From 6be41416ecce57928339a6f35e3f247333f85c9d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 16 Oct 2025 14:51:22 +0100 Subject: [PATCH 1/7] updated workflow permissions Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index deac4d7..8fd728a 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -17,12 +17,6 @@ # Allow manual running of workflow workflow_dispatch: - # Allow permissions for AWS auth - permissions: - id-token: write - contents: read - pull-requests: read - # A workflow run is made up of one or more jobs # that can run sequentially or in parallel jobs: @@ -30,6 +24,10 @@ welcome: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write + steps: - uses: actions/first-interaction@main with: @@ -45,6 +43,13 @@ playbook-test: # The type of runner that the job will run on runs-on: self-hosted + + # Allow permissions for AWS auth + permissions: + id-token: write + contents: read + pull-requests: read + env: ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} # Imported as a variable by terraform From 727ae4515b1c2cd028167d41f3761af7803af23e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 16 Oct 2025 14:57:24 +0100 Subject: [PATCH 2/7] updated auditd variables Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0c95ee9..5264dd0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -87,8 +87,6 @@ audit_max_concurrent: 50 ## Only run Audit do not remediate audit_only: false ### As part of audit_only ### -# This will enable files to be copied back to control node in audit_only mode -fetch_audit_files: false # Path to copy the files to will create dir structure in audit_only mode audit_capture_files_dir: /some/location to copy to on control node ############################# From a525e4a2fbeb5b61f7302b84c69f422dbae9d07b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 16 Oct 2025 14:58:06 +0100 Subject: [PATCH 3/7] Added extra failure for no data Signed-off-by: Mark Bolwell --- tasks/pre_remediation_audit.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index dd9efb4..410473e 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -85,6 +85,7 @@ - name: Pre Audit | Capture audit data if json format ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 changed_when: false + failed_when: pre_audit_summary.stderr | length > 0 register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary @@ -97,6 +98,7 @@ - name: Pre Audit | Capture audit data if documentation format ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' changed_when: false + failed_when: pre_audit_summary.stderr | length > 0 register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary From 45018f30cb5101063273102492970c56a06a882c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 16 Oct 2025 14:58:52 +0100 Subject: [PATCH 4/7] updated Signed-off-by: Mark Bolwell --- .yamllint | 1 + 1 file changed, 1 insertion(+) diff --git a/.yamllint b/.yamllint index fa7b697..af0d9ab 100644 --- a/.yamllint +++ b/.yamllint @@ -1,4 +1,5 @@ --- + extends: default ignore: | tests/ From 25d3e897fe84f58f935b4572f50de607cb17ff2f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 16 Oct 2025 15:01:57 +0100 Subject: [PATCH 5/7] updated to latest version Signed-off-by: Mark Bolwell --- .../benchmark_tracking_controller.yml | 24 +++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/.github/workflows/benchmark_tracking_controller.yml b/.github/workflows/benchmark_tracking_controller.yml index 0d9f515..039ec0d 100644 --- a/.github/workflows/benchmark_tracking_controller.yml +++ b/.github/workflows/benchmark_tracking_controller.yml @@ -1,8 +1,22 @@ --- # GitHub schedules all cron jobs in UTC. -# This expression will run the job every day at 9 AM Eastern Time during Daylight Saving Time (mid-March to early November). -# This expression will run the job every day at 8 AM Eastern Time during Standard Time (early November to mid-March). +# ────────────────────────────────────────────────────────────────────────────── +# Schedule: +# - '0 13 * * *' runs at 13:00 UTC every day. +# - This corresponds to: +# • 9:00 AM Eastern **during Daylight Saving Time** (mid-Mar → early-Nov) +# • 8:00 AM Eastern **during Standard Time** (early-Nov → mid-Mar) +# +# Job routing: +# - call-benchmark-tracker: +# • Runs on manual dispatch, and on pushes to the 'latest' branch. +# - call-monitor-promotions: +# • Runs on schedule or manual dispatch **only in repos named ansible-lockdown/Private-***. +# • Skips automatically in public repos (e.g., Windows-2022-CIS) to avoid false failures. +# +# Defense-in-depth: +# - The called promotion workflow may still keep its own guard to ensure only Private-* repos execute it. name: Central Benchmark Orchestrator @@ -11,11 +25,12 @@ on: branches: - latest schedule: - - cron: '0 6 * * *' # Runs daily at 9 AM ET + - cron: '0 13 * * *' # 13:00 UTC → 9 AM ET (DST) / 8 AM ET (Standard Time) workflow_dispatch: jobs: call-benchmark-tracker: + # Run on manual dispatch OR when 'latest' branch receives a push if: github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == 'latest') name: Start Benchmark Tracker uses: ansible-lockdown/github_linux_IaC/.github/workflows/benchmark_track.yml@self_hosted @@ -27,7 +42,8 @@ jobs: DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }} call-monitor-promotions: - if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + # Run on schedule or manual dispatch, but only for Private-* repos + if: (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && startsWith(github.repository, 'ansible-lockdown/Private-') name: Monitor Promotions and Auto-Promote uses: ansible-lockdown/github_linux_IaC/.github/workflows/benchmark_promote.yml@self_hosted with: From ec7226377b73267148b630ee2c36dda3bcbafad7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 16 Oct 2025 15:18:15 +0100 Subject: [PATCH 6/7] updated template logic for 2.19 Signed-off-by: Mark Bolwell --- templates/audit/99_auditd.rules.j2 | 98 +++++------------------------- 1 file changed, 14 insertions(+), 84 deletions(-) diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 4fa4516..c3c2b6c 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -10,12 +10,7 @@ {% endif %} {% if rhel9cis_rule_6_3_3_2 %} {% set syscalls = ["execve"] %} -{% set arch_syscalls = [] %} -{%- for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor -%} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation {% endif %} @@ -24,33 +19,18 @@ {% endif %} {% if rhel9cis_rule_6_3_3_4 %} {% set syscalls = ["adjtimex","settimeofday"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change {% set syscalls = ["clock_settime"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change -{% endif %} -{% endfor %} -w /etc/localtime -p wa -k time-change {% endif %} {% if rhel9cis_rule_6_3_3_5 %} {% set syscalls = ["sethostname","setdomainname"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale -w /etc/issue -p wa -k system-locale @@ -68,12 +48,7 @@ {% endif %} {% if rhel9cis_rule_6_3_3_7 %} {% set syscalls = ["creat","open","openat","truncate","ftruncate"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access @@ -91,62 +66,27 @@ {% endif %} {% if rhel9cis_rule_6_3_3_9 %} {% set syscalls = ["chmod","fchmod","fchmodat"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% set syscalls = ["chown","fchown","lchown","fchownat"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% set syscalls = ["chmod","fchmod","fchmodat"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% set syscalls = ["chown","fchown","lchown","fchownat"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% endif %} {% if rhel9cis_rule_6_3_3_10 %} {% set syscalls = ["mount"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts {% endif %} @@ -161,12 +101,7 @@ {% endif %} {% if rhel9cis_rule_6_3_3_13 %} {% set syscalls = ["unlink","unlinkat","rename","renameat"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append( syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete {% endif %} @@ -189,12 +124,7 @@ {% if rhel9cis_rule_6_3_3_19 %} -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules {% set syscalls = ["init_module","finit_module","delete_module","create_module","query_module"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append( syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules {% endif %} {% if rhel9cis_rule_6_3_3_20 %} From cd66f4b76fe9865055790eb5496351ae2fb54032 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 16 Oct 2025 15:20:39 +0100 Subject: [PATCH 7/7] updated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 5fca72d..9287a24 100644 --- a/Changelog.md +++ b/Changelog.md @@ -9,6 +9,7 @@ Audit improvements and max-concurrent option added Benchmark version variable in audit template fixed typo thanks to @fragglexarmy #393 fixed typo thanks to @trumbaut #397 & #399 +updated auditd template to be 2.19 complaint ## 2.0.3 - Based on CIS v2.0.0