florianutz / Ubuntu1804-CIS

Ubuntu CIS Hardening Ansible Role
MIT License

ansible module update firewalld #91

Closed yarick closed 3 years ago

yarick commented 3 years ago

Ansible fails to locate the firewalld module/plugin due to the restructuring of the Ansible Modules by moving them into collections.

https://groups.google.com/g/ansible-project/c/eXsoOKEd0Mk/m/XTgbnPWbCAAJ?pli=1

aaronlippold commented 3 years ago

This PR addresses a variety of issues - in truth PR creep - which started with the ansible 2.10.x transition to collections. On inspection, we also noticed that Travis builds were having linting issues; updates to ansible-lint were causing semi-random failures. We migrated the build process over to GitHub Actions since it's free now and it was easier to get molecule stable there. The separate 'Ansible Lint' workflow could be removed as I have it stable in the molecule process. Lastly, we migrated the Playbook to point generally to the new POSIX collection in the meta area and updated the meta main file to follow the new Galaxy standards in the galaxy docs.

aaronlippold commented 3 years ago

If you would like to see the GH Actions results - not sure why they are not triggering here - you can see the passing results here: https://github.com/yarick/Ubuntu1804-CIS/actions

aaronlippold commented 3 years ago

todo #93

florianutz commented 3 years ago

can't see anything related to firewalld

aaronlippold commented 3 years ago

The issue with firewalld is addressed in the meta/main.yml. Link to the file below.

This allows ansible to resolve the module given the new collection pattern.

On Sun, Mar 7, 2021, 1:52 PM Florian Utz notifications@github.com wrote:

Closed #91 https://github.com/florianutz/Ubuntu1804-CIS/pull/91.


aaronlippold commented 3 years ago

I'm on my phone at the moment. Once I get back to my computer I will send you the links to where you needed to change the scope so that you can load the firewalld module

On Sun, Mar 7, 2021, 5:28 PM Aaron Lippold notifications@github.com wrote:

I open this issue to connect to a pull request I submitted


aaronlippold commented 3 years ago

https://github.com/yarick/Ubuntu1804-CIS/blob/879dc5d125e99fc2e455223950344d3dff912b31/meta/main.yml#L24-L25 is the specific line that addresses the posix collection (as of ansible 2.10.x) firewalld module issue, as described here: https://groups.google.com/g/ansible-project/c/eXsoOKEd0Mk/m/XTgbnPWbCAAJ?pli=1
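The collection pattern discussed in this thread, as an added illustration; it is not the contents of the PR's meta/main.yml or any file from this repository. The file layout and the sample firewalld task are assumptions.

```yaml
# Added example. File names and the sample task are assumptions,
# not copied from the pull request.
---
# requirements.yml: installs the collection on the control node with
#   ansible-galaxy collection install -r requirements.yml
collections:
  - name: ansible.posix
---
# meta/main.yml (role metadata): adds ansible.posix to the collections
# searched when a task in this role uses a short module name.
collections:
  - ansible.posix
---
# tasks, short-name form: resolves only if ansible.posix is installed
# and reachable through the role's collection search list.
- name: Allow SSH through firewalld (short module name)
  firewalld:
    service: ssh
    permanent: true
    immediate: true
    state: enabled
---
# tasks, fully qualified form: names the collection explicitly, so the
# task does not depend on the search list in meta/main.yml.
- name: Allow SSH through firewalld (fully qualified name)
  ansible.posix.firewalld:
    service: ssh
    permanent: true
    immediate: true
    state: enabled
```

Each `---` section stands for a separate file. With either form the collection still has to be installed; the fully qualified name only removes the dependency on the role's search list.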

aaronlippold commented 3 years ago

can't see anything related to firewalld

See the comments below. Does that clear up the question?

The firewalld module was moved into the postfix collection

florianutz commented 3 years ago

Hi Aaron, I will check it again. Why did you also remove my CI/CD?

florianutz commented 3 years ago

@yarick and @aaronlippold sorry for my confusion. I understand the things now. Can you tell me why you have selected the versions ansible==2.7 ansible-lint==4.2.0?

aaronlippold commented 3 years ago

These were the versions you documented in your supports on your README

aaronlippold commented 3 years ago

I also replaced the CICD given that a separate service is not required now that github actions are free for any public repos.

This seems like a more integrated solution, and it seems to be much simpler.

florianutz commented 3 years ago

Thank you for your comments. I have no experience with GitHub Actions but we should give it a try :) I will merge the change and be happy to get more contributions if there is something to improve

aaronlippold commented 3 years ago

Hi,

I am happy to do a quick zoom with you as - truth be told - the MITRE SAF will likely use your CIS hardening as a great source of community guidance along with our InSpec validation profiles.

I hope this becomes an ongoing partnership in which we can both help the community.

Have a great weekend.

Yours,

Aaron Lippold


On Sun, Mar 14, 2021 at 1:43 PM Florian Utz @.***> wrote:

Merged #91 https://github.com/florianutz/Ubuntu1804-CIS/pull/91 into master.
