Merge pull request #151 from ansible-lockdown/audit_script

Audit script Overall Review of Changes: Addition of audit script Many issues resolved and added to the release Issue Fixes: #138 #139 #140 #141 #142 #143 #144 #146 #147 Enhancements: Addition of audit updates Now consistent metadata Inline with other os agnostic variables for audit if run manually or via ansible removal of included goss module no longer required
ansible-lockdown · Dec 21, 2021 · 6818bbd · 6818bbd
2 parents b026b7e + c6554b8
commit 6818bbd
Show file tree

Hide file tree

Showing 15 changed files with 89 additions and 239 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1,6 @@
+# adding github settings to show correct language
+*.sh linguist-detectable=true
+*.yml linguist-detectable=true
+*.ps1 linguist-detectable=true
+*.j2 linguist-detectable=true
+*.md linguist-documentation
diff --git a/Changelog.md b/Changelog.md
@@ -1,5 +1,24 @@
 # Changes to rhel8CIS
 
+## 1.3.3
+
+- update to audit script
+ - variable for audit OS agnostic
+ - removal of included library module (not required)
+
+- Issues included
+ - #135 - running levels - upadted tags
+ - #138 - auditd immutable
+ - #139 - 5.2.13 valus updated
+ - #140
+ - #141 - check mode update
+ - #142
+ - #143 - labels added
+ - #144
+ - #146 - undefined variable added
+ - #147 - removed warn statement
+ - #149 - shell timeout
+
 ## 1.3.2
 
 - issues with crypto policies on ec2 - added skip for rules if system_is_ec2 variable

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -487,8 +487,8 @@ rhel8cis_system_is_log_server: false
 ## Section5 vars
 
 rhel8cis_sshd:
- clientalivecountmax: 3
- clientaliveinterval: 300
+ clientalivecountmax: 0
+ clientaliveinterval: 900
  ciphers: "aes256-ctr,aes192-ctr,aes128-ctr"
  macs: "[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,[email protected]"
  logingracetime: 60
@@ -592,19 +592,19 @@ goss_url: "https:/aelsabbahy/goss/releases/download/{{ goss_version.
 copy_goss_from_path: /some/accessible/path
 
 ### Goss Audit Benchmark file ###
-## managed by the control rhel8cis_audit_content
+## managed by the control audit_content
 # git
-rhel8cis_audit_file_git: "https:/ansible-lockdown/{{ benchmark }}-Audit.git"
-rhel8cis_audit_git_version: main
+audit_file_git: "https:/ansible-lockdown/{{ benchmark }}-Audit.git"
+audit_git_version: main
 
 # copy:
-rhel8cis_audit_local_copy: "some path to copy from"
+audit_local_copy: "some path to copy from"
 
 # get_url:
-rhel8cis_audit_files_url: "some url maybe s3?"
+audit_files_url: "some url maybe s3?"
 
 # Where the goss audit configuration will be stored
-rhel8cis_audit_files: "/var/tmp/{{ benchmark }}-Audit/"
+audit_files: "/var/tmp/{{ benchmark }}-Audit/"
 
 ## Goss configuration information
 # Where the goss configs and outputs are stored

diff --git a/library/goss.py b/library/goss.py
diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml
@@ -1,14 +1,14 @@
 ---
 
-- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 6.2.20 | Parse /etc/passwd"
+- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
  block:
- - name: "PRELIM | {{ rhel8cis_passwd_tasks }} | Parse /etc/passwd"
+ - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
  command: cat /etc/passwd
  changed_when: no
  check_mode: no
  register: rhel8cis_passwd_file_audit
 
- - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 6.2.20 | Split passwd entries"
+ - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries"
  set_fact:
  rhel8cis_passwd: "{{ rhel8cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
  with_items: "{{ rhel8cis_passwd_file_audit.stdout_lines }}"

diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
@@ -1,17 +1,11 @@
 ---
 
-- name: "Run post_remediation {{ benchmark }} audit"
- goss:
- goss_path: "{{ audit_bin }}"
- path: "{{ goss_file }}"
- vars_path: "{{ audit_vars_path }}"
- format: "{{ audit_format }}"
- output_file: "{{ post_audit_outfile }}"
- failed_when: false
- environment:
- GOSS_FMT_OPTIONS: Pretty
+- name: "Post Audit | Run post_remediation {{ benchmark }} audit"
+ shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
+ vars:
+ warn: false
 
-- name: ensure audit files readable by users
+- name: Post Audit | ensure audit files readable by users
  file:
  path: "{{ item }}"
  mode: 0644
@@ -20,7 +14,7 @@
  - "{{ post_audit_outfile }}"
  - "{{ pre_audit_outfile }}"
 
-- name: Capture audit data if json format
+- name: Post Audit | Capture audit data if json format
  block:
  - name: "capture data {{ post_audit_outfile }}"
  command: "cat {{ post_audit_outfile }}"
@@ -35,14 +29,14 @@
  when:
  - audit_format == "json"
 
-- name: Capture audit data if documentation format
+- name: Post Audit | Capture audit data if documentation format
  block:
- - name: "capture data {{ post_audit_outfile }}"
+ - name: "Post Audit | capture data {{ post_audit_outfile }}"
  command: "tail -2 {{ post_audit_outfile }}"
  register: post_audit
  changed_when: false
 
- - name: Capture post-audit result
+ - name: Post Audit | Capture post-audit result
  set_fact:
  post_audit_summary: "{{ post_audit.stdout_lines }}"
  when: