From 009c9fc498f37c360d5764f122f213d20fe06520 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 28 Jul 2023 15:16:50 +0100 Subject: [PATCH] updated audit vars naming, AMD & ARM binaries Signed-off-by: Mark Bolwell --- defaults/main.yml | 11 +-- tasks/LE_audit_setup.yml | 34 ++++---- tasks/post_remediation_audit.yml | 10 ++- tasks/pre_remediation_audit.yml | 132 ++++++++++++++++--------------- 4 files changed, 99 insertions(+), 88 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 81df6a1..2cc4700 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -52,7 +52,7 @@ setup_audit: false # How to retrive goss # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded -get_goss_file: download +get_audit_binary_method: download # how to get audit files onto host options # options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly) @@ -663,15 +663,16 @@ audit_run_script_environment: AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" ### Goss binary settings ### -goss_version: - release: v0.3.21 - checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' +audit_bin_release: v0.3.23 +audit_bin_version: + AMD64_checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' + ARM64_checksum: 'sha256:7b0794fa590857e7d64ef436e1a100ca26f6039f269a6138009aa837d27d7f9e' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json # if get_goss_file == download change accordingly -goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64" +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_release }}/goss-linux-" ## if get_goss_file - copy the following needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index bc929ae..29f8960 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -1,30 +1,34 @@ --- -- name: Download audit binary +- name: Pre Audit Setup | Set audit package name + block: + - name: Pre Audit Setup | Set audit package name | 64bit + ansible.builtin.set_fact: + audit_pkg_arch_name: AMD64 + when: ansible_machine == "x86_64" + + - name: Pre Audit Setup | Set audit package name | ARM64 + ansible.builtin.set_fact: + audit_pkg_arch_name: ARM64 + when: ansible_machine == "arm64" + +- name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: - url: "{{ goss_url }}" + url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}" dest: "{{ audit_bin }}" owner: root group: root - checksum: "{{ goss_version.checksum }}" + checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" mode: 0555 when: - - get_goss_file == 'download' + - get_audit_binary_method == 'download' -- name: Copy audit binary +- name: Pre Audit Setup | copy audit binary ansible.builtin.copy: - src: + src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" mode: 0555 owner: root group: root when: - - get_goss_file == 'copy' - -- name: Install git if not present - ansible.builtin.package: - name: git - state: present - register: git_installed - when: - - '"git" not in ansible_facts.packages' + - get_audit_binary_method == 'copy' diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 0eb7608..f0a7664 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -2,9 +2,11 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: audit_run_post_remediation.rc == 0 - register: audit_run_post_remediation + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" - name: Post Audit | ensure audit files readable by users ansible.builtin.file: @@ -17,7 +19,7 @@ - name: Post Audit | Capture audit data if json format block: - - name: "Capture data {{ post_audit_outfile }}" + - name: "capture data {{ post_audit_outfile }}" ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 2947e6a..711f59b 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,109 +1,113 @@ --- -- name: Pre Audit | Setup the audit +- name: Pre Audit Binary Setup | Setup the LE audit ansible.builtin.include_tasks: LE_audit_setup.yml when: - - setup_audit + - setup_audit tags: - - setup_audit + - setup_audit -- name: "Pre Audit | Ensure {{ audit_conf_dir }} exists" +- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' -- name: Pre Audit | retrieve audit content files from git - ansible.builtin.git: - repo: "{{ audit_file_git }}" - dest: "{{ audit_conf_dir }}" - version: "{{ audit_git_version }}" +- name: Pre Audit Setup | If using git for content set up + block: + - name: Pre Audit Setup | Install git + ansible.builtin.package: + name: git + state: present + + - name: Pre Audit Setup | retrieve audit content files from git + ansible.builtin.git: + repo: "{{ audit_file_git }}" + dest: "{{ audit_conf_dir }}" + version: "{{ audit_git_version }}" when: - - audit_content == 'git' + - audit_content == 'git' -- name: Pre Audit | confirm audit branch vs benchmark version - ansible.builtin.debug: - msg: "Audit will run the branch {{ audit_git_version }} for this Benchmark {{ benchmark_version }}" - -- name: Pre Audit | copy to audit content files to server +- name: Pre Audit Setup | copy to audit content files to server ansible.builtin.copy: src: "{{ audit_local_copy }}" - dest: "{{ audit_conf_dir }}" - mode: 0644 + dest: "{{ audit_conf_dest }}" + mode: preserve when: - - audit_content == 'copy' + - audit_content == 'copy' -- name: Pre Audit | get audit content from url +- name: Pre Audit Setup | unarchive audit content files on server + ansible.builtin.unarchive: + src: "{{ audit_conf_copy }}" + dest: "{{ audit_conf_dir }}" + when: + - audit_content == 'archived' + +- name: Pre Audit Setup | get audit content from url ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" - owner: root - group: root - mode: 0755 when: - - audit_content == 'get_url' + - audit_content == 'get_url' -- name: Pre Audit | Check Goss is available +- name: Pre Audit Setup | Check Goss is available block: - - name: Pre Audit | Check for goss file - ansible.builtin.stat: - path: "{{ audit_bin }}" - register: goss_available + - name: Pre Audit Setup | Check for goss file + ansible.builtin.stat: + path: "{{ audit_bin }}" + register: goss_available - - name: Pre Audit | Alert if goss not available - ansible.builtin.assert: - that: goss_available.stat.exists - fail_msg: "Audit binary file {{ audit_bin }} does not exist" + - name: Pre Audit Setup | If audit ensure goss is available + ansible.builtin.assert: + msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" + when: + - not goss_available.stat.exists when: - - run_audit + - run_audit -- name: "Pre Audit | Check whether machine is UEFI-based" - ansible.builtin.stat: - path: /sys/firmware/efi - register: rhel9_efi_boot - tags: - - goss_template - -- name: Pre Audit | Copy ansible default vars values to test audit +- name: Pre Audit Setup | Copy ansible default vars values to test audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: 0600 when: - - run_audit + - run_audit tags: - - goss_template + - goss_template + - always - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: audit_run_pre_remediation.rc == 0 - register: audit_run_pre_remediation + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" - name: Pre Audit | Capture audit data if json format block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - ansible.builtin.shell: "cat {{ pre_audit_outfile }}" - register: pre_audit - changed_when: false + - name: "capture data {{ pre_audit_outfile }}" + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false - - name: Pre Audit | Capture pre-audit result - ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" - vars: - summary: 'summary."summary-line"' + - name: Pre Audit | Capture pre-audit result + ansible.builtin.set_fact: + pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" + vars: + summary: 'summary."summary-line"' when: - - audit_format == "json" + - audit_format == "json" - name: Pre Audit | Capture audit data if documentation format block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" - register: pre_audit - changed_when: false + - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format" + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false - - name: Pre Audit | Capture pre-audit result - ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout_lines }}" + - name: Pre Audit | Capture pre-audit result | documentation format + ansible.builtin.set_fact: + pre_audit_summary: "{{ pre_audit.stdout_lines }}" when: - - audit_format == "documentation" + - audit_format == "documentation"