From f1d3ab3100786a40092508a1ac6cb925337b1d85 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 13 Sep 2023 09:06:24 +0100 Subject: [PATCH 1/5] added detected secrets audit Signed-off-by: Mark Bolwell --- .config/.gitleaks-report.json | 1 + .config/.secrets.baseline | 182 ++++++++++++++++++++++++++++++++++ 2 files changed, 183 insertions(+) create mode 100644 .config/.gitleaks-report.json create mode 100644 .config/.secrets.baseline diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json new file mode 100644 index 00000000..fe51488c --- /dev/null +++ b/.config/.gitleaks-report.json @@ -0,0 +1 @@ +[] diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline new file mode 100644 index 00000000..3ddd0a0c --- /dev/null +++ b/.config/.secrets.baseline 
@@ -0,0 +1,182 @@ +{ + "version": "1.4.0", + "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, + { + "name": "AWSKeyDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "name": "Base64HighEntropyString", + "limit": 4.5 + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "name": "KeywordDetector", + "keyword_exclude": "" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "SendGridDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_baseline_file", + "filename": ".config/.secrets.baseline" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": "detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": 
"detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + ".config/.gitleaks-report.json" + ] + } + ], + "results": { + "defaults/main.yml": [ + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d", + "is_verified": false, + "line_number": 382, + "is_secret": false + } + ], + "tasks/main.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d", + "is_verified": false, + "line_number": 22, + "is_secret": false + } + ], + "tasks/parse_etc_password.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/parse_etc_password.yml", + "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "is_verified": false, + "line_number": 18 + } + ], + "vars/CentOS.yml": [ + { + "type": "Hex High Entropy String", + "filename": "vars/CentOS.yml", + "hashed_secret": "2baa4bd2c505f21a0e48d6c17a174a0c8b6f3c3b", + "is_verified": false, + "line_number": 6, + "is_secret": false + } + ], + "vars/OracleLinux.yml": [ + { + "type": "Hex High Entropy String", + "filename": "vars/OracleLinux.yml", + "hashed_secret": "260c8f0806148cd568435cd3d7647f43150efdbb", + "is_verified": false, + "line_number": 9, + "is_secret": false + } + ], + "vars/is_container.yml": [ + { + "type": "Secret Keyword", + "filename": "vars/is_container.yml", + "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d", + "is_verified": false, + "line_number": 377, + "is_secret": false + } + ] + }, + "generated_at": "2023-09-13T08:05:26Z" +} From d0981d8e08271435176b82246afc9c3c9fcd9c45 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 13 Sep 2023 09:07:17 +0100 Subject: [PATCH 2/5] added precommit config to repo Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 67 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 .pre-commit-config.yaml 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000..97c79434 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,67 @@ +--- +##### CI for use by github no need for action to be added +##### Inherited +ci: + autofix_prs: false + skip: [detect-aws-credentials, ansible-lint ] + +repos: +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v3.2.0 + hooks: + # Safety + - id: detect-aws-credentials + - id: detect-private-key + + # git checks + - id: check-merge-conflict + - id: check-added-large-files + - id: check-case-conflict + + # General checks + - id: trailing-whitespace + name: Trim Trailing Whitespace + description: This hook trims trailing whitespace. + entry: trailing-whitespace-fixer + language: python + types: [text] + args: [--markdown-linebreak-ext=md] + - id: end-of-file-fixer + +# Scan for passwords +- repo: https://github.com/Yelp/detect-secrets + rev: v1.4.0 + hooks: + - id: detect-secrets + args: [ '--baseline', '.config/.secrets.baseline' ] + exclude: .config/.gitleaks-report.json + +- repo: https://github.com/gitleaks/gitleaks + rev: v8.17.0 + hooks: + - id: gitleaks + args: ['--baseline-path', '.config/.gitleaks-report.json'] + +- repo: https://github.com/ansible-community/ansible-lint + rev: v6.17.2 + hooks: + - id: ansible-lint + name: Ansible-lint + description: This hook runs ansible-lint. + entry: python3 -m ansiblelint --force-color site.yml -c .ansible-lint + language: python + # do not pass files to ansible-lint, see: + # https://github.com/ansible/ansible-lint/issues/611 + pass_filenames: false + always_run: true + additional_dependencies: + # https://github.com/pre-commit/pre-commit/issues/1526 + # If you want to use specific version of ansible-core or ansible, feel + # free to override `additional_dependencies` in your own hook config + # file. + - ansible-core>=2.10.1 + +- repo: https://github.com/adrienverge/yamllint.git + rev: v1.32.0 # or higher tag + hooks: + - id: yamllint 
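Review bot: `detect-aws-credentials` is configured without `--allow-missing-credentials`, which is presumably why it appears under `ci.skip`: that hook fails outright on a machine with no `~/.aws/credentials` file, the normal case for contributors and for pre-commit.ci. Adding `args: ['--allow-missing-credentials']` keeps the check effective where credentials exist and lets it run in CI, so `detect-aws-credentials` can be removed from `skip`. Separately, the `trailing-whitespace` entry overrides `entry`, `language` and `types` with values that look like the upstream hook's own defaults; dropping those three keys leaves `name`, `description` and `args` and avoids pinning the hook's implementation details in this repo.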
From 0c1d0602a8c72e8891f468459848428fd032c5af Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 13 Sep 2023 09:10:34 +0100 Subject: [PATCH 3/5] added content on precommit Signed-off-by: Mark Bolwell --- README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.md b/README.md index 59863e64..a1a652b8 100644 --- a/README.md +++ b/README.md @@ -153,6 +153,22 @@ uses: - runs the audit using the devel branch - This is an automated test that occurs on pull requests into devel +## Local Testing + +- Ansible + + - ansible-base 2.10.17 - python 3.8 + - ansible-core 2.13.4 - python 3.10 + - ansible-core 2.15.1 - python 3.11 + +## Added Extras + +- [pre-commit](https://pre-commit.com) can be tested and can be run from within the directory + +```sh +pre-commit run +``` + ## Credits This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig) From 8630d4bb01371a64b9f089486725b2bbd7d6903a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 13 Sep 2023 10:07:08 +0100 Subject: [PATCH 4/5] updated .github folders Signed-off-by: Mark Bolwell --- .github/ISSUE_TEMPLATE/bug_report.md | 32 ------------------- .../feature-request-or-enhancement.md | 21 ------------ .github/ISSUE_TEMPLATE/question.md | 17 ---------- .github/pull_request_template.md | 12 ------- .github/workflows/update_galaxy.yml | 21 ++++++++++++ 5 files changed, 21 insertions(+), 82 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.md delete mode 100644 .github/ISSUE_TEMPLATE/feature-request-or-enhancement.md delete mode 100644 .github/ISSUE_TEMPLATE/question.md delete mode 100644 .github/pull_request_template.md create mode 100644 .github/workflows/update_galaxy.yml diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index 3a19c72b..00000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -name: Report Issue -about: Create a bug issue ticket to help us improve -title: '' -labels: bug -assignees: '' - ---- - -**Describe the Issue** -A clear and concise description of what the bug is. - -**Expected Behavior** -A clear and concise description of what you expected to happen. - -**Actual Behavior** -A clear and concise description of what's happening. - -**Control(s) Affected** -What controls are being affected by the issue - -**Environment (please complete the following information):** - - Ansible Version: [e.g. 2.10] - - Host Python Version: [e.g. Python 3.7.6] - - Ansible Server Python Version: [e.g. Python 3.7.6] - - Additional Details: - -**Additional Notes** -Anything additional goes here - -**Possible Solution** -Enter a suggested fix here diff --git a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md deleted file mode 100644 index bf457005..00000000 --- a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -name: Feature Request or Enhancement -about: Suggest an idea for this project -title: '' -labels: enhancement -assignees: '' - ---- - -**Feature Request or Enhancement** - - Feature [] - - Enhancement [] - -**Summary of Request** -A clear and concise description of what you want to happen. - -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Suggested Code** -Please provide any code you have in mind to fulfill the request diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md deleted file mode 100644 index cbab6e73..00000000 --- a/.github/ISSUE_TEMPLATE/question.md +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -name: Question -about: Ask away....... -title: '' -labels: question -assignees: '' - ---- - -**Question** -Pose question here. - -**Environment (please complete the following information):** - - Ansible Version: [e.g. 2.10] - - Host Python Version: [e.g. Python 3.7.6] - - Ansible Server Python Version: [e.g. Python 3.7.6] - - Additional Details: diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md deleted file mode 100644 index 05dadb6b..00000000 --- a/.github/pull_request_template.md +++ /dev/null @@ -1,12 +0,0 @@ -**Overall Review of Changes:** -A general description of the changes made that are being requested for merge - -**Issue Fixes:** -Please list (using linking) any open issues this PR addresses - -**Enhancements:** -Please list any enhancements/features that are not open issue tickets - -**How has this been tested?:** -Please give an overview of how these changes were tested. If they were not please use N/A - diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml new file mode 100644 index 00000000..951a53cb --- /dev/null +++ b/.github/workflows/update_galaxy.yml @@ -0,0 +1,21 @@ +--- + +# This is a basic workflow to help you get started with Actions + +name: update galaxy + +# Controls when the action will run. +# Triggers the workflow on merge request events to the main branch +on: + push: + branches: + - main +jobs: + update_role: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: robertdebock/galaxy-action@master + with: + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} + git_branch: main From 4fe5b3e706e8dee32fed0c4267549c801943a04e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 13 Sep 2023 10:15:14 +0100 Subject: [PATCH 5/5] fix typo Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
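Review bot: `robertdebock/galaxy-action@master` pins a third-party action to a mutable branch while handing it `secrets.GALAXY_API_KEY`; whatever is pushed to that branch runs here with the key on the next merge to `main`. Pin it to a full commit SHA with the tag in a trailing comment, e.g. `uses: robertdebock/galaxy-action@<40-hex-sha> # vX.Y.Z`, and let Dependabot or Renovate bump it. The job also runs with the default `GITHUB_TOKEN` scope although it only needs to read the checkout, so add `permissions:` / `  contents: read` at the workflow level. `actions/checkout@v3` is a tag, the usual compromise for first-party actions, but the same SHA pinning applies if the repo's policy is strict.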
diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index a38c1b44..c076fc2f 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -30,7 +30,7 @@ - name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked | cron" ansible.builtin.cron: name: Run AIDE integrity check - file: "{{ rhel7cis_aide_cron['cron_file'] }}" + cron_file: "{{ rhel7cis_aide_cron['cron_file'] }}" user: "{{ rhel7cis_aide_cron['cron_user'] }}" minute: "{{ rhel7cis_aide_cron['aide_minute'] | default('0') }}" hour: "{{ rhel7cis_aide_cron['aide_hour'] | default('5') }}"