Merge pull request #333 from ansible-lockdown/audit_only

Audit only and lint

README.md

@@ -168,6 +168,10 @@ uses:
 pre-commit run
 ```
 
-## Credits
+## Credits and Thanks
 
-This repo originated from work done by [Sam Doran](https://github.com/samdoran/ansible-role-stig)
+Massive thanks to the fantastic community and all its members.
+
+This includes a huge thanks and credit to the original authors and maintainers.
+
+Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell

defaults/main.yml

@@ -26,25 +26,46 @@ python2_bin: /bin/python2.7
 benchmark: RHEL7-CIS
 benchmark_version: v3.1.1
 
-#### Basic external goss audit enablement settings ####
-#### Precise details - per setting can be found at the bottom of this file ####
+##########################################
+### Goss is required on the remote host ###
+## Refer to vars/auditd.yml for any other settings ##
 
-### Goss is required on the remote host
+# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
 setup_audit: false
-# How to retrive goss
+
+# enable audits to run - this runs the audit and get the latest content
+run_audit: false
+
+# Only run Audit do not remediate
+audit_only: false
+# As part of audit_only
+# This will enable files to be copied back to control node
+fetch_audit_files: false
+# Path to copy the files to will create dir structure
+audit_capture_files_dir: /some/location to copy to on control node
+
+# How to retrieve audit binary
 # Options are copy or download - detailed settings at the bottom of this file
 # you will need to access to either github or the file already dowmloaded
-get_goss_file: download
+get_audit_binary_method: download
+
+## if get_audit_binary_method - copy the following needs to be updated for your environment
+## it is expected that it will be copied from somewhere accessible to the control node
+## e.g copy from ansible control node to remote host
+audit_bin_copy_location: /some/accessible/path
 
 # how to get audit files onto host options
-# options are git/copy/get_url
+# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
 audit_content: git
 
-# Timeout for those cmds that take longer to run where timeout set
-audit_cmd_timeout: 30000
+# archive or copy:
+audit_conf_copy: "some path to copy from"
 
-# enable audits to run - this  runs the audit and get the latest content
-run_audit: false
+# get_url:
+audit_files_url: "some url maybe s3?"
+
+# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
+audit_run_heavy_tests: true
 
 ### End Goss enablements ####
 #### Detailed settings found at the end of this document ####
@@ -565,55 +586,3 @@ rhel7cis_dotperm_ansiblemanaged: true
 
 # RHEL-07-6.2.18 Clear users from shadow group
 rhel7cis_remove_shadow_grp_usrs: true
-
-#### Goss Configuration Settings ####
-audit_run_script_environment:
-    AUDIT_BIN: "{{ audit_bin }}"
-    AUDIT_FILE: 'goss.yml'
-    AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
-
-### Goss binary settings ###
-goss_version:
-    release: v0.3.23
-    checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d'
-audit_bin_path: /usr/local/bin/
-audit_bin: "{{ audit_bin_path }}goss"
-audit_format: json
-
-# if get_goss_file == download change accordingly
-goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64"
-
-## if get_goss_file - copy the following needs to be updated for your environment
-## it is expected that it will be copied from somewhere accessible to the control node
-## e.g copy from ansible control node to remote host
-copy_goss_from_path: /some/accessible/path
-
-### Goss Audit Benchmark file ###
-## managed by the control audit_content
-# git
-audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
-audit_git_version: "benchmark_{{ benchmark_version }}"
-
-# copy:
-audit_local_copy: "some path to copy from"
-
-# get_url:
-audit_files_url: "some url maybe s3?"
-
-# Where the goss audit configuration will be stored
-audit_files: "/opt/{{ benchmark }}-Audit/"
-
-## Goss configuration information
-# Where the goss configs and outputs are stored
-audit_out_dir: '/opt'
-audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"
-pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
-post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
-
-## The following should not need changing
-goss_file: "{{ audit_conf_dir }}goss.yml"
-audit_vars_path: "{{ audit_conf_dir  }}/vars/{{ ansible_hostname }}.yml"
-audit_results: |
-      The pre remediation results are: {{ pre_audit_summary }}.
-      The post remediation results are: {{ post_audit_summary }}.
-      Full breakdown can be found in {{ audit_out_dir }}

meta/main.yml

@@ -1,7 +1,7 @@
 ---
 
 galaxy_info:
-    author: "Sam Doran, Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, Mark Bolwell, George Nalen"
+    author: "MindPoint group"
     description: "Apply the CIS RHEL7 role"
     company: "MindPoint Group"
     license: MIT

tasks/LE_audit_setup.yml

@@ -1,22 +1,34 @@
 ---
 
-- name: Download goss binary
+- name: Pre Audit Setup | Set audit package name
+  block:
+      - name: Pre Audit Setup | Set audit package name | 64bit
+        ansible.builtin.set_fact:
+            audit_pkg_arch_name: AMD64
+        when: ansible_facts.machine == "x86_64"
+
+      - name: Pre Audit Setup | Set audit package name | ARM64
+        ansible.builtin.set_fact:
+            audit_pkg_arch_name: ARM64
+        when: ansible_facts.machine == "arm64"
+
+- name: Pre Audit Setup | Download audit binary
   ansible.builtin.get_url:
-      url: "{{ goss_url }}"
+      url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}"
       dest: "{{ audit_bin }}"
       owner: root
       group: root
-      checksum: "{{ goss_version.checksum }}"
-      mode: 0555
+      checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
+      mode: '0555'
   when:
-      - get_goss_file == 'download'
+      - get_audit_binary_method == 'download'
 
-- name: Copy goss binary
+- name: Pre Audit Setup | Copy audit binary
   ansible.builtin.copy:
-      src: "{{ copy_goss_from_path }}"
+      src: "{{ audit_bin_copy_location }}"
       dest: "{{ audit_bin }}"
-      mode: 0555
+      mode: '0555'
       owner: root
       group: root
   when:
-      - get_goss_file == 'copy'
+      - get_audit_binary_method == 'copy'

tasks/audit_only.yml

@@ -0,0 +1,30 @@
+---
+
+- name: Audit_Only | Create local Directories for hosts
+  ansible.builtin.file:
+      mode: '0755'
+      path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
+      recurse: true
+      state: directory
+  when: fetch_audit_files
+  delegate_to: localhost
+  become: false
+
+- name: Audit_only | Get audits from systems and put in group dir
+  ansible.builtin.fetch:
+      dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
+      flat: true
+      mode: '0644'
+      src: "{{ pre_audit_outfile }}"
+  when: fetch_audit_files
+
+- name: Audit_only | Show Audit Summary
+  when:
+      - audit_only
+  ansible.builtin.debug:
+      msg: "The Audit results are: {{ pre_audit_summary }}."
+
+- name: Audit_only | Stop Playbook Audit Only selected
+  when:
+      - audit_only
+  ansible.builtin.meta: end_play

tasks/main.yml

@@ -47,7 +47,8 @@
       - rule_5.6
 
 - name: Import prereq checks
-  ansible.builtin.import_tasks: check_prereqs.yml
+  ansible.builtin.import_tasks:
+      file: check_prereqs.yml
   tags:
       - always
       - prereqs
@@ -75,15 +76,28 @@
       - always
 
 - name: Import preliminary tasks
-  ansible.builtin.import_tasks: prelim.yml
+  ansible.builtin.import_tasks:
+      file: prelim.yml
   tags:
       - prelim_tasks
       - always
 
-- name: Import pre remediation audit
-  ansible.builtin.import_tasks: pre_remediation_audit.yml
+- name: Include audit specific variables
+  ansible.builtin.include_vars:
+      file: audit.yml
   when:
+      - run_audit or audit_only
+      - setup_audit
+  tags:
+      - setup_audit
       - run_audit
+
+- name: Include pre-remediation audit tasks
+  ansible.builtin.import_tasks:
+      file: pre_remediation_audit.yml
+  when:
+      - run_audit or audit_only
+      - setup_audit
   tags:
       - run_audit
 
@@ -94,48 +108,56 @@
       - always
 
 - name: Include OS specific variables
-  ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"
+  ansible.builtin.include_vars:
+      file: "{{ ansible_distribution }}.yml"
   tags:
       - always
 
 - name: Run parse etc password for user variables
-  ansible.builtin.import_tasks: parse_etc_password.yml
+  ansible.builtin.import_tasks:
+      file: parse_etc_password.yml
   when:
       - rhel7cis_section5 or
         rhel7cis_section6
 
 - name: Import section 1 tasks
-  ansible.builtin.import_tasks: section_1/main.yml
+  ansible.builtin.import_tasks:
+      file: section_1/main.yml
   when: rhel7cis_section1
   tags:
       - rhel7cis_section1
 
 - name: Import section 2 tasks
-  ansible.builtin.import_tasks: section_2/main.yml
+  ansible.builtin.import_tasks:
+      file: section_2/main.yml
   tags:
       - rhel7cis_section2
   when: rhel7cis_section2
 
 - name: Import section 3 tasks
-  ansible.builtin.import_tasks: section_3/main.yml
+  ansible.builtin.import_tasks:
+      file: section_3/main.yml
   when: rhel7cis_section3
   tags:
       - rhel7cis_section3
 
 - name: Import section 4 tasks
-  ansible.builtin.import_tasks: section_4/main.yml
+  ansible.builtin.import_tasks:
+      file: section_4/main.yml
   when: rhel7cis_section4
   tags:
       - rhel7cis_section4
 
 - name: Import section 5 tasks
-  ansible.builtin.import_tasks: section_5/main.yml
+  ansible.builtin.import_tasks:
+      file: section_5/main.yml
   when: rhel7cis_section5
   tags:
       - rhel7cis_section5
 
 - name: Import section 6 tasks
-  ansible.builtin.import_tasks: section_6/main.yml
+  ansible.builtin.import_tasks:
+      file: section_6/main.yml
   when: rhel7cis_section6
   tags:
       - rhel7cis_section6
@@ -144,17 +166,17 @@
   ansible.builtin.meta: flush_handlers
 
 - name: Post Task
-  ansible.builtin.import_tasks: post.yml
+  ansible.builtin.import_tasks:
+      file: post.yml
   tags:
       - post_tasks
       - always
 
-- name: Import post remediation task
-  ansible.builtin.import_tasks: post_remediation_audit.yml
+- name: Run post audit
+  ansible.builtin.import_tasks:
+      file: post_remediation_audit.yml
   when:
       - run_audit
-  tags:
-      - run_audit
 
 - name: Show Audit Summary
   ansible.builtin.debug: