update of audit components

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
ansible-lockdown · Jun 13, 2024 · 0c79715 · 0c79715
1 parent 28aeb76
commit 0c79715
Show file tree

Hide file tree

Showing 8 changed files with 100 additions and 83 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -29,23 +29,30 @@ benchmark_version: v4.0.0
 ## Level are used heavily in audit
 rhel7cis_level_1: true
 rhel7cis_level_2: true
-##########################################
+###
+### Settings for associated Audit role using Goss
+###
+
+###########################################
 ### Goss is required on the remote host ###
-## Refer to vars/auditd.yml for any other settings ##
+### vars/auditd.yml for other settings  ###
 
 # Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
 setup_audit: false
 
 # enable audits to run - this runs the audit and get the latest content
 run_audit: false
+# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
+audit_run_heavy_tests: true
 
-# Only run Audit do not remediate
+## Only run Audit do not remediate
 audit_only: false
-# As part of audit_only
-# This will enable files to be copied back to control node
+### As part of audit_only ###
+# This will enable files to be copied back to control node in audit_only mode
 fetch_audit_files: false
-# Path to copy the files to will create dir structure
+# Path to copy the files to will create dir structure in audit_only mode
 audit_capture_files_dir: /some/location to copy to on control node
+#############################
 
 # How to retrieve audit binary
 # Options are copy or download - detailed settings at the bottom of this file
@@ -58,19 +65,25 @@ get_audit_binary_method: download
 audit_bin_copy_location: /some/accessible/path
 
 # how to get audit files onto host options
-# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
+# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf
 audit_content: git
 
-# archive or copy:
-audit_conf_copy: "some path to copy from"
+# If using either archive, copy, get_url:
+## Note will work with .tar files - zip will require extra configuration
+### If using get_url this is expecting github url in tar.gz format e.g.
+### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
+audit_conf_source: "some path or url to copy from"
 
-# get_url:
-audit_files_url: "some url maybe s3?"
+# Destination for the audit content to be placed on managed node
+# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory
+audit_conf_dest: "/opt"
 
-# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
-audit_run_heavy_tests: true
+# Where the audit logs are stored
+audit_log_dir: '/opt'
+
+### Goss Settings ##
+####### END ########
 
-### End Goss enablements ####
 #### Detailed settings found at the end of this document ####
 
 # Place to find the container yml file for your environment - /vars/... This can be adjusted for your requirements.

diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml
@@ -3,32 +3,32 @@
 - name: Pre Audit Setup | Set audit package name
   block:
       - name: Pre Audit Setup | Set audit package name | 64bit
+        when: ansible_facts.machine == "x86_64"
         ansible.builtin.set_fact:
             audit_pkg_arch_name: AMD64
-        when: ansible_facts.machine == "x86_64"
 
       - name: Pre Audit Setup | Set audit package name | ARM64
+        when: ansible_facts.machine == "arm64"
         ansible.builtin.set_fact:
             audit_pkg_arch_name: ARM64
-        when: ansible_facts.machine == "arm64"
 
 - name: Pre Audit Setup | Download audit binary
+  when:
+      - get_audit_binary_method == 'download'
   ansible.builtin.get_url:
       url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}"
       dest: "{{ audit_bin }}"
       owner: root
       group: root
       checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
       mode: '0555'
-  when:
-      - get_audit_binary_method == 'download'
 
 - name: Pre Audit Setup | Copy audit binary
+  when:
+      - get_audit_binary_method == 'copy'
   ansible.builtin.copy:
       src: "{{ audit_bin_copy_location }}"
       dest: "{{ audit_bin }}"
       mode: '0555'
       owner: root
       group: root
-  when:
-      - get_audit_binary_method == 'copy'
diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml
@@ -1,28 +1,28 @@
 ---
 
 - name: Audit_Only | Create local Directories for hosts
+  when: fetch_audit_files
   ansible.builtin.file:
       mode: '0755'
       path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
       recurse: true
       state: directory
-  when: fetch_audit_files
   delegate_to: localhost
   become: false
 
 - name: Audit_only | Get audits from systems and put in group dir
+  when: fetch_audit_files
   ansible.builtin.fetch:
       dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
       flat: true
       mode: '0644'
       src: "{{ pre_audit_outfile }}"
-  when: fetch_audit_files
 
 - name: Audit_only | Show Audit Summary
   when:
       - audit_only
   ansible.builtin.debug:
-      msg: "The Audit results are: {{ pre_audit_summary }}."
+      msg: "{{ audit_results.split('\n') }}"
 
 - name: Audit_only | Stop Playbook Audit Only selected
   when:

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -90,25 +90,6 @@
   ansible.builtin.import_tasks:
       file: prelim.yml
 
-- name: Include audit specific variables
-  when:
-      - run_audit or audit_only
-      - setup_audit
-  tags:
-      - setup_audit
-      - run_audit
-  ansible.builtin.include_vars:
-      file: audit.yml
-
-- name: Include pre-remediation audit tasks
-  when:
-      - run_audit or audit_only
-      - setup_audit
-  tags:
-      - run_audit
-  ansible.builtin.import_tasks:
-      file: pre_remediation_audit.yml
-
 - name: Gather the package facts
   tags:
       - always

diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
@@ -5,10 +5,10 @@
   changed_when: true
   environment:
       AUDIT_BIN: "{{ audit_bin }}"
-      AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
+      AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
       AUDIT_FILE: goss.yml
 
-- name: Post Audit | ensure audit files readable by users
+- name: Post Audit | Ensure audit files readable by users
   ansible.builtin.file:
       path: "{{ item }}"
       mode: '0644'
@@ -21,14 +21,14 @@
   when:
       - audit_format == "json"
   block:
-      - name: capture data {{ post_audit_outfile }}
-        ansible.builtin.shell: cat {{ post_audit_outfile }}
-        register: post_audit
+      - name: Post Audit | Capture data {{ post_audit_outfile }}
+        ansible.builtin.shell: "cat {{ post_audit_outfile }}"
+        register: discovered_post_audit
         changed_when: false
 
-      - name: Capture post-audit result
+      - name: Post Audit | Capture post-audit result
         ansible.builtin.set_fact:
-            post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
+            post_audit_summary: "{{ discovered_post_audit.stdout | from_json | json_query(summary) }}"
         vars:
             summary: summary."summary-line"
 
@@ -37,10 +37,10 @@
       - audit_format == "documentation"
   block:
       - name: Post Audit | Capture data {{ post_audit_outfile }}
-        ansible.builtin.shell: tail -2 {{ post_audit_outfile }}
-        register: post_audit
+        ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
+        register: discovered_post_audit
         changed_when: false
 
       - name: Post Audit | Capture post-audit result
         ansible.builtin.set_fact:
-            post_audit_summary: "{{ post_audit.stdout_lines }}"
+            post_audit_summary: "{{ discovered_post_audit.stdout_lines }}"
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
@@ -5,7 +5,8 @@
       - setup_audit
   tags:
       - setup_audit
-  ansible.builtin.include_tasks: LE_audit_setup.yml
+  ansible.builtin.include_tasks:
+      file: LE_audit_setup.yml
 
 - name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists
   ansible.builtin.file:
@@ -32,23 +33,25 @@
   when:
       - audit_content == 'copy'
   ansible.builtin.copy:
-      src: "{{ audit_local_copy }}"
+      src: "{{ audit_conf_source }}"
       dest: "{{ audit_conf_dest }}"
       mode: preserve
 
 - name: Pre Audit Setup | Unarchive audit content files on server
   when:
-      - audit_content == 'archived'
+      - audit_content == 'archive'
   ansible.builtin.unarchive:
-      src: "{{ audit_conf_copy  }}"
-      dest: "{{ audit_conf_dir }}"
+      src: "{{ audit_conf_source }}"
+      dest: "{{ audit_conf_dest }}"
 
 - name: Pre Audit Setup | Get audit content from url
   when:
       - audit_content == 'get_url'
-  ansible.builtin.get_url:
-      url: "{{ audit_files_url }}"
-      dest: "{{ audit_conf_dir }}"
+  ansible.builtin.unarchive:
+      src: "{{ audit_conf_source }}"
+      dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
+      remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}"
+      extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}"
 
 - name: Pre Audit Setup | Check Goss is available
   when:
@@ -57,20 +60,19 @@
       - name: Pre Audit Setup | Check for goss file
         ansible.builtin.stat:
             path: "{{ audit_bin }}"
-        register: goss_available
+        register: discovered_goss_available
 
       - name: Pre Audit Setup | If audit ensure goss is available
-        when:
-            - not goss_available.stat.exists
         ansible.builtin.assert:
+            that: discovered_goss_available.stat.exists
             msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
 
 - name: Pre Audit Setup | Copy ansible default vars values to test audit
+  when:
+      - run_audit
   tags:
       - goss_template
       - run_audit
-  when:
-      - run_audit
   ansible.builtin.template:
       src: ansible_vars_goss.yml.j2
       dest: "{{ audit_vars_path }}"
@@ -81,21 +83,21 @@
   changed_when: true
   environment:
       AUDIT_BIN: "{{ audit_bin }}"
-      AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
+      AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
       AUDIT_FILE: goss.yml
 
 - name: Pre Audit | Capture audit data if json format
   when:
       - audit_format == "json"
   block:
-      - name: capture data {{ pre_audit_outfile }}
-        ansible.builtin.shell: cat {{ pre_audit_outfile }}
-        register: pre_audit
+      - name: Pre Audit | Capture data {{ pre_audit_outfile }}
+        ansible.builtin.shell: "cat {{ pre_audit_outfile }}"
+        register: discovered_pre_audit
         changed_when: false
 
       - name: Pre Audit | Capture pre-audit result
         ansible.builtin.set_fact:
-            pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
+            pre_audit_summary: "{{ discovered_pre_audit.stdout | from_json | json_query(summary) }}"
         vars:
             summary: summary."summary-line"
 
@@ -104,15 +106,16 @@
       - audit_format == "documentation"
   block:
       - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format
-        ansible.builtin.shell: tail -2 {{ pre_audit_outfile }}
-        register: pre_audit
+        ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}"
+        register: discovered_pre_audit
         changed_when: false
 
       - name: Pre Audit | Capture pre-audit result | documentation format
         ansible.builtin.set_fact:
-            pre_audit_summary: "{{ pre_audit.stdout_lines }}"
+            pre_audit_summary: "{{ discovered_pre_audit.stdout_lines }}"
 
 - name: Audit_Only | Run Audit Only
   when:
       - audit_only
-  ansible.builtin.import_tasks: audit_only.yml
+  ansible.builtin.import_tasks:
+      file: audit_only.yml
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -71,6 +71,25 @@
             grub2_path: /etc/grub2-efi.cfg
             rhel7cis_boot_path: "/boot/efi/EFI/{{ansible_facts.distribution | lower }}/"
 
+- name: Include audit specific variables
+  when:
+      - run_audit or audit_only
+      - setup_audit
+  tags:
+      - setup_audit
+      - run_audit
+  ansible.builtin.include_vars:
+      file: audit.yml
+
+- name: Include pre-remediation audit tasks
+  when:
+      - run_audit or audit_only
+      - setup_audit
+  tags:
+      - run_audit
+  ansible.builtin.import_tasks:
+      file: pre_remediation_audit.yml
+
 - name: "PRELIM | AUDIT | Ensure permissions on bootloader config are configured | Get grub config file stats"
   tags:
       - always

diff --git a/vars/audit.yml b/vars/audit.yml
@@ -1,5 +1,7 @@
 ---
 
+#### Audit Configuration Settings ####
+
 # Timeout for those cmds that take longer to run where timeout set
 audit_cmd_timeout: 120000
 
@@ -13,14 +15,12 @@ audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
 audit_git_version: "benchmark_{{ benchmark_version }}"
 
 ## Goss configuration information
-# Where the goss configs and outputs are stored
-audit_out_dir: '/opt'
-# Where the goss audit configuration will be stored
-audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit"
+# Where the goss audit configuration will be stored - NOTE benchmark-audit is expected
+audit_conf_dir: "{{ audit_conf_dest | default('/opt') }}/{{ benchmark }}-Audit"
 
 # If changed these can affect other products
-pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}"
-post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}"
+pre_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}"
+post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}"
 
 ## The following should not need changing
 
@@ -34,6 +34,7 @@ audit_format: json
 
 audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
 audit_results: |
-      The pre remediation results are: {{ pre_audit_summary }}.
-      The post remediation results are: {{ post_audit_summary }}.
-      Full breakdown can be found in {{ audit_out_dir }}
+      The audit results are: {{ pre_audit_summary }}
+      {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %}
+
+      Full breakdown can be found in {{ audit_log_dir }}