
Merge pull request #265 from ansible-lockdown/devel
Release to main
uk-bolly authored Mar 20, 2023
2 parents c993d0c + 0142a9b commit b07f1d7
Showing 18 changed files with 297 additions and 38 deletions.
1 change: 1 addition & 0 deletions .ansible-lint
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
---
parseable: true
quiet: true
skip_list:
55 changes: 27 additions & 28 deletions .yamllint
@@ -1,32 +1,31 @@
---
ignore: |
tests/
molecule/
.github/
.gitlab-ci.yml
*molecule.yml

extends: default

ignore: |
tests/
molecule/
.github/
.gitlab-ci.yml
*molecule.yml

rules:
indentation:
# Requiring 4 space indentation
spaces: 4
# Requiring consistent indentation within a file, either indented or not
indent-sequences: consistent
#truthy: disable
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
line-length: disable
key-duplicates: enable
new-line-at-end-of-file: enable
new-lines:
type: unix
trailing-spaces: enable
truthy:
allowed-values: ['true', 'false']
check-keys: true
indentation:
# Requiring 4 space indentation
spaces: 4
# Requiring consistent indentation within a file, either indented or not
indent-sequences: consistent
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
line-length: disable
key-duplicates: enable
new-line-at-end-of-file: enable
new-lines:
type: unix
trailing-spaces: enable
truthy:
allowed-values: ['true', 'false']
check-keys: false
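Review bot: the only behavioural change in this file is `check-keys: true` becoming `check-keys: false` under `truthy` (the rest is the `ignore:` block moving above `extends: default`, which yamllint treats identically), and that relaxation is not recorded in Changelog.md. Note that `check-keys` governs keys only, so values such as `no` are still flagged, which is why the quoted `'no'` in defaults/main.yml is needed. Suggest either mentioning the relaxed rule in the Changelog or dropping the reorder so the diff shows just the one-line change.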
8 changes: 6 additions & 2 deletions Changelog.md
@@ -1,8 +1,12 @@
# Changes to rhel8CIS

## 1.5.4
## 1.5.5

- improved conditional for 1.1.2.1
- updated audit git branch now runs correct version
- added var for benchmark_version

PR
## 1.5.4

Many thanks to @dulin-gnet and community feedback on this one
Changed default to not follow symlinks due to number of issues it has been causing.
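Review bot: the bare line `PR` between the 1.5.5 bullets and the `## 1.5.4` heading looks like a leftover; either remove it or complete it with the pull request reference it was meant to carry. The 1.5.5 entry also omits the new `molecule/` scenarios, the Oracle Linux 8 support added to README.md and the relaxed yamllint `check-keys` setting that arrive in this same merge.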
2 changes: 1 addition & 1 deletion LICENSE
@@ -1,6 +1,6 @@
MIT License

Copyright (c) 2022 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases
Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
25 changes: 23 additions & 2 deletions README.md
@@ -54,7 +54,7 @@ Refer to [RHEL8-CIS-Audit](https://github.com/ansible-lockdown/RHEL8-CIS-Audit).

## Requirements

RHEL/AlmaLinux/Rocky 8 - Other versions are not supported.
RHEL/AlmaLinux/Rocky/Oracle 8 - Other versions are not supported.

- AlmaLinux/Rocky Has been tested on 8.4(enabling crypto (sections 1.10&1.11) breaks updating or installs 01Jul2021
- Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.)
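Review bot: Oracle 8 is added to the supported-platforms line, but the bullet below still records test coverage only for AlmaLinux/Rocky 8.4, and the molecule scenarios in this merge exercise only a `ubi8` image; add a line stating how Oracle Linux 8 was tested (or that it is untested) so the support claim has something behind it.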
@@ -114,7 +114,7 @@ ok: [default] => {
}
PLAY RECAP *******************************************************************************************************************************************
default : ok=270 changed=23 unreachable=0 failed=0 skipped=140 rescued=0 ignored=0
default : ok=270 changed=23 unreachable=0 failed=0 skipped=140 rescued=0 ignored=0
```

## Branches
@@ -165,6 +165,27 @@ uses:
- runs the audit using the devel branch
- This is an automated test that occurs on pull requests into devel


## Local Testing

Molecule can be used to work on this role and test in distinct _scenarios_.

**examples**

```bash
molecule test -s default
molecule converge -s wsl -- --check
molecule verify -s localhost
```

local testing uses:
- ansible 2.13.3
- molecule 4.0.1
- molecule-docker 2.0.0
- molecule-podman 2.0.2
- molecule-vagrant 1.0.0
- molecule-azure 0.5.0

## known-issues

cloud0init - due to a bug this will stop working if noexec is added to /var.
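Review bot: the versions under `local testing uses:` (ansible 2.13.3, molecule 4.0.1, molecule-docker 2.0.0 and so on) are not pinned by any file in this merge, so the list will drift from what people actually install; a `requirements-dev.txt` or similar that `pip install -r` can consume, referenced from here, would keep the two in step. Two markdown nits: the list needs a blank line after `local testing uses:` to render as a list under markdownlint, and there is a doubled blank line before `## Local Testing`. It is also worth saying next to the `molecule verify -s localhost` example that the localhost scenario applies the hardening role to the machine it runs on, not to a disposable container.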
5 changes: 3 additions & 2 deletions defaults/main.yml
@@ -30,6 +30,7 @@ python2_bin: /bin/python2.7
## Benchmark name used by audting control role
# The audit variable found at the base
benchmark: RHEL8-CIS
benchmark_version: v2.0.0

# Whether to skip the reboot
skip_reboot: true
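Review bot: `benchmark_version: v2.0.0` drives the audit branch selection further down the file (`audit_git_version`), so a comment stating that it must match a branch in the `{{ benchmark }}-Audit` repository would help anyone overriding `benchmark`; the existing comment two lines above it has a typo, `audting`.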
@@ -578,7 +579,7 @@ rhel8cis_pam_faillock:
attempts: 5
interval: 900
unlock_time: 900
fail_for_root: no # noqa yaml[truthy]
fail_for_root: 'no'
remember: 5
pwhash: sha512

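Review bot: `fail_for_root: no` becoming `fail_for_root: 'no'` changes the value from a YAML boolean to the string `'no'`, and a non-empty string is truthy in Jinja, so any consumer that tests the key directly (`when: rhel8cis_pam_faillock.fail_for_root`, or `{% if ... %}` in a template) would now take the opposite branch; verify that the tasks and templates reading this key pass it through `| bool` or compare it with the literal. If the goal was only to silence yamllint's truthy rule, `false` keeps the type and the `# noqa` comment can still go.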
@@ -689,7 +690,7 @@ copy_goss_from_path: /some/accessible/path
## managed by the control audit_content
# git
audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
audit_git_version: main
audit_git_version: "benchmark_{{ benchmark_version }}_rh8"

# copy:
audit_local_copy: "some path to copy from"
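Review bot: pointing `audit_git_version` at a branch named `benchmark_{{ benchmark_version }}_rh8` instead of `main` ties the audit content to the benchmark, which is an improvement, but a branch is still a moving ref: whoever can push to it changes what the role clones and executes on the hardened host. For a reproducible, integrity-checked fetch, consider resolving to a tag or commit SHA (the `version` parameter of ansible.builtin.git accepts either) and recording it in the Changelog alongside `benchmark_version`.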
7 changes: 7 additions & 0 deletions meta/main.yml
@@ -16,6 +16,13 @@ galaxy_info:
- security
- cis
- hardening
- rocky
- alma
- oel
- redhat
- rhel
- compliance


collections:
- community.general
30 changes: 30 additions & 0 deletions molecule/default/converge.yml
@@ -0,0 +1,30 @@
---
# This is a playbook to test the tasks.
- name: Converge
hosts: all
gather_facts: true

vars:
role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
ansible_user: root
system_is_container: true
rhel8cis_selinux_disable: true
rhel8cis_rule_5_3_4: false
rhel8cis_rule_1_1_10: false
rhel8cis_rsyslog_ansiblemanaged: false
rhel8cis_rule_3_4_1_3: false
rhel8cis_rule_3_4_1_4: false
rhel8cis_rule_4_1_1_1: false
rhel8cis_rule_4_1_1_2: false
rhel8cis_rule_4_1_1_3: false
rhel8cis_rule_4_1_1_4: false
rhel8cis_rule_4_2_1_2: false
rhel8cis_rule_4_2_1_4: false
rhel8cis_rule_5_1_1: false

pre_tasks:
tasks:
- name: "Include tasks"
ansible.builtin.include_role:
name: "{{ role_name }}"

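Review bot: `pre_tasks:` is left as an empty key (a YAML null) that does nothing; drop it, and the same applies to the localhost and wsl converge playbooks. The long run of `rhel8cis_rule_*: false` overrides is presumably there because those controls cannot apply inside a container, but each deserves a one-line comment saying why, otherwise a later reader cannot tell a container limitation from a control that has quietly dropped out of test coverage.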
34 changes: 34 additions & 0 deletions molecule/default/molecule.yml
@@ -0,0 +1,34 @@
---
# Molecule configuration
# https://molecule.readthedocs.io/en/latest/

driver:
name: docker

platforms:
- name: ubi8
image: registry.access.redhat.com/ubi8/ubi-init
pre_build_image: true
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
command: "/usr/sbin/init"
capabilities:
- SYS_ADMIN

provisioner:
name: ansible
config_options:
defaults:
interpreter_python: auto_silent
callbacks_enabled: profile_tasks, timer

lint: |
set -e
yamllint .
ansible-lint
flake8
verifier:
name: ansible

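Review bot: `privileged: true` already grants every capability, so the explicit `capabilities: [SYS_ADMIN]` is redundant; keep one or the other, with a comment if systemd-in-container is the reason. A privileged container also shares the host kernel, so non-namespaced kernel parameters written by the role in this scenario can change the host running the tests; worth a comment so nobody runs the default scenario on a machine they care about.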
13 changes: 13 additions & 0 deletions molecule/default/verify.yml
@@ -0,0 +1,13 @@
---
- name: Verify
hosts: all
gather_facts: false

vars:
role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"

tasks:
- name: "Include verify tasks"
ansible.builtin.include_role:
name: "{{ role_name }}"
tasks_from: verify
18 changes: 18 additions & 0 deletions molecule/localhost/converge.yml
@@ -0,0 +1,18 @@
---
# This is a playbook to test the tasks.
- name: Converge
hosts: all
become: true
gather_facts: true

vars:
ansible_user: "{{ lookup('env', 'USER') }}"
role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
rhel8cis_rule_5_3_4: false

pre_tasks:
tasks:
- name: "Include tasks"
ansible.builtin.include_role:
name: "{{ role_name }}"

30 changes: 30 additions & 0 deletions molecule/localhost/molecule.yml
@@ -0,0 +1,30 @@
---
# Molecule configuration
# https://molecule.readthedocs.io/en/latest/

driver:
name: delegated
options:
managed: false
ansible_connection_options:
ansible_connection: local
platforms:
- name: localhost

provisioner:
name: ansible
config_options:
defaults:
interpreter_python: auto_silent
stdout_callback: yaml
callbacks_enabled: profile_tasks, timer

lint: |
set -e
yamllint .
ansible-lint
flake8
verifier:
name: ansible

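Review bot: with `driver: delegated`, `managed: false` and `ansible_connection: local`, this scenario runs the CIS hardening role, with `become: true` from its converge.yml, directly against whichever machine invokes `molecule converge -s localhost`, and there is no destroy step that puts the host back. A header comment making that explicit (and a matching sentence next to the README example) would stop someone applying it to a workstation by accident.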
14 changes: 14 additions & 0 deletions molecule/localhost/verify.yml
@@ -0,0 +1,14 @@
---
- name: Verify
hosts: all
gather_facts: false
become: true

vars:
role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"

tasks:
- name: "Include verify tasks"
ansible.builtin.include_role:
name: "{{ role_name }}"
tasks_from: verify
27 changes: 27 additions & 0 deletions molecule/wsl/converge.yml
@@ -0,0 +1,27 @@
---
# This is a playbook to test the tasks.
- name: Converge
hosts: all
become: true
gather_facts: true

vars:
ansible_user: "{{ lookup('env', 'USER') }}"
system_is_container: true
rhel8cis_selinux_disable: true
role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
rhel8cis_rule_5_3_4: false
rhel8cis_rule_1_1_10: false
rhel8cis_rsyslog_ansiblemanaged: false
rhel8cis_rule_3_4_1_3: false
rhel8cis_rule_3_4_1_4: false
rhel8cis_rule_4_2_1_2: false
rhel8cis_rule_4_2_1_4: false
rhel8cis_rule_5_1_1: false

pre_tasks:
tasks:
- name: "Include tasks"
ansible.builtin.include_role:
name: "{{ role_name }}"

29 changes: 29 additions & 0 deletions molecule/wsl/molecule.yml
@@ -0,0 +1,29 @@
---
# Molecule configuration
# https://molecule.readthedocs.io/en/latest/

driver:
name: delegated
options:
managed: false
ansible_connection_options:
ansible_connection: local
platforms:
- name: localhost

provisioner:
name: ansible
config_options:
defaults:
interpreter_python: auto_silent
callbacks_enabled: profile_tasks, timer

lint: |
set -e
yamllint .
ansible-lint
flake8
verifier:
name: ansible

13 changes: 13 additions & 0 deletions molecule/wsl/verify.yml
@@ -0,0 +1,13 @@
---
- name: Verify
hosts: all
gather_facts: false

vars:
role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"

tasks:
- name: "Include verify tasks"
ansible.builtin.include_role:
name: "{{ role_name }}"
tasks_from: verify
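Review bot: this verify playbook lacks the `become: true` that molecule/localhost/verify.yml has, while the wsl converge.yml does use become; if the role's verify tasks read anything root-only, the wsl scenario will fail at verify where localhost passes. Align the two, and confirm that `tasks/verify.yml` exists in the role, since `tasks_from: verify` fails otherwise.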

0 comments on commit b07f1d7