From 05fee15cb429961cc8f0e8fcc0e8ceeba4afbe9c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 15 Apr 2024 09:29:19 +0100 Subject: [PATCH] updates for audit section Signed-off-by: Mark Bolwell --- defaults/main.yml | 76 ++++++++++++-------------- tasks/post_remediation_audit.yml | 22 ++++----- tasks/pre_remediation_audit.yml | 42 +++++++++--------- tasks/section_1/cis_1.3.x.yml | 4 -- vars/audit.yml | 22 ++++----- 5 files changed, 74 insertions(+), 92 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index a1e2e64..d48728a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -67,74 +67,56 @@ skip_reboot: true # default value will change to true but wont reboot if not enabled but will error change_requires_reboot: false -########################################## +########################################### ### Goss is required on the remote host ### -## Refer to vars/auditd.yml for any other settings ## -#### Basic external goss audit enablement settings #### -#### Precise details - per setting can be found at the bottom of this file #### +### vars/auditd.yml for other settings ### -## Audit setup -# Audits are carried out using Goss. This variable -# determines whether execution of the role prepares for auditing -# by installing the required binary. +# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false -## Enable audits to run - this runs the audit and get the latest content -# This variable governs whether the audit using the -# separately maintained audit role using Goss -# is carried out. 
+# enable audits to run - this runs the audit and get the latest content run_audit: false +# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system +audit_run_heavy_tests: true -# Only run Audit do not remediate +## Only run Audit do not remediate audit_only: false -# This will enable files to be copied back to control node(part of audit_only) +### As part of audit_only ### +# This will enable files to be copied back to control node in audit_only mode fetch_audit_files: false -# Path to copy the files to will create dir structure(part of audit_only) +# Path to copy the files to will create dir structure in audit_only mode audit_capture_files_dir: /some/location to copy to on control node +############################# -## How to retrieve audit binary(Goss) -# Options are 'copy' or 'download' - detailed settings at the bottom of this file -# - if 'copy': -# - the filepath mentioned via the below 'audit_bin_copy_location' var will be used to access already downloaded Goss -# - if 'download': -# - the GitHub Goss-releases URL will be used for a fresh-download, via 'audit_bin_url' and 'audit_pkg_arch_name' vars +# How to retrieve audit binary +# Options are copy or download - detailed settings at the bottom of this file +# you will need to access to either github or the file already dowmloaded get_audit_binary_method: download -## if get_audit_binary_method is 'copy', the following var needs to be updated for your environment +## if get_audit_binary_method - copy the following needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node ## e.g copy from ansible control node to remote host audit_bin_copy_location: /some/accessible/path -## How to retrieve the audit role -# The role for auditing is maintained separately. -# This variable specifies the method of how to get the audit role -# options are git/copy/get_url other e.g. 
if you wish to run from already downloaded conf -# onto the system. The options are as follows: -# - 'git': clone audit content from GitHub REPOSITORY, set up via `audit_file_git` var, and -# VERSION(e.g. branch, tag name), set up via `audit_git_version` var. -# - 'copy': copy from path as specified in variable `audit_conf_copy`. -# - 'archive': same as 'copy', only that the specified filepath needs to be unpacked. -# - 'get_url': Download from url as specified in variable `audit_files_url` +# how to get audit files onto host options +# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf audit_content: git -# This variable(only used when 'audit_content' is 'copy' or 'archive') should -# contain the filepath with audit-content to be copied/unarchived on server: -audit_conf_copy: "some path to copy from" +# If using either archive, copy, get_url: +## Note will work with .tar files - zip will require extra configuration +### If using get_url this is expecting github url in tar.gz format e.g. +### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz +audit_conf_source: "some path or url to copy from" -# This variable(only used when 'audit_content' is 'get_url') should -# contain the URL from where the audit-content must be downloaded on server: -audit_files_url: "some url maybe s3?" +# Destination for the audit content to be placed on managed node +# note may not need full path e.g. 
/opt with the directory being the {{ benchmark }}-Audit directory +audit_conf_dest: "/opt" -# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system -audit_run_heavy_tests: true +# Where the audit logs are stored +audit_log_dir: '/opt' -# Timeout for those cmds that take longer to run where timeout set -# This variable specifies the timeout (in ms) for audit commands that -# take a very long time: if a command takes too long to complete, -# it will be forcefully terminated after the specified duration. -audit_cmd_timeout: 120000 - -### End Goss enablements #### +### Goss Settings ## +####### END ######## # These variables correspond with the CIS rule IDs or paragraph numbers defined in # the CIS benchmark documents. diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 78c84e6..b3111c8 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -5,10 +5,10 @@ changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" AUDIT_FILE: goss.yml -- name: Post Audit | Ensure audit files readable by users +- name: Post Audit | ensure audit files readable by users ansible.builtin.file: path: "{{ item }}" mode: '0644' 
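Review bot: The `audit_conf_source` comment does not say which host the path is resolved on, and the pre-remediation tasks in this same patch treat it differently per method: for `copy` and `archive` it is read on the control node, for `get_url` it is fetched by the managed node itself (which therefore needs outbound access), and only a value containing `github` gets its top-level archive directory stripped. A line such as `# copy/archive: path on the control node; get_url: URL the managed node can reach (GitHub archive URLs are unpacked with --strip-components=1)` would prevent the first misconfiguration. Also `dowmloaded` should read `downloaded` in the `get_audit_binary_method` comment, and `audit_log_dir: '/opt'` deserves a note that the scan results written there enumerate the controls a host fails and should remain readable by administrators only.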
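Review bot: The `mode: '0644'` in this hunk makes the pre/post scan outputs world-readable, and those files are an itemised list of which hardening controls the host fails, which is useful reconnaissance for any local unprivileged account. Unless a non-root reader is genuinely required, `mode: '0640'` together with `owner: root` and `group: root` (or the group that consumes the reports) keeps the data to administrators, and `fetch_audit_files` already exists for pulling them back to the control node. The `ansible.builtin.file` task continues past the end of the hunk (its loop is not visible), so I am assuming the `path:` items are the `pre_audit_outfile` / `post_audit_outfile` results.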
@@ -21,14 +21,14 @@ when: - audit_format == "json" block: - - name: Post Audit | Capture data {{ post_audit_outfile }} - ansible.builtin.shell: cat {{ post_audit_outfile }} - register: discovered_post_audit + - name: capture data {{ post_audit_outfile }} + ansible.builtin.shell: "cat {{ post_audit_outfile }}" + register: post_audit changed_when: false - - name: Post Audit | Capture post-audit result + - name: Capture post-audit result ansible.builtin.set_fact: - post_audit_summary: "{{ discovered_post_audit.stdout | from_json | json_query(summary) }}" + post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: summary: summary."summary-line" @@ -36,11 +36,11 @@ when: - audit_format == "documentation" block: - - name: Post Audit | Capture data {{ post_audit_outfile }} - ansible.builtin.shell: tail -2 {{ post_audit_outfile }} - register: discovered_post_audit + - name: Post Audit | capture data {{ post_audit_outfile }} + ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" + register: post_audit changed_when: false - name: Post Audit | Capture post-audit result ansible.builtin.set_fact: - post_audit_summary: "{{ discovered_post_audit.stdout_lines }}" + post_audit_summary: "{{ post_audit.stdout_lines }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 75e4d15..d0137e8 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
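Review bot: Reading the result file with `ansible.builtin.shell: "cat {{ post_audit_outfile }}"` spawns a shell just to read a file, and the interpolated path contains `ansible_facts.hostname`, a value reported by the managed node; `ansible.builtin.slurp: { src: "{{ post_audit_outfile }}" }` followed by `post_audit.content | b64decode | from_json | json_query(summary)` reads it with no shell and no `changed_when: false` workaround. The task name has also lost the `Post Audit |` prefix that every other task in this file carries; `- name: Post Audit | Capture data {{ post_audit_outfile }}` keeps the naming consistent and the registered variable name `post_audit` diverges from the `discovered_*` convention the old side used.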
@@ -33,23 +33,25 @@ when: - audit_content == 'copy' ansible.builtin.copy: - src: "{{ audit_local_copy }}" + src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" mode: preserve - name: Pre Audit Setup | Unarchive audit content files on server when: - - audit_content == 'archived' + - audit_content == 'archive' ansible.builtin.unarchive: - src: "{{ audit_conf_copy }}" - dest: "{{ audit_conf_dir }}" + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}" - name: Pre Audit Setup | Get audit content from url when: - audit_content == 'get_url' - ansible.builtin.get_url: - url: "{{ audit_files_url }}" - dest: "{{ audit_conf_dir }}" + ansible.builtin.unarchive: + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" + remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" + extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" - name: Pre Audit Setup | Check Goss is available when: @@ -58,19 +60,20 @@ - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: path: "{{ audit_bin }}" - register: discovered_goss_available + register: goss_available - name: Pre Audit Setup | If audit ensure goss is available + when: + - not goss_available.stat.exists ansible.builtin.assert: - that: discovered_goss_available.stat.exists msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - name: Pre Audit Setup | Copy ansible default vars values to test audit - when: - - run_audit tags: - goss_template - run_audit + when: + - run_audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" @@ -81,7 +84,7 @@ changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format 
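Review bot: The `get_url` branch now downloads and unpacks an archive with no integrity check at all — `ansible.builtin.unarchive` has no `checksum` option, and what it unpacks is the goss content that is later executed as root — so a pinned checksum should be enforced whenever one is configured. The `is contains('http')` / `is contains('github')` heuristics also misfire on any local path that happens to contain those substrings, and `extra_opts` expects a list, so the ternary should yield `['--strip-components=1']` rather than a bare string; matching the scheme with `is match('^https?://')` is what the `remote_src` decision actually needs. I would fetch with `get_url` (which supports `checksum`) and then unarchive the downloaded file, as sketched below; a new `audit_conf_checksum` default would need adding alongside `audit_conf_source`, and `unarchive` requires `dest` to already exist, which I cannot confirm from this hunk.
```yaml
- name: Pre Audit Setup | Get audit content from url
  when:
    - audit_content == 'get_url'
  block:
    - name: Pre Audit Setup | Download audit content archive
      ansible.builtin.get_url:
        url: "{{ audit_conf_source }}"
        dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit.tar.gz"
        # verified only when the operator has pinned a checksum, e.g. "sha256:<hex>"
        checksum: "{{ audit_conf_checksum | default(omit) }}"
        mode: '0640'

    - name: Pre Audit Setup | Unarchive downloaded audit content
      ansible.builtin.unarchive:
        src: "{{ audit_conf_dest }}/{{ benchmark }}-Audit.tar.gz"
        dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
        remote_src: true
        # GitHub archives wrap everything in a <repo>-<ref>/ directory
        extra_opts: "{{ (audit_conf_source is match('^https://github\\.com/')) | ternary(['--strip-components=1'], []) }}"
```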
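Review bot: The `assert` on the new side has lost its `that:` argument, and `ansible.builtin.assert` requires it, so when the binary is missing the play now fails with a module argument error instead of the intended `msg`, while when it is present the task is only skipped because of the newly added `when`. Either restore `that: goss_available.stat.exists` and drop the `when`, or keep the `when` and switch the module to `ansible.builtin.fail:` with the same `msg`. The `stat` only proves that a file exists at `audit_bin`; it is not an integrity check on the binary that will run the audit as root, which is worth stating in the task name or a comment so nobody reads it as one.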
@@ -89,13 +92,13 @@ - audit_format == "json" block: - name: Pre Audit | Capture data {{ pre_audit_outfile }} - ansible.builtin.shell: cat {{ pre_audit_outfile }} - register: discovered_pre_audit + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" + register: pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result ansible.builtin.set_fact: - pre_audit_summary: "{{ discovered_pre_audit.stdout | from_json | json_query(summary) }}" + pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: summary: summary."summary-line" @@ -104,16 +107,15 @@ - audit_format == "documentation" block: - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format - ansible.builtin.shell: tail -2 {{ pre_audit_outfile }} - register: discovered_pre_audit + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" + register: pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result | documentation format ansible.builtin.set_fact: - pre_audit_summary: "{{ discovered_pre_audit.stdout_lines }}" + pre_audit_summary: "{{ pre_audit.stdout_lines }}" - name: Audit_Only | Run Audit Only when: - audit_only - ansible.builtin.import_tasks: - file: audit_only.yml + ansible.builtin.import_tasks: audit_only.yml diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index b3ae9e9..fa2d6a5 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -9,10 +9,6 @@ - name: "1.3.1 | PATCH | Ensure AIDE is installed | Build AIDE DB" ansible.builtin.shell: /usr/sbin/aide --init - changed_when: false - failed_when: false - async: 45 - poll: 0 args: creates: /var/lib/aide/aide.db.new.gz when: not ansible_check_mode diff --git a/vars/audit.yml b/vars/audit.yml index 26e2b87..e425229 100644 --- a/vars/audit.yml +++ b/vars/audit.yml 
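Review bot: Dropping `async: 45` / `poll: 0` together with `failed_when: false` is a real improvement, because the old fire-and-forget form hid a failing `aide --init` and walked away from it after 45 seconds, but the replacement is a synchronous task with no upper bound, and `aide --init` on a large filesystem routinely runs for many minutes. If that wait is a concern, awaiting it explicitly with `async: 1800` and `poll: 15` keeps the failure reporting while still bounding the task. `creates: /var/lib/aide/aide.db.new.gz` will also skip the rebuild on every later run if an earlier attempt was interrupted and aide had already written that file; I cannot tell from this hunk whether a later task moves the new database into place, so that is worth checking in the rest of the file.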
@@ -2,6 +2,9 @@ #### Audit Configuration Settings #### +# Timeout for those cmds that take longer to run where timeout set +audit_cmd_timeout: 120000 + # if get_audit_binary_method == download change accordingly audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-" @@ -9,17 +12,15 @@ audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_ ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: "benchmark_{{ benchmark_version }}" +audit_git_version: "benchmark-{{ benchmark_version }}" ## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -# Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" +# Where the goss audit configuration will be stored - NOTE benchmark-audit is expected +audit_conf_dir: "{{ audit_conf_dest | default('/opt') }}/{{ benchmark }}-Audit" # If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" ## The following should not need changing 
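Review bot: `audit_cmd_timeout` moves from `defaults/main.yml` into `vars/audit.yml`, and role `vars/` sit above inventory and group/host vars in Ansible precedence, so operators can no longer tune the timeout per environment without `--extra-vars` or a role parameter. If the intent is to keep it user-settable it belongs in defaults; if not, the comment should say so, e.g. `# Timeout (ms) for long-running goss commands - role var, override via extra-vars only`. The `audit_bin_url` just below is a plain GitHub releases URL for a binary that runs as root; whether the download is checksum-verified is decided in the setup tasks, which are not part of this patch.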
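Review bot: `audit_git_version: "benchmark-{{ benchmark_version }}"` points the clone at a branch, which is a mutable reference: the audit content that goss executes as root can change under the role between two runs of the same playbook, and nothing here records what was actually run. Allowing a tag or commit SHA to be supplied, e.g. `audit_git_version: "{{ audit_git_ref | default('benchmark-' ~ benchmark_version) }}"`, and noting in the comment that production use should pin a commit keeps the branch convenience without the drift. The `default('/opt')` on `audit_conf_dest` duplicates the default already set in `defaults/main.yml` and in the `AUDIT_CONTENT_LOCATION` environment of the audit tasks; a single source of truth avoids the three diverging.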
@@ -33,6 +34,7 @@ audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. - The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} + The audit results are: {{ pre_audit_summary }} + {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %} + + Full breakdown can be found in {{ audit_log_dir }}