Merge pull request #405 from ansible-lockdown/pub_oct25

workflow and audit improvements

.github/workflows/devel_pipeline_validation.yml

@@ -17,12 +17,6 @@
     # Allow manual running of workflow
     workflow_dispatch:
 
-  # Allow permissions for AWS auth
-  permissions:
-    id-token: write
-    contents: read
-    pull-requests: read
-
   # A workflow run is made up of one or more jobs
   # that can run sequentially or in parallel
   jobs:
@@ -30,6 +24,10 @@
     welcome:
       runs-on: ubuntu-latest
 
+      permissions:
+        issues: write
+        pull-requests: write
+
       steps:
         - uses: actions/first-interaction@main
           with:
@@ -45,6 +43,13 @@
     playbook-test:
       # The type of runner that the job will run on
       runs-on: self-hosted
+
+      # Allow permissions for AWS auth
+      permissions:
+        id-token: write
+        contents: read
+        pull-requests: read
+
       env:
         ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
         # Imported as a variable by terraform

Changelog.md

@@ -10,6 +10,7 @@
 - Added max-concurrent options for audit
 - work flow updates
 - audit logic improvements
+- auditd template 2.19 compatible
 
 ## 2.0.3 - Based on CIS v2.0.0
 - addressed issue #387, thank you @fragglexarmy

defaults/main.yml

@@ -94,8 +94,6 @@ audit_max_concurrent: 50
 ## Only run Audit do not remediate
 audit_only: false
 ### As part of audit_only ###
-# This will enable files to be copied back to control node in audit_only mode
-fetch_audit_files: false
 # Path to copy the files to will create dir structure in audit_only mode
 audit_capture_files_dir: /some/location to copy to on control node
 #############################

tasks/pre_remediation_audit.yml

@@ -85,6 +85,7 @@
     - name: Pre Audit | Capture audit data if json format
       ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4
       changed_when: false
+      failed_when: pre_audit_summary.stderr | length > 0
       register: pre_audit_summary
 
     - name: Pre Audit | Set Fact for audit summary
@@ -97,6 +98,7 @@
     - name: Pre Audit | Capture audit data if documentation format
       ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}"  | tac | tr '\n' ' '
       changed_when: false
+      failed_when: pre_audit_summary.stderr | length > 0
       register: pre_audit_summary
 
     - name: Pre Audit | Set Fact for audit summary

templates/ansible_vars_goss.yml.j2

@@ -37,7 +37,7 @@ rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }}
 ## Benchmark name used by auditing control role
 # The audit variable found at the base
 ## metadata for Audit benchmark
-benchmark_version: 'v2.0.0'
+benchmark_version: {{ benchmark_version }}
 
 benchmark: RHEL9-CIS
 

templates/audit/99_auditd.rules.j2

@@ -10,12 +10,7 @@
 {% endif %}
 {% if rhel9cis_rule_6_3_3_2 %}
 {% set syscalls = ["execve"] %}
-{% set arch_syscalls = [] %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-{%- for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor -%}
 -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
 -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
 {% endif %}
@@ -24,33 +19,18 @@
 {% endif %}
 {% if rhel9cis_rule_6_3_3_4 %}
 {% set syscalls = ["adjtimex","settimeofday"]  %}
-{% set arch_syscalls = [] %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change
 {% set syscalls = ["clock_settime"] %}
-{% set arch_syscalls = [] %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
-{% endif %}
-{% endfor %}
 -w /etc/localtime -p wa -k time-change
 {% endif %}
 {% if rhel9cis_rule_6_3_3_5 %}
 {% set syscalls = ["sethostname","setdomainname"] %}
-{% set arch_syscalls = [] %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
 -w /etc/issue -p wa -k system-locale
@@ -68,12 +48,7 @@
 {% endif %}
 {% if rhel9cis_rule_6_3_3_7 %}
 {% set syscalls = ["creat","open","openat","truncate","ftruncate"] %}
-{% set arch_syscalls = [] %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
@@ -91,62 +66,27 @@
 {% endif %}
 {% if rhel9cis_rule_6_3_3_9 %}
 {% set syscalls = ["chmod","fchmod","fchmodat"] %}
-{% set arch_syscalls = [] %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% set syscalls = ["chown","fchown","lchown","fchownat"] %}
-{% set arch_syscalls = [] %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
-{% set arch_syscalls = [] %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% set syscalls = ["chmod","fchmod","fchmodat"] %}
-{% set arch_syscalls = [] %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% set syscalls = ["chown","fchown","lchown","fchownat"] %}
-{% set arch_syscalls = [] %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
-{% set arch_syscalls = [] %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
 {% endif %}
 {% if rhel9cis_rule_6_3_3_10 %}
 {% set syscalls = ["mount"] %}
-{% set arch_syscalls = [] %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append(syscall) }}
-{% endif %}
-{% endfor %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
 {% endif %}
@@ -161,12 +101,7 @@
 {% endif %}
 {% if rhel9cis_rule_6_3_3_13 %}
 {% set syscalls = ["unlink","unlinkat","rename","renameat"] %}
-{% set arch_syscalls = [] %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
-{% endif %}
-{% endfor %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete
 {% endif %}
@@ -189,12 +124,7 @@
 {% if rhel9cis_rule_6_3_3_19 %}
 -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
 {% set syscalls = ["init_module","finit_module","delete_module","create_module","query_module"] %}
-{% set arch_syscalls = [] %}
+{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
-{% endif %}
-{% endfor %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
 {% endif %}
 {% if rhel9cis_rule_6_3_3_20 %}