile:
@@ -43,7 +43,7 @@
  - automated
  - patch
  - password
- - rule_5.5.1.3
+ - rule_5.6.1.3
 
 - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less"
  block:
@@ -127,4 +127,4 @@
  - level1-server
  - level1-workstation
  - patch
- - rule_5.5.1.5
+ - rule_5.6.1.5
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
@@ -55,7 +55,7 @@
  - patch
  - stickybits
  - permissons
- - rule_1.1.21
+ - rule_6.1.2
 
 - name: "6.1.3 | PATCH | Ensure permissions on /etc/passwd are configured"
  file:
@@ -137,21 +137,21 @@
  - permissions
  - rule_6.1.7
 
-- name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
+- name: "6.1.8 | PATCH | Ensure permissions on /etc/shadow- are configured"
  file:
  path: /etc/shadow-
  owner: root
  group: root
  mode: 0000
  when:
- - rhel8cis_rule_6_1_6
+ - rhel8cis_rule_6_1_8
  tags:
  - level1-server
  - level1-workstation
  - automated
  - patch
  - permissions
- - rule_6.1.6
+ - rule_6.1.8
 
 - name: "6.1.9 | PATCH | Ensure permissions on /etc/group- are configured"
  file:

diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
@@ -296,7 +296,6 @@
  - users
  - rule_6.2.9
 
-
 - name: "6.2.10 | PATCH | Ensure users own their home directories"
  file:
  path: "{{ item.dir }}"

diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
@@ -23,15 +23,12 @@ rhel8cis_level_2: {{ rhel8cis_level_2 }}
 
 rhel8cis_selinux_disable: {{ rhel8cis_selinux_disable }}
 
-
-
 # to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy
 run_heavy_tests: true
 {% if rhel8cis_legacy_boot is defined %}
 rhel8cis_legacy_boot: {{ rhel8cis_legacy_boot }}
 {% endif %}
 
-
 rhel8cis_set_boot_pass: {{ rhel8cis_set_boot_pass }}
 # These variables correspond with the CIS rule IDs or paragraph numbers defined in
 # the CIS benchmark documents.
@@ -110,11 +107,9 @@ rhel8cis_rule_1_8_3: {{ rhel8cis_rule_1_8_3 }}
 rhel8cis_rule_1_8_4: {{ rhel8cis_rule_1_8_4 }}
 rhel8cis_rule_1_8_5: {{ rhel8cis_rule_1_8_5 }}
 
-
 rhel8cis_rule_1_9: {{ rhel8cis_rule_1_9 }}
 rhel8cis_rule_1_10: {{ rhel8cis_rule_1_10 }}
 
-
 # section 2 rules
 rhel8cis_rule_2_1_1: {{ rhel8cis_rule_2_1_1 }}
 rhel8cis_rule_2_1_2: {{ rhel8cis_rule_2_1_2 }}
@@ -206,7 +201,6 @@ rhel8cis_rule_3_4_3_3_4: {{ rhel8cis_rule_3_4_3_3_4 }}
 rhel8cis_rule_3_4_3_3_5: {{ rhel8cis_rule_3_4_3_3_5 }}
 rhel8cis_rule_3_4_3_3_6: {{ rhel8cis_rule_3_4_3_3_6 }}
 
-
 # Section 4 rules
 rhel8cis_rule_4_1_1_1: {{ rhel8cis_rule_4_1_1_1 }}
 rhel8cis_rule_4_1_1_2: {{ rhel8cis_rule_4_1_1_2 }}
@@ -252,7 +246,6 @@ rhel8cis_rule_4_2_2_1_2: {{ rhel8cis_rule_4_2_2_1_2 }}
 rhel8cis_rule_4_2_2_1_3: {{ rhel8cis_rule_4_2_2_1_3 }}
 rhel8cis_rule_4_2_2_1_4: {{ rhel8cis_rule_4_2_2_1_4 }}
 
-
 rhel8cis_rule_4_2_2_2: {{ rhel8cis_rule_4_2_2_2 }}
 rhel8cis_rule_4_2_2_3: {{ rhel8cis_rule_4_2_2_3 }}
 rhel8cis_rule_4_2_2_4: {{ rhel8cis_rule_4_2_2_4 }}
@@ -275,7 +268,6 @@ rhel8cis_rule_5_1_7: {{ rhel8cis_rule_5_1_7 }}
 rhel8cis_rule_5_1_8: {{ rhel8cis_rule_5_1_8 }}
 rhel8cis_rule_5_1_9: {{ rhel8cis_rule_5_1_9 }}
 
-
 rhel8cis_rule_5_2_1: {{ rhel8cis_rule_5_2_1 }}
 rhel8cis_rule_5_2_2: {{ rhel8cis_rule_5_2_2 }}
 rhel8cis_rule_5_2_3: {{ rhel8cis_rule_5_2_3 }}
@@ -324,7 +316,6 @@ rhel8cis_rule_5_6_3: {{ rhel8cis_rule_5_6_3 }}
 rhel8cis_rule_5_6_4: {{ rhel8cis_rule_5_6_4 }}
 rhel8cis_rule_5_6_5: {{ rhel8cis_rule_5_6_5 }}
 
-
 # Section 6
 rhel8cis_rule_6_1_1: {{ rhel8cis_rule_6_1_1 }}
 rhel8cis_rule_6_1_2: {{ rhel8cis_rule_6_1_2 }}
@@ -359,8 +350,6 @@ rhel8cis_rule_6_2_14: {{ rhel8cis_rule_6_2_14 }}
 rhel8cis_rule_6_2_15: {{ rhel8cis_rule_6_2_15 }}
 rhel8cis_rule_6_2_16: {{ rhel8cis_rule_6_2_16 }}
 
-
-
 # Service configuration booleans set true to keep service
 rhel8cis_avahi_server: {{ rhel8cis_avahi_server }}
 rhel8cis_cups_server: {{ rhel8cis_cups_server }}
@@ -382,8 +371,6 @@ rhel8cis_telnet_server: {{ rhel8cis_telnet_server }}
 rhel8cis_tftp_server: {{ rhel8cis_tftp_server }}
 rhel8cis_vsftpd_server: {{ rhel8cis_vsftpd_server }}
 
-
-
 rhel8cis_allow_autofs: {{ rhel8cis_allow_autofs }}
 
 # client services
@@ -451,7 +438,6 @@ rhel8cis_firewall_interface:
 
 rhel8cis_firewall_services: {% for svc in rhel8cis_firewall_services %}{{ svc }} {% endfor %}
 
-
 ### Section 4
 ## auditd settings
 rhel8cis_auditd: