ptoal/product-demos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: ptoal:wtome-devspaces
Branches Tags
ptoal:main ptoal:fix_ci ptoal:cnv_fixes2 ptoal:jce/cloud-cleanup ptoal:jce/firewalld-fix ptoal:fix_aws_groups ptoal:windows_change_pass ptoal:jce/multi-arch-ee ptoal:abandon-galaxy ptoal:wtome-devspaces ptoal:jce/devcontainer ptoal:jce/ansible-cfg ptoal:jce/disa-update ptoal:jce/apd-org ptoal:jce/session-timeout ptoal:jce/az-fix ptoal:collection ptoal:wtome/2.5 ptoal:usr_app ptoal:wtome/windows-bsod ptoal:jce/goals ptoal:small_fixes ptoal:azure-finops ptoal:csv-inventory ptoal:gitlab_ver ptoal:creds-exist ptoal:rhpd_test ptoal:rhc ptoal:master
ptoal:test ptoal:TEST
..
compare: ptoal:jce/session-timeout
Branches Tags
ptoal:main ptoal:fix_ci ptoal:cnv_fixes2 ptoal:jce/cloud-cleanup ptoal:jce/firewalld-fix ptoal:fix_aws_groups ptoal:windows_change_pass ptoal:jce/multi-arch-ee ptoal:abandon-galaxy ptoal:wtome-devspaces ptoal:jce/devcontainer ptoal:jce/ansible-cfg ptoal:jce/disa-update ptoal:jce/apd-org ptoal:jce/session-timeout ptoal:jce/az-fix ptoal:collection ptoal:wtome/2.5 ptoal:usr_app ptoal:wtome/windows-bsod ptoal:jce/goals ptoal:small_fixes ptoal:azure-finops ptoal:csv-inventory ptoal:gitlab_ver ptoal:creds-exist ptoal:rhpd_test ptoal:rhc ptoal:master
ptoal:test ptoal:TEST

1 Commits
wtome-devs ... jce/sessio

Author SHA1 Message Date
Chris Edillon
c4398a7deb Removed controller session cookie age setting 
In AAP 2.5, the session age cookie is now managed in the gateway instead
of the controller.  Will need to be added back once we start adding in
separate gateway configuration as code.
 2025-02-19 16:15:08 -05:00
38 changed files with 3159 additions and 3419 deletions
Expand all files Collapse all files

8
.ansible-lint
View File

@@ -1,16 +1,10 @@
---
profile: production
offline: true
offline: false
skip_list:
- "galaxy[no-changelog]"
warn_list:
# seems to be a bug, see https://github.com/ansible/ansible-lint/issues/4172
- "fqcn[canonical]"
# @matferna: really not sure why lint thinks it can't find jmespath, it is installed and functional
- "jinja[invalid]"
exclude_paths:
# would be better to move the roles here to the top-level roles directory
- collections/ansible_collections/demo/compliance/roles/

11
.devfile.yaml
View File

@@ -1,16 +1,13 @@
---
schemaVersion: 2.2.2
schemaVersion: 2.2.0
metadata:
name: product-demos
components:
- name: tooling-container
- name: product-demos-ee
container:
image: quay.io/ansible-product-demos/apd-ee-25 # ghcr.io/ansible/ansible-devspaces:latest
image: quay.io/mloriedo/ansible-creator-ee:latest # workaround for https://github.com/eclipse/che/issues/21778
memoryRequest: 256M
memoryLimit: 5Gi
cpuRequest: 250m
cpuLimit: 2000m
args:
- 'tail'
- '-f'
- '/dev/null'
args: ['tail', '-f', '/dev/null']

25
.github/workflows/README.md vendored
View File

@@ -1,25 +0,0 @@
# GitHub Actions
## Background
We want to make attempts to run our integration tests in the same manner wether using GitHub actions or on a developers's machine locally. For this reason, the tests are curated to run using conatiner images. As of this writing, two images exist which we would like to test against:
- quay.io/ansible-product-demos/apd-ee-24:latest
- quay.io/ansible-product-demos/apd-ee-25:latest
These images are built given the structure defined in their respective EE [definitions][../execution_environments]. Because they differ (mainly due to their python versions), each gets some special handling.
## Troubleshooting GitHub Actions
### Interactive
It is likely the most straight-forward approach to interactively debug issues. The following podman command can be run from the project root directory to replicate the GitHub action:
```
podman run \
--user root \
-v $(pwd):/runner:Z \
-it \
<image> \
/bin/bash
```
`<image>` is one of `quay.io/ansible-product-demos/apd-ee-25:latest`, `quay.io/ansible-product-demos/apd-ee-24:latest`
It is not exact because GitHub seems to run closer to a sidecar container paradigm, and uses docker instead of podman, but hopefully it's close enough.
For the 24 EE, the python interpreriter verions is set for our pre-commit script like so: `USE_PYTHON=python3.9 ./.github/workflows/run-pc.sh`
The 25 EE is similary run but without the need for this variable: `./.github/workflows/run-pc.sh`

32
.github/workflows/pre-commit.yml vendored
View File

@@ -4,23 +4,17 @@ on:
- push
- pull_request_target
jobs:
pre-commit-25:
container:
image: quay.io/ansible-product-demos/apd-ee-25
options: --user root
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: ./.github/workflows/run-pc.sh
shell: bash
pre-commit-24:
container:
image: quay.io/ansible-product-demos/apd-ee-24
options: --user root
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: USE_PYTHON=python3.9 ./.github/workflows/run-pc.sh
shell: bash
env:
ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN: ${{ secrets.ANSIBLE_GALAXY_SERVER_CERTIFIED_TOKEN }}
ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN: ${{ secrets.ANSIBLE_GALAXY_SERVER_VALIDATED_TOKEN }}
jobs:
pre-commit:
name: pre-commit
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- uses: pre-commit/action@v3.0.1
...

24
.github/workflows/run-pc.sh vendored
View File

@@ -1,24 +0,0 @@
#!/bin/bash -x
dnf install git-lfs -y
PYTHON_VARIANT="${USE_PYTHON:-python3.11}"
PATH="$PATH:$HOME/.local/bin"
# intsall pip
eval "${PYTHON_VARIANT} -m pip install --user --upgrade pip"
# try to fix 2.4 incompatibility
eval "${PYTHON_VARIANT} -m pip install --user --upgrade setuptools wheel twine check-wheel-contents"
# intsall pre-commit
eval "${PYTHON_VARIANT} -m pip install --user pre-commit"
# view pip packages
eval "${PYTHON_VARIANT} -m pip freeze --local"
# fix permissions on directory
git config --global --add safe.directory $(pwd)
# run pre-commit
pre-commit run --config $(pwd)/.pre-commit-gh.yml --show-diff-on-failure --color=always

1
.gitignore vendored
View File

@@ -12,4 +12,3 @@ roles/*
.deployment_id
.cache/
.ansible/
**/tmp/

9
.pre-commit-config.yaml
View File

@@ -14,12 +14,13 @@ repos:
- id: check-json
- id: check-symlinks
- repo: local
- repo: https://github.com/ansible/ansible-lint.git
# get latest release tag from https://github.com/ansible/ansible-lint/releases/
rev: v6.20.3
hooks:
- id: ansible-lint
name: ansible-navigator lint --eei quay.io/ansible-product-demos/apd-ee-25:latest --mode stdout
language: python
entry: bash -c "ansible-navigator lint --eei quay.io/ansible-product-demos/apd-ee-25 -v --force-color --mode stdout"
additional_dependencies:
- jmespath
- repo: https://github.com/psf/black-pre-commit-mirror
rev: 23.11.0

30
.pre-commit-gh.yml
View File

@@ -1,30 +0,0 @@
---
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
hooks:
- id: trailing-whitespace
exclude: rhel[89]STIG/.*$
- id: check-yaml
exclude: \.j2.(yaml|yml)$|\.(yaml|yml).j2$
args: [--unsafe] # see https://github.com/pre-commit/pre-commit-hooks/issues/273
- id: check-toml
- id: check-json
- id: check-symlinks
- repo: https://github.com/ansible/ansible-lint.git
# get latest release tag from https://github.com/ansible/ansible-lint/releases/
rev: v6.20.3
hooks:
- id: ansible-lint
additional_dependencies:
- jmespath
- repo: https://github.com/psf/black-pre-commit-mirror
rev: 23.11.0
hooks:
- id: black
exclude: rhel[89]STIG/.*$
...

2
ansible.cfg
View File

@@ -1,5 +1,5 @@
[defaults]
collections_path=./collections:/usr/share/ansible/collections
collections_path=./collections
roles_path=./roles
[galaxy]

15
cloud/README.md
View File

@@ -19,11 +19,12 @@ This category of demos shows examples of multi-cloud provisioning and management
### Jobs
- [**Cloud / AWS / Create VM**](create_vm.yml) - Create a VM based on a [blueprint](blueprints/) in the selected cloud provider
- [**Cloud / AWS / Destroy VM**](destroy_vm.yml) - Destroy a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be deleted.
- [**Cloud / AWS / Snapshot EC2**](snapshot_ec2.yml) - Snapshot a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be snapshot.
- [**Cloud / AWS / Restore EC2 from Snapshot**](snapshot_ec2.yml) - Restore a VM that has been created in a cloud provider. By default, volumes will be restored from their latest snapshot. VM must be imported into dynamic inventory to be patched.
- [**Cloud / Resize EC2**](resize_ec2.yml) - Re-size an EC2 instance.
- [**Cloud / Create Infra**](create_infra.yml) - Creates a VPC with required routing and firewall rules for provisioning VMs
- [**Cloud / Create Keypair**](aws_key.yml) - Creates a keypair for connecting to EC2 instances
- [**Cloud / Create VM**](create_vm.yml) - Create a VM based on a [blueprint](blueprints/) in the selected cloud provider
- [**Cloud / Destroy VM**](destroy_vm.yml) - Destroy a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be deleted.
- [**Cloud / Snapshot EC2**](snapshot_ec2.yml) - Snapshot a VM that has been created in a cloud provider. VM must be imported into dynamic inventory to be snapshot.
- [**Cloud / Restore EC2 from Snapshot**](snapshot_ec2.yml) - Restore a VM that has been created in a cloud provider. By default, volumes will be restored from their latest snapshot. VM must be imported into dynamic inventory to be patched.
### Inventory
@@ -58,13 +59,11 @@ After running the setup job template, there are a few steps required to make the
## Suggested Usage
**Deploy Cloud Stack in AWS** - This workflow builds out many helpful and convient resources in AWS. Given an AWS region, key, and some organizational paremetres for tagging it builds a default VPC, keypair, five VMs (three RHEL and two Windows), and even provides a report for cloud stats. It is the typical starting point for using Ansible Product-Demos in AWS.
**Cloud / Create Keypair** - The Create Keypair job creates an EC2 keypair which can be used when creating EC2 instances to enable SSH access.
**Cloud / Create VM** - The Create VM job builds a VM in the given provider based on the included `demo.cloud` collection. VM [blueprints](blueprints/) define variables for each provider that override the defaults in the collection. When creating VMs it is recommended to follow naming conventions that can be used as host patterns. (eg. VM names: `win1`, `win2`, `win3`. Host Pattern: `win*` )
**Cloud / AWS / Patch EC2 Workflow** - Create a VPC and one or more linux VM(s) in AWS using the `Cloud / Create VPC` and `Cloud / Create VM` templates. Run the workflow and observe the instance snapshots followed by patching operation. Optionally, use the survey to force a patch failure in order to demonstrate the restore path. At this time, the workflow does not support patching Windows instances.
**Cloud / AWS / Resize EC2** - Given an EC2 instance, change its size. This takes an AWS region, target host pattern, and a target instance size as parameters. As a final step, this job refreshes the AWS inventory so the re-created instance is accessible from AAP.
## Known Issues
Azure does not work without a custom execution environment that includes the Azure dependencies.

10
cloud/resize_ec2.yml
View File

@@ -1,10 +0,0 @@
---
- name: Resize ec2 instances
hosts: "{{ _hosts | default(omit) }}"
gather_facts: false
tasks:
- name: Include snapshot role
ansible.builtin.include_role:
name: "demo.cloud.aws"
tasks_from: resize_ec2

2
cloud/setup.yml
View File

@@ -283,7 +283,7 @@ controller_workflows:
- identifier: Deploy Windows GUI Blueprint
unified_job_template: Cloud / AWS / Create VM
extra_data:
create_vm_vm_name: aws-dc
create_vm_vm_name: aws_dc
vm_blueprint: windows_full
success_nodes:
- Update Inventory

45
collections/ansible_collections/demo/cloud/roles/aws/tasks/resize_ec2.yml
View File

@@ -1,45 +0,0 @@
---
# parameters
# instance_type: new instance type, e.g. t3.large
- name: AWS | RESIZE VM
delegate_to: localhost
vars:
controller_dependency_check: false # noqa: var-naming[no-role-prefix]
controller_inventory_sources:
- name: AWS Inventory
inventory: Demo Inventory
organization: Default
wait: true
block:
- name: AWS | RESIZE EC2 | assert required vars
ansible.builtin.assert:
that:
- instance_id is defined
- aws_region is defined
fail_msg: "instance_id, aws_region is required for resize operations"
- name: AWS | RESIZE EC2 | shutdown instance
amazon.aws.ec2_instance:
instance_ids: "{{ instance_id }}"
region: "{{ aws_region }}"
state: stopped
wait: true
- name: AWS | RESIZE EC2 | update instance type
amazon.aws.ec2_instance:
region: "{{ aws_region }}"
instance_ids: "{{ instance_id }}"
instance_type: "{{ instance_type }}"
wait: true
- name: AWS | RESIZE EC2 | start instance
amazon.aws.ec2_instance:
instance_ids: "{{ instance_id }}"
region: "{{ aws_region }}"
state: started
wait: true
- name: Synchronize inventory
run_once: true
ansible.builtin.include_role:
name: infra.controller_configuration.inventory_source_update

25
collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml
View File

@@ -3,7 +3,7 @@ rhel8STIG_stigrule_230225_Manage: True
rhel8STIG_stigrule_230225_banner_Line: banner /etc/issue
# R-230226 RHEL-08-010050
rhel8STIG_stigrule_230226_Manage: True
rhel8STIG_stigrule_230226__etc_dconf_db_local_d_01_banner_message_Value: "''You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.''"
rhel8STIG_stigrule_230226__etc_dconf_db_local_d_01_banner_message_Value: '''You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'''
# R-230227 RHEL-08-010060
rhel8STIG_stigrule_230227_Manage: True
rhel8STIG_stigrule_230227__etc_issue_Dest: /etc/issue
@@ -43,6 +43,9 @@ rhel8STIG_stigrule_230241_policycoreutils_State: installed
# R-230244 RHEL-08-010200
rhel8STIG_stigrule_230244_Manage: True
rhel8STIG_stigrule_230244_ClientAliveCountMax_Line: ClientAliveCountMax 1
# R-230252 RHEL-08-010291
rhel8STIG_stigrule_230252_Manage: True
rhel8STIG_stigrule_230252__etc_sysconfig_sshd_Line: '# CRYPTO_POLICY='
# R-230255 RHEL-08-010294
rhel8STIG_stigrule_230255_Manage: True
rhel8STIG_stigrule_230255__etc_crypto_policies_back_ends_opensslcnf_config_Line: 'MinProtocol = TLSv1.2'
@@ -135,9 +138,16 @@ rhel8STIG_stigrule_230346__etc_security_limits_conf_Line: '* hard maxlogins 10'
# R-230347 RHEL-08-020030
rhel8STIG_stigrule_230347_Manage: True
rhel8STIG_stigrule_230347__etc_dconf_db_local_d_00_screensaver_Value: 'true'
# R-230348 RHEL-08-020040
rhel8STIG_stigrule_230348_Manage: True
rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State: installed
rhel8STIG_stigrule_230348__etc_tmux_conf_Line: 'set -g lock-command vlock'
# R-230352 RHEL-08-020060
rhel8STIG_stigrule_230352_Manage: True
rhel8STIG_stigrule_230352__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900'
# R-230353 RHEL-08-020070
rhel8STIG_stigrule_230353_Manage: True
rhel8STIG_stigrule_230353__etc_tmux_conf_Line: 'set -g lock-after-time 900'
# R-230354 RHEL-08-020080
rhel8STIG_stigrule_230354_Manage: True
rhel8STIG_stigrule_230354__etc_dconf_db_local_d_locks_session_Line: '/org/gnome/desktop/screensaver/lock-delay'
@@ -325,8 +335,8 @@ rhel8STIG_stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b32_Line: '
rhel8STIG_stigrule_230438__etc_audit_rules_d_audit_rules_init_module_b64_Line: '-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng'
# R-230439 RHEL-08-030361
rhel8STIG_stigrule_230439_Manage: True
rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line: '-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64_Line: '-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete'
rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line: '-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k module_chng'
rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64_Line: '-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k module_chng'
# R-230444 RHEL-08-030370
rhel8STIG_stigrule_230444_Manage: True
rhel8STIG_stigrule_230444__etc_audit_rules_d_audit_rules__usr_bin_gpasswd_Line: '-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd'
@@ -422,8 +432,7 @@ rhel8STIG_stigrule_230527_Manage: True
rhel8STIG_stigrule_230527_RekeyLimit_Line: RekeyLimit 1G 1h
# R-230529 RHEL-08-040170
rhel8STIG_stigrule_230529_Manage: True
rhel8STIG_stigrule_230529_ctrl_alt_del_target_disable_Enabled: false
rhel8STIG_stigrule_230529_ctrl_alt_del_target_mask_Masked: true
rhel8STIG_stigrule_230529_systemctl_mask_ctrl_alt_del_target_Command: systemctl mask ctrl-alt-del.target
# R-230531 RHEL-08-040172
rhel8STIG_stigrule_230531_Manage: True
rhel8STIG_stigrule_230531__etc_systemd_system_conf_Value: 'none'
@@ -505,9 +514,6 @@ rhel8STIG_stigrule_244523__usr_lib_systemd_system_emergency_service_Value: '-/us
# R-244525 RHEL-08-010201
rhel8STIG_stigrule_244525_Manage: True
rhel8STIG_stigrule_244525_ClientAliveInterval_Line: ClientAliveInterval 600
# R-244526 RHEL-08-010287
rhel8STIG_stigrule_244526_Manage: True
rhel8STIG_stigrule_244526__etc_sysconfig_sshd_Line: '# CRYPTO_POLICY='
# R-244527 RHEL-08-010472
rhel8STIG_stigrule_244527_Manage: True
rhel8STIG_stigrule_244527_rng_tools_State: installed
@@ -520,6 +526,9 @@ rhel8STIG_stigrule_244535__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 5'
# R-244536 RHEL-08-020032
rhel8STIG_stigrule_244536_Manage: True
rhel8STIG_stigrule_244536__etc_dconf_db_local_d_02_login_screen_Value: 'true'
# R-244537 RHEL-08-020039
rhel8STIG_stigrule_244537_Manage: True
rhel8STIG_stigrule_244537_tmux_State: installed
# R-244538 RHEL-08-020081
rhel8STIG_stigrule_244538_Manage: True
rhel8STIG_stigrule_244538__etc_dconf_db_local_d_locks_session_idle_delay_Line: '/org/gnome/desktop/session/idle-delay'

1682
collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V2R3_Manual-xccdf.xml → collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R13_Manual-xccdf.xml
View File

File diff suppressed because one or more lines are too long

19
collections/ansible_collections/demo/compliance/roles/rhel8STIG/handlers/main.yml
View File

@@ -6,25 +6,6 @@
service:
name: sshd
state: restarted
- name: rsyslog_restart
service:
name: rsyslog
state: restarted
- name: sysctl_load_settings
command: sysctl --system
- name: daemon_reload
systemd:
daemon_reload: true
- name: networkmanager_reload
service:
name: NetworkManager
state: reloaded
- name: logind_restart
service:
name: systemd-logind
state: restarted
- name: with_faillock_enable
command: authselect enable-feature with-faillock
- name: do_reboot
reboot:
pre_reboot_delay: 60

84
collections/ansible_collections/demo/compliance/roles/rhel8STIG/tasks/main.yml
View File

@@ -88,6 +88,16 @@
when:
- rhel8STIG_stigrule_230244_Manage
- "'openssh-server' in packages"
# R-230252 RHEL-08-010291
- name: stigrule_230252__etc_sysconfig_sshd
lineinfile:
path: /etc/sysconfig/sshd
regexp: '^# CRYPTO_POLICY='
line: "{{ rhel8STIG_stigrule_230252__etc_sysconfig_sshd_Line }}"
create: yes
notify: do_reboot
when:
- rhel8STIG_stigrule_230252_Manage
# R-230255 RHEL-08-010294
- name: stigrule_230255__etc_crypto_policies_back_ends_opensslcnf_config
lineinfile:
@@ -101,7 +111,6 @@
- name: stigrule_230256__etc_crypto_policies_back_ends_gnutls_config
lineinfile:
path: /etc/crypto-policies/back-ends/gnutls.config
regexp: '^\+VERS'
line: "{{ rhel8STIG_stigrule_230256__etc_crypto_policies_back_ends_gnutls_config_Line }}"
create: yes
when:
@@ -413,6 +422,20 @@
when:
- rhel8STIG_stigrule_230347_Manage
- "'dconf' in packages"
# R-230348 RHEL-08-020040
- name: stigrule_230348_ensure_tmux_is_installed
yum:
name: tmux
state: "{{ rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State }}"
when: rhel8STIG_stigrule_230348_Manage
# R-230348 RHEL-08-020040
- name: stigrule_230348__etc_tmux_conf
lineinfile:
path: /etc/tmux.conf
line: "{{ rhel8STIG_stigrule_230348__etc_tmux_conf_Line }}"
create: yes
when:
- rhel8STIG_stigrule_230348_Manage
# R-230352 RHEL-08-020060
- name: stigrule_230352__etc_dconf_db_local_d_00_screensaver
ini_file:
@@ -425,13 +448,20 @@
when:
- rhel8STIG_stigrule_230352_Manage
- "'dconf' in packages"
# R-230353 RHEL-08-020070
- name: stigrule_230353__etc_tmux_conf
lineinfile:
path: /etc/tmux.conf
line: "{{ rhel8STIG_stigrule_230353__etc_tmux_conf_Line }}"
create: yes
when:
- rhel8STIG_stigrule_230353_Manage
# R-230354 RHEL-08-020080
- name: stigrule_230354__etc_dconf_db_local_d_locks_session
lineinfile:
path: /etc/dconf/db/local.d/locks/session
line: "{{ rhel8STIG_stigrule_230354__etc_dconf_db_local_d_locks_session_Line }}"
create: yes
notify: dconf_update
when:
- rhel8STIG_stigrule_230354_Manage
# R-230357 RHEL-08-020110
@@ -986,7 +1016,7 @@
- name : stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete$'
regexp: '^-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=unset -k module_chng$'
line: "{{ rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b32_Line }}"
notify: auditd_restart
when: rhel8STIG_stigrule_230439_Manage
@@ -994,7 +1024,7 @@
- name : stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64
lineinfile:
path: /etc/audit/rules.d/audit.rules
regexp: '^-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete$'
regexp: '^-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=unset -k module_chng$'
line: "{{ rhel8STIG_stigrule_230439__etc_audit_rules_d_audit_rules_rename_b64_Line }}"
notify: auditd_restart
when: rhel8STIG_stigrule_230439_Manage
@@ -1307,33 +1337,13 @@
- rhel8STIG_stigrule_230527_Manage
- "'openssh-server' in packages"
# R-230529 RHEL-08-040170
- name: check if ctrl-alt-del.target is installed
shell: ! systemctl list-unit-files | grep "^ctrl-alt-del.target[ \t]\+"
changed_when: False
check_mode: no
register: result
failed_when: result.rc > 1
- name: stigrule_230529_ctrl_alt_del_target_disable
systemd_service:
- name: stigrule_230529_systemctl_mask_ctrl_alt_del_target
systemd:
name: ctrl-alt-del.target
enabled: "{{ rhel8STIG_stigrule_230529_ctrl_alt_del_target_disable_Enabled }}"
enabled: no
masked: yes
when:
- rhel8STIG_stigrule_230529_Manage
- result.rc == 0
# R-230529 RHEL-08-040170
- name: check if ctrl-alt-del.target is installed
shell: ! systemctl list-unit-files | grep "^ctrl-alt-del.target[ \t]\+"
changed_when: False
check_mode: no
register: result
failed_when: result.rc > 1
- name: stigrule_230529_ctrl_alt_del_target_mask
systemd_service:
name: ctrl-alt-del.target
masked: "{{ rhel8STIG_stigrule_230529_ctrl_alt_del_target_mask_Masked }}"
when:
- rhel8STIG_stigrule_230529_Manage
- result.rc == 0
# R-230531 RHEL-08-040172
- name: stigrule_230531__etc_systemd_system_conf
ini_file:
@@ -1613,16 +1623,6 @@
when:
- rhel8STIG_stigrule_244525_Manage
- "'openssh-server' in packages"
# R-244526 RHEL-08-010287
- name: stigrule_244526__etc_sysconfig_sshd
lineinfile:
path: /etc/sysconfig/sshd
regexp: '^# CRYPTO_POLICY='
line: "{{ rhel8STIG_stigrule_244526__etc_sysconfig_sshd_Line }}"
create: yes
notify: do_reboot
when:
- rhel8STIG_stigrule_244526_Manage
# R-244527 RHEL-08-010472
- name: stigrule_244527_rng_tools
yum:
@@ -1663,13 +1663,18 @@
when:
- rhel8STIG_stigrule_244536_Manage
- "'dconf' in packages"
# R-244537 RHEL-08-020039
- name: stigrule_244537_tmux
yum:
name: tmux
state: "{{ rhel8STIG_stigrule_244537_tmux_State }}"
when: rhel8STIG_stigrule_244537_Manage
# R-244538 RHEL-08-020081
- name: stigrule_244538__etc_dconf_db_local_d_locks_session_idle_delay
lineinfile:
path: /etc/dconf/db/local.d/locks/session
line: "{{ rhel8STIG_stigrule_244538__etc_dconf_db_local_d_locks_session_idle_delay_Line }}"
create: yes
notify: dconf_update
when:
- rhel8STIG_stigrule_244538_Manage
# R-244539 RHEL-08-020082
@@ -1678,7 +1683,6 @@
path: /etc/dconf/db/local.d/locks/session
line: "{{ rhel8STIG_stigrule_244539__etc_dconf_db_local_d_locks_session_lock_enabled_Line }}"
create: yes
notify: dconf_update
when:
- rhel8STIG_stigrule_244539_Manage
# R-244542 RHEL-08-030181

45
collections/ansible_collections/demo/compliance/roles/rhel9STIG/defaults/main.yml
View File

@@ -159,7 +159,7 @@ rhel9STIG_stigrule_257834_Manage: True
rhel9STIG_stigrule_257834_tuned_State: removed
# R-257835 RHEL-09-215060
rhel9STIG_stigrule_257835_Manage: True
rhel9STIG_stigrule_257835_tftp_server_State: removed
rhel9STIG_stigrule_257835_tftp_State: removed
# R-257836 RHEL-09-215065
rhel9STIG_stigrule_257836_Manage: True
rhel9STIG_stigrule_257836_quagga_State: removed
@@ -302,6 +302,10 @@ rhel9STIG_stigrule_257916__var_log_messages_owner_Owner: root
rhel9STIG_stigrule_257917_Manage: True
rhel9STIG_stigrule_257917__var_log_messages_group_owner_Dest: /var/log/messages
rhel9STIG_stigrule_257917__var_log_messages_group_owner_Group: root
# R-257933 RHEL-09-232265
rhel9STIG_stigrule_257933_Manage: True
rhel9STIG_stigrule_257933__etc_crontab_mode_Dest: /etc/crontab
rhel9STIG_stigrule_257933__etc_crontab_mode_Mode: '0600'
# R-257934 RHEL-09-232270
rhel9STIG_stigrule_257934_Manage: True
rhel9STIG_stigrule_257934__etc_shadow_mode_Dest: /etc/shadow
@@ -451,6 +455,9 @@ rhel9STIG_stigrule_257985_PermitRootLogin_Line: PermitRootLogin no
# R-257986 RHEL-09-255050
rhel9STIG_stigrule_257986_Manage: True
rhel9STIG_stigrule_257986_UsePAM_Line: UsePAM yes
# R-257989 RHEL-09-255065
rhel9STIG_stigrule_257989_Manage: True
rhel9STIG_stigrule_257989__etc_crypto_policies_back_ends_openssh_config_Line: 'Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr'
# R-257992 RHEL-09-255080
rhel9STIG_stigrule_257992_Manage: True
rhel9STIG_stigrule_257992_HostbasedAuthentication_Line: HostbasedAuthentication no
@@ -502,6 +509,9 @@ rhel9STIG_stigrule_258008_StrictModes_Line: StrictModes yes
# R-258009 RHEL-09-255165
rhel9STIG_stigrule_258009_Manage: True
rhel9STIG_stigrule_258009_PrintLastLog_Line: PrintLastLog yes
# R-258010 RHEL-09-255170
rhel9STIG_stigrule_258010_Manage: True
rhel9STIG_stigrule_258010_UsePrivilegeSeparation_Line: UsePrivilegeSeparation sandbox
# R-258011 RHEL-09-255175
rhel9STIG_stigrule_258011_Manage: True
rhel9STIG_stigrule_258011_X11UseLocalhost_Line: X11UseLocalhost yes
@@ -550,9 +560,10 @@ rhel9STIG_stigrule_258026__etc_dconf_db_local_d_locks_session_lock_delay_Line: '
# R-258027 RHEL-09-271085
rhel9STIG_stigrule_258027_Manage: True
rhel9STIG_stigrule_258027__etc_dconf_db_local_d_00_security_settings_Value: "''"
# R-258027 RHEL-09-271085
rhel9STIG_stigrule_258027_Manage: True
rhel9STIG_stigrule_258027__etc_dconf_db_local_d_locks_00_security_settings_lock_picture_uri_Line: '/org/gnome/desktop/screensaver/picture-uri'
# R-258029 RHEL-09-271095
rhel9STIG_stigrule_258029_Manage: True
rhel9STIG_stigrule_258029__etc_dconf_db_local_d_00_security_settings_Value: "'true'"
# R-258030 RHEL-09-271100
rhel9STIG_stigrule_258030_Manage: True
rhel9STIG_stigrule_258030__etc_dconf_db_local_d_locks_session_disable_restart_buttons_Line: '/org/gnome/login-screen/disable-restart-buttons'
@@ -572,8 +583,6 @@ rhel9STIG_stigrule_258034__etc_modprobe_d_usb_storage_conf_blacklist_usb_storage
# R-258035 RHEL-09-291015
rhel9STIG_stigrule_258035_Manage: True
rhel9STIG_stigrule_258035_usbguard_State: installed
rhel9STIG_stigrule_258035_usbguard_enable_Enabled: yes
rhel9STIG_stigrule_258035_usbguard_start_State: started
# R-258036 RHEL-09-291020
rhel9STIG_stigrule_258036_Manage: True
rhel9STIG_stigrule_258036_usbguard_enable_Enabled: yes
@@ -612,6 +621,12 @@ rhel9STIG_stigrule_258057__etc_security_faillock_conf_Line: 'unlock_time = 0'
# R-258060 RHEL-09-411105
rhel9STIG_stigrule_258060_Manage: True
rhel9STIG_stigrule_258060__etc_security_faillock_conf_Line: 'dir = /var/log/faillock'
# R-258063 RHEL-09-412010
rhel9STIG_stigrule_258063_Manage: True
rhel9STIG_stigrule_258063_tmux_State: installed
# R-258066 RHEL-09-412025
rhel9STIG_stigrule_258066_Manage: True
rhel9STIG_stigrule_258066__etc_tmux_conf_Line: 'set -g lock-after-time 900'
# R-258069 RHEL-09-412040
rhel9STIG_stigrule_258069_Manage: True
rhel9STIG_stigrule_258069__etc_security_limits_conf_Line: '* hard maxlogins 10'
@@ -673,6 +688,9 @@ rhel9STIG_stigrule_258104__etc_login_defs_Line: 'PASS_MIN_DAYS 1'
# R-258107 RHEL-09-611090
rhel9STIG_stigrule_258107_Manage: True
rhel9STIG_stigrule_258107__etc_security_pwquality_conf_Line: 'minlen = 15'
# R-258108 RHEL-09-611095
rhel9STIG_stigrule_258108_Manage: True
rhel9STIG_stigrule_258108__etc_login_defs_Line: 'PASS_MIN_LEN 15'
# R-258109 RHEL-09-611100
rhel9STIG_stigrule_258109_Manage: True
rhel9STIG_stigrule_258109__etc_security_pwquality_conf_Line: 'ocredit = -1'
@@ -700,6 +718,9 @@ rhel9STIG_stigrule_258116__etc_libuser_conf_Value: 'sha512'
# R-258117 RHEL-09-611140
rhel9STIG_stigrule_258117_Manage: True
rhel9STIG_stigrule_258117__etc_login_defs_Line: 'ENCRYPT_METHOD SHA512'
# R-258119 RHEL-09-611150
rhel9STIG_stigrule_258119_Manage: True
rhel9STIG_stigrule_258119__etc_login_defs_Line: 'SHA_CRYPT_MIN_ROUNDS 5000'
# R-258121 RHEL-09-611160
rhel9STIG_stigrule_258121_Manage: True
rhel9STIG_stigrule_258121__etc_opensc_conf_Line: 'card_drivers = cac;'
@@ -738,6 +759,9 @@ rhel9STIG_stigrule_258142_rsyslog_start_State: started
# R-258144 RHEL-09-652030
rhel9STIG_stigrule_258144_Manage: True
rhel9STIG_stigrule_258144__etc_rsyslog_conf_Line: 'auth.*;authpriv.*;daemon.* /var/log/secure'
# R-258145 RHEL-09-652035
rhel9STIG_stigrule_258145_Manage: True
rhel9STIG_stigrule_258145__etc_audit_plugins_d_syslog_conf_Line: 'active = yes'
# R-258146 RHEL-09-652040
rhel9STIG_stigrule_258146_Manage: True
rhel9STIG_stigrule_258146__etc_rsyslog_conf_Line: '$ActionSendStreamDriverAuthMode x509/name'
@@ -976,9 +1000,12 @@ rhel9STIG_stigrule_258228__etc_audit_rules_d_audit_rules_loginuid_immutable_Line
# R-258229 RHEL-09-654275
rhel9STIG_stigrule_258229_Manage: True
rhel9STIG_stigrule_258229__etc_audit_rules_d_audit_rules_e2_Line: '-e 2'
# R-258234 RHEL-09-215100
# R-258234 RHEL-09-672010
rhel9STIG_stigrule_258234_Manage: True
rhel9STIG_stigrule_258234_crypto_policies_State: installed
# R-272488 RHEL-09-215101
rhel9STIG_stigrule_272488_Manage: True
rhel9STIG_stigrule_272488_postfix_State: installed
# R-258239 RHEL-09-672035
rhel9STIG_stigrule_258239_Manage: True
rhel9STIG_stigrule_258239__etc_pki_tls_openssl_cnf_Line: '.include = /etc/crypto-policies/back-ends/opensslcnf.config'
# R-258240 RHEL-09-672040
rhel9STIG_stigrule_258240_Manage: True
rhel9STIG_stigrule_258240__etc_crypto_policies_back_ends_opensslcnf_config_Line: 'TLS.MinProtocol = TLSv1.2'

3648
collections/ansible_collections/demo/compliance/roles/rhel9STIG/files/U_RHEL_9_STIG_V2R4_Manual-xccdf.xml → collections/ansible_collections/demo/compliance/roles/rhel9STIG/files/U_RHEL_9_STIG_V1R2_Manual-xccdf.xml
View File

File diff suppressed because one or more lines are too long

141
collections/ansible_collections/demo/compliance/roles/rhel9STIG/tasks/main.yml
View File

@@ -474,10 +474,10 @@
state: "{{ rhel9STIG_stigrule_257834_tuned_State }}"
when: rhel9STIG_stigrule_257834_Manage
# R-257835 RHEL-09-215060
- name: stigrule_257835_tftp_server
- name: stigrule_257835_tftp
yum:
name: tftp-server
state: "{{ rhel9STIG_stigrule_257835_tftp_server_State }}"
name: tftp
state: "{{ rhel9STIG_stigrule_257835_tftp_State }}"
when: rhel9STIG_stigrule_257835_Manage
# R-257836 RHEL-09-215065
- name: stigrule_257836_quagga
@@ -764,6 +764,13 @@
group: "{{ rhel9STIG_stigrule_257917__var_log_messages_group_owner_Group }}"
when:
- rhel9STIG_stigrule_257917_Manage
# R-257933 RHEL-09-232265
- name: stigrule_257933__etc_crontab_mode
file:
dest: "{{ rhel9STIG_stigrule_257933__etc_crontab_mode_Dest }}"
mode: "{{ rhel9STIG_stigrule_257933__etc_crontab_mode_Mode }}"
when:
- rhel9STIG_stigrule_257933_Manage
# R-257934 RHEL-09-232270
- name: stigrule_257934__etc_shadow_mode
file:
@@ -1230,6 +1237,16 @@
when:
- rhel9STIG_stigrule_257986_Manage
- "'openssh-server' in packages"
# R-257989 RHEL-09-255065
- name: stigrule_257989__etc_crypto_policies_back_ends_openssh_config
lineinfile:
path: /etc/crypto-policies/back-ends/openssh.config
regexp: '^\s*Ciphers\s+\S+\s*$'
line: "{{ rhel9STIG_stigrule_257989__etc_crypto_policies_back_ends_openssh_config_Line }}"
create: yes
notify: do_reboot
when:
- rhel9STIG_stigrule_257989_Manage
# R-257992 RHEL-09-255080
- name: stigrule_257992_HostbasedAuthentication
lineinfile:
@@ -1381,6 +1398,16 @@
when:
- rhel9STIG_stigrule_258009_Manage
- "'openssh-server' in packages"
# R-258010 RHEL-09-255170
- name: stigrule_258010_UsePrivilegeSeparation
lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^\s*UsePrivilegeSeparation\s+'
line: "{{ rhel9STIG_stigrule_258010_UsePrivilegeSeparation_Line }}"
notify: ssh_restart
when:
- rhel9STIG_stigrule_258010_Manage
- "'openssh-server' in packages"
# R-258011 RHEL-09-255175
- name: stigrule_258011_X11UseLocalhost
lineinfile:
@@ -1567,6 +1594,18 @@
when:
- rhel9STIG_stigrule_258027_Manage
- "'dconf' in packages"
# R-258029 RHEL-09-271095
- name: stigrule_258029__etc_dconf_db_local_d_00_security_settings
ini_file:
path: /etc/dconf/db/local.d/00-security-settings
section: org/gnome/login-screen
option: disable-restart-buttons
value: "{{ rhel9STIG_stigrule_258029__etc_dconf_db_local_d_00_security_settings_Value }}"
no_extra_spaces: yes
notify: dconf_update
when:
- rhel9STIG_stigrule_258029_Manage
- "'dconf' in packages"
# R-258030 RHEL-09-271100
- name: stigrule_258030__etc_dconf_db_local_d_locks_session_disable_restart_buttons
lineinfile:
@@ -1635,34 +1674,6 @@
name: usbguard
state: "{{ rhel9STIG_stigrule_258035_usbguard_State }}"
when: rhel9STIG_stigrule_258035_Manage
# R-258035 RHEL-09-291015
- name: check if usbguard.service is installed
shell: ! systemctl list-unit-files | grep "^usbguard.service[ \t]\+"
changed_when: False
check_mode: no
register: result
failed_when: result.rc > 1
- name: stigrule_258035_usbguard_enable
service:
name: usbguard.service
enabled: "{{ rhel9STIG_stigrule_258035_usbguard_enable_Enabled }}"
when:
- rhel9STIG_stigrule_258035_Manage
- result.rc == 0
# R-258035 RHEL-09-291015
- name: check if usbguard.service is installed
shell: ! systemctl list-unit-files | grep "^usbguard.service[ \t]\+"
changed_when: False
check_mode: no
register: result
failed_when: result.rc > 1
- name: stigrule_258035_usbguard_start
service:
name: usbguard.service
state: "{{ rhel9STIG_stigrule_258035_usbguard_start_State }}"
when:
- rhel9STIG_stigrule_258035_Manage
- result.rc == 0
# R-258036 RHEL-09-291020
- name: check if usbguard.service is installed
shell: ! systemctl list-unit-files | grep "^usbguard.service[ \t]\+"
@@ -1810,6 +1821,20 @@
notify: with_faillock_enable
when:
- rhel9STIG_stigrule_258060_Manage
# R-258063 RHEL-09-412010
- name: stigrule_258063_tmux
yum:
name: tmux
state: "{{ rhel9STIG_stigrule_258063_tmux_State }}"
when: rhel9STIG_stigrule_258063_Manage
# R-258066 RHEL-09-412025
- name: stigrule_258066__etc_tmux_conf
lineinfile:
path: /etc/tmux.conf
line: "{{ rhel9STIG_stigrule_258066__etc_tmux_conf_Line }}"
create: yes
when:
- rhel9STIG_stigrule_258066_Manage
# R-258069 RHEL-09-412040
- name: stigrule_258069__etc_security_limits_conf
lineinfile:
@@ -2000,6 +2025,15 @@
create: yes
when:
- rhel9STIG_stigrule_258107_Manage
# R-258108 RHEL-09-611095
- name: stigrule_258108__etc_login_defs
lineinfile:
path: /etc/login.defs
regexp: '^PASS_MIN_LEN'
line: "{{ rhel9STIG_stigrule_258108__etc_login_defs_Line }}"
create: yes
when:
- rhel9STIG_stigrule_258108_Manage
# R-258109 RHEL-09-611100
- name: stigrule_258109__etc_security_pwquality_conf
lineinfile:
@@ -2082,6 +2116,15 @@
create: yes
when:
- rhel9STIG_stigrule_258117_Manage
# R-258119 RHEL-09-611150
- name: stigrule_258119__etc_login_defs
lineinfile:
path: /etc/login.defs
regexp: '^SHA_CRYPT_MIN_ROUNDS'
line: "{{ rhel9STIG_stigrule_258119__etc_login_defs_Line }}"
create: yes
when:
- rhel9STIG_stigrule_258119_Manage
# R-258121 RHEL-09-611160
- name: stigrule_258121__etc_opensc_conf
lineinfile:
@@ -2221,6 +2264,16 @@
notify: rsyslog_restart
when:
- rhel9STIG_stigrule_258144_Manage
# R-258145 RHEL-09-652035
- name: stigrule_258145__etc_audit_plugins_d_syslog_conf
lineinfile:
path: /etc/audit/plugins.d/syslog.conf
regexp: '^\s*active\s*='
line: "{{ rhel9STIG_stigrule_258145__etc_audit_plugins_d_syslog_conf_Line }}"
create: yes
notify: auditd_restart
when:
- rhel9STIG_stigrule_258145_Manage
# R-258146 RHEL-09-652040
- name: stigrule_258146__etc_rsyslog_conf
lineinfile:
@@ -2976,15 +3029,27 @@
line: "{{ rhel9STIG_stigrule_258229__etc_audit_rules_d_audit_rules_e2_Line }}"
notify: auditd_restart
when: rhel9STIG_stigrule_258229_Manage
# R-258234 RHEL-09-215100
# R-258234 RHEL-09-672010
- name: stigrule_258234_crypto_policies
yum:
name: crypto-policies
state: "{{ rhel9STIG_stigrule_258234_crypto_policies_State }}"
when: rhel9STIG_stigrule_258234_Manage
# R-272488 RHEL-09-215101
- name: stigrule_272488_postfix
yum:
name: postfix
state: "{{ rhel9STIG_stigrule_272488_postfix_State }}"
when: rhel9STIG_stigrule_272488_Manage
# R-258239 RHEL-09-672035
- name: stigrule_258239__etc_pki_tls_openssl_cnf
lineinfile:
path: /etc/pki/tls/openssl.cnf
line: "{{ rhel9STIG_stigrule_258239__etc_pki_tls_openssl_cnf_Line }}"
create: yes
when:
- rhel9STIG_stigrule_258239_Manage
# R-258240 RHEL-09-672040
- name: stigrule_258240__etc_crypto_policies_back_ends_opensslcnf_config
lineinfile:
path: /etc/crypto-policies/back-ends/opensslcnf.config
regexp: '^\s*TLS.MinProtocol\s*='
line: "{{ rhel9STIG_stigrule_258240__etc_crypto_policies_back_ends_opensslcnf_config_Line }}"
create: yes
notify: do_reboot
when:
- rhel9STIG_stigrule_258240_Manage

4
collections/ansible_collections/demo/patching/roles/report_linux/tasks/main.yml
View File

@@ -31,7 +31,3 @@
- name: Display link to inventory report
ansible.builtin.debug:
msg: "Please go to http://{{ hostvars[report_server]['ansible_host'] }}/reports/linux.html"
- name: Display link with a new path
ansible.builtin.debug:
msg: "Please go to http://{{ hostvars[report_server]['ansible_host'] }}/reports/linux.html"

45
common/setup.yml
View File

@@ -60,8 +60,7 @@ controller_inventory_sources:
prefix: purpose
- key: tags.deployment
prefix: deployment
- key: tags.Compliance
separator: ''
controller_groups:
- name: cloud_aws
inventory: Demo Inventory
@@ -277,44 +276,6 @@ controller_templates:
variable: _hosts
required: true
- name: Cloud / AWS / Resize EC2
job_type: run
organization: Default
credentials:
- AWS
- Controller Credential
project: Ansible Product Demos
playbook: cloud/resize_ec2.yml
inventory: Demo Inventory
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: AWS Region
type: multiplechoice
variable: aws_region
required: true
default: us-east-1
choices:
- us-east-1
- us-east-2
- us-west-1
- us-west-2
- question_name: Specify target hosts
type: text
variable: _hosts
required: true
- question_name: Specify target instance type
type: text
variable: instance_type
default: t3a.medium
required: true
controller_notifications:
- name: Telemetry
organization: Default
@@ -324,6 +285,4 @@ controller_notifications:
http_method: POST
headers: {}
controller_settings:
- name: SESSION_COOKIE_AGE
value: 180000
...

3
execution_environments/apd-ee-25.yml
View File

@@ -3,10 +3,9 @@ version: 3
images:
base_image:
name: registry.redhat.io/ansible-automation-platform-25/ee-minimal-rhel9:latest
dependencies:
galaxy: requirements-25.yml
system:
- python3.11-devel [platform:rpm]
python:
- pywinrm>=0.4.3
python_interpreter:

2
execution_environments/requirements-25.yml
View File

@@ -27,8 +27,6 @@ collections:
- name: redhat.rhel_system_roles
version: ">=1.23.0"
# windows demos
- name: microsoft.ad
version: "1.9"
- name: ansible.windows
version: ">=2.3.0"
- name: chocolatey.chocolatey

2
execution_environments/requirements.yml
View File

@@ -20,8 +20,6 @@ collections:
- name: redhat.rhel_system_roles
version: ">=1.23.0"
# windows
- name: microsoft.ad
version: "1.9"
- name: ansible.windows
version: ">=2.3.0"
- name: chocolatey.chocolatey

1
linux/multi_profile_compliance.yml → linux/compliance-enforce.yml
View File

@@ -13,3 +13,4 @@
- name: Run Compliance Profile
ansible.builtin.include_role:
name: "redhatofficial.rhel{{ ansible_distribution_major_version }}-{{ compliance_profile }}"
...

27
linux/multi_profile_compliance_report.yml → linux/compliance-report.yml
View File

@@ -9,17 +9,9 @@
- openscap-utils
- scap-security-guide
compliance_profile: ospp
# install httpd and use it to host compliance report
use_httpd: true
tasks:
- name: Assert memory meets minimum requirements
ansible.builtin.assert:
that:
- ansible_memfree_mb >= 1000
- ansible_memtotal_mb >= 2000
fail_msg: "OpenSCAP is a memory intensive operation, the specified enepoint does not meet minimum requirements. See https://access.redhat.com/articles/6999111 for details."
- name: Get our facts straight
ansible.builtin.set_fact:
_profile: '{{ compliance_profile | replace("pci_dss", "pci-dss") }}'
@@ -88,28 +80,11 @@
group: root
mode: 0644
- name: Debug output for report
ansible.builtin.debug:
msg: "http://{{ ansible_host }}/oscap-reports/{{ _profile }}/report-{{ ansible_date_time.iso8601 }}.html"
when: use_httpd | bool
- name: Tag instance as {{ compliance_profile | upper }}_OUT_OF_COMPLIANCE # noqa name[template]
delegate_to: localhost
amazon.aws.ec2_tag:
region: "{{ placement.region }}"
resource: "{{ instance_id }}"
state: present
tags:
Compliance: "{{ compliance_profile | upper }}_OUT_OF_COMPLIANCE"
when:
- _oscap.rc == 2
- instance_id is defined
become: false
handlers:
- name: Restart httpd
ansible.builtin.service:
name: httpd
state: restarted
enabled: true
...

0
linux/disa_stig.yml → linux/compliance.yml
View File

13
linux/remediate_out_of_compliance.yml
View File

@@ -1,13 +0,0 @@
---
- name: Apply compliance profile as part of workflow.
hosts: "{{ compliance_profile | default('stig') | upper }}_OUT_OF_COMPLIANCE"
become: true
tasks:
- name: Check os type
ansible.builtin.assert:
that: "ansible_os_family == 'RedHat'"
- name: Run Compliance Profile
ansible.builtin.include_role:
name: "redhatofficial.rhel{{ ansible_distribution_major_version }}-{{ compliance_profile }}"
...

78
linux/setup.yml
View File

@@ -334,33 +334,11 @@ controller_templates:
- full
required: true
- name: "LINUX / Compliance Enforce"
job_type: run
inventory: "Demo Inventory"
project: "Ansible Product Demos"
playbook: "linux/remediate_out_of_compliance.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
credentials:
- "Demo Credential"
extra_vars:
sudo_remove_nopasswd: false
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
variable: _hosts
required: true
- name: "LINUX / DISA STIG"
job_type: run
inventory: "Demo Inventory"
project: "Ansible Product Demos"
playbook: "linux/disa_stig.yml"
playbook: "linux/compliance.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
@@ -382,13 +360,12 @@ controller_templates:
job_type: run
inventory: "Demo Inventory"
project: "Ansible Product Demos"
playbook: "linux/multi_profile_compliance.yml"
playbook: "linux/compliance-enforce.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
credentials:
- "Demo Credential"
- "AWS"
extra_vars:
# used by CIS profile role
sudo_require_authentication: false
@@ -429,13 +406,12 @@ controller_templates:
job_type: run
inventory: "Demo Inventory"
project: "Ansible Product Demos"
playbook: "linux/multi_profile_compliance_report.yml"
playbook: "linux/compliance-report.yml"
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
credentials:
- "Demo Credential"
- "AWS"
survey_enabled: true
survey:
name: ''
@@ -516,52 +492,4 @@ controller_templates:
variable: application
required: true
controller_workflows:
- name: "Linux / Compliance Workflow"
description: A workflow to generate a SCAP report and run enforce on findings
organization: Default
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
survey_enabled: true
survey:
name: ''
description: ''
spec:
- question_name: Server Name or Pattern
type: text
default: aws_rhel*
variable: _hosts
required: true
- question_name: Compliance Profile
type: multiplechoice
variable: compliance_profile
required: true
choices:
- cis
- cjis
- cui
- hipaa
- ospp
- pci_dss
- stig
- question_name: Use httpd on the target host(s) to access reports locally?
type: multiplechoice
variable: use_httpd
required: true
choices:
- "true"
- "false"
default: "true"
simplified_workflow_nodes:
- identifier: Compliance Report
unified_job_template: "LINUX / Multi-profile Compliance Report"
success_nodes:
- Update Inventory
- identifier: Update Inventory
unified_job_template: AWS Inventory
success_nodes:
- Compliance Enforce
- identifier: Compliance Enforce
unified_job_template: "LINUX / Compliance Enforce"
...

7
openshift/devspaces.yml
View File

@@ -90,6 +90,13 @@
containerBuildConfiguration:
openShiftSecurityContextConstraint: container-build
disableContainerBuildCapabilities: true
defaultEditor: che-incubator/che-code/insiders
defaultComponents:
- container:
image: >-
registry.redhat.io/devspaces/udi-rhel8@sha256:aa39ede33bcbda6aa2723d271c79ab8d8fd388c7dfcbc3d4ece745b7e9c84193
sourceMapping: /projects
name: universal-developer-image
defaultNamespace:
autoProvision: true
template: <username>-devspaces

32
openshift/gitlab.yml
View File

@@ -101,21 +101,6 @@
retries: 10
delay: 30
- name: Get available charts from gitlab operator repo
register: gitlab_chart_versions
ansible.builtin.uri:
url: https://gitlab.com/gitlab-org/cloud-native/gitlab-operator/-/raw/master/CHART_VERSIONS?ref_type=heads
method: GET
return_content: true
- name: Debug gitlab_chart_versions
ansible.builtin.debug:
var: gitlab_chart_versions.content | from_yaml
- name: Get latest chart from available_chart_versions
ansible.builtin.set_fact:
gitlab_chart_version: "{{ (gitlab_chart_versions.content | split())[0] }}"
- name: Grab url for Gitlab spec
ansible.builtin.set_fact:
cluster_domain: "apps{{ lookup('ansible.builtin.env', 'K8S_AUTH_HOST') | regex_search('\\.[^:]*') }}"
@@ -148,20 +133,3 @@
route.openshift.io/termination: "edge"
certmanager-issuer:
email: "{{ cert_email | default('nobody@nowhere.nosite') }}"
- name: Print out warning and initial details about deployment
vars:
msg: |
If not immediately successful be aware that the Gitlab instance can take
a couple minutes to come up, so be patient.
URL for Gitlab instance:
https://gitlab.{{ cluster_domain }}
The initial login user is 'root', and the password can be found by logging
into the OpenShift cluster portal, and on the left hand side of the administrator
portal, under workloads, select Secrets and look for 'gitlab-gitlab-initial-root-password'
ansible.builtin.debug:
msg: "{{ msg.split('\n') }}"
...

2
tests/requirements.yml
View File

@@ -1 +1 @@
../execution_environments/requirements-25.yml
../execution_environments/requirements.yml

9
windows/create_ad_domain.yml
View File

@@ -12,17 +12,14 @@
- name: Update the hostname
ansible.windows.win_hostname:
name: "{{ inventory_hostname.split('.')[0] }}"
register: r_rename_hostname
- name: Reboot to apply new hostname
# noqa no-handler
when: r_rename_hostname is changed
ansible.windows.win_reboot:
reboot_timeout: 3600
- name: Create new domain in a new forest on the target host
register: r_create_domain
microsoft.ad.domain:
ansible.windows.win_domain:
dns_domain_name: ansible.local
safe_mode_password: "{{ lookup('community.general.random_string', min_lower=1, min_upper=1, min_special=1, min_numeric=1) }}"
@@ -33,7 +30,7 @@
file: tasks/domain_services_check.yml
- name: Create some groups
microsoft.ad.group:
community.windows.win_domain_group:
name: "{{ item.name }}"
scope: global
loop:
@@ -44,7 +41,7 @@
delay: 10
- name: Create some users
microsoft.ad.user:
community.windows.win_domain_user:
name: "{{ item.name }}"
groups: "{{ item.groups }}"
password: "{{ lookup('community.general.random_string', min_lower=1, min_upper=1, min_special=1, min_numeric=1) }}"

2
windows/helpdesk_new_user_portal.yml
View File

@@ -10,7 +10,7 @@
# Example result: ['&Qw2|E[-']
- name: Create new user
microsoft.ad.user:
community.windows.win_domain_user:
name: "{{ firstname }} {{ surname }}"
firstname: "{{ firstname }}"
surname: "{{ surname }}"

4
windows/join_ad_domain.yml
View File

@@ -16,7 +16,7 @@
- name: Ensure Demo OU exists
run_once: true
delegate_to: "{{ domain_controller }}"
microsoft.ad.ou:
community.windows.win_domain_ou:
name: Demo
state: present
@@ -26,7 +26,7 @@
- name: Join ansible.local domain
register: r_domain_membership
microsoft.ad.membership:
ansible.windows.win_domain_membership:
dns_domain_name: ansible.local
hostname: "{{ inventory_hostname.split('.')[0] }}"
domain_admin_user: "{{ ansible_user }}@ansible.local"

6
windows/patching.yml
View File

@@ -5,12 +5,6 @@
report_server: aws_win1
tasks:
- name: Assert that host is in webservers group
ansible.builtin.assert:
that: "'{{ report_server }}' in groups.os_windows"
msg: "Please run the 'Deploy Cloud Stack in AWS' Workflow Job Template first"
- name: Patch windows server
ansible.builtin.include_role:
name: demo.patching.patch_windows

3
windows/setup.yml
View File

@@ -40,6 +40,7 @@ controller_templates:
inventory: "Demo Inventory"
project: "Ansible Product Demos"
playbook: "windows/patching.yml"
execution_environment: Default execution environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
@@ -85,6 +86,7 @@ controller_templates:
inventory: "Demo Inventory"
project: "Ansible Product Demos"
playbook: "windows/rollback.yml"
execution_environment: Default execution environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry
@@ -109,6 +111,7 @@ controller_templates:
inventory: "Demo Inventory"
project: "Ansible Product Demos"
playbook: "windows/connect.yml"
execution_environment: Default execution environment
notification_templates_started: Telemetry
notification_templates_success: Telemetry
notification_templates_error: Telemetry