From 42aa624d50dad0a526d4c4cd7bab016d710f1ee1 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 24 Jul 2024 14:01:40 +0100
Subject: [PATCH] updated
Signed-off-by: Mark Bolwell
---
 tasks/audit_only.yml | 26 +++++++++++++-------------
 tasks/pre_remediation_audit.yml | 7 ++++---
 vars/audit.yml | 4 ++--
 vars/main.yml | 24 +++++++++++++++++-------
 4 files changed, 36 insertions(+), 25 deletions(-)
diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml
index 864f5bb..b7dad08 100644
--- a/tasks/audit_only.yml
+++ b/tasks/audit_only.yml
@@ -1,30 +1,30 @@
 ---
 - name: Audit_Only | Create local Directories for hosts
- ansible.builtin.file:
- mode: '0755'
- path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
- recurse: true
- state: directory
 when: fetch_audit_files
+ ansible.builtin.file:
+ mode: '0755'
+ path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
+ recurse: true
+ state: directory
 delegate_to: localhost
 become: false
 - name: Audit_only | Get audits from systems and put in group dir
- ansible.builtin.fetch:
- dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
- flat: true
- mode: '0644'
- src: "{{ pre_audit_outfile }}"
 when: fetch_audit_files
+ ansible.builtin.fetch:
+ dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
+ flat: true
+ mode: '0644'
+ src: "{{ pre_audit_outfile }}"
 - name: Audit_only | Show Audit Summary
 when:
- - audit_only
+ - audit_only
 ansible.builtin.debug:
- msg: "The Audit results are: {{ pre_audit_summary }}."
+ msg: "{{ audit_results.split('\n') }}"
 - name: Audit_only | Stop Playbook Audit Only selected
 when:
- - audit_only
+ - audit_only
 ansible.builtin.meta: end_play
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index 266603e..4dc7c49 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
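Review bot: The new `msg: "{{ audit_results.split('\n') }}"` in the Show Audit Summary task depends on `audit_results` being a defined string, but nothing in this patch registers or sets that variable and the previous `pre_audit_summary` reference is dropped; if it is undefined, or is a dict/list rather than a string, the task errors instead of printing the summary. Unless it is registered elsewhere in the role (not visible here), guard the task with `- audit_results is defined` next to `- audit_only`, or fall back to the old message. Note also that in a double-quoted YAML scalar `\n` is turned into a real newline before Jinja sees it, so the split works only because of that YAML escape; a short comment such as `# YAML double quotes turn \n into a newline before Jinja evaluates the split` would save the next reader from "fixing" it.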
@@ -63,16 +63,17 @@
 register: goss_available
 - name: Pre Audit Setup | If audit ensure goss is available
+ when:
+ - not goss_available.stat.exists
 ansible.builtin.assert:
- that: goss_available.stat.exists
 msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
 - name: Pre Audit Setup | Copy ansible default vars values to test audit
+ when:
+ - run_audit
 tags:
 - goss_template
 - run_audit
- when:
- - run_audit
 ansible.builtin.template:
 src: ansible_vars_goss.yml.j2
 dest: "{{ audit_vars_path }}"
diff --git a/vars/audit.yml b/vars/audit.yml
index 9dc666a..151e9eb 100644
--- a/vars/audit.yml
+++ b/vars/audit.yml
@@ -26,8 +26,8 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma
 ### Audit binary settings ###
 audit_bin_version:
- release: v0.4.4
- AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5'
+ release: v0.4.4
+ AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5'
 audit_bin_path: /usr/local/bin/
 audit_bin: "{{ audit_bin_path }}goss"
 audit_format: json
diff --git a/vars/main.yml b/vars/main.yml
index 68fe21d..bbc105f 100644
--- a/vars/main.yml
+++ b/vars/main.yml
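Review bot: Removing `that: goss_available.stat.exists` leaves `ansible.builtin.assert` with only a `msg:`, and `that` is a required argument of the assert module; so in the one case the new `when: - not goss_available.stat.exists` lets the task run (goss binary missing), it fails with a missing-argument error and the explanatory message about `{{ audit_bin }}` is never shown. Either restore `that: goss_available.stat.exists` and drop the `when`, or keep the `when` and change the module line to `ansible.builtin.fail:` with the same `msg`, which is what the new condition expresses. The `when`/`tags` reordering on the second task is cosmetic and fine.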
@@ -3,18 +3,28 @@ min_ansible_version: 2.10.1
 rhel9cis_allowed_crypto_policies:
- - 'DEFAULT'
- - 'FUTURE'
- - 'FIPS'
+ - 'DEFAULT'
+ - 'FUTURE'
+ - 'FIPS'
 rhel9cis_allowed_crypto_policies_modules:
- - 'OSPP'
- - 'AD-SUPPORT'
- - 'AD-SUPPORT-LEGACY'
- - 'NO-SHA1'
+ - 'OSPP'
+ - 'AD-SUPPORT'
+ - 'AD-SUPPORT-LEGACY'
+ - 'NO-SHA1'
+ - 'NO-SSHCBC'
+ - 'NO-SSHETM'
+ - 'NO-SSHWEAKCIPHER'
+ - 'NO-SSHWEAKMAC'
+ - 'NO-WEAKMAC'
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0
 gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
+
+## Control 6.3.3.x - Audit template
+# This variable governs if the auditd logic should be executed(if value is true).
+# NOTE: The current default value is likely to be overriden(via 'set_fact') by other further tasks(in sub-section 'Auditd rules').
+update_audit_template: false
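Review bot: The comment block added above `update_audit_template: false` has spelling and spacing slips (`executed(if`, `overriden(via`, `tasks(in`) and reads as a guess rather than a statement of the variable's contract; suggest `# Controls whether the auditd template logic runs (when true).` and `# NOTE: later tasks in the 'Auditd rules' sub-section may override this default via set_fact.`. The five entries appended to `rhel9cis_allowed_crypto_policies_modules` widen an allow-list, so if that list gates a user-supplied value elsewhere in the role, a one-line comment naming where the check happens would help reviewers confirm it still runs; I cannot see the consumer from this hunk. The block-sequence reindentation here and in the vars/audit.yml hunk is whitespace-only; whichever indent style is being standardised on, it should match the project's yamllint `indent-sequences` setting so the two files do not drift again.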