From 44ca73e5893bd18e5e8641969192f4a52df32e94 Mon Sep 17 00:00:00 2001 From: uk-bolly Date: Tue, 19 Mar 2024 17:37:28 +0000 Subject: [PATCH 01/17] Updated to audit and issues (#218) * issue #216 addressed Signed-off-by: Mark Bolwell * moved audit to prelim Signed-off-by: Mark Bolwell * fixed issue with documentation format Signed-off-by: Mark Bolwell * updated Signed-off-by: Mark Bolwell --------- Signed-off-by: Mark Bolwell --- Changelog.md | 5 ++ handlers/main.yml | 2 +- tasks/main.yml | 17 ------- tasks/post_remediation_audit.yml | 2 +- tasks/pre_remediation_audit.yml | 6 +-- tasks/prelim.yml | 83 ++++++++++++++++++++------------ 6 files changed, 61 insertions(+), 54 deletions(-) diff --git a/Changelog.md b/Changelog.md index ff0aae1..33bd857 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,11 @@ ## Based on CIS V1.0.0 +### 1.1.0 + +- #216 thanks to @txsastre +- moved the audit to run prior to any changes taking place on the system (exception of required) + ### 1.0.9 - updated audit command to allow multiple groups from inventory diff --git a/handlers/main.yml b/handlers/main.yml index 23f1ca4..1f415fd 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -113,7 +113,7 @@ - name: Auditd rules reload ansible.builtin.shell: augenrules --load when: - - '"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout' + - not auditd_immutable_check or '"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout' - name: Audit_immutable_fact ansible.builtin.debug: diff --git a/tasks/main.yml b/tasks/main.yml index 1107673..44b716f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
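Review bot: `not auditd_immutable_check` in the new `when` can never be true: `auditd_immutable_check` is the registered result of the prelim `auditctl -l | grep -c '-e 2'` task, and a registered result is a non-empty mapping, so the handler still reloads only when the augenrules check output changed. The count lives in `.stdout`, so the intended "not immutable" test is `- auditd_immutable_check.stdout == '0' or '"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout'`; note also that grep receives `'-e 2'` as the option `-e` with pattern ` 2`, so `grep -c -- '-e 2'` in the prelim task makes that match exact. If rule 4.1.3.21 is disabled, `ubtu22cis_rule_4_1_3_21_augen_check` may be undefined here, which the condition should guard with `is defined`.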
@@ -119,23 +119,6 @@ tags: - always -- name: Include audit specific variables - ansible.builtin.include_vars: audit.yml - when: - - run_audit or audit_only - - setup_audit - tags: - - setup_audit - - run_audit - -- name: Include pre-remediation audit tasks - ansible.builtin.import_tasks: pre_remediation_audit.yml - when: - - run_audit or audit_only - - setup_audit - tags: - - run_audit - - name: Run parse /etc/passwd ansible.builtin.import_tasks: file: parse_etc_password.yml diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 2c51bbb..d58fc09 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,7 +1,7 @@ --- - name: Post Audit | Run post_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index e3a261e..682ae11 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -77,7 +77,7 @@ mode: '0600' - name: Pre Audit | Run pre_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" 
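Review bot: The new `-f {{ audit_format }}` joins `audit_vars_path` and `post_audit_outfile` as unquoted words on a `shell` command line, so whitespace or shell metacharacters in any of them are re-parsed by the shell; `post_audit_outfile` embeds `ansible_facts.hostname`, a value reported by the managed host. The task runs one script with fixed arguments, so `ansible.builtin.command` with an `argv` list passes each value as a single argument and removes the shell from the path entirely; `| string` keeps the current rendering of the `group_names` list, and `changed_when`/`environment` stay as they are.
```yaml
- name: Post Audit | Run post_remediation {{ benchmark }} audit
  ansible.builtin.command:
    argv:
      - "{{ audit_conf_dir }}/run_audit.sh"
      - -v
      - "{{ audit_vars_path }}"
      - -f
      - "{{ audit_format }}"
      - -o
      - "{{ post_audit_outfile }}"
      - -g
      - "{{ group_names | string }}"
  # … unchanged: changed_when, environment …
```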
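Review bot: `run_audit.sh` is now invoked with whatever `audit_format` holds, but the capture blocks that follow this task only handle `json` and `documentation`; any other value leaves `pre_audit` unregistered and, presumably, `pre_audit_summary` unset, which surfaces later as a templating error in `audit_results` instead of at the point of misconfiguration. An `ansible.builtin.assert` ahead of this task with `that: audit_format in ['json', 'documentation']` and a `fail_msg` naming the variable fails fast. The same check would cover the post-remediation run.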
@@ -88,7 +88,7 @@ when: - audit_format == "json" block: - - name: capture data {{ pre_audit_outfile }} + - name: Pre Audit | Capture data {{ pre_audit_outfile }} ansible.builtin.shell: cat {{ pre_audit_outfile }} register: pre_audit changed_when: false @@ -103,7 +103,7 @@ when: - audit_format == "documentation" block: - - name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format + - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format ansible.builtin.shell: tail -2 {{ pre_audit_outfile }} register: pre_audit changed_when: false diff --git a/tasks/prelim.yml b/tasks/prelim.yml index cb3f867..8a51c95 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -1,11 +1,11 @@ --- -- name: "PRELIM | Set default values for facts" +- name: "PRELIM | AUDIT | Set default values for facts" ansible.builtin.set_fact: control_1_6_1_4_was_run: false ubtu22cis_apparmor_enforce_only: false changed_when: false -- name: "PRELIM | Register if snap being used" +- name: "PRELIM | AUDIT | Register if snap being used" ansible.builtin.shell: df -h | grep -wc "/snap" changed_when: false failed_when: snap_pkg_mgr.rc not in [ 0, 1 ] @@ -16,7 +16,7 @@ when: - ubtu22cis_rule_1_1_1_2 -- name: "PRELIM | Register if squashfs is built into the kernel" +- name: "PRELIM | AUDIT | Register if squashfs is built into the kernel" ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs" changed_when: false failed_when: squashfs_builtin.rc not in [ 0, 1 ] 
@@ -27,26 +27,26 @@ when: - ubtu22cis_rule_1_1_1_2 -- name: "PRELIM | Section 1.1 | Create list of mount points" +- name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points" ansible.builtin.set_fact: mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" tags: - always -- name: PRELIM | Capture tmp mount type | discover mount tmp type +- name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type block: - - name: PRELIM | Capture tmp mount type | discover mount tmp type + - name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type ansible.builtin.shell: systemctl is-enabled tmp.mount register: discover_tmp_mnt_type changed_when: false failed_when: discover_tmp_mnt_type.rc not in [ 0, 1 ] - - name: PRELIM | Capture tmp mount type | Set to expected_tmp_mnt variable + - name: PRELIM | AUDIT | Capture tmp mount type | Set to expected_tmp_mnt variable ansible.builtin.set_fact: tmp_mnt_type: "{{ expected_tmp_mnt }}" when: "'generated' in discover_tmp_mnt_type.stdout" - - name: PRELIM | Capture tmp mount type | Set systemd service + - name: PRELIM | AUDIT | Capture tmp mount type | Set systemd service ansible.builtin.set_fact: tmp_mnt_type: tmp_systemd when: "'generated' not in discover_tmp_mnt_type.stdout" @@ -59,16 +59,7 @@ tags: - always -- name: "PRELIM | Run apt update" - ansible.builtin.package: - update_cache: true - when: - - ubtu22cis_rule_1_3_1 or - ubtu22cis_rule_1_9 - tags: - - always - -- name: "PRELIM | Check for autofs service" +- name: "PRELIM | AUDIT | Check for autofs service" ansible.builtin.shell: "systemctl show autofs | grep LoadState | cut -d = -f 2" register: ubtu22cis_autofs_service_status changed_when: false @@ -80,7 +71,7 @@ - section1 - always -- name: "PRELIM | Check for avahi-daemon service" +- name: "PRELIM | AUDIT | Check for avahi-daemon service" ansible.builtin.shell: "systemctl show avahi-daemon | grep LoadState | cut -d = -f 2" register: avahi_service_status changed_when: false 
@@ -91,7 +82,33 @@ - skip_ansible_lint - always -- name: "PRELIM | Install Network-Manager" +- name: Include audit specific variables + ansible.builtin.include_vars: audit.yml + when: + - run_audit or audit_only + - setup_audit + tags: + - setup_audit + - run_audit + +- name: Include pre-remediation audit tasks + ansible.builtin.import_tasks: pre_remediation_audit.yml + when: + - run_audit or audit_only + - setup_audit + tags: + - run_audit + +- name: "PRELIM | PATCH | Run apt update" + ansible.builtin.package: + update_cache: true + when: + - ubtu22cis_rule_1_3_1 or + ubtu22cis_rule_1_9 + tags: + - always + +- name: "PRELIM | PATCH | Install Network-Manager" ansible.builtin.package: name: network-manager state: present @@ -133,7 +150,7 @@ - auditd - always -- name: "PRELIM | Check if auditd is immutable before changes" +- name: "PRELIM | AUDIT | Check if auditd is immutable before changes" ansible.builtin.shell: auditctl -l | grep -c '-e 2' changed_when: false failed_when: auditd_immutable_check.rc not in [ 0, 1 ] @@ -142,7 +159,7 @@ tags: - always -- name: "PRELIM | 5.3.4 | 5.3.5 | Find all sudoers files." +- name: "PRELIM | PATCH | 5.3.4/5 | Find all sudoers files." ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false failed_when: false 
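Review bot: The moved `Include pre-remediation audit tasks` import is still gated on `setup_audit` as well as `run_audit or audit_only`, so a host that already carries goss and the audit content (`setup_audit: false`, `run_audit: true`) never gets the pre-remediation baseline the changelog promises and remediation proceeds without it. Inside pre_remediation_audit.yml `setup_audit` only gates the `LE_audit_setup.yml` include, which suggests the outer `when` was meant to be `run_audit or audit_only` alone; if the double gate is intended, the `run_audit` comment in defaults/main.yml should say it has no effect without `setup_audit`. These two tasks are also the only ones in prelim.yml without the `PRELIM | AUDIT |` prefix this commit applies elsewhere, e.g. `- name: "PRELIM | AUDIT | Include audit specific variables"`.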
@@ -154,24 +171,24 @@ tags: - always -- name: "PRELIM | Discover Interactive UID MIN and MIN from logins.def" +- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" block: - - name: "PRELIM | Capture UID_MIN information from logins.def" + - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_min_id - - name: "PRELIM | Capture UID_MAX information from logins.def" + - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_max_id - - name: "PRELIM | Capture GID_MIN information from logins.def" + - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def" ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: gid_min_id - - name: "PRELIM | set_facts for interactive uid/gid" + - name: "PRELIM | AUDIT | Set_facts for interactive uid/gid" ansible.builtin.set_fact: min_int_uid: "{{ uid_min_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}" @@ -181,7 +198,7 @@ tags: - always -- name: "PRELIM | Interactive User accounts" +- name: "PRELIM | AUDIT | Interactive User accounts" ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/false") { print $6 }' changed_when: false @@ -195,7 +212,7 @@ tags: - always -- name: "PRELIM | Install ACL" +- name: "PRELIM | PATCH | Install ACL" ansible.builtin.package: name: acl state: present @@ -205,7 +222,7 @@ tags: - always -- name: "PRELIM | Gather UID 0 accounts other than root" +- name: "PRELIM | AUDIT | Gather UID 0 accounts other than root" ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" changed_when: false check_mode: false 
@@ -217,7 +234,7 @@ - users - always -- name: "PRELIM | List users accounts" +- name: "PRELIM | AUDIT | List users accounts" ansible.builtin.shell: "awk -F: '{print $1}' /etc/passwd" changed_when: false check_mode: false @@ -225,7 +242,9 @@ tags: - always -- name: "Optional | Patch | UFW firewall force to use /etc/sysctl.conf settings" +## Optional + +- name: "Optional | PATCH | UFW firewall force to use /etc/sysctl.conf settings" ansible.builtin.lineinfile: path: /etc/default/ufw regexp: ^IPT_SYSCTL=.* From 0888d2d84f06ec62528d3100bdc3e5051bd4d741 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Wed, 20 Mar 2024 08:05:12 +0000 Subject: [PATCH 02/17] [pre-commit.ci] pre-commit autoupdate (#217) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.2.0 → v24.2.1](https://github.com/ansible-community/ansible-lint/compare/v24.2.0...v24.2.1) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 82858b5..7b11fe7 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -42,7 +42,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.2.0 + rev: v24.2.1 hooks: - id: ansible-lint name: Ansible-lint From 7a8b4df7e300c3b6fe02605f631dba7d6d8a9ee9 Mon Sep 17 00:00:00 2001 From: Eduardo Gonzalez F Date: Wed, 10 Apr 2024 10:54:21 +0100 Subject: [PATCH 03/17] add missing ubtu22cis_rule_6_2_10 (#221) Signed-off-by: Eduardo Gonzalez Fisher --- tasks/prelim.yml | 2 ++ tasks/section_6/cis_6.2.x.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 8a51c95..0c44baf 100644 
--- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -227,6 +227,8 @@ changed_when: false check_mode: false register: ubtu22cis_uid_zero_accounts_except_root + when: + - ubtu22cis_rule_6_2_10 tags: - rule_6.2.10 - level1-server diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index d60e667..46c0638 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -309,8 +309,8 @@ failed_when: false loop: "{{ ubtu22cis_uid_zero_accounts_except_root.stdout_lines }}" when: - - ubtu22cis_uid_zero_accounts_except_root.rc - ubtu22cis_rule_6_2_10 + - ubtu22cis_uid_zero_accounts_except_root.rc tags: - level1-server - level1-workstation From 84850fde7553c605d0b03d3dd2b307c4bf1c28ec Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Wed, 10 Apr 2024 10:54:40 +0100 Subject: [PATCH 04/17] [pre-commit.ci] pre-commit autoupdate (#222) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](https://github.com/pre-commit/pre-commit-hooks/compare/v4.5.0...v4.6.0) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 7b11fe7..5f7e3c0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v4.6.0 hooks: # Safety - id: detect-aws-credentials From ec9745a871639f584659d1e72e4dfdb89318d0c4 Mon Sep 17 00:00:00 2001 From: uk-bolly Date: Thu, 18 Apr 2024 16:17:31 +0100 Subject: [PATCH 05/17] April 24 updates (#224) * updated audit varaiblea and logic Signed-off-by: Mark Bolwell * lint tidy up Signed-off-by: Mark Bolwell * removed unused vars 
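Review bot: Gating the prelim gather task on `ubtu22cis_rule_6_2_10` leaves `ubtu22cis_uid_zero_accounts_except_root` as a skipped result with no `stdout_lines` when the rule is disabled, and Ansible expands `loop` before it evaluates `when`, so the reordered conditions here do not prevent the loop template from failing on the missing attribute. Give the loop a fallback, `loop: "{{ ubtu22cis_uid_zero_accounts_except_root.stdout_lines | default([]) }}"`, so the `when` is what skips the task. While here, `- ubtu22cis_uid_zero_accounts_except_root.rc` relies on an integer being treated as a boolean, which newer ansible-core releases reject; `- ubtu22cis_uid_zero_accounts_except_root.rc != 0` states the intent.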
Signed-off-by: Mark Bolwell * standard quotes around mode Signed-off-by: Mark Bolwell * Added unused filesystem type to skip if container Signed-off-by: Mark Bolwell * changed true to false Signed-off-by: Mark Bolwell * Added nfs client back in error Signed-off-by: Mark Bolwell * updated ansible version Signed-off-by: Mark Bolwell * updated readme Signed-off-by: Mark Bolwell * updated copy, archive, get_url options Signed-off-by: Mark Bolwell * tidy up - lint Signed-off-by: Mark Bolwell * updated Signed-off-by: Mark Bolwell * updated Signed-off-by: Mark Bolwell --------- Signed-off-by: Mark Bolwell --- Changelog.md | 11 ++++- README.md | 4 +- defaults/main.yml | 46 +++++++++---------- handlers/main.yml | 13 ++---- meta/main.yml | 2 +- tasks/LE_audit_setup.yml | 2 +- tasks/audit_only.yml | 2 +- tasks/auditd.yml | 2 +- tasks/main.yml | 2 +- tasks/post_remediation_audit.yml | 6 +-- tasks/pre_remediation_audit.yml | 25 +++++----- tasks/section_1/main.yml | 1 + tasks/section_5/cis_5.2.x.yml | 44 +++++++++--------- tasks/section_6/cis_6.2.x.yml | 4 +- vars/audit.yml | 17 ++++--- vars/is_container.yml | 78 ++++++++++++++++---------------- vars/main.yml | 2 +- 17 files changed, 133 insertions(+), 128 deletions(-) diff --git a/Changelog.md b/Changelog.md index 33bd857..73fe3e7 100644 --- a/Changelog.md +++ b/Changelog.md @@ -4,8 +4,15 @@ ### 1.1.0 -- #216 thanks to @txsastre -- moved the audit to run prior to any changes taking place on the system (exception of required) +- #223 thanks to feedback @txsastre +- audit + - moved the audit to run prior to any changes taking place on the system (exception of required) + - improvements to copy/archive/get_url content methods incl notes in defaults/main.yml + - tidy up and logic of var naming +- lint and tidy up +- ansible version update +- unused filesystem added to skip if container list +- unused vars removed ### 1.0.9 diff --git a/README.md b/README.md index a7e66ce..af7225c 100644 --- a/README.md +++ b/README.md 
@@ -67,9 +67,9 @@ This role was developed against a clean install of the Operating System. If you **Technical Dependencies:** -- Running Ansible/Tower setup (this role is tested against Ansible version 2.10.1 and newer) +- Running Ansible/Tower setup (this role is tested against Ansible version 2.12.1 and newer) - Python3 Ansible run environment -- goss >= 0.4.0 (If using for audit) +- goss >= 0.4.4 (If using for audit) ## Auditing (new) diff --git a/defaults/main.yml b/defaults/main.yml index 7066536..6903d18 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -52,23 +52,26 @@ ubtu22cis_uses_root: false ### Settings for associated Audit role using Goss ### -########################################## +########################################### ### Goss is required on the remote host ### -## Refer to vars/auditd.yml for any other settings ## +### vars/auditd.yml for other settings ### # Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false # enable audits to run - this runs the audit and get the latest content run_audit: false +# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system +audit_run_heavy_tests: true -# Only run Audit do not remediate +## Only run Audit do not remediate audit_only: false -# As part of audit_only -# This will enable files to be copied back to control node +### As part of audit_only ### +# This will enable files to be copied back to control node in audit_only mode fetch_audit_files: false -# Path to copy the files to will create dir structure +# Path to copy the files to will create dir structure in audit_only mode audit_capture_files_dir: /some/location to copy to on control node +############################# # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file 
@@ -81,29 +84,24 @@ get_audit_binary_method: download audit_bin_copy_location: /some/accessible/path # how to get audit files onto host options -# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf +# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf audit_content: git -# archive or copy: -audit_conf_copy: "some path to copy from" - -# get_url: -audit_files_url: "some url maybe s3?" - -# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system -audit_run_heavy_tests: true +# If using either archive, copy, get_url: +## Note will work with .tar files - zip will require extra configuration +### If using get_url this is expecting github url in tar.gz format e.g. +### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz +audit_conf_source: "some path or url to copy from" -# This variable specifies the timeout (in ms) for audit commands that -# take a very long time: if a command takes too long to complete, -# it will be forcefully terminated after the specified duration. -audit_cmd_timeout: 120000 +# Destination for the audit content to be placed on managed node +# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory +audit_conf_dest: "/opt" -### End Goss enablements #### +# Where the audit logs are stored +audit_log_dir: '/opt' -## Running role under chroot -# Tweak role to run in a chroot, such as in a kickstart %post script. -# The correct value of this variable is auto-determined. -ubtu22cis_system_is_chroot: "{{ ansible_is_chroot | default(False) }}" +### Goss Settings ## +####### END ######## ## Running in EC2 pipeline # Skip events for EC2 instance testing pipeline. diff --git a/handlers/main.yml b/handlers/main.yml index 1f415fd..be0968e 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
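Review bot: `audit_log_dir: '/opt'` places the pre/post scan reports, which enumerate every failing CIS control on the host, in a shared directory, and the post-audit task titled `ensure audit files readable by users` then relaxes their permissions, so any local account can read a ready-made list of the machine's weaknesses. A dedicated root-owned directory that is not world-readable is the safer default, and the comment should say why: `# Where the audit reports are written - they list failing controls, keep this directory root-owned and not world-readable`. The placeholder `audit_conf_source: "some path or url to copy from"` is also a live value consumed verbatim by the copy/unarchive tasks whenever `audit_content` is not `git`; a `null` default plus an assert that it is set gives a clear failure instead of an odd path error.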
@@ -2,7 +2,7 @@ - name: Update_Initramfs ansible.builtin.shell: update-initramfs -u - notify: change_requires_reboot + notify: set_reboot_required - name: Remount tmp ansible.posix.mount: @@ -43,7 +43,7 @@ - name: Grub update ansible.builtin.shell: update-grub failed_when: false - notify: change_requires_reboot + notify: set_reboot_required - name: Restart timeservice ansible.builtin.systemd: @@ -118,7 +118,7 @@ - name: Audit_immutable_fact ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" - notify: change_requires_reboot + notify: set_reboot_required when: - audit_rules_updated.changed - auditd_immutable_check is defined @@ -130,14 +130,11 @@ tags: - skip_ansible_lint -- name: restart sshd +- name: Restart sshd ansible.builtin.systemd: name: sshd state: restarted -- name: reload gdm - ansible.builtin.shell: dpkg-reconfigure gdm3 - -- name: change_requires_reboot +- name: set_reboot_required ansible.builtin.set_fact: change_requires_reboot: true diff --git a/meta/main.yml b/meta/main.yml index 7327b59..514dc70 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -7,7 +7,7 @@ galaxy_info: license: MIT namespace: mindpointgroup role_name: ubuntu22_cis - min_ansible_version: 2.10.1 + min_ansible_version: 2.12.1 platforms: - name: Ubuntu versions: diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 08d047d..7ef94b4 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -10,7 +10,7 @@ - name: Pre Audit Setup | Set audit package name | ARM64 ansible.builtin.set_fact: audit_pkg_arch_name: ARM64 - when: ansible_facts.machine == "aarch64" + when: ansible_facts.machine == "arm64" - name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index 864f5bb..ab5a573 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml 
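Review bot: `ansible_facts.machine` on Linux reports `aarch64` (the `uname -m` value); `arm64` is what macOS and BSD hosts report, so after this change the ARM64 condition never matches on an Ubuntu ARM host and `audit_pkg_arch_name` keeps whatever default is set outside this hunk, pulling the wrong goss build. Accepting both spellings, `when: ansible_facts.machine in ['aarch64', 'arm64']`, covers the case that prompted the edit without losing Linux. The `get_url` that follows is cut off here, but since this binary is executed as root during the audit it should carry a `checksum:` pinned per architecture if it does not already.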
@@ -22,7 +22,7 @@ when: - audit_only ansible.builtin.debug: - msg: "The Audit results are: {{ pre_audit_summary }}." + msg: "{{ audit_results.split('\n') }}" - name: Audit_only | Stop Playbook Audit Only selected when: diff --git a/tasks/auditd.yml b/tasks/auditd.yml index d753add..4078d85 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -12,7 +12,7 @@ - Auditd rules reload - Audit_immutable_fact - Restart auditd - - change_requires_reboot + - set_reboot_required when: update_audit_template - name: POST | Set up auditd user logging exceptions diff --git a/tasks/main.yml b/tasks/main.yml index 44b716f..5d138b4 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -175,7 +175,7 @@ tags: - section6 -- name: run auditd logic +- name: Run auditd logic ansible.builtin.import_tasks: file: auditd.yml when: update_audit_template diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index d58fc09..b3111c8 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -5,7 +5,7 @@ changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" AUDIT_FILE: goss.yml - name: Post Audit | ensure audit files readable by users @@ -22,7 +22,7 @@ - audit_format == "json" block: - name: capture data {{ post_audit_outfile }} - ansible.builtin.shell: cat {{ post_audit_outfile }} + ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false @@ -37,7 +37,7 @@ - audit_format == "documentation" block: - name: Post Audit | capture data {{ post_audit_outfile }} - ansible.builtin.shell: tail -2 {{ post_audit_outfile }} + ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" register: post_audit changed_when: false diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 682ae11..d0137e8 100644 --- a/tasks/pre_remediation_audit.yml 
+++ b/tasks/pre_remediation_audit.yml @@ -5,7 +5,8 @@ - setup_audit tags: - setup_audit - ansible.builtin.include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: + file: LE_audit_setup.yml - name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: @@ -32,23 +33,25 @@ when: - audit_content == 'copy' ansible.builtin.copy: - src: "{{ audit_local_copy }}" + src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" mode: preserve - name: Pre Audit Setup | Unarchive audit content files on server when: - - audit_content == 'archived' + - audit_content == 'archive' ansible.builtin.unarchive: - src: "{{ audit_conf_copy }}" - dest: "{{ audit_conf_dir }}" + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}" - name: Pre Audit Setup | Get audit content from url when: - audit_content == 'get_url' - ansible.builtin.get_url: - url: "{{ audit_files_url }}" - dest: "{{ audit_conf_dir }}" + ansible.builtin.unarchive: + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" + remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" + extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" - name: Pre Audit Setup | Check Goss is available when: @@ -81,7 +84,7 @@ changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format @@ -89,7 +92,7 @@ - audit_format == "json" block: - name: Pre Audit | Capture data {{ pre_audit_outfile }} - ansible.builtin.shell: cat {{ pre_audit_outfile }} + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit changed_when: false 
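Review bot: The `get_url` path now fetches and extracts `audit_conf_source` in one `unarchive` step with no integrity check, and the documented example is a mutable branch tarball; the goss content it delivers defines commands the audit runs as root, so this is remote code with no pinning. Splitting it into `get_url` with a `checksum:` (a new `audit_conf_checksum` default next to `audit_conf_source`, e.g. `sha256:<digest>`) followed by a local `unarchive` keeps the convenience while verifying what is run; the `ternary(true, false)` on an already-boolean test can also go.
```yaml
- name: Pre Audit Setup | Download audit content archive
  when:
    - audit_content == 'get_url'
  ansible.builtin.get_url:
    url: "{{ audit_conf_source }}"
    dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit.tar.gz"
    checksum: "{{ audit_conf_checksum }}"  # e.g. "sha256:<digest>", set alongside audit_conf_source
    mode: '0600'

- name: Pre Audit Setup | Unarchive downloaded audit content
  when:
    - audit_content == 'get_url'
  ansible.builtin.unarchive:
    src: "{{ audit_conf_dest }}/{{ benchmark }}-Audit.tar.gz"
    dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
    remote_src: true
    extra_opts: "{{ (audit_conf_source is contains('github')) | ternary(['--strip-components=1'], []) }}"
```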
@@ -104,7 +107,7 @@ - audit_format == "documentation" block: - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format - ansible.builtin.shell: tail -2 {{ pre_audit_outfile }} + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit changed_when: false diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index d8ac800..aebcb18 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -3,6 +3,7 @@ - name: "SECTION | 1.1.1 | Disable Unused Filesystems" ansible.builtin.import_tasks: file: cis_1.1.1.x.yml + when: not system_is_container - name: "SECTION | 1.1.2 | configure /tmp" ansible.builtin.import_tasks: diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 68ac2c8..bb7a35d 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -80,7 +80,7 @@ regexp: '^AllowUsers|^#AllowUsers' line: 'AllowUsers {{ ubtu22cis_sshd.allow_users }}' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: "ubtu22cis_sshd['allow_users']| default('') | length > 0 " - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add allowed groups" @@ -89,7 +89,7 @@ regexp: '^AllowGroups|^#AllowGroups' line: 'AllowGroups {{ ubtu22cis_sshd.allow_groups }}' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: "ubtu22cis_sshd['allow_groups']| default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add deny users" @@ -98,7 +98,7 @@ regexp: '^DenyUsers|^#DenyUsers' line: 'DenyUsers {{ ubtu22cis_sshd.deny_users }} ' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: "ubtu22cis_sshd['deny_users']| default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add deny groups" 
@@ -107,7 +107,7 @@ regexp: '^DenyGroups|^#DenyGroups' line: 'DenyGroups {{ ubtu22cis_sshd.deny_groups }}' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: "ubtu22cis_sshd['deny_groups']| default('') | length > 0" when: - ubtu22cis_rule_5_2_4 @@ -126,7 +126,7 @@ line: "LogLevel {{ ubtu22cis_sshd.log_level }}" insertafter: '^# Logging' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_5 tags: @@ -144,7 +144,7 @@ line: 'UsePAM yes' insertafter: '^# and ChallengeResponseAuthentication' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_6 tags: @@ -162,7 +162,7 @@ regexp: '^PermitRootLogin|^#PermitRootLogin' line: 'PermitRootLogin no' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_7 tags: @@ -179,7 +179,7 @@ regexp: '^HostbasedAuthentication|^#HostbasedAuthentication' line: 'HostbasedAuthentication no' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_8 tags: @@ -197,7 +197,7 @@ line: 'PermitEmptyPasswords no' insertafter: '# To disable tunneled clear text passwords' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_9 tags: @@ -214,7 +214,7 @@ regexp: '^PermitUserEnvironment|^#PermitUserEnvironment' line: 'PermitUserEnvironment no' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_10 tags: @@ -231,7 +231,7 @@ regexp: '^IgnoreRhosts|^#IgnoreRhosts' line: 'IgnoreRhosts yes' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_11 tags: @@ -248,7 +248,7 @@ regexp: '^X11Forwarding|^#X11Forwarding' line: 'X11Forwarding no' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_12 tags: 
@@ -266,7 +266,7 @@ line: "Ciphers {{ ubtu22cis_sshd.ciphers | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_13 tags: @@ -284,7 +284,7 @@ line: "MACs {{ ubtu22cis_sshd.macs | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_14 tags: @@ -302,7 +302,7 @@ line: "KexAlgorithms {{ ubtu22cis_sshd.kex_algorithms | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_15 tags: @@ -319,7 +319,7 @@ regexp: '^AllowTcpForwarding|^#AllowTcpForwarding' line: 'AllowTcpForwarding no' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_16 tags: @@ -337,7 +337,7 @@ line: Banner /etc/issue.net insertafter: '^# no default banner path' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_17 tags: @@ -355,7 +355,7 @@ line: 'MaxAuthTries {{ ubtu22cis_sshd.max_auth_tries }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_18 tags: @@ -372,7 +372,7 @@ regexp: '^MaxStartups|^#MaxStartups' line: 'MaxStartups 10:30:60' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_19 tags: @@ -390,7 +390,7 @@ line: 'MaxSessions {{ ubtu22cis_sshd.max_sessions }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_20 tags: @@ -408,7 +408,7 @@ line: 'LoginGraceTime {{ ubtu22cis_sshd.login_grace_time }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_21 tags: 
@@ -428,7 +428,7 @@ with_items: - { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu22cis_sshd.client_alive_interval }}' } - { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu22cis_sshd.client_alive_count_max }}' } - notify: restart sshd + notify: Restart sshd when: - ubtu22cis_rule_5_2_22 tags: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 46c0638..ed3166a 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -283,7 +283,7 @@ state: directory owner: root group: root - mode: "0755" + mode: '0755' follow: false loop: "{{ root_path_perms.results }}" loop_control: @@ -394,7 +394,7 @@ ansible.builtin.file: path: "{{ item.stat.path }}" state: directory - mode: "0750" + mode: '0750' loop: "{{ rhel_09_6_2_13_home_dir_perms.results }}" loop_control: label: "{{ item }}" diff --git a/vars/audit.yml b/vars/audit.yml index d6f5030..e425229 100644 --- a/vars/audit.yml +++ b/vars/audit.yml 
@@ -15,14 +15,12 @@ audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" audit_git_version: "benchmark-{{ benchmark_version }}" ## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -# Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" +# Where the goss audit configuration will be stored - NOTE benchmark-audit is expected +audit_conf_dir: "{{ audit_conf_dest | default('/opt') }}/{{ benchmark }}-Audit" # If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" ## The following should not need changing @@ -36,6 +34,7 @@ audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. - The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} + The audit results are: {{ pre_audit_summary }} + {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %} + + Full breakdown can be found in {{ audit_log_dir }} diff --git a/vars/is_container.yml b/vars/is_container.yml index 4c93d6b..dd4b3e3 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml 
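Review bot: `pre_audit_outfile` and `post_audit_outfile` now interpolate `audit_log_dir`, which this file no longer defines (the removed `audit_out_dir` was its predecessor) and which, unlike `audit_conf_dest | default('/opt')`, gets no fallback; unless it is set in defaults/main.yml, both audit tasks fail at template time with an undefined-variable error. Giving it the same treatment, `{{ audit_log_dir | default('/opt') }}`, or a comment naming where it is defined would close that gap. The new comment `NOTE benchmark-audit is expected` is unclear — presumably it means the audit checkout directory must be named `{{ benchmark }}-Audit`; saying that explicitly would help.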
@@ -27,47 +27,47 @@ ubtu22cis_rule_2_1_1_1: false ubtu22cis_rule_2_2_1_2: false # Auditd -ubtu22cis_rule_4_1_1_1: true -ubtu22cis_rule_4_1_1_2: true -ubtu22cis_rule_4_1_1_3: true -ubtu22cis_rule_4_1_1_4: true -ubtu22cis_rule_4_1_2_1: true -ubtu22cis_rule_4_1_2_2: true -ubtu22cis_rule_4_1_2_3: true +ubtu22cis_rule_4_1_1_1: false +ubtu22cis_rule_4_1_1_2: false +ubtu22cis_rule_4_1_1_3: false +ubtu22cis_rule_4_1_1_4: false +ubtu22cis_rule_4_1_2_1: false +ubtu22cis_rule_4_1_2_2: false +ubtu22cis_rule_4_1_2_3: false # Auditd rules -ubtu22cis_rule_4_1_3_1: true -ubtu22cis_rule_4_1_3_2: true -ubtu22cis_rule_4_1_3_3: true -ubtu22cis_rule_4_1_3_4: true -ubtu22cis_rule_4_1_3_5: true -ubtu22cis_rule_4_1_3_6: true -ubtu22cis_rule_4_1_3_7: true -ubtu22cis_rule_4_1_3_8: true -ubtu22cis_rule_4_1_3_9: true -ubtu22cis_rule_4_1_3_10: true -ubtu22cis_rule_4_1_3_11: true -ubtu22cis_rule_4_1_3_12: true -ubtu22cis_rule_4_1_3_13: true -ubtu22cis_rule_4_1_3_14: true -ubtu22cis_rule_4_1_3_15: true -ubtu22cis_rule_4_1_3_16: true -ubtu22cis_rule_4_1_3_17: true -ubtu22cis_rule_4_1_3_18: true -ubtu22cis_rule_4_1_3_19: true -ubtu22cis_rule_4_1_3_20: true -ubtu22cis_rule_4_1_3_21: true +ubtu22cis_rule_4_1_3_1: false +ubtu22cis_rule_4_1_3_2: false +ubtu22cis_rule_4_1_3_3: false +ubtu22cis_rule_4_1_3_4: false +ubtu22cis_rule_4_1_3_5: false +ubtu22cis_rule_4_1_3_6: false +ubtu22cis_rule_4_1_3_7: false +ubtu22cis_rule_4_1_3_8: false +ubtu22cis_rule_4_1_3_9: false +ubtu22cis_rule_4_1_3_10: false +ubtu22cis_rule_4_1_3_11: false +ubtu22cis_rule_4_1_3_12: false +ubtu22cis_rule_4_1_3_13: false +ubtu22cis_rule_4_1_3_14: false +ubtu22cis_rule_4_1_3_15: false +ubtu22cis_rule_4_1_3_16: false +ubtu22cis_rule_4_1_3_17: false +ubtu22cis_rule_4_1_3_18: false +ubtu22cis_rule_4_1_3_19: false +ubtu22cis_rule_4_1_3_20: false +ubtu22cis_rule_4_1_3_21: false # Auditd file access -ubtu22cis_rule_4_1_4_1: true -ubtu22cis_rule_4_1_4_2: true -ubtu22cis_rule_4_1_4_3: true -ubtu22cis_rule_4_1_4_4: true 
-ubtu22cis_rule_4_1_4_5: true -ubtu22cis_rule_4_1_4_6: true -ubtu22cis_rule_4_1_4_7: true -ubtu22cis_rule_4_1_4_8: true -ubtu22cis_rule_4_1_4_9: true -ubtu22cis_rule_4_1_4_10: true -ubtu22cis_rule_4_1_4_11: true +ubtu22cis_rule_4_1_4_1: false +ubtu22cis_rule_4_1_4_2: false +ubtu22cis_rule_4_1_4_3: false +ubtu22cis_rule_4_1_4_4: false +ubtu22cis_rule_4_1_4_5: false +ubtu22cis_rule_4_1_4_6: false +ubtu22cis_rule_4_1_4_7: false +ubtu22cis_rule_4_1_4_8: false +ubtu22cis_rule_4_1_4_9: false +ubtu22cis_rule_4_1_4_10: false +ubtu22cis_rule_4_1_4_11: false # cron ubtu22cis_rule_5_1_1: false diff --git a/vars/main.yml b/vars/main.yml index e36495f..9368d8c 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,6 +1,6 @@ --- -min_ansible_version: 2.10.1 +min_ansible_version: 2.12.1 # Set default value for reboot value change_requires_reboot: false # The role discovers dynamically (in tasks/main.yml) whether it From 711377f896675bd13fcf17d7eca147bd478e4d5e Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 22 Apr 2024 08:21:06 +0100 Subject: [PATCH 06/17] [pre-commit.ci] pre-commit autoupdate (#225) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.2.1 → v24.2.2](https://github.com/ansible-community/ansible-lint/compare/v24.2.1...v24.2.2) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5f7e3c0..976cd4a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -42,7 +42,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.2.1 + rev: v24.2.2 hooks: - id: ansible-lint name: Ansible-lint 
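Review bot: Every 4.1.x auditd control is switched off for containers here, but the `# Auditd`, `# Auditd rules` and `# Auditd file access` headings carry no reason, so a later reader cannot tell whether this is a deliberate gap or an oversight. A heading comment such as `# auditd configures the host kernel's audit subsystem, which is not available inside an (unprivileged) container, so 4.1.x is not attempted here` would record the rationale — presumably that is the reason, confirm. Since this also drops the log-file permission and audit-tooling checks in 4.1.4.x, the reduced coverage for containerised hosts is worth a Changelog line.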
From ae114101de695b8ee0c779cb23ff97adce7d0a40 Mon Sep 17 00:00:00 2001 From: DanAtWRS Date: Mon, 22 Apr 2024 00:21:48 -0700 Subject: [PATCH 07/17] Fixes 4.1.3.6 to match CIS v1.0.0 benchmark (#226) Signed-off-by: Dan D --- tasks/section_4/cis_4.1.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index a0d8570..6c1018d 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -70,7 +70,7 @@ - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" block: - name: "4.1.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs" - ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done | grep -vw '/snap' + ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done register: priv_procs changed_when: false check_mode: false From 3e4c49e8c58c9192066abcc0ac223433d708c6ba Mon Sep 17 00:00:00 2001 From: DanAtWRS Date: Mon, 22 Apr 2024 00:22:40 -0700 Subject: [PATCH 08/17] Fixes syntax error in CIS benchmark causing control to never work (#227) Signed-off-by: Dan D --- tasks/section_5/cis_5.5.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index d5492f5..ada449c 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml 
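Review bot: The reason for dropping the `grep -vw '/snap'` exclusion lives only in the commit subject; a comment above the task, e.g. `# CIS v1.0.0 does not exclude /snap mounts, so setuid/setgid binaries under them are collected as well`, would stop it being reinstated later. With the exclusion gone each snap mount presumably contributes its privileged binaries, so the generated rule set may grow noticeably on snap-heavy hosts — worth confirming on a test host. The enclosing 4.1.3.6 block continues outside the hunk.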
@@ -114,7 +114,7 @@ when: ubtu22cis_5_5_1_4_inactive_setting.stdout != ubtu22cis_pass.inactive | string - name: "5.5.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Get Individual users" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\\\s*$|-1)/ || ( $7>1 && $7<{{ ubtu22cis_pass.inactive }}))) {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<{{ ubtu22cis_pass.inactive }}))) {print $1}' /etc/shadow" changed_when: false failed_when: false register: ubtu22cis_5_5_1_4_inactive_users From d63c5b6886587bb4e9dde0d3ede6bd3b2be05a77 Mon Sep 17 00:00:00 2001 From: uk-bolly Date: Mon, 22 Apr 2024 15:55:45 +0100 Subject: [PATCH 09/17] Enhancements (#228) * issue #175 thanks to @rostskadat Signed-off-by: Mark Bolwell * issue #200 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell * updated Signed-off-by: Mark Bolwell * updated name for mount options variables Signed-off-by: Mark Bolwell --------- Signed-off-by: Mark Bolwell --- Changelog.md | 8 +++ defaults/main.yml | 66 ++++++++++-------- handlers/main.yml | 37 ++++++++++ tasks/prelim.yml | 17 +++++ tasks/section_1/cis_1.1.2.x.yml | 82 ++++++++++------------- tasks/section_5/cis_5.2.x.yml | 18 ++--- templates/etc/systemd/system/tmp.mount.j2 | 3 +- 7 files changed, 146 insertions(+), 85 deletions(-) diff --git a/Changelog.md b/Changelog.md index 73fe3e7..798a150 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,14 @@ ## Based on CIS V1.0.0 +### 1.1.1 + +- Huge thanks to + - @rostskadat + - #175 - Allowing changes to the ssh default variables + - @DianaMariaDDM + - #200 - new approach to tmp mount options + ### 1.1.0 - #223 thanks to feedback @txsastre diff --git a/defaults/main.yml b/defaults/main.yml index 6903d18..a7e6665 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
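Review bot: The new regex `($7~/(\s*|-1)/ …)` is vacuously true, because `\s*` matches the empty string in any field, so the whole condition reduces to `/^[^:]+:[^!*]/` and the task lists every account with a usable password hash regardless of its inactive value; the numeric clause that follows never matters. If the intent is to select accounts whose inactive field is empty or -1 (plus whatever the `$7 > 1` clause is meant to catch), an explicit test such as `$7 == "" || $7 == -1` states that without the regex trick. As written the remediation that consumes `ubtu22cis_5_5_1_4_inactive_users` presumably applies to all users — possibly acceptable, but then the task name "Get Individual users" is misleading and deserves a comment. The enclosing 5.5.1.4 block continues outside the hunk.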
@@ -837,6 +837,35 @@ ubtu22cis_rsyslog_ansible_managed: true ## ## Controls 5.2.4/5/13/14/15/18/20/21/22 -- various sshd settings +ubtu22cis_sshd_default_log_level: "INFO" +ubtu22cis_sshd_default_ciphers: + - chacha20-poly1305@openssh.com + - aes256-gcm@openssh.com + - aes128-gcm@openssh.com + - aes256-ctr + - aes192-ctr + - aes128-ctr +ubtu22cis_sshd_default_macs: + - hmac-sha2-512-etm@openssh.com + - hmac-sha2-256-etm@openssh.com + - hmac-sha2-512 + - hmac-sha2-256 +ubtu22cis_sshd_default_kex_algorithms: + - curve25519-sha256 + - curve25519-sha256@libssh.org + - diffie-hellman-group14-sha256 + - diffie-hellman-group16-sha512 + - diffie-hellman-group18-sha512 + - ecdh-sha2-nistp521 + - ecdh-sha2-nistp384 + - ecdh-sha2-nistp256 + - diffie-hellman-group-exchange-sha256 +ubtu22cis_sshd_default_max_auth_tries: 4 +ubtu22cis_sshd_default_max_sessions: 8 +ubtu22cis_sshd_default_login_grace_time: 60 +ubtu22cis_sshd_default_client_alive_interval: 300 +ubtu22cis_sshd_default_client_alive_count_max: 3 + ubtu22cis_sshd: # This variable is used to control the verbosity of the logging produced by the SSH server. # The options for setting it are as follows: 
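Review bot: The new `ubtu22cis_sshd_default_*` variables carry no comment explaining how they relate to the `ubtu22cis_sshd` dict that follows, so a maintainer is likely to edit one cipher or MAC list and not notice the other. A comment above `ubtu22cis_sshd_default_log_level`, e.g. `# Fallback values for the ubtu22cis_sshd dict below; the 5.2.x tasks use them via default() when a key is missing from an overridden dict`, would make the split explicit. Because the cipher, MAC and KEX lists are the security-relevant defaults for controls 5.2.13–5.2.15, a pointer to those controls next to the lists would help reviewers judge future edits.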
@@ -846,51 +875,32 @@ ubtu22cis_sshd: # - `INFO`: logs informational messages in addition to errors; # - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges; # - `DEBUG`: generates very detailed debugging information including sensitive information. - log_level: "INFO" + log_level: "{{ubtu22cis_sshd_default_log_level}}" # This variable specifies the maximum number of authentication attempts that are # allowed for a single SSH session. - max_auth_tries: 4 + max_auth_tries: "{{ubtu22cis_sshd_default_max_auth_tries}}" # This variable specifies the encryption algorithms that can be used for securing # data transmission. - ciphers: - - chacha20-poly1305@openssh.com - - aes256-gcm@openssh.com - - aes128-gcm@openssh.com - - aes256-ctr - - aes192-ctr - - aes128-ctr + ciphers: "{{ubtu22cis_sshd_default_ciphers}}" # This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying # the integrity of data exchanged. - macs: - - hmac-sha2-512-etm@openssh.com - - hmac-sha2-256-etm@openssh.com - - hmac-sha2-512 - - hmac-sha2-256 + macs: "{{ubtu22cis_sshd_default_macs}}" # This variable is used to state the key exchange algorithms used to establish secure encryption # keys during the initial connection setup. - kex_algorithms: - - curve25519-sha256 - - curve25519-sha256@libssh.org - - diffie-hellman-group14-sha256 - - diffie-hellman-group16-sha512 - - diffie-hellman-group18-sha512 - - ecdh-sha2-nistp521 - - ecdh-sha2-nistp384 - - ecdh-sha2-nistp256 - - diffie-hellman-group-exchange-sha256 + kex_algorithms: "{{ubtu22cis_sshd_default_kex_algorithms}}" # This variable sets the time interval in seconds between sending "keep-alive" # messages from the server to the client. These types of messages are intended to # keep the connection alive and prevent it being terminated due to inactivity. 
- client_alive_interval: 300 + client_alive_interval: "{{ubtu22cis_sshd_default_client_alive_interval}}" # This variable sets the maximum number of unresponsive "keep-alive" messages # that can be sent from the server to the client before the connection is considered # inactive and thus, closed. - client_alive_count_max: 3 + client_alive_count_max: "{{ubtu22cis_sshd_default_client_alive_count_max}}" # This variable specifies the amount of seconds allowed for successful authentication to # the SSH server. - login_grace_time: 60 + login_grace_time: "{{ubtu22cis_sshd_default_login_grace_time}}" # This variables is used to set the maximum number of open sessions per connection. - max_sessions: 8 + max_sessions: "{{ubtu22cis_sshd_default_max_sessions}}" # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH # access for users whose user name matches one of the patterns. This is done # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. diff --git a/handlers/main.yml b/handlers/main.yml index be0968e..6499d4b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
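Review bot: The templated values added in this hunk, `log_level: "{{ubtu22cis_sshd_default_log_level}}"` and the seven that follow, omit the spaces inside the Jinja delimiters that the rest of the repository uses (`{{ ubtu22cis_sshd.ciphers | join(',') }}` in the task files); ansible-lint's jinja[spacing] rule flags this and the repo runs ansible-lint through pre-commit. Writing `log_level: "{{ ubtu22cis_sshd_default_log_level }}"` keeps the style uniform. Note that once templated the integer entries (`max_auth_tries`, `login_grace_time`, …) presumably arrive as strings unless Jinja native types are enabled — harmless for lineinfile, but worth a comment if anything compares them numerically.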
@@ -1,5 +1,39 @@ --- +- name: Writing the tmp file | tmp_systemd + ansible.builtin.template: + src: etc/systemd/system/tmp.mount.j2 + dest: /etc/systemd/system/tmp.mount + owner: root + group: root + mode: '0644' + with_items: + - "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" + when: + - "'/tmp' in mount_names" + - item.mount == "/tmp" + - tmp_mnt_type == 'tmp_systemd' + listen: Writing and remounting tmp + +- name: Writing the tmp file | fstab + ansible.posix.mount: + path: /tmp + src: "{{ item.device }}" + state: present + fstype: "{{ item.fstype }}" + opts: defaults,{{ tmp_partition_mount_options | unique | join(',') }} + with_items: + - "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" + when: + - "'/tmp' in mount_names" + - tmp_mnt_type == 'fstab' + - item.mount == "/tmp" + listen: Writing and remounting tmp + - name: Update_Initramfs ansible.builtin.shell: update-initramfs -u notify: set_reboot_required @@ -8,6 +42,9 @@ ansible.posix.mount: path: /tmp state: remounted + when: + - "'/tmp' in mount_names" + listen: Writing and remounting tmp - name: Remount var ansible.posix.mount: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 0c44baf..e307520 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
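Review bot: The two new `Writing the tmp file | …` handlers and the existing `Remount tmp` (second hunk) all `listen: Writing and remounting tmp`, so the write-before-remount order rests solely on their position in the file and nothing says so. A comment above the first handler, `# Keep the two 'Writing the tmp file' handlers above 'Remount tmp': handlers sharing a listen topic run in file order`, would protect that ordering. Separately, `opts: defaults,{{ tmp_partition_mount_options | unique | join(',') }}` re-emits whatever options the live mount reported (presumably `rw,relatime`, tmpfs `size=…` and the like — confirm against the prelim fact) after `defaults`, and `unique` only removes exact duplicates, so a conflicting pair such as `exec`/`noexec` would both be written.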
@@ -59,6 +59,23 @@ tags: - always +- name: PRELIM | Initialize the mount options variable + block: + - name: PRELIM | Initializing the var if there is no /tmp mount | set_fact + ansible.builtin.set_fact: + tmp_partition_mount_options: [] + when: "'/tmp' not in mount_names" + + - name: PRELIM | Initializing the var if there is a /tmp mount | set_fact + ansible.builtin.set_fact: + tmp_partition_mount_options: "{{ item.options.split(',') }}" + loop: "{{ ansible_facts.mounts }}" + when: + - item.mount == "/tmp" + - "'/tmp' in mount_names" + tags: + - always + - name: "PRELIM | AUDIT | Check for autofs service" ansible.builtin.shell: "systemctl show autofs | grep LoadState | cut -d = -f 2" register: ubtu22cis_autofs_service_status diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 5e5f9d2..9d2b903 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml 
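Review bot: `tmp_partition_mount_options: "{{ item.options.split(',') }}"` seeds the list from the options of the currently mounted /tmp, and the 1.1.2.x tasks in this commit later persist that list to fstab or the unit file, so runtime-only options end up written to disk without anything saying so. A comment on the second set_fact, `# Seeded from the live /tmp mount's options; 1.1.2.x appends nodev/noexec/nosuid and the handlers persist the merged list`, would make that flow visible. If more than one entry in `ansible_facts.mounts` has `mount == "/tmp"` (an overmount), the loop keeps only the last one's options — presumably fine, but worth confirming.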
@@ -23,68 +23,56 @@ - rule_1.1.2.1 - tmp -- name: | - "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition | tmp_systemd" - "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition | tmp_systemd" - "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition | tmp_systemd" - ansible.builtin.template: - src: etc/systemd/system/tmp.mount.j2 - dest: /etc/systemd/system/tmp.mount - owner: root - group: root - mode: '0644' - notify: Remount tmp - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" +- name: "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition" + ansible.builtin.set_fact: + tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nodev' ] }}" + changed_when: true + notify: Writing and remounting tmp + vars: + required_mount: '/tmp' when: - - "'/tmp' in mount_names" - - item.mount == "/tmp" - - tmp_mnt_type == 'tmp_systemd' - - ubtu22cis_rule_1_1_2_2 or - ubtu22cis_rule_1_1_2_3 or - ubtu22cis_rule_1_1_2_4 + - required_mount in mount_names + - ubtu22cis_rule_1_1_2_2 tags: - level1-server - level1-workstation - automated - patch - rule_1.1.2.2 - - rule_1.1.2.3 - - rule_1.1.2.4 - tmp -- name: | - "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition | fstab" - "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition | fstab" - "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition | fstab" - ansible.posix.mount: - path: /tmp - src: "{{ item.device }}" - state: present - fstype: "{{ item.fstype }}" - opts: defaults,{% if ubtu22cis_rule_1_1_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_2_4 %}nosuid{% endif %} - notify: Remount tmp - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" +- name: "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition" + ansible.builtin.set_fact: + tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'noexec' ] }}" + changed_when: true + 
notify: Writing and remounting tmp + vars: + required_mount: '/tmp' when: - - "'/tmp' in mount_names" - - tmp_mnt_type == 'fstab' - - item.mount == "/tmp" - - ubtu22cis_rule_1_1_2_1 or - ubtu22cis_rule_1_1_2_2 or - ubtu22cis_rule_1_1_2_3 or - ubtu22cis_rule_1_1_2_4 + - required_mount in mount_names + - ubtu22cis_rule_1_1_2_3 tags: - level1-server - level1-workstation - automated - patch - - rule_1.1.2.2 - - rule_1.1.2.2 - rule_1.1.2.3 + - tmp + +- name: "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition" + ansible.builtin.set_fact: + tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nosuid' ] }}" + changed_when: true + notify: Writing and remounting tmp + vars: + required_mount: '/tmp' + when: + - required_mount in mount_names + - ubtu22cis_rule_1_1_2_4 + tags: + - level1-server + - level1-workstation + - automated + - patch - rule_1.1.2.4 - tmp diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index bb7a35d..d0b0f04 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -123,7 +123,7 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^LogLevel|^#LogLevel' - line: "LogLevel {{ ubtu22cis_sshd.log_level }}" + line: 'LogLevel {{ ubtu22cis_sshd.log_level | default(ubtu22cis_sshd_default_log_level) }}' insertafter: '^# Logging' validate: 'sshd -t -f %s' notify: Restart sshd @@ -263,7 +263,7 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^Ciphers|^#Ciphers' - line: "Ciphers {{ ubtu22cis_sshd.ciphers | join(',') }}" + line: "Ciphers {{ ubtu22cis_sshd.ciphers | default(ubtu22cis_sshd_default_ciphers) | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' notify: Restart sshd 
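Review bot: Each of the three new set_fact tasks declares `changed_when: true` and notifies `Writing and remounting tmp`, so the handler — and with it the remount of /tmp — fires on every run even when the option is already present, whereas the replaced template/mount tasks only reported a change when the file actually changed. Guarding each task, e.g. adding `- "'nodev' not in tmp_partition_mount_options"` to the 1.1.2.2 `when:` (and the `noexec`/`nosuid` equivalents for 1.1.2.3 and 1.1.2.4), keeps the play idempotent; `unique` in the handler only hides the duplicate, it does not stop the notification. The `tmp_mnt_type` condition was dropped from the tasks and now lives only in the handlers, which is fine but deserves a one-line comment here so nobody re-adds it.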
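Review bot: The `| default(ubtu22cis_sshd_default_…)` fallbacks added in the `@@ -123` and `@@ -263` hunks (and in the `-281`, `-299`, `-352`, `-387`, `-405` and `-426` hunks of this file) are not explained; presumably they exist because an inventory override of `ubtu22cis_sshd` replaces the whole dict rather than merging it, so a missing key would otherwise fail the lineinfile. A comment on the first such task, `# default() covers partial overrides of the ubtu22cis_sshd dict, which replaces the whole mapping`, would record why both the dict and the flat variables exist. Note that `default()` does not apply when a key is present but empty, so `ciphers: []` would still render a bare `Ciphers ` line, which `sshd -t` presumably rejects.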
@@ -281,7 +281,7 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^MACs|^#MACs' - line: "MACs {{ ubtu22cis_sshd.macs | join(',') }}" + line: "MACs {{ ubtu22cis_sshd.macs | default(ubtu22cis_sshd_default_macs) | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' notify: Restart sshd @@ -299,7 +299,7 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^KexAlgorithms|^#KexAlgorithms' - line: "KexAlgorithms {{ ubtu22cis_sshd.kex_algorithms | join(',') }}" + line: "KexAlgorithms {{ ubtu22cis_sshd.kex_algorithms | default(ubtu22cis_sshd_default_kex_algorithms) | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' notify: Restart sshd @@ -352,7 +352,7 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^MaxAuthTries|^#MaxAuthTries' - line: 'MaxAuthTries {{ ubtu22cis_sshd.max_auth_tries }}' + line: 'MaxAuthTries {{ ubtu22cis_sshd.max_auth_tries | default(ubtu22cis_sshd_default_max_auth_tries) }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' notify: Restart sshd @@ -387,7 +387,7 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^MaxSessions|^#MaxSessions' - line: 'MaxSessions {{ ubtu22cis_sshd.max_sessions }}' + line: 'MaxSessions {{ ubtu22cis_sshd.max_sessions | default(ubtu22cis_sshd_default_max_sessions) }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' notify: Restart sshd @@ -405,7 +405,7 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^LoginGraceTime|^#LoginGraceTime' - line: 'LoginGraceTime {{ ubtu22cis_sshd.login_grace_time }}' + line: 'LoginGraceTime {{ ubtu22cis_sshd.login_grace_time | default(ubtu22cis_sshd_default_login_grace_time) }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' notify: Restart sshd 
@@ -426,8 +426,8 @@ line: "{{ item.line }}" validate: 'sshd -t -f %s' with_items: - - { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu22cis_sshd.client_alive_interval }}' } - - { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu22cis_sshd.client_alive_count_max }}' } + - { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu22cis_sshd.client_alive_interval | default(ubtu22cis_sshd_default_client_alive_interval) }}' } + - { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu22cis_sshd.client_alive_count_max | default(ubtu22cis_sshd_default_client_alive_count_max) }}' } notify: Restart sshd when: - ubtu22cis_rule_5_2_22 diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2 index fb5df69..72490e3 100644 --- a/templates/etc/systemd/system/tmp.mount.j2 +++ b/templates/etc/systemd/system/tmp.mount.j2 @@ -10,7 +10,8 @@ After=swap.target What=tmpfs Where=/tmp Type=tmpfs -Options: {% if ubtu22cis_rule_1_1_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_2_4 %}nosuid{% endif %} + +Options: {{ tmp_partition_mount_options | unique | join(',') }} [Install] WantedBy=local-fs.target From c2221fd467ac358211697cd470c7155c891fbae0 Mon Sep 17 00:00:00 2001 
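Review bot: The rewritten line in tmp.mount.j2 keeps the `Options:` key, but systemd unit files use `Key=Value` syntax, so it needs to read `Options={{ tmp_partition_mount_options | unique | join(',') }}`; as written systemd should reject the line for lacking `=` and mount /tmp without nodev/noexec/nosuid, so the hardening silently does not apply on the tmp_systemd path. The pre-existing line had the same typo, but since this hunk rewrites it, this is the place to fix it. The added blank line before `Options` is harmless.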
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 10 Jun 2024 10:37:02 +0100 Subject: [PATCH 10/17] [pre-commit.ci] pre-commit autoupdate (#230) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/Yelp/detect-secrets: v1.4.0 → v1.5.0](https://github.com/Yelp/detect-secrets/compare/v1.4.0...v1.5.0) - [github.com/gitleaks/gitleaks: v8.18.2 → v8.18.3](https://github.com/gitleaks/gitleaks/compare/v8.18.2...v8.18.3) - [github.com/ansible-community/ansible-lint: v24.2.2 → v24.5.0](https://github.com/ansible-community/ansible-lint/compare/v24.2.2...v24.5.0) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 976cd4a..c1498ef 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -30,19 +30,19 @@ repos: # Scan for passwords - repo: https://github.com/Yelp/detect-secrets - rev: v1.4.0 + rev: v1.5.0 hooks: - id: detect-secrets args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.2 + rev: v8.18.3 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.2.2 + rev: v24.5.0 hooks: - id: ansible-lint name: Ansible-lint From ca23d86abf6ec10a11bd503da7e244cffa744e19 Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Thu, 13 Jun 2024 13:16:21 +0100 Subject: [PATCH 11/17] [pre-commit.ci] pre-commit autoupdate (#233) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.5.0 → v24.6.0](https://github.com/ansible-community/ansible-lint/compare/v24.5.0...v24.6.0) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c1498ef..d85e471 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -42,7 +42,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.5.0 + rev: v24.6.0 hooks: - id: ansible-lint name: Ansible-lint From 1c8c40feac5b2d8ea9c13e94ad34cb41ed054c9b Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 25 Jun 2024 08:38:11 +0100 Subject: [PATCH 12/17] [pre-commit.ci] pre-commit autoupdate (#237) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.3 → v8.18.4](https://github.com/gitleaks/gitleaks/compare/v8.18.3...v8.18.4) - [github.com/ansible-community/ansible-lint: v24.6.0 → v24.6.1](https://github.com/ansible-community/ansible-lint/compare/v24.6.0...v24.6.1) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d85e471..3942a46 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -36,13 +36,13 @@ repos: args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.3 + rev: v8.18.4 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.6.0 + rev: v24.6.1 hooks: - id: ansible-lint name: Ansible-lint From 543a53c99eedcb31aed7e70083c6543827664e90 Mon Sep 17 00:00:00 2001 From: Damian Poddebniak Date: Tue, 4 Jun 2024 13:58:17 +0200 Subject: [PATCH 13/17] docs: fix and align section names Signed-off-by: Damian Poddebniak --- tasks/section_1/main.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index aebcb18..5ae3027 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml 
@@ -5,46 +5,46 @@ file: cis_1.1.1.x.yml when: not system_is_container -- name: "SECTION | 1.1.2 | configure /tmp" +- name: "SECTION | 1.1.2 | Configure /tmp" ansible.builtin.import_tasks: file: cis_1.1.2.x.yml when: not system_is_container -- name: "SECTION | 1.1.3 | configure /var" +- name: "SECTION | 1.1.3 | Configure /var" ansible.builtin.import_tasks: file: cis_1.1.3.x.yml when: not system_is_container -- name: "SECTION | 1.1.4 | configure /var/tmp" +- name: "SECTION | 1.1.4 | Configure /var/tmp" ansible.builtin.import_tasks: file: cis_1.1.4.x.yml -- name: "SECTION | 1.1.5 | configure /var/log" +- name: "SECTION | 1.1.5 | Configure /var/log" ansible.builtin.import_tasks: file: cis_1.1.5.x.yml when: not system_is_container -- name: "SECTION | 1.1.6 | configure /var/log/audit" +- name: "SECTION | 1.1.6 | Configure /var/log/audit" ansible.builtin.import_tasks: file: cis_1.1.6.x.yml when: not system_is_container -- name: "SECTION | 1.1.7 | configure /home" +- name: "SECTION | 1.1.7 | Configure /home" ansible.builtin.import_tasks: file: cis_1.1.7.x.yml when: not system_is_container -- name: "SECTION | 1.1.8 | configure /dev/shm" +- name: "SECTION | 1.1.8 | Configure /dev/shm" ansible.builtin.import_tasks: file: cis_1.1.8.x.yml when: not system_is_container -- name: "SECTION | 1.1.9 | configure software updates" +- name: "SECTION | 1.1.9 | Disable Automounting" ansible.builtin.import_tasks: file: cis_1.1.9.yml when: not system_is_container -- name: "SECTION | 1.1.10 | Disable USB storage" +- name: "SECTION | 1.1.10 | Disable USB Storage" ansible.builtin.import_tasks: file: cis_1.1.10.yml when: not system_is_container From e22edb358da104fb74f7deed88ae2c50baa260ec Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 15 Jul 2024 17:49:57 +0000 Subject: [PATCH 14/17] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.6.1 → v24.7.0](https://github.com/ansible-community/ansible-lint/compare/v24.6.1...v24.7.0) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3942a46..9b4a326 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -42,7 +42,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.6.1 + rev: v24.7.0 hooks: - id: ansible-lint name: Ansible-lint From f60e47257712f6a1728ed9bfc9db55baf5f3bbbf Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 16 Jul 2024 13:44:11 +0100 Subject: [PATCH 15/17] updated audit components no jmespath required Signed-off-by: Mark Bolwell --- tasks/post_remediation_audit.yml | 22 ++++++++++------------ tasks/pre_remediation_audit.yml | 25 ++++++++++++------------- vars/audit.yml | 4 ++-- 3 files changed, 24 insertions(+), 27 deletions(-) diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index b3111c8..d58e921 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
@@ -21,26 +21,24 @@ when: - audit_format == "json" block: - - name: capture data {{ post_audit_outfile }} - ansible.builtin.shell: "cat {{ post_audit_outfile }}" - register: post_audit + - name: Post Audit | Capture audit data if json format + ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4 + register: post_audit_summary changed_when: false - - name: Capture post-audit result + - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: - post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" - vars: - summary: summary."summary-line" + post_audit_results: "{{ post_audit_summary.stdout }}" - name: Post Audit | Capture audit data if documentation format when: - audit_format == "documentation" block: - - name: Post Audit | capture data {{ post_audit_outfile }} - ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" - register: post_audit + - name: Post Audit | Capture audit data if documentation format + ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation" + register: post_audit_summary changed_when: false - - name: Post Audit | Capture post-audit result + - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: - post_audit_summary: "{{ post_audit.stdout_lines }}" + post_audit_results: "{{ post_audit_summary.stdout }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index d0137e8..a745826 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
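Review bot: The documentation-format branch captures `tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation` — a hard-coded, timestamped path that looks like a debugging leftover — instead of the file the audit just wrote; it should read `ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '`, mirroring the pre-remediation task in the same commit. As written `post_audit_results` is taken from whatever stale file exists at that path, or the task fails when it is absent. The json branch also differs from its pre-remediation twin in how the `"` before `summary-line` is escaped; both forms work, but one convention is easier to keep in sync.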
@@ -91,31 +91,30 @@ when: - audit_format == "json" block: - - name: Pre Audit | Capture data {{ pre_audit_outfile }} - ansible.builtin.shell: "cat {{ pre_audit_outfile }}" - register: pre_audit + - name: Pre Audit | Capture audit data if json format + ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 + register: pre_audit_summary changed_when: false - - name: Pre Audit | Capture pre-audit result + - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" - vars: - summary: summary."summary-line" + pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Pre Audit | Capture audit data if documentation format when: - audit_format == "documentation" block: - - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format - ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" - register: pre_audit + - name: Pre Audit | Capture audit data if documentation format + ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' + register: pre_audit_summary changed_when: false - - name: Pre Audit | Capture pre-audit result | documentation format + - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout_lines }}" + pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Audit_Only | Run Audit Only when: - audit_only - ansible.builtin.import_tasks: audit_only.yml + ansible.builtin.import_tasks: + file: audit_only.yml diff --git a/vars/audit.yml b/vars/audit.yml index e425229..371cb60 100644 --- a/vars/audit.yml +++ b/vars/audit.yml 
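Review bot: `grep -E … | cut -d'"' -f4` exits successfully with empty output when the summary line is absent, because grep's status is masked by cut and no pipefail is set, so `pre_audit_results` can silently become an empty string. Adding `failed_when: pre_audit_summary.stdout | length == 0` to the capture task would surface a broken or truncated audit report instead of presenting it as a result. The same applies to the json branch of post_remediation_audit.yml in this commit.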
@@ -34,7 +34,7 @@ audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The audit results are: {{ pre_audit_summary }} - {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %} + The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results}} + {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %} Full breakdown can be found in {{ audit_log_dir }} From 7d362073726e4c8c2a3ae7649b84524e7f774f32 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 16 Jul 2024 13:45:18 +0100 Subject: [PATCH 16/17] updated workflow Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 292 ++++++++++-------- .../workflows/main_pipeline_validation.yml | 277 +++++++++-------- .github/workflows/update_galaxy.yml | 30 +- 3 files changed, 324 insertions(+), 275 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 134973f..e02fe1f 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml 
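Review bot: `{{ pre_audit_results}}` on the first line of `audit_results` is missing the space before the closing braces; Jinja accepts it, but the neighbouring `{{ post_audit_results }}` has it, so write `{{ pre_audit_results }}`. Both variables are only set inside the `audit_format == "json"` and `"documentation"` blocks of the audit tasks, so with any other `audit_format` this template presumably fails on an undefined variable — a `| default('not captured')` on each would make the summary degrade gracefully if other formats are meant to be accepted.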
@@ -1,139 +1,159 @@ --- - name: Devel pipeline - - on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - - # A workflow run is made up of one or more jobs - # that can run sequentially or in parallel - jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - - # This workflow contains a single job that tests the playbook - playbook-test: - # The type of runner that the job will run on - runs-on: ubuntu-latest - env: - ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v4 + name: Devel pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + # Allow manual running of workflow + workflow_dispatch: + + # Allow permissions for AWS auth + permissions: + id-token: write + contents: read + pull-requests: read + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: self-hosted + + steps: + - uses: actions/first-interaction@main 
with: - ref: ${{ github.event.pull_request.head.sha }} - - # Pull in terraform code for linux servers - - name: Clone GitHub IaC plan - uses: actions/checkout@v4 - with: - repository: ansible-lockdown/github_linux_IaC - path: .github/workflows/github_linux_IaC - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - - - name: DEBUG - Show IaC files - if: env.ENABLE_DEBUG == 'true' - run: | - echo "OSVAR = $OSVAR" - echo "benchmark_type = $benchmark_type" - pwd - ls - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Init - id: init - run: terraform init - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Validate - id: validate - run: terraform validate - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Apply - id: apply - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep ${{ vars.BUILD_SLEEPTIME }} - - # Run the Ansible playbook - - name: 
Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/github_linux_IaC/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - ANSIBLE_INJECT_FACT_VARS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - if: always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. 
+ + # This workflow contains a single job that tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: self-hosted + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + AWS_REGION: "us-east-1" + ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + # working-directory: .github/workflows + + steps: + + - name: Git clone the lockdown repository to test + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: If a variable for IAC_BRANCH is set use that branch + working-directory: .github/workflows + run: | + if [ ${{ vars.IAC_BRANCH }} != '' ]; then + echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV + echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" + else + echo IAC_BRANCH=main >> $GITHUB_ENV + fi + + + # Pull in terraform code for linux servers + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + ref: ${{ env.IAC_BRANCH }} + + # Uses dedicated restricted role and policy to enable this only for this task + # No credentials are part of github for AWS auth + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@main + with: + role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + role-session-name: ${{ secrets.AWS_ROLE_SESSION }} + aws-region: ${{ env.AWS_REGION }} + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" + echo "VPC_ID" = $AWS_VPC_SECGRP_ID" + pwd + ls + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + 
PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} + VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} + + - name: Tofu init + id: init + run: tofu init + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu validate + id: validate + run: tofu validate + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu apply + id: apply + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false + +## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep to allow system to come up + run: sleep ${{ vars.BUILD_SLEEPTIME }} + + # Run the Ansible playbook + - name: Run_Ansible_Playbook + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + run: | + /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml + + # Remove test system - User secrets to keep if necessary + + - name: Tofu Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 8ded701..4a5adc9 100644 
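Review bot: The new `permissions: id-token: write`, combined with the existing `pull_request_target` trigger, the checkout of `${{ github.event.pull_request.head.sha }}` and the later run of that checkout's `../../../site.yml` on a self-hosted runner, means an unreviewed pull request from a fork executes with an OIDC token able to assume `AWS_ASSUME_ROLE`; gating `playbook-test` on a maintainer-applied label or a protected `environment:` with required reviewers, or restricting it to same-repository PRs (`github.event.pull_request.head.repo.full_name == github.repository`), keeps the role out of reach of untrusted code. In the IAC_BRANCH step `if [ ${{ vars.IAC_BRANCH }} != '' ]` expands to `[ != '' ]` when the variable is unset, which `test` rejects with "unary operator expected" — the `main` fallback only runs because a failing `if` condition takes the `else` branch — so quote it: `if [ -n "${{ vars.IAC_BRANCH }}" ]; then`. The debug step's `echo "VPC_ID" = $AWS_VPC_SECGRP_ID"` has an unbalanced quote, so the whole `run:` script fails to parse whenever ENABLE_DEBUG is true, and both echoes reference `$AWS_PRIVSUBNET_ID`/`$AWS_VPC_SECGRP_ID` while the step's `env` defines `PRIVSUBNET_ID` and `VPC_ID`. The newly added `aws-actions/configure-aws-credentials@main` (and the pre-existing `actions/first-interaction@main`) float on a mutable branch; pin them to a release tag or commit SHA so a change upstream cannot alter the credential step. The same four issues apply to the main_pipeline_validation.yml hunk below.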
--- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml 
@@ -1,127 +1,156 @@ --- - name: Main pipeline - - on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - - # A workflow run is made up of one or more jobs - # that can run sequentially or in parallel - jobs: - - # This workflow contains a single job that tests the playbook - playbook-test: - # The type of runner that the job will run on - runs-on: ubuntu-latest - env: - ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v4 + name: Main pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + + # Allow permissions for AWS auth + permissions: + id-token: write + contents: read + pull-requests: read + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: self-hosted + + steps: + - uses: actions/first-interaction@main with: - ref: ${{ github.event.pull_request.head.sha }} - - # Pull in terraform code for linux servers - - name: Clone GitHub IaC plan - uses: actions/checkout@v4 - with: - repository: ansible-lockdown/github_linux_IaC - path: .github/workflows/github_linux_IaC - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - - - name: 
DEBUG - Show IaC files - if: env.ENABLE_DEBUG == 'true' - run: | - echo "OSVAR = $OSVAR" - echo "benchmark_type = $benchmark_type" - pwd - ls - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Init - id: init - run: terraform init - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Validate - id: validate - run: terraform validate - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Apply - id: apply - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep ${{ vars.BUILD_SLEEPTIME }} - - # Run the Ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/github_linux_IaC/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - if: always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ 
secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. + + # This workflow contains a single job that tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: self-hosted + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + AWS_REGION : "us-east-1" + ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + # working-directory: .github/workflows + + steps: + + - name: Git clone the lockdown repository to test + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: If a variable for IAC_BRANCH is set use that branch + working-directory: .github/workflows + run: | + if [ ${{ vars.IAC_BRANCH }} != '' ]; then + echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV + echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" + else + echo IAC_BRANCH=main >> $GITHUB_ENV + fi + + # Pull in terraform code for linux servers + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + ref: ${{ env.IAC_BRANCH }} + + # Uses dedicated restricted role and policy to enable this only for this task + # No credentials are part of github for AWS auth + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@main + with: + role-to-assume: ${{ 
secrets.AWS_ASSUME_ROLE }} + role-session-name: ${{ secrets.AWS_ROLE_SESSION }} + aws-region: ${{ env.AWS_REGION }} + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" + echo "VPC_ID" = $AWS_VPC_SECGRP_ID" + pwd + ls + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} + VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} + + - name: Tofu init + id: init + run: tofu init + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu validate + id: validate + run: tofu validate + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu apply + id: apply + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false + +## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep to allow system to come up + run: sleep ${{ vars.BUILD_SLEEPTIME }} + + # Run the Ansible playbook + - name: Run_Ansible_Playbook + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + run: | + /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml + + # Remove test system - User secrets to keep if necessary + + - 
name: Tofu Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index f935280..b6ee6a1 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,19 +1,19 @@ --- -name: update galaxy + name: update galaxy -on: - push: - branches: - - main -jobs: - update_role: - runs-on: ubuntu-latest - steps: - - name: Checkout repo - uses: actions/checkout@v4 + on: + push: + branches: + - main + jobs: + update_role: + runs-on: ubuntu-latest + steps: + - name: Checkout repo + uses: actions/checkout@v4 - - name: Action Ansible Galaxy Release ${{ github.ref_name }} - uses: ansible-actions/ansible-galaxy-action@main - with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main + with: + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} From 139c0e460a68b8d0540f05be7fe70114942b1003 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 13 Aug 2024 13:25:26 +0100 Subject: [PATCH 17/17] tidy up layout and titles Signed-off-by: Mark Bolwell --- tasks/audit_only.yml | 4 ++-- tasks/prelim.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index ab5a573..4f60834 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml @@ -2,8 +2,8 @@ - name: Audit_Only | Create local Directories for hosts ansible.builtin.file: - mode: '0755' path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" + mode: '0755' recurse: true state: directory when: fetch_audit_files 
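Review bot: `AWS_REGION : "us-east-1"` in the playbook-test job's `env` has a space before the colon, unlike the devel workflow's `AWS_REGION: "us-east-1"`; YAML parses it, but yamllint's `colons` rule flags it, so drop the space. This file now duplicates devel_pipeline_validation.yml almost line for line apart from the trigger branch, so the IAC_BRANCH test, the debug-echo quoting, the `@main` pins and the `pull_request_target` + `id-token: write` exposure raised there apply here as well; moving the shared steps into a `workflow_call` reusable workflow would keep the two from drifting.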
@@ -13,9 +13,9 @@ - name: Audit_only | Get audits from systems and put in group dir ansible.builtin.fetch: dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" + src: "{{ pre_audit_outfile }}" flat: true mode: '0644' - src: "{{ pre_audit_outfile }}" when: fetch_audit_files - name: Audit_only | Show Audit Summary diff --git a/tasks/prelim.yml b/tasks/prelim.yml index e307520..c72db65 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -99,7 +99,7 @@ - skip_ansible_lint - always -- name: Include audit specific variables +- name: "PRELIM | Include audit specific variables" ansible.builtin.include_vars: audit.yml when: - run_audit or audit_only @@ -108,7 +108,7 @@ - setup_audit - run_audit -- name: Include pre-remediation audit tasks +- name: "PRELIM | Include pre-remediation audit tasks" ansible.builtin.import_tasks: pre_remediation_audit.yml when: - run_audit or audit_only