Merge pull request #351 from ansible-lockdown/v3.0.0_initial

V3.0.0 initial
ansible-lockdown · Mar 12, 2024 · 3f171be · 3f171be
2 parents 44a20ca + 670a0b0
commit 3f171be
Show file tree

Hide file tree

Showing 109 changed files with 7,700 additions and 5,718 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -1,36 +1,18 @@
 # Changes to rhel8CIS
 
-## 1.5.16 - Based on CIS v2.0.0
+## 2.0 based on CIS 3.0.0
 
-- updated min ansibleversion to 2.11.1
+### This is not an upgrade for CIS v2.0.0 due to the number of changes treat as a new baseline
 
-- changes to 5.6.1.[ 1, 2, 3]
-  - ability to change current users
-  - variables added to defaults/main.yml to enable
+Inline with new CIS baseline
+Rewrite and ordering of nearly all controls
+Many new controls added
+Authselect is now used to setup pam options
+Min ansible version now 2.11.1
 
-- ability to choose remove for mask for nfs,rpc and rsync
-
-## 1.5.15 - based on CIS v2.0.0
-
-### Audit
-
-- ability to run audit_only
-  - var audit_only: true
-  - tidy up of audit variables to var/audit.yml and some in defaults/main.ym
-- goss version increased to 0.3.23 - Doesn't run with latest version 0.4+
-
-- updated 5.4.1 and 5.4.2 for authselect
-
-- Update to 2.1.2. sysconfig for chronyd
-
-- Added optional control thanks to @bbaassssiiee
-  - #273 - ability to use crypto Future with options - optional control added
-  - #329 - pam remove nullok - optional control added
-
-- update to audit thanks you @aaosopra
-  - #336
-  - #337
-  - #338
+- variable audit_only - ability to run audit only without remediate
+- New ansible-lint layout
+- New variable rhel8cis_disruption_high - found in defaults/main.yml default false
 
 ## 1.5.14 based on CIS v2.0.0
 

diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 ## Configure a RHEL/Rocky/AlmaLinux 8 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant
 
-### Based on [ CIS RedHat Enterprise Linux 8 Benchmark v2.0.0 - 02-23-2022 ](https://www.cisecurity.org/cis-benchmarks/)
+### Based on [ CIS RedHat Enterprise Linux 8 Benchmark v3.0.0 - 11-10-2023 ](https://www.cisecurity.org/cis-benchmarks/)
 
 ---
 
@@ -53,6 +53,8 @@ This role was developed against a clean install of the Operating System. If you
 
 To use release version please point to main branch and relevant release for the cis benchmark you wish to work with.
 
+If moving across major releases e.g. v2.0.0 - v3.0.0 there are significant changes to the benchmarks and controls it is suggested to start as a new standard not to upgrade.
+
 ---
 
 ## Matching a security Level for CIS
@@ -133,8 +135,8 @@ RHEL/AlmaLinux/Rocky/Oracle 8 - Other versions are not supported.
 - AlmaLinux/Rocky Has been tested on 8.8(enabling crypto (sections 1.10 & 1.11) breaks updating or installs : July 01 2021
 - Access to download or add the goss binary and content to the system if using auditing
 (other options are available on how to get the content to the system.)
-- Python3
-- Ansible 2.10+
+- Python3.8
+- Ansible 2.11+
 - python-def (should be included in RHEL 8)
 - libselinux-python
 
@@ -175,6 +177,8 @@ rhel8cis_rule_1_1_3_3
 
 [bug 1839899](https://bugs.launchpad.net/cloud-init/+bug/1839899)
 
+Almalinux BaseOS, EPEL and many cloud providers repositories, do not allow repo_gpgcheck on rule_1.2.3 this will cause issues during the playbook unless or a workaround is found.
+
 ## Pipeline Testing
 
 uses: