From 22cd20c067de049a75e6647a7909113ff6bd577c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 9 Aug 2024 16:20:14 +0100 Subject: [PATCH 1/9] updated for issue #226 Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.4.x.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index c42f876..dcf8413 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -23,7 +23,7 @@ "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" ansible.builtin.file: path: "{{ audit_discovered_logfile.stdout }}" - mode: "{% if auditd_logfile.stat.mode != '0600' %}0640{% endif %}" + mode: 'u-x,g-rw,o-rwx' owner: root group: root when: @@ -50,7 +50,7 @@ ansible.builtin.file: path: "{{ audit_discovered_logfile.stdout | dirname }}" state: directory - mode: '0750' + mode: 'g-w,o-rwx' when: not auditlog_dir.stat.mode is match('07(0|5)0') when: - rhel9cis_rule_4_1_4_4 @@ -64,7 +64,7 @@ - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" ansible.builtin.file: path: "{{ item.path }}" - mode: "{{ '0600' if item.mode == '0600' else '0640' }}" + mode: 'u-x,g-wx,u-rwx' loop: "{{ auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" @@ -126,8 +126,7 @@ - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" ansible.builtin.file: path: "{{ item.item }}" - mode: '0750' - + mode: 'go-w' loop: "{{ audit_bins.results }}" loop_control: label: "{{ item.item }}" From 44aa939e130bc4500ac07e68ed131d7687089b13 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 9 Aug 2024 16:23:37 +0100 Subject: [PATCH 2/9] issue #227 resolved thanks @ckbaker10 Signed-off-by: Mark Bolwell --- tasks/post_remediation_audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index d58e921..ad5bcb5 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -35,7 +35,7 @@ - audit_format == "documentation" block: - name: Post Audit | Capture audit data if documentation format - ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation" + ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' ' register: post_audit_summary changed_when: false From 82119205b1d111326ba5ee65c13e7b9d24131fba Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 9 Aug 2024 17:21:36 +0100 Subject: [PATCH 3/9] issue #224 addressed thanks to @globalpayments-shoebsyed Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.4.x.yml | 6 ++++++ tasks/section_4/cis_4.2.3.yml | 2 ++ 2 files changed, 8 insertions(+) diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index dcf8413..2312b03 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -65,6 +65,8 @@ ansible.builtin.file: path: "{{ item.path }}" mode: 'u-x,g-wx,u-rwx' + failed_when: rhel9cis_4_1_4_5_file_list.state not in '[ file, absent ]' + register: rhel9cis_4_1_4_5_file_list loop: "{{ auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" @@ -81,6 +83,8 @@ ansible.builtin.file: path: "{{ item.path }}" owner: root + failed_when: rhel9cis_4_1_4_6_file_list.state not in '[ file, absent ]' + register: rhel9cis_4_1_4_6_file_list loop: "{{ auditd_conf_files.files | default([]) }}" loop_control: label: "{{ item.path }}" @@ -97,6 +101,8 @@ ansible.builtin.file: path: "{{ item.path }}" group: root + failed_when: rhel9cis_4_1_4_7_file_list.state not in '[ file, absent ]' + register: rhel9cis_4_1_4_7_file_list loop: "{{ auditd_conf_files.files | default([]) }}" loop_control: label: "{{ item.path }}" diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index 823975a..42bb419 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -14,6 +14,8 @@ ansible.builtin.file: path: "{{ item.path }}" mode: "{{ '0600' if item.mode == '0600' else '0640' }}" + failed_when: rhel9cis_4_2_3_file_list.state not in '[ file, absent ]' + register: rhel9cis_4_2_3_file_list loop: "{{ logfiles.files }}" loop_control: label: "{{ item.path }}" From 3c08540062fba3c3764a0d8b2f85ee97df9cf25b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 9 Aug 2024 17:21:47 +0100 Subject: [PATCH 4/9] improved 6.1.10 Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index ef3d3b3..87c7a1a 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -150,7 +150,7 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist" block: - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" - ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser + ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser -not -fstype nfs changed_when: false failed_when: false check_mode: false @@ -162,26 +162,21 @@ - item['device'].startswith('/dev') - not 'bind' in item['options'] - - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | set fact" + - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use" ansible.builtin.set_fact: - rhel_09_6_1_10_unowned_files_found: true - loop: "{{ rhel_09_6_1_10_audit.results }}" - when: - - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - - item.stdout | length > 0 + discovered_unowned_files_flatten: "{{ rhel_09_6_1_10_audit.results | map(attribute='stdout_lines') | flatten }}" - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: - msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit.stdout_lines }}" - when: rhel_09_6_1_10_unowned_files_found + msg: "Warning!! Missing owner on items in {{ discovered_unowned_files_flatten }}" + when: discovered_unowned_files_flatten | length > 0 - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" ansible.builtin.import_tasks: file: warning_facts.yml vars: warn_control_id: '6.1.10' - when: rhel_09_6_1_10_unowned_files_found + when: discovered_unowned_files_flatten | length > 0 vars: rhel_09_6_1_10_unowned_files_found: false when: From 82c1137b94287abcbd4a1214571896ecf55ffe8b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 9 Aug 2024 17:33:01 +0100 Subject: [PATCH 5/9] updated logic 6.1.11 Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 87c7a1a..a0e8dd6 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -177,8 +177,6 @@ vars: warn_control_id: '6.1.10' when: discovered_unowned_files_flatten | length > 0 - vars: - rhel_09_6_1_10_unowned_files_found: false when: - rhel9cis_rule_6_1_10 tags: @@ -204,28 +202,21 @@ - item['device'].startswith('/dev') - not 'bind' in item['options'] - - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | set fact" + - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Flatten no_user_items results for easier use" ansible.builtin.set_fact: - rhel_09_6_1_11_ungrouped_files_found: true - loop: "{{ rhel_09_6_1_11_audit.results }}" - when: - - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - - item.stdout | length > 0 + discovered_ungrouped_files_flatten: "{{ rhel_09_6_1_11_audit.results | map(attribute='stdout_lines') | flatten }}" - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: - msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit.stdout_lines }}" - when: rhel_09_6_1_11_ungrouped_files_found + msg: "Warning!! Missing group on items in {{ discovered_ungrouped_files_flatten }}" + when: discovered_ungrouped_files_flatten | length > 0 - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" ansible.builtin.import_tasks: file: warning_facts.yml vars: warn_control_id: '6.1.11' - when: rhel_09_6_1_11_ungrouped_files_found - vars: - rhel_09_6_1_11_ungrouped_files_found: false + when: discovered_ungrouped_files_flatten | length > 0 when: - rhel9cis_rule_6_1_11 tags: From a0fd194ef449cf6aebdf3c2bed0464f42ee82d30 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 12 Aug 2024 10:47:38 +0100 Subject: [PATCH 6/9] fixed typo on 4.1.4.5 Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index 2312b03..79c0f23 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -64,7 +64,7 @@ - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" ansible.builtin.file: path: "{{ item.path }}" - mode: 'u-x,g-wx,u-rwx' + mode: 'u-x,g-wx,o-rwx' failed_when: rhel9cis_4_1_4_5_file_list.state not in '[ file, absent ]' register: rhel9cis_4_1_4_5_file_list loop: "{{ auditd_conf_files.files }}" From 8fe700fea79eb7dd429126d8e7567ea9eb7ce69e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 12 Aug 2024 21:38:52 +0100 Subject: [PATCH 7/9] removed jmespath reference Signed-off-by: Mark Bolwell --- .config/requirements.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/.config/requirements.txt b/.config/requirements.txt index 52cb84d..ba7d83b 100644 --- a/.config/requirements.txt +++ b/.config/requirements.txt @@ -1,5 +1,4 @@ passlib lxml xmltodict -jmespath yamllint From 383d2d410cb8ba0c17869679c6fce887221f1507 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 12 Aug 2024 21:39:03 +0100 Subject: [PATCH 8/9] updated to fix output Signed-off-by: Mark Bolwell --- tasks/audit_only.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index 864f5bb..ab5a573 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml @@ -22,7 +22,7 @@ when: - audit_only ansible.builtin.debug: - msg: "The Audit results are: {{ pre_audit_summary }}." + msg: "{{ audit_results.split('\n') }}" - name: Audit_only | Stop Playbook Audit Only selected when: From e510607fb6a55bec1a41a2c80a5cb3ec36048321 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 13 Aug 2024 11:12:38 +0100 Subject: [PATCH 9/9] updated audit and arm64 audit support Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 2 +- vars/audit.yml | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 7ef94b4..08d047d 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -10,7 +10,7 @@ - name: Pre Audit Setup | Set audit package name | ARM64 ansible.builtin.set_fact: audit_pkg_arch_name: ARM64 - when: ansible_facts.machine == "arm64" + when: ansible_facts.machine == "aarch64" - name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: diff --git a/vars/audit.yml b/vars/audit.yml index 9dc666a..e677d8e 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -26,8 +26,9 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma ### Audit binary settings ### audit_bin_version: - release: v0.4.4 - AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5' + release: v0.4.8 + AMD64_checksum: 'sha256:85d00b7bba5f175bec95de7dfe1f71f8f25204914aad4c6f03c8457868eb6e2f' + ARM64_checksum: 'sha256:bca8c898bfd35b94c51455ece6193c95e2cd7b2b183ac2047b2d76291e73e47d' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json