Merge pull request #1 from ansible-lockdown/georgenalen

Added GitHub actions and added gitgnore
ansible-lockdown · Oct 30, 2020 · d77f528 · d77f528
2 parents 16d264e + 4fa3b2f
commit d77f528
Show file tree

Hide file tree

Showing 7 changed files with 112 additions and 29 deletions.
diff --git a/.github/workflows/communitytodevel.yml b/.github/workflows/communitytodevel.yml
@@ -0,0 +1,38 @@
+# This is a basic workflow to help you get started with Actions
+
+name: CommunityToDevel
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+  pull_request:
+    branches: [ devel ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v2
+
+      # Refactr pipeline for devel pull request/merge
+      - name: Refactr - Run Pipeline (to devel)
+       # You may pin to the exact commit or the version.
+        # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+        uses: refactr/[email protected]
+        with:
+          # API token
+          api_token: '${{ secrets.REFACTR_KEY }}'
+          # Project ID
+          project_id: 5f47f0c4a13c7b18373e5556
+          # Job ID
+          job_id: 5f933cbcf9c74e86b1609c00
+          # Variables
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-STIG.git", "image": "ami-066df92ac6f03efca", "githubBranch": "${{ github.head_ref }}" }'
+          # Refactr API base URL
+          api_url: # optional
diff --git a/.github/workflows/develtomaster.yml b/.github/workflows/develtomaster.yml
@@ -0,0 +1,38 @@
+# This is a basic workflow to help you get started with Actions
+
+name: DevelToMaster
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+  pull_request:
+    branches: [ master ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v2
+
+      # Refactr pipeline for devel pull request/merge
+      - name: Refactr - Run Pipeline (to master)
+       # You may pin to the exact commit or the version.
+        # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+        uses: refactr/[email protected]
+        with:
+          # API token
+          api_token: '${{ secrets.REFACTR_KEY }}'
+          # Project ID
+          project_id: 5f47f0c4a13c7b18373e5556
+          # Job ID
+          job_id: 5f90ad90f9c74e6d1e606e33
+          # Variables
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-STIG.git", "image": "ami-066df92ac6f03efca" }'
+          # Refactr API base URL
+          api_url: # optional
diff --git a/.gitignore b/.gitignore
@@ -40,3 +40,5 @@ benchparse/
 *xccdf.xml
 *.retry
 
+# GitHub Action/Workflow files
+.github/
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -39,6 +39,10 @@ rhel8stig_system_is_chroot: "{{ ansible_is_chroot | default(False) }}"
 # tweak role to run in a non-privileged container
 rhel8stig_system_is_container: false
 
+# rhel8cis is left off the front of this var for consistency in testing pipeline
+# system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks
+system_is_ec2: false
+
 # These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules.
 # PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group
 # in order for the variables below to take effect.

diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
@@ -184,6 +184,7 @@
             insertafter: '### BEGIN /etc/grub.d/01_users ###'
         notify: confirm grub2 user cfg
   when:
+      - not system_is_ec2
       - rhel_08_010140 or
         rhel_08_010150
   tags:

diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
@@ -4,6 +4,7 @@
       name: "*"
       state: latest
   when:
+      - not system_is_ec2
       - rhel_08_010010
   tags:
       - RHEL-08-010010
@@ -31,6 +32,7 @@
             mode: '0644'
         notify: restart sshd
         when:
+            # - not system_is_ec2
             - rhel_08_010040 or
               rhel_08_010060
         tags:
@@ -3103,6 +3105,32 @@
       - RHEL-08-040080
       - usb_devices
 
+- name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8."
+  block:
+      - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install firewalld"
+        dnf:
+            name: firewalld
+            state: present
+        when: rhel8stig_firewall_service == "firewalld"
+
+      - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables"
+        dnf:
+            name: iptables-services
+            state: present
+        when: rhel8stig_firewall_service == "iptables"
+
+      - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Start and enable service"
+        service:
+            name: "{{ rhel8stig_firewall_service }}"
+            state: started
+            enabled: yes
+  when:
+      - rhel_08_040100
+  tags:
+      - RHEL-08-040100
+      - firewall
+      - "{{ rhel8stig_firewall_service }}"
+
 - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems."
   block:
       - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone"
@@ -3135,33 +3163,7 @@
       - rhel_08_040090
   tags:
       - RHEL-08-040090
-      - firewall
-
-- name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8."
-  block:
-      - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install firewalld"
-        dnf:
-            name: firewalld
-            state: present
-        when: rhel8stig_firewall_service == "firewalld"
-
-      - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables"
-        dnf:
-            name: iptables-services
-            state: present
-        when: rhel8stig_firewall_service == "iptables"
-
-      - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Start and enable service"
-        service:
-            name: "{{ rhel8stig_firewall_service }}"
-            state: started
-            enabled: yes
-  when:
-      - rhel_08_040100
-  tags:
-      - RHEL-08-040100
-      - firewall
-      - "{{ rhel8stig_firewall_service }}"
+      - firewall 
 
 - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled."
   block:

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -334,5 +334,3 @@
       - name: "PRELIM | Setting the fact"
         set_fact:
             rhel8stig_interactive_uid_min: "{{ rhel8stig_interactive.stdout | int }}"
-
-- debug: var=rhel8stig_interactive_uid_min