diff --git a/.github/images/setup_domain_final_state.png b/.github/images/setup_domain_final_state.png new file mode 100644 index 000000000..b2088510f Binary files /dev/null and b/.github/images/setup_domain_final_state.png differ diff --git a/.github/images/setup_domain_workflow.png b/.github/images/setup_domain_workflow.png new file mode 100644 index 000000000..9f1a16ab4 Binary files /dev/null and b/.github/images/setup_domain_workflow.png differ diff --git a/.github/images/setup_domain_workflow_domain.png b/.github/images/setup_domain_workflow_domain.png new file mode 100644 index 000000000..4cbc6855a Binary files /dev/null and b/.github/images/setup_domain_workflow_domain.png differ diff --git a/.github/images/setup_domain_workflow_inventory.png b/.github/images/setup_domain_workflow_inventory.png new file mode 100644 index 000000000..7d7db57d4 Binary files /dev/null and b/.github/images/setup_domain_workflow_inventory.png differ diff --git a/.gitignore b/.gitignore index fc9639e33..da93076ac 100644 --- a/.gitignore +++ b/.gitignore @@ -7,6 +7,6 @@ choose_demo_example_aws.yml .ansible.cfg *.gz *artifact*.json -**/roles/* -!**/roles/requirements.yml +roles/* +!roles/requirements.yml .deployment_id diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 196f849ee..7a17953b6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -4,7 +4,10 @@ repos: rev: v4.4.0 hooks: - id: end-of-file-fixer + exclude: rhel[89]STIG/.*$ + - id: trailing-whitespace + exclude: rhel[89]STIG/.*$ - id: check-yaml exclude: \.j2.(yaml|yml)$|\.(yaml|yml).j2$ @@ -26,4 +29,5 @@ repos: rev: 23.11.0 hooks: - id: black + exclude: rhel[89]STIG/.*$ ... diff --git a/CHANGELOG.md b/CHANGELOG.md deleted file mode 100644 index d0f5fca9a..000000000 --- a/CHANGELOG.md +++ /dev/null 
@@ -1,12 +0,0 @@ -# Changelog - -All notable changes to this project will be documented in this file. - -The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), -and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). - -## [v-0.0.1](https://github.com/ansible/product-demos/-/tree/v-0.0.1) - 2024-01-12 - -### Added - -- Initial release ([1af584b4ea6d77812bfcb2f6474fee6ee1b13666](https://github.com/ansible/product-demos/-/commit/1af584b4ea6d77812bfcb2f6474fee6ee1b13666)) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d787d2935..7f3bc6f09 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -18,6 +18,7 @@ This document aims to outline the requirements for the various forms of contribu - PRs should be rebased against the `main` branch to avoid conflicts. - PRs should not impact more than a single directory/demo section. - PRs should not rely on external infrastructure or configuration unless the dependency is automated or specified in the `user_message` of `setup.yml`. +- PR titles should describe the work done in the PR. Titles should not be generic ("Added new demo") and should not refer to an issue number ("Fix for issue #123"). ## Adding a New Demo 1) Create a new branch based on main. (eg. `git checkout -b `) 
@@ -31,7 +32,7 @@ This document aims to outline the requirements for the various forms of contribu 1) You can copy paste an existing one and edit it. 2) Ensure you edit the name, playbook path, survey etc. 5) Add any needed roles/collections to the [requirements.yml](/collections/requirements.yml) -6) Test via [demo.redhat.com](https://demo.redhat.com/catalog?item=babylon-catalog-prod/sandboxes-gpte.aap-product-demos.prod&utm_source=webapp&utm_medium=share-link), specify your branch name within the project configuration. +6) Test via [demo.redhat.com](https://demo.redhat.com/catalog?search=product&item=babylon-catalog-prod%2Fopenshift-cnv.aap-product-demos-cnv.prod), specifying your branch name within the project configuration. > NOTE: demo.redhat.com is available to Red Hat Associates and Partners with a valid account. @@ -43,13 +44,10 @@ This document aims to outline the requirements for the various forms of contribu --- user_message: '' - controller_components: - - job_templates - controller_templates: ... ``` - - `controller_components` can be any of the roles defined [here](https://github.com/redhat-cop/controller_configuration/tree/devel/roles) + - Configuration variables can be from any of the roles defined in the [infra.controller_configuration collection](https://github.com/redhat-cop/controller_configuration/tree/devel/roles) - Add variables for each component listed 3) Include a README.md in the subdirectory 
@@ -72,76 +70,3 @@ Copy the token value and execute the following command: ```bash export ANSIBLE_GALAXY_SERVER_AH_TOKEN= ``` - -## Release Process - -We follow a structured release process for this project. Here are the steps involved: - -1. **Create a Release Branch:** - - Start by creating a new release branch from the `main` branch. - - ```bash - git checkout -b release/v- - ``` - -2. **Update Changelog:** - - Open the `CHANGELOG.md` file to manually add your change to the appropriate section. - - Our changelog follows the [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) format and includes the following categories of changes: - - - `Added` for new features. - - `Changed` for changes in existing functionality. - - `Deprecated` for features that will be removed in upcoming releases. - - `Fixed` for bug fixes. - - `Removed` for deprecated features that were removed. - - `Security` for security-related changes. - - - Add a new entry under the relevant category. Include a brief summary of the change and the merge request commit tag. - - ```markdown - ## [Unreleased] - - ### Added - - - New feature or enhancement ([Merge Request Commit](https://github.com/ansible/product-demos/-/commit/)) - ``` - - - Replace `` with the actual commit hash from the merge request. - -3. **Commit Changes:** - - Commit the changes made to the `CHANGELOG.md` file. - - ```bash - git add CHANGELOG.md - git commit -m "Update CHANGELOG for release " - ``` - -4. **Create a Pull Request:** - - Open a pull request from the release branch to the `main` branch. - -5. **Review and Merge:** - - Review the pull request and merge it into the `main` branch. - -6. **Tag the Release:** - - Once the pull request is merged, tag the release with the version number. - - ```bash - git tag -a v- -m "Release " - git push origin v- - ``` - -7. 
**Publish the Release:** - - After the successful completion of the pull request and merging into the `main` branch, an automatic GitHub Action will be triggered to publish the release. - - The GitHub Action will perform the following steps: - - Parse the `CHANGELOG.md` file. - - Generate a release note based on the changes. - - Attach relevant files (such as `LICENSE`, `CHANGELOG.md`, and the generated `CHANGELOG.txt`) to the GitHub Release. - - No manual intervention is required for this step; the GitHub Action will handle the release process automatically. - -8. **Cleanup:** - - Delete the release branch. - - ```bash - git branch -d release/v- - ``` diff --git a/cloud/aws_key.yml b/cloud/aws_key.yml index e4ffcee29..7f7f29604 100644 --- a/cloud/aws_key.yml +++ b/cloud/aws_key.yml @@ -23,3 +23,8 @@ state: present tags: owner: "{{ aws_keypair_owner }}" + + - name: Set VPC stats + ansible.builtin.set_stats: + data: + stat_aws_key_pair: '{{ aws_key_name }}' diff --git a/cloud/create_vpc.yml b/cloud/create_vpc.yml index 4afd4e704..19c546e7d 100644 --- a/cloud/create_vpc.yml +++ b/cloud/create_vpc.yml @@ -122,3 +122,12 @@ Name: "{{ aws_rt_name }}" owner: "{{ aws_owner_tag }}" purpose: "{{ aws_purpose_tag }}" + + - name: Set VPC stats + ansible.builtin.set_stats: + data: + stat_aws_region: '{{ create_vm_aws_region }}' + stat_aws_vpc_id: '{{ aws_vpc.vpc.id }}' + stat_aws_vpc_cidr: '{{ aws_vpc_cidr_block }}' + stat_aws_subnet_id: '{{ aws_subnet.subnet.id }}' + stat_aws_subnet_cidr: '{{ aws_subnet_cidr }}' diff --git a/cloud/display-ec2-stats.yml b/cloud/display-ec2-stats.yml new file mode 100644 index 000000000..a20bce683 --- /dev/null +++ b/cloud/display-ec2-stats.yml 
@@ -0,0 +1,18 @@ +--- +- name: Display EC2 stats + hosts: localhost + gather_facts: false + + tasks: + - name: Display stats for EC2 VPC and key pair + ansible.builtin.debug: + var: '{{ item }}' + loop: + - stat_aws_region + - stat_aws_key_pair + - stat_aws_vpc_id + - stat_aws_vpc_cidr + - stat_aws_subnet_id + - stat_aws_subnet_cidr + +... diff --git a/cloud/setup.yml b/cloud/setup.yml index 7c9c08be8..d3293ef6d 100644 --- a/cloud/setup.yml +++ b/cloud/setup.yml @@ -15,6 +15,13 @@ controller_projects: scm_url: https://github.com/ansible-content-lab/aws.infrastructure_config_demos.git default_environment: Cloud Services Execution Environment + - name: Ansible Cloud AWS Demos + organization: Default + scm_type: git + wait: true + scm_url: https://github.com/ansible-cloud/aws_demos.git + default_environment: Cloud Services Execution Environment + controller_credentials: - name: AWS credential_type: Amazon Web Services 
@@ -140,168 +147,34 @@ controller_templates: extra_vars: aws_region: us-east-1 - - name: Cloud / AWS / Create VPC - job_type: run - organization: Default - credentials: - - AWS - project: Ansible official demo project - playbook: cloud/create_vpc.yml - inventory: Demo Inventory - notification_templates_started: Telemetry - notification_templates_success: Telemetry - notification_templates_error: Telemetry - survey_enabled: true - survey: - name: '' - description: '' - spec: - - question_name: AWS Region - type: multiplechoice - variable: create_vm_aws_region - required: true - choices: - - us-east-1 - - us-east-2 - - us-west-1 - - us-west-2 - - question_name: Owner - type: text - variable: aws_owner_tag - required: true - - - name: Cloud / AWS / Create VM - job_type: run - organization: Default - credentials: - - AWS - - Demo Credential - project: Ansible Cloud Content Lab - AWS - playbook: playbooks/create_vm.yml - inventory: Demo Inventory - notification_templates_started: Telemetry - notification_templates_success: Telemetry - notification_templates_error: Telemetry - survey_enabled: true - allow_simultaneous: true - survey: - name: '' - description: '' - spec: - - question_name: AWS Region - type: multiplechoice - variable: create_vm_aws_region - required: true - choices: - - us-east-1 - - us-east-2 - - us-west-1 - - us-west-2 - - question_name: Name - type: text - variable: create_vm_vm_name - required: true - - question_name: Owner - type: text - variable: create_vm_vm_owner - required: true - - question_name: Deployment - type: text - variable: create_vm_vm_deployment - required: true - - question_name: Environment - type: multiplechoice - variable: create_vm_vm_environment - required: true - choices: - - Dev - - QA - - Prod - - question_name: Blueprint - type: multiplechoice - variable: vm_blueprint - required: true - choices: - - windows_core - - windows_full - - rhel9 - - rhel8 - - rhel7 - - al2023 - - question_name: Subnet - type: text - variable: 
create_vm_aws_vpc_subnet_name - required: true - default: aws-test-subnet - - question_name: Security Group - type: text - variable: create_vm_aws_securitygroup_name - required: true - default: aws-test-sg - - question_name: SSH Keypair - type: text - variable: create_vm_aws_keypair_name - required: true - default: aws-test-key - - question_name: AWS Instance Type (defaults to blueprint value) - type: text - variable: create_vm_aws_instance_size - required: false - - question_name: AWS Image Filter (defaults to blueprint value) - type: text - variable: create_vm_aws_image_filter - required: false - - - name: Cloud / AWS / Delete VM - job_type: run - organization: Default - credentials: - - AWS - - Demo Credential - project: Ansible Cloud Content Lab - AWS - playbook: playbooks/delete_inventory_vm.yml - inventory: Demo Inventory - notification_templates_started: Telemetry - notification_templates_success: Telemetry - notification_templates_error: Telemetry - survey_enabled: true - survey: - name: '' - description: '' - spec: - - question_name: Name or Pattern - type: text - variable: _hosts - required: true - - name: Cloud / AWS / VPC Report job_type: run organization: Default credentials: - AWS - project: Ansible Cloud Content Lab - AWS - playbook: playbooks/create_reports.yml + project: Ansible Cloud AWS Demos + playbook: playbooks/cloud_report.yml inventory: Demo Inventory - notification_templates_started: Telemetry - notification_templates_success: Telemetry - notification_templates_error: Telemetry - extra_vars: - aws_report: vpc - reports_aws_bucket_name: reports-pd-{{ _deployment_id }} - survey_enabled: true - survey: - name: '' - description: '' - spec: - - question_name: AWS Region - type: multiplechoice - variable: create_vm_aws_region - required: true - choices: - - us-east-1 - - us-east-2 - - us-west-1 - - us-west-2 + # notification_templates_started: Telemetry + # notification_templates_success: Telemetry + # notification_templates_error: Telemetry + # 
extra_vars: + # aws_report: vpc + # reports_aws_bucket_name: reports-pd-{{ _deployment_id }} + # survey_enabled: true + # survey: + # name: '' + # description: '' + # spec: + # - question_name: AWS Region + # type: multiplechoice + # variable: create_vm_aws_region + # required: true + # choices: + # - us-east-1 + # - us-east-2 + # - us-west-1 + # - us-west-2 - name: Cloud / AWS / Tags Report job_type: run @@ -332,13 +205,13 @@ controller_templates: - us-west-1 - us-west-2 - - name: Cloud / AWS / Create Keypair + - name: Cloud / AWS / Snapshot EC2 job_type: run organization: Default credentials: - AWS project: Ansible official demo project - playbook: cloud/aws_key.yml + playbook: cloud/snapshot_ec2.yml inventory: Demo Inventory notification_templates_started: Telemetry notification_templates_success: Telemetry @@ -350,34 +223,26 @@ controller_templates: spec: - question_name: AWS Region type: multiplechoice - variable: create_vm_aws_region + variable: aws_region required: true + default: us-east-1 choices: - us-east-1 - us-east-2 - us-west-1 - us-west-2 - - question_name: Keypair Name - type: text - variable: aws_key_name - required: true - default: aws-test-key - - question_name: Keypair Public Key - type: textarea - variable: aws_public_key - required: true - - question_name: Owner + - question_name: Specify target hosts type: text - variable: aws_keypair_owner - required: true + variable: _hosts + required: false - - name: Cloud / AWS / Snapshot EC2 + - name: Cloud / AWS / Restore EC2 from Snapshot job_type: run organization: Default credentials: - AWS project: Ansible official demo project - playbook: cloud/snapshot_ec2.yml + playbook: cloud/restore_ec2.yml inventory: Demo Inventory notification_templates_started: Telemetry notification_templates_success: Telemetry 
@@ -402,36 +267,17 @@ controller_templates: variable: _hosts required: false - - name: Cloud / AWS / Restore EC2 from Snapshot + - name: Cloud / AWS / Display EC2 Stats job_type: run organization: Default credentials: - AWS project: Ansible official demo project - playbook: cloud/restore_ec2.yml + playbook: cloud/display-ec2-stats.yml inventory: Demo Inventory notification_templates_started: Telemetry notification_templates_success: Telemetry notification_templates_error: Telemetry - survey_enabled: true - survey: - name: '' - description: '' - spec: - - question_name: AWS Region - type: multiplechoice - variable: aws_region - required: true - default: us-east-1 - choices: - - us-east-1 - - us-east-2 - - us-west-1 - - us-west-2 - - question_name: Specify target hosts - type: text - variable: _hosts - required: false - name: "LINUX / Patching" job_type: check @@ -503,19 +349,24 @@ controller_workflows: - identifier: Create Keypair unified_job_template: Cloud / AWS / Create Keypair success_nodes: - - VPC Report + - EC2 Stats failure_nodes: - Ticket - Keypair Failed - identifier: Create VPC unified_job_template: Cloud / AWS / Create VPC success_nodes: - - VPC Report + - EC2 Stats failure_nodes: - Ticket - VPC Failed - identifier: Ticket - Keypair Failed unified_job_template: 'SUBMIT FEEDBACK' extra_data: feedback: Failed to create AWS keypair + - identifier: EC2 Stats + unified_job_template: Cloud / AWS / Display EC2 Stats + all_parents_must_converge: true + always_nodes: + - VPC Report - identifier: VPC Report unified_job_template: Cloud / AWS / VPC Report all_parents_must_converge: true @@ -570,10 +421,6 @@ controller_workflows: - Update Inventory failure_nodes: - Ticket - Instance Failed - - identifier: Ticket - VPC Failed - unified_job_template: 'SUBMIT FEEDBACK' - extra_data: - feedback: Failed to create AWS VPC - identifier: Update Inventory unified_job_template: AWS Inventory success_nodes: 
@@ -584,6 +431,10 @@ controller_workflows: feedback: Failed to create AWS instance - identifier: Tag Report unified_job_template: Cloud / AWS / Tags Report + - identifier: Ticket - VPC Failed + unified_job_template: 'SUBMIT FEEDBACK' + extra_data: + feedback: Failed to create AWS VPC - name: Cloud / AWS / Patch EC2 Workflow description: A workflow to patch ec2 instances with snapshot and restore on failure. diff --git a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml index 896cb1e34..a3aabd8ca 100644 --- a/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml +++ b/collections/ansible_collections/demo/compliance/roles/iosxeSTIG/tasks/main.yml @@ -137,14 +137,14 @@ - (cmd_result.stdout|join('\n')).find('ip dns server') != -1 - iosxeSTIG_stigrule_215823_Manage # R-215823 CISC-ND-000470 -- name : stigrule_215823_disable_identd - ignore_errors: "{{ ignore_all_errors }}" - notify: "save configuration" - ios_config: - defaults: yes - lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}" - when: - - iosxeSTIG_stigrule_215823_Manage +# - name : stigrule_215823_disable_identd +# ignore_errors: "{{ ignore_all_errors }}" +# notify: "save configuration" +# ios_config: +# defaults: yes +# lines: "{{ iosxeSTIG_stigrule_215823_disable_identd_Lines }}" +# when: +# - iosxeSTIG_stigrule_215823_Manage # R-215823 CISC-ND-000470 - name : stigrule_215823_disable_finger ignore_errors: "{{ ignore_all_errors }}" @@ -378,9 +378,9 @@ - name : stigrule_215837_host ignore_errors: "{{ ignore_all_errors }}" notify: "save configuration" - ios_logging: - dest: host - name: "{{ iosxeSTIG_stigrule_215837_host_Name }}" + ios_config: + lines: + - "logging {{ iosxeSTIG_stigrule_215837_host_Name }}" when: iosxeSTIG_stigrule_215837_Manage # R-215837 CISC-ND-001000 # Please configure name IP address to a valid one. 
@@ -397,16 +397,18 @@ - name : stigrule_215838_ntp_server_1 ignore_errors: "{{ ignore_all_errors }}" notify: "save configuration" - ios_ntp: - server: "{{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}" + cisco.ios.ios_config: + lines: + - "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_1_Server }}" when: iosxeSTIG_stigrule_215838_Manage # R-215838 CISC-ND-001030 # Replace ntp servers' IP address before enabling. - name : stigrule_215838_ntp_server_2 ignore_errors: "{{ ignore_all_errors }}" notify: "save configuration" - ios_ntp: - server: "{{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}" + cisco.ios.ios_config: + lines: + - "ntp server {{ iosxeSTIG_stigrule_215838_ntp_server_2_Server }}" when: iosxeSTIG_stigrule_215838_Manage # R-215840 CISC-ND-001050 # service timestamps log datetime localtime is set in 215817. diff --git a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/callback_plugins/stig_xml.py b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/callback_plugins/stig_xml.py index 5474b8316..cfff078b2 100644 --- a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/callback_plugins/stig_xml.py +++ b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/callback_plugins/stig_xml.py @@ -1,5 +1,4 @@ -from __future__ import absolute_import, division, print_function - +from __future__ import (absolute_import, division, print_function) __metaclass__ = type from ansible.plugins.callback import CallbackBase 
@@ -12,82 +11,76 @@ import xml.etree.ElementTree as ET import xml.dom.minidom - class CallbackModule(CallbackBase): CALLBACK_VERSION = 2.0 - CALLBACK_TYPE = "xml" - CALLBACK_NAME = "stig_xml" + CALLBACK_TYPE = 'xml' + CALLBACK_NAME = 'stig_xml' CALLBACK_NEEDS_WHITELIST = True def _get_STIG_path(self): - cwd = os.path.abspath(".") + cwd = os.path.abspath('.') for dirpath, dirs, files in os.walk(cwd): - if os.path.sep + "files" in dirpath and ".xml" in files[0]: + if os.path.sep + 'files' in dirpath and '.xml' in files[0]: return os.path.join(cwd, dirpath, files[0]) def __init__(self): super(CallbackModule, self).__init__() self.rules = {} - self.stig_path = os.environ.get("STIG_PATH") - self.XML_path = os.environ.get("XML_PATH") + self.stig_path = os.environ.get('STIG_PATH') + self.XML_path = os.environ.get('XML_PATH') if self.stig_path is None: self.stig_path = self._get_STIG_path() - self._display.display("Using STIG_PATH: {}".format(self.stig_path)) + self._display.display('Using STIG_PATH: {}'.format(self.stig_path)) if self.XML_path is None: self.XML_path = tempfile.mkdtemp() + "/xccdf-results.xml" - self._display.display("Using XML_PATH: {}".format(self.XML_path)) + self._display.display('Using XML_PATH: {}'.format(self.XML_path)) print("Writing: {}".format(self.XML_path)) STIG_name = os.path.basename(self.stig_path) - ET.register_namespace("cdf", "http://checklists.nist.gov/xccdf/1.2") - self.tr = ET.Element("{http://checklists.nist.gov/xccdf/1.2}TestResult") - self.tr.set( - "id", - "xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}".format(STIG_name), - ) + ET.register_namespace('cdf', 'http://checklists.nist.gov/xccdf/1.2') + self.tr = ET.Element('{http://checklists.nist.gov/xccdf/1.2}TestResult') + self.tr.set('id', 'xccdf_mil.disa.stig_testresult_scap_mil.disa_comp_{}'.format(STIG_name)) endtime = strftime("%Y-%m-%dT%H:%M:%S", gmtime()) - self.tr.set("end-time", endtime) - tg = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}target") + 
self.tr.set('end-time', endtime) + tg = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}target') tg.text = platform.node() def _get_rev(self, nid): - with open(self.stig_path, "r") as f: - r = "SV-{}r(?P\d+)_rule".format(nid) + with open(self.stig_path, 'r') as f: + r = 'SV-{}r(?P\d+)_rule'.format(nid) m = re.search(r, f.read()) if m: - rev = m.group("rev") + rev = m.group('rev') else: - rev = "0" + rev = '0' return rev def v2_runner_on_ok(self, result): name = result._task.get_name() - m = re.search("stigrule_(?P\d+)", name) + m = re.search('stigrule_(?P\d+)', name) if m: - nid = m.group("id") + nid = m.group('id') else: return rev = self._get_rev(nid) key = "{}r{}".format(nid, rev) - if self.rules.get(key, "Unknown") != False: + if self.rules.get(key, 'Unknown') != False: self.rules[key] = result.is_changed() def v2_playbook_on_stats(self, stats): for rule, changed in self.rules.items(): - state = "fail" if changed else "pass" - rr = ET.SubElement( - self.tr, "{http://checklists.nist.gov/xccdf/1.2}rule-result" - ) - rr.set("idref", "xccdf_mil.disa.stig_rule_SV-{}_rule".format(rule)) - rs = ET.SubElement(rr, "{http://checklists.nist.gov/xccdf/1.2}result") + state = 'fail' if changed else 'pass' + rr = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}rule-result') + rr.set('idref', 'xccdf_mil.disa.stig_rule_SV-{}_rule'.format(rule)) + rs = ET.SubElement(rr, '{http://checklists.nist.gov/xccdf/1.2}result') rs.text = state passing = len(self.rules) - sum(self.rules.values()) - sc = ET.SubElement(self.tr, "{http://checklists.nist.gov/xccdf/1.2}score") - sc.set("maximum", str(len(self.rules))) - sc.set("system", "urn:xccdf:scoring:flat-unweighted") + sc = ET.SubElement(self.tr, '{http://checklists.nist.gov/xccdf/1.2}score') + sc.set('maximum', str(len(self.rules))) + sc.set('system', 'urn:xccdf:scoring:flat-unweighted') sc.text = str(passing) - with open(self.XML_path, "wb") as f: + with open(self.XML_path, 'wb') as f: out = 
ET.tostring(self.tr) - pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding="utf-8") + pretty = xml.dom.minidom.parseString(out).toprettyxml(encoding='utf-8') f.write(pretty) diff --git a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml index f11ea0983..994d04ba5 100644 --- a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml +++ b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/defaults/main.yml @@ -142,9 +142,6 @@ rhel8STIG_stigrule_230347__etc_dconf_db_local_d_00_screensaver_Value: 'true' rhel8STIG_stigrule_230348_Manage: True rhel8STIG_stigrule_230348_ensure_tmux_is_installed_State: installed rhel8STIG_stigrule_230348__etc_tmux_conf_Line: 'set -g lock-command vlock' -# R-230349 RHEL-08-020041 -rhel8STIG_stigrule_230349_Manage: True -rhel8STIG_stigrule_230349__etc_bashrc_Line: '[ -n "$PS1" -a -z "$TMUX" ] && exec tmux' # R-230352 RHEL-08-020060 rhel8STIG_stigrule_230352_Manage: True rhel8STIG_stigrule_230352__etc_dconf_db_local_d_00_screensaver_Value: 'uint32 900' @@ -232,9 +229,6 @@ rhel8STIG_stigrule_230394__etc_audit_auditd_conf_Line: 'name_format = hostname' # R-230395 RHEL-08-030063 rhel8STIG_stigrule_230395_Manage: True rhel8STIG_stigrule_230395__etc_audit_auditd_conf_Line: 'log_format = ENRICHED' -# R-230396 RHEL-08-030070 -rhel8STIG_stigrule_230396_Manage: True -rhel8STIG_stigrule_230396__etc_audit_auditd_conf_Line: 'log_group = root' # R-230398 RHEL-08-030090 # A duplicate of 230396 # duplicate of 230396 @@ -569,3 +563,6 @@ rhel8STIG_stigrule_244553_net_ipv4_conf_all_accept_redirects_Value: 0 # R-244554 RHEL-08-040286 rhel8STIG_stigrule_244554_Manage: True rhel8STIG_stigrule_244554__etc_sysctl_d_99_sysctl_conf_Line: 'net.core.bpf_jit_harden = 2' +# R-256974 RHEL-08-010358 +rhel8STIG_stigrule_256974_Manage: True +rhel8STIG_stigrule_256974_mailx_State: installed 
diff --git a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R13_Manual-xccdf.xml similarity index 84% rename from collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml rename to collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R13_Manual-xccdf.xml index 31c877d32..78a900c30 100644 --- a/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R9_Manual-xccdf.xml +++ b/collections/ansible_collections/demo/compliance/roles/rhel8STIG/files/U_RHEL_8_STIG_V1R13_Manual-xccdf.xml 
@@ -1,4 +1,4 @@ -acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 9 Benchmark Date: 26 Jan 20233.4.0.342221.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. +acceptedRed Hat Enterprise Linux 8 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 13 Benchmark Date: 24 Jan 20243.4.1.229161.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>
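Review bot: narrowing `**/roles/*` to `roles/*` in the `.gitignore` hunk un-ignores every nested `roles/` directory, which this PR needs for the tracked `collections/ansible_collections/demo/compliance/roles/` content, but it also means roles that `ansible-galaxy` installs into any subdirectory would now show up as untracked and could be committed by accident; consider ignoring the specific install paths instead, keeping the `!roles/requirements.yml` exception as done here.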
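Review bot: the `exclude: rhel[89]STIG/.*$` added to `end-of-file-fixer`, `trailing-whitespace` and `black` in the `.pre-commit-config.yaml` hunks has no explanation; add a YAML comment stating that these role trees are generated content and must not be reformatted, and note that `check-yaml` still runs on them so their YAML has to stay parseable. Excluding `black` here is what keeps the single-quote rewrite of `stig_xml.py` later in this PR from being reverted by the hook, so the two changes belong together in the commit message.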
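Review bot: deleting `CHANGELOG.md` together with the whole `## Release Process` section of `CONTRIBUTING.md` leaves the repository with no documented way to cut a release, and the removed text states that a GitHub Action parses `CHANGELOG.md` to publish releases; that workflow (not in this diff) needs to be removed or changed in the same PR, and `CONTRIBUTING.md` should at least say how releases and version tags are now produced.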
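Review bot: after `controller_components:` is dropped from the `setup.yml` example in the `CONTRIBUTING.md` hunk, the unchanged bullet `- Add variables for each component listed` no longer refers to anything; reword it to match the new sentence, for example `- Add the variables for each infra.controller_configuration role you use`.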
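Review bot: the task added to `cloud/aws_key.yml` is named `Set VPC stats` but only exports `stat_aws_key_pair`; rename it to `Set key pair stats` so the job output and the `Display EC2 Stats` node are not misleading.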
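Review bot: in `cloud/display-ec2-stats.yml` the `debug` loop prints `VARIABLE IS NOT DEFINED!` and keeps going when a stat was never exported, so the node cannot catch a missing `stat_aws_vpc_id` or `stat_aws_subnet_id` before `VPC Report` runs; if that is the intent, an `ansible.builtin.assert` over the same list (`that: "{{ item }} is defined"`) would fail the node instead. Also, the file name uses hyphens while the sibling playbooks (`aws_key.yml`, `create_vpc.yml`, `snapshot_ec2.yml`, `restore_ec2.yml`) use underscores.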
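Review bot: the new `Ansible Cloud AWS Demos` project in `cloud/setup.yml` pulls `https://github.com/ansible-cloud/aws_demos.git` with no `scm_branch`, so the `VPC Report` template now tracks that repository's default branch; pin a branch or tag so the demo does not break when `playbooks/cloud_report.yml` changes upstream.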
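Review bot: the `Cloud / AWS / VPC Report` template in the `@@ -140,168 +147,34 @@` hunk keeps its old `notification_templates_*`, `extra_vars`, `survey_enabled` and `survey` as commented-out YAML; commented configuration is neither validated nor applied and will drift, so delete it or add one comment explaining why it is parked until `cloud_report.yml` supports a region survey. Note also that this hunk drops the `Telemetry` notifications from `VPC Report` while every other template keeps them.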
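Review bot: the `@@ -332,13 +205,13 @@`, `@@ -350,34 +223,26 @@` and `@@ -402,36 +267,17 @@` hunks read as renames (`Create Keypair` to `Snapshot EC2`, `Snapshot EC2` to `Restore EC2`, `Restore EC2` to `Display EC2 Stats`) but are really the deletion of `Cloud / AWS / Create Keypair` and the addition of `Cloud / AWS / Display EC2 Stats`; a short sentence in the PR description saying so would save reviewers from checking each survey line by line.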
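Review bot: the `Create Keypair` and `Create VPC` workflow nodes in the `@@ -503,19 +349,24 @@` hunk still point at `unified_job_template: Cloud / AWS / Create Keypair` and `Cloud / AWS / Create VPC`, but the `controller_templates` hunks above remove both templates from this file; unless they are now defined elsewhere, importing this workflow will fail on an unknown unified job template. Separately, `EC2 Stats` has `all_parents_must_converge: true` and is reached only via `success_nodes`, so a failure of either parent skips both it and `VPC Report`; if the report should still run after a partial failure, link `VPC Report` from the failure path too.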
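Review bot: the `Ticket - VPC Failed` node is deleted in the `@@ -570,10 +421,6 @@` hunk and re-added verbatim after `Tag Report` in the `@@ -584,6 +431,10 @@` hunk; if this is only a reorder, say so in the commit message, since node order in the list has no effect on the workflow graph and the move otherwise looks like an accidental change.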
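Review bot: commenting out `stigrule_215823_disable_identd` in the iosxeSTIG hunk leaves dead YAML and a duplicated `# R-215823 CISC-ND-000470` header; either delete the task or add a one-line comment explaining why it is disabled so the next person does not re-enable it.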
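Review bot: the `stigrule_215837_host` replacement uses the short name `ios_config:` while the NTP hunk below uses the FQCN `cisco.ios.ios_config:`; use the FQCN in both. More importantly, IOS-XE typically stores this setting in the running config as `logging host <addr>`, so the pushed line `logging {{ ... }}` will not get an exact match and `ios_config` reports changed on every run; use `logging host {{ iosxeSTIG_stigrule_215837_host_Name }}`, or, if the execution environment's `cisco.ios` has it, the `cisco.ios.ios_logging_global` resource module, which keeps idempotent state handling.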
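Review bot: the two `ntp server` tasks now push lines with `cisco.ios.ios_config`, which is additive: if `iosxeSTIG_stigrule_215838_ntp_server_1_Server` is later changed, the old server line stays on the device and the new one is added beside it, so the role can no longer converge a device to exactly the two configured servers; `cisco.ios.ios_ntp_global` with a `state` of `merged` or `replaced` would, or at least document the limitation next to the existing `# Replace ntp servers' IP address before enabling.` comment.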
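Review bot: the `stig_xml.py` hunks revert black's formatting (double to single quotes, wrapped calls re-joined) with no behaviour change, which only makes sense together with the new `black` exclude in `.pre-commit-config.yaml`; state that in the commit message. While these lines are being touched: the two regex literals in `_get_rev` and `v2_runner_on_ok` are non-raw strings containing `\d`, which newer Python reports as a SyntaxWarning for an invalid escape sequence, so make them raw strings; `'.xml' in files[0]` in `_get_STIG_path` raises `IndexError` on a directory with no files, so guard with `files and '.xml' in files[0]`; and `!= False` should be `is not False`. The removed blank line between the imports and `class CallbackModule` also drops PEP 8's two blank lines before a top-level class.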
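Review bot: the rhel8STIG `defaults/main.yml` hunks remove the 230349 and 230396 variables and add 256974, but the surviving comment `# R-230398 RHEL-08-030090 # A duplicate of 230396` (repeated twice) now points at a removed rule and should be updated or deleted; and since `tasks/main.yml` is not in this diff, confirm that the 230349 and 230396 tasks are removed (otherwise they fail on undefined `rhel8STIG_stigrule_230349_Manage` / `rhel8STIG_stigrule_230396_Manage`) and that a task consuming `rhel8STIG_stigrule_256974_mailx_State` is added.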
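Review bot: the XCCDF rename from `U_RHEL_8_STIG_V1R9_Manual-xccdf.xml` to `U_RHEL_8_STIG_V1R13_Manual-xccdf.xml` matters for the callback, because `_get_STIG_path` in `stig_xml.py` takes `files[0]` from the first `files/` directory it finds; make sure only this one XCCDF file remains there, and record in the role README which benchmark release (Release 13, 24 Jan 2024) the rule set now tracks, since the new XCCDF also drops several profiles (Mission Critical Public, Mission Support Classified and Sensitive, Administrative Public) that the old one listed.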