ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Updated audit steps and added ARM support

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-08-13 08:25:10 +01:00
parent 671ba154e7
commit 5f94f60e69
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
4 changed files with 9 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

10
tasks/LE_audit_setup.yml
View file

@ -3,16 +3,17 @@
- name: Pre Audit Setup | Set audit package name - name: Pre Audit Setup | Set audit package name
block: block:
- name: Pre Audit Setup | Set audit package name | 64bit - name: Pre Audit Setup | Set audit package name | 64bit
when: ansible_facts.machine == "x86_64"
ansible.builtin.set_fact: ansible.builtin.set_fact:
audit_pkg_arch_name: AMD64 audit_pkg_arch_name: AMD64
when: ansible_facts.machine == "x86_64"
- name: Pre Audit Setup | Set audit package name | ARM64 - name: Pre Audit Setup | Set audit package name | ARM64
when: ansible_facts.machine == "aarch64"
ansible.builtin.set_fact: ansible.builtin.set_fact:
audit_pkg_arch_name: ARM64 audit_pkg_arch_name: ARM64
when: ansible_facts.machine == "arm64"
- name: Pre Audit Setup | Download audit binary - name: Pre Audit Setup | Download audit binary
when: get_audit_binary_method == 'download'
ansible.builtin.get_url: ansible.builtin.get_url:
url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}" url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}"
dest: "{{ audit_bin }}" dest: "{{ audit_bin }}"
@ -20,15 +21,12 @@
group: root group: root
checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
mode: '0555' mode: '0555'
when:
- get_audit_binary_method == 'download'
- name: Pre Audit Setup | Copy audit binary - name: Pre Audit Setup | Copy audit binary
when: get_audit_binary_method == 'copy'
ansible.builtin.copy: ansible.builtin.copy:
src: "{{ audit_bin_copy_location }}" src: "{{ audit_bin_copy_location }}"
dest: "{{ audit_bin }}" dest: "{{ audit_bin }}"
mode: '0555' mode: '0555'
owner: root owner: root
group: root group: root
when:
- get_audit_binary_method == 'copy'

2
tasks/post_remediation_audit.yml
View file

@ -35,7 +35,7 @@
- audit_format == "documentation" - audit_format == "documentation"
block: block:
- name: Post Audit | Capture audit data if documentation format - name: Post Audit | Capture audit data if documentation format
ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation" ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '
register: post_audit_summary register: post_audit_summary
changed_when: false changed_when: false

2
tasks/pre_remediation_audit.yml
View file

@ -105,7 +105,7 @@
- audit_format == "documentation" - audit_format == "documentation"
block: block:
- name: Pre Audit | Capture audit data if documentation format - name: Pre Audit | Capture audit data if documentation format
ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '
register: pre_audit_summary register: pre_audit_summary
changed_when: false changed_when: false

5
vars/audit.yml
View file

@ -26,8 +26,9 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma
### Audit binary settings ### ### Audit binary settings ###
audit_bin_version: audit_bin_version:
release: v0.4.4 release: v0.4.8
AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5' AMD64_checksum: 'sha256:85d00b7bba5f175bec95de7dfe1f71f8f25204914aad4c6f03c8457868eb6e2f'
ARM64_checksum: 'sha256:bca8c898bfd35b94c51455ece6193c95e2cd7b2b183ac2047b2d76291e73e47d'
audit_bin_path: /usr/local/bin/ audit_bin_path: /usr/local/bin/
audit_bin: "{{ audit_bin_path }}goss" audit_bin: "{{ audit_bin_path }}goss"
audit_format: json audit_format: json