Merge to main

.pre-commit-config.yaml

@@ -40,7 +40,7 @@ repos:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.6.0
+  rev: v24.7.0
   hooks:
   - id: ansible-lint
     name: Ansible-lint

ChangeLog.md

@@ -1,5 +1,15 @@
 # Release CIS RedHat Enterprise Linux 7 Benchmark
 
+## CIS v4.0.0 21-12-2023
+
+- updated workflows files
+- updated audit and layout
+  - audit_only option added
+- added new option for centos to update to archived repo for packages if required
+  if set to true will update and backup the CentOS-Base file to use new url
+  - rhel7cis_add_updated_repo
+- rule 5.14 updated to remove jmespath reqirement
+
 ## v4.0.0 - 21-12-2023
 
 - Rewrite to address v4.0.0 changes - refer to full changelog in release

defaults/main.yml

@@ -29,6 +29,12 @@ benchmark_version: v4.0.0
 ## Level are used heavily in audit
 rhel7cis_level_1: true
 rhel7cis_level_2: true
+
+# With CentOS being EoL many mirrors no longer exist and fail for updates
+# setting to true will replace the default /etc/yum.repos.d/CentOS-Base.repo
+# It will add the new vaulted location where it is possible to get updates and package
+rhel7cis_add_updated_repo: false
+
 ###
 ### Settings for associated Audit role using Goss
 ###

tasks/main.yml

@@ -76,6 +76,18 @@
         when:
             - system_is_container
 
+- name: Update CentOS repo for packages - Use vaulted/archive URL - backup original
+  ansible.builtin.template:
+      src: etc/yum.repos.d/CentOS-Base.repo.j2
+      dest: /etc/yum.repos.d/CentOS-Base.repo
+      owner: root
+      group: root
+      mode: '0644'
+      backup: true
+  when:
+      - rhel7cis_add_updated_repo
+      - ansible_distribution == "CentOS"
+
 - name: Run pre-reqs
   tags:
       - always

tasks/post_remediation_audit.yml

@@ -21,26 +21,24 @@
   when:
       - audit_format == "json"
   block:
-      - name: Post Audit | Capture data {{ post_audit_outfile }}
-        ansible.builtin.shell: "cat {{ post_audit_outfile }}"
-        register: discovered_post_audit
+      - name: Post Audit | Capture audit data if json format
+        ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4
         changed_when: false
+        register: post_audit_summary
 
-      - name: Post Audit | Capture post-audit result
+      - name: Post Audit | Set Fact for audit summary
         ansible.builtin.set_fact:
-            post_audit_summary: "{{ discovered_post_audit.stdout | from_json | json_query(summary) }}"
-        vars:
-            summary: summary."summary-line"
+            post_audit_results: "{{ post_audit_summary.stdout }}"
 
 - name: Post Audit | Capture audit data if documentation format
   when:
       - audit_format == "documentation"
   block:
-      - name: Post Audit | Capture data {{ post_audit_outfile }}
-        ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
-        register: discovered_post_audit
+      - name: Post Audit | Capture audit data if documentation format
+        ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation"
         changed_when: false
+        register: post_audit_summary
 
-      - name: Post Audit | Capture post-audit result
+      - name: Post Audit | Set Fact for audit summary
         ansible.builtin.set_fact:
-            post_audit_summary: "{{ discovered_post_audit.stdout_lines }}"
+            post_audit_results: "{{ post_audit_summary.stdout }}"

tasks/pre_remediation_audit.yml

@@ -90,29 +90,27 @@
   when:
       - audit_format == "json"
   block:
-      - name: Pre Audit | Capture data {{ pre_audit_outfile }}
-        ansible.builtin.shell: "cat {{ pre_audit_outfile }}"
-        register: discovered_pre_audit
+      - name: Pre Audit | Capture audit data if json format
+        ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4
         changed_when: false
+        register: pre_audit_summary
 
-      - name: Pre Audit | Capture pre-audit result
+      - name: Pre Audit | Set Fact for audit summary
         ansible.builtin.set_fact:
-            pre_audit_summary: "{{ discovered_pre_audit.stdout | from_json | json_query(summary) }}"
-        vars:
-            summary: summary."summary-line"
+            pre_audit_results: "{{ pre_audit_summary.stdout }}"
 
 - name: Pre Audit | Capture audit data if documentation format
   when:
       - audit_format == "documentation"
   block:
-      - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format
-        ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}"
-        register: discovered_pre_audit
+      - name: Pre Audit | Capture audit data if documentation format
+        ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}"  | tac | tr '\n' ' '
         changed_when: false
+        register: pre_audit_summary
 
-      - name: Pre Audit | Capture pre-audit result | documentation format
+      - name: Pre Audit | Set Fact for audit summary
         ansible.builtin.set_fact:
-            pre_audit_summary: "{{ discovered_pre_audit.stdout_lines }}"
+            pre_audit_results: "{{ pre_audit_summary.stdout }}"
 
 - name: Audit_Only | Run Audit Only
   when:

tasks/section_5/cis_5.1.4.yml

@@ -18,20 +18,13 @@
         failed_when: false
         register: rhel7cis_5_1_4_logfiles
 
-      - name: "5.1.4 | AUDIT | Ensure all logfiles have appropriate access configured | set_fact"
-        ansible.builtin.set_fact:
-            rhel7cis_4_2_3_logfiles_flattened: "{{ rhel7cis_5_1_4_logfiles | json_query('stdout_lines[*]') | flatten }}"  # noqa: jinja[invalid]
-        when:
-            - rhel7cis_5_1_4_logfiles.stdout_lines | length > 0
-            - rhel7cis_5_1_4_logfiles is defined
-
       - name: "5.1.4 | PATCH | Ensure all logfiles have appropriate access configured | change permissions"
         ansible.builtin.file:
             path: "{{ item }}"
             mode: '0640'
-        loop: "{{ rhel7cis_5_1_4_logfiles_flattened }}"
+        loop: "{{ rhel7cis_5_1_4_logfiles.stdout_lines }}"
         when:
-            - rhel7cis_5_1_4_logfiles_flattened is defined
+            - rhel7cis_5_1_4_logfiles.stdout_lines | length > 0
             - item != "/var/log/btmp"
             - item != "/var/log/utmp"
             - item != "/var/log/wtmp"

templates/etc/yum.repos.d/CentOS-Base.repo.j2

@@ -0,0 +1,34 @@
+# Note the BaseUrl Changes
+## This is due to CentOS being End Of Life
+# This will now use the legacy archived path
+# Original paths
+# mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
+# #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
+
+[base]
+name=CentOS-$releasever - Base
+baseurl=https://vault.centos.org/7.9.2009/os/$basearch
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#released updates
+[updates]
+name=CentOS-$releasever - Updates
+baseurl=https://vault.centos.org/7.9.2009/updates/$basearch
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#additional packages that may be useful
+[extras]
+name=CentOS-$releasever - Extras
+baseurl=https://vault.centos.org/7.9.2009/extras/$basearch
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#additional packages that extend functionality of existing packages
+[centosplus]
+name=CentOS-$releasever - Plus
+baseurl=https://vault.centos.org/7.9.2009/centosplus/$basearch
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

vars/audit.yml

@@ -34,7 +34,7 @@ audit_format: json
 
 audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
 audit_results: |
-      The audit results are: {{ pre_audit_summary }}
-      {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %}
+      The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }}
+      {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %}
 
       Full breakdown can be found in {{ audit_log_dir }}