Skip to content

Commit

Permalink
Merge pull request #470 from ansible-lockdown/workflow_audit
Browse files Browse the repository at this point in the history
Workflow audit
  • Loading branch information
uk-bolly authored Jul 18, 2024
2 parents a501c7f + ddd17c7 commit 98d768f
Showing 16 changed files with 520 additions and 353 deletions.
8 changes: 8 additions & 0 deletions ChangeLog.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,13 @@
# Changelog

## 3.2 STIG V3R13 25th Oct 2023

- updated workflow to use new methods
- new ami being used as old obsolete
- Updated the audit layout
- New options if using CentOS to update repo files to vaulted.repo
- rhel7stig_add_updated_repo

## 3.1 STIG V3R13 25th Oct 2023

- RHEL_07_010310 - ruleid updated and INACTIVE var created
110 changes: 48 additions & 62 deletions defaults/main.yml
Original file line number Diff line number Diff line change
@@ -18,26 +18,65 @@ benchmark_version: 'v3r13'
# Whether to skip the reboot
rhel7stig_skip_reboot: true

### Audit Binary is required on the remote host
# With CentOS being EoL many mirrors no longer exist and fail for updates
# setting to true will replace the default /etc/yum.repos.d/CentOS-Base.repo
# It will add the new vaulted location where it is possible to get updates and package
rhel7stig_add_updated_repo: false

###
### Settings for associated Audit role using Goss
###

###########################################
### Goss is required on the remote host ###
### vars/auditd.yml for other settings ###

# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
setup_audit: false

# enable audits to run - this runs the audit and get the latest content
run_audit: false
# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
audit_run_heavy_tests: true

## Only run Audit do not remediate
audit_only: false
### As part of audit_only ###
# This will enable files to be copied back to control node in audit_only mode
fetch_audit_files: false
# Path to copy the files to will create dir structure in audit_only mode
audit_capture_files_dir: /some/location to copy to on control node
#############################

# How to retrieve audit binary
# Options are copy or download - detailed settings at the bottom of this file
# you will need to access to either github or the file already dowmloaded
get_audit_binary_method: download

## if get_audit_binary_method - copy the following needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node
## e.g copy from ansible control node to remote host
audit_bin_copy_location: /some/accessible/path

# how to get audit files onto host options
# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf
audit_content: git

# enable audits to run - this runs the audit and get the latest content
run_audit: false
# If using either archive, copy, get_url:
## Note will work with .tar files - zip will require extra configuration
### If using get_url this is expecting github url in tar.gz format e.g.
### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
audit_conf_source: "some path or url to copy from"

# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
audit_run_heavy_tests: true
# Timeout for those cmds that take longer to run where timeout set
audit_cmd_timeout: 60000
# Destination for the audit content to be placed on managed node
# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory
audit_conf_dest: "/opt"

### End Audit enablements ####
# Where the audit logs are stored
audit_log_dir: '/opt'

### Goss Settings ##
####### END ########
#### Detailed settings found at the end of this document ####

# We've defined complexity-high to mean that we cannot automatically remediate
@@ -737,56 +776,3 @@ rhel7stig_world_write_files_owner_root: false
# The value given to Defaults timestamp timeout= in the sudo file.
# Value must be greater than 0 to conform to STIG standards
rhel7stig_sudo_timestamp_timeout: 1

#### Audit Configuration Settings ####
# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
audit_run_script_environment:
AUDIT_BIN: "{{ audit_bin }}"
AUDIT_FILE: 'goss.yml'
AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"

### Audit binary settings ###
audit_bin_version:
release: v0.3.21
checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3'
audit_bin_path: /usr/local/bin/
audit_bin: "{{ audit_bin_path }}goss"
audit_format: json

# if get_audit_binary_method == download change accordingly
audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64"

## if get_audit_binary_method - copy the following needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node
## e.g copy from ansible control node to remote host
audit_bin_copy_location: /some/accessible/path

### Goss Audit Benchmark file ###
## managed by the control audit_content
# git
audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
audit_git_version: "benchmark_{{ benchmark_version }}_rh7"

# copy:
audit_local_copy: "some path to copy from"

# get_url:
audit_files_url: "some url maybe s3?"

## Goss configuration information
# Where the goss configs and outputs are stored
audit_out_dir: '/opt'
# Where the goss audit configuration will be stored
audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"

# If changed these can affect other products
pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"

## The following should not need changing
audit_control_file: "{{ audit_conf_dir }}goss.yml"
audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml"
audit_results: |
The pre remediation results are: {{ pre_audit_summary }}.
The post remediation results are: {{ post_audit_summary }}.
Full breakdown can be found in {{ audit_out_dir }}
2 changes: 1 addition & 1 deletion handlers/main.yml
Original file line number Diff line number Diff line change
@@ -37,7 +37,7 @@
src: "{{ rhel7stig_bootloader_path }}/{{ item }}"
dest: "{{ rhel7stig_not_boot_path }}/{{ item }}"
remote_src: true
mode: 0600
mode: '0600'
with_items:
- grub.cfg
- user.cfg
10 changes: 3 additions & 7 deletions site.yml
Original file line number Diff line number Diff line change
@@ -1,10 +1,6 @@
---
- hosts: all # noqa: name[play]
- name: Ansible Lockdown Remediation Role
hosts: all
become: true
vars:
is_container: false

roles:
- role: "{{ playbook_dir }}"
rhel7stig_system_is_container: "{{ is_container | default(false) }}"
rhel7stig_skip_for_travis: false
- role: "{{ playbook_dir }}"
30 changes: 20 additions & 10 deletions tasks/LE_audit_setup.yml
Original file line number Diff line number Diff line change
@@ -1,22 +1,32 @@
---

- name: Download audit binary
- name: Pre Audit Setup | Set audit package name
block:
- name: Pre Audit Setup | Set audit package name | 64bit
when: ansible_facts.machine == "x86_64"
ansible.builtin.set_fact:
audit_pkg_arch_name: AMD64

- name: Pre Audit Setup | Set audit package name | ARM64
when: ansible_facts.machine == "arm64"
ansible.builtin.set_fact:
audit_pkg_arch_name: ARM64

- name: Pre Audit Setup | Download audit binary
when: get_audit_binary_method == 'download'
ansible.builtin.get_url:
url: "{{ audit_bin_url }}"
url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}"
dest: "{{ audit_bin }}"
owner: root
group: root
checksum: "{{ audit_bin_version.checksum }}"
mode: 0555
when:
- get_audit_binary_method == 'download'
checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
mode: '0555'

- name: copy audit binary
- name: Pre Audit Setup | Copy audit binary
when: get_audit_binary_method == 'copy'
ansible.builtin.copy:
src: "{{ audit_bin_copy_location }}"
dest: "{{ audit_bin }}"
mode: 0555
mode: '0555'
owner: root
group: root
when:
- get_audit_binary_method == 'copy'
30 changes: 30 additions & 0 deletions tasks/audit_only.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
---

- name: Audit_Only | Create local Directories for hosts
when: fetch_audit_files
delegate_to: localhost
become: false
ansible.builtin.file:
mode: '0755'
path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
recurse: true
state: directory

- name: Audit_only | Get audits from systems and put in group dir
when: fetch_audit_files
ansible.builtin.fetch:
dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
flat: true
mode: '0644'
src: "{{ pre_audit_outfile }}"

- name: Audit_only | Show Audit Summary
when:
- audit_only
ansible.builtin.debug:
msg: "{{ audit_results.split('\n') }}"

- name: Audit_only | Stop Playbook Audit Only selected
when:
- audit_only
ansible.builtin.meta: end_play
Loading

0 comments on commit 98d768f

Please sign in to comment.