No commits in common. "09562855b3fb0861cb9b45f7ac3b3f95506b4892" and "7d5187fc430e98d05f426e36dc0877e1d8c19ee3" have entirely different histories.

5 changed files with 17 additions and 7 deletions


@ -7,7 +7,6 @@
types: [opened, reopened, synchronize] types: [opened, reopened, synchronize]
branches: branches:
- devel - devel
- benchmark*
paths: paths:
- '**.yml' - '**.yml'
- '**.sh' - '**.sh'
@ -71,6 +70,7 @@
echo IAC_BRANCH=main >> $GITHUB_ENV echo IAC_BRANCH=main >> $GITHUB_ENV
fi fi
# Pull in terraform code for linux servers # Pull in terraform code for linux servers
- name: Clone GitHub IaC plan - name: Clone GitHub IaC plan
uses: actions/checkout@v4 uses: actions/checkout@v4


@ -7,7 +7,6 @@
types: [opened, reopened, synchronize] types: [opened, reopened, synchronize]
branches: branches:
- main - main
- latest
paths: paths:
- '**.yml' - '**.yml'
- '**.sh' - '**.sh'
@ -24,6 +23,17 @@
# A workflow run is made up of one or more jobs # A workflow run is made up of one or more jobs
# that can run sequentially or in parallel # that can run sequentially or in parallel
jobs: jobs:
# This will create messages for first time contributers and direct them to the Discord server
welcome:
runs-on: self-hosted
steps:
- uses: actions/first-interaction@main
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: |-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
# This workflow contains a single job that tests the playbook # This workflow contains a single job that tests the playbook
playbook-test: playbook-test:
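Review bot: The added `welcome` job runs `actions/first-interaction@main`, a mutable branch ref, and passes it `secrets.GITHUB_TOKEN` on a `self-hosted` runner, so whatever is pushed to that upstream branch later executes with the token on your own machine. Pin the action to a reviewed full commit SHA, e.g. `- uses: actions/first-interaction@<full-commit-sha>  # <release tag>`. The workflow's trigger and any `permissions:` block are outside this hunk; if pull requests from forks can start this workflow, a GitHub-hosted runner (`runs-on: ubuntu-latest`) is the safer place for a greeting job. A job-level `permissions:` block limited to what the action needs (presumably `pull-requests: write` and `issues: write`, to be confirmed against the action's documentation) would also bound what the token can do. Minor: "contributers" in the added comment should read "contributors".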

2
.gitignore vendored

@ -44,5 +44,5 @@ benchparse/
# GitHub Action/Workflow files # GitHub Action/Workflow files
.github/ .github/
# ansible-lint cache # Precommit
.ansible/ .ansible/


@ -46,7 +46,7 @@ repos:
- id: gitleaks - id: gitleaks
- repo: https://github.com/ansible-community/ansible-lint - repo: https://github.com/ansible-community/ansible-lint
rev: v25.2.1 rev: v25.1.3
hooks: hooks:
- id: ansible-lint - id: ansible-lint
name: Ansible-lint name: Ansible-lint


@ -99,7 +99,7 @@
{% endif %} {% endif %}
{% endfor %} {% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %} {% set syscalls = ["etxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
{% set arch_syscalls = [] %} {% set arch_syscalls = [] %}
{% for syscall in syscalls %} {% for syscall in syscalls %}
{% if syscall in supported_syscalls %} {% if syscall in supported_syscalls %}
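Review bot: As rendered, the new side of the `{% set syscalls = [...] %}` line starts the list with `"etxattr"` where the old side had `"setxattr"`, and `etxattr` is not a syscall name. The loop that follows keeps only names found in `supported_syscalls`, so the misspelt entry would presumably be dropped without any error and the generated `perm_mod` audit rule would stop recording `setxattr` calls while still covering `lsetxattr` and `fsetxattr`. Restore the entry: `{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}`. The `for` loop body continues past the end of the hunk, so it is worth diffing the rendered rules file against the previous output to confirm the `-S` list is complete.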