Merge pull request #36 from ansible-lockdown/pre-commit-ci-update-config

[pre-commit.ci] pre-commit autoupdate
2025-04-15 14:39:47 -05:00 · 2025-04-14 17:22:18 +00:00 · 2025-04-14 11:39:49 -04:00 · 2025-04-14 11:55:35 +01:00 · 2025-04-14 11:53:22 +01:00 · 2025-04-11 18:07:16 +01:00
17 changed files with 259 additions and 93 deletions
--- a/.github/workflows/devel_pipeline_validation.yml
+++ b/.github/workflows/devel_pipeline_validation.yml
@ -7,6 +7,7 @@
        types: [opened, reopened, synchronize]
        branches:
            - devel
+            - benchmark*
        paths:
            - '**.yml'
            - '**.sh'
@ -70,7 +71,6 @@
                 echo IAC_BRANCH=main >> $GITHUB_ENV
              fi

-
          # Pull in terraform code for linux servers
          - name: Clone GitHub IaC plan
            uses: actions/checkout@v4
--- a/.github/workflows/main_pipeline_validation.yml
+++ b/.github/workflows/main_pipeline_validation.yml
@ -7,6 +7,7 @@
        types: [opened, reopened, synchronize]
        branches:
            - main
+            - latest
        paths:
            - '**.yml'
            - '**.sh'
@ -23,17 +24,6 @@
  # A workflow run is made up of one or more jobs
  # that can run sequentially or in parallel
  jobs:
-    # This will create messages for first time contributers and direct them to the Discord server
-      welcome:
-        runs-on: self-hosted
-
-        steps:
-            - uses: actions/first-interaction@main
-              with:
-                repo-token: ${{ secrets.GITHUB_TOKEN }}
-                pr-message: |-
-                    Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                    Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.

      # This workflow contains a single job that tests the playbook
      playbook-test:
--- a/.gitignore
+++ b/.gitignore
@ -44,5 +44,5 @@ benchparse/
 # GitHub Action/Workflow files
 .github/

-# Precommit
+# ansible-lint cache
 .ansible/
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -41,12 +41,12 @@ repos:
  - id: detect-secrets

 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.24.0
+  rev: v8.24.3
  hooks:
  - id: gitleaks

 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.1.3
+  rev: v25.2.1
  hooks:
  - id: ansible-lint
    name: Ansible-lint
@ -65,7 +65,7 @@ repos:
    # - ansible-core>=2.10.1

 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.36.2  # or higher tag
+  rev: v1.37.0  # or higher tag
  hooks:
  - id: yamllint
    name: Check YAML Lint
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -21,6 +21,10 @@ skip_reboot: true
 benchmark: UBUNTU24-CIS
 benchmark_version: v1.0.0

+# Create managed not custom local_facts files
+create_benchmark_facts: true
+ansible_facts_path: /etc/ansible/facts.d
+
 # Used for audit
 ubtu24cis_level_1: true
 ubtu24cis_level_2: true
@ -102,6 +106,18 @@ audit_conf_dest: "/opt"
 # Where the audit logs are stored
 audit_log_dir: '/opt'

+# Method of getting,uploading the summary files
+## Enable the collection of audit files
+fetch_audit_output: false
+## Ensure access and permissions are available for these to occur.
+## options are
+# fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller)
+# copy - copies file to a location available to the managed node
+audit_output_collection_method: fetch
+
+# Location to put the audit files
+audit_output_destination: /opt/audit_summaries/
+
 ### Goss Settings ##
 ####### END ########

@ -628,7 +644,7 @@ ubtu24cis_purge_apt: false

 ## Ignore change_when for apt update task
 # Modifies behavior of 'changed_when' for 'apt update' task  in prelim that always changes
-ignore_apt_update_changed_when: false
+ubtu24cis_ignore_apt_update_changed_when: false

 ##
 ## Section 1 Control Variables
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -257,7 +257,7 @@
  listen: Restart auditd

 - name: Start auditd process
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: auditd
    state: started
  listen: Restart auditd
--- a/tasks/audit_only.yml
+++ b/tasks/audit_only.yml
@ -10,14 +10,6 @@
  delegate_to: localhost
  become: false

- name: Audit_only | Get audits from systems and put in group dir
-  when: fetch_audit_files
-  ansible.builtin.fetch:
-    dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
-    flat: true
-    mode: 'go-wx'
-    src: "{{ pre_audit_outfile }}"
-
 - name: Audit_only | Show Audit Summary
  when: audit_only
  ansible.builtin.debug:
--- a/tasks/fetch_audit_output.yml
+++ b/tasks/fetch_audit_output.yml
@ -0,0 +1,46 @@
+---
+
+# Stage to copy audit output to a centralised location
+
+- name: "POST | FETCH | Fetch files and copy to controller"
+  when: audit_output_collection_method == "fetch"
+  ansible.builtin.fetch:
+    src: "{{ item }}"
+    dest: "{{ audit_output_destination }}"
+    flat: true
+  failed_when: false
+  register: discovered_audit_fetch_state
+  loop:
+    - "{{ pre_audit_outfile }}"
+    - "{{ post_audit_outfile }}"
+  become: false
+
+# Added this option for continuity but could be changed by adjusting the variable audit_conf_dest
+# Allowing backup to one location
+- name: "POST | FETCH | Copy files to location available to managed node"
+  when: audit_output_collection_method == "copy"
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "{{ audit_output_destination }}"
+    mode: 'u-x,go-wx'
+    flat: true
+  failed_when: false
+  register: discovered_audit_copy_state
+  loop:
+    - "{{ pre_audit_outfile }}"
+    - "{{ post_audit_outfile }}"
+
+- name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+  when:
+    - (audit_output_collection_method == "fetch" and not discovered_audit_fetch_state.changed) or
+      (audit_output_collection_method == "copy" and not discovered_audit_copy_state.changed)
+  block:
+    - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+      ansible.builtin.debug:
+        msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy"
+
+    - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+      vars:
+        warn_control_id: "FETCH_AUDIT_FILES"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -65,7 +65,8 @@
 - name: Setup rules if container
  when:
    - ansible_connection == 'docker' or
-      ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
+      (ansible_facts.virtualization_type is defined and
+       ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"])
  tags: always
  block:
    - name: Discover and set container variable if required
@ -169,6 +170,39 @@
  ansible.builtin.import_tasks:
    file: post_remediation_audit.yml

+- name: Add ansible file showing Benchmark and levels applied if audit details not present
+  when:
+    - create_benchmark_facts
+    - (post_audit_summary is defined) or
+      (ansible_local['compliance_facts']['lockdown_audit_details']['audit_summary'] is undefined and post_audit_summary is undefined)
+  tags:
+    - always
+    - benchmark
+  block:
+    - name: Create ansible facts directory if audit facts not present
+      ansible.builtin.file:
+        path: "{{ ansible_facts_path }}"
+        state: directory
+        owner: root
+        group: root
+        mode: 'u=rwx,go=rx'
+
+    - name: Create ansible facts file and levels applied if audit facts not present
+      ansible.builtin.template:
+        src: etc/ansible/compliance_facts.j2
+        dest: "{{ ansible_facts_path }}/compliance_facts.fact"
+        owner: root
+        group: root
+        mode: 'u-x,go=r'
+
+- name: Fetch audit files
+  when:
+    - fetch_audit_output
+    - run_audit
+  tags: always
+  ansible.builtin.import_tasks:
+    file: fetch_audit_output.yml
+
 - name: Show Audit Summary
  when: run_audit
  tags: run_audit
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -55,7 +55,7 @@
  tags: always
  ansible.builtin.package:
    update_cache: true
-  changed_when: not ignore_apt_update_changed_when
+  changed_when: not ubtu24cis_ignore_apt_update_changed_when

 - name: Include audit specific variables
  when:
@ -150,6 +150,41 @@
        max_int_uid: "{{ prelim_uid_max_id.stdout }}"
        min_int_gid: "{{ prelim_gid_min_id.stdout }}"

+- name: "PRELIM | AUDIT | Capture pam configs related files"
+  tags: always
+  ansible.builtin.find:
+    paths:
+      - '/usr/share/pam-configs/'
+      - '/etc/pam.d/'
+  register: prelim_pam_conf_files
+
+- name: PRELIM | PATCH | Ensure conf.d directory exists required for 5.3.3.2.x
+  when:
+    - ubtu24cis_rule_5_3_3_2_1 or
+      ubtu24cis_rule_5_3_3_2_6
+  tags: always
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: "{{ item.state }}"
+    owner: root
+    group: root
+    mode: 'g-w,o-rwx'
+    modification_time: preserve
+    access_time: preserve
+  register: prelim_pwquality_dummy
+  changed_when: prelim_pwquality_dummy.diff == "absent"
+  loop:
+    - { path: '/etc/security/pwquality.conf.d', state: 'directory' }
+    - { path: '/etc/security/pwquality.conf.d/cis_dummy.conf', state: 'touch' }
+
+- name: "PRELIM | AUDIT | Capture pam security related files"
+  tags: always
+  ansible.builtin.find:
+    paths:
+      - /etc/security/pwquality.conf.d/
+    patterns: '*.conf'
+  register: prelim_pam_pwquality_confs
+
 - name: "PRELIM | AUDIT | Interactive Users"
  tags: always
  ansible.builtin.shell: >
@ -243,6 +278,22 @@
    name: acl
    state: present

+- name: "PRELIM | PATCH | Install cron"
+  when: ubtu24cis_rule_2_4_1_1
+  tags: always
+  ansible.builtin.package:
+    name: cron
+    state: present
+
+- name: "PRELIM | PATCH | Install UFW"
+  when:
+    - ubtu24cis_rule_2_4_1_1
+    - ubtu24cis_firewall_package == "ufw"
+  tags: always
+  ansible.builtin.package:
+    name: ufw
+    state: present
+
 ## Optional

 - name: "Optional | PATCH | UFW firewall force to use /etc/sysctl.conf settings"
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
@ -46,7 +46,7 @@
      when:
        - not ubtu24cis_avahi_server
        - not ubtu24cis_avahi_mask
-        - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages"
+        - "'avahi' in ansible_facts.packages or 'avahi-autoipd' in ansible_facts.packages"
      ansible.builtin.package:
        name:
          - avahi-autoipd
--- a/tasks/section_5/cis_5.3.3.1.x.yml
+++ b/tasks/section_5/cis_5.3.3.1.x.yml
@ -28,12 +28,10 @@
    - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | if exists remove deny from faillock line in pam-auth conf files"
      when: discovered_faillock_deny_files.stdout | length > 0
      ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
        regexp: '(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)'
        replace: \1\2
-      with_fileglob:
-        - '/usr/share/pam-configs/*'
-        - '/etc/pam.d/*'
+      loop: "{{ prelim_pam_conf_files.files }}"

 - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured"
  when: ubtu24cis_rule_5_3_3_1_2
@ -63,12 +61,10 @@
    - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | if exists remove unlock_time from faillock line in pam-auth conf files"
      when: discovered_faillock_unlock_files.stdout | length > 0
      ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
        regexp: '(*.pam_faillock.so\s*)unlock_time\s*=\s*\b(.*)'
        replace: \1\2
-      with_fileglob:
-        - '/usr/share/pam-configs/*'
-        - '/etc/pam.d/*'
+      loop: "{{ prelim_pam_conf_files.files }}"

 - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
  when: ubtu24cis_rule_5_3_3_1_3
@ -98,9 +94,7 @@
    - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | if exists remove unlock_time from faillock line in pam-auth conf files"
      when: discovered_faillock_rootlock_files.stdout | length > 0
      ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
        regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)'
        replace: \1\3
-      with_fileglob:
-        - '/usr/share/pam-configs/*'
-        - '/etc/pam.d/*'
+      loop: "{{ prelim_pam_conf_files.files }}"
--- a/tasks/section_5/cis_5.3.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.3.2.x.yml
@ -11,15 +11,15 @@
    - pam
  block:
    - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from conf files except expected file"
-      when: item != ubtu24cis_passwd_difok_file
+      when: "ubtu24cis_passwd_difok_file not in item.path"
      ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
        regexp: 'difok\s*=\s*\d+\b'
        replace: ''
-      with_fileglob:
-        - '/etc/security/pwquality.conf'
-        - '/etc/security/pwquality.conf.d/*.conf'
-        - '/etc/pam.d/common-password'
+      with_items:
+        - "{{ prelim_pam_pwquality_confs.files }}"
+        - { path: '/etc/security/pwquality.conf'}
+        - { path: '/etc/pam.d/common-password' }

    - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists"
      ansible.builtin.template:
@ -40,15 +40,15 @@
    - pam
  block:
    - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file"
-      when: item != ubtu24cis_passwd_minlen_file
+      when: "ubtu24cis_passwd_minlen_file not in item.path"
      ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
        regexp: 'minlen\s*=\s*\d+\b'
        replace: ''
-      with_fileglob:
-        - '/etc/security/pwquality.conf'
-        - '/etc/security/pwquality.conf.d/*.conf'
-        - '/etc/pam.d/common-password'
+      with_items:
+        - "{{ prelim_pam_pwquality_confs.files }}"
+        - { path: '/etc/security/pwquality.conf'}
+        - { path: '/etc/pam.d/common-password' }

    - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists"
      ansible.builtin.template:
@ -69,15 +69,15 @@
    - pam
  block:
    - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove pwd complex settings from conf files except expected file"
-      when: item != ubtu24cis_passwd_complex_file
+      when: "ubtu24cis_passwd_complex_file not in item.path"
      ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
        regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b'
        replace: ''
-      with_fileglob:
-        - '/etc/security/pwquality.conf'
-        - '/etc/security/pwquality.conf.d/*.conf'
-        - '/etc/pam.d/common-password'
+      with_items:
+        - "{{ prelim_pam_pwquality_confs.files }}"
+        - { path: '/etc/security/pwquality.conf'}
+        - { path: '/etc/pam.d/common-password' }

    - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists"
      ansible.builtin.template:
@ -98,15 +98,15 @@
    - pam
  block:
    - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file"
-      when: item != ubtu24cis_passwd_maxrepeat_file
+      when: "ubtu24cis_passwd_maxrepeat_file not in item.path"
      ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
        regexp: 'maxrepeat\s*=\s*\d+\b'
        replace: ''
-      with_fileglob:
-        - '/etc/security/pwquality.conf'
-        - '/etc/security/pwquality.conf.d/*.conf'
-        - '/etc/pam.d/common-password'
+      with_items:
+        - "{{ prelim_pam_pwquality_confs.files }}"
+        - { path: '/etc/security/pwquality.conf'}
+        - { path: '/etc/pam.d/common-password' }

    - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists"
      ansible.builtin.template:
@ -127,15 +127,15 @@
    - pam
  block:
    - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence settings from conf files except expected file"
-      when: item != ubtu24cis_passwd_maxsequence_file
+      when: "ubtu24cis_passwd_maxsequence_file not in item.path"
      ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
        regexp: 'maxsequence\s*=\s*\d+\b'
        replace: ''
-      with_fileglob:
-        - '/etc/security/pwquality.conf'
-        - '/etc/security/pwquality.conf.d/*.conf'
-        - '/etc/pam.d/common-password'
+      with_items:
+        - "{{ prelim_pam_pwquality_confs.files }}"
+        - { path: '/etc/security/pwquality.conf'}
+        - { path: '/etc/pam.d/common-password' }

    - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists"
      ansible.builtin.template:
@ -156,15 +156,15 @@
    - pam
  block:
    - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file"
-      when: item != ubtu24cis_passwd_dictcheck_file
+      when: "ubtu24cis_passwd_dictcheck_file not in item.path"
      ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
        regexp: 'dictcheck\s*=\s*\d+\b'
        replace: ''
-      with_fileglob:
-        - '/etc/security/pwquality.conf'
-        - '/etc/security/pwquality.conf.d/*.conf'
-        - '/etc/pam.d/common-password'
+      with_items:
+        - "{{ prelim_pam_pwquality_confs.files }}"
+        - { path: '/etc/security/pwquality.conf'}
+        - { path: '/etc/pam.d/common-password' }

    - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists"
      ansible.builtin.template:
@ -185,15 +185,15 @@
    - pam
  block:
    - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Remove quality enforcement settings from conf files except expected file"
-      when: item != ubtu24cis_passwd_quality_enforce_file
+      when: "ubtu24cis_passwd_quality_enforce_file not in item.path"
      ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
        regexp: 'enforcing\s*=\s*\d+\b'
        replace: ''
-      with_fileglob:
-        - '/etc/security/pwquality.conf'
-        - '/etc/security/pwquality.conf.d/*.conf'
-        - '/etc/pam.d/common-password'
+      with_items:
+        - "{{ prelim_pam_pwquality_confs.files }}"
+        - { path: '/etc/security/pwquality.conf'}
+        - { path: '/etc/pam.d/common-password' }

    - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Ensure quality enforcement file exists"
      ansible.builtin.template:
--- a/tasks/section_6/cis_6.1.4.1.yml
+++ b/tasks/section_6/cis_6.1.4.1.yml
@ -30,11 +30,14 @@
      loop: "{{ discovered_logfiles.stdout_lines }}"

    - name: "6.1.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
+      when:
+        - discovered_system_logfiles.stdout_lines is defined
+        - item == "/var/log/btmp"
+        - item == "/var/log/utmp"
+        - item == "/var/log/wtmp"
+        - item == "/var/log/lastlog"
+        - "'sssd' in item or 'SSSD' in item"
      ansible.builtin.file:
        path: "{{ item }}"
        mode: 'ug-x,o-wx'
-      with_fileglob:
-        - "/var/log/*tmp"
-        - "/var/log/lastlog*"
-        - "/var/log/sssd*"
-        - "/var/log/SSSD*"
+      loop: "{{ discovered_system_logfiles.stdout_lines }}"
--- a/tasks/section_6/cis_6.2.1.x.yml
+++ b/tasks/section_6/cis_6.2.1.x.yml
@ -4,7 +4,7 @@
  when:
    - ubtu24cis_rule_6_2_1_1
    - "'auditd' not in ansible_facts.packages or
-      'audisd-plugins' not in ansible_facts.packages"
+      'audispd-plugins' not in ansible_facts.packages"
  tags:
    - level2-server
    - level2-workstation
@ -30,7 +30,7 @@
    - NIST800-53R5_AU-3
    - NIST800-53R5_AU-12
    - auditd
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: auditd
    state: started
    enabled: true
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@ -43,8 +43,8 @@
 {{ arch_syscalls.append( syscall) }}
 {% endif %}
 {% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }}  -k system-locale
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }}  -k system-locale
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
@ -99,7 +99,7 @@
 {% endif %}
 {% endfor %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
-{% set syscalls = ["etxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
+{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
 {% set arch_syscalls = [] %}
 {% for syscall in syscalls  %}
 {% if syscall in supported_syscalls %}
--- a/templates/etc/ansible/compliance_facts.j2
+++ b/templates/etc/ansible/compliance_facts.j2
@ -0,0 +1,40 @@
+# CIS Hardening Carried out
+# Added as part of ansible-lockdown CIS baseline
+# provided by Mindpoint Group - A Tyto Athene Company
+
+[lockdown_details]
+# Benchmark release
+Benchmark_release = CIS-{{ benchmark_version }}
+Benchmark_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }}
+# If options set (doesn't mean it ran all controls)
+level_1_hardening_enabled = {{ ubtu24cis_level_1 }}
+level_2_hardening_enabled = {{ ubtu24cis_level_2 }}
+
+{% if ansible_run_tags | length > 0 %}
+# If tags used to stipulate run level
+{% if 'level1-server' in ansible_run_tags %}
+Level_1_Server_tag_run = true
+{% endif %}
+{% if 'level2-server' in ansible_run_tags %}
+Level_2_Server_tag_run = true
+{% endif %}
+{% if 'level1-workstation' in ansible_run_tags %}
+Level_1_workstation_tag_run = true
+{% endif %}
+{% if 'level2-workstation' in ansible_run_tags %}
+Level_2_workstation_tag_run = true
+{% endif %}
+{% endif %}
+
+[lockdown_audit_details]
+{% if run_audit %}
+# Audit run
+audit_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }}
+audit_file_local_location = {{ audit_log_dir }}
+{% if not audit_only %}
+audit_summary = {{ post_audit_results }}
+{% endif %}
+{% if fetch_audit_output %}
+audit_files_centralized_location = {{ audit_output_destination }}
+{% endif %}
+{% endif %}
Author	SHA1	Message	Date
George Nalen	f90b698a57	Merge pull request #36 from ansible-lockdown/pre-commit-ci-update-config [pre-commit.ci] pre-commit autoupdate	2025-04-15 14:39:47 -05:00
pre-commit-ci[bot]	f3f3622ae8	[pre-commit.ci] pre-commit autoupdate updates: - [github.com/gitleaks/gitleaks: v8.24.2 → v8.24.3](https://github.com/gitleaks/gitleaks/compare/v8.24.2...v8.24.3)	2025-04-14 17:22:18 +00:00
Fred W.	371a35d4bf	Merge pull request #35 from ansible-lockdown/tidy_up updated fetch default settings and tidy	2025-04-14 11:39:49 -04:00
Mark Bolwell	b4239f6aef	improve notes for fetch Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-04-14 11:55:35 +01:00
Mark Bolwell	86a14fdc78	updated fetch default settings and tidy Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-04-14 11:53:22 +01:00
uk-bolly	7da19e8106	Merge pull request #34 from ansible-lockdown/fileglob_update Fileglob update	2025-04-11 18:07:16 +01:00
Mark Bolwell	b6fb3c7dcc	remove fileglob Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-04-11 11:40:11 +01:00
Mark Bolwell	7f0291fbf2	improve container checks Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-04-11 11:40:04 +01:00
Mark Bolwell	9ac5740127	updated features facts and audit fetch Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-04-11 11:20:44 +01:00
uk-bolly	c755e9ed71	Merge pull request #31 from ansible-lockdown/updates_march25 Updates march25	2025-04-09 14:48:41 +01:00
uk-bolly	9d62bba61e	Merge pull request #32 from ansible-lockdown/pre-commit-ci-update-config [pre-commit.ci] pre-commit autoupdate	2025-04-09 10:39:49 +01:00
pre-commit-ci[bot]	09562855b3	[pre-commit.ci] pre-commit autoupdate updates: - [github.com/ansible-community/ansible-lint: v25.1.3 → v25.2.1](https://github.com/ansible-community/ansible-lint/compare/v25.1.3...v25.2.1)	2025-04-07 17:34:16 +00:00
Mark Bolwell	7e3ae1d0a8	added apt cache update prelim Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-04-01 11:16:30 +01:00
Mark Bolwell	38831269c9	fix typo Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-04-01 11:00:08 +01:00
Mark Bolwell	6dfa7564be	updated template Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-04-01 10:48:25 +01:00
Mark Bolwell	20cb8001e5	addressed #28 thanks to @guba-elleschr Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-04-01 08:22:56 +01:00
Mark Bolwell	84f4a69c2d	renamed moduel from ansible.builtin.systemd_service Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-04-01 08:20:25 +01:00
Mark Bolwell	a931c60b5c	lint updates Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-04-01 08:14:51 +01:00
Mark Bolwell	f7b504afba	Added options for fetch_audit and ansible facts Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-04-01 08:10:33 +01:00
Mark Bolwell	36945eb561	added package when minimal install Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-04-01 07:59:49 +01:00
uk-bolly	85acc99536	Merge pull request #30 from ansible-lockdown/updates_march25 Updates march25	2025-03-31 13:45:47 +01:00
Mark Bolwell	c1684508f6	updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-03-31 09:07:09 +01:00
Mark Bolwell	62c67740e4	typo fixes Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-03-31 08:41:38 +01:00
Mark Bolwell	2611117b33	Updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-03-31 08:40:25 +01:00
Mark Bolwell	ecfee57c60	updated workflow files Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>	2025-03-31 08:38:59 +01:00
uk-bolly	b32cd33fcb	Merge pull request #27 from ansible-lockdown/pre-commit-ci-update-config [pre-commit.ci] pre-commit autoupdate	2025-03-25 11:23:30 +00:00
pre-commit-ci[bot]	7d5187fc43	[pre-commit.ci] pre-commit autoupdate updates: - [github.com/gitleaks/gitleaks: v8.24.0 → v8.24.2](https://github.com/gitleaks/gitleaks/compare/v8.24.0...v8.24.2) - [github.com/adrienverge/yamllint.git: v1.36.2 → v1.37.0](https://github.com/adrienverge/yamllint.git/compare/v1.36.2...v1.37.0)	2025-03-24 17:26:14 +00:00