Merge pull request #33 from ansible-lockdown/audit_only_fetch

Audit only fetch

Changelog.md

@@ -1,6 +1,12 @@
 # Changes to rhel9CIS
 
 
+## Based on CIS v2.0.0
+
+Update to audit_only to allow fetching results
+resolved false warning for fetch audit
+Improved documentation and variable compilation for crypto policies
+
 ## 2.0.1 - Based on CIS v2.0.0
 
 - Thanks to @polski-g several issues and improvements added

defaults/main.yml

@@ -12,7 +12,7 @@ os_check: true
 # Disruption is high
 ## Run tests that are considered higher risk and could have a system impact if not properly tested
 ## Default false
-## Will be fine if clean new un configured build
+## Will be fine if clean new un-configured build
 rhel9cis_disruption_high: false
 
 ## Switching on/off specific baseline sections
@@ -37,6 +37,7 @@ rhel9cis_level_2: true
 # Create managed not custom local_facts files
 create_benchmark_facts: true
 ansible_facts_path: /etc/ansible/facts.d
+
 ## Section 1.6 - Mandatory Access Control
 # This variable governs whether SELinux is disabled or not. If SELinux is NOT DISABLED by setting
 # 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed.
@@ -111,7 +112,7 @@ audit_conf_dest: "/opt"
 # Where the audit logs are stored
 audit_log_dir: '/opt'
 
-## Ability to collect and take audit files moving to a centralised location
+## Ability to collect and take audit files moving to a centralized location
 # This enables the collection of the files from the host
 fetch_audit_output: false
 
@@ -238,7 +239,7 @@ rhel9cis_rule_1_8_8: true
 rhel9cis_rule_1_8_9: true
 rhel9cis_rule_1_8_10: true
 
-# Section 2 rules are controlling Services (Special Purpose Services, and service clients)
+# Section 2 rules are controling Services (Special Purpose Services, and service clients)
 ## Configure Server Services
 rhel9cis_rule_2_1_1: true
 rhel9cis_rule_2_1_2: true
@@ -579,8 +580,8 @@ rhel9cis_crypto_policy: 'DEFAULT'
 ## Control 1.6
 # This variable contains the value of the crypto policy module(combinations of policies and
 # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
-# using 'rhel9cis_allowed_crypto_policies_modules' variable.
+# using those listed in the 'rhel9cis_allowed_crypto_policies_modules' variable.
-rhel9cis_crypto_policy_module: ''
+rhel9cis_additional_crypto_policy_module: ''
 
 ## Controls:
 # - 1.7.1 - Ensure message of the day is configured properly
@@ -1046,14 +1047,14 @@ rhel9cis_bash_umask: '0027'  # 0027 or more restrictive
 # These are discovered via logins.def if set true
 rhel9cis_discover_int_uid: true
 # This variable sets the minimum number from which to search for UID
-# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
+# Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has
 # been set to `true`.
 min_int_uid: 1000
 ### Controls:
 # - Ensure local interactive user home directories exist
 # - Ensure local interactive users own their home directories
 # This variable sets the maximum number at which the search stops for UID
-# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
+# Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has
 # been set to `true`.
 max_int_uid: 65533
 

handlers/main.yml

@@ -186,7 +186,7 @@
 
 - name: Update Crypto Policy
   ansible.builtin.set_fact:
-    rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}{{ rhel9cis_crypto_policy_module }}{% endif %}"
+    rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{{ rhel9cis_crypto_policy_module }}{% if rhel9cis_additional_crypto_policy_module | length > 0 %}:{{ rhel9cis_additional_crypto_policy_module }}{% endif %}"
   notify: Set Crypto Policy
 
 - name: Set Crypto Policy

tasks/audit_only.yml

@@ -1,10 +1,17 @@
 ---
 
+- name: Audit_only | Fetch audit files
+  when:
+    - fetch_audit_output
+    - audit_only
+  ansible.builtin.import_tasks:
+    file: fetch_audit_output.yml
+
 - name: Audit_only | Show Audit Summary
   when: audit_only
   ansible.builtin.debug:
     msg: "{{ audit_results.split('\n') }}"
 
-- name: Audit_only | Stop Playbook Audit Only selected
+- name: Audit_only | Stop task for host as audit_only selected
   when: audit_only
-  ansible.builtin.meta: end_play
+  ansible.builtin.meta: end_host

tasks/fetch_audit_output.yml

@@ -8,6 +8,7 @@
     src: "{{ item }}"
     dest: "{{ audit_output_destination }}"
     flat: true
+  changed_when: true
   failed_when: false
   register: discovered_audit_fetch_state
   loop:

tasks/main.yml

@@ -61,7 +61,7 @@
     - crypto
     - NIST800-53R5_SC-6
   ansible.builtin.assert:
-    that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
+    that: rhel9cis_additional_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
     fail_msg: "Crypto policy module is not a permitted version"
     success_msg: "Crypto policy module is a permitted version"
 
@@ -132,9 +132,8 @@
     - rule_5.4.2.4
   block:
     - name: "Ensure root password is set"
-      ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
+      ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)"
       changed_when: false
-      failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
       register: prelim_root_passwd_set
 
     - name: "Ensure root password is set"

vars/main.yml

@@ -7,10 +7,16 @@ rhel9cis_allowed_crypto_policies:
   - 'FUTURE'
   - 'FIPS'
 
+# Following is left blank for ability to build string
+rhel9cis_crypto_policy_module: ''
+
+# Do not adjust these are recognized as part of the CIS benchmark and used during testing
 rhel9cis_allowed_crypto_policies_modules:
+  # Recognized by CIS as possible extra options
   - 'OSPP'
   - 'AD-SUPPORT'
   - 'AD-SUPPORT-LEGACY'
+  # The following are already included in 1.6.x controls
   - 'NO-SHA1'
   - 'NO-SSHCBC'
   - 'NO-SSHETM'