Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feb 24 updates to devel #58

Merged
merged 12 commits into from
Mar 6, 2024
Merged

Feb 24 updates to devel #58

merged 12 commits into from
Mar 6, 2024

Conversation

uk-bolly
Copy link
Member

Overall Review of Changes:
Updates to Audit method

  • Tidy up or audit template
  • audit_only option added

Issue Fixes:
#14 added always tag to ensure GPG package updated

How has this been tested?:
Manually

@uk-bolly
updated to use ansible_facts variables
8f973fb 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
Merge branch 'devel' into Feb_24
8ae2bf3
@uk-bolly
Squashed commit of the following:
3494538 
commit 0cad737fe35db33ff0b867ac4439688cd2bcb009
Author: Mark Bolwell <mark.bollyuk@gmail.com>
Date:   Fri Feb 23 09:41:39 2024 +0000

    updated and tidied up

    Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

commit 1fa72013209866be66f7f2a353b9cf6264a3681d
Author: Mark Bolwell <mark.bollyuk@gmail.com>
Date:   Fri Feb 23 09:41:10 2024 +0000

    audit_only

    Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
Always tag for 1.2.1 gpg_key package update #14
abb55c1 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
tidy up prelim removal step
ee60af6 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
updated changelog
d75e1f6 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
removed inject facts as vars
cd1c1f5 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly uk-bolly changed the title Feb 24 Feb 24 updates to devel Feb 23, 2024
@uk-bolly
4.6.5 related to #27 thanks to @DianaMariaDDM
2511f5a 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
6.1.10 thanks to @DianaMariaDDM #37
0326c0b 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
tage change to alwasy thanks to @DianaMariaDDM #41
da7c8b1 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
updated changelog
0cec444 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
updated changelog
403c728 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
georgenalen
georgenalen approved these changes Mar 5, 2024
View reviewed changes
Copy link

@georgenalen georgenalen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@uk-bolly uk-bolly merged commit b238cf5 into devel Mar 6, 2024
4 checks passed
@uk-bolly uk-bolly deleted the Feb_24 branch March 6, 2024 10:55
uk-bolly added a commit that referenced this pull request Apr 15, 2024
@uk-bolly @DianaMariaDDM
@pre-commit-ci @tom-henderson
New release to main (#70)
01dd973 
* Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/3 by editing the destination path!

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/4 by masking both the socket and the service!

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/6 by editing the value of `clientalivecountmax` to 3!

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/2 by using `import_tasks` module so as the rules will get added and executed!

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/5 by adding the necessary lines to both sshd_config file and sshd_config.d/ files. The same method is used for all the rules from 4.2.x, to make them compliant with CISs checks.

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* Removing trailing whitespaces

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* Removing trailing whitespaces and fixing an end-of-file

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* Refactoring docs

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* Small fixings for https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/19

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* Removing trailing whitespace

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* Fixing fail message so that is states the correct number of the rule that requires the root password to be set

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* Fixing inconsistencies for issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/22

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* Fixing minor syntax issues by adding missing "PATCH" keywords or missing "|".

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* Fixing PRELIM task "PRELIM | 4.3.3 | Find all sudoers files" mentioned in issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/22.

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* Removing 1.1.2.1 from multiline task 1.1.2.2 ,1.1.2.3, 1.1.2.4 because it was not supposed to be there!

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* Removing prelim for installing authconfig, as it is not used.

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* [pre-commit.ci] pre-commit autoupdate

updates:
- [github.com/pre-commit/pre-commit-hooks: v4.4.0 → v4.5.0](pre-commit/pre-commit-hooks@v4.4.0...v4.5.0)
- [github.com/gitleaks/gitleaks: v8.17.0 → v8.18.2](gitleaks/gitleaks@v8.17.0...v8.18.2)
- [github.com/ansible-community/ansible-lint: v6.18.0 → v24.2.0](ansible/ansible-lint@v6.18.0...v24.2.0)
- [github.com/adrienverge/yamllint.git: v1.32.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.35.1)

* Removing the 6.1.12 duplicate task and adding it to the 6.1.10 task as it was implementing something needed by 6.1.10.

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* De-commenting allow and deny variables for sshd.

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* Removing double import of cis_5.3.yml.

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* As authconfig is not needed anymore, the variable related to its installation is removed!

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>

* Feb 24 updates to devel (#58)

* updated to use ansible_facts variables

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Squashed commit of the following:

commit 0cad737fe35db33ff0b867ac4439688cd2bcb009
Author: Mark Bolwell <mark.bollyuk@gmail.com>
Date:   Fri Feb 23 09:41:39 2024 +0000

    updated and tidied up

    Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

commit 1fa72013209866be66f7f2a353b9cf6264a3681d
Author: Mark Bolwell <mark.bollyuk@gmail.com>
Date:   Fri Feb 23 09:41:10 2024 +0000

    audit_only

    Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Always tag for 1.2.1 gpg_key package update #14

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* tidy up prelim removal step

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated changelog

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed inject facts as vars

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* 4.6.5 related to #27 thanks to @DianaMariaDDM

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* 6.1.10 thanks to @DianaMariaDDM #37

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* tage change to alwasy thanks to @DianaMariaDDM #41

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated changelog

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated changelog

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

---------

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated ansible fact naming and checkout action (#64)

* updated ansible fact naming for ansible_facts.virtualization_type

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated checkout version

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* ansible fact update

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated ansible facts and timeout now inherited

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

---------

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* [pre-commit.ci] pre-commit autoupdate (#65)

updates:
- [github.com/ansible-community/ansible-lint: v24.2.0 → v24.2.1](ansible/ansible-lint@v24.2.0...v24.2.1)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

* 4.2.16: Add variable for SSH MaxAuthTries (#66)

Signed-off-by: Tom Henderson <tom.henderson@pushpay.com>

* 4.2.16: Correct variable name and required max value (#67)

Signed-off-by: Tom Henderson <tom.henderson@pushpay.com>

* March 24 updates (#68)

* addressed #59 thanks to @DianaMariaDDM

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* issue #59 thanks to @DianaMariaDDM

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* issue #62 thanks to @DianaMariaDDM

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated variable name in conditional

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated container check

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated authselect PR

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fix conditional typo

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fix conditional typo

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fix var typo

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

---------

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* [pre-commit.ci] pre-commit autoupdate (#69)

updates:
- [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](pre-commit/pre-commit-hooks@v4.5.0...v4.6.0)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

---------

Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
Signed-off-by: DianaMariaDDM <143085010+DianaMariaDDM@users.noreply.github.com>
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Signed-off-by: Tom Henderson <tom.henderson@pushpay.com>
Co-authored-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: DianaMariaDDM <143085010+DianaMariaDDM@users.noreply.github.com>
Co-authored-by: Tom Henderson <tomhenderson@mac.com>
Co-authored-by: Tom Henderson <tom.henderson@pushpay.com>
@uk-bolly uk-bolly mentioned this pull request Aug 13, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@georgenalen georgenalen georgenalen approved these changes

@MrSteve81 MrSteve81 Awaiting requested review from MrSteve81

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@uk-bolly @georgenalen