Merge fe8c656c3c into 85acc99536

.pre-commit-config.yaml

@@ -46,7 +46,7 @@ repos:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.2.1
+  rev: v25.1.3
   hooks:
   - id: ansible-lint
     name: Ansible-lint

defaults/main.yml

@@ -21,10 +21,6 @@ skip_reboot: true
 benchmark: UBUNTU24-CIS
 benchmark_version: v1.0.0
 
-# Create managed not custom local_facts files
-create_benchmark_facts: true
-ansible_facts_path: /etc/ansible/facts.d
-
 # Used for audit
 ubtu24cis_level_1: true
 ubtu24cis_level_2: true
@@ -106,20 +102,6 @@ audit_conf_dest: "/opt"
 # Where the audit logs are stored
 audit_log_dir: '/opt'
 
-## Ability to collect and take audit files moving to a centralised location
-# This enables the collection of the files from the host
-fetch_audit_output: false
-
-# Method of getting,uploading the summary files
-## Ensure access and permissions are avaiable for these to occur.
-## options are
-# fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller)
-# copy - copies file to a location available to the managed node
-audit_output_collection_method: fetch
-
-# Location to put the audit files
-audit_output_destination: /opt/audit_summaries/
-
 ### Goss Settings ##
 ####### END ########
 
@@ -646,7 +628,7 @@ ubtu24cis_purge_apt: false
 
 ## Ignore change_when for apt update task
 # Modifies behavior of 'changed_when' for 'apt update' task  in prelim that always changes
-ubtu24cis_ignore_apt_update_changed_when: false
+ignore_apt_update_changed_when: false
 
 ##
 ## Section 1 Control Variables

handlers/main.yml

@@ -257,7 +257,7 @@
   listen: Restart auditd
 
 - name: Start auditd process
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: auditd
     state: started
   listen: Restart auditd

tasks/fetch_audit_output.yml

@@ -1,46 +0,0 @@
----
-
-# Stage to copy audit output to a centralised location
-
-- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller"
-  when: audit_output_collection_method == "fetch"
-  ansible.builtin.fetch:
-    src: "{{ item }}"
-    dest: "{{ audit_output_destination }}"
-    flat: true
-  failed_when: false
-  register: discovered_audit_fetch_state
-  loop:
-    - "{{ pre_audit_outfile }}"
-    - "{{ post_audit_outfile }}"
-  become: false
-
-# Added this option for continuity but could be changed by adjusting the variable audit_conf_dest
-# Allowing backup to one location
-- name: "FETCH_AUDIT_FILES | Copy files to location available to managed node"
-  when: audit_output_collection_method == "copy"
-  ansible.builtin.copy:
-    src: "{{ item }}"
-    dest: "{{ audit_output_destination }}"
-    mode: 'u-x,go-wx'
-    flat: true
-  failed_when: false
-  register: discovered_audit_fetch_copy_state
-  loop:
-    - pre_audit_outfile
-    - post_audit_outfile
-
-- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
-  when:
-    - (discovered_audit_fetch_state is defined and not discovered_audit_fetch_state.changed) or
-      (discovered_audit_copy_state is defined and not discovered_audit_copy_state.changed)
-  block:
-    - name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
-      ansible.builtin.debug:
-        msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy"
-
-    - name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
-      vars:
-        warn_control_id: "FETCH_AUDIT_FILES"
-      ansible.builtin.import_tasks:
-        file: warning_facts.yml

tasks/main.yml

@@ -169,36 +169,6 @@
   ansible.builtin.import_tasks:
     file: post_remediation_audit.yml
 
-- name: Add ansible file showing Benchmark and levels applied
-  when: create_benchmark_facts
-  tags:
-    - always
-    - benchmark
-  block:
-    - name: Create ansible facts directory
-      ansible.builtin.file:
-        path: "{{ ansible_facts_path }}"
-        state: directory
-        owner: root
-        group: root
-        mode: 'u=rwx,go=rx'
-
-    - name: Create ansible facts file
-      ansible.builtin.template:
-        src: etc/ansible/compliance_facts.j2
-        dest: "{{ ansible_facts_path }}/compliance_facts.fact"
-        owner: root
-        group: root
-        mode: "u-x,go-wx"
-
-- name: Fetch audit files
-  when:
-    - fetch_audit_output
-    - run_audit
-  tags: always
-  ansible.builtin.import_tasks:
-    file: fetch_audit_output.yml
-
 - name: Show Audit Summary
   when: run_audit
   tags: run_audit

tasks/prelim.yml

@@ -55,7 +55,7 @@
   tags: always
   ansible.builtin.package:
     update_cache: true
-  changed_when: not ubtu24cis_ignore_apt_update_changed_when
+  changed_when: not ignore_apt_update_changed_when
 
 - name: Include audit specific variables
   when:
@@ -243,22 +243,6 @@
     name: acl
     state: present
 
-- name: "PRELIM | PATCH | Install cron"
-  when: ubtu24cis_rule_2_4_1_1
-  tags: always
-  ansible.builtin.package:
-    name: cron
-    state: present
-
-- name: "PRELIM | PATCH | Install UFW"
-  when:
-    - ubtu24cis_rule_2_4_1_1
-    - ubtu24cis_firewall_package == "ufw"
-  tags: always
-  ansible.builtin.package:
-    name: ufw
-    state: present
-
 ## Optional
 
 - name: "Optional | PATCH | UFW firewall force to use /etc/sysctl.conf settings"

tasks/section_2/cis_2.1.x.yml

@@ -46,7 +46,7 @@
       when:
         - not ubtu24cis_avahi_server
         - not ubtu24cis_avahi_mask
-        - "'avahi' in ansible_facts.packages or 'avahi-autoipd' in ansible_facts.packages"
+        - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages"
       ansible.builtin.package:
         name:
           - avahi-autoipd

tasks/section_6/cis_6.2.1.x.yml

@@ -4,7 +4,7 @@
   when:
     - ubtu24cis_rule_6_2_1_1
     - "'auditd' not in ansible_facts.packages or
-      'audispd-plugins' not in ansible_facts.packages"
+      'audisd-plugins' not in ansible_facts.packages"
   tags:
     - level2-server
     - level2-workstation
@@ -30,7 +30,7 @@
     - NIST800-53R5_AU-3
     - NIST800-53R5_AU-12
     - auditd
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: auditd
     state: started
     enabled: true

templates/etc/ansible/compliance_facts.j2

@@ -1,39 +0,0 @@
-# CIS Hardening Carried out
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
-
-[lockdown_details]
-# Benchmark release
-Benchmark_release = CIS-{{ benchmark_version }}
-Benchmark_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }}
-# If options set (doesn't mean it ran all controls)
-level_1_hardening_enabled = {{ ubtu24cis_level_1 }}
-level_2_hardening_enabled = {{ ubtu24cis_level_2 }}
-
-{% if ansible_run_tags | length > 0 %}
-# If tags used to stipulate run level
-{% if 'level1-server' in ansible_run_tags %}
-Level_1_Server_tag_run = true
-{% endif %}
-{% if 'level2-server' in ansible_run_tags %}
-Level_2_Server_tag_run = true
-{% endif %}
-{% if 'level1-workstation' in ansible_run_tags %}
-Level_1_workstation_tag_run = true
-{% endif %}
-{% if 'level2-workstation' in ansible_run_tags %}
-Level_2_workstation_tag_run = true
-{% endif %}
-{% endif %}
-
-[lockdown_audit_details]
-{% if run_audit %}
-# Audit run
-audit_file_local_location = {{ audit_log_dir }}
-{% if not audit_only %}
-audit_summary = {{ post_audit_results }}
-{% endif %}
-{% if fetch_audit_output %}
-audit_files_centralized_location = {{ audit_output_destination }}
-{% endif %}
-{% endif %}