Precommit

.config/.gitleaks-report.json

@@ -0,0 +1 @@
+[]

.config/.secrets.baseline

@@ -0,0 +1,182 @@
+{
+  "version": "1.4.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".config/.secrets.baseline"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    },
+    {
+      "path": "detect_secrets.filters.regex.should_exclude_file",
+      "pattern": [
+        ".config/.gitleaks-report.json"
+      ]
+    }
+  ],
+  "results": {
+    "defaults/main.yml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "defaults/main.yml",
+        "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
+        "is_verified": false,
+        "line_number": 382,
+        "is_secret": false
+      }
+    ],
+    "tasks/main.yml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tasks/main.yml",
+        "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
+        "is_verified": false,
+        "line_number": 22,
+        "is_secret": false
+      }
+    ],
+    "tasks/parse_etc_password.yml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tasks/parse_etc_password.yml",
+        "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
+        "is_verified": false,
+        "line_number": 18
+      }
+    ],
+    "vars/CentOS.yml": [
+      {
+        "type": "Hex High Entropy String",
+        "filename": "vars/CentOS.yml",
+        "hashed_secret": "2baa4bd2c505f21a0e48d6c17a174a0c8b6f3c3b",
+        "is_verified": false,
+        "line_number": 6,
+        "is_secret": false
+      }
+    ],
+    "vars/OracleLinux.yml": [
+      {
+        "type": "Hex High Entropy String",
+        "filename": "vars/OracleLinux.yml",
+        "hashed_secret": "260c8f0806148cd568435cd3d7647f43150efdbb",
+        "is_verified": false,
+        "line_number": 9,
+        "is_secret": false
+      }
+    ],
+    "vars/is_container.yml": [
+      {
+        "type": "Secret Keyword",
+        "filename": "vars/is_container.yml",
+        "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
+        "is_verified": false,
+        "line_number": 377,
+        "is_secret": false
+      }
+    ]
+  },
+  "generated_at": "2023-09-13T08:05:26Z"
+}

.github/workflows/update_galaxy.yml

@@ -0,0 +1,21 @@
+---
+
+# This is a basic workflow to help you get started with Actions
+
+name: update galaxy
+
+# Controls when the action will run.
+# Triggers the workflow on merge request events to the main branch
+on:
+    push:
+        branches:
+            - main
+jobs:
+    update_role:
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v3
+            - uses: robertdebock/galaxy-action@master
+              with:
+                  galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
+                  git_branch: main

.pre-commit-config.yaml

@@ -0,0 +1,67 @@
+---
+##### CI for use by github no need for action to be added
+##### Inherited
+ci:
+    autofix_prs: false
+    skip: [detect-aws-credentials, ansible-lint ]
+
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v3.2.0
+  hooks:
+  # Safety
+  - id: detect-aws-credentials
+  - id: detect-private-key
+
+  # git checks
+  - id: check-merge-conflict
+  - id: check-added-large-files
+  - id: check-case-conflict
+
+  # General checks
+  - id: trailing-whitespace
+    name: Trim Trailing Whitespace
+    description: This hook trims trailing whitespace.
+    entry: trailing-whitespace-fixer
+    language: python
+    types: [text]
+    args: [--markdown-linebreak-ext=md]
+  - id: end-of-file-fixer
+
+# Scan for passwords
+- repo: https://github.com/Yelp/detect-secrets
+  rev: v1.4.0
+  hooks:
+  - id: detect-secrets
+    args: [ '--baseline', '.config/.secrets.baseline' ]
+    exclude: .config/.gitleaks-report.json
+
+- repo: https://github.com/gitleaks/gitleaks
+  rev: v8.17.0
+  hooks:
+  - id: gitleaks
+    args: ['--baseline-path', '.config/.gitleaks-report.json']
+
+- repo: https://github.com/ansible-community/ansible-lint
+  rev: v6.17.2
+  hooks:
+  - id: ansible-lint
+    name: Ansible-lint
+    description: This hook runs ansible-lint.
+    entry: python3 -m ansiblelint --force-color site.yml -c .ansible-lint
+    language: python
+    # do not pass files to ansible-lint, see:
+    # https://github.com/ansible/ansible-lint/issues/611
+    pass_filenames: false
+    always_run: true
+    additional_dependencies:
+    # https://github.com/pre-commit/pre-commit/issues/1526
+    # If you want to use specific version of ansible-core or ansible, feel
+    # free to override `additional_dependencies` in your own hook config
+    # file.
+    - ansible-core>=2.10.1
+
+- repo: https://github.com/adrienverge/yamllint.git
+  rev: v1.32.0  # or higher tag
+  hooks:
+  - id: yamllint

README.md

@@ -153,6 +153,22 @@ uses:
 - runs the audit using the devel branch
 - This is an automated test that occurs on pull requests into devel
 
+## Local Testing
+
+- Ansible
+
+  - ansible-base 2.10.17 - python 3.8
+  - ansible-core 2.13.4  - python 3.10
+  - ansible-core 2.15.1  - python 3.11
+
+## Added Extras
+
+- [pre-commit](https://pre-commit.com) can be tested and can be run from within the directory
+
+```sh
+pre-commit run
+```
+
 ## Credits
 
 This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig)

tasks/section_1/cis_1.3.x.yml

@@ -30,7 +30,7 @@
 - name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked | cron"
   ansible.builtin.cron:
       name: Run AIDE integrity check
-      file: "{{ rhel7cis_aide_cron['cron_file'] }}"
+      cron_file: "{{ rhel7cis_aide_cron['cron_file'] }}"
       user: "{{ rhel7cis_aide_cron['cron_user'] }}"
       minute: "{{ rhel7cis_aide_cron['aide_minute'] | default('0') }}"
       hour: "{{ rhel7cis_aide_cron['aide_hour'] | default('5') }}"