diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
index 3ddd0a0c..11bdb467 100644
--- a/.config/.secrets.baseline
+++ b/.config/.secrets.baseline
@@ -75,10 +75,6 @@
 {
 "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
 },
- {
- "path": "detect_secrets.filters.common.is_baseline_file",
- "filename": ".config/.secrets.baseline"
- },
 {
 "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
 "min_level": 2
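Review bot: Dropping the `detect_secrets.filters.common.is_baseline_file` entry removes the only filter that kept `.config/.secrets.baseline` itself out of the scan, and nothing on the new side replaces it; the `should_exclude_file` pattern in the following hunk names only the gitleaks report and one task file. That is harmless today because `results` is emptied in the same commit, but as soon as a finding is recorded again its `hashed_secret` values are exactly the kind of hex high-entropy strings the scanner reports, and the baseline would start flagging itself. Either keep the filter entry or add the baseline path to the `should_exclude_file` pattern. If the entry was dropped because a newer detect-secrets injects this filter at scan time instead of storing it, one sentence in the commit description saying so would settle the question.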
@@ -113,70 +109,11 @@
 {
 "path": "detect_secrets.filters.regex.should_exclude_file",
 "pattern": [
- ".config/.gitleaks-report.json"
+ ".config/.gitleaks-report.json",
+ "tasks/parse_etc_password.yml"
 ]
 }
 ],
- "results": {
- "defaults/main.yml": [
- {
- "type": "Secret Keyword",
- "filename": "defaults/main.yml",
- "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
- "is_verified": false,
- "line_number": 382,
- "is_secret": false
- }
- ],
- "tasks/main.yml": [
- {
- "type": "Secret Keyword",
- "filename": "tasks/main.yml",
- "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
- "is_verified": false,
- "line_number": 22,
- "is_secret": false
- }
- ],
- "tasks/parse_etc_password.yml": [
- {
- "type": "Secret Keyword",
- "filename": "tasks/parse_etc_password.yml",
- "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
- "is_verified": false,
- "line_number": 18
- }
- ],
- "vars/CentOS.yml": [
- {
- "type": "Hex High Entropy String",
- "filename": "vars/CentOS.yml",
- "hashed_secret": "2baa4bd2c505f21a0e48d6c17a174a0c8b6f3c3b",
- "is_verified": false,
- "line_number": 6,
- "is_secret": false
- }
- ],
- "vars/OracleLinux.yml": [
- {
- "type": "Hex High Entropy String",
- "filename": "vars/OracleLinux.yml",
- "hashed_secret": "260c8f0806148cd568435cd3d7647f43150efdbb",
- "is_verified": false,
- "line_number": 9,
- "is_secret": false
- }
- ],
- "vars/is_container.yml": [
- {
- "type": "Secret Keyword",
- "filename": "vars/is_container.yml",
- "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d",
- "is_verified": false,
- "line_number": 377,
- "is_secret": false
- }
- ]
- },
- "generated_at": "2023-09-13T08:05:26Z"
+ "results": {},
+ "generated_at": "2023-10-09T15:14:50Z"
 }
diff --git a/README.md b/README.md
index 1024df79..cf1e6c88 100644
--- a/README.md
+++ b/README.md
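Review bot: Adding `"tasks/parse_etc_password.yml"` to the `should_exclude_file` pattern switches secret scanning off for that whole file, which is far broader than the per-line `# pragma: allowlist secret` the same commit applies in defaults/main.yml, tasks/main.yml and the vars files. The finding being silenced, the `Secret Keyword` hit at `"line_number": 18` in the removed `results` block, is also the only one that never carried `"is_secret": false`, so it appears to be excluded rather than triaged, and any real credential added to that task file later would be skipped without a trace. Prefer marking that one line with the pragma and removing the file from the pattern, so the empty `results` reflects a clean scan rather than a blind spot. Since these patterns are regexes, the unescaped dots in `".config/.gitleaks-report.json"` also match more than the literal path; harmless here, but `"\\.config/\\.gitleaks-report\\.json"` would be exact.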
@@ -11,7 +11,6 @@
 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
-![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56324?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
diff --git a/ansible.cfg b/ansible.cfg
index 39399065..c7c4ec86 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -22,4 +22,4 @@ transfer_method=scp
 [colors]
-[diff]
\ No newline at end of file
+[diff]
diff --git a/collections/requirements.yml b/collections/requirements.yml
index 23596ec0..8ebc6180 100644
--- a/collections/requirements.yml
+++ b/collections/requirements.yml
@@ -2,7 +2,13 @@ collections:
 - name: community.general
+ source: https://github.com/ansible-collections/community.general
+ type: git
 - name: community.crypto
+ source: https://github.com/ansible-collections/community.crypto
+ type: git
 - name: ansible.posix
+ source: https://github.com/ansible-collections/ansible.posix
+ type: git
diff --git a/defaults/main.yml b/defaults/main.yml
index 9c3f8670..44e7e95a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -379,7 +379,7 @@ rhel7cis_rhnsd_required: false
 # 1.4.2 Bootloader password
 rhel7cis_set_boot_pass: false
-rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispart'
+rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispart' # pragma: allowlist secret
 # System network parameters (host only OR host and router)
 rhel7cis_is_router: false
diff --git a/tasks/main.yml b/tasks/main.yml
index 05209d0e..bdbf9fa5 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
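Review bot: The three `source:` / `type: git` pairs added under `collections:` point each collection at the head of its GitHub default branch with no `version:`, so every `ansible-galaxy collection install -r` pulls whatever that branch holds at that moment and two runs of the role can ship different collection code. Pin each entry with `version: <tag-or-commit — placeholder>` (a release tag, or better a full commit SHA) alongside `type: git`. Moving from Galaxy artifacts to a bare git clone also sidesteps whatever integrity checks Galaxy applies to published releases; if that trade-off is deliberate, the commit description should say why. The `collections:` key shown in the hunk header may be header context rather than a hunk line, so the list may start before this hunk.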
@@ -19,8 +19,8 @@
 - name: Check rhel7cis_bootloader_password_hash variable has been changed
 ansible.builtin.assert:
- that: rhel7cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispart'
- msg: "This role will not be able to run single user password commands as rhel7cis_bootloader_password_hash variable has not been set"
+ that: rhel7cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispart' # pragma: allowlist secret
+ msg: "This role will not be able to run single user password commands as rhel7cis_bootloader_password_hash variable has not been set" # pragma: allowlist secret
 when:
 - ansible_distribution_version >= '7.2'
 - rhel7cis_set_boot_pass
diff --git a/templates/audit/access.rules.j2 b/templates/audit/access.rules.j2
index d877a3b9..1a86703a 100644
--- a/templates/audit/access.rules.j2
+++ b/templates/audit/access.rules.j2
@@ -1,4 +1,4 @@
--a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
--a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
--a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
+-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
 -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
diff --git a/templates/audit/logins.rules.j2 b/templates/audit/logins.rules.j2
index c47bf6e5..092a053c 100644
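Review bot: The `when:` guard that decides whether the placeholder check runs, `ansible_distribution_version >= '7.2'`, is a plain string comparison, so a release such as `'7.10'` sorts below `'7.2'` and the assert is skipped on precisely the newer hosts; use the version test instead, `- ansible_distribution_version is version('7.2', '>=')`. The assert itself only rejects the literal placeholder, so an empty or malformed value still passes and reaches the bootloader tasks; turning `that:` into a list and adding `- rhel7cis_bootloader_password_hash is match('^grub\.pbkdf2\.sha512\.')` catches that, since that prefix is what grub2-mkpasswd-pbkdf2 produces. Both points predate this commit, but this hunk is where the guard lives and the allowlist pragmas now pin these lines down. The task list continues outside the hunk on both sides.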
--- a/templates/audit/logins.rules.j2
+++ b/templates/audit/logins.rules.j2
@@ -1,3 +1,3 @@
--w /var/log/faillog -p wa -k logins
+-w /var/log/faillog -p wa -k logins
 -w /var/log/lastlog -p wa -k logins
 -w /var/run/faillock/ -p wa -k logins
diff --git a/templates/audit/priv_commands.rules.j2 b/templates/audit/priv_commands.rules.j2
index 92eb78eb..ed65a428 100644
--- a/templates/audit/priv_commands.rules.j2
+++ b/templates/audit/priv_commands.rules.j2
@@ -1,4 +1,4 @@
-{% for proc in priv_procs.stdout_lines -%}
+{% for proc in priv_procs.stdout_lines -%}
 -a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 {% endfor %}
diff --git a/templates/audit/session.rules.j2 b/templates/audit/session.rules.j2
index ea5c4894..51d7254f 100644
--- a/templates/audit/session.rules.j2
+++ b/templates/audit/session.rules.j2
@@ -1,3 +1,3 @@
--w /var/run/utmp -p wa -k session
--w /var/log/wtmp -p wa -k logins
+-w /var/run/utmp -p wa -k session
+-w /var/log/wtmp -p wa -k logins
 -w /var/log/btmp -p wa -k logins
diff --git a/templates/audit/system_local.rules.j2 b/templates/audit/system_local.rules.j2
index 32fb3083..63d590ed 100644
--- a/templates/audit/system_local.rules.j2
+++ b/templates/audit/system_local.rules.j2
@@ -1,5 +1,5 @@
--a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
--a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
+-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
+-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
diff --git a/templates/audit/time_change.rules.j2 b/templates/audit/time_change.rules.j2
index 625a117c..e39a529d 100644
--- a/templates/audit/time_change.rules.j2
+++ b/templates/audit/time_change.rules.j2
@@ -1,6 +1,6 @@
 -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
 -a always,exit -F arch=b32 -S clock_settime -k time-change
-{% if ansible_architecture == 'x86_64' -%}
+{% if ansible_architecture == 'x86_64' -%}
 -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
 -a always,exit -F arch=b64 -S clock_settime -k time-change
 {% endif %}
diff --git a/vars/CentOS.yml b/vars/CentOS.yml
index 1b6f75a1..e16bbcb6 100644
--- a/vars/CentOS.yml
+++ b/vars/CentOS.yml
@@ -3,4 +3,4 @@ rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
 rpm_packager: "CentOS BuildSystem"
-rpm_key: "24c6a8a7f4a80eb5" # found on https://www.centos.org/keys/
+rpm_key: "24c6a8a7f4a80eb5" # found on https://www.centos.org/keys/ # pragma: allowlist secret
diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml
index 960a47a7..b7c1d32a 100644
--- a/vars/OracleLinux.yml
+++ b/vars/OracleLinux.yml
@@ -6,4 +6,4 @@ rpm_packager: "(none)"
 # found on https://linux.oracle.com/security/gpg/
-rpm_key: "72f97b74ec551f03"
+rpm_key: "72f97b74ec551f03" # pragma: allowlist secret
diff --git a/vars/is_container.yml b/vars/is_container.yml
index bb45e082..7c7f57a4 100644
--- a/vars/is_container.yml
+++ b/vars/is_container.yml
@@ -374,7 +374,7 @@ rhel7cis_rhnsd_required: false
 # 1.4.2 Bootloader password
 rhel7cis_set_boot_pass: false
-rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispart'
+rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispart' # pragma: allowlist secret
 # System network parameters (host only OR host and router)
 rhel7cis_is_router: false