From 6ca155905c52ed1f8f0874c9db59b8eca9cd8e93 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 28 Oct 2020 13:20:06 -0400
Subject: [PATCH 1/6] initial commit

Signed-off-by: George Nalen
---
 tasks/prelim.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 1d051982..0054f38a 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -334,5 +334,3 @@
 - name: "PRELIM | Setting the fact"
 set_fact:
 rhel8stig_interactive_uid_min: "{{ rhel8stig_interactive.stdout | int }}"
-
-- debug: var=rhel8stig_interactive_uid_min
\ No newline at end of file
From 06a29703b3cc9d35a51121d53b261b7fe9e5971b Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 28 Oct 2020 13:24:14 -0400
Subject: [PATCH 2/6] added github actions

Signed-off-by: George Nalen
---
 .github/workflows/communitytodevel.yml | 38 ++++++++++++++++++++++++++
 .github/workflows/develtomaster.yml | 38 ++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)
 create mode 100644 .github/workflows/communitytodevel.yml
 create mode 100644 .github/workflows/develtomaster.yml

diff --git a/.github/workflows/communitytodevel.yml b/.github/workflows/communitytodevel.yml
new file mode 100644
index 00000000..70ca6cef
--- /dev/null
+++ b/.github/workflows/communitytodevel.yml
@@ -0,0 +1,38 @@
+# This is a basic workflow to help you get started with Actions
+
+name: CommunityToDevel
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+ pull_request:
+ branches: [ devel ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "build"
+ build:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+ - uses: actions/checkout@v2
+
+ # Refactr pipeline for devel pull request/merge
+ - name: Refactr - Run Pipeline (to devel)
+ # You may pin to the exact commit or the version.
+ # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+ uses: refactr/action-run-pipeline@v0.1.2
+ with:
+ # API token
+ api_token: '${{ secrets.REFACTR_KEY }}'
+ # Project ID
+ project_id: 5f47f0c4a13c7b18373e5556
+ # Job ID
+ job_id: 5f933cbcf9c74e86b1609c00
+ # Variables
+ variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-STIG.git", "image": "ami-066df92ac6f03efca", "githubBranch": "${{ github.head_ref }}" }'
+ # Refactr API base URL
+ api_url: # optional
diff --git a/.github/workflows/develtomaster.yml b/.github/workflows/develtomaster.yml
new file mode 100644
index 00000000..5c3552a1
--- /dev/null
+++ b/.github/workflows/develtomaster.yml
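Review bot: `github.head_ref` on the `variables:` line is spliced into a hand-built JSON string, and on a `pull_request` trigger that branch name is chosen by the PR author, so a name containing a double quote breaks the JSON or changes the keys the pipeline receives; emit it JSON-escaped instead, `"githubBranch": ${{ toJSON(github.head_ref) }}`. Both `actions/checkout@v2` and `refactr/action-run-pipeline@v0.1.2` are pinned to movable tags even though the comment directly above offers the commit pin; using the full SHA (the commented `be91e2796aa225268e4685c0e01a26d5f800cd53` line for the Refactr action) keeps an upstream tag move from changing what runs with `REFACTR_KEY`. `api_url: # optional` is a bare key that parses as null; drop the key or give it an explicit value. Presumably this workflow is meant to run for community forks, but `secrets.REFACTR_KEY` is not exposed to `pull_request` runs from forks, so those runs would call the pipeline with an empty token — confirm the intended trigger. The same tag pinning and bare `api_url` appear in develtomaster.yml in the next hunk.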
@@ -0,0 +1,38 @@
+# This is a basic workflow to help you get started with Actions
+
+name: DevelToMaster
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+ pull_request:
+ branches: [ master ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "build"
+ build:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+ - uses: actions/checkout@v2
+
+ # Refactr pipeline for devel pull request/merge
+ - name: Refactr - Run Pipeline (to master)
+ # You may pin to the exact commit or the version.
+ # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+ uses: refactr/action-run-pipeline@v0.1.2
+ with:
+ # API token
+ api_token: '${{ secrets.REFACTR_KEY }}'
+ # Project ID
+ project_id: 5f47f0c4a13c7b18373e5556
+ # Job ID
+ job_id: 5f90ad90f9c74e6d1e606e33
+ # Variables
+ variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL8-STIG.git", "image": "ami-066df92ac6f03efca" }'
+ # Refactr API base URL
+ api_url: # optional
From b0627ca3636c63f73b7e8b7269e7b71001eff04e Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 28 Oct 2020 13:25:45 -0400
Subject: [PATCH 3/6] modified the gitignore file

Signed-off-by: George Nalen
---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitignore b/.gitignore
index c46be6db..7f0e241a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -40,3 +40,5 @@ benchparse/ *xccdf.xml *.retry +# GitHub Action/Workflow files +.github/
From c371622047a08db3c909e12c24915a42fa55007f Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 28 Oct 2020 14:36:32 -0400
Subject: [PATCH 4/6] added ec2 toggel to 010140

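Review bot: The header comment `# events but only for the devel branch` no longer matches `branches: [ master ]` two lines below it, and `Triggers the workflow on push or pull request` describes a push trigger that is not configured in this file. Replace the two comment lines with `# Controls when the action will run. Triggers the workflow on pull requests` and `# targeting the master branch`. The same "push or pull request" wording is copied in communitytodevel.yml, where only `pull_request` is configured as well.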
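Review bot: Adding `.github/` to .gitignore immediately after committing the two workflows under `.github/workflows/` means any workflow file added later is silently left out of commits, while the two already-tracked files keep being tracked and diffed, so the rule neither removes the pipeline config from the repo nor protects anything. If the intent is to keep the Refactr workflows out of the published role, the tracked files have to be untracked as well; if they are meant to stay, narrow the pattern to whatever local artefacts it is really meant to hide, with a comment naming them. The context lines of this hunk are collapsed in the page, so the surrounding entries cannot be checked here.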
Signed-off-by: George Nalen
---
 defaults/main.yml | 4 ++++
 tasks/fix-cat1.yml | 1 +
 2 files changed, 5 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index ddaf219b..942ab660 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -39,6 +39,10 @@ rhel8stig_system_is_chroot: "{{ ansible_is_chroot | default(False) }}" # tweak role to run in a non-privileged container rhel8stig_system_is_container: false +# rhel8cis is left off the front of this var for consistency in testing pipeline +# system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks +system_is_ec2: false + # These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules. # PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group # in order for the variables below to take effect.
diff --git a/tasks/fix-cat1.yml b/tasks/fix-cat1.yml
index 32d52354..d98b88aa 100644
--- a/tasks/fix-cat1.yml
+++ b/tasks/fix-cat1.yml
@@ -184,6 +184,7 @@ insertafter: '### BEGIN /etc/grub.d/01_users ###' notify: confirm grub2 user cfg when: + - not system_is_ec2 - rhel_08_010140 or rhel_08_010150 tags:
From ab73cd2606b02f493ec0e7d44357fc36f6015fbf Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Thu, 29 Oct 2020 08:12:28 -0400
Subject: [PATCH 5/6] added another system_is_ec2

Signed-off-by: George Nalen
---
 tasks/fix-cat2.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index 2673eae1..b3287159 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -4,6 +4,7 @@
 name: "*"
 state: latest
 when:
+ - not system_is_ec2
 - rhel_08_010010
 tags:
 - RHEL-08-010010
@@ -31,6 +32,7 @@ mode: '0644' notify: restart sshd when: + # - not system_is_ec2 - rhel_08_010040 or rhel_08_010060 tags:
From 4fa3b2fa1e19df0374531051a922e30a00516e6d Mon Sep 17 00:00:00 2001
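Review bot: The first added comment in defaults/main.yml says `rhel8cis`, but every variable in this file and across the series carries the `rhel8stig` prefix, so the sentence explaining why the prefix is omitted names the wrong role; change it to `# rhel8stig is left off the front of this var for consistency in the testing pipeline`. Because `system_is_ec2` has no role prefix it presumably shares a namespace with any other role or inventory variable of the same name, which is worth one more comment line saying the value is expected to come from the pipeline or inventory rather than from editing this file, if that is the intent.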
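Review bot: The new `- not system_is_ec2` condition in fix-cat1.yml skips a CAT I control on EC2 with nothing recording which part of the task cannot work there, and the `- name:` line identifying the control lies outside the hunk; a one-line comment above the condition, e.g. `# skipped on EC2: <reason TODO>`, would let a later maintainer judge whether the exemption is still warranted. The same gap applies to the `- not system_is_ec2` added to the RHEL-08-010010 task in the fix-cat2.yml hunk at `@@ -4,6 +4,7 @@`, where a full `dnf` upgrade is now skipped on EC2 without a stated reason.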
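Review bot: `# - not system_is_ec2` in the fix-cat2.yml hunk at `@@ -31,6 +32,7 @@` is a commented-out condition left inside the `when:` list of the sshd task, and at a glance it reads like a live guard. Either delete the line or replace it with a comment saying why this task stays enabled on EC2 while the other two gated in this series are skipped, e.g. `# intentionally not gated on system_is_ec2: <reason TODO>`. The enclosing task begins outside the hunk.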
From: George Nalen
Date: Thu, 29 Oct 2020 16:02:27 -0400
Subject: [PATCH 6/6] swapped position of 040090 and 040100

Signed-off-by: George Nalen
---
 tasks/fix-cat2.yml | 54 +++++++++++++++++++++++-----------------------
 1 file changed, 27 insertions(+), 27 deletions(-)

diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
index b3287159..6283ca2c 100644
--- a/tasks/fix-cat2.yml
+++ b/tasks/fix-cat2.yml
@@ -3105,6 +3105,32 @@ - RHEL-08-040080 - usb_devices +- name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8." + block: + - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install firewalld" + dnf: + name: firewalld + state: present + when: rhel8stig_firewall_service == "firewalld" + + - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables" + dnf: + name: iptables-services + state: present + when: rhel8stig_firewall_service == "iptables" + + - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Start and enable service" + service: + name: "{{ rhel8stig_firewall_service }}" + state: started + enabled: yes + when: + - rhel_08_040100 + tags: + - RHEL-08-040100 + - firewall + - "{{ rhel8stig_firewall_service }}" + - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems." block: - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone"
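Review bot: `enabled: yes` in the moved "Start and enable service" task is a YAML 1.1 truthy spelling; write `enabled: true` so yamllint and YAML 1.2 parsers agree with what Ansible does with it. The two install tasks only fire for `rhel8stig_firewall_service == "firewalld"` or `"iptables"`, so presumably any other value installs nothing and the service task then fails trying to start an absent unit; an `assert:` on the variable at the top of the block, or a `fail:` branch, would turn that into a clear message instead of a service error. The RHEL-08-040090 task that closes the hunk continues outside it.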
@@ -3137,33 +3163,7 @@ - rhel_08_040090 tags: - RHEL-08-040090 - - firewall - -- name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8." - block: - - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install firewalld" - dnf: - name: firewalld - state: present - when: rhel8stig_firewall_service == "firewalld" - - - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables" - dnf: - name: iptables-services - state: present - when: rhel8stig_firewall_service == "iptables" - - - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Start and enable service" - service: - name: "{{ rhel8stig_firewall_service }}" - state: started - enabled: yes - when: - - rhel_08_040100 - tags: - - RHEL-08-040100 - - firewall - - "{{ rhel8stig_firewall_service }}" + - firewall - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled." block: