updated
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
parent
06a1f2997c
commit
42aa624d50
4 changed files with 36 additions and 25 deletions
|
|
@ -1,30 +1,30 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Audit_Only | Create local Directories for hosts
|
- name: Audit_Only | Create local Directories for hosts
|
||||||
ansible.builtin.file:
|
|
||||||
mode: '0755'
|
|
||||||
path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
|
|
||||||
recurse: true
|
|
||||||
state: directory
|
|
||||||
when: fetch_audit_files
|
when: fetch_audit_files
|
||||||
|
ansible.builtin.file:
|
||||||
|
mode: '0755'
|
||||||
|
path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
|
||||||
|
recurse: true
|
||||||
|
state: directory
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
become: false
|
become: false
|
||||||
|
|
||||||
- name: Audit_only | Get audits from systems and put in group dir
|
- name: Audit_only | Get audits from systems and put in group dir
|
||||||
ansible.builtin.fetch:
|
|
||||||
dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
|
|
||||||
flat: true
|
|
||||||
mode: '0644'
|
|
||||||
src: "{{ pre_audit_outfile }}"
|
|
||||||
when: fetch_audit_files
|
when: fetch_audit_files
|
||||||
|
ansible.builtin.fetch:
|
||||||
|
dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
|
||||||
|
flat: true
|
||||||
|
mode: '0644'
|
||||||
|
src: "{{ pre_audit_outfile }}"
|
||||||
|
|
||||||
- name: Audit_only | Show Audit Summary
|
- name: Audit_only | Show Audit Summary
|
||||||
when:
|
when:
|
||||||
- audit_only
|
- audit_only
|
||||||
ansible.builtin.debug:
|
ansible.builtin.debug:
|
||||||
msg: "The Audit results are: {{ pre_audit_summary }}."
|
msg: "{{ audit_results.split('\n') }}"
|
||||||
|
|
||||||
- name: Audit_only | Stop Playbook Audit Only selected
|
- name: Audit_only | Stop Playbook Audit Only selected
|
||||||
when:
|
when:
|
||||||
- audit_only
|
- audit_only
|
||||||
ansible.builtin.meta: end_play
|
ansible.builtin.meta: end_play
|
||||||
|
|
|
||||||
|
|
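Review bot: The new summary message references `audit_results`, which nothing in this diff sets; the line it replaces used `pre_audit_summary`, so the variable must come from a task outside this hunk, and if it is missing the `Show Audit Summary` task fails with an undefined-variable error under `audit_only`. A cheap guard is a second condition under that task's `when:`, `- audit_results is defined`. Separately, the `\n` inside the double-quoted YAML scalar is turned into a literal newline by the YAML parser before Jinja sees it; Jinja tolerates a newline inside a string literal so the split should still work, but single-quoting the outer scalar, `msg: '{{ audit_results.split("\n") }}'`, makes the intent explicit and survives re-quoting by formatters.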
@ -63,16 +63,17 @@
|
||||||
register: goss_available
|
register: goss_available
|
||||||
|
|
||||||
- name: Pre Audit Setup | If audit ensure goss is available
|
- name: Pre Audit Setup | If audit ensure goss is available
|
||||||
|
when:
|
||||||
|
- not goss_available.stat.exists
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
that: goss_available.stat.exists
|
|
||||||
msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
|
msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
|
||||||
|
|
||||||
- name: Pre Audit Setup | Copy ansible default vars values to test audit
|
- name: Pre Audit Setup | Copy ansible default vars values to test audit
|
||||||
|
when:
|
||||||
|
- run_audit
|
||||||
tags:
|
tags:
|
||||||
- goss_template
|
- goss_template
|
||||||
- run_audit
|
- run_audit
|
||||||
when:
|
|
||||||
- run_audit
|
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: ansible_vars_goss.yml.j2
|
src: ansible_vars_goss.yml.j2
|
||||||
dest: "{{ audit_vars_path }}"
|
dest: "{{ audit_vars_path }}"
|
||||||
|
|
|
||||||
|
|
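Review bot: The `If audit ensure goss is available` task no longer has a `that:` argument after `that: goss_available.stat.exists` was removed, but `ansible.builtin.assert` requires it, so when the new `when: - not goss_available.stat.exists` condition is true the task fails with a missing-argument error rather than the intended message about the goss binary. Since the task now only runs when the binary is absent, `ansible.builtin.fail:` with the existing `msg:` expresses the intent directly; alternatively keep the assert and restore `that: goss_available.stat.exists`. The second task in this hunk only moves `when:` above `tags:` and needs no change.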
@ -26,8 +26,8 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma
|
||||||
|
|
||||||
### Audit binary settings ###
|
### Audit binary settings ###
|
||||||
audit_bin_version:
|
audit_bin_version:
|
||||||
release: v0.4.4
|
release: v0.4.4
|
||||||
AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5'
|
AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5'
|
||||||
audit_bin_path: /usr/local/bin/
|
audit_bin_path: /usr/local/bin/
|
||||||
audit_bin: "{{ audit_bin_path }}goss"
|
audit_bin: "{{ audit_bin_path }}goss"
|
||||||
audit_format: json
|
audit_format: json
|
||||||
|
|
|
||||||
|
|
@ -3,18 +3,28 @@
|
||||||
|
|
||||||
min_ansible_version: 2.10.1
|
min_ansible_version: 2.10.1
|
||||||
rhel9cis_allowed_crypto_policies:
|
rhel9cis_allowed_crypto_policies:
|
||||||
- 'DEFAULT'
|
- 'DEFAULT'
|
||||||
- 'FUTURE'
|
- 'FUTURE'
|
||||||
- 'FIPS'
|
- 'FIPS'
|
||||||
|
|
||||||
rhel9cis_allowed_crypto_policies_modules:
|
rhel9cis_allowed_crypto_policies_modules:
|
||||||
- 'OSPP'
|
- 'OSPP'
|
||||||
- 'AD-SUPPORT'
|
- 'AD-SUPPORT'
|
||||||
- 'AD-SUPPORT-LEGACY'
|
- 'AD-SUPPORT-LEGACY'
|
||||||
- 'NO-SHA1'
|
- 'NO-SHA1'
|
||||||
|
- 'NO-SSHCBC'
|
||||||
|
- 'NO-SSHETM'
|
||||||
|
- 'NO-SSHWEAKCIPHER'
|
||||||
|
- 'NO-SSHWEAKMAC'
|
||||||
|
- 'NO-WEAKMAC'
|
||||||
|
|
||||||
# Used to control warning summary
|
# Used to control warning summary
|
||||||
warn_control_list: ""
|
warn_control_list: ""
|
||||||
warn_count: 0
|
warn_count: 0
|
||||||
|
|
||||||
gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
|
gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
|
||||||
|
|
||||||
|
## Control 6.3.3.x - Audit template
|
||||||
|
# This variable governs if the auditd logic should be executed(if value is true).
|
||||||
|
# NOTE: The current default value is likely to be overriden(via 'set_fact') by other further tasks(in sub-section 'Auditd rules').
|
||||||
|
update_audit_template: false
|
||||||
|
|
|
||||||
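Review bot: The added comment on `update_audit_template` says the default is "likely to be overriden" without naming where, and misspells overridden; suggest `# Set to true to run the auditd template logic. Later tasks in the 'Auditd rules' sub-section are expected to override this default via set_fact.` The five module names appended to `rhel9cis_allowed_crypto_policies_modules` (`NO-SSHCBC` through `NO-WEAKMAC`) carry no pointer to where each policy module is provided; if any of them is a role-supplied custom `.pmod` rather than one shipped with the OS crypto-policies package, a one-line comment naming the source would let a reviewer confirm the allow-list matches what the hardening tasks actually install.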