

Merge pull request #345 from ansible-lockdown/centos_audit_updates
Centos audit updates
uk-bolly authored Jul 18, 2024
2 parents d3e304b + e937580 commit 76e1148
Showing 8 changed files with 86 additions and 35 deletions.
10 changes: 10 additions & 0 deletions ChangeLog.md
@@ -1,5 +1,15 @@
# Release CIS RedHat Enterprise Linux 7 Benchmark

## CIS v4.0.0 21-12-2023

- updated workflows files
- updated audit and layout
- audit_only option added
- added new option for centos to update to archived repo for packages if required
if set to true will update and backup the CentOS-Base file to use new url
- rhel7cis_add_updated_repo
- rule 5.14 updated to remove jmespath reqirement

## v4.0.0 - 21-12-2023

- Rewrite to address v4.0.0 changes - refer to full changelog in release
6 changes: 6 additions & 0 deletions defaults/main.yml
Expand Up @@ -29,6 +29,12 @@ benchmark_version: v4.0.0
## Level are used heavily in audit
rhel7cis_level_1: true
rhel7cis_level_2: true

# With CentOS being EoL many mirrors no longer exist and fail for updates
# setting to true will replace the default /etc/yum.repos.d/CentOS-Base.repo
# It will add the new vaulted location where it is possible to get updates and package
rhel7cis_add_updated_repo: false

###
### Settings for associated Audit role using Goss
###
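Review bot: The comment above `rhel7cis_add_updated_repo` ends on a dangling "updates and package" and does not say that the original file is preserved or that the option is CentOS-only, both of which the task in tasks/main.yml establishes (`backup: true`, `ansible_distribution == "CentOS"`). A fuller wording would be `# It points the repo at the vault.centos.org 7.9.2009 archive (CentOS hosts only); a backup of the original file is kept`. The default stays `false`, so existing users are unaffected.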
12 changes: 12 additions & 0 deletions tasks/main.yml
Expand Up @@ -76,6 +76,18 @@
when:
- system_is_container

- name: Update CentOS repo for packages - Use vaulted/archive URL - backup original
ansible.builtin.template:
src: etc/yum.repos.d/CentOS-Base.repo.j2
dest: /etc/yum.repos.d/CentOS-Base.repo
owner: root
group: root
mode: '0644'
backup: true
when:
- rhel7cis_add_updated_repo
- ansible_distribution == "CentOS"

- name: Run pre-reqs
tags:
- always
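Review bot: The new repo-update task at the top of the hunk has no `tags:`, while the `Run pre-reqs` task right below it is tagged `always`; a tag-limited run would therefore skip the repo fix and then fail in the package tasks it is meant to unblock. Adding `tags: - always` to the task, matching its neighbour, keeps the two consistent. The task keys only on `ansible_distribution == "CentOS"`; whether the role can run on other CentOS major versions, where the pinned 7.9.2009 vault tree would be wrong, is not visible here.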
22 changes: 10 additions & 12 deletions tasks/post_remediation_audit.yml
Expand Up @@ -21,26 +21,24 @@
when:
- audit_format == "json"
block:
- name: Post Audit | Capture data {{ post_audit_outfile }}
ansible.builtin.shell: "cat {{ post_audit_outfile }}"
register: discovered_post_audit
- name: Post Audit | Capture audit data if json format
ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4
changed_when: false
register: post_audit_summary

- name: Post Audit | Capture post-audit result
- name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact:
post_audit_summary: "{{ discovered_post_audit.stdout | from_json | json_query(summary) }}"
vars:
summary: summary."summary-line"
post_audit_results: "{{ post_audit_summary.stdout }}"

- name: Post Audit | Capture audit data if documentation format
when:
- audit_format == "documentation"
block:
- name: Post Audit | Capture data {{ post_audit_outfile }}
ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
register: discovered_post_audit
- name: Post Audit | Capture audit data if documentation format
ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation"
changed_when: false
register: post_audit_summary

- name: Post Audit | Capture post-audit result
- name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact:
post_audit_summary: "{{ discovered_post_audit.stdout_lines }}"
post_audit_results: "{{ post_audit_summary.stdout }}"
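Review bot: The documentation-format task near the end of the hunk tails a hard-coded `/opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation` instead of the role's `{{ post_audit_outfile }}`, so on a real host the command reads a file that does not exist and the block aborts, or at best reads someone else's audit output. This looks like a leftover from local testing; the pre-remediation counterpart in this commit reads `tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '`, and the post task should mirror it as `ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '`. Separately, the json branch's `grep | cut` pipeline exits with cut's status, so an unmatched summary line leaves `post_audit_results` as an empty string rather than failing the task; the same applies to the json branch in tasks/pre_remediation_audit.yml. The enclosing post-audit block starts before the hunk.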
22 changes: 10 additions & 12 deletions tasks/pre_remediation_audit.yml
Expand Up @@ -90,29 +90,27 @@
when:
- audit_format == "json"
block:
- name: Pre Audit | Capture data {{ pre_audit_outfile }}
ansible.builtin.shell: "cat {{ pre_audit_outfile }}"
register: discovered_pre_audit
- name: Pre Audit | Capture audit data if json format
ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4
changed_when: false
register: pre_audit_summary

- name: Pre Audit | Capture pre-audit result
- name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact:
pre_audit_summary: "{{ discovered_pre_audit.stdout | from_json | json_query(summary) }}"
vars:
summary: summary."summary-line"
pre_audit_results: "{{ pre_audit_summary.stdout }}"

- name: Pre Audit | Capture audit data if documentation format
when:
- audit_format == "documentation"
block:
- name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format
ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}"
register: discovered_pre_audit
- name: Pre Audit | Capture audit data if documentation format
ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '
changed_when: false
register: pre_audit_summary

- name: Pre Audit | Capture pre-audit result | documentation format
- name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact:
pre_audit_summary: "{{ discovered_pre_audit.stdout_lines }}"
pre_audit_results: "{{ pre_audit_summary.stdout }}"

- name: Audit_Only | Run Audit Only
when:
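Review bot: The json-format grep at the top of the hunk escapes the opening quote as `'\"summary-line…'`, whereas the post-remediation version in this commit writes `'"summary-line…'`; inside shell single quotes the backslash reaches grep, where ERE `\"` still matches a literal quote, so both work, but the two should read the same so nobody "fixes" one of them later. The documentation-format task here also differs from its post-remediation twin (`tac | tr '\n' ' '` versus a plain `tail -2`), which is worth a one-line comment if the difference is intended, e.g. `# reverse and join the last two lines so the summary renders on one line`. The enclosing pre-audit block starts before the hunk.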
11 changes: 2 additions & 9 deletions tasks/section_5/cis_5.1.4.yml
Expand Up @@ -18,20 +18,13 @@
failed_when: false
register: rhel7cis_5_1_4_logfiles

- name: "5.1.4 | AUDIT | Ensure all logfiles have appropriate access configured | set_fact"
ansible.builtin.set_fact:
rhel7cis_4_2_3_logfiles_flattened: "{{ rhel7cis_5_1_4_logfiles | json_query('stdout_lines[*]') | flatten }}" # noqa: jinja[invalid]
when:
- rhel7cis_5_1_4_logfiles.stdout_lines | length > 0
- rhel7cis_5_1_4_logfiles is defined

- name: "5.1.4 | PATCH | Ensure all logfiles have appropriate access configured | change permissions"
ansible.builtin.file:
path: "{{ item }}"
mode: '0640'
loop: "{{ rhel7cis_5_1_4_logfiles_flattened }}"
loop: "{{ rhel7cis_5_1_4_logfiles.stdout_lines }}"
when:
- rhel7cis_5_1_4_logfiles_flattened is defined
- rhel7cis_5_1_4_logfiles.stdout_lines | length > 0
- item != "/var/log/btmp"
- item != "/var/log/utmp"
- item != "/var/log/wtmp"
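Review bot: Ansible templates `loop:` before it evaluates `when:`, so the `rhel7cis_5_1_4_logfiles.stdout_lines | length > 0` condition added in this hunk never guards the loop: if `stdout_lines` were undefined the task would already have errored on the loop expression, and an empty list simply produces zero iterations. The guard can be dropped in favour of `loop: "{{ rhel7cis_5_1_4_logfiles.stdout_lines | default([]) }}"`, which also covers the case where the registering task was skipped. That registering task is only partly inside the hunk, so whether it can be skipped is not visible here.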
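--- a/templates/etc/yum.repos.d/CentOS-Base.repo.j2
+++ b/templates/etc/yum.repos.d/CentOS-Base.repo.j2
@@ -0,0 +1,34 @@
+# Note the BaseUrl Changes
+## This is due to CentOS being End Of Life
+# This will now use the legacy archived path
+# Original paths
+# mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
+# #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
+
+[base]
+name=CentOS-$releasever - Base
+baseurl=https://vault.centos.org/7.9.2009/os/$basearch
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#released updates
+[updates]
+name=CentOS-$releasever - Updates
+baseurl=https://vault.centos.org/7.9.2009/updates/$basearch
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#additional packages that may be useful
+[extras]
+name=CentOS-$releasever - Extras
+baseurl=https://vault.centos.org/7.9.2009/extras/$basearch
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#additional packages that extend functionality of existing packages
+[centosplus]
+name=CentOS-$releasever - Plus
+baseurl=https://vault.centos.org/7.9.2009/centosplus/$basearch
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7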
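Review bot: The four `baseurl=` lines pin `7.9.2009` while each `name=` still uses `$releasever`; the pin is presumably deliberate because the vault publishes trees per point release, but a reader seeing `$releasever` two lines above will wonder whether one of them is a mistake. A header comment such as `# baseurl pins 7.9.2009 (final CentOS 7 release) rather than $releasever, which the vault does not serve` would settle it. Since the file is written by `ansible.builtin.template`, a leading `# {{ ansible_managed }}` line would also warn administrators that manual edits are overwritten. Keeping `gpgcheck=1` with the local key file is the part that matters for package integrity when moving to a new host, and that is preserved.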
4 changes: 2 additions & 2 deletions vars/audit.yml
Expand Up @@ -34,7 +34,7 @@ audit_format: json

audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
audit_results: |
The audit results are: {{ pre_audit_summary }}
{% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %}
The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }}
{% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %}
Full breakdown can be found in {{ audit_log_dir }}
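Review bot: `pre_audit_results` and `post_audit_results` are set only inside the `audit_format == "json"` and `"documentation"` blocks of the pre/post audit tasks, so any other `audit_format` value, or a skipped pre-audit, leaves this template referencing an undefined variable and the task that renders `audit_results` fails. Wrapping both as `{{ pre_audit_results | default('not captured') }}` and `{{ post_audit_results | default('not captured') }}` keeps the summary renderable in that case. Whether `audit_format` can take values other than those two is not visible in this commit.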
