diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9b4a326..a679c82 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 + rev: v5.0.0 hooks: # Safety - id: detect-aws-credentials @@ -36,13 +36,13 @@ repos: args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.4 + rev: v8.21.2 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.7.0 + rev: v24.9.2 hooks: - id: ansible-lint name: Ansible-lint diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c72db65..50d73e0 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -138,28 +138,13 @@ - always - name: "PRELIM | PATCH | Ensure auditd is installed" - block: - - name: "PRELIM | PATCH | Ensure auditd is installed" - ansible.builtin.package: - name: ['auditd', 'audispd-plugins'] - state: present - when: - - "'auditd' not in ansible_facts.packages or - 'auditd-plugins' not in ansible_facts.packages" - - - name: "PRELIM | AUDIT | Audit conf and rules files | list files" - ansible.builtin.find: - path: /etc/audit/ - file_type: file - recurse: true - patterns: '*.conf,*.rules' - register: auditd_conf_files - + ansible.builtin.package: + name: ['auditd', 'audispd-plugins'] + state: present when: - - ubtu22cis_rule_4_1_1_1 or - ubtu22cis_rule_4_1_4_5 or - ubtu22cis_rule_4_1_4_6 or - ubtu22cis_rule_4_1_4_7 + - "'auditd' not in ansible_facts.packages or + 'auditd-plugins' not in ansible_facts.packages" + - ubtu22cis_rule_4_1_1_1 tags: - level2-server - level2-workstation 
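Review bot: The rewritten install condition in the tasks/prelim.yml hunk still tests `'auditd-plugins' not in ansible_facts.packages` while the package list installs `audispd-plugins`; `ansible_facts.packages` is presumably keyed by installed package name, so that clause is never false and the task invokes the package module on every play instead of only when a package is missing. Changing it to `'audispd-plugins' not in ansible_facts.packages` would make the skip behave as the task name suggests (the mismatch predates this commit, but the condition is being rewritten here anyway). Separately, the `when` list now gates the install on `ubtu22cis_rule_4_1_1_1` alone where the removed block also accepted rules 4.1.4.5–4.1.4.7; if those rules can be enabled with 4.1.1.1 off, auditd may now be absent when they run. The task's `tags` list continues past the hunk.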
@@ -167,6 +152,18 @@ - auditd - always +- name: "PRELIM | AUDIT | Audit conf and rules files | list files" + ansible.builtin.find: + path: /etc/audit/ + file_type: file + recurse: true + patterns: '*.conf,*.rules' + register: auditd_conf_files + tags: + - patch + - auditd + - always + - name: "PRELIM | AUDIT | Check if auditd is immutable before changes" ansible.builtin.shell: auditctl -l | grep -c '-e 2' changed_when: false diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index b97e9b7..98c9e19 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -23,7 +23,7 @@ "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" ansible.builtin.file: path: "{{ audit_discovered_logfile.stdout }}" - mode: "{% if auditd_logfile.stat.mode > '0640' %}0640{% endif %}" + mode: 'u-x,g-wx,o-rwx' owner: root group: root when: diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index da72894..2ee735b 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -14,6 +14,8 @@ ansible.builtin.file: path: "{{ item.path }}" mode: '0640' + failed_when: logfiles_perms_update.state not in '[ file, absent ]' + register: logfiles_perms_update loop: "{{ logfiles.files }}" loop_control: label: "{{ item.path }}" diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 9c4c677..9770898 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -21,6 +21,8 @@ owner: root group: root mode: '0644' + failed_when: discovered_file_exists.state not in '[ file, absent ]' + register: discovered_file_exists when: - ubtu22cis_rule_6_1_2 tags: diff --git a/vars/audit.yml b/vars/audit.yml index 371cb60..a7076e9 100644 --- a/vars/audit.yml +++ b/vars/audit.yml 
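Review bot: `auditd_conf_files` is now registered unconditionally, since the relocated `find` task carries the `always` tag and no `when`, whereas it previously ran only inside the gated install block; on hosts where the auditd rules are disabled or the package is absent, `/etc/audit/` may not exist and the variable will presumably hold `matched: 0` or a skipped path. If the tasks that consume `auditd_conf_files` are gated on the 4.1.x rules, mirroring that here (`when:` / `- ubtu22cis_rule_4_1_1_1`) keeps the variable's meaning consistent; otherwise a comment above the task such as `# Runs on every play (tag always): consumers must handle an empty result when /etc/audit is missing` would document the new contract. The following task (`Check if auditd is immutable before changes`) continues outside the hunk.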
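Review bot: The symbolic mode `'u-x,g-wx,o-rwx'` in the tasks/section_4/cis_4.1.4.x.yml hunk is subtractive, which is what makes it correct for an "at most 0640" requirement: a log file that is already stricter is left untouched while a looser one is reduced, but that reasoning is not visible from the value alone. A comment above `mode:` would help, e.g. `# subtractive symbolic mode: tightens to 0640 or less, never loosens an already stricter file`. Note also that this expression does not clear setuid/setgid/sticky bits; if those should be removed as well the mode needs the corresponding `s`/`t` letters. The task's `when:` list continues outside the hunk.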
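Review bot: In the tasks/section_4/cis_4.2.3.yml hunk, `failed_when: logfiles_perms_update.state not in '[ file, absent ]'` is a substring test against a string literal, not membership in a list; it happens to work for the `state` values `ansible.builtin.file` returns but is fragile and reads as a list when it is not. Write it as a real list and guard the attribute so a genuine module failure, whose result presumably carries no `state` key, is not replaced by a conditional-evaluation error: `failed_when: logfiles_perms_update.state | default('') not in ['file', 'absent']`. The same construct appears in the tasks/section_6/cis_6.1.x.yml hunk (`discovered_file_exists`) and should be changed there too. Both tasks' `loop`/`when` context continues past their hunks.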
@@ -26,8 +26,9 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma ### Audit binary settings ### audit_bin_version: - release: v0.4.4 - AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5' + release: v0.4.8 + AMD64_checksum: 'sha256:85d00b7bba5f175bec95de7dfe1f71f8f25204914aad4c6f03c8457868eb6e2f' + ARM64_checksum: 'sha256:bca8c898bfd35b94c51455ece6193c95e2cd7b2b183ac2047b2d76291e73e47d' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json
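Review bot: The new `ARM64_checksum` key only protects the download if the task that fetches `audit_bin` (not in this diff) selects the checksum by architecture; confirm that consumer reads `ARM64_checksum` on ARM hosts rather than falling back to `AMD64_checksum` or skipping verification, since otherwise the pinned value is inert. A short comment above `audit_bin_version:` recording the provenance of the values, e.g. `# sha256 digests taken from the upstream goss release assets; update every checksum when bumping release`, would make future bumps less error-prone. The checksum strings themselves cannot be verified from this diff.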