Merge pull request #6 from ansible-lockdown/georgenalen

Initial Release

.github/workflows/communitytodevel.yml

@@ -0,0 +1,102 @@
+# This is a basic workflow to help you get started with Actions
+
+name: CommunityToDevel
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+  pull_request:
+    branches: [ devel ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v2
+
+      # Refactr pipeline for devel pull request/merge
+      - name: Refactr - Run RHEL 7 Pipeline (to devel)
+       # You may pin to the exact commit or the version.
+        # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+        uses: refactr/[email protected]
+        with:
+          # API token
+          api_token: '${{ secrets.REFACTR_KEY }}'
+          # Project ID
+          project_id: 5f47f0c4a13c7b18373e5556
+          # Job ID
+          job_id: 5f933cbcf9c74e86b1609c00
+          # Variables
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/TOMCAT-9-STIG.git", "image": "ami-098f55b4287a885ba", "githubBranch": "${{ github.head_ref }}", "username": "centos" }'
+          # Refactr API base URL
+          api_url: # optional
+
+      - name: Refactr - Run RHEL 8 Pipeline (to devel)
+       # You may pin to the exact commit or the version.
+        # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+        uses: refactr/[email protected]
+        with:
+          # API token
+          api_token: '${{ secrets.REFACTR_KEY }}'
+          # Project ID
+          project_id: 5f47f0c4a13c7b18373e5556
+          # Job ID
+          job_id: 5f933cbcf9c74e86b1609c00
+          # Variables
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/TOMCAT-9-STIG.git", "image": "ami-0ac4afbf945e5d64f", "githubBranch": "${{ github.head_ref }}", "username": "centos" }'
+          # Refactr API base URL
+          api_url: # optional
+
+      - name: Refactr - Run Ubuntu 16 Pipeline (to devel)
+       # You may pin to the exact commit or the version.
+        # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+        uses: refactr/[email protected]
+        with:
+          # API token
+          api_token: '${{ secrets.REFACTR_KEY }}'
+          # Project ID
+          project_id: 5f47f0c4a13c7b18373e5556
+          # Job ID
+          job_id: 5f933cbcf9c74e86b1609c00
+          # Variables
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/TOMCAT-9-STIG.git", "image": "ami-0736e75ba7ca6b797", "githubBranch": "${{ github.head_ref }}", "username": "ubuntu" }'
+          # Refactr API base URL
+          api_url: # optional
+
+      - name: Refactr - Run Ubuntu 18 Pipeline (to devel)
+       # You may pin to the exact commit or the version.
+        # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+        uses: refactr/[email protected]
+        with:
+          # API token
+          api_token: '${{ secrets.REFACTR_KEY }}'
+          # Project ID
+          project_id: 5f47f0c4a13c7b18373e5556
+          # Job ID
+          job_id: 5f933cbcf9c74e86b1609c00
+          # Variables
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/TOMCAT-9-STIG.git", "image": "ami-0608f6bd6e0eec7cc", "githubBranch": "${{ github.head_ref }}", "username": "ubuntu" }'
+          # Refactr API base URL
+          api_url: # optional
+
+      - name: Refactr - Run Ubuntu 20 Pipeline (to devel)
+       # You may pin to the exact commit or the version.
+        # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+        uses: refactr/[email protected]
+        with:
+          # API token
+          api_token: '${{ secrets.REFACTR_KEY }}'
+          # Project ID
+          project_id: 5f47f0c4a13c7b18373e5556
+          # Job ID
+          job_id: 5f933cbcf9c74e86b1609c00
+          # Variables
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/TOMCAT-9-STIG.git", "image": "ami-0fe12c34e05228a69", "githubBranch": "${{ github.head_ref }}", "username": "ubuntu" }'
+          # Refactr API base URL
+          api_url: # optional

.github/workflows/develtomaster.yml

@@ -0,0 +1,106 @@
+# This is a basic workflow to help you get started with Actions
+
+name: DevelToMain
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+  pull_request:
+    branches: [ main ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v2
+
+      # Refactr pipeline for devel pull request/merge
+      - name: Refactr - Run RHEL 7 Pipeline (to main)
+       # You may pin to the exact commit or the version.
+        # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+        uses: refactr/[email protected]
+        with:
+          # API token
+          api_token: '${{ secrets.REFACTR_KEY }}'
+          # Project ID
+          project_id: 5f47f0c4a13c7b18373e5556
+          # Job ID
+          job_id: 5f90ad90f9c74e6d1e606e33
+          # Variables
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/TOMCAT-9-STIG.git", "image": "ami-098f55b4287a885ba", "username": "centos" }'
+          # Refactr API base URL
+          api_url: # optional
+
+      # Refactr pipeline for devel pull request/merge
+      - name: Refactr - Run RHEL 8 Pipeline (to main)
+       # You may pin to the exact commit or the version.
+        # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+        uses: refactr/[email protected]
+        with:
+          # API token
+          api_token: '${{ secrets.REFACTR_KEY }}'
+          # Project ID
+          project_id: 5f47f0c4a13c7b18373e5556
+          # Job ID
+          job_id: 5f90ad90f9c74e6d1e606e33
+          # Variables
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/TOMCAT-9-STIG.git", "image": "ami-0ac4afbf945e5d64f", "username": "centos" }'
+          # Refactr API base URL
+          api_url: # optional
+
+      # Refactr pipeline for devel pull request/merge
+      - name: Refactr - Run Ubuntu 16 Pipeline (to main)
+       # You may pin to the exact commit or the version.
+        # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+        uses: refactr/[email protected]
+        with:
+          # API token
+          api_token: '${{ secrets.REFACTR_KEY }}'
+          # Project ID
+          project_id: 5f47f0c4a13c7b18373e5556
+          # Job ID
+          job_id: 5f90ad90f9c74e6d1e606e33
+          # Variables
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/TOMCAT-9-STIG.git", "image": "ami-0736e75ba7ca6b797", "username": "ubuntu" }'
+          # Refactr API base URL
+          api_url: # optional
+
+      # Refactr pipeline for devel pull request/merge
+      - name: Refactr - Run Ubuntu 18 Pipeline (to main)
+       # You may pin to the exact commit or the version.
+        # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+        uses: refactr/[email protected]
+        with:
+          # API token
+          api_token: '${{ secrets.REFACTR_KEY }}'
+          # Project ID
+          project_id: 5f47f0c4a13c7b18373e5556
+          # Job ID
+          job_id: 5f90ad90f9c74e6d1e606e33
+          # Variables
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/TOMCAT-9-STIG.git", "image": "ami-0608f6bd6e0eec7cc", "username": "ubuntu" }'
+          # Refactr API base URL
+          api_url: # optional
+
+      # Refactr pipeline for devel pull request/merge
+      - name: Refactr - Run Ubuntu 20 Pipeline (to main)
+       # You may pin to the exact commit or the version.
+        # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+        uses: refactr/[email protected]
+        with:
+          # API token
+          api_token: '${{ secrets.REFACTR_KEY }}'
+          # Project ID
+          project_id: 5f47f0c4a13c7b18373e5556
+          # Job ID
+          job_id: 5f90ad90f9c74e6d1e606e33
+          # Variables
+          variables: '{ "gitrepo": "https://github.com/ansible-lockdown/TOMCAT-9-STIG.git", "image": "ami-0fe12c34e05228a69", "username": "ubuntu" }'
+          # Refactr API base URL
+          api_url: # optional

.gitignore

@@ -34,8 +34,11 @@ tramp
 *.swo
 rh-creds.env
 travis.env
-
-# Lockdown-specific
-benchparse/
-*xccdf.xml
-*.retry
+
+# Lockdown-specific
+benchparse/
+*xccdf.xml
+*.retry
+
+# GitHub Action/Workflow files
+.github/

LICENSE

@@ -1,21 +1,12 @@
-MIT License
-
-Copyright (c) 2020 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+*******************************************************
+* Copyright (C) 2015-2020 MindPoint Group, LLC
+*
+* Use of Lockdown Enterprise content is subject to and governed by the
+* MindPoint Group, LLC Terms and Conditions, including Appendices 1 and 2,
+* which can be found at https://www.mindpointgroup.com/legal/ .
+*
+* You may not copy and/or distribute without the express
+* permission of MindPoint Group, LLC
+*******************************************************
+
+Subject to Customer’s compliance with the terms and conditions of the Agreements [https://www.mindpointgroup.com/legal/], during the Lockdown Subscription Term (and subject to Customer’s payment of the applicable Fees), MindPoint Group hereby grants to Customer a non-exclusive, non-transferable, non-sublicenseable, non-assignable limited right to download and use the Lockdown Software in object code form (as applicable) or as automation source content exclusively for internal business purposes for Customer’s and its approved Affiliates’ own IT configuration management, deployment and orchestration of complex multi-tier workflows. The right to use the Lockdown Software is based upon and licensed for the number of unique Platforms being managed by Customer, and Customer shall be responsible for, and pay, for each such Platform being managed.  In the event Customer’s usage exceeds the number of Platforms purchased, Customer shall immediately notify MindPoint Group, and immediately pay the corresponding Fees for all additional Platforms (including any fees owed for prior use).

defaults/main.yml

@@ -36,6 +36,10 @@ tcat_privileged_context_need: false
 # This is the Variables for the tomcat home path. This is gathered from the tomcat.service config
 catalina_home_dir: "{{ catalina_find_home_dir.stdout }}"
 
+# This will allow the role to install Tomcat 9 before running the role, or just run the role against a host
+# tcat_install set to true will install Tomcat 9 before running, set to false will skip installing tasks
+tcat_install: true
+
 # CAT1 Rules
 TCAT_AS_000060: true
 TCAT_AS_000630: true
@@ -160,6 +164,49 @@ TCAT_AS_001710: true
 TCAT_AS_001720: true
 TCAT_AS_001730: true
 
+# Install Tomcat Variables
+# Below are the variables needed to install Tomcat via automation
+# Java is required for Tomcat 
+java_version: 'jdk-11.0.5+10'
+java_install_dir: '/opt/java'
+# Java home path for RedHat systmes. The task that sets this has an automated toggle for RedHat vs Ubuntu
+# this is only used when RedHat based systems are detected
+tomcat_java_home_rh: "/usr/lib/jvm/jre"
+#Java home path for Ubuntu systems. The task that sets this has an automated toggle for RedHat vs Ubuntu
+# This is only used when Ubuntu systems are detected
+tomcat_java_home_ub: "/usr/lib/jvm/java-8-openjdk-amd64/jre"
+
+tomcat_redis_filename: apache-tomcat-9.0.40.tar.gz
+tomcat_user: tomcat
+tomcat_group: tomcat
+
+tomcat_archive_name: "apache-tomcat-9.0.40"
+tomcat_archive_name_ext: ".tar.gz"
+tomcat_archive_url: "https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.40/bin/"
+tomcat_home_path: "/opt/tomcat"
+tomcat_archive_install_path: "{{tomcat_home_path}}/{{tomcat_archive_name}}"
+tomcat_install_link: "{{tomcat_home_path}}/current"
+tomcat_roles:
+  - manager-gui
+  - manager-script
+  - manager-jmx
+  - manager-status
+tomcat_users: []
+
+# System variables not related to installing Tomcat 
+# Directory to store files downloaded for Java installation on the remote box
+tomcat_download_dir: "{{ x_ansible_download_dir | default(ansible_env.HOME + '/.ansible/tmp/downloads') }}"
+
+# Location Tomcat installations packages can be found on the local box
+# local packages will be uses in preference to downloading new packages.
+tomcat_local_archive_dir: '{{ playbook_dir }}/files'
+
+# Wether to use installation packages in the local archive (if available)
+tomcat_use_local_archive: false
+
+# # File name for the Tomcat redistributable installation file
+# tomcat_redis_filename: apache-tomcat-8.5.54.tar.gz
+
 # CAT1 Variables
 
 # TCAT-AS-000060/TCAT-AS-000720

tasks/fix-cat2.yml

@@ -2,9 +2,25 @@
 - name: |
         "MEDIUM | TCAT-AS-001470 | PATCH | Tomcat server must be patched for security vulnerabilities."
         "MEDIUM | TCAT-AS-001550 | PATCH | Tomcat server must be patched for security vulnerabilities."
-  yum:
-      name: tomcat
-      state: present
+  block:
+      - name: |
+              "MEDIUM | TCAT-AS-001470 | PATCH | Tomcat server must be patched for security vulnerabilities. | Find Tomcat version"
+              "MEDIUM | TCAT-AS-001550 | PATCH | Tomcat server must be patched for security vulnerabilities. | Find Tomcat version"
+        shell: cat {{ catalina_home_dir }}/RELEASE-NOTES | grep "Aapche Tomcat Version" | sed 's/^[ \t]*//;s/[ \t]*$//'
+        # shell: "grep "Apache Tomcat Version" {{ catalina_home_dir }}/RELEASE-NOTES | sed 's/^[ \t]*//;s/[ \t]*$//"
+        changed_when: false
+        failed_when: false
+        register: tcat_001470_tomcat_version
+
+      - name: |
+              "MEDIUM | TCAT-AS-001470 | PATCH | Tomcat server must be patched for security vulnerabilities. | Alert Tomcat version"
+              "MEDIUM | TCAT-AS-001550 | PATCH | Tomcat server must be patched for security vulnerabilities. | Alert Tomcat version"
+        debug:
+            msg:
+                - "Alert!! Below is the currnetly installed version of Tomcat."
+                - "Please review to confirm this is the most currnet available"
+                - "{{ tcat_001470_tomcat_version.stdout }}"
+
   when:
       - tcat_automate_package_upgrades
       - TCAT_AS_001470
@@ -285,7 +301,7 @@
         "MEDIUM | TCAT-AS-000220 | PATCH | AccessLogValve must be configured per each virtual host."
         "MEDIUM | TCAT-AS-000230 | PATCH | AccessLogValve must be configured for Catalina engine."
         "MEDIUM | TCAT-AS-000280 | PATCH | AccessLogValve must be configured for each application context."
-        "MEDIUM | TCAT-AS-000290 | PATCH | AccessLogValve must be configured per each virtual host.
+        "MEDIUM | TCAT-AS-000290 | PATCH | AccessLogValve must be configured per each virtual host."
         "MEDIUM | TCAT-AS-000300 | PATCH | AccessLogValve must be configured for Catalina engine."
         "MEDIUM | TCAT-AS-000310 | PATCH | AccessLogValve must be configured for Catalina engine."
         "MEDIUM | TCAT-AS-001570 | PATCH | AccessLogValve must be configured for Catalina engine."
@@ -699,7 +715,7 @@
             xpath: /Context
             attribute: privileged
             value: "false"
-        when: not tcat_privilaged_context_need
+        when: not tcat_privileged_context_need
 
       - name: "MEDIUM | TCAT-AS-000590 | PATCH | Applications in privileged mode must be approved by the ISSO. | Set privileged in webapps"
         xml:
@@ -708,7 +724,7 @@
             attribute: privileged
             value: "false"
             pretty_print: yes
-        when: not tcat_privilaged_context_need
+        when: not tcat_privileged_context_need
         with_items:
             - "{{ tcat_000590_webapps_contextxml.files }}"
   when: