diff --git a/.ansible-lint b/.ansible-lint index 057c65e0..b717f678 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -6,12 +6,10 @@ skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' - - 'fqcn-builtins' - 'experimental' - 'name[play]' - 'name[casing]' - 'name[template]' - - 'fqcn[action]' - 'key-order[task]' - '204' - '305' diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index 3ddd0a0c..11bdb467 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -75,10 +75,6 @@ { "path": "detect_secrets.filters.allowlist.is_line_allowlisted" }, - { - "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".config/.secrets.baseline" - }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", "min_level": 2 @@ -113,70 +109,11 @@ { "path": "detect_secrets.filters.regex.should_exclude_file", "pattern": [ - ".config/.gitleaks-report.json" + ".config/.gitleaks-report.json", + "tasks/parse_etc_password.yml" ] } ], - "results": { - "defaults/main.yml": [ - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d", - "is_verified": false, - "line_number": 382, - "is_secret": false - } - ], - "tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d", - "is_verified": false, - "line_number": 22, - "is_secret": false - } - ], - "tasks/parse_etc_password.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/parse_etc_password.yml", - "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "is_verified": false, - "line_number": 18 - } - ], - "vars/CentOS.yml": [ - { - "type": "Hex High Entropy String", - "filename": "vars/CentOS.yml", - "hashed_secret": "2baa4bd2c505f21a0e48d6c17a174a0c8b6f3c3b", - "is_verified": false, - "line_number": 6, - "is_secret": false - } - ], - "vars/OracleLinux.yml": [ - { - "type": "Hex High Entropy String", - "filename": "vars/OracleLinux.yml", - "hashed_secret": "260c8f0806148cd568435cd3d7647f43150efdbb", - "is_verified": false, - "line_number": 9, - "is_secret": false - } - ], - "vars/is_container.yml": [ - { - "type": "Secret Keyword", - "filename": "vars/is_container.yml", - "hashed_secret": "b92ce9d4aeed417acfd85f0f9bc7cdb5e6d05c5d", - "is_verified": false, - "line_number": 377, - "is_secret": false - } - ] - }, - "generated_at": "2023-09-13T08:05:26Z" + "results": {}, + "generated_at": "2023-10-09T15:14:50Z" } diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index a4e7d48a..dba39dc0 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -27,7 +27,7 @@ repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. # This workflow contains a single job which tests the playbook playbook-test: diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 97c79434..873f2757 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.2.0 + rev: v4.5.0 hooks: # Safety - id: detect-aws-credentials @@ -37,13 +37,13 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.17.0 + rev: v8.18.2 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.17.2 + rev: v24.2.0 hooks: - id: ansible-lint name: Ansible-lint @@ -62,6 +62,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.32.0 # or higher tag + rev: v1.35.1 # or higher tag hooks: - id: yamllint diff --git a/.yamllint b/.yamllint index ec469292..65faae6c 100644 --- a/.yamllint +++ b/.yamllint @@ -30,4 +30,4 @@ rules: trailing-spaces: enable truthy: allowed-values: ['true', 'false'] - check-keys: false + check-keys: true diff --git a/README.md b/README.md index a1a652b8..844c60a6 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,6 @@ ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) -![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56324?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) @@ -39,7 +38,7 @@ ### Community -On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users +On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users --- @@ -169,6 +168,10 @@ uses: pre-commit run ``` -## Credits +## Credits and Thanks -This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig) +Massive thanks to the fantastic community and all its members. + +This includes a huge thanks and credit to the original authors and maintainers. + +Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell diff --git a/ansible.cfg b/ansible.cfg index 39399065..c7c4ec86 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -22,4 +22,4 @@ transfer_method=scp [colors] -[diff] \ No newline at end of file +[diff] diff --git a/collections/requirements.yml b/collections/requirements.yml index 23596ec0..8ebc6180 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -2,7 +2,13 @@ collections: - name: community.general + source: https://github.com/ansible-collections/community.general + type: git - name: community.crypto + source: https://github.com/ansible-collections/community.crypto + type: git - name: ansible.posix + source: https://github.com/ansible-collections/ansible.posix + type: git diff --git a/defaults/main.yml b/defaults/main.yml index 9c3f8670..42ea0764 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -26,25 +26,46 @@ python2_bin: /bin/python2.7 benchmark: RHEL7-CIS benchmark_version: v3.1.1 -#### Basic external goss audit enablement settings #### -#### Precise details - per setting can be found at the bottom of this file #### +########################################## +### Goss is required on the remote host ### +## Refer to vars/auditd.yml for any other settings ## -### Goss is required on the remote host +# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false -# How to retrive goss + +# enable audits to run - this runs the audit and get the latest content +run_audit: false + +# Only run Audit do not remediate +audit_only: false +# As part of audit_only +# This will enable files to be copied back to control node +fetch_audit_files: false +# Path to copy the files to will create dir structure +audit_capture_files_dir: /some/location to copy to on control node + +# How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded -get_goss_file: download +get_audit_binary_method: download + +## if get_audit_binary_method - copy the following needs to be updated for your environment +## it is expected that it will be copied from somewhere accessible to the control node +## e.g copy from ansible control node to remote host +audit_bin_copy_location: /some/accessible/path # how to get audit files onto host options -# options are git/copy/get_url +# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf audit_content: git -# Timeout for those cmds that take longer to run where timeout set -audit_cmd_timeout: 30000 +# archive or copy: +audit_conf_copy: "some path to copy from" -# enable audits to run - this runs the audit and get the latest content -run_audit: false +# get_url: +audit_files_url: "some url maybe s3?" + +# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system +audit_run_heavy_tests: true ### End Goss enablements #### #### Detailed settings found at the end of this document #### @@ -379,7 +400,7 @@ rhel7cis_rhnsd_required: false # 1.4.2 Bootloader password rhel7cis_set_boot_pass: false -rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispart' +rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispart' # pragma: allowlist secret # System network parameters (host only OR host and router) rhel7cis_is_router: false @@ -565,55 +586,3 @@ rhel7cis_dotperm_ansiblemanaged: true # RHEL-07-6.2.18 Clear users from shadow group rhel7cis_remove_shadow_grp_usrs: true - -#### Goss Configuration Settings #### -audit_run_script_environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_FILE: 'goss.yml' - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - -### Goss binary settings ### -goss_version: - release: v0.3.23 - checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' -audit_bin_path: /usr/local/bin/ -audit_bin: "{{ audit_bin_path }}goss" -audit_format: json - -# if get_goss_file == download change accordingly -goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64" - -## if get_goss_file - copy the following needs to be updated for your environment -## it is expected that it will be copied from somewhere accessible to the control node -## e.g copy from ansible control node to remote host -copy_goss_from_path: /some/accessible/path - -### Goss Audit Benchmark file ### -## managed by the control audit_content -# git -audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: "benchmark_{{ benchmark_version }}" - -# copy: -audit_local_copy: "some path to copy from" - -# get_url: -audit_files_url: "some url maybe s3?" - -# Where the goss audit configuration will be stored -audit_files: "/opt/{{ benchmark }}-Audit/" - -## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" - -## The following should not need changing -goss_file: "{{ audit_conf_dir }}goss.yml" -audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml" -audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. - The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} diff --git a/meta/main.yml b/meta/main.yml index abb0ca71..7221686c 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,7 +1,7 @@ --- galaxy_info: - author: "Sam Doran, Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, Mark Bolwell, George Nalen" + author: "MindPoint group" description: "Apply the CIS RHEL7 role" company: "MindPoint Group" license: MIT diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 6c8ae374..7ef94b4a 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -1,22 +1,34 @@ --- -- name: Download goss binary +- name: Pre Audit Setup | Set audit package name + block: + - name: Pre Audit Setup | Set audit package name | 64bit + ansible.builtin.set_fact: + audit_pkg_arch_name: AMD64 + when: ansible_facts.machine == "x86_64" + + - name: Pre Audit Setup | Set audit package name | ARM64 + ansible.builtin.set_fact: + audit_pkg_arch_name: ARM64 + when: ansible_facts.machine == "arm64" + +- name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: - url: "{{ goss_url }}" + url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}" dest: "{{ audit_bin }}" owner: root group: root - checksum: "{{ goss_version.checksum }}" - mode: 0555 + checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" + mode: '0555' when: - - get_goss_file == 'download' + - get_audit_binary_method == 'download' -- name: Copy goss binary +- name: Pre Audit Setup | Copy audit binary ansible.builtin.copy: - src: "{{ copy_goss_from_path }}" + src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" - mode: 0555 + mode: '0555' owner: root group: root when: - - get_goss_file == 'copy' + - get_audit_binary_method == 'copy' diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml new file mode 100644 index 00000000..864f5bbe --- /dev/null +++ b/tasks/audit_only.yml @@ -0,0 +1,30 @@ +--- + +- name: Audit_Only | Create local Directories for hosts + ansible.builtin.file: + mode: '0755' + path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" + recurse: true + state: directory + when: fetch_audit_files + delegate_to: localhost + become: false + +- name: Audit_only | Get audits from systems and put in group dir + ansible.builtin.fetch: + dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" + flat: true + mode: '0644' + src: "{{ pre_audit_outfile }}" + when: fetch_audit_files + +- name: Audit_only | Show Audit Summary + when: + - audit_only + ansible.builtin.debug: + msg: "The Audit results are: {{ pre_audit_summary }}." + +- name: Audit_only | Stop Playbook Audit Only selected + when: + - audit_only + ansible.builtin.meta: end_play diff --git a/tasks/check_prereqs.yml b/tasks/check_prereqs.yml index 09a1b670..8bb53ab0 100644 --- a/tasks/check_prereqs.yml +++ b/tasks/check_prereqs.yml @@ -2,11 +2,10 @@ - name: "PREREQ | Check required packages installed | Python2" ansible.builtin.package: - list: "{{ item }}" + name: + - rpm-python + - libselinux-python state: present - loop: - - rpm-python - - libselinux-python when: ansible_python.version.major == 2 vars: ansible_python_interpreter: "{{ python2_bin }}" diff --git a/tasks/main.yml b/tasks/main.yml index 05209d0e..159110d4 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -19,8 +19,8 @@ - name: Check rhel7cis_bootloader_password_hash variable has been changed ansible.builtin.assert: - that: rhel7cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispart' - msg: "This role will not be able to run single user password commands as rhel7cis_bootloader_password_hash variable has not been set" + that: rhel7cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispart' # pragma: allowlist secret + msg: "This role will not be able to run single user password commands as rhel7cis_bootloader_password_hash variable has not been set" # pragma: allowlist secret when: - ansible_distribution_version >= '7.2' - rhel7cis_set_boot_pass @@ -47,7 +47,8 @@ - rule_5.6 - name: Import prereq checks - ansible.builtin.import_tasks: check_prereqs.yml + ansible.builtin.import_tasks: + file: check_prereqs.yml tags: - always - prereqs @@ -75,15 +76,28 @@ - always - name: Import preliminary tasks - ansible.builtin.import_tasks: prelim.yml + ansible.builtin.import_tasks: + file: prelim.yml tags: - prelim_tasks - always -- name: Import pre remediation audit - ansible.builtin.import_tasks: pre_remediation_audit.yml +- name: Include audit specific variables + ansible.builtin.include_vars: + file: audit.yml when: + - run_audit or audit_only + - setup_audit + tags: + - setup_audit - run_audit + +- name: Include pre-remediation audit tasks + ansible.builtin.import_tasks: + file: pre_remediation_audit.yml + when: + - run_audit or audit_only + - setup_audit tags: - run_audit @@ -94,48 +108,56 @@ - always - name: Include OS specific variables - ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" + ansible.builtin.include_vars: + file: "{{ ansible_distribution }}.yml" tags: - always - name: Run parse etc password for user variables - ansible.builtin.import_tasks: parse_etc_password.yml + ansible.builtin.import_tasks: + file: parse_etc_password.yml when: - rhel7cis_section5 or rhel7cis_section6 - name: Import section 1 tasks - ansible.builtin.import_tasks: section_1/main.yml + ansible.builtin.import_tasks: + file: section_1/main.yml when: rhel7cis_section1 tags: - rhel7cis_section1 - name: Import section 2 tasks - ansible.builtin.import_tasks: section_2/main.yml + ansible.builtin.import_tasks: + file: section_2/main.yml tags: - rhel7cis_section2 when: rhel7cis_section2 - name: Import section 3 tasks - ansible.builtin.import_tasks: section_3/main.yml + ansible.builtin.import_tasks: + file: section_3/main.yml when: rhel7cis_section3 tags: - rhel7cis_section3 - name: Import section 4 tasks - ansible.builtin.import_tasks: section_4/main.yml + ansible.builtin.import_tasks: + file: section_4/main.yml when: rhel7cis_section4 tags: - rhel7cis_section4 - name: Import section 5 tasks - ansible.builtin.import_tasks: section_5/main.yml + ansible.builtin.import_tasks: + file: section_5/main.yml when: rhel7cis_section5 tags: - rhel7cis_section5 - name: Import section 6 tasks - ansible.builtin.import_tasks: section_6/main.yml + ansible.builtin.import_tasks: + file: section_6/main.yml when: rhel7cis_section6 tags: - rhel7cis_section6 @@ -144,17 +166,17 @@ ansible.builtin.meta: flush_handlers - name: Post Task - ansible.builtin.import_tasks: post.yml + ansible.builtin.import_tasks: + file: post.yml tags: - post_tasks - always -- name: Import post remediation task - ansible.builtin.import_tasks: post_remediation_audit.yml +- name: Run post audit + ansible.builtin.import_tasks: + file: post_remediation_audit.yml when: - run_audit - tags: - - run_audit - name: Show Audit Summary ansible.builtin.debug: diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 95c26a64..2c51bbb0 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,24 +1,28 @@ --- -- name: "Post Audit | Run post_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: false - register: audit_run_post_remediation +- name: Post Audit | Run post_remediation {{ benchmark }} audit + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: goss.yml - name: Post Audit | ensure audit files readable by users ansible.builtin.file: path: "{{ item }}" - mode: 0644 + mode: '0644' state: file loop: - "{{ post_audit_outfile }}" - "{{ pre_audit_outfile }}" - name: Post Audit | Capture audit data if json format + when: + - audit_format == "json" block: - - name: "capture data {{ post_audit_outfile }}" - ansible.builtin.command: "cat {{ post_audit_outfile }}" + - name: capture data {{ post_audit_outfile }} + ansible.builtin.shell: cat {{ post_audit_outfile }} register: post_audit changed_when: false @@ -26,19 +30,17 @@ ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + summary: summary."summary-line" - name: Post Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - name: "Post Audit | capture data {{ post_audit_outfile }}" - ansible.builtin.command: "tail -2 {{ post_audit_outfile }}" + - name: Post Audit | capture data {{ post_audit_outfile }} + ansible.builtin.shell: tail -2 {{ post_audit_outfile }} register: post_audit changed_when: false - name: Post Audit | Capture post-audit result ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout_lines }}" - when: - - audit_format == "documentation" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 6109d5ca..7bf3d991 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,63 +1,58 @@ --- -- name: Audit Binary Setup | Setup the LE audit - ansible.builtin.include_tasks: LE_audit_setup.yml +- name: Pre Audit Setup | Setup the LE audit when: - setup_audit tags: - setup_audit + ansible.builtin.include_tasks: LE_audit_setup.yml -- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" +- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' - name: Pre Audit Setup | If using git for content set up + when: + - audit_content == 'git' block: - - name: Pre Audit Setup | Install git (rh8 python3) - ansible.builtin.package: - name: git - state: present - register: git_audit - when: ansible_distribution_major_version == '8' - - - name: Pre Audit Setup | Install git (rh7 python2) + - name: Pre Audit Setup | Install git ansible.builtin.package: name: git state: present - register: git_audit - vars: - ansible_python_interpreter: "{{ python2_bin }}" - when: ansible_distribution_major_version == '7' - - name: Pre Audit Setup | retrieve audit content files from git + - name: Pre Audit Setup | Retrieve audit content files from git ansible.builtin.git: repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" version: "{{ audit_git_version }}" - when: - - audit_content == 'git' -- name: Pre Audit Setup | copy to audit content files to server +- name: Pre Audit Setup | Copy to audit content files to server + when: + - audit_content == 'copy' ansible.builtin.copy: src: "{{ audit_local_copy }}" - dest: "{{ audit_conf_dir }}" - mode: 0644 + dest: "{{ audit_conf_dest }}" + mode: preserve + +- name: Pre Audit Setup | Unarchive audit content files on server when: - - audit_content == 'copy' + - audit_content == 'archived' + ansible.builtin.unarchive: + src: "{{ audit_conf_copy }}" + dest: "{{ audit_conf_dir }}" -- name: Pre Audit Setup | get audit content from url +- name: Pre Audit Setup | Get audit content from url + when: + - audit_content == 'get_url' ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" - owner: root - group: root - mode: 0755 - when: - - audit_content == 'get_url' - name: Pre Audit Setup | Check Goss is available + when: + - run_audit block: - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: @@ -65,33 +60,36 @@ register: goss_available - name: Pre Audit Setup | If audit ensure goss is available - ansible.builtin.assert: - msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" when: - not goss_available.stat.exists - when: - - run_audit + ansible.builtin.assert: + msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - name: Pre Audit Setup | Copy ansible default vars values to test audit + tags: + - goss_template + - run_audit + when: + - run_audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" - mode: 0600 - when: - - run_audit - tags: - - goss_template + mode: '0600' -- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - ansible.builtin.shell: "{{ audit_conf_dir }}run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: false - register: audit_run_pre_remediation +- name: Pre Audit | Run pre_remediation {{ benchmark }} audit + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format + when: + - audit_format == "json" block: - - name: "capture data {{ pre_audit_outfile }}" - ansible.builtin.command: "cat {{ pre_audit_outfile }}" + - name: capture data {{ pre_audit_outfile }} + ansible.builtin.shell: cat {{ pre_audit_outfile }} register: pre_audit changed_when: false @@ -99,19 +97,22 @@ ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + summary: summary."summary-line" - name: Pre Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - name: "capture data {{ pre_audit_outfile }}" - ansible.builtin.command: "tail -2 {{ pre_audit_outfile }}" + - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format + ansible.builtin.shell: tail -2 {{ pre_audit_outfile }} register: pre_audit changed_when: false - - name: Pre Audit | Capture pre-audit result + - name: Pre Audit | Capture pre-audit result | documentation format ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout_lines }}" + +- name: Audit_Only | Run Audit Only when: - - audit_format == "documentation" + - audit_only + ansible.builtin.import_tasks: audit_only.yml diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 179e73dc..8b4a1f37 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -74,7 +74,7 @@ - rule_1.2.4 - name: "1.2.5 | PATCH | Disable the rhnsd Daemon" - ansible.builtin.service: + ansible.builtin.systemd: name: rhnsd state: stopped enabled: false diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 32bd6d88..4851f703 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -1,33 +1,43 @@ --- - name: "SECTION | 1.1.1 | FileSystem Configurations" - ansible.builtin.import_tasks: cis_1.1.1.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.1.x.yml - name: "SECTION | 1.1 | Partition Configurations" - ansible.builtin.import_tasks: cis_1.1.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.x.yml - name: "SECTION | 1.2 | Configure Software Updates" - ansible.builtin.import_tasks: cis_1.2.x.yml + ansible.builtin.import_tasks: + file: cis_1.2.x.yml - name: "SECTION | 1.3 | Filesystem Integrity" - ansible.builtin.import_tasks: cis_1.3.x.yml + ansible.builtin.import_tasks: + file: cis_1.3.x.yml when: rhel7cis_config_aide - name: "SECTION | 1.4 | Secure Boot Settings" - ansible.builtin.import_tasks: cis_1.4.x.yml + ansible.builtin.import_tasks: + file: cis_1.4.x.yml - name: "SECTION | 1.5 | Additional Process Hardening" - ansible.builtin.import_tasks: cis_1.5.x.yml + ansible.builtin.import_tasks: + file: cis_1.5.x.yml - name: "SECTION | 1.6 | Mandatory Access Control" - ansible.builtin.import_tasks: cis_1.6.x.yml + ansible.builtin.import_tasks: + file: cis_1.6.x.yml when: not rhel7cis_selinux_disable - name: "SECTION | 1.7 | Warning Banners" - ansible.builtin.import_tasks: cis_1.7.x.yml + ansible.builtin.import_tasks: + file: cis_1.7.x.yml - name: "SECTION | 1.8 | GDM Login" - ansible.builtin.import_tasks: cis_1.8.x.yml + ansible.builtin.import_tasks: + file: cis_1.8.x.yml - name: "SECTION | 1.9 | Updated and Patches" - ansible.builtin.import_tasks: cis_1.9.x.yml + ansible.builtin.import_tasks: + file: cis_1.9.x.yml diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 7c208c68..196c5502 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -1,16 +1,21 @@ --- - name: "SECTION | 2.1 | inetd Services" - ansible.builtin.import_tasks: cis_2.1.x.yml + ansible.builtin.import_tasks: + file: cis_2.1.x.yml - name: "SECTION | 2.2.1 | Time Synchronization" - ansible.builtin.import_tasks: cis_2.2.1.x.yml + ansible.builtin.import_tasks: + file: cis_2.2.1.x.yml - name: "SECTION | 2.2 | Special Purpose Services" - ansible.builtin.import_tasks: cis_2.2.x.yml + ansible.builtin.import_tasks: + file: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" - ansible.builtin.import_tasks: cis_2.3.x.yml + ansible.builtin.import_tasks: + file: cis_2.3.x.yml - name: "SECTION | 2.4 | Nonessential Services" - ansible.builtin.import_tasks: cis_2.4.x.yml + ansible.builtin.import_tasks: + file: cis_2.4.x.yml diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 8fff24c3..9f073ae1 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml @@ -1,26 +1,32 @@ --- - name: "SECTION | 3.1 | Disable unused network protocols and devices" - ansible.builtin.import_tasks: cis_3.1.x.yml + ansible.builtin.import_tasks: + file: cis_3.1.x.yml - name: "SECTION | 3.2 | Network Parameters (Host Only)" - ansible.builtin.import_tasks: cis_3.2.x.yml + ansible.builtin.import_tasks: + file: cis_3.2.x.yml - name: "SECTION | 3.3 | Network Parameters (Host and Router)" - ansible.builtin.import_tasks: cis_3.3.x.yml + ansible.builtin.import_tasks: + file: cis_3.3.x.yml - name: "SECTION | 3.4 | Uncommon Network Protocols" - ansible.builtin.import_tasks: cis_3.4.x.yml + ansible.builtin.import_tasks: + file: cis_3.4.x.yml - name: "SECTION | 3.5.1 | Configure firewalld" - ansible.builtin.import_tasks: cis_3.5.1.x.yml + ansible.builtin.import_tasks: + file: cis_3.5.1.x.yml when: - rhel7cis_firewall == "firewalld" tags: - firewalld - name: "SECTION | 3.5.2 | Configure nftables" - ansible.builtin.import_tasks: cis_3.5.2.x.yml + ansible.builtin.import_tasks: + file: cis_3.5.2.x.yml when: - rhel7cis_firewall == "nftables" tags: @@ -29,16 +35,19 @@ - name: "SECTION | 3.5.3.x.x | Configure iptables" block: - name: "SECTION | 3.5.3.1.x | Configure iptables" - ansible.builtin.import_tasks: cis_3.5.3.1.x.yml + ansible.builtin.import_tasks: + file: cis_3.5.3.1.x.yml - name: "SECTION | 3.5.3.2.x | Configure iptables" - ansible.builtin.import_tasks: cis_3.5.3.2.x.yml + ansible.builtin.import_tasks: + file: cis_3.5.3.2.x.yml when: - rhel7cis_firewall == "iptables" tags: - iptables - name: "SECTION | 3.5.3.3.x | Configure ip6tables" - ansible.builtin.import_tasks: cis_3.5.3.3.x.yml + ansible.builtin.import_tasks: + file: cis_3.5.3.3.x.yml when: - not rhel7cis_ipv6_required - rhel7cis_firewall == "iptables" diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index d0da9e9c..354361be 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -1,16 +1,21 @@ --- - name: "SECTION | 4.1| Configure System Accounting (auditd)" - ansible.builtin.import_tasks: cis_4.1.1.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.1.x.yml - name: "SECTION | 4.1.2.x| Configure Data Retention" - ansible.builtin.import_tasks: cis_4.1.2.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.2.x.yml - name: "SECTION | 4.2.x| Configure Logging" - ansible.builtin.import_tasks: cis_4.2.1.x.yml + ansible.builtin.import_tasks: + file: cis_4.2.1.x.yml - name: "SECTION | 4.2.2.x| Configure journald" - ansible.builtin.import_tasks: cis_4.2.2.x.yml + ansible.builtin.import_tasks: + file: cis_4.2.2.x.yml - name: "SECTION | 4.2.x | logfile configuration" - ansible.builtin.import_tasks: cis_4.2.x.yml + ansible.builtin.import_tasks: + file: cis_4.2.x.yml diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 4e9481f2..23eb9d21 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -3,7 +3,7 @@ - name: "5.5.2 | PATCH | Ensure system accounts are secured" block: - name: "5.5.2 | PATCH | Ensure system accounts are secured | Set nologin" - user: + ansible.builtin.user: name: "{{ item.id }}" shell: /usr/sbin/nologin loop: "{{ rhel7cis_passwd }}" @@ -19,7 +19,7 @@ - item.shell != " /usr/sbin/nologin" - name: "5.5.2 | PATCH | Ensure system accounts are secured | Lock accounts" - user: + ansible.builtin.user: name: "{{ item.id }}" password_lock: true loop: "{{ rhel7cis_passwd }}" @@ -42,7 +42,7 @@ - rule_5.5.2 - name: "5.5.3 | PATCH | Ensure default group for the root account is GID 0" - shell: usermod -g 0 root + ansible.builtin.shell: usermod -g 0 root changed_when: false failed_when: false when: diff --git a/tasks/section_5/cis_5.7.yml b/tasks/section_5/cis_5.7.yml index 04709c86..b3c467fd 100644 --- a/tasks/section_5/cis_5.7.yml +++ b/tasks/section_5/cis_5.7.yml @@ -10,7 +10,7 @@ line: 'auth required pam_wheel.so use_uid {% if rhel7cis_sugroup is defined %}group={{ rhel7cis_sugroup }}{% endif %}' - name: "5.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root" - ansible.builtin.group: + ansible.builtin.user: name: root groups: "{{ rhel7cis_sugroup }}" when: diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index dd373019..190bf4e9 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -1,25 +1,33 @@ --- - name: "SECTION | 5.1 | Configure time-based job schedulers" - ansible.builtin.import_tasks: cis_5.1.x.yml + ansible.builtin.import_tasks: + file: cis_5.1.x.yml - name: "SECTION | 5.2 | Configure Sudo" - ansible.builtin.import_tasks: cis_5.2.x.yml + ansible.builtin.import_tasks: + file: cis_5.2.x.yml - name: "SECTION | 5.3 | Configure SSH Server" - ansible.builtin.import_tasks: cis_5.3.x.yml + ansible.builtin.import_tasks: + file: cis_5.3.x.yml - name: "SECTION | 5.4 | Configure PAM" - ansible.builtin.import_tasks: cis_5.4.x.yml + ansible.builtin.import_tasks: + file: cis_5.4.x.yml - name: "SECTION | 5.5.1 | Set Shadow Password Suite Parameters" - ansible.builtin.import_tasks: cis_5.5.1.x.yml + ansible.builtin.import_tasks: + file: cis_5.5.1.x.yml - name: "SECTION | 5.5 | User Accounts and Environment" - ansible.builtin.import_tasks: cis_5.5.x.yml + ansible.builtin.import_tasks: + file: cis_5.5.x.yml - name: "SECTION | 5.6 | User Accounts and Environment" - ansible.builtin.import_tasks: cis_5.6.yml + ansible.builtin.import_tasks: + file: cis_5.6.yml - name: "SECTION | 5.7 | User Accounts and Environment" - ansible.builtin.import_tasks: cis_5.7.yml + ansible.builtin.import_tasks: + file: cis_5.7.yml diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 08eb8b28..89fb7297 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -10,7 +10,7 @@ - rhel7cis_passwd | selectattr('password', '!=', 'x') - name: "6.2.1 | PATCH | Ensure accounts in /etc/passwd use shadow passwords | Good News" - debug: + ansible.builtin.debug: msg: "Good News!! No Unshadowed passwords have been found" when: rhel7_6_2_1_shadow is not changed when: diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index 35328e5f..b194fdc8 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -1,7 +1,9 @@ --- - name: "SECTION | 6.1 | System File Permissions" - ansible.builtin.import_tasks: cis_6.1.x.yml + ansible.builtin.import_tasks: + file: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - ansible.builtin.import_tasks: cis_6.2.x.yml + ansible.builtin.import_tasks: + file: cis_6.2.x.yml diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index a9a43ace..ba9ffa85 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -24,7 +24,7 @@ rhel7cis_selinux_state: {{ rhel7cis_selinux_state }} rhel7cis_level1: true rhel7cis_level2: true # to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy -run_heavy_tests: true +run_heavy_tests: {{ audit_run_heavy_tests }} rhel7cis_legacy_boot: {{ rhel7cis_legacy_boot }} diff --git a/templates/audit/access.rules.j2 b/templates/audit/access.rules.j2 index d877a3b9..1a86703a 100644 --- a/templates/audit/access.rules.j2 +++ b/templates/audit/access.rules.j2 @@ -1,4 +1,4 @@ --a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access +-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access diff --git a/templates/audit/logins.rules.j2 b/templates/audit/logins.rules.j2 index c47bf6e5..092a053c 100644 --- a/templates/audit/logins.rules.j2 +++ b/templates/audit/logins.rules.j2 @@ -1,3 +1,3 @@ --w /var/log/faillog -p wa -k logins +-w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/run/faillock/ -p wa -k logins diff --git a/templates/audit/priv_commands.rules.j2 b/templates/audit/priv_commands.rules.j2 index 92eb78eb..ed65a428 100644 --- a/templates/audit/priv_commands.rules.j2 +++ b/templates/audit/priv_commands.rules.j2 @@ -1,4 +1,4 @@ -{% for proc in priv_procs.stdout_lines -%} +{% for proc in priv_procs.stdout_lines -%} -a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged {% endfor %} diff --git a/templates/audit/session.rules.j2 b/templates/audit/session.rules.j2 index ea5c4894..51d7254f 100644 --- a/templates/audit/session.rules.j2 +++ b/templates/audit/session.rules.j2 @@ -1,3 +1,3 @@ --w /var/run/utmp -p wa -k session --w /var/log/wtmp -p wa -k logins +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k logins -w /var/log/btmp -p wa -k logins diff --git a/templates/audit/system_local.rules.j2 b/templates/audit/system_local.rules.j2 index 32fb3083..63d590ed 100644 --- a/templates/audit/system_local.rules.j2 +++ b/templates/audit/system_local.rules.j2 @@ -1,5 +1,5 @@ --a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale --a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale +-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale diff --git a/templates/audit/time_change.rules.j2 b/templates/audit/time_change.rules.j2 index 625a117c..e39a529d 100644 --- a/templates/audit/time_change.rules.j2 +++ b/templates/audit/time_change.rules.j2 @@ -1,6 +1,6 @@ -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change -{% if ansible_architecture == 'x86_64' -%} +{% if ansible_architecture == 'x86_64' -%} -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change {% endif %} diff --git a/vars/CentOS.yml b/vars/CentOS.yml index 1b6f75a1..e16bbcb6 100644 --- a/vars/CentOS.yml +++ b/vars/CentOS.yml @@ -3,4 +3,4 @@ rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 rpm_packager: "CentOS BuildSystem" -rpm_key: "24c6a8a7f4a80eb5" # found on https://www.centos.org/keys/ +rpm_key: "24c6a8a7f4a80eb5" # found on https://www.centos.org/keys/ # pragma: allowlist secret diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml index 960a47a7..b7c1d32a 100644 --- a/vars/OracleLinux.yml +++ b/vars/OracleLinux.yml @@ -6,4 +6,4 @@ rpm_packager: "(none)" # found on https://linux.oracle.com/security/gpg/ -rpm_key: "72f97b74ec551f03" +rpm_key: "72f97b74ec551f03" # pragma: allowlist secret diff --git a/vars/audit.yml b/vars/audit.yml new file mode 100644 index 00000000..a85db5d3 --- /dev/null +++ b/vars/audit.yml @@ -0,0 +1,39 @@ +--- + +# Timeout for those cmds that take longer to run where timeout set +audit_cmd_timeout: 120000 + +# if get_audit_binary_method == download change accordingly +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-" + +### Goss Audit Benchmark file ### +## managed by the control audit_content +# git +audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" +audit_git_version: "benchmark_{{ benchmark_version }}" + +## Goss configuration information +# Where the goss configs and outputs are stored +audit_out_dir: '/opt' +# Where the goss audit configuration will be stored +audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" + +# If changed these can affect other products +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" + +## The following should not need changing + +### Audit binary settings ### +audit_bin_version: + release: v0.3.23 + AMD64_checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' +audit_bin_path: /usr/local/bin/ +audit_bin: "{{ audit_bin_path }}goss" +audit_format: json + +audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" +audit_results: | + The pre remediation results are: {{ pre_audit_summary }}. + The post remediation results are: {{ post_audit_summary }}. + Full breakdown can be found in {{ audit_out_dir }} diff --git a/vars/is_container.yml b/vars/is_container.yml index bb45e082..7c7f57a4 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -374,7 +374,7 @@ rhel7cis_rhnsd_required: false # 1.4.2 Bootloader password rhel7cis_set_boot_pass: false -rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispart' +rhel7cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispart' # pragma: allowlist secret # System network parameters (host only OR host and router) rhel7cis_is_router: false