Added options for fetch_audit and ansible facts

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-04-01 08:10:33 +01:00 · 2025-04-01 08:10:33 +01:00 · f7b504afba
parent 36945eb561
commit f7b504afba
4 changed files with 133 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -21,6 +21,10 @@ skip_reboot: true
 benchmark: UBUNTU24-CIS
 benchmark_version: v1.0.0

+# Create managed not custom local_facts files
+create_benchmark_facts: true
+ansible_facts_path: /etc/ansible/facts.d
+
 # Used for audit
 ubtu24cis_level_1: true
 ubtu24cis_level_2: true
@ -102,6 +106,20 @@ audit_conf_dest: "/opt"
 # Where the audit logs are stored
 audit_log_dir: '/opt'

+## Ability to collect and take audit files moving to a centralised location
+# This enables the collection of the files from the host
+fetch_audit_output: false
+
+# Method of getting,uploading the summary files
+## Ensure access and permissions are avaiable for these to occur.
+## options are
+# fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller)
+# copy - copies file to a location available to the managed node
+audit_output_collection_method: fetch
+
+# Location to put the audit files
+audit_output_destination: /opt/audit_summaries/
+
 ### Goss Settings ##
 ####### END ########

--- a/tasks/fetch_audit_output.yml
+++ b/tasks/fetch_audit_output.yml
@ -0,0 +1,46 @@
+---
+
+# Stage to copy audit output to a centralised location
+
+- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller"
+  when: audit_output_collection_method == "fetch"
+  ansible.builtin.fetch:
+    src: "{{ item }}"
+    dest: "{{ audit_output_destination }}"
+    flat: true
+  failed_when: false
+  register: discovered_audit_fetch_state
+  loop:
+    - "{{ pre_audit_outfile }}"
+    - "{{ post_audit_outfile }}"
+  become: false
+
+# Added this option for continuity but could be changed by adjusting the variable audit_conf_dest
+# Allowing backup to one location
+- name: "FETCH_AUDIT_FILES | Copy files to location available to managed node"
+  when: audit_output_collection_method == "copy"
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "{{ audit_output_destination }}"
+    mode: 'u-x,go-wx'
+    flat: true
+  failed_when: false
+  register: discovered_audit_fetch_copy_state
+  loop:
+    - pre_audit_outfile
+    - post_audit_outfile
+
+- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+  when:
+    - (discovered_audit_fetch_state is defined and not discovered_audit_fetch_state.changed) or
+      (discovered_audit_copy_state is defined and not discovered_audit_copy_state.changed)
+  block:
+    - name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+      ansible.builtin.debug:
+        msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy"
+
+    - name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+      vars:
+        warn_control_id: "FETCH_AUDIT_FILES"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -169,6 +169,36 @@
  ansible.builtin.import_tasks:
    file: post_remediation_audit.yml

+- name: Add ansible file showing Benchmark and levels applied
+  when: create_benchmark_facts
+  tags:
+  - always
+  - benchmark
+  block:
+    - name: Create ansible facts directory
+      ansible.builtin.file:
+        path: "{{ ansible_facts_path }}"
+        state: directory
+        owner: root
+        group: root
+        mode: 'u=rwx,go=rx'
+
+    - name: Create ansible facts file
+      ansible.builtin.template:
+        src: etc/ansible/compliance_facts.j2
+        dest: "{{ ansible_facts_path }}/compliance_facts.fact"
+        owner: root
+        group: root
+        mode: "u-x,go-wx"
+
+- name: Fetch audit files
+  when:
+    - fetch_audit_output
+    - run_audit
+  tags: always
+  ansible.builtin.import_tasks:
+    file: fetch_audit_output.yml
+
 - name: Show Audit Summary
  when: run_audit
  tags: run_audit
--- a/templates/etc/ansible/compliance_facts.j2
+++ b/templates/etc/ansible/compliance_facts.j2
@ -0,0 +1,39 @@
+# CIS Hardening Carried out
+# Added as part of ansible-lockdown CIS baseline
+# provided by Mindpoint Group - A Tyto Athene Company
+
+[lockdown_details]
+# Benchmark release
+Benchmark_release = CIS-{{ benchmark_version }}
+Benchmark_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }}
+# If options set (doesn't mean it ran all controls)
+level_1_hardening_enabled = {{ rhel9cis_level_1 }}
+level_2_hardening_enabled = {{ rhel9cis_level_2 }}
+
+{% if ansible_run_tags | length > 0 %}
+# If tags used to stipulate run level
+{% if 'level1-server' in ansible_run_tags %}
+Level_1_Server_tag_run = true
+{% endif %}
+{% if 'level2-server' in ansible_run_tags %}
+Level_2_Server_tag_run = true
+{% endif %}
+{% if 'level1-workstation' in ansible_run_tags %}
+Level_1_workstation_tag_run = true
+{% endif %}
+{% if 'level2-workstation' in ansible_run_tags %}
+Level_2_workstation_tag_run = true
+{% endif %}
+{% endif %}
+
+[lockdown_audit_details]
+{% if run_audit %}
+# Audit run
+audit_file_local_location = {{ audit_log_dir }}
+{% if not audit_only %}
+audit_summary = {{ post_audit_results }}
+{% endif %}
+{% if fetch_audit_output %}
+audit_files_centralized_location = {{ audit_output_destination }}
+{% endif %}
+{% endif %}