Skip to content

Commit

Permalink
updated audit components
Browse files Browse the repository at this point in the history
Signed-off-by: Mark Bolwell <[email protected]>
  • Loading branch information
uk-bolly committed Jul 9, 2024
1 parent 1522209 commit df3812f
Show file tree
Hide file tree
Showing 5 changed files with 56 additions and 48 deletions.
46 changes: 26 additions & 20 deletions defaults/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,23 +18,30 @@ benchmark: UBUNTU20-CIS
## metadata for Audit benchmark
benchmark_version: 'v2.0.1'

##########################################
###
### Settings for associated Audit role using Goss
###

###########################################
### Goss is required on the remote host ###
## Refer to vars/auditd.yml for any other settings ##
### vars/auditd.yml for other settings ###

# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
setup_audit: false

# enable audits to run - this runs the audit and get the latest content
run_audit: false
# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
audit_run_heavy_tests: true

# Only run Audit do not remediate
## Only run Audit do not remediate
audit_only: false
# As part of audit_only
# This will enable files to be copied back to control node
### As part of audit_only ###
# This will enable files to be copied back to control node in audit_only mode
fetch_audit_files: false
# Path to copy the files to will create dir structure
# Path to copy the files to will create dir structure in audit_only mode
audit_capture_files_dir: /some/location to copy to on control node
#############################

# How to retrieve audit binary
# Options are copy or download - detailed settings at the bottom of this file
Expand All @@ -47,25 +54,24 @@ get_audit_binary_method: download
audit_bin_copy_location: /some/accessible/path

# how to get audit files onto host options
# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf
audit_content: git

# archive or copy:
audit_conf_copy: "some path to copy from"

# get_url:
audit_files_url: "some url maybe s3?"

# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
audit_run_heavy_tests: true
# If using either archive, copy, get_url:
## Note will work with .tar files - zip will require extra configuration
### If using get_url this is expecting github url in tar.gz format e.g.
### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
audit_conf_source: "some path or url to copy from"

# This variable specifies the timeout (in ms) for audit commands that
# take a very long time: if a command takes too long to complete,
# it will be forcefully terminated after the specified duration.
audit_cmd_timeout: 120000
# Destination for the audit content to be placed on managed node
# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory
audit_conf_dest: "/opt"

### End Goss enablements ####
# Where the audit logs are stored
audit_log_dir: '/opt'

### Goss Settings ##
####### END ########
# We've defined complexity-high to mean that we cannot automatically remediate
# the rule in question. In the future this might mean that the remediation
# may fail in some cases.
Expand Down
2 changes: 1 addition & 1 deletion tasks/audit_only.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@
when:
- audit_only
ansible.builtin.debug:
msg: "The Audit results are: {{ pre_audit_summary }}."
msg: "{{ audit_results.split('\n') }}"

- name: Audit_only | Stop Playbook Audit Only selected
when:
Expand Down
8 changes: 4 additions & 4 deletions tasks/post_remediation_audit.yml
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
---

- name: Post Audit | Run post_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
AUDIT_FILE: goss.yml

- name: Post Audit | ensure audit files readable by users
Expand All @@ -22,7 +22,7 @@
- audit_format == "json"
block:
- name: capture data {{ post_audit_outfile }}
ansible.builtin.shell: cat {{ post_audit_outfile }}
ansible.builtin.shell: "cat {{ post_audit_outfile }}"
register: post_audit
changed_when: false

Expand All @@ -37,7 +37,7 @@
- audit_format == "documentation"
block:
- name: Post Audit | capture data {{ post_audit_outfile }}
ansible.builtin.shell: tail -2 {{ post_audit_outfile }}
ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
register: post_audit
changed_when: false

Expand Down
31 changes: 17 additions & 14 deletions tasks/pre_remediation_audit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,8 @@
- setup_audit
tags:
- setup_audit
ansible.builtin.include_tasks: LE_audit_setup.yml
ansible.builtin.include_tasks:
file: LE_audit_setup.yml

- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists
ansible.builtin.file:
Expand All @@ -32,23 +33,25 @@
when:
- audit_content == 'copy'
ansible.builtin.copy:
src: "{{ audit_local_copy }}"
src: "{{ audit_conf_source }}"
dest: "{{ audit_conf_dest }}"
mode: preserve

- name: Pre Audit Setup | Unarchive audit content files on server
when:
- audit_content == 'archived'
- audit_content == 'archive'
ansible.builtin.unarchive:
src: "{{ audit_conf_copy }}"
dest: "{{ audit_conf_dir }}"
src: "{{ audit_conf_source }}"
dest: "{{ audit_conf_dest }}"

- name: Pre Audit Setup | Get audit content from url
when:
- audit_content == 'get_url'
ansible.builtin.get_url:
url: "{{ audit_files_url }}"
dest: "{{ audit_conf_dir }}"
ansible.builtin.unarchive:
src: "{{ audit_conf_source }}"
dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}"
extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}"

- name: Pre Audit Setup | Check Goss is available
when:
Expand Down Expand Up @@ -77,19 +80,19 @@
mode: '0600'

- name: Pre Audit | Run pre_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
AUDIT_FILE: goss.yml

- name: Pre Audit | Capture audit data if json format
when:
- audit_format == "json"
block:
- name: capture data {{ pre_audit_outfile }}
ansible.builtin.shell: cat {{ pre_audit_outfile }}
- name: Pre Audit | Capture data {{ pre_audit_outfile }}
ansible.builtin.shell: "cat {{ pre_audit_outfile }}"
register: pre_audit
changed_when: false

Expand All @@ -103,8 +106,8 @@
when:
- audit_format == "documentation"
block:
- name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format
ansible.builtin.shell: tail -2 {{ pre_audit_outfile }}
- name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format
ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}"
register: pre_audit
changed_when: false

Expand Down
17 changes: 8 additions & 9 deletions vars/audit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,14 +15,12 @@ audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
audit_git_version: "benchmark_{{ benchmark_version }}"

## Goss configuration information
# Where the goss configs and outputs are stored
audit_out_dir: '/opt'
# Where the goss audit configuration will be stored
audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit"
# Where the goss audit configuration will be stored - NOTE benchmark-audit is expected
audit_conf_dir: "{{ audit_conf_dest | default('/opt') }}/{{ benchmark }}-Audit"

# If changed these can affect other products
pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}"
post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}"
pre_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}"
post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}"

## The following should not need changing

Expand All @@ -36,6 +34,7 @@ audit_format: json

audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
audit_results: |
The pre remediation results are: {{ pre_audit_summary }}.
The post remediation results are: {{ post_audit_summary }}.
Full breakdown can be found in {{ audit_out_dir }}
The audit results are: {{ pre_audit_summary }}
{% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %}
Full breakdown can be found in {{ audit_log_dir }}

0 comments on commit df3812f

Please sign in to comment.