V3R14 to main release #477

Merged: 111 commits, Nov 14, 2024

Commits
f117074
Specify missing state parameter for package
anzoman Sep 15, 2023
130e021
Correct with_items indentation for package
anzoman Sep 15, 2023
601ef18
Replace inline strings with module parameters
anzoman Sep 15, 2023
b53d7be
Merge pull request #437 from anzoman/steampunk-spotter-fixes
uk-bolly Sep 15, 2023
dfb9791
updated link
uk-bolly Sep 15, 2023
5108506
lint updates
uk-bolly Sep 15, 2023
223624e
removed old
uk-bolly Sep 15, 2023
20a720a
added new defined secrets file
uk-bolly Sep 15, 2023
5956a0f
added precommit
uk-bolly Sep 15, 2023
395956a
Merge pull request #438 from ansible-lockdown/discord_updates
uk-bolly Sep 15, 2023
aa000e8
lint updates
uk-bolly Oct 9, 2023
d14af2e
updated
uk-bolly Oct 9, 2023
1dc0f9b
added pragma allow list
uk-bolly Oct 9, 2023
6098b02
updated due to galaxy changes
uk-bolly Oct 9, 2023
197f961
moved file
uk-bolly Oct 9, 2023
d49469b
updated path
uk-bolly Oct 9, 2023
5aae574
removed quality badge since galaxy-ng
uk-bolly Oct 9, 2023
32fe8c1
Merge pull request #439 from ansible-lockdown/collections_lint
uk-bolly Oct 10, 2023
fb6f4fe
Adding additional condition for rhel7stig_grub2_user_cfg for task
layluke Oct 18, 2023
5e47e97
Merge pull request #441 from layluke/440-Grub_Handler_Fix
uk-bolly Oct 25, 2023
88f570b
updated version
uk-bolly Oct 25, 2023
ea14041
quoted version
uk-bolly Oct 25, 2023
c48ab81
updated rule id 020230
uk-bolly Oct 25, 2023
d602fd9
rule ids and inactive variable added
uk-bolly Oct 25, 2023
f480204
updated
uk-bolly Oct 25, 2023
6a7137f
updated the workflow version and galaxy setup
uk-bolly Oct 31, 2023
b3f3248
updated the workflow version and galaxy setup
uk-bolly Oct 31, 2023
d26e104
Merge pull request #442 from ansible-lockdown/workflow_galaxy
uk-bolly Nov 1, 2023
d687371
removed file
uk-bolly Nov 1, 2023
9dd216c
updated
uk-bolly Nov 1, 2023
388f850
updated
uk-bolly Nov 1, 2023
22f7dab
lint update
uk-bolly Nov 1, 2023
51b2df3
fix typo
uk-bolly Nov 1, 2023
9943f97
Merge pull request #444 from ansible-lockdown/tidyup
uk-bolly Nov 1, 2023
fb58a03
lint
uk-bolly Nov 2, 2023
ad96dd7
updated precommit files
uk-bolly Nov 2, 2023
444074d
rhel7stig_boot_part variable now discovered
uk-bolly Nov 14, 2023
6276776
tidy up of rhel7stig_boot_part variable
uk-bolly Nov 14, 2023
ad3b174
changed logic on 20620
uk-bolly Nov 15, 2023
617e008
updated logic for uuid
uk-bolly Nov 20, 2023
6e7329b
removed extra line
uk-bolly Nov 21, 2023
212f524
Merge pull request #445 from ansible-lockdown/fix_021350
uk-bolly Nov 21, 2023
207be13
removed doc dir
uk-bolly Jan 11, 2024
4e0554f
Merge pull request #449 from ansible-lockdown/nodocs
uk-bolly Jan 11, 2024
3901021
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Jan 22, 2024
c294efb
Merge pull request #447 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Jan 26, 2024
594ece9
Issue #446 tag update to always - thanks to @prestonSeaman2
uk-bolly Jan 26, 2024
e401d83
conditional updated 021000 & 021010 #448 thanks @erosen03
uk-bolly Jan 26, 2024
9f52057
Merge branch 'jan_24_updates' into stig_v3r13
uk-bolly Jan 26, 2024
3ce0e42
Merge pull request #450 from ansible-lockdown/jan_24_updates
uk-bolly Jan 26, 2024
1f997b7
[pre-commit.ci] pre-commit autoupdate (#451)
pre-commit-ci[bot] Feb 14, 2024
dfe8425
[pre-commit.ci] pre-commit autoupdate (#454)
pre-commit-ci[bot] Mar 5, 2024
df38ef9
Feb 24 updates (#455)
uk-bolly Mar 6, 2024
da5270f
Merge branch 'main' into devel
uk-bolly Mar 6, 2024
82abd51
incorporated Feb_24 fixes
uk-bolly Mar 14, 2024
e277b23
v3r14 ref updated
uk-bolly Mar 14, 2024
09e75c8
v3r14 update
uk-bolly Mar 14, 2024
82d5761
associated rule updated v3r14
uk-bolly Mar 14, 2024
6d800a4
Stig v3r13 into devel (#457)
uk-bolly Mar 14, 2024
8911cbd
updated meta
uk-bolly Mar 19, 2024
91fd0d9
[pre-commit.ci] pre-commit autoupdate (#458)
pre-commit-ci[bot] Apr 10, 2024
16f3465
prelim.yml fixes on when conditions on cronie passwd_tasks
frederickw082922 Apr 11, 2024
94964ab
Merge pull request #460 from ansible-lockdown/2024_APRIL_UPDATE
frederickw082922 Apr 11, 2024
c7ebdb0
audit rewrite and logic improvements
uk-bolly Apr 15, 2024
4edeb2a
added prelim to includes
uk-bolly Apr 15, 2024
509fa41
added prelim to includes quoted
uk-bolly Apr 15, 2024
3508dfc
[pre-commit.ci] pre-commit autoupdate (#461)
pre-commit-ci[bot] Apr 22, 2024
2db15ef
Excluding non-interactive logins shells from being parsed
layluke May 2, 2024
c0c0ba5
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Jun 17, 2024
3026fd9
Merge pull request #468 from ansible-lockdown/pre-commit-ci-update-co…
georgenalen Jun 18, 2024
a57f56e
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Jul 15, 2024
c5936ff
21350 improvements
uk-bolly Jul 17, 2024
ebaefbd
moved audit to prelim
uk-bolly Jul 17, 2024
bb6ed8d
Audit updates
uk-bolly Jul 17, 2024
6a1dd5c
moved var from site to vars/main.yml
uk-bolly Jul 17, 2024
a85ccc0
Merge pull request #466 from layluke/462
uk-bolly Jul 17, 2024
a501c7f
Merge pull request #469 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Jul 17, 2024
1e000ce
reorder
uk-bolly Jul 17, 2024
aeef574
quotes on mode items
uk-bolly Jul 17, 2024
e00e54b
added update repo url for centos option
uk-bolly Jul 18, 2024
150a6b6
removed notify not required
uk-bolly Jul 18, 2024
ddd17c7
Updated
uk-bolly Jul 18, 2024
98d768f
Merge pull request #470 from ansible-lockdown/workflow_audit
uk-bolly Jul 18, 2024
d1ef065
Updated workflow
uk-bolly Jul 18, 2024
41a3edf
Merge pull request #471 from ansible-lockdown/workflow_audit
uk-bolly Jul 18, 2024
a25e8bf
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Sep 16, 2024
f697cfc
Merge pull request #472 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Sep 17, 2024
2b1804d
Merge branch 'devel' into stig_v3r14
uk-bolly Sep 17, 2024
b51cdf4
added solution for gui and X11 for 040730
uk-bolly Sep 17, 2024
f2baee2
updated default var to use discovered value
uk-bolly Sep 17, 2024
b38ce35
Alignment
uk-bolly Sep 17, 2024
cbeab4a
remove jmespath on the way mountspoints are check
uk-bolly Sep 19, 2024
594c50f
removed breaking dupe line
uk-bolly Sep 19, 2024
c6d2e06
Updated goss version and added ARM
uk-bolly Sep 19, 2024
a94da63
updated mount and wireless checks
uk-bolly Sep 19, 2024
272ce78
aligned benchmark git version name
uk-bolly Sep 19, 2024
6304b8d
Merge branch 'devel' into stig_v3r14
uk-bolly Sep 23, 2024
06d5a34
removed empty line
uk-bolly Sep 23, 2024
df0e444
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Sep 23, 2024
5b6660e
Merge pull request #474 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Sep 24, 2024
ebad8d3
Merge pull request #473 from ansible-lockdown/stig_v3r14
uk-bolly Sep 24, 2024
0b0049a
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Oct 21, 2024
2e45c3d
Merge pull request #475 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Oct 22, 2024
e904997
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Oct 28, 2024
3623e05
Merge pull request #476 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Oct 29, 2024
75bd5e6
Merge branch 'main' into devel
uk-bolly Oct 29, 2024
0e839b7
updated layout 21350
uk-bolly Oct 30, 2024
18f123f
fixed layout 041010
uk-bolly Oct 30, 2024
aa0be1c
moved check_mode
uk-bolly Nov 1, 2024
744f42e
moved check_mode
uk-bolly Nov 1, 2024
b223ae5
Merge pull request #478 from ansible-lockdown/Oct24
uk-bolly Nov 1, 2024
audit rewrite and logic improvements
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
uk-bolly committed Apr 15, 2024
commit c7ebdb09be3a1d45f837790622e0d45117b83e14
4 changes: 4 additions & 0 deletions ChangeLog.md
@@ -2,6 +2,10 @@

## 3.2 STIG v3R14 24th Jan 2024

- Audit updated
- moved audit into prelim
- updates to audit logic for copy and archive options

- RHEL-07-020019 - title and ruleid update
- RHEL-07-020022 - ruleid update
- RHEL-07-020210 - ruleid update
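Review bot: the three new "Audit" bullets do not name the user-facing variables this commit adds to defaults/main.yml (`fetch_audit_files`, `audit_capture_files_dir`, `audit_conf_source`, `audit_conf_dest`, `audit_log_dir`, `audit_cmd_timeout`) nor the block of audit variables it removes from that file (`audit_bin_version`, `audit_bin_url`, `audit_out_dir`, `pre_audit_outfile`/`post_audit_outfile` and friends). Anyone overriding those in inventory needs that in the changelog; a line such as "- audit variables moved out of defaults/main.yml; new audit_only options fetch_audit_files / audit_capture_files_dir" would cover it.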
102 changes: 39 additions & 63 deletions defaults/main.yml
@@ -18,27 +18,56 @@ benchmark_version: 'v3r14'
# Whether to skip the reboot
rhel7stig_skip_reboot: true

### Audit Binary is required on the remote host
###########################################
### Goss is required on the remote host ###
### vars/auditd.yml for other settings ###

# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
setup_audit: false

# enable audits to run - this runs the audit and get the latest content
run_audit: false
# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
audit_run_heavy_tests: true

## Only run Audit do not remediate
audit_only: false
### As part of audit_only ###
# This will enable files to be copied back to control node in audit_only mode
fetch_audit_files: false
# Path to copy the files to will create dir structure in audit_only mode
audit_capture_files_dir: /some/location to copy to on control node
#############################

# How to retrieve audit binary
# Options are copy or download - detailed settings at the bottom of this file
# you will need to access to either github or the file already dowmloaded
get_audit_binary_method: download

## if get_audit_binary_method - copy the following needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node
## e.g copy from ansible control node to remote host
audit_bin_copy_location: /some/accessible/path

# how to get audit files onto host options
# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf
audit_content: git

# enable audits to run - this runs the audit and get the latest content
run_audit: false
# If using either archive, copy, get_url:
## Note will work with .tar files - zip will require extra configuration
### If using get_url this is expecting github url in tar.gz format e.g.
### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
audit_conf_source: "some path or url to copy from"

# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
audit_run_heavy_tests: true
# Timeout for those cmds that take longer to run where timeout set
audit_cmd_timeout: 60000
# Destination for the audit content to be placed on managed node
# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory
audit_conf_dest: "/opt"

# Where the audit logs are stored
audit_log_dir: '/opt'

### End Audit enablements ####
#### Detailed settings found at the end of this document ####
### Goss Settings ##
####### END ########

# We've defined complexity-high to mean that we cannot automatically remediate
# the rule in question. In the future this might mean that the remediation
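Review bot: `audit_conf_source` (the archive/copy/get_url location of the audit content) has no checksum counterpart, whereas the binary download in tasks/LE_audit_setup.yml stays pinned through the `audit_bin_version` checksums; a tarball fetched from a branch URL like the example `refs/heads/benchmark-v1.0.0.tar.gz` is mutable, so consider an `audit_conf_checksum` default passed to get_url's `checksum`, or document pinning to a tag or commit. Two smaller points in the same block: the placeholder `audit_capture_files_dir: /some/location to copy to on control node` is a valid YAML string, so if it is left unset with `fetch_audit_files: true` the role creates that literal directory on the control node; a quoted `"/path/on/control/node"` placeholder plus an `ansible.builtin.assert` that it was changed is clearer. And "dowmloaded" in the `get_audit_binary_method` comment is a typo.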
@@ -737,56 +766,3 @@ rhel7stig_world_write_files_owner_root: false
# The value given to Defaults timestamp timeout= in the sudo file.
# Value must be greater than 0 to conform to STIG standards
rhel7stig_sudo_timestamp_timeout: 1

#### Audit Configuration Settings ####
# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
audit_run_script_environment:
AUDIT_BIN: "{{ audit_bin }}"
AUDIT_FILE: 'goss.yml'
AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"

### Audit binary settings ###
audit_bin_version:
release: v0.3.21
checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3'
audit_bin_path: /usr/local/bin/
audit_bin: "{{ audit_bin_path }}goss"
audit_format: json

# if get_audit_binary_method == download change accordingly
audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64"

## if get_audit_binary_method - copy the following needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node
## e.g copy from ansible control node to remote host
audit_bin_copy_location: /some/accessible/path

### Goss Audit Benchmark file ###
## managed by the control audit_content
# git
audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
audit_git_version: "benchmark_{{ benchmark_version }}_rh7"

# copy:
audit_local_copy: "some path to copy from"

# get_url:
audit_files_url: "some url maybe s3?"

## Goss configuration information
# Where the goss configs and outputs are stored
audit_out_dir: '/opt'
# Where the goss audit configuration will be stored
audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"

# If changed these can affect other products
pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"

## The following should not need changing
audit_control_file: "{{ audit_conf_dir }}goss.yml"
audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml"
audit_results: |
The pre remediation results are: {{ pre_audit_summary }}.
The post remediation results are: {{ post_audit_summary }}.
Full breakdown can be found in {{ audit_out_dir }}
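Review bot: this hunk drops the definitions of `audit_bin_version`, `audit_bin_url`, `audit_bin_path`, `audit_bin`, `audit_format`, `audit_conf_dir`, `audit_vars_path`, `audit_out_dir` and `pre_audit_outfile`/`post_audit_outfile` from defaults, yet tasks/LE_audit_setup.yml, tasks/audit_only.yml and tasks/post_remediation_audit.yml in this same commit still reference every one of them, and none of the files shown here redefines them. If they moved to vars/main.yml, note that role vars take precedence over inventory and play vars, so users who currently override `audit_bin_path` or `audit_out_dir` in group_vars will silently lose that override; anything meant to stay tunable (paths, URLs, output format) belongs in defaults, with only the version/checksum table in vars. Either way the commit message should say where they went.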
24 changes: 18 additions & 6 deletions tasks/LE_audit_setup.yml
@@ -1,21 +1,33 @@
---

- name: Download audit binary
- name: Pre Audit Setup | Set audit package name
block:
- name: Pre Audit Setup | Set audit package name | 64bit
ansible.builtin.set_fact:
audit_pkg_arch_name: AMD64
when: ansible_facts.machine == "x86_64"

- name: Pre Audit Setup | Set audit package name | ARM64
ansible.builtin.set_fact:
audit_pkg_arch_name: ARM64
when: ansible_facts.machine == "arm64"

- name: Pre Audit Setup | Download audit binary
ansible.builtin.get_url:
url: "{{ audit_bin_url }}"
url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}"
dest: "{{ audit_bin }}"
owner: root
group: root
checksum: "{{ audit_bin_version.checksum }}"
mode: 0555
checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
mode: '0555'
when:
- get_audit_binary_method == 'download'

- name: copy audit binary
- name: Pre Audit Setup | Copy audit binary
ansible.builtin.copy:
src: "{{ audit_bin_copy_location }}"
dest: "{{ audit_bin }}"
mode: 0555
mode: '0555'
owner: root
group: root
when:
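Review bot: the ARM64 branch at `when: ansible_facts.machine == "arm64"` will not match on Linux, where the machine fact for 64-bit ARM is `aarch64`; with neither condition true `audit_pkg_arch_name` is undefined and both the `url` and the `audit_bin_version[...]` checksum lookup in the download task fail with an undefined-variable error instead of a clear message. Suggest `when: ansible_facts.machine in ['aarch64', 'arm64']` plus an `ansible.builtin.assert` that `audit_pkg_arch_name is defined` after the block. Also check the case of the suffix: the previous default URL ended in `goss-linux-amd64` and goss release assets use lowercase names, so appending `AMD64`/`ARM64` to a `goss-linux-` base would request a non-existent asset unless the new `audit_bin_url` (not shown in this commit) already accounts for it; either lowercase the fact values or use `{{ audit_pkg_arch_name | lower }}` in the URL while keeping the uppercase key for the checksum table. Keeping the per-architecture `checksum` on the download is the right call, it keeps the binary pinned.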
30 changes: 30 additions & 0 deletions tasks/audit_only.yml
@@ -0,0 +1,30 @@
---

- name: Audit_Only | Create local Directories for hosts
ansible.builtin.file:
mode: '0755'
path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
recurse: true
state: directory
when: fetch_audit_files
delegate_to: localhost
become: false

- name: Audit_only | Get audits from systems and put in group dir
ansible.builtin.fetch:
dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
flat: true
mode: '0644'
src: "{{ pre_audit_outfile }}"
when: fetch_audit_files

- name: Audit_only | Show Audit Summary
when:
- audit_only
ansible.builtin.debug:
msg: "The Audit results are: {{ pre_audit_summary }}."

- name: Audit_only | Stop Playbook Audit Only selected
when:
- audit_only
ansible.builtin.meta: end_play
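Review bot: `mode: '0644'` in the `ansible.builtin.fetch` task is not an option of that module (it takes `src`, `dest`, `flat`, `fail_on_missing` and `validate_checksum`), so the action plugin's argument validation rejects the task with an "Invalid options" error; drop it and, if the local permissions matter, set them with a follow-up `ansible.builtin.file` task delegated to localhost. Two related points: defaults/main.yml describes `fetch_audit_files` as "part of audit_only", but both fetch tasks here are gated on `fetch_audit_files` alone, so they also run in a remediation play, and only `pre_audit_outfile` is ever copied back, never `post_audit_outfile`; gate them on `audit_only and fetch_audit_files` or fetch both files. Minor: the task names mix `Audit_Only` and `Audit_only`.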
32 changes: 17 additions & 15 deletions tasks/post_remediation_audit.yml
@@ -1,44 +1,46 @@
---

- name: "Post Audit | Run post_remediation {{ benchmark }} audit"
ansible.builtin.shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
environment: "{{ audit_run_script_environment | default({}) }}"
changed_when: false
register: audit_run_post_remediation
- name: Post Audit | Run post_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
AUDIT_FILE: goss.yml

- name: Post Audit | ensure audit files readable by users
ansible.builtin.file:
path: "{{ item }}"
mode: 0644
mode: '0644'
state: file
loop:
- "{{ post_audit_outfile }}"
- "{{ pre_audit_outfile }}"

- name: Post Audit | Capture audit data if json format
when:
- audit_format == "json"
block:
- name: "Post Audit | capture data {{ post_audit_outfile }} | JSON format"
- name: capture data {{ post_audit_outfile }}
ansible.builtin.shell: "cat {{ post_audit_outfile }}"
register: post_audit
changed_when: false

- name: PostAudit | Capture post-audit result | JSON format
- name: Capture post-audit result
ansible.builtin.set_fact:
post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
vars:
summary: 'summary."summary-line"'
when:
- audit_format == "json"
summary: summary."summary-line"

- name: Post Audit | Capture audit data if documentation format
when:
- audit_format == "documentation"
block:
- name: "Post Audit | capture data {{ post_audit_outfile }} | documentation format"
- name: Post Audit | capture data {{ post_audit_outfile }}
ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
register: post_audit
changed_when: false

- name: Post Audit | Capture post-audit result | documentation format
- name: Post Audit | Capture post-audit result
ansible.builtin.set_fact:
post_audit_summary: "{{ post_audit.stdout_lines }}"
when:
- audit_format == "documentation"
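Review bot: the run command now builds a shell line from `audit_vars_path`, `post_audit_outfile` and `group_names`, and only `group_names` is quoted; since these values come from inventory and variables, either pass each through `| quote` or switch to `ansible.builtin.command` with an `argv` list so no shell parsing happens at all. Reading the result with `shell: cat` can be replaced by `ansible.builtin.slurp` on `post_audit_outfile` plus `b64decode`, and `json_query` pulls in community.general and jmespath on the controller when the same value is reachable with `(post_audit.stdout | from_json).summary['summary-line']`. Also, `AUDIT_CONTENT_LOCATION` is now `audit_conf_dest | default('/opt')` while the script itself is invoked from `audit_conf_dir`; if those two can differ, the script and the playbook disagree about where the content lives, so derive one from the other. The flip from `changed_when: false` to `changed_when: true` is reasonable since the task writes a new output file, but a one-line rationale in the commit message would help.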