diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json
index ba634848..5fcadd2b 100644
--- a/.config/.gitleaks-report.json
+++ b/.config/.gitleaks-report.json
@@ -1,4 +1,104 @@ [ + { + "Description": "Generic API Key", + "StartLine": 9, + "EndLine": 9, + "StartColumn": 5, + "EndColumn": 55, + "Match": "Secret\": \"0f5b530255e5a064cc73699e4fa44ba8b2ad399f\"", + "Secret": "0f5b530255e5a064cc73699e4fa44ba8b2ad399f", + "File": ".config/.gitleaks-report.json", + "SymlinkFile": "", + "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e", + "Entropy": 3.7561984, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-09-13T11:09:38Z", + "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:9" + }, + { + "Description": "Generic API Key", + "StartLine": 29, + "EndLine": 29, + "StartColumn": 5, + "EndColumn": 39, + "Match": "Secret\": \"grub.pbkdf2.sha512.10000\"", + "Secret": "grub.pbkdf2.sha512.10000", + "File": ".config/.gitleaks-report.json", + "SymlinkFile": "", + "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e", + "Entropy": 3.8035088, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-09-13T11:09:38Z", + "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:29" + }, + { + "Description": "Generic API Key", + "StartLine": 49, + "EndLine": 49, + "StartColumn": 5, + "EndColumn": 55, + "Match": "Secret\": \"4fae1797297d5c73819a504516f2de7740e4b52d\"", + "Secret": "4fae1797297d5c73819a504516f2de7740e4b52d", + "File": ".config/.gitleaks-report.json", + "SymlinkFile": "", + "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e", + "Entropy": 3.7898228, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-09-13T11:09:38Z", + "Message": "updated secrets 
scan\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:49" + }, + { + "Description": "Generic API Key", + "StartLine": 69, + "EndLine": 69, + "StartColumn": 5, + "EndColumn": 55, + "Match": "Secret\": \"f395ee0a2d842bfcf81da0aad13591e2a9311fe1\"", + "Secret": "f395ee0a2d842bfcf81da0aad13591e2a9311fe1", + "File": ".config/.gitleaks-report.json", + "SymlinkFile": "", + "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e", + "Entropy": 3.618454, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-09-13T11:09:38Z", + "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:69" + }, + { + "Description": "Generic API Key", + "StartLine": 89, + "EndLine": 89, + "StartColumn": 5, + "EndColumn": 55, + "Match": "Secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", + "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "File": ".config/.gitleaks-report.json", + "SymlinkFile": "", + "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e", + "Entropy": 3.8439426, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-09-13T11:09:38Z", + "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:89" + }, { "Description": "Generic API Key", "StartLine": 133,
diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
index 23ed11cf..85b45d85 100644
--- a/.config/.secrets.baseline
+++ b/.config/.secrets.baseline
@@ -75,6 +75,10 @@
 {
 "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
 },
+ {
+ "path": "detect_secrets.filters.common.is_baseline_file",
+ "filename": ".config/.secrets.baseline"
+ },
 {
 "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
 "min_level": 2
@@ -120,14 +124,16 @@
 "filename": "defaults/main.yml",
 "hashed_secret": "4fae1797297d5c73819a504516f2de7740e4b52d",
 "is_verified": false,
- "line_number": 480
+ "line_number": 480,
+ "is_secret": false
 },
 {
 "type": "Secret Keyword",
 "filename": "defaults/main.yml",
 "hashed_secret": "0f5b530255e5a064cc73699e4fa44ba8b2ad399f",
 "is_verified": false,
- "line_number": 623
+ "line_number": 623,
+ "is_secret": false
 }
 ],
 "tasks/main.yml": [
@@ -136,7 +142,8 @@
 "filename": "tasks/main.yml",
 "hashed_secret": "f395ee0a2d842bfcf81da0aad13591e2a9311fe1",
 "is_verified": false,
- "line_number": 54
+ "line_number": 54,
+ "is_secret": false
 }
 ],
 "tasks/parse_etc_password.yml": [
@@ -149,5 +156,5 @@
 }
 ]
 },
- "generated_at": "2023-09-13T11:09:17Z"
+ "generated_at": "2023-09-19T11:33:19Z"
 }
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index 76c3a8a4..1680d197 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@@ -66,4 +66,4 @@ following text in your contribution commit message: This message can be entered manually, or if you have configured git with the correct `user.name` and `user.email`, you can use the `-s`
-option to `git commit` to automatically include the signoff message.
\ No newline at end of file
+option to `git commit` to automatically include the signoff message.
diff --git a/tasks/section_5/cis_5.1.2.x.yml b/tasks/section_5/cis_5.1.2.x.yml
index e83ee509..ca62a624 100644
--- a/tasks/section_5/cis_5.1.2.x.yml
+++ b/tasks/section_5/cis_5.1.2.x.yml
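Review bot: The `is_baseline_file` filter added at the top of the `@@ -75,6 +75,10 @@` hunk keeps detect-secrets from re-flagging its own baseline, but the `.config/.gitleaks-report.json` change in this same commit shows gitleaks has no equivalent exclusion: every entry added there has `File` pointing at the report itself, and three of the five carry a `Secret` equal to a `hashed_secret` visible in this hunk (`4fae…`, `0f5b…`, `f395…`), so each run re-reports the previous report and the file grows by one generation per scan. By the key name those values are detect-secrets hashes rather than live credentials, so the findings are noise, but they will keep tripping `generic-api-key` until the report path is excluded from the gitleaks scan (a `paths` allowlist entry in the gitleaks config or a `.gitleaksignore` fingerprint) or the report is kept out of version control. The `is_secret: false` marks in the later hunks record an audit decision; a line in the commit message saying why the three `Secret Keyword` hits in `defaults/main.yml` and `tasks/main.yml` are false positives would make the next audit easier.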
@@ -89,6 +89,7 @@
 regexp: "{{ item.regexp }}"
 line: "{{ item.line }}"
 insertafter: "{{ item.insertafter }}"
+ create: true
 with_items:
 - { regexp: '^\*.emerg', line: '*.emerg :omusrmsg:*', insertafter: '^# Emergencies are sent to everybody logged in' }
 - { regexp: '^auth,authpriv.\*', line: 'auth,authpriv.* /var/log/auth.log', insertafter: '^# First some standard log files. Log by facility' }
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
index 5ee2bcf9..fb608066 100644
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@@ -3,13 +3,11 @@ audit_run: ansible # This is forced to wrapper by running the run_audit wrapper benchmark_version: '2.0.1' - -# Some audit tests may need to scan every filesystem or have an impact on a system +# Some audit tests may need to scan every filesystem or have an impact on a system # these may need be scheduled to minimise impact also ability to set a timeout if taking too long run_heavy_tests: {{ audit_run_heavy_tests }} timeout_ms: {{ audit_cmd_timeout }} - ubtu20cis_section1: true ubtu20cis_section2: true ubtu20cis_section3: true
@@ -281,7 +279,6 @@ ubtu20cis_rule_5_1_2_7: {{ ubtu20cis_rule_5_1_2_7 }} ubtu20cis_rule_5_1_3: {{ ubtu20cis_rule_5_1_3 }} - ubtu20cis_rule_5_2_1_1: {{ ubtu20cis_rule_5_2_1_1 }} ubtu20cis_rule_5_2_1_2: {{ ubtu20cis_rule_5_2_1_2 }} ubtu20cis_rule_5_2_1_3: {{ ubtu20cis_rule_5_2_1_3 }}
@@ -339,7 +336,6 @@ ubtu20cis_rule_6_1_11: {{ ubtu20cis_rule_6_1_11 }} ubtu20cis_rule_6_1_12: {{ ubtu20cis_rule_6_1_12 }} ubtu20cis_rule_6_1_13: {{ ubtu20cis_rule_6_1_13 }} - ubtu20cis_rule_6_2_1: {{ ubtu20cis_rule_6_2_1 }} ubtu20cis_rule_6_2_2: {{ ubtu20cis_rule_6_2_2 }} ubtu20cis_rule_6_2_3: {{ ubtu20cis_rule_6_2_3 }}
@@ -353,7 +349,6 @@ ubtu20cis_rule_6_2_10: {{ ubtu20cis_rule_6_2_10 }} ubtu20cis_rule_6_2_11: {{ ubtu20cis_rule_6_2_11 }} ubtu20cis_rule_6_2_12: {{ ubtu20cis_rule_6_2_12 }} - # AIDE ubtu20cis_config_aide: true
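Review bot: `create: true` lets this `lineinfile` task create the rsyslog configuration file when it is absent, but nothing visible pins `owner`, `group` or `mode`, so a newly created file gets whatever the target's umask yields; the task header with its `path` sits above the hunk, and if those attributes are not set there they belong next to the new line, for example `mode: '0644'`. When the file is freshly created the `insertafter` anchors cannot match and both entries are simply appended, which is acceptable for rsyslog but deserves a comment on the new line such as `create: true  # file may be absent; insertafter anchors then fall back to EOF`. The enclosing task starts outside the hunk.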
@@ -442,7 +437,6 @@ ubtu20_exim_conf: - dc_mailname_in_oh='true' - dc_localdelivery='mail_spool' - ubtu20cis_rsyncd_server: {{ ubtu20cis_rsync_server }} ubtu20cis_nis_server: {{ ubtu20cis_nis_server }}
@@ -455,7 +449,6 @@ ubtu20cis_telnet_required: {{ ubtu20cis_telnet_required }} ubtu20cis_ldap_clients_required: {{ ubtu20cis_ldap_clients_required }} ubtu20cis_rpc_required: {{ ubtu20cis_rpc_required }} - # Section 3 # IPv6 required ubtu20cis_ipv6_required: {{ ubtu20cis_ipv6_required }}
@@ -463,7 +456,6 @@ ubtu20cis_ipv6_required: {{ ubtu20cis_ipv6_required }} # System network parameters (host only OR host and router) ubtu20cis_is_router: false - ubtu20cis_firewall: {{ ubtu20cis_firewall_package }} ubtu20_default_firewall_zone: public
@@ -519,7 +511,6 @@ ubtu20cis_ssh_weak_kex: - diffie-hellman-group14-sha1 - diffie-hellman-group-exchange-sha1 - ubtu20cis_ssh_aliveinterval: 300 ubtu20cis_ssh_countmax: 3 ## PAM
diff --git a/templates/audit/ubtu20cis_5_2_3_6_privileged.rules.j2 b/templates/audit/ubtu20cis_5_2_3_6_privileged.rules.j2
index a005b3c2..47de8267 100644
--- a/templates/audit/ubtu20cis_5_2_3_6_privileged.rules.j2
+++ b/templates/audit/ubtu20cis_5_2_3_6_privileged.rules.j2
@@ -1,3 +1,3 @@
-{% for proc in priv_procs.stdout_lines -%}
+{% for proc in priv_procs.stdout_lines -%}
 -a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 {% endfor %}
diff --git a/templates/chrony.conf.j2 b/templates/chrony.conf.j2
index 119165dc..1102ce60 100644
--- a/templates/chrony.conf.j2
+++ b/templates/chrony.conf.j2
@@ -90,4 +90,4 @@ logchange 0.5 # change it if necessary. rtconutc
-user {{ ubtu20cis_chrony_user }}
\ No newline at end of file
+user {{ ubtu20cis_chrony_user }}
diff --git a/templates/etc/systemd/timesyncd.conf.d/50-timesyncd.conf.j2 b/templates/etc/systemd/timesyncd.conf.d/50-timesyncd.conf.j2
index 7442cd42..9136a6bf 100644
--- a/templates/etc/systemd/timesyncd.conf.d/50-timesyncd.conf.j2
+++ b/templates/etc/systemd/timesyncd.conf.d/50-timesyncd.conf.j2
@@ -6,6 +6,4 @@ NTP={% for pool in ubtu20cis_time_pool %}{{ pool.name }}{% endfor %} - FallbackNTP={% for servers in ubtu20cis_time_servers %}{{ servers.name }} {% endfor %} -
diff --git a/templates/ntp.conf.j2 b/templates/ntp.conf.j2
index 1a8bbecf..d2d32f1f 100644
--- a/templates/ntp.conf.j2
+++ b/templates/ntp.conf.j2
@@ -66,4 +66,4 @@ restrict source notrap nomodify noquery #fudge 127.127.8.1 time1 0.0042 # relative to PPS for my hardware #server 127.127.22.1 # ATOM(PPS)
-#fudge 127.127.22.1 flag3 1 # enable PPS API
\ No newline at end of file
+#fudge 127.127.22.1 flag3 1 # enable PPS API