From 1d2adf4ad98597d3ac711007d4f67003efe2094c Mon Sep 17 00:00:00 2001 From: Dale Henries Date: Wed, 27 Jan 2021 10:25:23 -0500 Subject: [PATCH 1/3] Fixed readme version typo from 18 to 20. Signed-off-by: Dale Henries --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a281267f..2cff6769 100644 --- a/README.md +++ b/README.md @@ -89,7 +89,7 @@ Ansible > 2.6.5 Example Playbook ---------------- -This sample playbook should be run in a folder that is above the main UBUNTU-18-CIS folder. +This sample playbook should be run in a folder that is above the main UBUNTU-20-CIS folder. ``` - hosts: all From f5472fdca313d56b65c12de1046dc7255d24119e Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 29 Mar 2021 14:46:19 -0400 Subject: [PATCH 2/3] Updated README.md and added CONTRIBUTING.rst Signed-off-by: George Nalen --- CONTRIBUTING.rst | 66 +++++++++++++++++++++ README.md | 149 +++++++++++++++-------------------------------- 2 files changed, 112 insertions(+), 103 deletions(-) create mode 100644 CONTRIBUTING.rst diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst new file mode 100644 index 00000000..a5c4e034 --- /dev/null +++ b/CONTRIBUTING.rst 
@@ -0,0 +1,66 @@ +Contributing to MindPoint Group Projects +======================================== + +Rules +----- +1) All commits must be GPG signed (details in Signing section) +2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section) +3) All work is done in your own branch +4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing) +5) Be open and nice to eachother + +Workflow +-------- +- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge +- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing. +- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release +Signing your contribution +------------------------- + +We've chosen to use the Developer's Certificate of Origin (DCO) method +that is employed by the Linux Kernel Project, which provides a simple +way to contribute to MindPoint Group projects. 
+ +The process is to certify the below DCO 1.1 text +:: + + Developer's Certificate of Origin 1.1 + + By making a contribution to this project, I certify that: + + (a) The contribution was created in whole or in part by me and I + have the right to submit it under the open source license + indicated in the file; or + + (b) The contribution is based upon previous work that, to the best + of my knowledge, is covered under an appropriate open source + license and I have the right under that license to submit that + work with modifications, whether created in whole or in part + by me, under the same open source license (unless I am + permitted to submit under a different license), as indicated + in the file; or + + (c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + + (d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project or the open source license(s) involved. +:: + +Then, when it comes time to submit a contribution, include the +following text in your contribution commit message: + +:: + + Signed-off-by: Joan Doe + +:: + + +This message can be entered manually, or if you have configured git +with the correct `user.name` and `user.email`, you can use the `-s` +option to `git commit` to automatically include the signoff message. \ No newline at end of file diff --git a/README.md b/README.md index 2cff6769..7fc0f43a 100644 --- a/README.md +++ b/README.md 
@@ -2,125 +2,68 @@ Ubuntu 20 CIS ========= +![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/UBUNTU20-CIS/CommunityToDevel?label=Devel%20Build%20Status&style=plastic) +![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/UBUNTU20-CIS/DevelToMaster?label=Main%20Build%20Status&style=plastic) +![Release](https://img.shields.io/github/v/release/ansible-lockdown/UBUNTU20-CIS?style=plastic) + + Configure Ubuntu 20 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant. There are some intrusive tasks that have a toggle in defaults main.yml to disable to automated fix +Caution(s) +------- This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. +This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed. + +To use release version please point to main branch Based on [CIS Ubuntu Linux 20.04 LTS Benchmark ](https://community.cisecurity.org/collab/public/index.php). +Documentation +------------- +[Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)
+[Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)
+[Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)
+[Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)
+[Wiki](https://github.com/ansible-lockdown/UBUNTU20-CIS/wiki)
+[Repo GitHub Page](https://ansible-lockdown.github.io/UBUNTU20/)
+ Requirements ------------ -You should carefully read through the tasks to make sure these changes will not break your systems before running this playbook. -If you want to do a dry run without changing anything, set the below sections (rhel8cis_section1-6) to false. +**General:** +- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible + - [Main Ansible documentation page](https://docs.ansible.com) + - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) + - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) + - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) +- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. +- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/UBUNTU20-CIS/wiki/Main-Variables). + +**Technical Dependencies:** +- Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer) +- Python3 Ansible run environment Role Variables -------------- -There are many role variables defined in defaults/main.yml. This list shows the most important. 
- -**ubtu20cis_disruption_high**: Run CIS checks that we typically do NOT want to automate due to the high probability of breaking the system (Default: false) - -**ubtu20cis_section1_patch**: CIS - Iniitial setup (Section 1) (Default: true) - -**ubtu20cis_section2_patch**: CIS - Services settings (Section 2) (Default: true) - -**ubtu20cis_section3_patch**: CIS - Network Configuration (Section 3) (Default: true) - -**ubtu20cis_section4_patch**: CIS - Logging and Auditing settings (Section 4) (Default: true) - -**ubtu20cis_section5_patch**: CIS - Access, Authentication and Authorization settings (Section 5) (Default: true) - -**ubtu20cis_section6_patch**: CIS - System Maintenance settings (Section 6) (Default: true) - - -##### Service variables: -###### These control whether a server should or should not be allowed to continue to run these services - -``` -ubtu20cis_allow_autofs: false -ubtu20cis_allow_usb_storage: false -ubtu20cis_avahi_server: false -ubtu20cis_cups_server: false -ubtu20cis_dhcp_server: false -ubtu20cis_ldap_server: false -ubtu20cis_nfs_server: false -ubtu20cis_dns_server: false -ubtu20cis_vsftpd_server: false -ubtu20cis_httpd_server: false -ubtu20cis_dovecot_server: false -ubtu20cis_smb_server: false -ubtu20cis_squid_server: fase -ubtu20cis_snmp_server: false -ubtu20cis_rsync_server: false -ubtu20cis_nis_server: false -ubtu20cis_rpc_required: false -``` - -##### Client variables: -###### These control whether a client should or should not be allowed to continue to run these services -``` -ubtu20cis_nis_required: false -ubtu20cis_rsh_required: false -ubtu20cis_talk_required: false -ubtu20cis_telnet_required: false -ubtu20cis_ldap_clients_required: false -ubtu20cis_is_router: false -``` - -##### IPv4 required -`ubtu20cis_ipv4_required` - -##### IPv6 required -`ubtu20cis_ipv6_required` - -##### X-Windows required -`ubtu20cis_xwindows_required` - -##### Is system a container -`ubtu20cis_system_is_container:` - -Dependencies ------------- - -Ansible > 
2.6.5 - -Example Playbook ----------------- - -This sample playbook should be run in a folder that is above the main UBUNTU-20-CIS folder. - -``` -- hosts: all - become: true - vars: - is_container: false - - roles: - - - role: "{{ playbook_dir }}" - ubtu20cis_skip_for_travis: false - ubtu20cis_oscap_scan: yes - -License -------- - -BSD +This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https://github.com/ansible-lockdown/UBUNTU20-CIS/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions. -Author Information ------------------- +Branches +-------- -An optional section for the role authors to include contact information, or a website (HTML is not allowed). -``` +- **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch +- **main** - This is the release branch +- **reports** - This is a protected branch for our scoring reports, no code should ever go here +- **gh-pages** - This is the github pages branch +- **all other branches** - Individual community member branches -Tags ----- -Many tags are available for precise control of what is and is not changed. +Community Contribution +---------------------- -Some examples of using tags: +We encourage you (the community) to contribute to this role. Please read the rules below. -``` - # Audit and patch the site - ansible-playbook site.yml --tags="patch" -``` \ No newline at end of file +- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge. 
+- All community Pull Requests are pulled into the devel branch +- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved +- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release \ No newline at end of file From 3d53a05981cc30bdaa10c6b7be5dc7e117ebc1c8 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 29 Mar 2021 15:39:32 -0400 Subject: [PATCH 3/3] fixed link typo in readme Signed-off-by: George Nalen --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7fc0f43a..d96fb7ba 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ Documentation [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)
[Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)
[Wiki](https://github.com/ansible-lockdown/UBUNTU20-CIS/wiki)
-[Repo GitHub Page](https://ansible-lockdown.github.io/UBUNTU20/)
+[Repo GitHub Page](https://ansible-lockdown.github.io/UBUNTU20-CIS/)
Requirements ------------
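Review bot: PATCH 1/3 only changes the folder name in the Example Playbook paragraph ("UBUNTU-18-CIS" to "UBUNTU-20-CIS"), and PATCH 2/3 in the same series then deletes that whole paragraph, so the first commit becomes dead weight once the series lands; drop it or rebase the series so the typo fix is folded into the rewrite.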
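Review bot: In PATCH 2/3, CONTRIBUTING.rst, rule 1 requires every commit to be GPG signed "(details in Signing section)", but the Signing section only documents the DCO sign-off via `git commit -s` and never explains GPG signing, so contributors will still fail the signed-commit check; add a sentence on `git commit -S` (or `git config commit.gpgsign true`) next to the `-s` advice. The same file has a few text problems in the added lines: "Make sure to to Signed-off" has a doubled "to", "eachother" should be "each other", rule 4 ends with an unmatched ")", and rule 4 ("All pull requests go into the devel branch") is contradicted by the Workflow bullet that routes outside pull requests into a staging branch; pick one and say which applies when. For reST rendering, put a blank line before the "Signing your contribution" title so it is not run into the preceding bullet list, remove the stray `::` lines that follow each indented block (a `::` introduces a literal block, it does not close one), and add the missing trailing newline ("\ No newline at end of file").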
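Review bot: In PATCH 2/3, README.md, the hunk deletes the Dependencies, Example Playbook, License (BSD) and Tags sections without replacement, and the commit message ("Updated README.md and added CONTRIBUTING.rst") does not say that is intended; keep a minimal example playbook, because the new Role Variables text tells users to customize via defaults/main.yml and extra vars but the README no longer shows how the role is invoked, and keep the License section (or confirm a LICENSE file exists in the repo) before dropping it. The removed line "If you want to do a dry run without changing anything, set the below sections (rhel8cis_section1-6) to false" was wrong (RHEL 8 variable prefix copied into this role), but its replacement loses the only pointer to the ubtu20cis_section1_patch .. ubtu20cis_section6_patch and ubtu20cis_disruption_high toggles that let an operator scope or disable remediation; restate it with the correct prefix under the new Caution(s) heading, which is the natural place for it. Spelling in the added lines: "implimenting" -> "implementing", "consiquences" -> "consequences", and "Make sure to Signed-off and GPG sign all commits" -> "Make sure to sign off and GPG-sign all commits".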
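Review bot: PATCH 3/3 corrects a link that PATCH 2/3 of this same series introduced ("https://ansible-lockdown.github.io/UBUNTU20/" to ".../UBUNTU20-CIS/"); squash it into PATCH 2/3 rather than merging a broken link and its fix as two commits. The corrected URL now matches the repository name used by the neighbouring "Wiki" entry in the same Documentation block, so the hunk itself is fine once folded in.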