Compare 2cb5730 to f71b78e
| - import_playbook: 'repo_remi.yml' | ||
| - import_playbook: 'repo_rpmfusion.yml' | ||
| - import_playbook: 'repo_sury.yml' | ||
| - import_playbook: 'rl9_cis.yml |
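Review bot: the last line, `- import_playbook: 'rl9_cis.yml`, is missing its closing quote, so the import list will not parse as YAML; the suggestion below adds it. If the playbook is renamed (the review asks for `aide`), move the entry as well so the imports stay in alphabetical order.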
| - import_playbook: 'rl9_cis.yml | |
| - import_playbook: 'rl9_cis.yml' |
| @@ -0,0 +1,22 @@ | |||
| - name: 'Playbook linuxfabrik.lfops.rl9_cis' | |||
I would like to call the playbook for CIS differently (stig_cis_rocky9_v2_0_0), see https://github.com/Linuxfabrik/lfops/pull/206/changes#diff-dc630449c0998eae820ac4f10fb3ca9214dcd5a27f290ec074c2fe1f777559b8.
For now, rename this playbook to aide please. Every role should have its own playbook.
| - 'always' | ||
|
|
||
|
|
||
| roles: |
Please include a newline after roles (same as the other playbooks do):
| roles: | |
| roles: | |
|
|
||
| - name: 'Deploy /etc/systemd/system/acme-sh.service' | ||
| ansible.builtin.template: | ||
| backup: true |
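Review bot: this hunk changes the `acme-sh` systemd unit task (`backup: true`), which has nothing to do with the aide role this PR introduces; drop it here and submit it on its own so the change stays reviewable and attributable.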
Unrelated changes, undo these.
| @@ -0,0 +1,10 @@ | |||
| aide__check_time_on_calendar: '05:00:00' #5 AM | |||
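Review bot: the inline comment `#5 AM` has no space after `#` and only one space before it, both of which yamllint's `comments` rule reports, and it explains the value to the user rather than to a developer; drop it and keep the explanation in the README row for `aide__check_time_on_calendar`, which already links systemd.time(7).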
Generally, don't add comments that are "user documentation" in the defaults file; comments for the developer are fine. These comments should be contained in the README (either in the table or in the examples section).
| # Linuxfabrik | ||
| # see https://bugzilla.redhat.com/show_bug.cgi?id=1304334 | ||
| !/opt/wildfly-22.0.1.Final/standalone/tmp | ||
| !/opt/wildfly/standalone/tmp | ||
| !/root/.cache/borg | ||
| !/root/.config/borg/security | ||
| !/var/log | ||
| !/var/spool No newline at end of file |
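Review bot: these excludes are hard-coded in the template, so a user cannot turn them off, and blanket-excluding `/var/log` and `/var/spool` means tampering with log files or cron and mail spools is never reported by a check. Move them into the `aide__exclude_rules` default with a `state` subkey so a host that wants them watched can set `absent`, and reconsider `/opt/wildfly-22.0.1.Final/standalone/tmp`, which pins one release and silently stops matching after an upgrade (the next line already covers the unversioned path). The file also lacks a trailing newline.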
These should be in the default aide__exclude_rules, so that the user can disable them. This also means that aide__exclude_rules and aide__include_rules should be combined vars, with a state subkey that determines if the rule lands in the template or not. Have a look at the CONTRIBUTING.md for examples on how to do this.
| | --- | ------------ | ---------------- | | ||
| | `aide` | Runs all tasks of the role | - | | ||
| | `aide:configure` | Deploys the `/etc/aide.conf` configuration file | - | | ||
| | `aide:install` | Installs the AIDE package and initializes the AIDE database if it does not exist yet | - | |
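Review bot: `aide:install` only initializes the database when none exists, while `aide:configure` can change the rule set; after an include or exclude rule changes, the existing database no longer matches `/etc/aide.conf`, and the next check reports every newly covered path as added until the database is rebuilt (`aide --init` and moving the new database into place). Either document that follow-up step in the `aide:configure` row or have the role do it when the template changes.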
| # set in defaults/main.yml | ||
| # custom include rules | ||
| {% for rule in aide__include_rules %} | ||
| {{ rule }} |
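Review bot: `{{ rule }}` emits each list item verbatim, which only works while the items are plain `'path GROUP'` strings; once include and exclude rules become dicts with `state` (and `path`/`attributes`) subkeys, the loop needs a guard like `{% if rule.state | default('present') == 'present' %}` and must render the subkeys and any `!` or `=` prefix explicitly, otherwise Jinja writes the dict's Python representation into aide.conf. The `# set in defaults/main.yml` comment is also wrong once group or host vars can override the list.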
Should we use more specific subkeys instead of just rule, e.g. path and attributes? How would we handle the =?
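One way to model the combined variable and the `=` handling that the two comments above ask about, as an added example that is not the lfops role's code: rules are dicts with `path`, `attributes`, `exclude`, `exact` and `state` subkeys (names assumed here), later layers override role defaults per path, and `state: absent` drops a rule before the template sees it. The sample rules and function names are constructed for this example.

```python
"""Combined include/exclude rule list for an AIDE config template.

Added example, not code from the lfops aide role. Rules are dicts with
explicit subkeys instead of bare 'path GROUP' strings, a `state` subkey
lets a host drop a role default, and AIDE's '!' and '=' prefixes are
emitted from boolean subkeys instead of being parsed out of the path.
The subkey names and all sample rules are assumptions for this example.
"""

from collections import OrderedDict

# Constructed role defaults, mirroring the hard-coded excludes in the PR's
# template so a host can switch them off instead of editing the template.
ROLE_DEFAULT_RULES = [
    {"path": "/var/log", "exclude": True},
    {"path": "/var/spool", "exclude": True},
    {"path": "/root/.cache/borg", "exclude": True},
]


def combine_rules(*layers):
    """Merge rule lists layer by layer (role defaults, then group vars, then
    host vars). A later entry for the same path is merged over the earlier
    one, so {"path": "/var/log", "state": "absent"} in host vars removes the
    role default without restating its other subkeys."""
    merged = OrderedDict()
    for layer in layers:
        for rule in layer:
            merged[rule["path"]] = {**merged.get(rule["path"], {}), **rule}
    return list(merged.values())


def render_rule(rule):
    """Return the aide.conf line for one rule, or None if state is 'absent'."""
    if rule.get("state", "present") != "present":
        return None
    path = rule["path"]
    if rule.get("exclude", False):
        # Negative rule: paths starting with this prefix are not checked.
        return "!" + path
    # AIDE's '=' prefix limits a rule to the named path rather than the whole
    # subtree below it (my reading of aide.conf(5)); a boolean subkey keeps
    # that decision out of the path string, so the template never parses it.
    prefix = "=" if rule.get("exact", False) else ""
    return f"{prefix}{path} {rule['attributes']}"


def render_config(rules):
    """Lines to write into aide.conf, in the order the rules were defined."""
    return [line for line in map(render_rule, rules) if line is not None]


if __name__ == "__main__":
    host_rules = [
        {"path": "/var/log", "state": "absent"},  # keep logs under watch here
        {"path": "/srv", "attributes": "CONTENT_EX"},
        {"path": "/tmp", "attributes": "DIR", "exact": True},
    ]
    print("\n".join(render_config(combine_rules(ROLE_DEFAULT_RULES, host_rules))))
```

In a Jinja2 template the same filtering is `{% for rule in <combined var> %}{% if rule.state | default('present') == 'present' %}...{% endif %}{% endfor %}`; the naming of the combined variable follows whatever CONTRIBUTING.md prescribes, which is not shown on this page.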
| | `aide__check_time_on_calendar` | Specifies at what time of the day the aide check runs. Have a look at [systemd.time(7)](https://www.freedesktop.org/software/systemd/man/systemd.time.html) for the format. | `'05:00:00'` | | ||
| | `aide__include_rules` | List of paths to monitor with their AIDE rule group. | `['/srv CONTENT_EX', '/opt/venv CONTENT']` | | ||
| | `aide__exclude_rules` | List of paths to exclude from monitoring. | `['/srv/app/tmp', '/srv/app/cache']` | |
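Review bot: the rows are not sorted (`aide__exclude_rules` belongs before `aide__include_rules`), and the `aide__check_time_on_calendar` description should say that a bare time such as `'05:00:00'` is a systemd calendar event that fires every day; the default column also has to be kept in sync with `defaults/main.yml`, which the excerpt below shows with the same example paths.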
Please sort them alphabetically.
| aide__include_rules: | ||
| - '/srv CONTENT_EX' # Extended content + file type + access. | ||
| - '/opt/venv CONTENT' # Content + file type. | ||
|
|
||
| aide__exclude_rules: | ||
| - '/srv/app/tmp' | ||
| - '/srv/app/cache' |
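Review bot: `/srv CONTENT_EX`, `/opt/venv CONTENT`, `/srv/app/tmp` and `/srv/app/cache` read like one deployment's paths rather than defaults every host should get; either ship empty lists and keep these as README examples, or document why they are the defaults. The trailing comments (`# Extended content + file type + access.`) are user documentation too and belong in the README, per the earlier comment on the defaults file.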
Where do these default values come from?
Also don't forget to update the CHANGELOG.md.
I would suggest not to merge it but to collect all remediations and then squash the commit while merging.