From 36945eb561ab4f784964a1485acb11bb11f7f494 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 1 Apr 2025 07:59:49 +0100
Subject: [PATCH 1/8] added package when minimal install

Signed-off-by: Mark Bolwell
---
 tasks/prelim.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 9930ab5..5ee4773 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -243,6 +243,22 @@
     name: acl
     state: present
 
+- name: "PRELIM | PATCH | Install cron"
+  when: ubtu24cis_rule_2_4_1_1
+  tags: always
+  ansible.builtin.package:
+    name: cron
+    state: present
+
+- name: "PRELIM | PATCH | Install UFW"
+  when:
+    - ubtu24cis_rule_2_4_1_1
+    - ubtu24cis_firewall_package == "ufw"
+  tags: always
+  ansible.builtin.package:
+    name: ufw
+    state: present
+
 ## Optional
 
 - name: "Optional | PATCH | UFW firewall force to use /etc/sysctl.conf settings"
From f7b504afba16cf8ecfb18057e6eb24db924d147b Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 1 Apr 2025 08:10:33 +0100
Subject: [PATCH 2/8] Added options for fetch_audit and ansible facts

Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 18 +++++++++
 tasks/fetch_audit_output.yml | 46 +++++++++++++++++++++++
 tasks/main.yml | 30 +++++++++++++++
 templates/etc/ansible/compliance_facts.j2 | 39 +++++++++++++++++++
 4 files changed, 133 insertions(+)
 create mode 100644 tasks/fetch_audit_output.yml
 create mode 100644 templates/etc/ansible/compliance_facts.j2

diff --git a/defaults/main.yml b/defaults/main.yml
index 79c677c..521b358 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -21,6 +21,10 @@ skip_reboot: true
 benchmark: UBUNTU24-CIS
 benchmark_version: v1.0.0
 
+# Create managed not custom local_facts files
+create_benchmark_facts: true
+ansible_facts_path: /etc/ansible/facts.d
+
 # Used for audit
 ubtu24cis_level_1: true
 ubtu24cis_level_2: true
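Review bot: The UFW install task is gated on `ubtu24cis_rule_2_4_1_1`, the same variable that guards the cron task directly above it, which looks like a copied condition; the 2.4.1.1 toggle controls the cron daemon (see the task name it guards), so a firewall-section rule toggle is presumably the intended guard. As written, disabling the cron rule silently skips the UFW package install even when `ubtu24cis_firewall_package == "ufw"`, and the later UFW tasks then run against a host without the package. Replacing the first `when` entry with the UFW rule's own toggle, or documenting above the task why the cron rule drives the firewall install, would make the intent explicit.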
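Review bot: The new defaults `create_benchmark_facts` and `ansible_facts_path` carry no `ubtu24cis_` prefix, unlike the neighbouring `ubtu24cis_level_1`/`ubtu24cis_level_2` and unlike the rename that patch 8/8 of this series applies to `ubtu24cis_ignore_apt_update_changed_when`; `ansible_facts_path` in particular reads like a built-in fact and is easy to confuse with Ansible's own `ansible_facts` namespace. Prefixed names such as `ubtu24cis_facts_path` would be consistent with the rest of the file. A comment above `create_benchmark_facts: true` stating that the default writes a `compliance_facts.fact` file under the facts directory of every managed host would also help operators decide whether to keep it enabled.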
@@ -102,6 +106,20 @@ audit_conf_dest: "/opt"
 # Where the audit logs are stored
 audit_log_dir: '/opt'
+## Ability to collect and take audit files moving to a centralised location
+# This enables the collection of the files from the host
+fetch_audit_output: false
+
+# Method of getting,uploading the summary files
+## Ensure access and permissions are avaiable for these to occur.
+## options are
+# fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller)
+# copy - copies file to a location available to the managed node
+audit_output_collection_method: fetch
+
+# Location to put the audit files
+audit_output_destination: /opt/audit_summaries/
+
 ### Goss Settings ##
 ####### END ########
diff --git a/tasks/fetch_audit_output.yml b/tasks/fetch_audit_output.yml
new file mode 100644
index 0000000..c6f7b5e
--- /dev/null
+++ b/tasks/fetch_audit_output.yml
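Review bot: `audit_output_destination` defaults to `/opt/audit_summaries/` and the trailing slash is load-bearing: the fetch task in tasks/fetch_audit_output.yml uses `flat: true`, with which a `dest` that does not end in `/` is treated as a file name, so the two looped audit files would overwrite each other. The comment above the variable should state that the value must be a directory path ending in `/`, and that the same path is reused on the managed node when `audit_output_collection_method` is `copy`. Two wording fixes in the same comment block: `avaiable` → `available`, and `getting,uploading` → `getting/uploading`.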
@@ -0,0 +1,46 @@
+---
+
+# Stage to copy audit output to a centralised location
+
+- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller"
+  when: audit_output_collection_method == "fetch"
+  ansible.builtin.fetch:
+    src: "{{ item }}"
+    dest: "{{ audit_output_destination }}"
+    flat: true
+  failed_when: false
+  register: discovered_audit_fetch_state
+  loop:
+    - "{{ pre_audit_outfile }}"
+    - "{{ post_audit_outfile }}"
+  become: false
+
+# Added this option for continuity but could be changed by adjusting the variable audit_conf_dest
+# Allowing backup to one location
+- name: "FETCH_AUDIT_FILES | Copy files to location available to managed node"
+  when: audit_output_collection_method == "copy"
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "{{ audit_output_destination }}"
+    mode: 'u-x,go-wx'
+    flat: true
+  failed_when: false
+  register: discovered_audit_fetch_copy_state
+  loop:
+    - pre_audit_outfile
+    - post_audit_outfile
+
+- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+  when:
+    - (discovered_audit_fetch_state is defined and not discovered_audit_fetch_state.changed) or
+      (discovered_audit_copy_state is defined and not discovered_audit_copy_state.changed)
+  block:
+    - name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+      ansible.builtin.debug:
+        msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy"
+
+    - name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+      vars:
+        warn_control_id: "FETCH_AUDIT_FILES"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
diff --git a/tasks/main.yml b/tasks/main.yml
index cfdb641..fafd4e3 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
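Review bot: The `copy` task cannot copy the audit output as written: its loop items are the literal strings `pre_audit_outfile` and `post_audit_outfile` rather than `"{{ pre_audit_outfile }}"` as in the fetch task, `ansible.builtin.copy` has no `flat` option, and without `remote_src: true` the module looks for `src` on the controller although the fetch task shows the files live on the managed node; `failed_when: false` then hides all of this. The warning block tests `discovered_audit_copy_state`, but the copy task registers `discovered_audit_fetch_copy_state`, and `not ...changed` is also true for the task that `when` skipped (a skipped result is registered with `changed: false`), so the warning fires for the wrong method and never for a real copy failure. Registering under the name the condition expects, using `ignore_errors: true` so the registered result keeps `failed`, and testing `is not skipped and is failed` on both tasks gives a condition that reflects an actual error; if the role prefers to keep `failed_when: false`, the condition would have to inspect the per-item `results` instead. The `msg` text "Unable to write to localhost" is also misleading for the copy method, where the destination is on the managed node.
```yaml
- name: "FETCH_AUDIT_FILES | Copy files to location available to managed node"
  when: audit_output_collection_method == "copy"
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "{{ audit_output_destination }}"
    remote_src: true
    mode: 'u-x,go-wx'
  ignore_errors: true
  register: discovered_audit_copy_state
  loop:
    - "{{ pre_audit_outfile }}"
    - "{{ post_audit_outfile }}"

- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
  when:
    - (discovered_audit_fetch_state is not skipped and discovered_audit_fetch_state is failed) or
      (discovered_audit_copy_state is not skipped and discovered_audit_copy_state is failed)
  block:
    # … unchanged: debug message and warning_facts import …
```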
@@ -169,6 +169,36 @@
   ansible.builtin.import_tasks:
     file: post_remediation_audit.yml
 
+- name: Add ansible file showing Benchmark and levels applied
+  when: create_benchmark_facts
+  tags:
+  - always
+  - benchmark
+  block:
+    - name: Create ansible facts directory
+      ansible.builtin.file:
+        path: "{{ ansible_facts_path }}"
+        state: directory
+        owner: root
+        group: root
+        mode: 'u=rwx,go=rx'
+
+    - name: Create ansible facts file
+      ansible.builtin.template:
+        src: etc/ansible/compliance_facts.j2
+        dest: "{{ ansible_facts_path }}/compliance_facts.fact"
+        owner: root
+        group: root
+        mode: "u-x,go-wx"
+
+- name: Fetch audit files
+  when:
+    - fetch_audit_output
+    - run_audit
+  tags: always
+  ansible.builtin.import_tasks:
+    file: fetch_audit_output.yml
+
 - name: Show Audit Summary
   when: run_audit
   tags: run_audit
diff --git a/templates/etc/ansible/compliance_facts.j2 b/templates/etc/ansible/compliance_facts.j2
new file mode 100644
index 0000000..f313bec
--- /dev/null
+++ b/templates/etc/ansible/compliance_facts.j2
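Review bot: The template task sets `mode: "u-x,go-wx"` on `compliance_facts.fact`, a subtractive symbolic mode; for a file that does not exist yet it is applied relative to the mode the module creates the file with, which as far as I can tell depends on the host umask, so the resulting permissions are not deterministic across hosts. An absolute mode such as `mode: 'u=rw,go=r'` pins them and matches the absolute `u=rwx,go=rx` used on the directory in the task above. The same subtractive form is used by the copy task in tasks/fetch_audit_output.yml.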
@@ -0,0 +1,39 @@
+# CIS Hardening Carried out
+# Added as part of ansible-lockdown CIS baseline
+# provided by Mindpoint Group - A Tyto Athene Company
+
+[lockdown_details]
+# Benchmark release
+Benchmark_release = CIS-{{ benchmark_version }}
+Benchmark_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }}
+# If options set (doesn't mean it ran all controls)
+level_1_hardening_enabled = {{ rhel9cis_level_1 }}
+level_2_hardening_enabled = {{ rhel9cis_level_2 }}
+
+{% if ansible_run_tags | length > 0 %}
+# If tags used to stipulate run level
+{% if 'level1-server' in ansible_run_tags %}
+Level_1_Server_tag_run = true
+{% endif %}
+{% if 'level2-server' in ansible_run_tags %}
+Level_2_Server_tag_run = true
+{% endif %}
+{% if 'level1-workstation' in ansible_run_tags %}
+Level_1_workstation_tag_run = true
+{% endif %}
+{% if 'level2-workstation' in ansible_run_tags %}
+Level_2_workstation_tag_run = true
+{% endif %}
+{% endif %}
+
+[lockdown_audit_details]
+{% if run_audit %}
+# Audit run
+audit_file_local_location = {{ audit_log_dir }}
+{% if not audit_only %}
+audit_summary = {{ post_audit_results }}
+{% endif %}
+{% if fetch_audit_output %}
+audit_files_centralized_location = {{ audit_output_destination }}
+{% endif %}
+{% endif %}
From a931c60b5c1ac6634533c5f94428b8cc0ae5087e Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 1 Apr 2025 08:14:51 +0100
Subject: [PATCH 3/8] lint updates

Signed-off-by: Mark Bolwell
---
 tasks/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tasks/main.yml b/tasks/main.yml
index fafd4e3..636ecc6 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -172,8 +172,8 @@
 - name: Add ansible file showing Benchmark and levels applied
   when: create_benchmark_facts
   tags:
-  - always
-  - benchmark
+    - always
+    - benchmark
   block:
     - name: Create ansible facts directory
       ansible.builtin.file:
From 84f4a69c2d69d9861e996f734a56924bcb8fdb11 Mon Sep 17 00:00:00 2001
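Review bot: `audit_summary = {{ post_audit_results }}` and the `{% if not audit_only %}` test assume both variables are defined whenever `run_audit` is true; if the post-remediation audit did not register `post_audit_results` (a skipped or failed audit run, for instance), templating aborts and the whole facts task fails, taking the rest of the facts file with it. Guarding with `{% if post_audit_results is defined %}` and `{% if not (audit_only | default(false)) %}` keeps the file writable in those cases. `post_audit_results` is presumably a results structure rather than a scalar; confirm it renders as a single-line value, since the `.fact` file is parsed as INI. The `rhel9cis_` variable names are already corrected by patch 6/8 of this series.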
From: Mark Bolwell
Date: Tue, 1 Apr 2025 08:20:25 +0100
Subject: [PATCH 4/8] renamed moduel from ansible.builtin.systemd_service

Signed-off-by: Mark Bolwell
---
 handlers/main.yml | 2 +-
 tasks/section_6/cis_6.2.1.x.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/handlers/main.yml b/handlers/main.yml
index 15636b6..57fd78a 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -257,7 +257,7 @@
   listen: Restart auditd
 
 - name: Start auditd process
-  ansible.builtin.systemd_service:
+  ansible.builtin.system:
     name: auditd
     state: started
   listen: Restart auditd
diff --git a/tasks/section_6/cis_6.2.1.x.yml b/tasks/section_6/cis_6.2.1.x.yml
index 2580628..cb152a3 100644
--- a/tasks/section_6/cis_6.2.1.x.yml
+++ b/tasks/section_6/cis_6.2.1.x.yml
@@ -30,7 +30,7 @@
     - NIST800-53R5_AU-3
     - NIST800-53R5_AU-12
     - auditd
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
     name: auditd
     state: started
     enabled: true
From 20cb8001e563a131dbd2b2c30e8895598b0d4a02 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 1 Apr 2025 08:22:56 +0100
Subject: [PATCH 5/8] addressed #28 thanks to @guba-elleschr

Signed-off-by: Mark Bolwell
---
 tasks/section_2/cis_2.1.x.yml | 2 +-
 tasks/section_6/cis_6.2.1.x.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml
index 166cd5d..0a3ef25 100644
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
@@ -46,7 +46,7 @@
   when:
     - not ubtu24cis_avahi_server
     - not ubtu24cis_avahi_mask
-    - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages"
+    - "'avahi' in ansible_facts.packages or 'avahi-autoipd' in ansible_facts.packages"
   ansible.builtin.package:
     name:
       - avahi-autoipd
diff --git a/tasks/section_6/cis_6.2.1.x.yml b/tasks/section_6/cis_6.2.1.x.yml
index cb152a3..093e558 100644
--- a/tasks/section_6/cis_6.2.1.x.yml
+++ b/tasks/section_6/cis_6.2.1.x.yml
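Review bot: After the typo fix in tasks/section_2/cis_2.1.x.yml the condition still tests `'avahi' in ansible_facts.packages`; on Ubuntu the daemon is packaged as `avahi-daemon` and there is no binary package named just `avahi`, so that half of the guard presumably never matches and only the `avahi-autoipd` half decides whether the removal runs. If the intent is to run whenever either package is installed, `"'avahi-daemon' in ansible_facts.packages or 'avahi-autoipd' in ansible_facts.packages"` follows the pattern of the package list below. The task's package list continues outside the hunk, so confirm the names it removes match the guard.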
@@ -4,7 +4,7 @@
   when:
     - ubtu24cis_rule_6_2_1_1
     - "'auditd' not in ansible_facts.packages or
-      'audisd-plugins' not in ansible_facts.packages"
+      'audispd-plugins' not in ansible_facts.packages"
   tags:
     - level2-server
     - level2-workstation
From 6dfa7564be8241f3fe38f95023e29a5f4bcd13c6 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 1 Apr 2025 10:48:25 +0100
Subject: [PATCH 6/8] updated template

Signed-off-by: Mark Bolwell
---
 templates/etc/ansible/compliance_facts.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/etc/ansible/compliance_facts.j2 b/templates/etc/ansible/compliance_facts.j2
index f313bec..4e105ff 100644
--- a/templates/etc/ansible/compliance_facts.j2
+++ b/templates/etc/ansible/compliance_facts.j2
@@ -7,8 +7,8 @@
 Benchmark_release = CIS-{{ benchmark_version }}
 Benchmark_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }}
 # If options set (doesn't mean it ran all controls)
-level_1_hardening_enabled = {{ rhel9cis_level_1 }}
-level_2_hardening_enabled = {{ rhel9cis_level_2 }}
+level_1_hardening_enabled = {{ ubtu24cis_level_1 }}
+level_2_hardening_enabled = {{ ubtu24cis_level_2 }}
 
 {% if ansible_run_tags | length > 0 %}
 # If tags used to stipulate run level
From 38831269c900492fee16c1283e4795f0216fd6be Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 1 Apr 2025 11:00:08 +0100
Subject: [PATCH 7/8] fix typo

Signed-off-by: Mark Bolwell
---
 handlers/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/handlers/main.yml b/handlers/main.yml
index 57fd78a..ea1076a 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -257,7 +257,7 @@
   listen: Restart auditd
 
 - name: Start auditd process
-  ansible.builtin.system:
+  ansible.builtin.systemd:
     name: auditd
     state: started
   listen: Restart auditd
From 7e3ae1d0a8080c84174b0294e1e86fee0d5229e0 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 1 Apr 2025 11:16:30 +0100
Subject: [PATCH 8/8] added apt cache update prelim
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 2 +-
 tasks/prelim.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 521b358..1049208 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -646,7 +646,7 @@ ubtu24cis_purge_apt: false
 ## Ignore change_when for apt update task
 # Modifies behavior of 'changed_when' for 'apt update' task in prelim that always changes
-ignore_apt_update_changed_when: false
+ubtu24cis_ignore_apt_update_changed_when: false
 
 ##
 ## Section 1 Control Variables
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 5ee4773..5206b22 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -55,7 +55,7 @@
   tags: always
   ansible.builtin.package:
     update_cache: true
-  changed_when: not ignore_apt_update_changed_when
+  changed_when: not ubtu24cis_ignore_apt_update_changed_when
 
 - name: Include audit specific variables
   when: