Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merge devel to main #214

Merged
merged 77 commits into from
Jul 4, 2022
Merged

Merge devel to main #214

merged 77 commits into from
Jul 4, 2022

Conversation

uk-bolly
Copy link
Member

@uk-bolly uk-bolly commented Jun 30, 2022
edited
Loading

Signed-off-by: Mark Bolwell mark.bollyuk@gmail.com

Issues linked

Thanks to the community:
@ccravens
#160
#183
#204
@flwitten
#180
#181
#182
#185
@ChandlerSwift
#187
#192
#195
@scottdoane
#203
@ztmr
#190
@Thulium-Drake
#196
#198
#200
#208
@pavloos
#186

#201
#205
#210
#211
#213

Enhancements

  • changed crypto to DEFAULT in defaults/main and updated as allowed option
  • 3.4.1.2 - removed enabled option as errors if masked and enable option
  • github workflow added branch option to issues.
  • Dynamic UID discovery
  • several title updates and alignments
  • logic and idempotence improvement
  • tag updates and fixes
  • removed config no longer used
  • dynamic container discovery
  • update container variables and usage
  • firewall services audit template output now works with goss correctly
  • firewall services included cockpit as default
  • 4.2.2.1.4 - changed to be socket service as per documentation
  • update to auditd template
  • uses facts and template new variable
  • update_audit_template (default false)
  • 3.4.1.5 discovery improvement
  • 5.6.1.4 discovery improvement
  • Added a warning comment managed by Ansible to all template files

uk-bolly and others added 30 commits February 20, 2022 14:32
@uk-bolly
added workflow data
c03018d 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
addec collections file
6d1ec85 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
merged
6b64967 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
Merge branch 'devel' of github.com:ansible-lockdown/RHEL8-CIS into devel
ed3d8f0
@uk-bolly
Merge branch 'devel' of github.com:ansible-lockdown/RHEL8-CIS into devel
4ef266f
@uk-bolly
latest merged
6255e5b 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
#180 boot password logic
3261546 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
#181 fixed typo 1.8.5
f24125e 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
fixed variable name
72351b1 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
#160 & #183 crontab location change
338137c 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
updated logic for pwd hash assertion
eb90a0b 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
updated gpg key check
f5876f6 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
updated with issues
f7ccbaa 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
added branch to issue template
504a7e6 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
Added Crypto to become DEFAULT not FUTURE
f65dd59 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
removed enabled option when used with mask
3e79d60 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
updated changelog
4e6c26c 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
Add workflow change
b9d7339 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
Merge pull request #184 from ansible-lockdown/April_issues
e1b7290 
April issues
@ChandlerSwift
Always run parse_etc_passwd.yml
be3db9e 
Signed-off-by: Chandler Swift <chandler+pearson@chandlerswift.com>
@uk-bolly
Merge pull request #188 from ChandlerSwift/devel
c8883b9 
Always run parse_etc_passwd.yml
@pavloos
Allow setting environment for run_audit.sh invocation
742a747 
Signed-off-by: Pawel Fiuto <pavloos@gmail.com>
@uk-bolly
Merge pull request #191 from pavloos/devel
2b7606a 
Allow setting environment for run_audit.sh invocation
@ChandlerSwift
Fix flipped conditional in 5.6.2
81daf5c 
Fixes #192.

From the issue:

> **Describe the Issue**
> 6.5.2 has a flipped conditional, and locks out roughly the complement
> of the set it should lock out.
>
> **Expected Behavior**
> System accounts (UID&lt;1000) have shell set to `nologin`, and have a
> locked password in `/etc/shadow`.
>
> **Actual Behavior**
> All accounts except those (well, not counting an off-by-one bug with
> the account 1000) get locked out, but not the onew that are supposed
> to be locked out.
>
> **Control(s) Affected**
> 6.5.2
>
> **Additional Notes**
> As noted in the CIS documentation, `rhel8cis_int_gid` should be parsed
> out of `/etc/login.defs`, not hardcoded.
>
> The CIS docs suggest we should be comparing the `item.uid` of the
> user, not `item.gid`.
>
> Since I'm not aware of the full rationale behind those two points,
> I've excluded those fixes from the PR.

Signed-off-by: Chandler Swift <chandler+pearson@chandlerswift.com>
@ChandlerSwift
Fix path for /etc/group control 6.1.5
ec66e7c 
Fixes #194

Signed-off-by: Chandler Swift <chandler+pearson@chandlerswift.com>
@uk-bolly
Merge pull request #195 from ChandlerSwift/bugfix/fix-6.1.5-for-issue…
b073314 
…-194

Fix path for /etc/group control 6.1.5
@Thulium-Drake
Added extra conditions to prevent breaking GUI workstations
6f2a939 
Signed-off-by: Jeffrey van Pelt <jeff@vanpelt.one>
@georgenalen
Merge pull request #198 from Thulium-Drake/fix_197
3a6d0fe 
Fix #197
@uk-bolly
fixed typo
af20cbe 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
Merge pull request #201 from ansible-lockdown/rule_4.1.3.7
092f8e8 
fixed typo in 4.1.3.7 rule
uk-bolly and others added 26 commits June 8, 2022 12:22
@uk-bolly
changed syslog default to rsyslog
e770b6e 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
changed default syslog to rsyslog
60d2d6f 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
#190 update container checks
dcdb527 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
#189 cloudinit bug and running levels individually
d9dad53 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
#200 incorporated thanks to @Thulium-Drake
18495ba 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
#206 removed repeated flush handlers
482f75b 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
updated the container vars
08aa8bb 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
container var update
f4d6e15 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
updated changelog
694358d 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
added file and variable
6c52982 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
Merge pull request #205 from ansible-lockdown/improvements
f3cd592 
Improvements
@Thulium-Drake
Excluded nobody user from 6.2.10
0e168b2 
Signed-off-by: Jeffrey van Pelt <jeff@vanpelt.one>
@uk-bolly
Merge pull request #208 from Thulium-Drake/fix_6_2_11
cff2c76 
Excluded nobody user from 6.2.10
@uk-bolly
updated fw svcs and aligned for audit
fa46aac 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
aligned to benchmark for socket process
2dd7e64 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
changed_when bool now false
cad81ac 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
idempotent improvements auditd
69d05e8 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
discovery improvement
6b8f397 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
discovery improvements
961faba 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
changelog updated
4a75868 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
fixed typo
612fd9d 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
tidy up become statements
2ec73ac 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
Merge pull request #210 from ansible-lockdown/audit_alignment
07f4ea5 
Audit alignment
@uk-bolly
Merge pull request #211 from ansible-lockdown/idempotent_improvements
2fabf2a 
Idempotent improvements
@uk-bolly
added managed by ansible warning
8b41132 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@uk-bolly
Merge pull request #213 from ansible-lockdown/template_warnings
1ee0d1e 
added managed by ansible warning to templates
@uk-bolly uk-bolly marked this pull request as ready for review June 30, 2022 16:26
georgenalen
georgenalen approved these changes Jun 30, 2022
View reviewed changes
Copy link
Contributor

@georgenalen georgenalen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

@uk-bolly uk-bolly merged commit 0220ed1 into main Jul 4, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@georgenalen georgenalen georgenalen approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@uk-bolly @georgenalen @ChandlerSwift @pavloos @Thulium-Drake