addition of audit_only config

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-11-21 09:49:36 +00:00 · 2023-11-21 09:49:36 +00:00 · 23a4386e95
commit 23a4386e95
parent 8784941179
5 changed files with 103 additions and 49 deletions
--- a/tasks/LE_audit_setup.yml
+++ b/tasks/LE_audit_setup.yml
@ -23,7 +23,7 @@
  when:
      - get_audit_binary_method == 'download'

- name: Pre Audit Setup | copy audit binary
+- name: Pre Audit Setup | Copy audit binary
  ansible.builtin.copy:
      src: "{{ audit_bin_copy_location }}"
      dest: "{{ audit_bin }}"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -133,11 +133,22 @@
      - prelim_tasks
      - always

- name: run pre_remediation audit
-  ansible.builtin.include_tasks:
-      file: pre_remediation_audit.yml
+- name: Include audit specific variables
  when:
+      - run_audit or audit_only
+      - setup_audit
+  tags:
+      - setup_audit
      - run_audit
+  ansible.builtin.include_vars: audit.yml
+
+- name: Include pre-remediation audit tasks
+  when:
+      - run_audit or audit_only
+      - setup_audit
+  tags:
+      - run_audit
+  ansible.builtin.import_tasks: pre_remediation_audit.yml

 - name: run Section 1 tasks
  ansible.builtin.import_tasks:
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@ -1,12 +1,12 @@
 ---

- name: "Post Audit | Run post_remediation {{ benchmark }} audit"
+- name: Post Audit | Run post_remediation {{ benchmark }} audit
  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
  changed_when: true
  environment:
      AUDIT_BIN: "{{ audit_bin }}"
      AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
-      AUDIT_FILE: "goss.yml"
+      AUDIT_FILE: goss.yml

 - name: Post Audit | ensure audit files readable by users
  ansible.builtin.file:
@ -18,9 +18,11 @@
      - "{{ pre_audit_outfile }}"

 - name: Post Audit | Capture audit data if json format
+  when:
+      - audit_format == "json"
  block:
-      - name: "capture data {{ post_audit_outfile }}"
-        ansible.builtin.shell: "cat {{ post_audit_outfile }}"
+      - name: capture data {{ post_audit_outfile }}
+        ansible.builtin.shell: cat {{ post_audit_outfile }}
        register: post_audit
        changed_when: false

@ -28,19 +30,17 @@
        ansible.builtin.set_fact:
            post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
        vars:
-            summary: 'summary."summary-line"'
-  when:
-      - audit_format == "json"
+            summary: summary."summary-line"

 - name: Post Audit | Capture audit data if documentation format
+  when:
+      - audit_format == "documentation"
  block:
-      - name: "Post Audit | capture data {{ post_audit_outfile }}"
-        ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
+      - name: Post Audit | capture data {{ post_audit_outfile }}
+        ansible.builtin.shell: tail -2 {{ post_audit_outfile }}
        register: post_audit
        changed_when: false

      - name: Post Audit | Capture post-audit result
        ansible.builtin.set_fact:
            post_audit_summary: "{{ post_audit.stdout_lines }}"
-  when:
-      - audit_format == "documentation"
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@ -1,56 +1,58 @@
 ---

- name: Pre Audit Binary Setup | Setup the LE audit
-  ansible.builtin.include_tasks: LE_audit_setup.yml
+- name: Pre Audit Setup | Setup the LE audit
  when:
      - setup_audit
  tags:
      - setup_audit
+  ansible.builtin.include_tasks: LE_audit_setup.yml

- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists"
+- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists
  ansible.builtin.file:
      path: "{{ audit_conf_dir }}"
      state: directory
      mode: '0755'

 - name: Pre Audit Setup | If using git for content set up
+  when:
+      - audit_content == 'git'
  block:
      - name: Pre Audit Setup | Install git
        ansible.builtin.package:
            name: git
            state: present

-      - name: Pre Audit Setup | retrieve audit content files from git
+      - name: Pre Audit Setup | Retrieve audit content files from git
        ansible.builtin.git:
            repo: "{{ audit_file_git }}"
            dest: "{{ audit_conf_dir }}"
            version: "{{ audit_git_version }}"
-  when:
-      - audit_content == 'git'

- name: Pre Audit Setup | copy to audit content files to server
+- name: Pre Audit Setup | Copy to audit content files to server
+  when:
+      - audit_content == 'copy'
  ansible.builtin.copy:
      src: "{{ audit_local_copy }}"
      dest: "{{ audit_conf_dest }}"
      mode: preserve
-  when:
-      - audit_content == 'copy'

- name: Pre Audit Setup | unarchive audit content files on server
+- name: Pre Audit Setup | Unarchive audit content files on server
+  when:
+      - audit_content == 'archived'
  ansible.builtin.unarchive:
      src: "{{ audit_conf_copy  }}"
      dest: "{{ audit_conf_dir }}"
-  when:
-      - audit_content == 'archived'

- name: Pre Audit Setup | get audit content from url
+- name: Pre Audit Setup | Get audit content from url
+  when:
+      - audit_content == 'get_url'
  ansible.builtin.get_url:
      url: "{{ audit_files_url }}"
      dest: "{{ audit_conf_dir }}"
-  when:
-      - audit_content == 'get_url'

 - name: Pre Audit Setup | Check Goss is available
+  when:
+      - run_audit
  block:
      - name: Pre Audit Setup | Check for goss file
        ansible.builtin.stat:
@ -58,36 +60,36 @@
        register: goss_available

      - name: Pre Audit Setup | If audit ensure goss is available
-        ansible.builtin.assert:
-            msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
        when:
            - not goss_available.stat.exists
-  when:
-      - run_audit
+        ansible.builtin.assert:
+            msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"

 - name: Pre Audit Setup | Copy ansible default vars values to test audit
+  tags:
+      - goss_template
+      - run_audit
+  when:
+      - run_audit
  ansible.builtin.template:
      src: ansible_vars_goss.yml.j2
      dest: "{{ audit_vars_path }}"
      mode: '0600'
-  when:
-      - run_audit
-  tags:
-      - goss_template
-      - always

- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit"
+- name: Pre Audit | Run pre_remediation {{ benchmark }} audit
  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
  changed_when: true
  environment:
      AUDIT_BIN: "{{ audit_bin }}"
      AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
-      AUDIT_FILE: "goss.yml"
+      AUDIT_FILE: goss.yml

 - name: Pre Audit | Capture audit data if json format
+  when:
+      - audit_format == "json"
  block:
-      - name: "capture data {{ pre_audit_outfile }}"
-        ansible.builtin.shell: "cat {{ pre_audit_outfile }}"
+      - name: capture data {{ pre_audit_outfile }}
+        ansible.builtin.shell: cat {{ pre_audit_outfile }}
        register: pre_audit
        changed_when: false

@ -95,19 +97,22 @@
        ansible.builtin.set_fact:
            pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
        vars:
-            summary: 'summary."summary-line"'
-  when:
-      - audit_format == "json"
+            summary: summary."summary-line"

 - name: Pre Audit | Capture audit data if documentation format
+  when:
+      - audit_format == "documentation"
  block:
-      - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format"
-        ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}"
+      - name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format
+        ansible.builtin.shell: tail -2 {{ pre_audit_outfile }}
        register: pre_audit
        changed_when: false

      - name: Pre Audit | Capture pre-audit result | documentation format
        ansible.builtin.set_fact:
            pre_audit_summary: "{{ pre_audit.stdout_lines }}"
+
+- name: Audit_Only | Run Audit Only
  when:
-      - audit_format == "documentation"
+      - audit_only
+  ansible.builtin.import_tasks: audit_only.yml
--- a/vars/audit.yml
+++ b/vars/audit.yml
@ -0,0 +1,38 @@
+---
+
+#### Audit Configuration Settings ####
+
+# if get_audit_binary_method == download change accordingly
+audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-"
+
+### Goss Audit Benchmark file ###
+## managed by the control audit_content
+# git
+audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
+audit_git_version: "benchmark-{{ benchmark_version }}"
+
+## Goss configuration information
+# Where the goss configs and outputs are stored
+audit_out_dir: '/opt'
+# Where the goss audit configuration will be stored
+audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit"
+
+# If changed these can affect other products
+pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}"
+post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}"
+
+## The following should not need changing
+
+### Audit binary settings ###
+audit_bin_version:
+    release: v0.4.4
+    AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5'
+audit_bin_path: /usr/local/bin/
+audit_bin: "{{ audit_bin_path }}goss"
+audit_format: json
+
+audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
+audit_results: |
+      The pre remediation results are: {{ pre_audit_summary }}.
+      The post remediation results are: {{ post_audit_summary }}.
+      Full breakdown can be found in {{ audit_out_dir }}