Audit only enhancement and goss update #120

Merged
merged 7 commits into from
Nov 21, 2023
Merged
7 changes: 7 additions & 0 deletions Changelog.md
@@ -1,5 +1,12 @@
# Changes to rhel9CIS

## 1.1.3 - Based on CIS v1.0.0

- updated goss binary to 0.4.4
- moved majority of audit variables to vars/audit.yml
- new function to enable audit_only using remediation
- removed some dupes in audit config

## 1.1.2 - Based on CIS v1.0.0

- updated audit binary versions - aligned with rhel9-cis-audit
89 changes: 35 additions & 54 deletions defaults/main.yml
Expand Up @@ -45,28 +45,53 @@ skip_reboot: true
# default value will change to true but wont reboot if not enabled but will error
change_requires_reboot: false

#### Basic external goss audit enablement settings ####
#### Precise details - per setting can be found at the bottom of this file ####
##########################################
### Goss is required on the remote host ###
## Refer to vars/auditd.yml for any other settings ##

### Goss is required on the remote host
# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
setup_audit: false
# How to retrive goss

# enable audits to run - this runs the audit and get the latest content
run_audit: false

# Only run Audit do not remediate
audit_only: false
# As part of audit_only
# This will enable files to be copied back to control node
fetch_audit_files: false
# Path to copy the files to will create dir structure
audit_capture_files_dir: /some/location to copy to on control node

# How to retrieve audit binary
# Options are copy or download - detailed settings at the bottom of this file
# you will need to access to either github or the file already dowmloaded
get_audit_binary_method: download

## if get_audit_binary_method - copy the following needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node
## e.g copy from ansible control node to remote host
audit_bin_copy_location: /some/accessible/path

# how to get audit files onto host options
# options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly)
# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
audit_content: git

# enable audits to run - this runs the audit and get the latest content
run_audit: false
# archive or copy:
audit_conf_copy: "some path to copy from"

# get_url:
audit_files_url: "some url maybe s3?"

# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
audit_run_heavy_tests: true

# Timeout for those cmds that take longer to run where timeout set
audit_cmd_timeout: 60000
# This variable specifies the timeout (in ms) for audit commands that
# take a very long time: if a command takes too long to complete,
# it will be forcefully terminated after the specified duration.
audit_cmd_timeout: 120000

### End Goss enablements ####
#### Detailed settings found at the end of this document ####

# These variables correspond with the CIS rule IDs or paragraph numbers defined in
# the CIS benchmark documents.
Expand Down Expand Up @@ -663,47 +688,3 @@ audit_run_script_environment:
AUDIT_BIN: "{{ audit_bin }}"
AUDIT_FILE: 'goss.yml'
AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"

### Goss binary settings ###
audit_bin_release: v0.4.2
audit_bin_version:
AMD64_checksum: 'sha256:e50e43d75c47c731f5fdff176f5abeb8aca35f17aea60f85ebc28f6110cb6945'
ARM64_checksum: 'sha256:6da14a98f12d1929ea719d4cfe96087c8e3a37b29d91b72fbe6edc7f8a580784 '
audit_bin_path: /usr/local/bin/
audit_bin: "{{ audit_bin_path }}goss"
audit_format: json

# if get_goss_file == download change accordingly
audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_release }}/goss-linux-"

## if get_goss_file - copy the following needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node
## e.g copy from ansible control node to remote host
copy_goss_from_path: /some/accessible/path

### Goss Audit Benchmark file ###
## managed by the control audit_content
# git
audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
audit_git_version: "benchmark_{{ benchmark_version }}"

# copy:
audit_local_copy: "some path to copy from"

# get_url:
audit_files_url: "some url maybe s3?"

## Goss configuration information
# Where the goss configs and outputs are stored
audit_out_dir: '/opt'
audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"
pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"

## The following should not need changing
goss_file: "{{ audit_conf_dir }}goss.yml"
audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
audit_results: |
The pre remediation results are: {{ pre_audit_summary }}.
The post remediation results are: {{ post_audit_summary }}.
Full breakdown can be found in {{ audit_out_dir }}
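Review bot: `audit_capture_files_dir: /some/location to copy to on control node` in the first hunk is a plain scalar with embedded spaces, so anyone who sets `fetch_audit_files: true` without overriding it gets tasks/audit_only.yml creating a directory literally named `/some/location to copy to on control node/<inventory_hostname>` on the control node. Quote it and mark it as a placeholder, e.g. `audit_capture_files_dir: "/some/location"  # placeholder - set to a path on the control node`, or leave it empty and assert it is set where it is consumed. In the second hunk the goss release pin and the `audit_bin_version` AMD64/ARM64 checksums leave this file; the changelog says they move to vars/audit.yml, which is not in this view, so confirm that the 0.4.4 checksums and `audit_bin_url` land there and that the download task still passes `checksum:`, otherwise a binary that is later run with elevated privileges is fetched without integrity verification. The comment typos `retrive` and `dowmloaded` in the first hunk could be fixed while here.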
2 changes: 1 addition & 1 deletion tasks/LE_audit_setup.yml
Expand Up @@ -23,7 +23,7 @@
when:
- get_audit_binary_method == 'download'

- name: Pre Audit Setup | copy audit binary
- name: Pre Audit Setup | Copy audit binary
ansible.builtin.copy:
src: "{{ audit_bin_copy_location }}"
dest: "{{ audit_bin }}"
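--- /dev/null
+++ b/tasks/audit_only.yml
@@ -0,0 +1,30 @@
+---
+
+- name: Audit_Only | Create local Directories for hosts
+ansible.builtin.file:
+mode: '0755'
+path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
+recurse: true
+state: directory
+when: fetch_audit_files
+delegate_to: localhost
+become: false
+
+- name: Audit_only | Get audits from systems and put in group dir
+ansible.builtin.fetch:
+dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
+flat: true
+mode: '0644'
+src: "{{ pre_audit_outfile }}"
+when: fetch_audit_files
+
+- name: Audit_only | Show Audit Summary
+when:
+- audit_only
+ansible.builtin.debug:
+msg: "The Audit results are: {{ pre_audit_summary }}."
+
+- name: Audit_only | Stop Playbook Audit Only selected
+when:
+- audit_only
+ansible.builtin.meta: end_play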
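Review bot: `recurse: true` on the `Create local Directories for hosts` task is not needed to create the directory (`state: directory` already creates missing parents) and has a side effect: on every re-run it re-applies `mode: '0755'` to everything already under `{{ audit_capture_files_dir }}/{{ inventory_hostname }}`, so previously fetched audit result files become executable on the control node. Drop `recurse: true` and keep `mode: '0755'` for the directory itself. `mode: '0644'` on the `ansible.builtin.fetch` task does not look like a parameter that module accepts — confirm against the module's argspec; if it is ignored, set the permissions afterwards with a `file` task delegated to localhost, as the first task already does for the directory. The `when: audit_only` on the last two tasks is redundant with the import condition in tasks/pre_remediation_audit.yml, which is harmless but worth a one-line comment if it is meant as a safety net against the file being included elsewhere.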
17 changes: 14 additions & 3 deletions tasks/main.yml
Expand Up @@ -133,11 +133,22 @@
- prelim_tasks
- always

- name: run pre_remediation audit
ansible.builtin.include_tasks:
file: pre_remediation_audit.yml
- name: Include audit specific variables
when:
- run_audit or audit_only
- setup_audit
tags:
- setup_audit
- run_audit
ansible.builtin.include_vars: audit.yml

- name: Include pre-remediation audit tasks
when:
- run_audit or audit_only
- setup_audit
tags:
- run_audit
ansible.builtin.import_tasks: pre_remediation_audit.yml

- name: run Section 1 tasks
ansible.builtin.import_tasks:
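Review bot: Both new tasks are gated on `- run_audit or audit_only` together with `- setup_audit`, so with `setup_audit: false` (the default in defaults/main.yml) neither the audit variables are included nor pre_remediation_audit.yml imported, even when `run_audit` or `audit_only` is true. Because the `Audit_Only | Run Audit Only` import that ends the play lives inside pre_remediation_audit.yml, an `audit_only: true` run with `setup_audit: false` falls through to the remediation sections instead of stopping, which is the opposite of what the flag promises. pre_remediation_audit.yml already gates LE_audit_setup.yml on `setup_audit` itself, so the outer conjunction is not needed: remove the `- setup_audit` line from both `when:` lists and keep `- run_audit or audit_only`. The post-remediation audit is not in this view; if it reads the same variables, the include_vars task presumably also needs `always` among its tags so a tag-filtered run still loads them — confirm. The `run Section 1 tasks` task at the end of this hunk continues outside it.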
22 changes: 11 additions & 11 deletions tasks/post_remediation_audit.yml
@@ -1,12 +1,12 @@
---

- name: "Post Audit | Run post_remediation {{ benchmark }} audit"
- name: Post Audit | Run post_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
AUDIT_FILE: "goss.yml"
AUDIT_FILE: goss.yml

- name: Post Audit | ensure audit files readable by users
ansible.builtin.file:
Expand All @@ -18,29 +18,29 @@
- "{{ pre_audit_outfile }}"

- name: Post Audit | Capture audit data if json format
when:
- audit_format == "json"
block:
- name: "capture data {{ post_audit_outfile }}"
ansible.builtin.shell: "cat {{ post_audit_outfile }}"
- name: capture data {{ post_audit_outfile }}
ansible.builtin.shell: cat {{ post_audit_outfile }}
register: post_audit
changed_when: false

- name: Capture post-audit result
ansible.builtin.set_fact:
post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
vars:
summary: 'summary."summary-line"'
when:
- audit_format == "json"
summary: summary."summary-line"

- name: Post Audit | Capture audit data if documentation format
when:
- audit_format == "documentation"
block:
- name: "Post Audit | capture data {{ post_audit_outfile }}"
ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
- name: Post Audit | capture data {{ post_audit_outfile }}
ansible.builtin.shell: tail -2 {{ post_audit_outfile }}
register: post_audit
changed_when: false

- name: Post Audit | Capture post-audit result
ansible.builtin.set_fact:
post_audit_summary: "{{ post_audit.stdout_lines }}"
when:
- audit_format == "documentation"
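Review bot: Dropping the quotes around the JMESPath expression, `summary: summary."summary-line"`, leaves a plain scalar that only works because `"` is legal in the middle of one; it parses to the same string, but it reads as if the key path were unquoted and is easy to break on the next edit (the same change is at the end of tasks/pre_remediation_audit.yml). Restore `summary: 'summary."summary-line"'` in both files. The renamed inner task `- name: capture data {{ post_audit_outfile }}` is the one new task in this file without the `Post Audit |` prefix that its siblings carry, including its documentation-format twin two blocks down; `- name: Post Audit | Capture data {{ post_audit_outfile }}` keeps the naming consistent. The `Capture post-audit result` task in the json block lacks the prefix too, though that line is unchanged by this commit.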
73 changes: 39 additions & 34 deletions tasks/pre_remediation_audit.yml
@@ -1,113 +1,118 @@
---

- name: Pre Audit Binary Setup | Setup the LE audit
ansible.builtin.include_tasks: LE_audit_setup.yml
- name: Pre Audit Setup | Setup the LE audit
when:
- setup_audit
tags:
- setup_audit
ansible.builtin.include_tasks: LE_audit_setup.yml

- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists"
- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists
ansible.builtin.file:
path: "{{ audit_conf_dir }}"
state: directory
mode: '0755'

- name: Pre Audit Setup | If using git for content set up
when:
- audit_content == 'git'
block:
- name: Pre Audit Setup | Install git
ansible.builtin.package:
name: git
state: present

- name: Pre Audit Setup | retrieve audit content files from git
- name: Pre Audit Setup | Retrieve audit content files from git
ansible.builtin.git:
repo: "{{ audit_file_git }}"
dest: "{{ audit_conf_dir }}"
version: "{{ audit_git_version }}"
when:
- audit_content == 'git'

- name: Pre Audit Setup | copy to audit content files to server
- name: Pre Audit Setup | Copy to audit content files to server
when:
- audit_content == 'copy'
ansible.builtin.copy:
src: "{{ audit_local_copy }}"
dest: "{{ audit_conf_dest }}"
mode: preserve
when:
- audit_content == 'copy'

- name: Pre Audit Setup | unarchive audit content files on server
- name: Pre Audit Setup | Unarchive audit content files on server
when:
- audit_content == 'archived'
ansible.builtin.unarchive:
src: "{{ audit_conf_copy }}"
dest: "{{ audit_conf_dir }}"
when:
- audit_content == 'archived'

- name: Pre Audit Setup | get audit content from url
- name: Pre Audit Setup | Get audit content from url
when:
- audit_content == 'get_url'
ansible.builtin.get_url:
url: "{{ audit_files_url }}"
dest: "{{ audit_conf_dir }}"
when:
- audit_content == 'get_url'

- name: Pre Audit Setup | Check Goss is available
when:
- run_audit
block:
- name: Pre Audit Setup | Check for goss file
ansible.builtin.stat:
path: "{{ audit_bin }}"
register: goss_available

- name: Pre Audit Setup | If audit ensure goss is available
ansible.builtin.assert:
msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
when:
- not goss_available.stat.exists
when:
- run_audit
ansible.builtin.assert:
msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"

- name: Pre Audit Setup | Copy ansible default vars values to test audit
tags:
- goss_template
- run_audit
when:
- run_audit
ansible.builtin.template:
src: ansible_vars_goss.yml.j2
dest: "{{ audit_vars_path }}"
mode: '0600'
when:
- run_audit
tags:
- goss_template
- always

- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit"
- name: Pre Audit | Run pre_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
AUDIT_FILE: "goss.yml"
AUDIT_FILE: goss.yml

- name: Pre Audit | Capture audit data if json format
when:
- audit_format == "json"
block:
- name: "capture data {{ pre_audit_outfile }}"
ansible.builtin.shell: "cat {{ pre_audit_outfile }}"
- name: capture data {{ pre_audit_outfile }}
ansible.builtin.shell: cat {{ pre_audit_outfile }}
register: pre_audit
changed_when: false

- name: Pre Audit | Capture pre-audit result
ansible.builtin.set_fact:
pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
vars:
summary: 'summary."summary-line"'
when:
- audit_format == "json"
summary: summary."summary-line"

- name: Pre Audit | Capture audit data if documentation format
when:
- audit_format == "documentation"
block:
- name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format"
ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}"
- name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format
ansible.builtin.shell: tail -2 {{ pre_audit_outfile }}
register: pre_audit
changed_when: false

- name: Pre Audit | Capture pre-audit result | documentation format
ansible.builtin.set_fact:
pre_audit_summary: "{{ pre_audit.stdout_lines }}"

- name: Audit_Only | Run Audit Only
when:
- audit_format == "documentation"
- audit_only
ansible.builtin.import_tasks: audit_only.yml
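Review bot: In the new `Check Goss is available` block the `If audit ensure goss is available` task still carries only `msg:` under `ansible.builtin.assert`, at least as this page renders it; `that:` is a required argument, so when goss is missing the task fails with an argument error rather than the intended message (the play does stop, but `msg` is never shown). Replace the skip-when-present construction with `that: goss_available.stat.exists` and `fail_msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"`, dropping the `not goss_available.stat.exists` condition. The content tasks now wrapped in `when:` lists (`get_url`, `unarchive`, and the git clone pinned to branch `{{ audit_git_version }}`) still place run_audit.sh on the host, which the `Run pre_remediation` task then executes via shell, without any integrity check; a `checksum:` on `get_url` and a tag or commit pin for `version:` would close that, though those lines are unchanged by this commit. The `Audit_Only | Run Audit Only` import at the end is only reached when this file is imported, which tasks/main.yml now also conditions on `setup_audit`.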