Merge pull request #420 from ansible-lockdown/devel

Oct24_ devel to main

.github/workflows/devel_pipeline_validation.yml

@@ -27,7 +27,7 @@
   jobs:
     # This will create messages for first time contributers and direct them to the Discord server
       welcome:
-        runs-on: self-hosted
+        runs-on: ubuntu-latest
 
         steps:
             - uses: actions/first-interaction@main
@@ -55,7 +55,7 @@
 
         steps:
 
-          - name: Git clone the lockdown repository to test
+          - name: Git Clone the Lockdown Repository to test
             uses: actions/checkout@v4
             with:
               ref: ${{ github.event.pull_request.head.sha }}
@@ -81,7 +81,7 @@
 
           # Uses dedicated restricted role and policy to enable this only for this task
           # No credentials are part of github for AWS auth
-          - name: configure aws credentials
+          - name: Configure AWS Credentials
             uses: aws-actions/configure-aws-credentials@main
             with:
               role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
@@ -104,23 +104,23 @@
               PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }}
               VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }}
 
-          - name: Tofu init
+          - name: Tofu Init
             id: init
             run: tofu init
             env:
               # Imported from GitHub variables this is used to load the relevant OS.tfvars file
               OSVAR: ${{ vars.OSVAR }}
               TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
-          - name: Tofu validate
+          - name: Tofu Validate
             id: validate
             run: tofu validate
             env:
               # Imported from GitHub variables this is used to load the relevant OS.tfvars file
               OSVAR: ${{ vars.OSVAR }}
               TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
-          - name: Tofu apply
+          - name: Tofu Apply
             id: apply
             env:
               OSVAR: ${{ vars.OSVAR }}
@@ -136,11 +136,11 @@
 
     # Aws deployments taking a while to come up insert sleep or playbook fails
 
-          - name: Sleep to allow system to come up
+          - name: Sleep - Allow system to come up
             run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
         # Run the Ansible playbook
-          - name: Run_Ansible_Playbook
+          - name: Run Ansible Playbook
             env:
               ANSIBLE_HOST_KEY_CHECKING: "false"
               ANSIBLE_DEPRECATION_WARNINGS: "false"

.github/workflows/main_pipeline_validation.yml

@@ -23,18 +23,6 @@
   # A workflow run is made up of one or more jobs
   # that can run sequentially or in parallel
   jobs:
-    # This will create messages for first time contributers and direct them to the Discord server
-      welcome:
-        runs-on: self-hosted
-
-        steps:
-            - uses: actions/first-interaction@main
-              with:
-                repo-token: ${{ secrets.GITHUB_TOKEN }}
-                pr-message: |-
-                    Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                    Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
-
       # This workflow contains a single job that tests the playbook
       playbook-test:
         # The type of runner that the job will run on
@@ -53,7 +41,7 @@
 
         steps:
 
-          - name: Git clone the lockdown repository to test
+          - name: Git Clone the Lockdown Repository to test
             uses: actions/checkout@v4
             with:
               ref: ${{ github.event.pull_request.head.sha }}
@@ -78,7 +66,7 @@
 
           # Uses dedicated restricted role and policy to enable this only for this task
           # No credentials are part of github for AWS auth
-          - name: configure aws credentials
+          - name: Configure AWS Credentials
             uses: aws-actions/configure-aws-credentials@main
             with:
               role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
@@ -101,23 +89,23 @@
               PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }}
               VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }}
 
-          - name: Tofu init
+          - name: Tofu Init
             id: init
             run: tofu init
             env:
               # Imported from GitHub variables this is used to load the relevant OS.tfvars file
               OSVAR: ${{ vars.OSVAR }}
               TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
-          - name: Tofu validate
+          - name: Tofu Validate
             id: validate
             run: tofu validate
             env:
               # Imported from GitHub variables this is used to load the relevant OS.tfvars file
               OSVAR: ${{ vars.OSVAR }}
               TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
 
-          - name: Tofu apply
+          - name: Tofu Apply
             id: apply
             env:
               OSVAR: ${{ vars.OSVAR }}
@@ -133,11 +121,11 @@
 
     # Aws deployments taking a while to come up insert sleep or playbook fails
 
-          - name: Sleep to allow system to come up
+          - name: Sleep - Allow system to come up
             run: sleep ${{ vars.BUILD_SLEEPTIME }}
 
         # Run the Ansible playbook
-          - name: Run_Ansible_Playbook
+          - name: Run Ansible Playbook
             env:
               ANSIBLE_HOST_KEY_CHECKING: "false"
               ANSIBLE_DEPRECATION_WARNINGS: "false"

.pre-commit-config.yaml

@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.6.0
+  rev: v5.0.0
   hooks:
   # Safety
   - id: detect-aws-credentials
@@ -33,18 +33,14 @@ repos:
   rev: v1.5.0
   hooks:
   - id: detect-secrets
-    args: ['--baseline', '.config/.secrets.baseline']
-    exclude: package.lock.json
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.18.4
+  rev: v8.20.1
   hooks:
   - id: gitleaks
-    args: ['--baseline-path', '.config/.gitleaks-report.json']
-    exclude: .config/.secrets.baseline
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.6.0
+  rev: v24.9.2
   hooks:
   - id: ansible-lint
     name: Ansible-lint

Changelog.md

@@ -1,5 +1,16 @@
 # Changes to rhel8CIS
 
+## Benchmark v3.0.0
+
+### 2.1 updates August 2024
+
+new workflow
+audit updates
+authselect rewrite
+thanks to @msachikanta, @fgierlinger, @bantify, @txdavec, @csabapatyi @dirkvdplas, @karlg100 and @devallan for issues and fixes
+now able to run audit on ARM64 although not officially supported by CIS feedback needed
+audit binary update to 0.4.8
+
 ## 2.0 based on CIS 3.0.0
 
 ### This is not an upgrade for CIS v2.0.0 due to the number of changes treat as a new baseline

defaults/main.yml

@@ -37,6 +37,9 @@ benchmark_version: v3.0.0
 # Whether to skip the reboot
 skip_reboot: true
 
+# Modify behavior of changed_when if reboot is pending and skipped to allow idempotency to succeed
+reboot_warning_changed_when: true
+
 ###
 ### Settings for associated Audit role using Goss
 ###
@@ -560,7 +563,7 @@ rhel8cis_ntp_server_options: "iburst"
 # mask - if a dependancy for product so cannot be removed
 # Server Services
 rhel8cis_autofs_services: false
-rhel8cis_autofs_mask: true
+rhel8cis_autofs_mask: false
 rhel8cis_avahi_server: false
 rhel8cis_avahi_mask: false
 rhel8cis_dhcp_server: false
@@ -683,21 +686,34 @@ rhel8cis_sudolog_location: "/var/log/sudo.log"
 rhel8cis_sudo_timestamp_timeout: 15
 
 ## PAM
-# 4.4.2.x
+## 4.4.2.x PAM and Authselect
 # Do not use authselect if:
 # Your host is part of Linux Identity Management.
 # Joining your host to an IdM domain with the ipa-client-install command automatically configures SSSD authentication on your host.
 # Your host is part of Active Directory via SSSD.
 # Calling the realm join command to join your host to an Active Directory domain automatically configures SSSD authentication on your host.
-rhel8cis_allow_authselect_updates: false
+rhel8cis_allow_authselect_updates: true
 ##
 rhel8cis_authselect_pkg_update: false  # NOTE the risks if system is using SSSD or using ipa-client-install
-rhel8cis_authselect_custom_profile_create: false
-rhel8cis_authselect_custom_profile_select: false
-rhel8cis_authselect:
-    custom_profile_name: 'cis_example_profile'
-    default_file_to_copy: "sssd --symlink-meta"
-    options: with-sudo with-faillock without-nullok with-pwhistory
+
+## PAM AND Authselect
+
+# To create a new profile (best for greenfield fresh sites not configured)
+# This allows creation of a custom profile using an existing one to build from
+# will only create if profiel does not already exist
+## options true or false
+rhel8cis_authselect_custom_profile_create: true
+## Controls:
+#  - 4.4.2.1 - Ensure custom authselect profile is used
+# Settings in place now will fail, they are placeholders from the control example. Due to the way many multiple
+# options and ways to configure this control needs to be enabled and settings adjusted to minimise risk.
+
+# This variable configures the name of the custom profile to be created and selected.
+# To be changed from default - cis_example_profile
+rhel8cis_authselect_custom_profile_name: cis_example_profile
+# Name of the existing authselect profile to copy - options can be found with
+# ```authselect list``` on the host to be configured
+rhel8cis_authselect_default_profile_to_copy: "sssd --symlink-meta"
 
 rhel8cis_pam_faillock:
     attempts: 5
@@ -784,7 +800,7 @@ rhel8cis_auditd:
     disk_full_action: halt
     action_mail_acct: root
     space_left_action: email
-    admin_space_left_action: email
+    admin_space_left_action: single
     max_log_file_action: keep_logs
 
 # This can be used to configure other keys in auditd.conf

tasks/LE_audit_setup.yml

@@ -8,7 +8,7 @@
             audit_pkg_arch_name: AMD64
 
       - name: Pre Audit Setup | Set audit package name | ARM64
-        when: ansible_facts.machine == "arm64"
+        when: ansible_facts.machine == "aarch64"
         ansible.builtin.set_fact:
             audit_pkg_arch_name: ARM64