Merge pull request #214 from ansible-lockdown/devel
Merge devel to main
uk-bolly authored Jul 4, 2022
2 parents 068aca0 + 1ee0d1e commit 0220ed1
Showing 54 changed files with 691 additions and 278 deletions.
1 change: 1 addition & 0 deletions .github/ISSUE_TEMPLATE/bug_report.md
Expand Up @@ -23,6 +23,7 @@ What controls are being affected by the issue
- Ansible Version: [e.g. 2.10]
- Host Python Version: [e.g. Python 3.7.6]
- Ansible Server Python Version: [e.g. Python 3.7.6]
- Using branch: [e.g. main]
- Additional Details:

**Additional Notes**
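Review bot: the new `Using branch` field is a useful addition because the devel and main branches diverge between releases; consider listing the two valid values `devel` or `main` in the example text so reporters do not paste a tag or commit id here.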
2 changes: 1 addition & 1 deletion .github/workflows/OS.tfvars
Expand Up @@ -4,6 +4,6 @@ ami_os = "rocky8"
ami_username = "rocky"
ami_user_home = "/home/rocky"
instance_tags = {
Name = "RHEL8-STIG"
Name = "RHEL8-CIS"
Environment = "lockdown_github_repo_workflow"
}
4 changes: 2 additions & 2 deletions .github/workflows/github_networks.tf
@@ -1,11 +1,11 @@
resource "aws_vpc" "Main" {
cidr_block = var.main_vpc_cidr
tags = var.instance_tags
tags = var.instance_tags
}

resource "aws_internet_gateway" "IGW" {
vpc_id = aws_vpc.Main.id
tags = {
Name = "${var.namespace}-IGW"
Name = "${var.namespace}-IGW"
}
}
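Review bot: the two changed lines in this hunk (`tags = var.instance_tags` and `Name = "${var.namespace}-IGW"`) are whitespace realignment only, as are the github_vars.tfvars and variables.tf hunks in this merge. Running `terraform fmt -check` as a workflow step would keep formatting-only diffs out of future PRs and make the substantive changes easier to review.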
2 changes: 1 addition & 1 deletion .github/workflows/github_vars.tfvars
Expand Up @@ -3,7 +3,7 @@
// Declared in variables.tf
//

namespace = "github_actions"
namespace = "github_actions"

// Matching pair name found in AWS for keypairs PEM key
ami_key_pair_name = "github_actions"
10 changes: 5 additions & 5 deletions .github/workflows/main.tf
Expand Up @@ -28,7 +28,7 @@ resource "aws_security_group" "github_actions" {
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}

ingress {
from_port = 80
to_port = 80
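Review bot: the ingress rule visible as context in this hunk uses `cidr_blocks = ["0.0.0.0/0"]`, so the testing VM's security group admits the listed ports from any source address. This merge only realigns whitespace here, but since the instance exists solely for the workflow runner, narrowing the source range to the runner's address (or a variable the workflow fills in) would be a cheap hardening of the CI environment. Not blocking.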
Expand All @@ -44,7 +44,7 @@ resource "aws_security_group" "github_actions" {
}
tags = {
Name = "${var.namespace}-SG"
}
}
}

// instance setup
Expand All @@ -57,16 +57,16 @@ resource "aws_instance" "testing_vm" {
tags = var.instance_tags
vpc_security_group_ids = [aws_security_group.github_actions.id]
root_block_device {
delete_on_termination = true
delete_on_termination = true
}
}

// generate inventory file
resource "local_file" "inventory" {
filename = "./hosts.yml"
filename = "./hosts.yml"
directory_permission = "0755"
file_permission = "0644"
content = <<EOF
content = <<EOF
# benchmark host
all:
hosts:
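Review bot: the generated `./hosts.yml` inventory in this hunk is written with `file_permission = "0644"`; the heredoc content is truncated in this view after `hosts:`, so if it ever carries a connection password or key path, `0600` would be the safer default for a file the workflow writes to disk. Otherwise the changes here are whitespace only.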
5 changes: 0 additions & 5 deletions .github/workflows/terraform.tfvars

This file was deleted.

2 changes: 1 addition & 1 deletion .github/workflows/variables.tf
Expand Up @@ -29,7 +29,7 @@ variable "ami_os" {

variable "ami_id" {
description = "AMI ID reference"
type = string
type = string
}

variable "ami_username" {
65 changes: 65 additions & 0 deletions Changelog.md
@@ -1,5 +1,70 @@
# Changes to rhel8CIS

## 1.3.9

- tidy up become statements

Improvements for idempotency

- update to auditd template
- uses facts and template new variable
- update_audit_template (default false)
- 3.4.1.5 discovery improvement
- 5.6.1.4 discovery improvement


## 1.3.8

Issues

- #185 thanks to @flwitten rsyslog and journald work
- #189
- #190 being addressed thanks to @ztmr - any feedback helpful on this one
- #196 #200 thanks to @Thulium-Drake
- #203 thanks to @scottdoane
- #204 thanks to @ccravens
- #206 flush handler tidy up

## improvements

- Dynamic UID discovery
- Several title updates and alignments
- Logic and idempotence improvement
- Tag updates and fixes
- Removed config no longer used
- Dynamic container discovery
- Update container variables and usage

## 1.3.7

Issues

- thanks to @ccravens
- #160 & #183 - Please not this changes the variable for the aide cron job from /etc/crontab - manual tidy up maybe required.
- thanks to @flwitten
- #180 - update to assert in main.yml and 1.4.1 conditional update
- #181 - 1.8.5 typo resolved
- #182 - 1.2.2 fixed variable and enhanced gpg check with vendor key

Improvements

- changed crypto to DEFAULT in defaults/main and updated as allowed option
- 3.4.1.2 - removed enabled option as errors if masked and enable option
- workflow added branch option to issues.

## 1.3.6

- Issues
- #164
- #165
- #168
- #176

## 1.3.5

- Update to V2.0.0
- many changes inline with new benchamrk requirements please refer to official docs

## 1.3.4

- CentOS no longer supported due to moving to Stream updates
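Review bot: three wording problems in the added changelog text: `Please not this changes the variable` should read `Please note`, `benchamrk` under 1.3.5 should be `benchmark`, and `## improvements` under 1.3.8 is a level-2 heading while the matching `Issues` line is plain text, so it renders as a sibling of the version headings; make it plain `Improvements` as the 1.3.7 entry does. The 1.3.7 warning that the aide cron entry moves away from /etc/crontab is exactly what upgrading users need to see, so keep it prominent.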
19 changes: 19 additions & 0 deletions README.md
Expand Up @@ -29,6 +29,18 @@ To use release version please point to main branch
- [Wiki](https://github.com/ansible-lockdown/RHEL8-CIS/wiki)
- [Repo GitHub Page](https://ansible-lockdown.github.io/RHEL8-CIS/)

### Running level1 or level2 only

While the defaults/main.yml has the options this is used for auditing purposes.
In order to run level(1|2)-server level(1|2)-workstation This is carried out via tags.

e.g.

``` shell
ansible-playbook -l test-server -i test_inv site.yml -t level1-server

```

## Auditing (new)

This can be turned on or off within the defaults/main.yml file with the variable rhel8cis_run_audit. The value is false by default, please refer to the wiki for more details.
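Review bot: the sentence `In order to run level(1|2)-server level(1|2)-workstation This is carried out via tags.` does not parse; suggest `To run only the level1-server, level2-server, level1-workstation or level2-workstation controls, pass the matching tag:` ahead of the example. In the code block the fence info string is written as ` shell` with a leading space and there is a stray blank line before the closing fence; put `shell` directly after the backticks so GitHub highlights it.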
Expand Down Expand Up @@ -130,6 +142,13 @@ uses:
- runs the audit using the devel branch
- This is an automated test that occurs on pull requests into devel

## known-issues

cloud0init - due to a bug this will stop working if noexec is added to /var.
rhel8cis_rule_1_1_3_3

https://bugs.launchpad.net/cloud-init/+bug/1839899

## Support

This is a community project at its core and will be managed as such.
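Review bot: `cloud0init` in the known-issues entry should be `cloud-init`, and the entry names `rhel8cis_rule_1_1_3_3` without saying what to do with it; state plainly that hosts which depend on cloud-init should set `rhel8cis_rule_1_1_3_3: false` so /var is not mounted noexec. Linking the launchpad bug is good.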
37 changes: 26 additions & 11 deletions defaults/main.yml
Expand Up @@ -2,7 +2,10 @@
# defaults file for rhel8-cis

rhel8cis_skip_for_travis: false
rhel8cis_system_is_container: false
system_is_container: false
# Place to find the container yml file for your environment - /vars/... This can be adjusted for your requirements.
container_vars_file: is_container.yml

os_check: true
# rhel8cis is left off the front of this var for consistency in testing pipeline
# system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks
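Review bot: renaming `rhel8cis_system_is_container` to `system_is_container` silently breaks anyone who set the old variable in inventory or extra-vars: the new default `false` takes effect and the container-unsafe tasks run. Consider an assert in tasks/main.yml that fails (or at least warns) when `rhel8cis_system_is_container` is still defined, and call the rename out in the changelog. Also the `container_vars_file` comment mentions `/vars/...` but the default `is_container.yml` carries no path, so say where the file is looked up.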
Expand Down Expand Up @@ -430,7 +433,7 @@ rhel8cis_set_boot_pass: false

# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
# Control 1.10 sates not ot use LEGACY and control 1.11 says to use FUTURE or FIPS.
rhel8cis_crypto_policy: "FUTURE"
rhel8cis_crypto_policy: "DEFAULT"

# System network parameters (host only OR host and router)
rhel8cis_is_router: false
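Review bot: changing `rhel8cis_crypto_policy` from `FUTURE` to `DEFAULT` means a default run no longer satisfies control 1.11, which the comment itself says requires FUTURE or FIPS; say that explicitly in the comment so operators know they must set one of those to pass the audit. The comment also has two typos: `sates not ot use` should be `states not to use`.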
Expand All @@ -443,7 +446,7 @@ rhel8cis_config_aide: true
# AIDE cron settings
rhel8cis_aide_cron:
cron_user: root
cron_file: /etc/crontab
cron_file: /etc/cron.d/cis_aide
aide_job: '/usr/sbin/aide --check'
aide_minute: 0
aide_hour: 5
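Review bot: moving `cron_file` from `/etc/crontab` to `/etc/cron.d/cis_aide` leaves the aide line previously written to /etc/crontab in place on already-hardened hosts, so they run the check twice until someone cleans it up by hand (the changelog acknowledges this). A task that removes the old /etc/crontab entry when the new path is in use would make the upgrade idempotent.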
Expand Down Expand Up @@ -499,8 +502,9 @@ rhel8cis_int_zone: customezone
rhel8cis_interface: eth0

rhel8cis_firewall_services:
- ssh
- cockpit
- dhcpv6-client
- ssh

# 3.4.2.5 Set nftables new table create
# 3.4.2.6
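Review bot: adding `cockpit` to `rhel8cis_firewall_services` opens the Cockpit web console through the firewall by default on every host, whether or not cockpit is installed, which widens the default exposed surface of a hardening role. Consider leaving it out of the default list (or adding it only when the package is present) and documenting `cockpit` and `dhcpv6-client` as opt-in. Reordering `ssh` is harmless.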
Expand All @@ -521,6 +525,8 @@ rhel8cis_warning_banner: |

## Section4 vars

update_audit_template: false

rhel8cis_auditd:
space_left_action: email
action_mail_acct: root
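Review bot: `update_audit_template: false` is added with no comment and without the `rhel8cis_` prefix used elsewhere in this file; add a line explaining what it toggles (the changelog says it controls re-templating the auditd rules) and consider the prefix for consistency.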
Expand All @@ -535,10 +541,14 @@ rhel8cis_audit_back_log_limit: 8192
# The max_log_file parameter should be based on your sites policy
rhel8cis_max_log_file_size: 10

# RHEL-08-4.2.1.4/4.2.1.5 remote and destation log server name
# OS logging system - either rsyslog or journald or other if 3rd party tool
rhel8cis_syslog: rsyslog
rhel8cis_rsyslog_ansiblemanaged: true

# RHEL-08-4.2.1.4/4.2.1.5 remote and destination log server name
rhel8cis_remote_log_server: logagg.example.com

# 4.2.1.5
# 4.2.1.5, 4.2.2.1.3, 4.2.2.1.4
rhel8cis_system_is_log_server: false

# 4.2.2.1.2
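Review bot: the comment on `rhel8cis_syslog` lists `rsyslog`, `journald` or `other`, but nothing visible validates the value; an assert in tasks/main.yml that it is one of those would catch a typo before the section 4 tasks silently skip. The `destation` to `destination` fix and the broader `4.2.2.1.3, 4.2.2.1.4` reference on `rhel8cis_system_is_log_server` are good.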
Expand Down Expand Up @@ -619,9 +629,7 @@ rhel8cis_pass:
max_days: 365
min_days: 7
warn_age: 7
# Syslog system - either rsyslog or syslog-ng
rhel8cis_syslog: rsyslog
rhel8cis_rsyslog_ansiblemanaged: true


# 5.6.1.4
rhel8cis_inactivelock:
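Review bot: removing the three syslog lines here leaves two consecutive blank lines before `# 5.6.1.4`, which yamllint's default empty-lines rule flags; drop one.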
Expand All @@ -635,8 +643,10 @@ rhel8cis_pam_password:
minlen: 14
minclass: 4

# Starting GID for interactive users
rhel8cis_int_gid: 1000
# This is a dynamic check but can be overridden here marking it as false and uncomment
rhel8uid_info_dynamic: true
#rhel8uid_interactive_uid_start: 1000
#rhel8uid_interactive_uid_stop: 60000

# 5.6.3
# Session timeout setting file (TMOUT setting can be set in multiple files)
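Review bot: the new variables use the prefix `rhel8uid_` while everything else in this file uses `rhel8cis_`, and `rhel8cis_int_gid` is removed without a note, so inventories that override it will now be ignored silently. The comment `can be overridden here marking it as false and uncomment` should read `set rhel8uid_info_dynamic to false and uncomment the two start/stop values below`.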
Expand Down Expand Up @@ -690,6 +700,11 @@ audit_files_url: "some url maybe s3?"
audit_files: "/var/tmp/{{ benchmark }}-Audit/"

## Goss configuration information
# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
audit_run_script_environment:
AUDIT_BIN: "{{ audit_bin }}"
AUDIT_FILE: 'goss.yml'
AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
# Where the goss configs and outputs are stored
audit_out_dir: '/var/tmp'
audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit"
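Review bot: the comment above `audit_run_script_environment` ends with a stray double quote after `-Audit.git`. `AUDIT_CONTENT_LOCATION` references `audit_out_dir` before it is defined a few lines lower; that works with Ansible's lazy templating, but moving the block below `audit_out_dir` would read more naturally.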
24 changes: 5 additions & 19 deletions handlers/main.yml
Expand Up @@ -2,27 +2,26 @@
# handlers file for RHEL8-CIS

- name: sysctl flush ipv4 route table
become: yes
sysctl:
name: net.ipv4.route.flush
value: '1'
sysctl_set: yes
ignore_errors: yes
when: ansible_virtualization_type != "docker"
when:
- not system_is_container
tags:
- skip_ansible_lint

- name: sysctl flush ipv6 route table
become: yes
sysctl:
name: net.ipv6.route.flush
value: '1'
sysctl_set: yes
ignore_errors: yes
when: ansible_virtualization_type != "docker"
when:
- not system_is_container

- name: systemd restart tmp.mount
become: yes
systemd:
name: tmp.mount
daemon_reload: yes
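Review bot: dropping `become: yes` from these handlers means they now depend on the play in site.yml running with `become: true`; the sysctl and systemd calls fail for an unprivileged user otherwise, so confirm that is set at play level and mention it in the README. Replacing the docker-only `ansible_virtualization_type` check with `not system_is_container` is an improvement, since it covers any container runtime the operator flags, but it relies on `system_is_container` always being defined, which the defaults/main.yml change in this merge provides.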
Expand All @@ -31,7 +30,6 @@
state: reloaded

- name: systemd restart var-tmp.mount
become: yes
systemd:
name: var-tmp.mount
daemon_reload: yes
Expand All @@ -45,31 +43,26 @@
warn: false

- name: restart firewalld
become: yes
service:
name: firewalld
state: restarted

- name: restart xinetd
become: yes
service:
name: xinetd
state: restarted

- name: restart sshd
become: yes
service:
name: sshd
state: restarted

- name: restart postfix
become: yes
service:
name: postfix
state: restarted

- name: reload dconf
become: yes
command: dconf update

- name: update auditd
Expand Down Expand Up @@ -103,25 +96,18 @@
name: systemd-journal-upload
state: restarted

- name: grub2cfg
- name: rhel8cis_grub2cfg
command: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}"
ignore_errors: True
notify: change_requires_reboot
tags:
- skip_ansible_lint

- name: restart rsyslog
become: yes
service:
name: rsyslog
state: restarted

- name: restart syslog-ng
become: yes
service:
name: syslog-ng
state: restarted

- name: systemd_daemon_reload
systemd:
daemon-reload: yes
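Review bot: renaming the handler from `grub2cfg` to `rhel8cis_grub2cfg` requires every `notify: grub2cfg` in the tasks to be updated, otherwise those tasks fail with an undefined handler; the task files are not shown in this view, so check that no old reference remains. Separately, `ignore_errors: True` on `grub2-mkconfig` means a failed regeneration still goes on to notify `change_requires_reboot`, masking a broken grub config; a `failed_when` on the return code would surface the error instead.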