added to create when configured logfile does not exist

.config/.gitleaks-report.json

@@ -1,4 +1,104 @@
 [
+ {
+  "Description": "Generic API Key",
+  "StartLine": 9,
+  "EndLine": 9,
+  "StartColumn": 5,
+  "EndColumn": 55,
+  "Match": "Secret\": \"0f5b530255e5a064cc73699e4fa44ba8b2ad399f\"",
+  "Secret": "0f5b530255e5a064cc73699e4fa44ba8b2ad399f",
+  "File": ".config/.gitleaks-report.json",
+  "SymlinkFile": "",
+  "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e",
+  "Entropy": 3.7561984,
+  "Author": "Mark Bolwell",
+  "Email": "[email protected]",
+  "Date": "2023-09-13T11:09:38Z",
+  "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \[email protected]\u003e",
+  "Tags": [],
+  "RuleID": "generic-api-key",
+  "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:9"
+ },
+ {
+  "Description": "Generic API Key",
+  "StartLine": 29,
+  "EndLine": 29,
+  "StartColumn": 5,
+  "EndColumn": 39,
+  "Match": "Secret\": \"grub.pbkdf2.sha512.10000\"",
+  "Secret": "grub.pbkdf2.sha512.10000",
+  "File": ".config/.gitleaks-report.json",
+  "SymlinkFile": "",
+  "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e",
+  "Entropy": 3.8035088,
+  "Author": "Mark Bolwell",
+  "Email": "[email protected]",
+  "Date": "2023-09-13T11:09:38Z",
+  "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \[email protected]\u003e",
+  "Tags": [],
+  "RuleID": "generic-api-key",
+  "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:29"
+ },
+ {
+  "Description": "Generic API Key",
+  "StartLine": 49,
+  "EndLine": 49,
+  "StartColumn": 5,
+  "EndColumn": 55,
+  "Match": "Secret\": \"4fae1797297d5c73819a504516f2de7740e4b52d\"",
+  "Secret": "4fae1797297d5c73819a504516f2de7740e4b52d",
+  "File": ".config/.gitleaks-report.json",
+  "SymlinkFile": "",
+  "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e",
+  "Entropy": 3.7898228,
+  "Author": "Mark Bolwell",
+  "Email": "[email protected]",
+  "Date": "2023-09-13T11:09:38Z",
+  "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \[email protected]\u003e",
+  "Tags": [],
+  "RuleID": "generic-api-key",
+  "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:49"
+ },
+ {
+  "Description": "Generic API Key",
+  "StartLine": 69,
+  "EndLine": 69,
+  "StartColumn": 5,
+  "EndColumn": 55,
+  "Match": "Secret\": \"f395ee0a2d842bfcf81da0aad13591e2a9311fe1\"",
+  "Secret": "f395ee0a2d842bfcf81da0aad13591e2a9311fe1",
+  "File": ".config/.gitleaks-report.json",
+  "SymlinkFile": "",
+  "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e",
+  "Entropy": 3.618454,
+  "Author": "Mark Bolwell",
+  "Email": "[email protected]",
+  "Date": "2023-09-13T11:09:38Z",
+  "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \[email protected]\u003e",
+  "Tags": [],
+  "RuleID": "generic-api-key",
+  "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:69"
+ },
+ {
+  "Description": "Generic API Key",
+  "StartLine": 89,
+  "EndLine": 89,
+  "StartColumn": 5,
+  "EndColumn": 55,
+  "Match": "Secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"",
+  "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
+  "File": ".config/.gitleaks-report.json",
+  "SymlinkFile": "",
+  "Commit": "ccba850bbd069650698ee18c27592f0c6ccef12e",
+  "Entropy": 3.8439426,
+  "Author": "Mark Bolwell",
+  "Email": "[email protected]",
+  "Date": "2023-09-13T11:09:38Z",
+  "Message": "updated secrets scan\n\nSigned-off-by: Mark Bolwell \[email protected]\u003e",
+  "Tags": [],
+  "RuleID": "generic-api-key",
+  "Fingerprint": "ccba850bbd069650698ee18c27592f0c6ccef12e:.config/.gitleaks-report.json:generic-api-key:89"
+ },
  {
   "Description": "Generic API Key",
   "StartLine": 133,

.config/.secrets.baseline

@@ -75,6 +75,10 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".config/.secrets.baseline"
+    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -120,14 +124,16 @@
         "filename": "defaults/main.yml",
         "hashed_secret": "4fae1797297d5c73819a504516f2de7740e4b52d",
         "is_verified": false,
-        "line_number": 480
+        "line_number": 480,
+        "is_secret": false
       },
       {
         "type": "Secret Keyword",
         "filename": "defaults/main.yml",
         "hashed_secret": "0f5b530255e5a064cc73699e4fa44ba8b2ad399f",
         "is_verified": false,
-        "line_number": 623
+        "line_number": 623,
+        "is_secret": false
       }
     ],
     "tasks/main.yml": [
@@ -136,7 +142,8 @@
         "filename": "tasks/main.yml",
         "hashed_secret": "f395ee0a2d842bfcf81da0aad13591e2a9311fe1",
         "is_verified": false,
-        "line_number": 54
+        "line_number": 54,
+        "is_secret": false
       }
     ],
     "tasks/parse_etc_password.yml": [
@@ -149,5 +156,5 @@
       }
     ]
   },
-  "generated_at": "2023-09-13T11:09:17Z"
+  "generated_at": "2023-09-19T11:33:19Z"
 }

CONTRIBUTING.rst

@@ -66,4 +66,4 @@ following text in your contribution commit message:
 
 This message can be entered manually, or if you have configured git
 with the correct `user.name` and `user.email`, you can use the `-s`
-option to `git commit` to automatically include the signoff message.
+option to `git commit` to automatically include the signoff message.

tasks/section_5/cis_5.1.2.x.yml

@@ -89,6 +89,7 @@
             regexp: "{{ item.regexp }}"
             line: "{{ item.line }}"
             insertafter: "{{ item.insertafter }}"
+            create: true
         with_items:
             - { regexp: '^\*.emerg', line: '*.emerg                         :omusrmsg:*', insertafter: '^# Emergencies are sent to everybody logged in' }
             - { regexp: '^auth,authpriv.\*', line: 'auth,authpriv.*                  /var/log/auth.log', insertafter: '^# First some standard log files.  Log by facility' }

templates/ansible_vars_goss.yml.j2

@@ -3,13 +3,11 @@ audit_run: ansible # This is forced to wrapper by running the run_audit wrapper
 
 benchmark_version: '2.0.1'
 
-
-# Some audit tests may need to scan every filesystem or have an impact on a system 
+# Some audit tests may need to scan every filesystem or have an impact on a system
 # these may need be scheduled to minimise impact also ability to set a timeout if taking too long
 run_heavy_tests: {{ audit_run_heavy_tests }}
 timeout_ms: {{ audit_cmd_timeout }}
 
-
 ubtu20cis_section1: true
 ubtu20cis_section2: true
 ubtu20cis_section3: true
@@ -281,7 +279,6 @@ ubtu20cis_rule_5_1_2_7: {{ ubtu20cis_rule_5_1_2_7 }}
 
 ubtu20cis_rule_5_1_3: {{ ubtu20cis_rule_5_1_3 }}
 
-
 ubtu20cis_rule_5_2_1_1: {{ ubtu20cis_rule_5_2_1_1 }}
 ubtu20cis_rule_5_2_1_2: {{ ubtu20cis_rule_5_2_1_2 }}
 ubtu20cis_rule_5_2_1_3: {{ ubtu20cis_rule_5_2_1_3 }}
@@ -339,7 +336,6 @@ ubtu20cis_rule_6_1_11: {{ ubtu20cis_rule_6_1_11 }}
 ubtu20cis_rule_6_1_12: {{ ubtu20cis_rule_6_1_12 }}
 ubtu20cis_rule_6_1_13: {{ ubtu20cis_rule_6_1_13 }}
 
-
 ubtu20cis_rule_6_2_1: {{ ubtu20cis_rule_6_2_1 }}
 ubtu20cis_rule_6_2_2: {{ ubtu20cis_rule_6_2_2 }}
 ubtu20cis_rule_6_2_3: {{ ubtu20cis_rule_6_2_3 }}
@@ -353,7 +349,6 @@ ubtu20cis_rule_6_2_10: {{ ubtu20cis_rule_6_2_10 }}
 ubtu20cis_rule_6_2_11: {{ ubtu20cis_rule_6_2_11 }}
 ubtu20cis_rule_6_2_12: {{ ubtu20cis_rule_6_2_12 }}
 
-
 # AIDE
 ubtu20cis_config_aide: true
 
@@ -442,7 +437,6 @@ ubtu20_exim_conf:
   - dc_mailname_in_oh='true'
   - dc_localdelivery='mail_spool'
 
-
 ubtu20cis_rsyncd_server: {{ ubtu20cis_rsync_server }}
 ubtu20cis_nis_server: {{ ubtu20cis_nis_server }}
 
@@ -455,15 +449,13 @@ ubtu20cis_telnet_required: {{ ubtu20cis_telnet_required }}
 ubtu20cis_ldap_clients_required: {{ ubtu20cis_ldap_clients_required }}
 ubtu20cis_rpc_required: {{ ubtu20cis_rpc_required }}
 
-
 # Section 3
 # IPv6 required
 ubtu20cis_ipv6_required: {{ ubtu20cis_ipv6_required }}
 
 # System network parameters (host only OR host and router)
 ubtu20cis_is_router: false
 
-
 ubtu20cis_firewall: {{ ubtu20cis_firewall_package }}
 
 ubtu20_default_firewall_zone: public
@@ -519,7 +511,6 @@ ubtu20cis_ssh_weak_kex:
   - diffie-hellman-group14-sha1
   - diffie-hellman-group-exchange-sha1
 
-
 ubtu20cis_ssh_aliveinterval: 300
 ubtu20cis_ssh_countmax: 3
 ## PAM

templates/audit/ubtu20cis_5_2_3_6_privileged.rules.j2

@@ -1,3 +1,3 @@
-{% for proc in priv_procs.stdout_lines -%} 
+{% for proc in priv_procs.stdout_lines -%}
 -a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
 {% endfor %}

templates/chrony.conf.j2

@@ -90,4 +90,4 @@ logchange 0.5
 # change it if necessary.
 rtconutc
 
-user {{ ubtu20cis_chrony_user }}
+user {{ ubtu20cis_chrony_user }}

templates/etc/systemd/timesyncd.conf.d/50-timesyncd.conf.j2

@@ -6,6 +6,4 @@
 
 NTP={% for pool in ubtu20cis_time_pool %}{{ pool.name }}{% endfor %}
 
-
 FallbackNTP={% for servers in ubtu20cis_time_servers %}{{ servers.name }} {% endfor %}
-

templates/ntp.conf.j2

@@ -66,4 +66,4 @@ restrict source notrap nomodify noquery
 #fudge 127.127.8.1 time1 0.0042        # relative to PPS for my hardware
 
 #server 127.127.22.1                   # ATOM(PPS)
-#fudge 127.127.22.1 flag3 1            # enable PPS API
+#fudge 127.127.22.1 flag3 1            # enable PPS API