diff --git a/defaults/main.yml b/defaults/main.yml
index f94e1acc..ef25b496 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -29,23 +29,30 @@ benchmark_version: v4.0.0
 ## Level are used heavily in audit
 rhel7cis_level_1: true
 rhel7cis_level_2: true
-##########################################
+###
+### Settings for associated Audit role using Goss
+###
+
+###########################################
 ### Goss is required on the remote host ###
-## Refer to vars/auditd.yml for any other settings ##
+### vars/auditd.yml for other settings ###
 # Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
 setup_audit: false
 # enable audits to run - this runs the audit and get the latest content
 run_audit: false
+# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
+audit_run_heavy_tests: true
-# Only run Audit do not remediate
+## Only run Audit do not remediate
 audit_only: false
-# As part of audit_only
-# This will enable files to be copied back to control node
+### As part of audit_only ###
+# This will enable files to be copied back to control node in audit_only mode
 fetch_audit_files: false
-# Path to copy the files to will create dir structure
+# Path to copy the files to will create dir structure in audit_only mode
 audit_capture_files_dir: /some/location to copy to on control node
+#############################
 # How to retrieve audit binary
 # Options are copy or download - detailed settings at the bottom of this file
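Review bot: The rewritten header line `+### vars/auditd.yml for other settings ###` points readers at a file this commit never touches; the audit variables live in vars/audit.yml, which is the file diffed later in this same change and the one `include_vars` loads as `file: audit.yml`, so the path reads as a typo carried over from the old comment. Suggest `### vars/audit.yml for other settings ###`. The relocated `audit_run_heavy_tests: true` also enables the heavier checks out of the box, and its comment says the same thing twice (`can have more impact ... can have greater impact`); if the default is deliberate, a single clear sentence such as `# Run heavy tests - these checks place more load on the managed node while the audit runs` documents the trade-off better.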
@@ -58,19 +65,25 @@ get_audit_binary_method: download
 audit_bin_copy_location: /some/accessible/path
 # how to get audit files onto host options
-# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
+# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf
 audit_content: git
-# archive or copy:
-audit_conf_copy: "some path to copy from"
+# If using either archive, copy, get_url:
+## Note will work with .tar files - zip will require extra configuration
+### If using get_url this is expecting github url in tar.gz format e.g.
+### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
+audit_conf_source: "some path or url to copy from"
-# get_url:
-audit_files_url: "some url maybe s3?"
+# Destination for the audit content to be placed on managed node
+# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory
+audit_conf_dest: "/opt"
-# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
-audit_run_heavy_tests: true
+# Where the audit logs are stored
+audit_log_dir: '/opt'
+
+### Goss Settings ##
+####### END ########
-### End Goss enablements ####
 #### Detailed settings found at the end of this document ####
 # Place to find the container yml file for your environment - /vars/... This can be adjusted for your requirements.
diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml
index 7ef94b4a..70674142 100644
--- a/tasks/LE_audit_setup.yml
+++ b/tasks/LE_audit_setup.yml
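Review bot: `audit_conf_dest: "/opt"` and `audit_log_dir: '/opt'` are adjacent new defaults written with two different quote styles; pick one (single quotes match the `mode: '0555'` style the task files already use) so yamllint's quoted-strings rule stays consistent. The comment block above `audit_conf_source` also leaves out the layout the `copy` and `archive` paths need: from the vars hunk later in this diff, `audit_conf_dir` is derived as `audit_conf_dest/{{ benchmark }}-Audit`, and only the `get_url` branch appends that directory name itself, so a copied or unarchived source must already contain it. Suggest adding `# copy/archive: the source must itself contain a {{ benchmark }}-Audit directory, it is placed directly under audit_conf_dest`; treat the exact layout as something to confirm against the audit content repository.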
@@ -3,16 +3,18 @@
 - name: Pre Audit Setup | Set audit package name
 block:
 - name: Pre Audit Setup | Set audit package name | 64bit
+ when: ansible_facts.machine == "x86_64"
 ansible.builtin.set_fact:
 audit_pkg_arch_name: AMD64
- when: ansible_facts.machine == "x86_64"
 - name: Pre Audit Setup | Set audit package name | ARM64
+ when: ansible_facts.machine == "arm64"
 ansible.builtin.set_fact:
 audit_pkg_arch_name: ARM64
- when: ansible_facts.machine == "arm64"
 - name: Pre Audit Setup | Download audit binary
+ when:
+ - get_audit_binary_method == 'download'
 ansible.builtin.get_url:
 url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}"
 dest: "{{ audit_bin }}"
@@ -20,15 +22,13 @@
 group: root
 checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
 mode: '0555'
- when:
- - get_audit_binary_method == 'download'
 - name: Pre Audit Setup | Copy audit binary
+ when:
+ - get_audit_binary_method == 'copy'
 ansible.builtin.copy:
 src: "{{ audit_bin_copy_location }}"
 dest: "{{ audit_bin }}"
 mode: '0555'
 owner: root
 group: root
- when:
- - get_audit_binary_method == 'copy'
diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml
index 864f5bbe..d34b90f0 100644
--- a/tasks/audit_only.yml
+++ b/tasks/audit_only.yml
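Review bot: `+ when: ansible_facts.machine == "arm64"` on the ARM64 branch will not match Linux hosts, where `ansible_facts.machine` carries the kernel's `uname -m` value `aarch64`; `arm64` is the spelling used by macOS and some BSDs. For a RHEL 7 role that means 64-bit ARM targets leave `audit_pkg_arch_name` undefined, and the download task a few lines below then fails while templating `{{ audit_bin_url }}{{ audit_pkg_arch_name }}` (the `x86_64` branch is fine). The condition was only moved by this commit, but it is now the line under review: `when: ansible_facts.machine in ['arm64', 'aarch64']` covers both spellings. The download task's body continues into the next hunk.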
@@ -1,28 +1,28 @@
 ---
 - name: Audit_Only | Create local Directories for hosts
+ when: fetch_audit_files
 ansible.builtin.file:
 mode: '0755'
 path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
 recurse: true
 state: directory
- when: fetch_audit_files
 delegate_to: localhost
 become: false
 - name: Audit_only | Get audits from systems and put in group dir
+ when: fetch_audit_files
 ansible.builtin.fetch:
 dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
 flat: true
 mode: '0644'
 src: "{{ pre_audit_outfile }}"
- when: fetch_audit_files
 - name: Audit_only | Show Audit Summary
 when:
 - audit_only
 ansible.builtin.debug:
- msg: "The Audit results are: {{ pre_audit_summary }}."
+ msg: "{{ audit_results.split('\n') }}"
 - name: Audit_only | Stop Playbook Audit Only selected
 when:
diff --git a/tasks/main.yml b/tasks/main.yml
index c6cfa600..01aeb340 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -90,25 +90,6 @@
 ansible.builtin.import_tasks:
 file: prelim.yml
-- name: Include audit specific variables
- when:
- - run_audit or audit_only
- - setup_audit
- tags:
- - setup_audit
- - run_audit
- ansible.builtin.include_vars:
- file: audit.yml
-
-- name: Include pre-remediation audit tasks
- when:
- - run_audit or audit_only
- - setup_audit
- tags:
- - run_audit
- ansible.builtin.import_tasks:
- file: pre_remediation_audit.yml
-
 - name: Gather the package facts
 tags:
 - always
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
index 178570c9..19dff268 100644
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@@ -5,10 +5,10 @@
 changed_when: true
 environment:
 AUDIT_BIN: "{{ audit_bin }}"
- AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
+ AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
 AUDIT_FILE: goss.yml
-- name: Post Audit | ensure audit files readable by users
+- name: Post Audit | Ensure audit files readable by users
 ansible.builtin.file:
 path: "{{ item }}"
 mode: '0644'
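Review bot: `msg: "{{ audit_results.split('\n') }}"` only works because YAML consumes the `\n` escape inside the double-quoted scalar and hands Jinja a string literal containing a real newline; that is easy to break on a later switch to single quotes and hard to read. `msg: "{{ (audit_results | trim).splitlines() }}"` states the intent directly, and the `trim` also drops the empty last element that the `|` block scalar defining `audit_results` in vars/audit.yml (later in this diff) would otherwise produce from its kept final newline. The enclosing task list continues past the end of the hunk.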
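Review bot: `AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"` hard-codes a fallback that duplicates the `audit_conf_dest: "/opt"` default this same commit adds to defaults/main.yml, and the same `| default('/opt')` is repeated in tasks/pre_remediation_audit.yml (`@@ -81`) and vars/audit.yml (`@@ -13`). A role default is always defined, so the fallback is dead in normal use and leaves three places to update if the path ever moves; `AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest }}"` is enough. If the intent is to let a caller deliberately unset the variable, say so in the defaults comment rather than scattering the fallback.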
@@ -21,14 +21,14 @@
 when:
 - audit_format == "json"
 block:
- - name: capture data {{ post_audit_outfile }}
- ansible.builtin.shell: cat {{ post_audit_outfile }}
- register: post_audit
+ - name: Post Audit | Capture data {{ post_audit_outfile }}
+ ansible.builtin.shell: "cat {{ post_audit_outfile }}"
+ register: discovered_post_audit
 changed_when: false
- - name: Capture post-audit result
+ - name: Post Audit | Capture post-audit result
 ansible.builtin.set_fact:
- post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
+ post_audit_summary: "{{ discovered_post_audit.stdout | from_json | json_query(summary) }}"
 vars:
 summary: summary."summary-line"
@@ -37,10 +37,10 @@
 - audit_format == "documentation"
 block:
 - name: Post Audit | Capture data {{ post_audit_outfile }}
- ansible.builtin.shell: tail -2 {{ post_audit_outfile }}
- register: post_audit
+ ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
+ register: discovered_post_audit
 changed_when: false
 - name: Post Audit | Capture post-audit result
 ansible.builtin.set_fact:
- post_audit_summary: "{{ post_audit.stdout_lines }}"
+ post_audit_summary: "{{ discovered_post_audit.stdout_lines }}"
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index 4f089523..fb6d709f 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -5,7 +5,8 @@
 - setup_audit
 tags:
 - setup_audit
- ansible.builtin.include_tasks: LE_audit_setup.yml
+ ansible.builtin.include_tasks:
+ file: LE_audit_setup.yml
 - name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists
 ansible.builtin.file:
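Review bot: `ansible.builtin.shell: "cat {{ post_audit_outfile }}"` spawns a shell just to read a file the role itself wrote moments earlier; `ansible.builtin.slurp` does the same without a shell, without the quoting concern around a templated path, and without needing `changed_when: false`. Suggest `ansible.builtin.slurp:` with `src: "{{ post_audit_outfile }}"`, and the summary line becoming `post_audit_summary: "{{ discovered_post_audit.content | b64decode | from_json | json_query(summary) }}"`. The same applies to the `cat` in tasks/pre_remediation_audit.yml (`@@ -81`); the `tail -2` variants in the documentation-format blocks (`@@ -37` here and `@@ -104` there) can at least drop to `ansible.builtin.command`, since no shell feature is used. The `block:` these tasks belong to opens inside the hunk but its `when` list starts above it.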
@@ -32,23 +33,25 @@
 when:
 - audit_content == 'copy'
 ansible.builtin.copy:
- src: "{{ audit_local_copy }}"
+ src: "{{ audit_conf_source }}"
 dest: "{{ audit_conf_dest }}"
 mode: preserve
 - name: Pre Audit Setup | Unarchive audit content files on server
 when:
- - audit_content == 'archived'
+ - audit_content == 'archive'
 ansible.builtin.unarchive:
- src: "{{ audit_conf_copy }}"
- dest: "{{ audit_conf_dir }}"
+ src: "{{ audit_conf_source }}"
+ dest: "{{ audit_conf_dest }}"
 - name: Pre Audit Setup | Get audit content from url
 when:
 - audit_content == 'get_url'
- ansible.builtin.get_url:
- url: "{{ audit_files_url }}"
- dest: "{{ audit_conf_dir }}"
+ ansible.builtin.unarchive:
+ src: "{{ audit_conf_source }}"
+ dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
+ remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}"
+ extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}"
 - name: Pre Audit Setup | Check Goss is available
 when:
@@ -57,20 +60,19 @@
 - name: Pre Audit Setup | Check for goss file
 ansible.builtin.stat:
 path: "{{ audit_bin }}"
- register: goss_available
+ register: discovered_goss_available
 - name: Pre Audit Setup | If audit ensure goss is available
- when:
- - not goss_available.stat.exists
 ansible.builtin.assert:
+ that: discovered_goss_available.stat.exists
 msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
 - name: Pre Audit Setup | Copy ansible default vars values to test audit
+ when:
+ - run_audit
 tags:
 - goss_template
 - run_audit
- when:
- - run_audit
 ansible.builtin.template:
 src: ansible_vars_goss.yml.j2
 dest: "{{ audit_vars_path }}"
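Review bot: The new `get_url` branch fetches and extracts `audit_conf_source` in one `ansible.builtin.unarchive` call with `remote_src` switched on whenever the string contains `http`, and unlike the goss binary download in tasks/LE_audit_setup.yml (which pins `checksum:`) nothing verifies the archive before it is unpacked under `audit_conf_dest`; the unpacked content is the test suite goss then executes on the host, so it deserves the same integrity check. `unarchive` has no checksum option, so split the task into an `ansible.builtin.get_url` with `checksum` into a staging file followed by a local `unarchive`, driven by a new default such as `audit_conf_source_checksum` (empty by default to keep today's behaviour) — this assumes `get_url` sources are always URLs, as the task name and the defaults comment say. Two smaller points on the same lines: `is contains ('http')` also fires for a local path whose name happens to contain `http`, and the `extra_opts` ternary yields a string in one branch and a list in the other, so use `['--strip-components=1']` for both to be lists. The surrounding task list continues outside the hunk.
```yaml
- name: Pre Audit Setup | Get audit content from url
  when:
    - audit_content == 'get_url'
  block:
    - name: Pre Audit Setup | Download audit content archive
      ansible.builtin.get_url:
        url: "{{ audit_conf_source }}"
        dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit.tar.gz"
        # new default, e.g. 'sha256:<digest of the release archive>'; omitted when unset
        checksum: "{{ audit_conf_source_checksum | default(omit) }}"
        mode: '0644'

    - name: Pre Audit Setup | Unarchive audit content
      ansible.builtin.unarchive:
        src: "{{ audit_conf_dest }}/{{ benchmark }}-Audit.tar.gz"
        dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
        remote_src: true
        extra_opts: "{{ (audit_conf_source is contains('github')) | ternary(['--strip-components=1'], []) }}"

# … unchanged: Check Goss is available …
```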
@@ -81,21 +83,21 @@
 changed_when: true
 environment:
 AUDIT_BIN: "{{ audit_bin }}"
- AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
+ AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
 AUDIT_FILE: goss.yml
 - name: Pre Audit | Capture audit data if json format
 when:
 - audit_format == "json"
 block:
- - name: capture data {{ pre_audit_outfile }}
- ansible.builtin.shell: cat {{ pre_audit_outfile }}
- register: pre_audit
+ - name: Pre Audit | Capture data {{ pre_audit_outfile }}
+ ansible.builtin.shell: "cat {{ pre_audit_outfile }}"
+ register: discovered_pre_audit
 changed_when: false
 - name: Pre Audit | Capture pre-audit result
 ansible.builtin.set_fact:
- pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
+ pre_audit_summary: "{{ discovered_pre_audit.stdout | from_json | json_query(summary) }}"
 vars:
 summary: summary."summary-line"
@@ -104,15 +106,16 @@
 - audit_format == "documentation"
 block:
 - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format
- ansible.builtin.shell: tail -2 {{ pre_audit_outfile }}
- register: pre_audit
+ ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}"
+ register: discovered_pre_audit
 changed_when: false
 - name: Pre Audit | Capture pre-audit result | documentation format
 ansible.builtin.set_fact:
- pre_audit_summary: "{{ pre_audit.stdout_lines }}"
+ pre_audit_summary: "{{ discovered_pre_audit.stdout_lines }}"
 - name: Audit_Only | Run Audit Only
 when:
 - audit_only
- ansible.builtin.import_tasks: audit_only.yml
+ ansible.builtin.import_tasks:
+ file: audit_only.yml
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 3d2e8760..1bfc6dd5 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -71,6 +71,25 @@
 grub2_path: /etc/grub2-efi.cfg
 rhel7cis_boot_path: "/boot/efi/EFI/{{ansible_facts.distribution | lower }}/"
+- name: Include audit specific variables
+ when:
+ - run_audit or audit_only
+ - setup_audit
+ tags:
+ - setup_audit
+ - run_audit
+ ansible.builtin.include_vars:
+ file: audit.yml
+
+- name: Include pre-remediation audit tasks
+ when:
+ - run_audit or audit_only
+ - setup_audit
+ tags:
+ - run_audit
+ ansible.builtin.import_tasks:
+ file: pre_remediation_audit.yml
+
 - name: "PRELIM | AUDIT | Ensure permissions on bootloader config are configured | Get grub config file stats"
 tags:
 - always
diff --git a/vars/audit.yml b/vars/audit.yml
index a4db0cab..bb50f6d3 100644
--- a/vars/audit.yml
+++ b/vars/audit.yml
@@ -1,5 +1,7 @@
 ---
+#### Audit Configuration Settings ####
+
 # Timeout for those cmds that take longer to run where timeout set
 audit_cmd_timeout: 120000
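Review bot: Both relocated includes are gated on `- setup_audit` as well as `- run_audit or audit_only`, so a run with `run_audit: true` and `setup_audit: false` (goss and its content already in place, which is what the `setup_audit: false` default in defaults/main.yml describes) loads neither vars/audit.yml nor pre_remediation_audit.yml, while the post-remediation tasks in this same diff still reference `audit_bin`, `audit_conf_dest` and `post_audit_outfile` from that vars file; likewise `audit_only: true` without `setup_audit` never reaches the audit-only stop task. The condition is carried over from tasks/main.yml rather than introduced here, but moving it is the moment to fix it: keep `setup_audit` on the setup tasks only and reduce both lists to `when: run_audit or audit_only`. Whether the post-remediation include shares the same gate is outside this diff, so confirm that before relying on the inference.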
@@ -13,14 +15,12 @@ audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
 audit_git_version: "benchmark_{{ benchmark_version }}"
 ## Goss configuration information
-# Where the goss configs and outputs are stored
-audit_out_dir: '/opt'
-# Where the goss audit configuration will be stored
-audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit"
+# Where the goss audit configuration will be stored - NOTE benchmark-audit is expected
+audit_conf_dir: "{{ audit_conf_dest | default('/opt') }}/{{ benchmark }}-Audit"
 # If changed these can affect other products
-pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}"
-post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}"
+pre_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}"
+post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}"
 ## The following should not need changing
@@ -34,6 +34,7 @@ audit_format: json
 audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
 audit_results: |
- The pre remediation results are: {{ pre_audit_summary }}.
- The post remediation results are: {{ post_audit_summary }}.
- Full breakdown can be found in {{ audit_out_dir }}
+ The audit results are: {{ pre_audit_summary }}
+ {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %}
+
+ Full breakdown can be found in {{ audit_log_dir }}
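Review bot: The new comment `# Where the goss audit configuration will be stored - NOTE benchmark-audit is expected` does not say what is expected of whom; the value on the next line shows the actual contract, that the content directory is named `{{ benchmark }}-Audit` and lives directly under `audit_conf_dest`, and the `copy`/`archive` tasks in tasks/pre_remediation_audit.yml rely on the source already having that layout. Suggest `# Where the goss audit configuration is stored - the content must be in a {{ benchmark }}-Audit directory directly under audit_conf_dest (copy/archive sources must already contain it)`.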
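Review bot: `audit_results: |` keeps the block's final newline (clip chomping), and in audit-only mode the `{% if not audit_only %}...{% endif %}` line renders as an empty line, so the message carries two blank lines before `Full breakdown` and a trailing newline that a consumer splitting on `\n` (tasks/audit_only.yml in this diff) sees as an empty last element. `audit_results: |-` removes the trailing newline; if the blank separator is only wanted when the post-remediation line is present, move it inside the `{% if %}` block. These are the last lines of the file section, so nothing of the scalar is cut off.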