Merge pull request #11 from ansible-lockdown/devel

Initial release

.ansible-lint

@@ -6,12 +6,10 @@ skip_list:
     - 'schema'
     - 'no-changed-when'
     - 'var-spacing'
-    - 'fqcn-builtins'
     - 'experimental'
     - 'name[play]'
     - 'name[casing]'
     - 'name[template]'
-    - 'fqcn[action]'
     - 'key-order[task]'
     - '204'
     - '305'

.config/.secrets.baseline

@@ -105,18 +105,15 @@
     },
     {
       "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    },
+    {
+      "path": "detect_secrets.filters.regex.should_exclude_file",
+      "pattern": [
+        ".config/.gitleaks-report.json",
+        "tasks/parse_etc_password.yml"
+      ]
     }
   ],
-  "results": {
-    "tasks/parse_etc_password.yml": [
-      {
-        "type": "Secret Keyword",
-        "filename": "tasks/parse_etc_password.yml",
-        "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
-        "is_verified": false,
-        "line_number": 18
-      }
-    ]
-  },
-  "generated_at": "2023-08-23T10:10:15Z"
+  "results": {},
+  "generated_at": "2023-09-22T13:20:34Z"
 }

.github/workflows/devel_pipeline_validation.yml

@@ -27,7 +27,7 @@
                   repo-token: ${{ secrets.GITHUB_TOKEN }}
                   pr-message: |-
                       Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                      Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+                      Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
         # This workflow contains a single job which tests the playbook
         playbook-test:

.yamllint

@@ -30,4 +30,4 @@ rules:
     trailing-spaces: enable
     truthy:
         allowed-values: ['true', 'false']
-        check-keys: false
+        check-keys: true

README.md

@@ -1,8 +1,4 @@
-# AMAZON 2023 CIS - Beta
-
-****************************
-NOTE AUDIT NOT YET AVAILABLE
-****************************
+# AMAZON 2023 CIS
 
 ## Configure a Amazon 2023 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant
 
@@ -16,7 +12,7 @@ NOTE AUDIT NOT YET AVAILABLE
 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
 
-![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61781?label=Quality&&logo=ansible)
+![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
@@ -26,7 +22,7 @@ NOTE AUDIT NOT YET AVAILABLE
 [![Main Pipeline Status](https://github.com/ansible-lockdown/AMAZON2023-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/AMAZON2023-CIS/actions/workflows/main_pipeline_validation.yml)
 
 [![Devel Pipeline Status](https://github.com/ansible-lockdown/AMAZON2023-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/AMAZON2023-CIS/actions/workflows/devel_pipeline_validation.yml)
-![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/AMAZON2023-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits)
+![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/AMAZON2023-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits)
 
 ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/AMAZON2023-CIS?label=Open%20Issues)
 ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/AMAZON2023-CIS?label=Closed%20Issues&&color=success)
@@ -38,13 +34,13 @@ NOTE AUDIT NOT YET AVAILABLE
 
 ## Looking for support?
 
-[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RH9_cis)
+[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_AMZ2023_cis)
 
-[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RH9_cis)
+[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_AMZ2023_cis)
 
 ### Community
 
-Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.
+Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.
 
 ### Contributing
 
@@ -96,10 +92,10 @@ Refer to [AMAZON2023-CIS-Audit](https://github.com/ansible-lockdown/AMAZON2023-C
 ## Documentation
 
 - [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/)
-- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown#GH_AL_RH9_cis)
-- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise#GH_AL_RH9_cis)
-- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration#GH_AL_RH9_cis)
-- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise#GH_AL_RH9_cis)
+- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown#GH_AL_AMZ2023_cis)
+- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise#GH_AL_AMZ2023_cis)
+- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration#GH_AL_AMZ2023_cis)
+- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise#GH_AL_AMZ2023_cis)
 
 ## Requirements
 
@@ -195,7 +191,6 @@ uses:
 
 ## Added Extras
 
-- makefile - this is there purely for testing and initial setup purposes.
 - [pre-commit](https://pre-commit.com) can be tested and can be run from within the directory
 
 ```sh

defaults/main.yml

@@ -61,6 +61,9 @@ run_audit: false
 # Timeout for those cmds that take longer to run where timeout set
 audit_cmd_timeout: 60000
 
+# Some tests can be resource heavy allow these to take place
+amzn2023cis_run_heavy_tests: true
+
 ### End Goss enablements ####
 #### Detailed settings found at the end of this document ####
 
@@ -380,7 +383,7 @@ amzn2023cis_aide_cron:
 
 # SELinux policy
 amzn2023cis_selinux_pol: targeted
-# chose onf or enfocing or permissive
+# chose conf or enforcing or permissive
 amzn2023cis_selinux_enforce: enforcing
 
 # Whether or not to run tasks related to auditing/patching the desktop environment
@@ -419,15 +422,10 @@ amzn2023cis_is_mail_server: false
 # Note the options
 # Packages are used for client services and Server- only remove if you dont use the client service
 #
-
-amzn2023cis_use_nfs_server: false
-amzn2023cis_use_nfs_service: false
-
-amzn2023cis_use_rpc_server: false
-amzn2023cis_use_rpc_service: false
-
-amzn2023cis_use_rsync_server: false
-amzn2023cis_use_rsync_service: false
+# optional either remove or mask
+amzn2023cis_nfs_server: mask
+amzn2023cis_rpc_server: mask
+amzn2023cis_rsync_server: mask
 
 #### 2.3 Service clients
 amzn2023cis_telnet_required: false
@@ -475,10 +473,10 @@ amzn2023cis_auditd:
     max_log_file_action: keep_logs
 
 # The audit_back_log_limit value should never be below 8192
-amzn2023cis_audit_back_log_limit: 8192
+amzn2023cis_audit_back_log_limit: '8192'
 
 # The max_log_file parameter should be based on your sites policy
-amzn2023cis_max_log_file_size: 10
+amzn2023cis_max_log_file_size: '10'
 
 ### 4.1.3.x audit template
 update_audit_template: false
@@ -495,7 +493,7 @@ amzn2023cis_auditd_extra_conf: {}
 ## Preferred method of logging
 ## Whether rsyslog or journald preferred method for local logging
 ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5
-amzn2023cis_syslog: rsyslog
+amzn2023cis_syslog_service: rsyslog
 amzn2023cis_rsyslog_ansiblemanaged: true
 
 #### 4.2.1.6 remote and destation log server name
@@ -570,7 +568,7 @@ amzn2023cis_authselect_custom_profile_select: false
 
 amzn2023cis_pass:
     max_days: 365
-    min_days: 7
+    min_days: 1
     warn_age: 7
 
 # UID settings for interactive users
@@ -636,10 +634,10 @@ audit_run_script_environment:
     AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
 
 ### Goss binary settings ###
-audit_bin_release: v0.3.23
+audit_bin_release: v0.4.0
 audit_bin_version:
-    AMD64_checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d'
-    ARM64_checksum: 'sha256:7b0794fa590857e7d64ef436e1a100ca26f6039f269a6138009aa837d27d7f9e'
+    AMD64_checksum: 'sha256:9cb37863d3d25e2af80cb5cf55198c0c115b2477724153ba9afd0a2e544cb46e'
+    ARM64_checksum: 'sha256:ce364fad93f9c0702e73767d60fddbb87a8c5f2a586b0d99ec823e8331e6a73b'
 audit_bin_path: /usr/local/bin/
 audit_bin: "{{ audit_bin_path }}goss"
 audit_format: json

tasks/LE_audit_setup.yml

@@ -23,7 +23,7 @@
   when:
       - get_audit_binary_method == 'download'
 
-- name: Pre Audit Setup | copy audit binary
+- name: Pre Audit Setup | Copy audit binary
   ansible.builtin.copy:
       src: "{{ audit_bin_copy_location }}"
       dest: "{{ audit_bin }}"

tasks/auditd.yml

@@ -20,7 +20,8 @@
       - Restart auditd
 
 - name: POST | AUDITD | Add Warning count for changes to template file | Warn Count  # noqa no-handler
-  ansible.builtin.import_tasks: warning_facts.yml
+  ansible.builtin.import_tasks:
+      file: warning_facts.yml
   vars:
       warn_control_id: 'Auditd template updated, see diff output for details'
   when: