Merge pull request #337 from ansible-lockdown/devel

Release v2r1 to main

Author: uk-bolly

.github/workflows/devel_pipeline_validation.yml

@@ -27,7 +27,7 @@
   jobs:
     # This will create messages for first time contributers and direct them to the Discord server
       welcome:
-        runs-on: self-hosted
+        runs-on: ubuntu-latest
 
         steps:
             - uses: actions/first-interaction@main

.github/workflows/main_pipeline_validation.yml

@@ -23,18 +23,6 @@
   # A workflow run is made up of one or more jobs
   # that can run sequentially or in parallel
   jobs:
-    # This will create messages for first time contributers and direct them to the Discord server
-      welcome:
-        runs-on: self-hosted
-
-        steps:
-            - uses: actions/first-interaction@main
-              with:
-                repo-token: ${{ secrets.GITHUB_TOKEN }}
-                pr-message: |-
-                    Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                    Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
-
       # This workflow contains a single job that tests the playbook
       playbook-test:
         # The type of runner that the job will run on

.gitignore

@@ -43,3 +43,6 @@ benchparse/
 
 # GitHub Action/Workflow files
 .github/
+
+# ansible-lint
+.ansible/

.pre-commit-config.yaml

@@ -11,12 +11,17 @@ repos:
   hooks:
   # Safety
   - id: detect-aws-credentials
+    name: Detect AWS Credentials
   - id: detect-private-key
+    name: Detect Private Keys
 
   # git checks
   - id: check-merge-conflict
+    name: Check for merge conflicts
   - id: check-added-large-files
+    name: Check for Large files
   - id: check-case-conflict
+    name: Check case conflict
 
   # General checks
   - id: trailing-whitespace
@@ -27,6 +32,7 @@ repos:
     types: [text]
     args: [--markdown-linebreak-ext=md]
   - id: end-of-file-fixer
+    name: Ensure line at end of file
 
 # Scan for passwords
 - repo: https://github.com/Yelp/detect-secrets
@@ -35,12 +41,12 @@ repos:
   - id: detect-secrets
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.23.3
+  rev: v8.24.2
   hooks:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.1.2
+  rev: v25.2.1
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -51,14 +57,15 @@ repos:
     # https://github.com/ansible/ansible-lint/issues/611
     pass_filenames: false
     always_run: true
-    additional_dependencies:
+    # additional_dependencies:
     # https://github.com/pre-commit/pre-commit/issues/1526
     # If you want to use specific version of ansible-core or ansible, feel
     # free to override `additional_dependencies` in your own hook config
     # file.
-    - ansible-core>=2.10.1
+    # - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.35.1  # or higher tag
+  rev: v1.37.0  # or higher tag
   hooks:
   - id: yamllint
+    name: Check YAML Lint

Changelog.md

@@ -1,5 +1,23 @@
 # Changes to RHEL8STIG
 
+## 3.4 STIG v2r1
+
+RuleIDs updated for all controls
+Nist Control ID associations added
+
+- RHEL-08-010350 - command updated
+- RHEL-08-010472 - Not Applicable if fips
+- RHEL-08-020035 - version 8.7+
+- RHEL-08-020039 RHEL-08-020040 RHEL-08-020041 RHEL-08-020042, RHEL-08-020070 - TMUX removed
+- RHEL-08-020220, RHEL-08-020221 - remember not required for PAM
+- RHEL-08-020320 - Updated Check and Fix
+- RHEL-08-030603, RHEL-08-040139, RHEL-08-040140, RHEL-08-040141 - Rules updated Ok if no USB peripherals
+- RHEL-08-040284
+- RHEL-08-040370
+- RHEL-08-010001 - removed as not a NIST value
+
+Min OS version updated to 8.10
+
 ## 3.3 STIG V1R14
 
 - #232 - thanks to  @eday87 @BJSmithIEEE

README.md

@@ -2,7 +2,7 @@
 
 ## Configure a RHEL8 based system to be complaint with Disa STIG
 
-This role is based on RHEL 8 DISA STIG: [Version 1, Rel 14 released on  24, April 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R14_STIG.zip).
+This role is based on RHEL 8 DISA STIG: [Version 2, Rel 1 released on  24, Oct 2024](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V2R1_STIG.zip).
 
 ---
 

ansible.cfg

@@ -5,6 +5,7 @@ system_warnings=False
 command_warnings=False
 nocows=1
 retry_files_save_path=/dev/null
+pipelining=true
 
 # Use the YAML callback plugin.
 # stdout_callback = yaml

defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 ## metadata for Audit benchmark
-benchmark_version: 'v1r14'
+benchmark_version: 'v2r1'
 
 ## Benchmark name used by audting control role
 # The audit variable found at the base
@@ -134,7 +134,6 @@ rhel_08_040200: true
 rhel_08_040360: true
 
 # CAT 2 rules
-rhel_08_010001: true
 rhel_08_010010: true
 rhel_08_010019: true
 rhel_08_010030: true
@@ -275,12 +274,8 @@ rhel_08_020030: true
 rhel_08_020031: true
 rhel_08_020032: true
 rhel_08_020035: true
-rhel_08_020039: true
-rhel_08_020040: true
-rhel_08_020041: true
 rhel_08_020050: true
 rhel_08_020060: true
-rhel_08_020070: true
 rhel_08_020080: true
 rhel_08_020081: true
 rhel_08_020082: true
@@ -301,8 +296,6 @@ rhel_08_020180: true
 rhel_08_020190: true
 rhel_08_020200: true
 rhel_08_020210: true
-rhel_08_020220: true
-rhel_08_020221: true
 rhel_08_020230: true
 rhel_08_020235: true
 rhel_08_020231: true
@@ -479,7 +472,6 @@ rhel_08_010540: true
 rhel_08_010541: true
 rhel_08_010542: true
 rhel_08_020024: true
-rhel_08_020042: true
 rhel_08_020340: true
 rhel_08_030063: true
 rhel_08_030601: true
@@ -619,11 +611,11 @@ rhel8stig_blacklist_conf_file_perms: 0640
 # These are the minimum supported releases.
 # (Red Hat has support for older versions if you pay extra for it.)
 rhel8stig_min_supported_os_ver:
-    RedHat: "8.7"
-    CentOS: "8.7"
-    Rocky: "8.7"
-    AlmaLinux: "8.7"
-    OracleLinux: "8.7"
+    RedHat: "8.10"
+    CentOS: "8.10"
+    Rocky: "8.10"
+    AlmaLinux: "8.10"
+    OracleLinux: "8.10"
 
 # RHEL-08-040260
 # If system is not router, run tasks that disable router functions.
@@ -760,7 +752,6 @@ rhel8stig_remove_unnecessary_user_files: false
 # RHEL-08-020221
 # pam_pwhistory settings - Verify the operating system prohibits password reuse for a minimum of five generations.
 rhel8stig_pam_pwhistory:
-    remember: 5
     retries: 3
 
 # RHEL-08-020010