Release on CIS v3.0 (#386)

* initial v3.0.0

Signed-off-by: Mark Bolwell <[email protected]>

* updated

Signed-off-by: Mark Bolwell <[email protected]>

* removed old conflict line

Signed-off-by: Mark Bolwell <[email protected]>

* tidy up warning on 432

Signed-off-by: Mark Bolwell <[email protected]>

* tidy up ec2_checks

Signed-off-by: Mark Bolwell <[email protected]>

* updated warning on line 435

Signed-off-by: Mark Bolwell <[email protected]>

* updated prelim and typos

Signed-off-by: Mark Bolwell <[email protected]>

* [pre-commit.ci] pre-commit autoupdate

updates:
- [github.com/ansible-community/ansible-lint: v24.2.0 → v24.2.1](ansible/ansible-lint@v24.2.0...v24.2.1)

* March 24 updates (#356)

* added conditional to user password check #354 thanks to @bbaassssiiee

Signed-off-by: Mark Bolwell <[email protected]>

* updated logic to check root passwd locked

Signed-off-by: Mark Bolwell <[email protected]>

* Updated

Signed-off-by: Mark Bolwell <[email protected]>

* lint and audit order change

Signed-off-by: Mark Bolwell <[email protected]>

* updated for documentation format

Signed-off-by: Mark Bolwell <[email protected]>

---------

Signed-off-by: Mark Bolwell <[email protected]>

* Allow for a local site policy for the openSSH server. (#358)

If changes to the system-wide crypto policy are required to meet local
site policy for the openSSH server, these changes should be done with a sub-policy
assigned to the system-wide crypto policy.

The role defaults can be overridden by the user's vars.
The user should implement a .pmod file, and add its basename to `rhel8cis_allowed_crypto_policies_modules`.
The role vars are harder to change due to the 21 priority levels of Ansible.

Signed-off-by: Bas Meijer <[email protected]>

* Issues March24 (#366)

* #359 addressed thanks to @bbaassssiiee

Signed-off-by: Mark Bolwell <[email protected]>

* sysctl matches requirement & handler added

Signed-off-by: Mark Bolwell <[email protected]>

* container updated and cautions updated

Signed-off-by: Mark Bolwell <[email protected]>

* issues #360 addressed thanks to @bbaassssiiee

Signed-off-by: Mark Bolwell <[email protected]>

* updated

Signed-off-by: Mark Bolwell <[email protected]>

* Added #361 ensure local interface on 3.4.2.2

Signed-off-by: Mark Bolwell <[email protected]>

* issue #363 addressed

Signed-off-by: Mark Bolwell <[email protected]>

* variable naming and lint

Signed-off-by: Mark Bolwell <[email protected]>

* variable naming and lint

Signed-off-by: Mark Bolwell <[email protected]>

* updated handler

Signed-off-by: Mark Bolwell <[email protected]>

* variable naming and lint updates

Signed-off-by: Mark Bolwell <[email protected]>

* updated

Signed-off-by: Mark Bolwell <[email protected]>

* fix issues with pam_unix

Signed-off-by: Mark Bolwell <[email protected]>

* added extra options

Signed-off-by: Mark Bolwell <[email protected]>

* issue #365 addressed

Signed-off-by: Mark Bolwell <[email protected]>

* fixed commenting alternate file

Signed-off-by: Mark Bolwell <[email protected]>

* updated var name to discovered

Signed-off-by: Mark Bolwell <[email protected]>

* renamed variable tomake it clearer

Signed-off-by: Mark Bolwell <[email protected]>

* updated

Signed-off-by: Mark Bolwell <[email protected]>

* fix typo

Signed-off-by: Mark Bolwell <[email protected]>

* updated discovered variable naming

Signed-off-by: Mark Bolwell <[email protected]>

* updated variable naming

Signed-off-by: Mark Bolwell <[email protected]>

---------

Signed-off-by: Mark Bolwell <[email protected]>

* [pre-commit.ci] pre-commit autoupdate (#367)

updates:
- [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](pre-commit/pre-commit-hooks@v4.5.0...v4.6.0)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

* [pre-commit.ci] pre-commit autoupdate (#368)

updates:
- [github.com/ansible-community/ansible-lint: v24.2.1 → v24.2.2](ansible/ansible-lint@v24.2.1...v24.2.2)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

* updated for audit and url alignment (#370)

Signed-off-by: Mark Bolwell <[email protected]>

* [pre-commit.ci] pre-commit autoupdate (#372)

updates:
- [github.com/Yelp/detect-secrets: v1.4.0 → v1.5.0](Yelp/detect-secrets@v1.4.0...v1.5.0)
- [github.com/gitleaks/gitleaks: v8.18.2 → v8.18.3](gitleaks/gitleaks@v8.18.2...v8.18.3)
- [github.com/ansible-community/ansible-lint: v24.2.2 → v24.6.0](ansible/ansible-lint@v24.2.2...v24.6.0)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

* use RHEL8 chrony.conf (#371)

Signed-off-by: Tomáš Kuba <[email protected]>

* Update Alma 8 GPG Key (#369)

* Update Alma 8 GPG Key

Update AlmaLinux.yml

Signed-off-by: ajython <[email protected]>

* Update AlmaLinux.yml

Replace depricated Alma 8 GPG key 

Signed-off-by: ajython <[email protected]>

---------

Signed-off-by: ajython <[email protected]>

* May 24 updates (#376)

* updated path to match disa for audit tools

Signed-off-by: Mark Bolwell <[email protected]>

* updated dict control

Signed-off-by: Mark Bolwell <[email protected]>

* updated nullok logic

Signed-off-by: Mark Bolwell <[email protected]>

* updated typos

Signed-off-by: Mark Bolwell <[email protected]>

* updated typ thanks to @msachikanta

Signed-off-by: Mark Bolwell <[email protected]>

---------

Signed-off-by: Mark Bolwell <[email protected]>

* [pre-commit.ci] pre-commit autoupdate (#383)

updates:
- [github.com/gitleaks/gitleaks: v8.18.3 → v8.18.4](gitleaks/gitleaks@v8.18.3...v8.18.4)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

* updated known issues thanks to @fgierlinger

Signed-off-by: Mark Bolwell <[email protected]>

* Interactive users logic and workflow (#385)

* interactive user vars updates

Signed-off-by: Mark Bolwell <[email protected]>

* improved conditionals checks

Signed-off-by: Mark Bolwell <[email protected]>

* Tidy up titles

Signed-off-by: Mark Bolwell <[email protected]>

* updated with latest devel

Signed-off-by: Mark Bolwell <[email protected]>

* removed file not required

Signed-off-by: Mark Bolwell <[email protected]>

* improved logic for /dev/null home dirs

Signed-off-by: Mark Bolwell <[email protected]>

* Updated workflow to new runner

Signed-off-by: Mark Bolwell <[email protected]>

---------

Signed-off-by: Mark Bolwell <[email protected]>

---------

Signed-off-by: Mark Bolwell <[email protected]>
Signed-off-by: Bas Meijer <[email protected]>
Signed-off-by: Tomáš Kuba <[email protected]>
Signed-off-by: ajython <[email protected]>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Bas <[email protected]>
Co-authored-by: tomkuba <[email protected]>
Co-authored-by: ajython <[email protected]>
Co-authored-by: Fred W <[email protected]>

.github/workflows/devel_pipeline_validation.yml

@@ -1,138 +1,159 @@
 ---
 
-    name: Devel pipeline
-
-    on: # yamllint disable-line rule:truthy
-      pull_request_target:
-          types: [opened, reopened, synchronize]
-          branches:
-              - devel
-          paths:
-              - '**.yml'
-              - '**.sh'
-              - '**.j2'
-              - '**.ps1'
-              - '**.cfg'
-
-    # A workflow run is made up of one or more jobs
-    # that can run sequentially or in parallel
-    jobs:
-      # This will create messages for first time contributers and direct them to the Discord server
-        welcome:
-          runs-on: ubuntu-latest
-
-          steps:
-              - uses: actions/first-interaction@main
-                with:
-                  repo-token: ${{ secrets.GITHUB_TOKEN }}
-                  pr-message: |-
-                      Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                      Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
-
-        # This workflow contains a single job that tests the playbook
-        playbook-test:
-          # The type of runner that the job will run on
-          runs-on: ubuntu-latest
-          env:
-            ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
-            # Imported as a variable by terraform
-            TF_VAR_repository: ${{ github.event.repository.name }}
-          defaults:
-            run:
-              shell: bash
-              working-directory: .github/workflows/github_linux_IaC
-
-          steps:
-            - name: Clone ${{ github.event.repository.name }}
-              uses: actions/checkout@v4
+  name: Devel pipeline
+
+  on: # yamllint disable-line rule:truthy
+    pull_request_target:
+        types: [opened, reopened, synchronize]
+        branches:
+            - devel
+        paths:
+            - '**.yml'
+            - '**.sh'
+            - '**.j2'
+            - '**.ps1'
+            - '**.cfg'
+    # Allow manual running of workflow
+    workflow_dispatch:
+
+  # Allow permissions for AWS auth
+  permissions:
+    id-token: write
+    contents: read
+    pull-requests: read
+
+  # A workflow run is made up of one or more jobs
+  # that can run sequentially or in parallel
+  jobs:
+    # This will create messages for first time contributers and direct them to the Discord server
+      welcome:
+        runs-on: self-hosted
+
+        steps:
+            - uses: actions/first-interaction@main
               with:
-                ref: ${{ github.event.pull_request.head.sha }}
-
-            # Pull in terraform code for linux servers
-            - name: Clone GitHub IaC plan
-              uses: actions/checkout@v4
-              with:
-                repository: ansible-lockdown/github_linux_IaC
-                path: .github/workflows/github_linux_IaC
-
-            - name: Add_ssh_key
-              working-directory: .github/workflows
-              env:
-                  SSH_AUTH_SOCK: /tmp/ssh_agent.sock
-                  PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
-              run: |
-                mkdir .ssh
-                chmod 700 .ssh
-                echo $PRIVATE_KEY > .ssh/github_actions.pem
-                chmod 600 .ssh/github_actions.pem
-
-            - name: DEBUG - Show IaC files
-              if: env.ENABLE_DEBUG == 'true'
-              run: |
-                echo "OSVAR = $OSVAR"
-                echo "benchmark_type = $benchmark_type"
-                pwd
-                ls
-              env:
-                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-                OSVAR: ${{ vars.OSVAR }}
-                benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-
-            - name: Terraform_Init
-              id: init
-              run: terraform init
-              env:
-                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-                OSVAR: ${{ vars.OSVAR }}
-                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-
-            - name: Terraform_Validate
-              id: validate
-              run: terraform validate
-              env:
-                # Imported from GitHub variables this is used to load the relevant OS.tfvars file
-                OSVAR: ${{ vars.OSVAR }}
-                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-
-            - name: Terraform_Apply
-              id: apply
-              env:
-                AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-                AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-                OSVAR: ${{ vars.OSVAR }}
-                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-              run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
-
-  ## Debug Section
-            - name: DEBUG - Show Ansible hostfile
-              if: env.ENABLE_DEBUG == 'true'
-              run: cat hosts.yml
-
-      # Aws deployments taking a while to come up insert sleep or playbook fails
-
-            - name: Sleep for 60 seconds
-              run: sleep ${{ vars.BUILD_SLEEPTIME }}
-
-          # Run the Ansible playbook
-            - name: Run_Ansible_Playbook
-              uses: arillso/action.playbook@master
-              with:
-                playbook: site.yml
-                inventory: .github/workflows/github_linux_IaC/hosts.yml
-                galaxy_file: collections/requirements.yml
-                private_key: ${{ secrets.SSH_PRV_KEY }}
-        #          verbose: 3
-              env:
-                ANSIBLE_HOST_KEY_CHECKING: "false"
-                ANSIBLE_DEPRECATION_WARNINGS: "false"
-
-          # Remove test system - User secrets to keep if necessary
-
-            - name: Terraform_Destroy
-              if: always() && env.ENABLE_DEBUG == 'false'
-              env:
-                AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-                AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-                OSVAR: ${{ vars.OSVAR }}
-                TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
-              run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+                repo-token: ${{ secrets.GITHUB_TOKEN }}
+                pr-message: |-
+                    Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+                    Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+
+      # This workflow contains a single job that tests the playbook
+      playbook-test:
+        # The type of runner that the job will run on
+        runs-on: self-hosted
+        env:
+          ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
+          # Imported as a variable by terraform
+          TF_VAR_repository: ${{ github.event.repository.name }}
+          AWS_REGION: "us-east-1"
+          ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
+        defaults:
+          run:
+            shell: bash
+            working-directory: .github/workflows/github_linux_IaC
+            # working-directory: .github/workflows
+
+        steps:
+
+          - name: Git clone the lockdown repository to test
+            uses: actions/checkout@v4
+            with:
+              ref: ${{ github.event.pull_request.head.sha }}
+
+          - name: If a variable for IAC_BRANCH is set use that branch
+            working-directory: .github/workflows
+            run: |
+              if [ ${{ vars.IAC_BRANCH }} != '' ]; then
+                 echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
+                 echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
+              else
+                 echo IAC_BRANCH=main >> $GITHUB_ENV
+              fi
+
+
+          # Pull in terraform code for linux servers
+          - name: Clone GitHub IaC plan
+            uses: actions/checkout@v4
+            with:
+              repository: ansible-lockdown/github_linux_IaC
+              path: .github/workflows/github_linux_IaC
+              ref: ${{ env.IAC_BRANCH }}
+
+          # Uses dedicated restricted role and policy to enable this only for this task
+          # No credentials are part of github for AWS auth
+          - name: configure aws credentials
+            uses: aws-actions/configure-aws-credentials@main
+            with:
+              role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+              role-session-name: ${{ secrets.AWS_ROLE_SESSION }}
+              aws-region: ${{ env.AWS_REGION }}
+
+          - name: DEBUG - Show IaC files
+            if: env.ENABLE_DEBUG == 'true'
+            run: |
+              echo "OSVAR = $OSVAR"
+              echo "benchmark_type = $benchmark_type"
+              echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID"
+              echo "VPC_ID" = $AWS_VPC_SECGRP_ID"
+              pwd
+              ls
+            env:
+              # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+              OSVAR: ${{ vars.OSVAR }}
+              benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+              PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }}
+              VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }}
+
+          - name: Tofu init
+            id: init
+            run: tofu init
+            env:
+              # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+              OSVAR: ${{ vars.OSVAR }}
+              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+          - name: Tofu validate
+            id: validate
+            run: tofu validate
+            env:
+              # Imported from GitHub variables this is used to load the relevant OS.tfvars file
+              OSVAR: ${{ vars.OSVAR }}
+              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+          - name: Tofu apply
+            id: apply
+            env:
+              OSVAR: ${{ vars.OSVAR }}
+              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+              TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+              TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+            run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+
+## Debug Section
+          - name: DEBUG - Show Ansible hostfile
+            if: env.ENABLE_DEBUG == 'true'
+            run: cat hosts.yml
+
+    # Aws deployments taking a while to come up insert sleep or playbook fails
+
+          - name: Sleep to allow system to come up
+            run: sleep ${{ vars.BUILD_SLEEPTIME }}
+
+        # Run the Ansible playbook
+          - name: Run_Ansible_Playbook
+            env:
+              ANSIBLE_HOST_KEY_CHECKING: "false"
+              ANSIBLE_DEPRECATION_WARNINGS: "false"
+            run: |
+              /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml
+
+        # Remove test system - User secrets to keep if necessary
+
+          - name: Tofu Destroy
+            if: always() && env.ENABLE_DEBUG == 'false'
+            env:
+              OSVAR: ${{ vars.OSVAR }}
+              TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+              TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }}
+              TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }}
+            run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false