Merge pull request #10 from ansible-lockdown/devel

Readme and Contributing updates Signed-off-by: George Nalen <[email protected]>
ansible-lockdown · Mar 29, 2021 · b003ec3 · b003ec3
2 parents 25d925c + 7cb905f
commit b003ec3
Show file tree

Hide file tree

Showing 2 changed files with 112 additions and 103 deletions.
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
@@ -0,0 +1,66 @@
+Contributing to MindPoint Group Projects
+========================================
+
+Rules
+-----
+1) All commits must be GPG signed (details in Signing section)
+2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <[email protected]>) in the commit message (details in Signing section)
+3) All work is done in your own branch
+4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
+5) Be open and nice to eachother
+
+Workflow
+--------
+- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge
+- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing.
+- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
+Signing your contribution
+-------------------------
+
+We've chosen to use the Developer's Certificate of Origin (DCO) method
+that is employed by the Linux Kernel Project, which provides a simple
+way to contribute to MindPoint Group projects.
+
+The process is to certify the below DCO 1.1 text
+::
+
+    Developer's Certificate of Origin 1.1
+
+    By making a contribution to this project, I certify that:
+
+    (a) The contribution was created in whole or in part by me and I
+        have the right to submit it under the open source license
+        indicated in the file; or
+
+    (b) The contribution is based upon previous work that, to the best
+        of my knowledge, is covered under an appropriate open source
+        license and I have the right under that license to submit that
+        work with modifications, whether created in whole or in part
+        by me, under the same open source license (unless I am
+        permitted to submit under a different license), as indicated
+        in the file; or
+
+    (c) The contribution was provided directly to me by some other
+        person who certified (a), (b) or (c) and I have not modified
+        it.
+
+    (d) I understand and agree that this project and the contribution
+        are public and that a record of the contribution (including all
+        personal information I submit with it, including my sign-off) is
+        maintained indefinitely and may be redistributed consistent with
+        this project or the open source license(s) involved.
+::
+
+Then, when it comes time to submit a contribution, include the
+following text in your contribution commit message:
+
+::
+
+   Signed-off-by: Joan Doe <[email protected]>
+
+::
+
+
+This message can be entered manually, or if you have configured git
+with the correct `user.name` and `user.email`, you can use the `-s`
+option to `git commit` to automatically include the signoff message.
diff --git a/README.md b/README.md
@@ -2,125 +2,68 @@
 Ubuntu 20 CIS
 =========
 
+![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/UBUNTU20-CIS/CommunityToDevel?label=Devel%20Build%20Status&style=plastic)
+![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/UBUNTU20-CIS/DevelToMaster?label=Main%20Build%20Status&style=plastic)
+![Release](https://img.shields.io/github/v/release/ansible-lockdown/UBUNTU20-CIS?style=plastic)
+
+
 Configure Ubuntu 20 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant. There are some intrusive tasks that have a toggle in defaults main.yml to disable to automated fix
 
+Caution(s)
+-------
 This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
 
+This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed.
+
+To use release version please point to main branch
 Based on [CIS Ubuntu Linux 20.04 LTS Benchmark ](https://community.cisecurity.org/collab/public/index.php).
 
 
+Documentation
+-------------
+[Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)<br>
+[Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)<br>
+[Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)<br>
+[Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)<br>
+[Wiki](https://github.com/ansible-lockdown/UBUNTU20-CIS/wiki)<br>
+[Repo GitHub Page](https://ansible-lockdown.github.io/UBUNTU20-CIS/)<br>
+
 Requirements
 ------------
 
-You should carefully read through the tasks to make sure these changes will not break your systems before running this playbook.
-If you want to do a dry run without changing anything, set the below sections (rhel8cis_section1-6) to false. 
+**General:**
+- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible
+  - [Main Ansible documentation page](https://docs.ansible.com)
+  - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html)
+  - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
+  - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
+- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. 
+- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/UBUNTU20-CIS/wiki/Main-Variables).
+
+**Technical Dependencies:**
+- Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer)
+- Python3 Ansible run environment
 
 Role Variables
 --------------
 
-There are many role variables defined in defaults/main.yml. This list shows the most important.
-
-**ubtu20cis_disruption_high**: Run CIS checks that we typically do NOT want to automate due to the high probability of breaking the system (Default: false)
-
-**ubtu20cis_section1_patch**: CIS - Iniitial setup (Section 1) (Default: true)
-
-**ubtu20cis_section2_patch**: CIS - Services settings (Section 2) (Default: true)
-
-**ubtu20cis_section3_patch**: CIS - Network Configuration (Section 3) (Default: true)
-
-**ubtu20cis_section4_patch**: CIS - Logging and Auditing settings (Section 4) (Default: true)
-
-**ubtu20cis_section5_patch**: CIS - Access, Authentication and Authorization settings (Section 5) (Default: true)
-
-**ubtu20cis_section6_patch**: CIS - System Maintenance settings (Section 6) (Default: true) 
-
-
-##### Service variables:
-###### These control whether a server should or should not be allowed to continue to run these services
-
-```
-ubtu20cis_allow_autofs: false
-ubtu20cis_allow_usb_storage: false
-ubtu20cis_avahi_server: false
-ubtu20cis_cups_server: false
-ubtu20cis_dhcp_server: false
-ubtu20cis_ldap_server: false
-ubtu20cis_nfs_server: false
-ubtu20cis_dns_server: false
-ubtu20cis_vsftpd_server: false
-ubtu20cis_httpd_server: false
-ubtu20cis_dovecot_server: false
-ubtu20cis_smb_server: false
-ubtu20cis_squid_server: fase
-ubtu20cis_snmp_server: false
-ubtu20cis_rsync_server: false
-ubtu20cis_nis_server: false
-ubtu20cis_rpc_required: false
-```
-
-##### Client variables:
-###### These control whether a client should or should not be allowed to continue to run these services
-```
-ubtu20cis_nis_required: false
-ubtu20cis_rsh_required: false
-ubtu20cis_talk_required: false
-ubtu20cis_telnet_required: false
-ubtu20cis_ldap_clients_required: false
-ubtu20cis_is_router: false
-```
-
-##### IPv4 required
-`ubtu20cis_ipv4_required`
-
-##### IPv6 required
-`ubtu20cis_ipv6_required`
-
-##### X-Windows required
-`ubtu20cis_xwindows_required`
-
-##### Is system a container
-`ubtu20cis_system_is_container:`
-
-Dependencies
-------------
-
-Ansible > 2.6.5
-
-Example Playbook
-----------------
-
-This sample playbook should be run in a folder that is above the main UBUNTU-18-CIS folder.
-
-```
-- hosts: all
-  become: true
-  vars:
-      is_container: false
-
-  roles:
-
-      - role: "{{ playbook_dir }}"
-        ubtu20cis_skip_for_travis: false
-        ubtu20cis_oscap_scan: yes
-
-License
--------
-
-BSD
+This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https://github.com/ansible-lockdown/UBUNTU20-CIS/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions.
 
-Author Information
-------------------
+Branches
+--------
 
-An optional section for the role authors to include contact information, or a website (HTML is not allowed).
-```
+- **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch
+- **main** - This is the release branch
+- **reports** - This is a protected branch for our scoring reports, no code should ever go here
+- **gh-pages** - This is the github pages branch
+- **all other branches** - Individual community member branches
 
-Tags
-----
-Many tags are available for precise control of what is and is not changed.
+Community Contribution
+----------------------
 
-Some examples of using tags:
+We encourage you (the community) to contribute to this role. Please read the rules below.
 
-```
-    # Audit and patch the site
-    ansible-playbook site.yml --tags="patch"
-```
+- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge.
+- All community Pull Requests are pulled into the devel branch
+- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved
+- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release