Merge pull request #351 from ansible-lockdown/audit_only_fetch

Audit only fetch

Changelog.md

@@ -1,5 +1,12 @@
 # Changes to rhel9CIS
 
+## Based on CIS v2.0.0
+
+Update to audit_only to allow fetching results
+resolved false warning for fetch audit
+fix root user check
+Improved documentation and variable compilation for crypto policies
+
 ## 2.0.1 - Based on CIS v2.0.0
 
 - Thanks to @polski-g several issues and improvements added

defaults/main.yml

@@ -580,8 +580,8 @@ rhel9cis_crypto_policy: 'DEFAULT'
 ## Control 1.6
 # This variable contains the value of the crypto policy module(combinations of policies and
 # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
-# using 'rhel9cis_allowed_crypto_policies_modules' variable.
-rhel9cis_crypto_policy_module: ''
+# using those listed in the 'rhel9cis_allowed_crypto_policies_modules' variable.
+rhel9cis_additional_crypto_policy_module: ''
 
 ## Controls:
 # - 1.7.1 - Ensure message of the day is configured properly

handlers/main.yml

@@ -186,7 +186,7 @@
 
 - name: Update Crypto Policy
   ansible.builtin.set_fact:
-    rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}{{ rhel9cis_crypto_policy_module }}{% endif %}"
+    rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{{ rhel9cis_crypto_policy_module }}{% if rhel9cis_additional_crypto_policy_module | length > 0 %}:{{ rhel9cis_additional_crypto_policy_module }}{% endif %}"
   notify: Set Crypto Policy
 
 - name: Set Crypto Policy

tasks/audit_only.yml

@@ -1,19 +1,17 @@
 ---
-- name: Audit_Only | Create local Directories for hosts
-  when: fetch_audit_files
-  ansible.builtin.file:
-    mode: 'u+x,go-w'
-    path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
-    recurse: true
-    state: directory
-  delegate_to: localhost
-  become: false
+
+- name: Audit_only | Fetch audit files
+  when:
+    - fetch_audit_output
+    - audit_only
+  ansible.builtin.import_tasks:
+    file: fetch_audit_output.yml
 
 - name: Audit_only | Show Audit Summary
   when: audit_only
   ansible.builtin.debug:
     msg: "{{ audit_results.split('\n') }}"
 
-- name: Audit_only | Stop Playbook Audit Only selected
+- name: Audit_only | Stop task for host as audit_only selected
   when: audit_only
-  ansible.builtin.meta: end_play
+  ansible.builtin.meta: end_host

tasks/fetch_audit_output.yml

@@ -8,6 +8,7 @@
     src: "{{ item }}"
     dest: "{{ audit_output_destination }}"
     flat: true
+  changed_when: true
   failed_when: false
   register: discovered_audit_fetch_state
   loop:

tasks/main.yml

@@ -61,7 +61,7 @@
     - crypto
     - NIST800-53R5_SC-6
   ansible.builtin.assert:
-    that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
+    that: rhel9cis_additional_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
     fail_msg: "Crypto policy module is not a permitted version"
     success_msg: "Crypto policy module is a permitted version"
 

vars/main.yml

@@ -7,10 +7,16 @@ rhel9cis_allowed_crypto_policies:
   - 'FUTURE'
   - 'FIPS'
 
+# Following is left blank for ability to build string
+rhel9cis_crypto_policy_module: ''
+
+# Do not adjust these are recognized as part of the CIS benchmark and used during testing
 rhel9cis_allowed_crypto_policies_modules:
+  # Recognized by CIS as possible extra options
   - 'OSPP'
   - 'AD-SUPPORT'
   - 'AD-SUPPORT-LEGACY'
+  # The following are already included in 1.6.x controls
   - 'NO-SHA1'
   - 'NO-SSHCBC'
   - 'NO-SSHETM'