ansible-lockdown · uk-bolly · Jul 18, 2024 · Jul 17, 2024 · Jul 17, 2024 · Jul 17, 2024
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## 3.2 STIG V3R13 25th Oct 2023
+
+- updated workflow to use new methods
+  - new ami being used as old obsolete
+- Updated the audit layout
+- New options if using CentOS to update repo files to vaulted.repo
+  - rhel7stig_add_updated_repo
+
 ## 3.1 STIG V3R13 25th Oct 2023
 
 - RHEL_07_010310 - ruleid updated and INACTIVE var created

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -18,26 +18,65 @@ benchmark_version: 'v3r13'
 # Whether to skip the reboot
 rhel7stig_skip_reboot: true
 
-### Audit Binary is required on the remote host
+# With CentOS being EoL many mirrors no longer exist and fail for updates
+# setting to true will replace the default /etc/yum.repos.d/CentOS-Base.repo
+# It will add the new vaulted location where it is possible to get updates and package
+rhel7stig_add_updated_repo: false
+
+###
+### Settings for associated Audit role using Goss
+###
+
+###########################################
+### Goss is required on the remote host ###
+### vars/auditd.yml for other settings  ###
+
+# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
 setup_audit: false
+
+# enable audits to run - this runs the audit and get the latest content
+run_audit: false
+# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
+audit_run_heavy_tests: true
+
+## Only run Audit do not remediate
+audit_only: false
+### As part of audit_only ###
+# This will enable files to be copied back to control node in audit_only mode
+fetch_audit_files: false
+# Path to copy the files to will create dir structure in audit_only mode
+audit_capture_files_dir: /some/location to copy to on control node
+#############################
+
 # How to retrieve audit binary
 # Options are copy or download - detailed settings at the bottom of this file
 # you will need to access to either github or the file already dowmloaded
 get_audit_binary_method: download
 
+## if get_audit_binary_method - copy the following needs to be updated for your environment
+## it is expected that it will be copied from somewhere accessible to the control node
+## e.g copy from ansible control node to remote host
+audit_bin_copy_location: /some/accessible/path
+
 # how to get audit files onto host options
-# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
+# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf
 audit_content: git
 
-# enable audits to run - this runs the audit and get the latest content
-run_audit: false
+# If using either archive, copy, get_url:
+## Note will work with .tar files - zip will require extra configuration
+### If using get_url this is expecting github url in tar.gz format e.g.
+### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
+audit_conf_source: "some path or url to copy from"
 
-# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
-audit_run_heavy_tests: true
-# Timeout for those cmds that take longer to run where timeout set
-audit_cmd_timeout: 60000
+# Destination for the audit content to be placed on managed node
+# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory
+audit_conf_dest: "/opt"
 
-### End Audit enablements ####
+# Where the audit logs are stored
+audit_log_dir: '/opt'
+
+### Goss Settings ##
+####### END ########
 #### Detailed settings found at the end of this document ####
 
 # We've defined complexity-high to mean that we cannot automatically remediate
@@ -737,56 +776,3 @@ rhel7stig_world_write_files_owner_root: false
 # The value given to Defaults timestamp timeout= in the sudo file.
 # Value must be greater than 0 to conform to STIG standards
 rhel7stig_sudo_timestamp_timeout: 1
-
-#### Audit Configuration Settings ####
-# Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
-audit_run_script_environment:
-    AUDIT_BIN: "{{ audit_bin }}"
-    AUDIT_FILE: 'goss.yml'
-    AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
-
-### Audit binary settings ###
-audit_bin_version:
-    release: v0.3.21
-    checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3'
-audit_bin_path: /usr/local/bin/
-audit_bin: "{{ audit_bin_path }}goss"
-audit_format: json
-
-# if get_audit_binary_method == download change accordingly
-audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-amd64"
-
-## if get_audit_binary_method - copy the following needs to be updated for your environment
-## it is expected that it will be copied from somewhere accessible to the control node
-## e.g copy from ansible control node to remote host
-audit_bin_copy_location: /some/accessible/path
-
-### Goss Audit Benchmark file ###
-## managed by the control audit_content
-# git
-audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
-audit_git_version: "benchmark_{{ benchmark_version }}_rh7"
-
-# copy:
-audit_local_copy: "some path to copy from"
-
-# get_url:
-audit_files_url: "some url maybe s3?"
-
-## Goss configuration information
-# Where the goss configs and outputs are stored
-audit_out_dir: '/opt'
-# Where the goss audit configuration will be stored
-audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"
-
-# If changed these can affect other products
-pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
-post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
-
-## The following should not need changing
-audit_control_file: "{{ audit_conf_dir }}goss.yml"
-audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml"
-audit_results: |
-      The pre remediation results are: {{ pre_audit_summary }}.
-      The post remediation results are: {{ post_audit_summary }}.
-      Full breakdown can be found in {{ audit_out_dir }}
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -37,7 +37,7 @@
       src: "{{ rhel7stig_bootloader_path }}/{{ item }}"
       dest: "{{ rhel7stig_not_boot_path }}/{{ item }}"
       remote_src: true
-      mode: 0600
+      mode: '0600'
   with_items:
       - grub.cfg
       - user.cfg

diff --git a/site.yml b/site.yml
@@ -1,10 +1,6 @@
 ---
-- hosts: all  # noqa: name[play]
+- name: Ansible Lockdown Remediation Role
+  hosts: all
   become: true
-  vars:
-      is_container: false
-
   roles:
-  - role: "{{ playbook_dir }}"
-    rhel7stig_system_is_container: "{{ is_container | default(false) }}"
-    rhel7stig_skip_for_travis: false
+      - role: "{{ playbook_dir }}"
diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml
@@ -1,22 +1,32 @@
 ---
 
-- name: Download audit binary
+- name: Pre Audit Setup | Set audit package name
+  block:
+      - name: Pre Audit Setup | Set audit package name | 64bit
+        when: ansible_facts.machine == "x86_64"
+        ansible.builtin.set_fact:
+            audit_pkg_arch_name: AMD64
+
+      - name: Pre Audit Setup | Set audit package name | ARM64
+        when: ansible_facts.machine == "arm64"
+        ansible.builtin.set_fact:
+            audit_pkg_arch_name: ARM64
+
+- name: Pre Audit Setup | Download audit binary
+  when: get_audit_binary_method == 'download'
   ansible.builtin.get_url:
-      url: "{{ audit_bin_url }}"
+      url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}"
       dest: "{{ audit_bin }}"
       owner: root
       group: root
-      checksum: "{{ audit_bin_version.checksum }}"
-      mode: 0555
-  when:
-      - get_audit_binary_method == 'download'
+      checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
+      mode: '0555'
 
-- name: copy audit binary
+- name: Pre Audit Setup | Copy audit binary
+  when: get_audit_binary_method == 'copy'
   ansible.builtin.copy:
       src: "{{ audit_bin_copy_location }}"
       dest: "{{ audit_bin }}"
-      mode: 0555
+      mode: '0555'
       owner: root
       group: root
-  when:
-      - get_audit_binary_method == 'copy'
diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml
@@ -0,0 +1,30 @@
+---
+
+- name: Audit_Only | Create local Directories for hosts
+  when: fetch_audit_files
+  delegate_to: localhost
+  become: false
+  ansible.builtin.file:
+      mode: '0755'
+      path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
+      recurse: true
+      state: directory
+
+- name: Audit_only | Get audits from systems and put in group dir
+  when: fetch_audit_files
+  ansible.builtin.fetch:
+      dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
+      flat: true
+      mode: '0644'
+      src: "{{ pre_audit_outfile }}"
+
+- name: Audit_only | Show Audit Summary
+  when:
+      - audit_only
+  ansible.builtin.debug:
+      msg: "{{ audit_results.split('\n') }}"
+
+- name: Audit_only | Stop Playbook Audit Only selected
+  when:
+      - audit_only
+  ansible.builtin.meta: end_play