From dadbeaa84efe439899f6a2edb8170a995dfb82ee Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 20 Mar 2023 15:15:49 +0000
Subject: [PATCH 1/4] Initial molecule thanks to @bbaassssiiee in rh8
Signed-off-by: Mark Bolwell
---
molecule/default/converge.yml | 27 ++++++++++++++++++++++++++
molecule/default/molecule.yml | 34 +++++++++++++++++++++++++++++
molecule/default/verify.yml | 13 +++++++++++++
molecule/localhost/converge.yml | 18 +++++++++++++++++
molecule/localhost/molecule.yml | 30 +++++++++++++++++++++++++++
molecule/localhost/verify.yml | 14 ++++++++++++++
molecule/wsl/converge.yml | 27 ++++++++++++++++++++++++++
molecule/wsl/molecule.yml | 29 ++++++++++++++++++++++++++++
molecule/wsl/verify.yml | 13 +++++++++++++
9 files changed, 205 insertions(+)
create mode 100644 molecule/default/converge.yml
create mode 100644 molecule/default/molecule.yml
create mode 100644 molecule/default/verify.yml
create mode 100644 molecule/localhost/converge.yml
create mode 100644 molecule/localhost/molecule.yml
create mode 100644 molecule/localhost/verify.yml
create mode 100644 molecule/wsl/converge.yml
create mode 100644 molecule/wsl/molecule.yml
create mode 100644 molecule/wsl/verify.yml
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
new file mode 100644
index 00000000..d558e806
--- /dev/null
+++ b/molecule/default/converge.yml
@@ -0,0 +1,27 @@
+---
+# This is a playbook to test the tasks.
+- name: Converge
+ hosts: all
+ gather_facts: true
+
+ vars:
+ role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+ ansible_user: root
+ system_is_container: true
+ rhel9cis_selinux_disable: true
+ rhel9cis_rule_5_3_4: false
+ rhel9cis_rule_1_1_10: false
+ rhel9cis_firewall: "none"
+ rhel9cis_rule_4_1_1_1: false
+ rhel9cis_rule_4_1_1_2: false
+ rhel9cis_rule_4_1_1_3: false
+ rhel9cis_rule_4_1_1_4: false
+ rhel9cis_rule_4_2_1_2: false
+ rhel9cis_rule_4_2_1_4: false
+ rhel9cis_rule_5_1_1: false
+
+ pre_tasks:
+ tasks:
+ - name: "Include tasks"
+ ansible.builtin.include_role:
+ name: "{{ role_name }}"
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
new file mode 100644
index 00000000..55a62745
--- /dev/null
+++ b/molecule/default/molecule.yml
@@ -0,0 +1,34 @@
+---
+# Molecule configuration
+# https://molecule.readthedocs.io/en/latest/
+
+driver:
+ name: docker
+
+platforms:
+ - name: ubi9
+ image: registry.access.redhat.com/ubi9/ubi-init
+ pre_build_image: true
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+ privileged: true
+ command: "/usr/sbin/init"
+ capabilities:
+ - SYS_ADMIN
+
+provisioner:
+ name: ansible
+ config_options:
+ defaults:
+ interpreter_python: auto_silent
+ callbacks_enabled: profile_tasks, timer
+
+lint: |
+ set -e
+ yamllint .
+ ansible-lint
+ flake8
+
+verifier:
+ name: ansible
+
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
new file mode 100644
index 00000000..5c57ab4c
--- /dev/null
+++ b/molecule/default/verify.yml
@@ -0,0 +1,13 @@
+---
+- name: Verify
+ hosts: all
+ gather_facts: false
+
+ vars:
+ role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+
+ tasks:
+ - name: "Include verify tasks"
+ ansible.builtin.include_role:
+ name: "{{ role_name }}"
+ tasks_from: verify
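Review bot: `rhel9cis_firewall: "none"` in this scenario is spelled differently from the role's own container profile, where `vars/is_container.yml` (touched later in this series) sets `rhel9cis_firewall: None`; YAML reads both as plain strings, so if the role compares the value case-sensitively one of the two spellings will not match and the firewall controls would not be skipped in the container. Aligning the scenario with the role's spelling, `rhel9cis_firewall: None`, or better settling on one canonical value in the role, removes the ambiguity. The bare `pre_tasks:` key is a null value that does nothing; drop it or write `pre_tasks: []`. If `system_is_container: true` is what makes the role load `vars/is_container.yml` (not visible here), most of the per-rule overrides in this block duplicate that file and will drift from it; a comment naming which overrides are additional to the container profile would help.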
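Review bot: `privileged: true` already grants the container every capability, so the `capabilities: - SYS_ADMIN` entry under the `ubi9` platform is redundant and hides what the scenario really needs; the read-only `/sys/fs/cgroup` mount plus `SYS_ADMIN` is the usual recipe for running `/usr/sbin/init` in a container, so if the image boots with just those, `privileged: true` can be dropped, and if it cannot, a comment should say why the full privilege is required. The image `registry.access.redhat.com/ubi9/ubi-init` carries no tag, so with `pre_build_image: true` every run pulls whatever the registry currently serves as the default tag; pinning a tag or digest, e.g. `image: registry.access.redhat.com/ubi9/ubi-init:<pinned-tag-placeholder>`, keeps test results reproducible and the test image auditable.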
diff --git a/molecule/localhost/converge.yml b/molecule/localhost/converge.yml
new file mode 100644
index 00000000..6dadcfcd
--- /dev/null
+++ b/molecule/localhost/converge.yml
@@ -0,0 +1,18 @@
+---
+# This is a playbook to test the tasks.
+- name: Converge
+ hosts: all
+ become: true
+ gather_facts: true
+
+ vars:
+ ansible_user: "{{ lookup('env', 'USER') }}"
+ role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+ rhel9cis_rule_5_3_4: false
+
+ pre_tasks:
+ tasks:
+ - name: "Include tasks"
+ ansible.builtin.include_role:
+ name: "{{ role_name }}"
+
diff --git a/molecule/localhost/molecule.yml b/molecule/localhost/molecule.yml
new file mode 100644
index 00000000..94547051
--- /dev/null
+++ b/molecule/localhost/molecule.yml
@@ -0,0 +1,30 @@
+---
+# Molecule configuration
+# https://molecule.readthedocs.io/en/latest/
+
+driver:
+ name: delegated
+ options:
+ managed: false
+ ansible_connection_options:
+ ansible_connection: local
+platforms:
+ - name: localhost
+
+provisioner:
+ name: ansible
+ config_options:
+ defaults:
+ interpreter_python: auto_silent
+ stdout_callback: yaml
+ callbacks_enabled: profile_tasks, timer
+
+lint: |
+ set -e
+ yamllint .
+ ansible-lint
+ flake8
+
+verifier:
+ name: ansible
+
diff --git a/molecule/localhost/verify.yml b/molecule/localhost/verify.yml
new file mode 100644
index 00000000..58afa467
--- /dev/null
+++ b/molecule/localhost/verify.yml
@@ -0,0 +1,14 @@
+---
+- name: Verify
+ hosts: all
+ gather_facts: false
+ become: true
+
+ vars:
+ role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+
+ tasks:
+ - name: "Include verify tasks"
+ ansible.builtin.include_role:
+ name: "{{ role_name }}"
+ tasks_from: verify
diff --git a/molecule/wsl/converge.yml b/molecule/wsl/converge.yml
new file mode 100644
index 00000000..0f5f3e62
--- /dev/null
+++ b/molecule/wsl/converge.yml
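Review bot: This scenario applies the hardening role to the machine that runs Molecule itself, with `become: true` here and `driver: delegated` / `managed: false` / `ansible_connection: local` in the `molecule.yml` hunk that follows, yet the header comment only says `# This is a playbook to test the tasks.`; unlike the docker scenario there is no disposable instance, and only `rhel9cis_rule_5_3_4` is switched off. A header comment such as `# Delegated driver: the role runs against the local host, changes are not sandboxed and persist after the run.` would make that explicit to whoever invokes `molecule converge -s localhost`. The `molecule/wsl` scenario later in this patch uses the same delegated, local, become-enabled setup and should carry the same comment. As in the default scenario, the bare `pre_tasks:` key is a null value and can be removed.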
@@ -0,0 +1,27 @@
+---
+# This is a playbook to test the tasks.
+- name: Converge
+ hosts: all
+ become: true
+ gather_facts: true
+
+ vars:
+ ansible_user: "{{ lookup('env', 'USER') }}"
+ system_is_container: true
+ rhel8cis_selinux_disable: true
+ role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+ rhel8cis_rule_5_3_4: false
+ rhel8cis_rule_1_1_10: false
+ rhel8cis_rsyslog_ansiblemanaged: false
+ rhel8cis_rule_3_4_1_3: false
+ rhel8cis_rule_3_4_1_4: false
+ rhel8cis_rule_4_2_1_2: false
+ rhel8cis_rule_4_2_1_4: false
+ rhel8cis_rule_5_1_1: false
+
+ pre_tasks:
+ tasks:
+ - name: "Include tasks"
+ ansible.builtin.include_role:
+ name: "{{ role_name }}"
+
diff --git a/molecule/wsl/molecule.yml b/molecule/wsl/molecule.yml
new file mode 100644
index 00000000..9360997d
--- /dev/null
+++ b/molecule/wsl/molecule.yml
@@ -0,0 +1,29 @@
+---
+# Molecule configuration
+# https://molecule.readthedocs.io/en/latest/
+
+driver:
+ name: delegated
+ options:
+ managed: false
+ ansible_connection_options:
+ ansible_connection: local
+platforms:
+ - name: localhost
+
+provisioner:
+ name: ansible
+ config_options:
+ defaults:
+ interpreter_python: auto_silent
+ callbacks_enabled: profile_tasks, timer
+
+lint: |
+ set -e
+ yamllint .
+ ansible-lint
+ flake8
+
+verifier:
+ name: ansible
+
diff --git a/molecule/wsl/verify.yml b/molecule/wsl/verify.yml
new file mode 100644
index 00000000..5c57ab4c
--- /dev/null
+++ b/molecule/wsl/verify.yml
@@ -0,0 +1,13 @@
+---
+- name: Verify
+ hosts: all
+ gather_facts: false
+
+ vars:
+ role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+
+ tasks:
+ - name: "Include verify tasks"
+ ansible.builtin.include_role:
+ name: "{{ role_name }}"
+ tasks_from: verify
From 2f5709df703714f53a3f7a5a112cf6f3313a6d6d Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 20 Mar 2023 15:15:59 +0000
Subject: [PATCH 2/4] updated for empty lines
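Review bot: Every override in this `vars:` block apart from `ansible_user`, `role_name` and `system_is_container` uses the `rhel8cis_` prefix, but this is the rhel9CIS role: its defaults (`defaults/main.yml`, seen later in this series) and the sibling default scenario are all `rhel9cis_*`, so these variables are never read by the role and the WSL run will presumably not skip the SELinux, rsyslog and auditd-related controls the author meant to skip, on a host that is the local WSL instance rather than a throwaway container. `rhel8cis_rsyslog_ansiblemanaged`, `rhel8cis_rule_3_4_1_3` and `rhel8cis_rule_3_4_1_4` have no rhel9 counterpart visible in this patch, so they must be mapped against the role's defaults rather than renamed mechanically; the block below reuses the rule set the default scenario already disables for a container and leaves those three as a marked follow-up.
```yaml
  vars:
    ansible_user: "{{ lookup('env', 'USER') }}"
    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
    system_is_container: true
    rhel9cis_selinux_disable: true
    rhel9cis_rule_5_3_4: false
    rhel9cis_rule_1_1_10: false
    rhel9cis_firewall: "none"
    rhel9cis_rule_4_1_1_1: false
    rhel9cis_rule_4_1_1_2: false
    rhel9cis_rule_4_1_1_3: false
    rhel9cis_rule_4_1_1_4: false
    rhel9cis_rule_4_2_1_2: false
    rhel9cis_rule_4_2_1_4: false
    rhel9cis_rule_5_1_1: false
    # TODO(review): map rhel8cis_rsyslog_ansiblemanaged and rhel8cis_rule_3_4_1_3/3_4_1_4
    # to their rhel9cis_ equivalents from defaults/main.yml before enabling this scenario
  # … unchanged: pre_tasks / tasks …
```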
Signed-off-by: Mark Bolwell --- .yamllint | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.yamllint b/.yamllint index 3af111e7..ec469292 100644 --- a/.yamllint +++ b/.yamllint @@ -20,6 +20,8 @@ rules: brackets: max-spaces-inside: 1 level: error + empty-lines: + max: 1 line-length: disable key-duplicates: enable new-line-at-end-of-file: enable From 42b9dc9e890e8842e91e9b3f397c216281574f39 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Mar 2023 15:16:15 +0000 Subject: [PATCH 3/4] Linting Signed-off-by: Mark Bolwell --- defaults/main.yml | 10 ---------- tasks/main.yml | 1 - tasks/section_2/cis_2.2.x.yml | 1 - tasks/section_3/cis_3.4.2.x.yml | 1 - vars/is_container.yml | 4 ---- 5 files changed, 17 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 836f16fc..7ea583d0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -343,7 +343,6 @@ rhel9cis_rule_6_2_14: true rhel9cis_rule_6_2_15: true rhel9cis_rule_6_2_16: true - ## Section 1 vars #### 1.1.2 @@ -413,7 +412,6 @@ rhel9cis_selinux_enforce: enforcing ## 2. Services - ### 2.1 Time Synchronization #### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 rhel9cis_time_synchronization_servers: @@ -461,7 +459,6 @@ rhel9cis_openldap_clients_required: false rhel9cis_tftp_client: false rhel9cis_ftp_client: false - ## Section3 vars ## Sysctl rhel9cis_sysctl_update: false @@ -478,7 +475,6 @@ rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public - # These are added to demonstrate how this can be done rhel9cis_firewalld_ports: - number: 80 @@ -514,7 +510,6 @@ update_audit_template: false ## Advanced option found in auditd post rhel9cis_allow_auditd_uid_user_exclusions: false - # This can be used to configure other keys in auditd.conf rhel9cis_auditd_extra_conf: {} # Example: @@ -535,7 +530,6 @@ rhel9cis_remote_log_protocol: tcp rhel9cis_remote_log_retrycount: 100 rhel9cis_remote_log_queuesize: 1000 - #### 4.2.1.7 rhel9cis_system_is_log_server: false 
@@ -584,7 +578,6 @@ rhel9cis_ssh_maxsessions: 4 rhel9cis_inactivelock: lock_days: 30 - rhel9cis_use_authconfig: false # 5.3.1/5.3.2 Custom authselect profile settings. Settings in place now will fail, they are place holders from the control example # Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk @@ -599,7 +592,6 @@ rhel9cis_authselect_custom_profile_create: false # 5.3.2 Enable automation to select custom profile options, using the settings above rhel9cis_authselect_custom_profile_select: false - rhel9cis_pass: max_days: 365 min_days: 7 @@ -648,7 +640,6 @@ rhel9cis_futurepwchgdate_autofix: true # 5.3.7 rhel9cis_sugroup: nosugroup - ## Section6 vars # RHEL-09_6.1.1 @@ -669,7 +660,6 @@ audit_run_script_environment: AUDIT_FILE: 'goss.yml' AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - ### Goss binary settings ### goss_version: release: v0.3.21 diff --git a/tasks/main.yml b/tasks/main.yml index d0833191..2bb0f3f5 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -102,7 +102,6 @@ tags: - always - - name: Gather the package facts ansible.builtin.package_facts: manager: auto diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 496a92f7..e592d176 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -1,6 +1,5 @@ --- - - name: "2.2.1 | PATCH | Ensure xorg-x11-server-common is not installed" ansible.builtin.package: name: xorg-x11-server-common diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 540bda0d..865fe59b 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -157,7 +157,6 @@ - nftables - rule_3.4.2.4 - - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | firewalld" ansible.posix.firewalld: rich_rule: "{{ item }}" diff --git a/vars/is_container.yml b/vars/is_container.yml index 32504ee3..1a697845 100644 
--- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -6,14 +6,12 @@ ## controls - # Firewall rhel9cis_firewall: None # SElinux rhel9cis_selinux_disable: true - ## Related individual rules # Aide rhel9cis_rule_1_4_1: false @@ -42,7 +40,6 @@ rhel9cis_rule_5_1_8: false # crypto rhel9cis_rule_1_10: false - # grub rhel9cis_rule_1_5_1: false rhel9cis_rule_1_5_2: false @@ -88,6 +85,5 @@ rhel9cis_rule_4_2_2_3: false # systemd - # Users/passwords/accounts rhel9cis_rule_5_5_2: false From c62c2d44898036b7a8a0f72b043fa4d2384e96db Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Mar 2023 15:17:58 +0000 Subject: [PATCH 4/4] updated Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Changelog.md b/Changelog.md index 38005bbf..6fb56c4c 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,12 @@ # Changes to rhel9CIS +## 1.0.5 + +updated yamllint +removed empty lines after lint +initial molecule added +galaxy workflow updated + ## 1.0.4 #40 tmp systemd file variable naming update