Merge pull request #70 from anthcourtney/build

changes for v1.1.8

.gitignore

@@ -1,7 +1,8 @@
 **/*.retry
 **/*.swp
 **/*.vagrant
-*.output
+**/*.pyc
+**/*.output
 tests/tmp
 tests/roles
 .idea

.travis.yml

@@ -4,7 +4,7 @@ branches:
   only:
     - master
     - build
-    
+
 group: stable
 dist: amazonlinux
 
@@ -34,10 +34,13 @@ env:
 # Make sure we have the latest package list and OS
 before_install:
   - sudo apt update
-  
+
 install:
   # Install ansible and ansible-review
-  - pip install ansible==$ANSIBLE_INSTALL_VERSION ansible-review
+  - pip install ansible==$ANSIBLE_INSTALL_VERSION \
+    ansible-review \
+    yamllint \
+    git+https://github.com/ansible/ansible-lint.git
 
   # Check ansible version
   - ansible --version

Makefile

@@ -2,32 +2,32 @@ ANSIBLE_TEST_PLAYBOOK_FILE = playbook.yml
 ANSIBLE_CONTAINER_PLAYBOOK_FILE = container.yml
 
 symlink-role:
-	@mkdir -p tests/roles 
+	@mkdir -p tests/roles
 	@rsync -a . tests/roles/ansible-role-cis-amazon-linux --exclude 'tests/' --exclude '.git'
 
 test: symlink-role syntax test-ansible
 
 test-ansible-2.5:
 	cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.5.9"
 
-test-ansible-2.6:
+test-ansible-2.6.5:
 	cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.6.5"
 
 test-ansible-2.7:
 	cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.7"
-	
+
 test-ansible-travis:
 	cd tests && ansible-playbook -i localhost, $(ANSIBLE_TEST_PLAYBOOK_FILE)
 
 test-ansible-2.3.3:
 	cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.3.3"
-	
-test-ansible-2.4.5:
-	cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.4.5"
-	
-test-ansible-2.5.5:
-	cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.5.5"
-	
+
+test-ansible-2.4.6:
+	cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.4.6"
+
+test-ansible-2.5.9:
+	cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.5.9"
+
 test-ansible-2.6:
 	cd tests && ansible-playbook -i localhost, $(ANSIBLE_CONTAINER_PLAYBOOK_FILE) --e "test_ansible_version=2.6"
 
@@ -40,3 +40,7 @@ review:
 	git ls-files meta/ | xargs ansible-review -c tests/ansible-review/config.ini
 	git ls-files vars/ | xargs ansible-review -c tests/ansible-review/config.ini
 	git ls-files tasks/ | xargs ansible-review -c tests/ansible-review/config.ini
+
+lint:
+	ansible-lint -x 204 tests/$(ANSIBLE_TEST_PLAYBOOK_FILE) # Ignore Rule 204: Lines should be no longer than 160 chars
+	yamllint -c tests/yamllint.yaml tasks/

README.md

@@ -189,6 +189,9 @@ The following tests have been flagged but are not yet implemented:
 
 * Test application of the role against the Vagrant ```mvbcoding/awslinux``` image, using the ansible provisioner.
 
+### Lint
+ Please run ```make lint``` to make sure we are following ansible standards.
+
 License
 -------
 

facts/all_mounts.py

@@ -0,0 +1,75 @@
+#!/usr/bin/python
+
+##
+# all_mounts.fact
+# This is a custom fact that will gather all
+# mounts into a fact, ansible_mounts will only
+# get mounts that are tied to a physical device
+# that will leave out many mounts
+##
+
+import os
+import json
+
+##
+# get_file_content
+# gets the content of a file
+# path - the path to the file
+# default - the default return
+# strip - strip out whitespace
+##
+def get_file_content(path, default=None, strip=True):
+    data = default
+    if os.path.exists(path) and os.access(path, os.R_OK):
+        try:
+            try:
+                datafile = open(path)
+                data = datafile.read()
+                if strip:
+                    data = data.strip()
+                if len(data) == 0:
+                    data = default
+            finally:
+                datafile.close()
+        except:
+            pass
+    return data
+
+##
+# get_mtab_entries
+# gets the mtab entries to use
+##
+def get_mtab_entries():
+
+    mtab_file = '/etc/mtab'
+    if not os.path.exists(mtab_file):
+        mtab_file = '/proc/mounts'
+
+    mtab = get_file_content(mtab_file, '')
+    mtab_entries = []
+    for line in mtab.splitlines():
+        fields = line.split()
+        if len(fields) < 4:
+            continue
+        mtab_entries.append(fields)
+    return mtab_entries
+
+## Main ##
+
+mtab_entries = get_mtab_entries()
+
+mounts = []
+
+for fields in mtab_entries:
+    device, mount, fstype, options = fields[0], fields[1], fields[2], fields[3]
+
+    mount_info = {
+        'mount': mount,
+        'device': device,
+        'fstype': fstype,
+        'options': options
+    }
+
+    mounts.append(mount_info)
+
+print json.dumps(mounts)

meta/main.yml

@@ -15,5 +15,5 @@ galaxy_info:
     - "2017.09"
     - "2017.12"
     - Candidate
-  galaxy_tags: ['CIS','Linux','Amazon','hardening','benchmark','PCIDSS','compliance']
+  galaxy_tags: ['CIS', 'Linux', 'Amazon', 'hardening', 'benchmark', 'PCIDSS', 'compliance']
 dependencies: []

tasks/level-1/1.1.1.1.yml

@@ -35,4 +35,3 @@
     - section-1
     - "1.1.1.1"
     - scored
-

tasks/level-1/1.1.1.2.yml

@@ -35,4 +35,3 @@
     - section-1
     - "1.1.1.2"
     - scored
-

tasks/level-1/1.1.1.5.yml

@@ -35,4 +35,3 @@
     - section-1
     - "1.1.1.5"
     - scored
-

tasks/level-1/1.1.1.6.yml

@@ -35,4 +35,3 @@
     - section-1
     - "1.1.1.6"
     - scored
-

tasks/level-1/1.1.1.7.yml

@@ -35,4 +35,3 @@
     - section-1
     - "1.1.1.7"
     - scored
-

tasks/level-1/1.1.11.yml

@@ -7,12 +7,14 @@
   mount:
     name: "{{ item.mountpoint }}"
     state: present
-    fstype: "{{item.fstype}}"
-    src: "{{item.device}}"
+    fstype: "{{ item.fstype }}"
+    src: "{{ item.device }}"
   with_items:
-    - { mountpoint: "{{cis_partition_mnt_val_log}}", device: "{{cis_partition_dev_val_log}}", fstype: "{{cis_partition_fs_val_log}}" }
+    - {mountpoint: "{{ cis_partition_mnt_val_log }}",
+       device: "{{ cis_partition_dev_val_log }}",
+       fstype: "{{ cis_partition_fs_val_log }}"}
   tags:
-      - level-1
-      - section-1
-      - "1.1.11"
-      - scored
+    - level-1
+    - section-1
+    - "1.1.11"
+    - scored

tasks/level-1/1.1.13.yml

@@ -7,12 +7,14 @@
   mount:
     name: "{{ item.mountpoint }}"
     state: present
-    fstype: "{{item.fstype}}"
-    src: "{{item.device}}"
+    fstype: "{{ item.fstype }}"
+    src: "{{ item.device }}"
   with_items:
-    - { mountpoint: "{{cis_partition_mnt_home}}", device: "{{cis_partition_dev_home}}", fstype: "{{cis_partition_fs_home}}" }
+    - {mountpoint: "{{ cis_partition_mnt_home }}",
+       device: "{{ cis_partition_dev_home }}",
+       fstype: "{{ cis_partition_fs_home }}"}
   tags:
-      - level-1
-      - section-1
-      - "1.1.11"
-      - scored
+    - level-1
+    - section-1
+    - "1.1.11"
+    - scored

tasks/level-1/1.1.15.yml

@@ -3,6 +3,13 @@
 
 # 1.1.15 Ensure nodev option set on /dev/shm partition
 
+- include: all_mounts_facts.yml
+  tags:
+    - level-1
+    - section-1
+    - "1.1.15"
+    - scored
+
 - name: 1.1.15 - Ensure nodev option set on /dev/shm partition
   mount:
     name: "{{ item.mount }}"
@@ -11,7 +18,7 @@
     src: "{{ item.device }}"
     opts: "{{ item.options.split(',') | union(['nodev']) | join(',') }}"
   when: item.mount == '/dev/shm'
-  with_items: "{{ ansible_mounts }}"
+  with_items: "{{ all_mounts.stdout | default('{}') | from_json }}"
   tags:
     - level-1
     - section-1

tasks/level-1/1.1.16.yml

@@ -3,6 +3,13 @@
 
 # 1.1.16 Ensure nosuid option set on /dev/shm partition
 
+- include: all_mounts_facts.yml
+  tags:
+    - level-1
+    - section-1
+    - "1.1.16"
+    - scored
+
 - name: 1.1.16 - Ensure nosuid option set on /dev/shm partition
   mount:
     name: "{{ item.mount }}"
@@ -11,7 +18,7 @@
     src: "{{ item.device }}"
     opts: "{{ item.options.split(',') | union(['nosuid']) | join(',') }}"
   when: item.mount == '/dev/shm'
-  with_items: "{{ ansible_mounts }}"
+  with_items: "{{ all_mounts.stdout | default('{}') | from_json }}"
   tags:
     - level-1
     - section-1

tasks/level-1/1.1.17.yml

@@ -3,6 +3,13 @@
 
 # 1.1.17 Ensure noexec option set on /dev/shm partition
 
+- include: all_mounts_facts.yml
+  tags:
+    - level-1
+    - section-1
+    - "1.1.17"
+    - scored
+
 - name: 1.1.17 - Ensure noexec option set on /dev/shm partition
   mount:
     name: "{{ item.mount }}"
@@ -11,10 +18,9 @@
     src: "{{ item.device }}"
     opts: "{{ item.options.split(',') | union(['noexec']) | join(',') }}"
   when: item.mount == '/dev/shm'
-  with_items: "{{ ansible_mounts }}"
+  with_items: "{{ all_mounts.stdout | default('{}') | from_json }}"
   tags:
     - level-1
     - section-1
     - "1.1.17"
     - scored
-

tasks/level-1/1.2.2.yml

@@ -11,4 +11,3 @@
     - level-1
     - "1.2.2"
     - scored
-

tasks/level-1/1.3.1.yml

@@ -35,4 +35,3 @@
     - section-1
     - "1.3.1"
     - scored
-

tasks/level-1/1.4.2.yml

@@ -32,4 +32,3 @@
     - level-1
     - "1.4.2"
     - scored
-

tasks/level-1/1.4.3.yml

@@ -32,4 +32,3 @@
     - level-1
     - "1.4.3"
     - scored
-

tasks/level-1/1.5.1.yml

@@ -45,4 +45,3 @@
     - level-1
     - "1.5.1"
     - scored
-

tasks/level-1/1.5.2.yml

@@ -35,4 +35,3 @@
     - level-1
     - "1.5.2"
     - not-scored
-

tasks/level-1/2.2.15.yml

@@ -33,4 +33,3 @@
     - level-1
     - "2.2.15"
     - scored
-

tasks/level-1/3.5.2.yml

@@ -35,4 +35,3 @@
     - section-3
     - "3.5.2"
     - not-scored
-

tasks/level-1/4.2.1.5.yml

@@ -35,4 +35,3 @@
     - section-4
     - "4.2.1.5"
     - scored
-