Oct24_ devel to main

.github/workflows/devel_pipeline_validation.yml

@@ -27,7 +27,7 @@
  jobs:
  # This will create messages for first time contributers and direct them to the Discord server
  welcome:
- runs-on: self-hosted
+ runs-on: ubuntu-latest
 
  steps:
  - uses: actions/first-interaction@main
@@ -55,7 +55,7 @@
 
  steps:
 
- - name: Git clone the lockdown repository to test
+ - name: Git Clone the Lockdown Repository to test
  uses: actions/checkout@v4
  with:
  ref: ${{ github.event.pull_request.head.sha }}
@@ -81,7 +81,7 @@
 
  # Uses dedicated restricted role and policy to enable this only for this task
  # No credentials are part of github for AWS auth
- - name: configure aws credentials
+ - name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@main
  with:
  role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
@@ -104,23 +104,23 @@
  PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }}
  VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }}
 
- - name: Tofu init
+ - name: Tofu Init
  id: init
  run: tofu init
  env:
  # Imported from GitHub variables this is used to load the relevant OS.tfvars file
  OSVAR: ${{ vars.OSVAR }}
  TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
- - name: Tofu validate
+ - name: Tofu Validate
  id: validate
  run: tofu validate
  env:
  # Imported from GitHub variables this is used to load the relevant OS.tfvars file
  OSVAR: ${{ vars.OSVAR }}
  TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
- - name: Tofu apply
+ - name: Tofu Apply
  id: apply
  env:
  OSVAR: ${{ vars.OSVAR }}
@@ -136,11 +136,11 @@
 
  # Aws deployments taking a while to come up insert sleep or playbook fails
 
- - name: Sleep to allow system to come up
+ - name: Sleep - Allow system to come up
  run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
  # Run the Ansible playbook
- - name: Run_Ansible_Playbook
+ - name: Run Ansible Playbook
  env:
  ANSIBLE_HOST_KEY_CHECKING: "false"
  ANSIBLE_DEPRECATION_WARNINGS: "false"

.github/workflows/main_pipeline_validation.yml

@@ -23,18 +23,6 @@
  # A workflow run is made up of one or more jobs
  # that can run sequentially or in parallel
  jobs:
- # This will create messages for first time contributers and direct them to the Discord server
- welcome:
- runs-on: self-hosted
-
- steps:
- - uses: actions/first-interaction@main
- with:
- repo-token: ${{ secrets.GITHUB_TOKEN }}
- pr-message: |-
- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
- Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
-
  # This workflow contains a single job that tests the playbook
  playbook-test:
  # The type of runner that the job will run on
@@ -53,7 +41,7 @@
 
  steps:
 
- - name: Git clone the lockdown repository to test
+ - name: Git Clone the Lockdown Repository to test
  uses: actions/checkout@v4
  with:
  ref: ${{ github.event.pull_request.head.sha }}
@@ -78,7 +66,7 @@
 
  # Uses dedicated restricted role and policy to enable this only for this task
  # No credentials are part of github for AWS auth
- - name: configure aws credentials
+ - name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@main
  with:
  role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
@@ -101,23 +89,23 @@
  PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }}
  VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }}
 
- - name: Tofu init
+ - name: Tofu Init
  id: init
  run: tofu init
  env:
  # Imported from GitHub variables this is used to load the relevant OS.tfvars file
  OSVAR: ${{ vars.OSVAR }}
  TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
- - name: Tofu validate
+ - name: Tofu Validate
  id: validate
  run: tofu validate
  env:
  # Imported from GitHub variables this is used to load the relevant OS.tfvars file
  OSVAR: ${{ vars.OSVAR }}
  TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
- - name: Tofu apply
+ - name: Tofu Apply
  id: apply
  env:
  OSVAR: ${{ vars.OSVAR }}
@@ -133,11 +121,11 @@
 
  # Aws deployments taking a while to come up insert sleep or playbook fails
 
- - name: Sleep to allow system to come up
+ - name: Sleep - Allow system to come up
  run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
  # Run the Ansible playbook
- - name: Run_Ansible_Playbook
+ - name: Run Ansible Playbook
  env:
  ANSIBLE_HOST_KEY_CHECKING: "false"
  ANSIBLE_DEPRECATION_WARNINGS: "false"

.pre-commit-config.yaml

@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https:/pre-commit/pre-commit-hooks
- rev: v4.6.0
+ rev: v5.0.0
  hooks:
  # Safety
  - id: detect-aws-credentials
@@ -33,18 +33,14 @@ repos:
  rev: v1.5.0
  hooks:
  - id: detect-secrets
- args: ['--baseline', '.config/.secrets.baseline']
- exclude: package.lock.json
 
 - repo: https:/gitleaks/gitleaks
- rev: v8.18.4
+ rev: v8.20.1
  hooks:
  - id: gitleaks
- args: ['--baseline-path', '.config/.gitleaks-report.json']
- exclude: .config/.secrets.baseline
 
 - repo: https:/ansible-community/ansible-lint
- rev: v24.6.0
+ rev: v24.9.2
  hooks:
  - id: ansible-lint
  name: Ansible-lint

Changelog.md

@@ -1,5 +1,16 @@
 # Changes to rhel8CIS
 
+## Benchmark v3.0.0
+
+### 2.1 updates August 2024
+
+new workflow
+audit updates
+authselect rewrite
+thanks to @msachikanta, @fgierlinger, @bantify, @txdavec, @csabapatyi @dirkvdplas, @karlg100 and @devallan for issues and fixes
+now able to run audit on ARM64 although not officially supported by CIS feedback needed
+audit binary update to 0.4.8
+
 ## 2.0 based on CIS 3.0.0
 
 ### This is not an upgrade for CIS v2.0.0 due to the number of changes treat as a new baseline

defaults/main.yml

@@ -37,6 +37,9 @@ benchmark_version: v3.0.0
 # Whether to skip the reboot
 skip_reboot: true
 
+# Modify behavior of changed_when if reboot is pending and skipped to allow idempotency to succeed
+reboot_warning_changed_when: true
+
 ###
 ### Settings for associated Audit role using Goss
 ###
@@ -560,7 +563,7 @@ rhel8cis_ntp_server_options: "iburst"
 # mask - if a dependancy for product so cannot be removed
 # Server Services
 rhel8cis_autofs_services: false
-rhel8cis_autofs_mask: true
+rhel8cis_autofs_mask: false
 rhel8cis_avahi_server: false
 rhel8cis_avahi_mask: false
 rhel8cis_dhcp_server: false
@@ -683,21 +686,34 @@ rhel8cis_sudolog_location: "/var/log/sudo.log"
 rhel8cis_sudo_timestamp_timeout: 15
 
 ## PAM
-# 4.4.2.x
+## 4.4.2.x PAM and Authselect
 # Do not use authselect if:
 # Your host is part of Linux Identity Management.
 # Joining your host to an IdM domain with the ipa-client-install command automatically configures SSSD authentication on your host.
 # Your host is part of Active Directory via SSSD.
 # Calling the realm join command to join your host to an Active Directory domain automatically configures SSSD authentication on your host.
-rhel8cis_allow_authselect_updates: false
+rhel8cis_allow_authselect_updates: true
 ##
 rhel8cis_authselect_pkg_update: false # NOTE the risks if system is using SSSD or using ipa-client-install
-rhel8cis_authselect_custom_profile_create: false
-rhel8cis_authselect_custom_profile_select: false
-rhel8cis_authselect:
- custom_profile_name: 'cis_example_profile'
- default_file_to_copy: "sssd --symlink-meta"
- options: with-sudo with-faillock without-nullok with-pwhistory
+
+## PAM AND Authselect
+
+# To create a new profile (best for greenfield fresh sites not configured)
+# This allows creation of a custom profile using an existing one to build from
+# will only create if profiel does not already exist
+## options true or false
+rhel8cis_authselect_custom_profile_create: true
+## Controls:
+# - 4.4.2.1 - Ensure custom authselect profile is used
+# Settings in place now will fail, they are placeholders from the control example. Due to the way many multiple
+# options and ways to configure this control needs to be enabled and settings adjusted to minimise risk.
+
+# This variable configures the name of the custom profile to be created and selected.
+# To be changed from default - cis_example_profile
+rhel8cis_authselect_custom_profile_name: cis_example_profile
+# Name of the existing authselect profile to copy - options can be found with
+# ```authselect list``` on the host to be configured
+rhel8cis_authselect_default_profile_to_copy: "sssd --symlink-meta"
 
 rhel8cis_pam_faillock:
  attempts: 5
@@ -784,7 +800,7 @@ rhel8cis_auditd:
  disk_full_action: halt
  action_mail_acct: root
  space_left_action: email
- admin_space_left_action: email
+ admin_space_left_action: single
  max_log_file_action: keep_logs
 
 # This can be used to configure other keys in auditd.conf

tasks/LE_audit_setup.yml

@@ -8,7 +8,7 @@
  audit_pkg_arch_name: AMD64
 
  - name: Pre Audit Setup | Set audit package name | ARM64
- when: ansible_facts.machine == "arm64"
+ when: ansible_facts.machine == "aarch64"
  ansible.builtin.set_fact:
  audit_pkg_arch_name: ARM64