Skip to content

Commit

Permalink
Merge pull request #252 from ansible-lockdown/devel
Browse files Browse the repository at this point in the history
Final v1.0 release to main
  • Loading branch information
uk-bolly authored Nov 14, 2024
2 parents 89821b8 + 719efaf commit 383c057
Show file tree
Hide file tree
Showing 6 changed files with 29 additions and 27 deletions.
6 changes: 3 additions & 3 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ ci:

repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0
rev: v5.0.0
hooks:
# Safety
- id: detect-aws-credentials
Expand Down Expand Up @@ -36,13 +36,13 @@ repos:
args: [ '--baseline', '.config/.secrets.baseline' ]

- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.4
rev: v8.21.2
hooks:
- id: gitleaks
args: ['--baseline-path', '.config/.gitleaks-report.json']

- repo: https://github.com/ansible-community/ansible-lint
rev: v24.7.0
rev: v24.9.2
hooks:
- id: ansible-lint
name: Ansible-lint
Expand Down
39 changes: 18 additions & 21 deletions tasks/prelim.yml
Original file line number Diff line number Diff line change
Expand Up @@ -138,35 +138,32 @@
- always

- name: "PRELIM | PATCH | Ensure auditd is installed"
block:
- name: "PRELIM | PATCH | Ensure auditd is installed"
ansible.builtin.package:
name: ['auditd', 'audispd-plugins']
state: present
when:
- "'auditd' not in ansible_facts.packages or
'auditd-plugins' not in ansible_facts.packages"

- name: "PRELIM | AUDIT | Audit conf and rules files | list files"
ansible.builtin.find:
path: /etc/audit/
file_type: file
recurse: true
patterns: '*.conf,*.rules'
register: auditd_conf_files

ansible.builtin.package:
name: ['auditd', 'audispd-plugins']
state: present
when:
- ubtu22cis_rule_4_1_1_1 or
ubtu22cis_rule_4_1_4_5 or
ubtu22cis_rule_4_1_4_6 or
ubtu22cis_rule_4_1_4_7
- "'auditd' not in ansible_facts.packages or
'auditd-plugins' not in ansible_facts.packages"
- ubtu22cis_rule_4_1_1_1
tags:
- level2-server
- level2-workstation
- patch
- auditd
- always

- name: "PRELIM | AUDIT | Audit conf and rules files | list files"
ansible.builtin.find:
path: /etc/audit/
file_type: file
recurse: true
patterns: '*.conf,*.rules'
register: auditd_conf_files
tags:
- patch
- auditd
- always

- name: "PRELIM | AUDIT | Check if auditd is immutable before changes"
ansible.builtin.shell: auditctl -l | grep -c '-e 2'
changed_when: false
Expand Down
2 changes: 1 addition & 1 deletion tasks/section_4/cis_4.1.4.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@
"4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
ansible.builtin.file:
path: "{{ audit_discovered_logfile.stdout }}"
mode: "{% if auditd_logfile.stat.mode > '0640' %}0640{% endif %}"
mode: 'u-x,g-wx,o-rwx'
owner: root
group: root
when:
Expand Down
2 changes: 2 additions & 0 deletions tasks/section_4/cis_4.2.3.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@
ansible.builtin.file:
path: "{{ item.path }}"
mode: '0640'
failed_when: logfiles_perms_update.state not in '[ file, absent ]'
register: logfiles_perms_update
loop: "{{ logfiles.files }}"
loop_control:
label: "{{ item.path }}"
Expand Down
2 changes: 2 additions & 0 deletions tasks/section_6/cis_6.1.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,8 @@
owner: root
group: root
mode: '0644'
failed_when: discovered_file_exists.state not in '[ file, absent ]'
register: discovered_file_exists
when:
- ubtu22cis_rule_6_1_2
tags:
Expand Down
5 changes: 3 additions & 2 deletions vars/audit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,9 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma

### Audit binary settings ###
audit_bin_version:
release: v0.4.4
AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5'
release: v0.4.8
AMD64_checksum: 'sha256:85d00b7bba5f175bec95de7dfe1f71f8f25204914aad4c6f03c8457868eb6e2f'
ARM64_checksum: 'sha256:bca8c898bfd35b94c51455ece6193c95e2cd7b2b183ac2047b2d76291e73e47d'
audit_bin_path: /usr/local/bin/
audit_bin: "{{ audit_bin_path }}goss"
audit_format: json
Expand Down

0 comments on commit 383c057

Please sign in to comment.