updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

tasks/audit_only.yml

@@ -1,30 +1,30 @@
 ---
 
 - name: Audit_Only | Create local Directories for hosts
-  ansible.builtin.file:
-      mode: '0755'
-      path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
-      recurse: true
-      state: directory
   when: fetch_audit_files
+  ansible.builtin.file:
+    mode: '0755'
+    path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
+    recurse: true
+    state: directory
   delegate_to: localhost
   become: false
 
 - name: Audit_only | Get audits from systems and put in group dir
-  ansible.builtin.fetch:
-      dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
-      flat: true
-      mode: '0644'
-      src: "{{ pre_audit_outfile }}"
   when: fetch_audit_files
+  ansible.builtin.fetch:
+    dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
+    flat: true
+    mode: '0644'
+    src: "{{ pre_audit_outfile }}"
 
 - name: Audit_only | Show Audit Summary
   when:
-      - audit_only
+    - audit_only
   ansible.builtin.debug:
-      msg: "The Audit results are: {{ pre_audit_summary }}."
+    msg: "{{ audit_results.split('\n') }}"
 
 - name: Audit_only | Stop Playbook Audit Only selected
   when:
-      - audit_only
+    - audit_only
   ansible.builtin.meta: end_play

tasks/pre_remediation_audit.yml

@@ -63,16 +63,17 @@
       register: goss_available
 
     - name: Pre Audit Setup | If audit ensure goss is available
+      when:
+        - not goss_available.stat.exists
       ansible.builtin.assert:
-        that: goss_available.stat.exists
         msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
 
 - name: Pre Audit Setup | Copy ansible default vars values to test audit
+  when:
+    - run_audit
   tags:
     - goss_template
     - run_audit
-  when:
-    - run_audit
   ansible.builtin.template:
     src: ansible_vars_goss.yml.j2
     dest: "{{ audit_vars_path }}"

vars/audit.yml

@@ -26,8 +26,8 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma
 
 ### Audit binary settings ###
 audit_bin_version:
-    release: v0.4.4
+  release: v0.4.4
-    AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5'
+  AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5'
 audit_bin_path: /usr/local/bin/
 audit_bin: "{{ audit_bin_path }}goss"
 audit_format: json

vars/main.yml

@@ -3,18 +3,28 @@
 
 min_ansible_version: 2.10.1
 rhel9cis_allowed_crypto_policies:
-    - 'DEFAULT'
+  - 'DEFAULT'
-    - 'FUTURE'
+  - 'FUTURE'
-    - 'FIPS'
+  - 'FIPS'
 
 rhel9cis_allowed_crypto_policies_modules:
-    - 'OSPP'
+  - 'OSPP'
-    - 'AD-SUPPORT'
+  - 'AD-SUPPORT'
-    - 'AD-SUPPORT-LEGACY'
+  - 'AD-SUPPORT-LEGACY'
-    - 'NO-SHA1'
+  - 'NO-SHA1'
+  - 'NO-SSHCBC'
+  - 'NO-SSHETM'
+  - 'NO-SSHWEAKCIPHER'
+  - 'NO-SSHWEAKMAC'
+  - 'NO-WEAKMAC'
 
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0
 
 gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
+
+## Control 6.3.3.x - Audit template
+# This variable governs if the auditd logic should be executed(if value is true).
+# NOTE: The current default value is likely to be overriden(via 'set_fact') by other further tasks(in sub-section 'Auditd rules').
+update_audit_template: false