From e7405a25f8e7a0eb5c59eb6b15fd9e04583a461d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Mar 2023 08:21:56 +0000 Subject: [PATCH 01/12] updated comntrol conditional Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.x.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 5c7d059a..119b4a79 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -4,9 +4,7 @@ block: - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Absent" debug: - msg: "Warning!! /tmp is not mounted on a separate partition" - when: - - required_mount not in mount_names + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Present" ansible.builtin.import_tasks: warning_facts.yml @@ -15,6 +13,7 @@ required_mount: '/tmp' when: - rhel8cis_rule_1_1_2_1 + - "'/tmp' not in mount_names" tags: - level1-server - level1-workstation From f5cf5233be15d5f8d323d2eb52ae8f570b1ca393 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Mar 2023 08:22:19 +0000 Subject: [PATCH 02/12] updated date Signed-off-by: Mark Bolwell --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index 4f5e4fdb..f6d2b57f 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2022 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases +Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal From c43ba942b67062551f22a1f9b6a590be30b02093 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Mar 2023 15:01:51 +0000 Subject: [PATCH 03/12] added audit benchamkr versions and git branch details 
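Review bot: The new block-level condition `- "'/tmp' not in mount_names"` hard-codes the mount point while the debug message in the first hunk now reads it from `required_mount`, and the context line `required_mount: '/tmp'` shows that var is already set nearby; if it is in scope at the block `when`, `- required_mount not in mount_names` keeps the message and the guard in step. If `required_mount` is only a task var on the import_tasks (which would explain the literal), a one-line comment saying so would stop the next reader from "fixing" it back to the variable. The block containing both hunks starts and ends outside the hunk.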
Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index ad1a63d4..d40f8b01 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -30,6 +30,7 @@ python2_bin: /bin/python2.7 ## Benchmark name used by audting control role # The audit variable found at the base benchmark: RHEL8-CIS +benchmark_version: v2.0.0 # Whether to skip the reboot skip_reboot: true @@ -682,7 +683,7 @@ copy_goss_from_path: /some/accessible/path ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: main +audit_git_version: "benchmark_{{ benchmark_version }}_rh8" # copy: audit_local_copy: "some path to copy from" From 78286a3bcbd134ded5fffb850ba3c1bb00299c38 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Mar 2023 15:02:10 +0000 Subject: [PATCH 04/12] updated Signed-off-by: Mark Bolwell --- Changelog.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Changelog.md b/Changelog.md index 87e6c4dd..47da99e7 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,11 @@ # Changes to rhel8CIS +## 1.5.4 + +- improved conditional for 1.1.2.1 +- updated audit git branch now runs correct version +- added var for benchmark_version + ## 1.5.3 Issues. From d7b9a1557874fdd48b474471cd091f15f2fe40a0 Mon Sep 17 00:00:00 2001 From: Bas Meijer Date: Fri, 3 Mar 2023 16:11:54 +0100 Subject: [PATCH 05/12] Fixes: yamllint .yamllint Signed-off-by: Bas Meijer --- .yamllint | 55 +++++++++++++++++++++++++++---------------------------- 1 file changed, 27 insertions(+), 28 deletions(-) diff --git a/.yamllint b/.yamllint index 5f9d71cd..3af111e7 100644 --- a/.yamllint +++ b/.yamllint 
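Review bot: `audit_git_version: "benchmark_{{ benchmark_version }}_rh8"` pins the audit content to a branch, which is a mutable ref, so the goss content fetched from `audit_file_git` and executed on audited hosts can change under the role without any change here; a tag or commit SHA is the safer default for releases, or at least the trade-off should be documented next to the line. `benchmark_version: v2.0.0` in the first hunk has no comment; suggest `# CIS benchmark version; also selects the branch of the audit repo (see audit_git_version)`. The value is safe unquoted since it starts with a letter, but `"v2.0.0"` would match the quoting style of the other templated strings in the file.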
@@ -1,32 +1,31 @@ --- -ignore: | - tests/ - molecule/ - .github/ - .gitlab-ci.yml - *molecule.yml - extends: default +ignore: | + tests/ + molecule/ + .github/ + .gitlab-ci.yml + *molecule.yml + rules: - indentation: - # Requiring 4 space indentation - spaces: 4 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent - #truthy: disable - braces: - max-spaces-inside: 1 - level: error - brackets: - max-spaces-inside: 1 - level: error - line-length: disable - key-duplicates: enable - new-line-at-end-of-file: enable - new-lines: - type: unix - trailing-spaces: enable - truthy: - allowed-values: ['true', 'false'] - check-keys: true + indentation: + # Requiring 4 space indentation + spaces: 4 + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + line-length: disable + key-duplicates: enable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: false From c4e56713fd6f78cb92da4f4e24dc7c9c87db9de6 Mon Sep 17 00:00:00 2001 From: Bas Meijer Date: Fri, 3 Mar 2023 16:14:14 +0100 Subject: [PATCH 06/12] Fixes: yamllint .ansible-lint Signed-off-by: Bas Meijer --- .ansible-lint | 1 + 1 file changed, 1 insertion(+) diff --git a/.ansible-lint b/.ansible-lint index 162b761e..20da51a0 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,3 +1,4 @@ +--- parseable: true quiet: true skip_list: From 10d4d6af922e24a5ad794050edd71e59f55f3aea Mon Sep 17 00:00:00 2001 From: Bas Meijer Date: Fri, 3 Mar 2023 16:19:51 +0100 Subject: [PATCH 07/12] 'no' is a literal value, not a Boolean. Signed-off-by: Bas Meijer --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index eb5edb77..454dcdfd 100644 --- a/defaults/main.yml 
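Review bot: `check-keys: false` on the truthy rule, the last line of the hunk, is a behavioural change that the commit subject does not mention; everything else in the hunk is re-indentation and the removal of a commented-out line. Since `.github/` is already in the `ignore:` list, the usual reason for relaxing key checks (the `on:` key in workflow files) does not apply here, so either keep `check-keys: true` or add a comment naming which keys the relaxation is meant to admit, e.g. `# check-keys off: <reason> -- TODO name the offending key`.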
+++ b/defaults/main.yml @@ -579,7 +579,7 @@ rhel8cis_pam_faillock: attempts: 5 interval: 900 unlock_time: 900 - fail_for_root: no # noqa yaml[truthy] + fail_for_root: 'no' remember: 5 pwhash: sha512 From 83cb0ce510f69bf4f333c9e812434ac6d2f8653e Mon Sep 17 00:00:00 2001 From: Bas Meijer Date: Fri, 3 Mar 2023 17:01:16 +0100 Subject: [PATCH 08/12] Molecule testing with ubi8 and WSL2 Signed-off-by: Bas Meijer --- molecule/default/converge.yml | 30 ++++++++++++++++++++++++++++++ molecule/default/molecule.yml | 34 ++++++++++++++++++++++++++++++++++ molecule/default/verify.yml | 13 +++++++++++++ molecule/wsl/converge.yml | 27 +++++++++++++++++++++++++++ molecule/wsl/molecule.yml | 29 +++++++++++++++++++++++++++++ molecule/wsl/verify.yml | 13 +++++++++++++ 6 files changed, 146 insertions(+) create mode 100644 molecule/default/converge.yml create mode 100644 molecule/default/molecule.yml create mode 100644 molecule/default/verify.yml create mode 100644 molecule/wsl/converge.yml create mode 100644 molecule/wsl/molecule.yml create mode 100644 molecule/wsl/verify.yml diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml new file mode 100644 index 00000000..4c3d0995 --- /dev/null +++ b/molecule/default/converge.yml 
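Review bot: Quoting `fail_for_root: 'no'` changes the loaded value from boolean false to the string `no`, and whether that is behaviour-preserving depends on the consumer: a template that writes the literal into a config line is fine, but any `when:` test on the variable will now see a non-empty, truthy string. I cannot see the task that uses it from here; a grep for `fail_for_root` is worth doing, and if it is templated a comment such as `# literal written to the config file, not a boolean -- keep quoted` would protect the change from being reverted. The enclosing `rhel8cis_pam_faillock` mapping starts outside the hunk.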
@@ -0,0 +1,30 @@ +--- +# This is a playbook to test the tasks. +- name: Converge + hosts: all + gather_facts: true + + vars: + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + ansible_user: root + system_is_container: true + rhel8cis_selinux_disable: true + rhel8cis_rule_5_3_4: false + rhel8cis_rule_1_1_10: false + rhel8cis_rsyslog_ansiblemanaged: false + rhel8cis_rule_3_4_1_3: false + rhel8cis_rule_3_4_1_4: false + rhel8cis_rule_4_1_1_1: false + rhel8cis_rule_4_1_1_2: false + rhel8cis_rule_4_1_1_3: false + rhel8cis_rule_4_1_1_4: false + rhel8cis_rule_4_2_1_2: false + rhel8cis_rule_4_2_1_4: false + rhel8cis_rule_5_1_1: false + + pre_tasks: + tasks: + - name: "Include tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" + diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml new file mode 100644 index 00000000..086feb9a --- /dev/null +++ b/molecule/default/molecule.yml @@ -0,0 +1,34 @@ +--- +# Molecule configuration +# https://molecule.readthedocs.io/en/latest/ + +driver: + name: docker + +platforms: + - name: ubi8 + image: registry.access.redhat.com/ubi8/ubi-init + pre_build_image: true + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + privileged: true + command: "/usr/sbin/init" + capabilities: + - SYS_ADMIN + +provisioner: + name: ansible + config_options: + defaults: + interpreter_python: auto_silent + callbacks_enabled: profile_tasks, timer + +lint: | + set -e + yamllint . + ansible-lint + flake8 + +verifier: + name: ansible + diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml new file mode 100644 index 00000000..5c57ab4c --- /dev/null +++ b/molecule/default/verify.yml @@ -0,0 +1,13 @@ +--- +- name: Verify + hosts: all + gather_facts: false + + vars: + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + + tasks: + - name: "Include verify tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" + tasks_from: verify 
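Review bot: `pre_tasks:` with no value loads as null rather than an empty list, which yamllint's `empty-values` rule and ansible-lint flag and which Ansible may reject depending on version; drop the key or write `pre_tasks: []`. The same bare key appears in molecule/wsl/converge.yml and, in patch 12, molecule/localhost/converge.yml. A short comment above the block of `rhel8cis_rule_*: false` lines saying why those rules are disabled in a container (presumably they need a real kernel, filesystem layout or syslog) would also help whoever maintains the scenario.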
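Review bot: `privileged: true` already grants the container every capability, so the `capabilities: - SYS_ADMIN` entry below it in molecule/default/molecule.yml is redundant; keep one or comment why both are listed. Because the container is privileged and mounts the host cgroup tree, kernel-facing tasks in the role (sysctl settings, module blacklists, mount options) can act on the shared host kernel rather than on an isolated system, which deserves a comment on the platform entry so the scenario is only run on disposable CI hosts, e.g. `# privileged + host cgroup mount: needed for systemd in ubi-init, but kernel-level tasks reach the host`.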
diff --git a/molecule/wsl/converge.yml b/molecule/wsl/converge.yml new file mode 100644 index 00000000..0f5f3e62 --- /dev/null +++ b/molecule/wsl/converge.yml @@ -0,0 +1,27 @@ +--- +# This is a playbook to test the tasks. +- name: Converge + hosts: all + become: true + gather_facts: true + + vars: + ansible_user: "{{ lookup('env', 'USER') }}" + system_is_container: true + rhel8cis_selinux_disable: true + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + rhel8cis_rule_5_3_4: false + rhel8cis_rule_1_1_10: false + rhel8cis_rsyslog_ansiblemanaged: false + rhel8cis_rule_3_4_1_3: false + rhel8cis_rule_3_4_1_4: false + rhel8cis_rule_4_2_1_2: false + rhel8cis_rule_4_2_1_4: false + rhel8cis_rule_5_1_1: false + + pre_tasks: + tasks: + - name: "Include tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" + diff --git a/molecule/wsl/molecule.yml b/molecule/wsl/molecule.yml new file mode 100644 index 00000000..9360997d --- /dev/null +++ b/molecule/wsl/molecule.yml @@ -0,0 +1,29 @@ +--- +# Molecule configuration +# https://molecule.readthedocs.io/en/latest/ + +driver: + name: delegated + options: + managed: false + ansible_connection_options: + ansible_connection: local +platforms: + - name: localhost + +provisioner: + name: ansible + config_options: + defaults: + interpreter_python: auto_silent + callbacks_enabled: profile_tasks, timer + +lint: | + set -e + yamllint . + ansible-lint + flake8 + +verifier: + name: ansible + diff --git a/molecule/wsl/verify.yml b/molecule/wsl/verify.yml new file mode 100644 index 00000000..5c57ab4c --- /dev/null +++ b/molecule/wsl/verify.yml @@ -0,0 +1,13 @@ +--- +- name: Verify + hosts: all + gather_facts: false + + vars: + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + + tasks: + - name: "Include verify tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" + tasks_from: verify From 6af3b57332f782845323a65e151ec0ae2c825850 Mon Sep 17 00:00:00 2001 
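Review bot: This scenario runs the role with `become: true` through the delegated local connection (molecule/wsl/molecule.yml sets `ansible_connection: local` and `managed: false`), so `molecule converge -s wsl` applies the CIS hardening to the developer's own WSL instance with only a handful of rules disabled, and there is no destroy step that undoes it. The README in patch 09 shows the scenario with `-- --check`, but nothing in the scenario enforces that; the header comment should say so, e.g. `# Applies the hardening to THIS host (no container) -- run with --check unless you mean it`. molecule/localhost/converge.yml in patch 12 has the same shape with even fewer rules disabled and would benefit from the same comment.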
From: Bas Meijer Date: Mon, 6 Mar 2023 09:43:53 +0100 Subject: [PATCH 09/12] Howto test with Molecule Signed-off-by: Bas Meijer --- README.md | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 0aa63a5a..acacae2c 100644 --- a/README.md +++ b/README.md @@ -114,7 +114,7 @@ ok: [default] => { } PLAY RECAP ******************************************************************************************************************************************* -default : ok=270 changed=23 unreachable=0 failed=0 skipped=140 rescued=0 ignored=0 +default : ok=270 changed=23 unreachable=0 failed=0 skipped=140 rescued=0 ignored=0 ``` ## Branches @@ -165,6 +165,26 @@ uses: - runs the audit using the devel branch - This is an automated test that occurs on pull requests into devel + +## Local Testing + +Molecule can be used to work on this role and test in distinct _scenarios_. + +**examples** + +```bash +molecule test -s default +molecule converge -s wsl -- --check +``` + +local testing uses: +- ansible 2.13.3 +- molecule 4.0.1 +- molecule-docker 2.0.0 +- molecule-podman 2.0.2 +- molecule-vagrant 1.0.0 +- molecule-azure 0.5.0 + ## known-issues cloud0init - due to a bug this will stop working if noexec is added to /var. From 32d8120aeed76c23a77f07c60b76797d400c93df Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 6 Mar 2023 16:19:09 +0000 Subject: [PATCH 10/12] updated tags Signed-off-by: Mark Bolwell --- meta/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/meta/main.yml b/meta/main.yml index 1b6d56de..de8e94c1 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -16,6 +16,13 @@ galaxy_info: - security - cis - hardening + - rocky + - alma + - oel + - redhat + - rhel + - compliance + collections: - community.general From bf7a16c8a38ab346fad626e0a2e7c06709f9c4d1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 6 Mar 2023 16:53:12 +0000 Subject: [PATCH 11/12] added oracle to readme 
Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index acacae2c..2b882969 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,7 @@ Refer to [RHEL8-CIS-Audit](https://github.com/ansible-lockdown/RHEL8-CIS-Audit). ## Requirements -RHEL/AlmaLinux/Rocky 8 - Other versions are not supported. +RHEL/AlmaLinux/Rocky/Oracle 8 - Other versions are not supported. - AlmaLinux/Rocky Has been tested on 8.4(enabling crypto (sections 1.10&1.11) breaks updating or installs 01Jul2021 - Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) From 12912e76e71c091c35797b2ac3ecbde03e57960a Mon Sep 17 00:00:00 2001 From: Bas Meijer Date: Tue, 14 Mar 2023 17:06:41 +0100 Subject: [PATCH 12/12] Feature: molecule verify -s localhost Signed-off-by: Bas Meijer --- README.md | 1 + molecule/localhost/converge.yml | 18 ++++++++++++++++++ molecule/localhost/molecule.yml | 30 ++++++++++++++++++++++++++++++ molecule/localhost/verify.yml | 14 ++++++++++++++ tasks/verify.yml | 19 +++++++++++++++++++ 5 files changed, 82 insertions(+) create mode 100644 molecule/localhost/converge.yml create mode 100644 molecule/localhost/molecule.yml create mode 100644 molecule/localhost/verify.yml create mode 100644 tasks/verify.yml diff --git a/README.md b/README.md index 2b882969..00e62cd8 100644 --- a/README.md +++ b/README.md @@ -175,6 +175,7 @@ Molecule can be used to work on this role and test in distinct _scenarios_. ```bash molecule test -s default molecule converge -s wsl -- --check +molecule verify -s localhost ``` local testing uses: diff --git a/molecule/localhost/converge.yml b/molecule/localhost/converge.yml new file mode 100644 index 00000000..9a78fb97 --- /dev/null +++ b/molecule/localhost/converge.yml 
@@ -0,0 +1,18 @@ +--- +# This is a playbook to test the tasks. +- name: Converge + hosts: all + become: true + gather_facts: true + + vars: + ansible_user: "{{ lookup('env', 'USER') }}" + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + rhel8cis_rule_5_3_4: false + + pre_tasks: + tasks: + - name: "Include tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" + diff --git a/molecule/localhost/molecule.yml b/molecule/localhost/molecule.yml new file mode 100644 index 00000000..94547051 --- /dev/null +++ b/molecule/localhost/molecule.yml @@ -0,0 +1,30 @@ +--- +# Molecule configuration +# https://molecule.readthedocs.io/en/latest/ + +driver: + name: delegated + options: + managed: false + ansible_connection_options: + ansible_connection: local +platforms: + - name: localhost + +provisioner: + name: ansible + config_options: + defaults: + interpreter_python: auto_silent + stdout_callback: yaml + callbacks_enabled: profile_tasks, timer + +lint: | + set -e + yamllint . + ansible-lint + flake8 + +verifier: + name: ansible + diff --git a/molecule/localhost/verify.yml b/molecule/localhost/verify.yml new file mode 100644 index 00000000..58afa467 --- /dev/null +++ b/molecule/localhost/verify.yml @@ -0,0 +1,14 @@ +--- +- name: Verify + hosts: all + gather_facts: false + become: true + + vars: + role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" + + tasks: + - name: "Include verify tasks" + ansible.builtin.include_role: + name: "{{ role_name }}" + tasks_from: verify diff --git a/tasks/verify.yml b/tasks/verify.yml new file mode 100644 index 00000000..bd54f336 --- /dev/null +++ b/tasks/verify.yml 
@@ -0,0 +1,19 @@
+---
+
+- name: Install openscap
+ ansible.builtin.dnf:
+ state: present
+ name:
+ - openscap-scanner
+ - scap-security-guide
+
+- name: Run CIS oscap scan and create /tmp/report.html
+ ansible.builtin.command:
+ oscap xccdf eval \
+ --report /tmp/report.html
+ --profile cis
+ --fetch-remote-resources
+ /usr/share/xml/scap/ssg/content/ssg-almalinux8-ds.xml
+ changed_when: true
+ no_log: false
+ ignore_errors: true
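Review bot: The `\` at the end of `oscap xccdf eval \` is passed to the command: the value is a plain multi-line scalar, which YAML folds into one line joined by spaces, so the backslash is not a shell continuation but a literal character that `ansible.builtin.command` hands to shlex, where `\ ` escapes the following space and glues it onto `--report`. Drop the backslash (the folding already joins the lines) or write the value with `>-`. Separately, `ignore_errors: true` means `molecule verify` can never fail on a non-compliant or broken scan; oscap exits 2 when rules fail and 1 on errors, so `register: oscap_scan` plus `failed_when: oscap_scan.rc not in [0, 2]` would still tolerate findings while surfacing a scan that did not run, and the datastream path `ssg-almalinux8-ds.xml` is AlmaLinux-specific although the README lists RHEL, Rocky and Oracle as supported. `--fetch-remote-resources` makes the scan download OVAL content over the network at run time, which is worth a comment on that line.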