colin
/
UBUNTU24-CIS
mirror of https://github.com/ansible-lockdown/UBUNTU24-CIS.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #30 from ansible-lockdown/updates_march25 

Updates march25
This commit is contained in:
uk-bolly 2025-03-31 13:45:47 +01:00 committed by GitHub
parent b32cd33fcb c1684508f6
commit 85acc99536
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 6 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/devel_pipeline_validation.yml vendored
View File

@ -7,6 +7,7 @@
types: [opened, reopened, synchronize] types: [opened, reopened, synchronize]
branches: branches:
- devel - devel
- benchmark*
paths: paths:
- '**.yml' - '**.yml'
- '**.sh' - '**.sh'
@ -70,7 +71,6 @@
echo IAC_BRANCH=main >> $GITHUB_ENV echo IAC_BRANCH=main >> $GITHUB_ENV
fi fi
# Pull in terraform code for linux servers # Pull in terraform code for linux servers
- name: Clone GitHub IaC plan - name: Clone GitHub IaC plan
uses: actions/checkout@v4 uses: actions/checkout@v4

12
.github/workflows/main_pipeline_validation.yml vendored
View File

@ -7,6 +7,7 @@
types: [opened, reopened, synchronize] types: [opened, reopened, synchronize]
branches: branches:
- main - main
- latest
paths: paths:
- '**.yml' - '**.yml'
- '**.sh' - '**.sh'
@ -23,17 +24,6 @@
# A workflow run is made up of one or more jobs # A workflow run is made up of one or more jobs
# that can run sequentially or in parallel # that can run sequentially or in parallel
jobs: jobs:
# This will create messages for first time contributers and direct them to the Discord server
welcome:
runs-on: self-hosted
steps:
- uses: actions/first-interaction@main
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: |-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
# This workflow contains a single job that tests the playbook # This workflow contains a single job that tests the playbook
playbook-test: playbook-test:

2
.gitignore vendored
View File

@ -44,5 +44,5 @@ benchparse/
# GitHub Action/Workflow files # GitHub Action/Workflow files
.github/ .github/
# Precommit # ansible-lint cache
.ansible/ .ansible/

6
templates/audit/99_auditd.rules.j2
View File

@ -43,8 +43,8 @@
{{ arch_syscalls.append( syscall) }} {{ arch_syscalls.append( syscall) }}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
-w /etc/issue -p wa -k system-locale -w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale -w /etc/hosts -p wa -k system-locale
@ -99,7 +99,7 @@
{% endif %} {% endif %}
{% endfor %} {% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
{% set syscalls = ["etxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %} {% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
{% set arch_syscalls = [] %} {% set arch_syscalls = [] %}
{% for syscall in syscalls %} {% for syscall in syscalls %}
{% if syscall in supported_syscalls %} {% if syscall in supported_syscalls %}