Merge pull request #26 from ansible-lockdown/devel

Release to main
Merge pull request #2 from ansible-lockdown/devel
2025-03-18 15:56:54 +00:00 · 2025-01-07 14:33:17 -05:00
17 changed files with 93 additions and 259 deletions
--- a/.github/workflows/devel_pipeline_validation.yml
+++ b/.github/workflows/devel_pipeline_validation.yml
@ -7,7 +7,6 @@
        types: [opened, reopened, synchronize]
        branches:
            - devel
-            - benchmark*
        paths:
            - '**.yml'
            - '**.sh'
@ -71,6 +70,7 @@
                 echo IAC_BRANCH=main >> $GITHUB_ENV
              fi

+
          # Pull in terraform code for linux servers
          - name: Clone GitHub IaC plan
            uses: actions/checkout@v4
--- a/.github/workflows/main_pipeline_validation.yml
+++ b/.github/workflows/main_pipeline_validation.yml
@ -7,7 +7,6 @@
        types: [opened, reopened, synchronize]
        branches:
            - main
-            - latest
        paths:
            - '**.yml'
            - '**.sh'
@ -24,6 +23,17 @@
  # A workflow run is made up of one or more jobs
  # that can run sequentially or in parallel
  jobs:
+    # This will create messages for first time contributers and direct them to the Discord server
+      welcome:
+        runs-on: self-hosted
+
+        steps:
+            - uses: actions/first-interaction@main
+              with:
+                repo-token: ${{ secrets.GITHUB_TOKEN }}
+                pr-message: |-
+                    Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+                    Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.

      # This workflow contains a single job that tests the playbook
      playbook-test:
--- a/.gitignore
+++ b/.gitignore
@ -44,5 +44,5 @@ benchparse/
 # GitHub Action/Workflow files
 .github/

-# ansible-lint cache
+# Precommit
 .ansible/
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -41,12 +41,12 @@ repos:
  - id: detect-secrets

 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.24.3
+  rev: v8.24.0
  hooks:
  - id: gitleaks

 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.2.1
+  rev: v25.1.3
  hooks:
  - id: ansible-lint
    name: Ansible-lint
@ -65,7 +65,7 @@ repos:
    # - ansible-core>=2.10.1

 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.37.0  # or higher tag
+  rev: v1.36.2  # or higher tag
  hooks:
  - id: yamllint
    name: Check YAML Lint
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -21,10 +21,6 @@ skip_reboot: true
 benchmark: UBUNTU24-CIS
 benchmark_version: v1.0.0

-# Create managed not custom local_facts files
-create_benchmark_facts: true
-ansible_facts_path: /etc/ansible/facts.d
-
 # Used for audit
 ubtu24cis_level_1: true
 ubtu24cis_level_2: true
@ -106,18 +102,6 @@ audit_conf_dest: "/opt"
 # Where the audit logs are stored
 audit_log_dir: '/opt'

-# Method of getting,uploading the summary files
-## Enable the collection of audit files
-fetch_audit_output: false
-## Ensure access and permissions are available for these to occur.
-## options are
-# fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller)
-# copy - copies file to a location available to the managed node
-audit_output_collection_method: fetch
-
-# Location to put the audit files
-audit_output_destination: /opt/audit_summaries/
-
 ### Goss Settings ##
 ####### END ########

@ -644,7 +628,7 @@ ubtu24cis_purge_apt: false

 ## Ignore change_when for apt update task
 # Modifies behavior of 'changed_when' for 'apt update' task  in prelim that always changes
-ubtu24cis_ignore_apt_update_changed_when: false
+ignore_apt_update_changed_when: false

 ##
 ## Section 1 Control Variables
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -257,7 +257,7 @@
  listen: Restart auditd

 - name: Start auditd process
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: auditd
    state: started
  listen: Restart auditd
--- a/tasks/audit_only.yml
+++ b/tasks/audit_only.yml
@ -10,6 +10,14 @@
  delegate_to: localhost
  become: false

+- name: Audit_only | Get audits from systems and put in group dir
+  when: fetch_audit_files
+  ansible.builtin.fetch:
+    dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
+    flat: true
+    mode: 'go-wx'
+    src: "{{ pre_audit_outfile }}"
+
 - name: Audit_only | Show Audit Summary
  when: audit_only
  ansible.builtin.debug:
--- a/tasks/fetch_audit_output.yml
+++ b/tasks/fetch_audit_output.yml
@ -1,46 +0,0 @@
---
-
-# Stage to copy audit output to a centralised location
-
- name: "POST | FETCH | Fetch files and copy to controller"
-  when: audit_output_collection_method == "fetch"
-  ansible.builtin.fetch:
-    src: "{{ item }}"
-    dest: "{{ audit_output_destination }}"
-    flat: true
-  failed_when: false
-  register: discovered_audit_fetch_state
-  loop:
-    - "{{ pre_audit_outfile }}"
-    - "{{ post_audit_outfile }}"
-  become: false
-
-# Added this option for continuity but could be changed by adjusting the variable audit_conf_dest
-# Allowing backup to one location
- name: "POST | FETCH | Copy files to location available to managed node"
-  when: audit_output_collection_method == "copy"
-  ansible.builtin.copy:
-    src: "{{ item }}"
-    dest: "{{ audit_output_destination }}"
-    mode: 'u-x,go-wx'
-    flat: true
-  failed_when: false
-  register: discovered_audit_copy_state
-  loop:
-    - "{{ pre_audit_outfile }}"
-    - "{{ post_audit_outfile }}"
-
- name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
-  when:
-    - (audit_output_collection_method == "fetch" and not discovered_audit_fetch_state.changed) or
-      (audit_output_collection_method == "copy" and not discovered_audit_copy_state.changed)
-  block:
-    - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
-      ansible.builtin.debug:
-        msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy"
-
-    - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
-      vars:
-        warn_control_id: "FETCH_AUDIT_FILES"
-      ansible.builtin.import_tasks:
-        file: warning_facts.yml
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -65,8 +65,7 @@
 - name: Setup rules if container
  when:
    - ansible_connection == 'docker' or
-      (ansible_facts.virtualization_type is defined and
-       ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"])
+      ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
  tags: always
  block:
    - name: Discover and set container variable if required
@ -170,39 +169,6 @@
  ansible.builtin.import_tasks:
    file: post_remediation_audit.yml

- name: Add ansible file showing Benchmark and levels applied if audit details not present
-  when:
-    - create_benchmark_facts
-    - (post_audit_summary is defined) or
-      (ansible_local['compliance_facts']['lockdown_audit_details']['audit_summary'] is undefined and post_audit_summary is undefined)
-  tags:
-    - always
-    - benchmark
-  block:
-    - name: Create ansible facts directory if audit facts not present
-      ansible.builtin.file:
-        path: "{{ ansible_facts_path }}"
-        state: directory
-        owner: root
-        group: root
-        mode: 'u=rwx,go=rx'
-
-    - name: Create ansible facts file and levels applied if audit facts not present
-      ansible.builtin.template:
-        src: etc/ansible/compliance_facts.j2
-        dest: "{{ ansible_facts_path }}/compliance_facts.fact"
-        owner: root
-        group: root
-        mode: 'u-x,go=r'
-
- name: Fetch audit files
-  when:
-    - fetch_audit_output
-    - run_audit
-  tags: always
-  ansible.builtin.import_tasks:
-    file: fetch_audit_output.yml
-
 - name: Show Audit Summary
  when: run_audit
  tags: run_audit
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -55,7 +55,7 @@
  tags: always
  ansible.builtin.package:
    update_cache: true
-  changed_when: not ubtu24cis_ignore_apt_update_changed_when
+  changed_when: not ignore_apt_update_changed_when

 - name: Include audit specific variables
  when:
@ -150,41 +150,6 @@
        max_int_uid: "{{ prelim_uid_max_id.stdout }}"
        min_int_gid: "{{ prelim_gid_min_id.stdout }}"

- name: "PRELIM | AUDIT | Capture pam configs related files"
-  tags: always
-  ansible.builtin.find:
-    paths:
-      - '/usr/share/pam-configs/'
-      - '/etc/pam.d/'
-  register: prelim_pam_conf_files
-
- name: PRELIM | PATCH | Ensure conf.d directory exists required for 5.3.3.2.x
-  when:
-    - ubtu24cis_rule_5_3_3_2_1 or
-      ubtu24cis_rule_5_3_3_2_6
-  tags: always
-  ansible.builtin.file:
-    path: "{{ item.path }}"
-    state: "{{ item.state }}"
-    owner: root
-    group: root
-    mode: 'g-w,o-rwx'
-    modification_time: preserve
-    access_time: preserve
-  register: prelim_pwquality_dummy
-  changed_when: prelim_pwquality_dummy.diff == "absent"
-  loop:
-    - { path: '/etc/security/pwquality.conf.d', state: 'directory' }
-    - { path: '/etc/security/pwquality.conf.d/cis_dummy.conf', state: 'touch' }
-
- name: "PRELIM | AUDIT | Capture pam security related files"
-  tags: always
-  ansible.builtin.find:
-    paths:
-      - /etc/security/pwquality.conf.d/
-    patterns: '*.conf'
-  register: prelim_pam_pwquality_confs
-
 - name: "PRELIM | AUDIT | Interactive Users"
  tags: always
  ansible.builtin.shell: >
@ -278,22 +243,6 @@
    name: acl
    state: present

- name: "PRELIM | PATCH | Install cron"
-  when: ubtu24cis_rule_2_4_1_1
-  tags: always
-  ansible.builtin.package:
-    name: cron
-    state: present
-
- name: "PRELIM | PATCH | Install UFW"
-  when:
-    - ubtu24cis_rule_2_4_1_1
-    - ubtu24cis_firewall_package == "ufw"
-  tags: always
-  ansible.builtin.package:
-    name: ufw
-    state: present
-
 ## Optional

 - name: "Optional | PATCH | UFW firewall force to use /etc/sysctl.conf settings"
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
@ -46,7 +46,7 @@
      when:
        - not ubtu24cis_avahi_server
        - not ubtu24cis_avahi_mask
-        - "'avahi' in ansible_facts.packages or 'avahi-autoipd' in ansible_facts.packages"
+        - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages"
      ansible.builtin.package:
        name:
          - avahi-autoipd
--- a/tasks/section_5/cis_5.3.3.1.x.yml
+++ b/tasks/section_5/cis_5.3.3.1.x.yml
@ -28,10 +28,12 @@
    - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | if exists remove deny from faillock line in pam-auth conf files"
      when: discovered_faillock_deny_files.stdout | length > 0
      ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
        regexp: '(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)'
        replace: \1\2
-      loop: "{{ prelim_pam_conf_files.files }}"
+      with_fileglob:
+        - '/usr/share/pam-configs/*'
+        - '/etc/pam.d/*'

 - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured"
  when: ubtu24cis_rule_5_3_3_1_2
@ -61,10 +63,12 @@
    - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | if exists remove unlock_time from faillock line in pam-auth conf files"
      when: discovered_faillock_unlock_files.stdout | length > 0
      ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
        regexp: '(*.pam_faillock.so\s*)unlock_time\s*=\s*\b(.*)'
        replace: \1\2
-      loop: "{{ prelim_pam_conf_files.files }}"
+      with_fileglob:
+        - '/usr/share/pam-configs/*'
+        - '/etc/pam.d/*'

 - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
  when: ubtu24cis_rule_5_3_3_1_3
@ -94,7 +98,9 @@
    - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | if exists remove unlock_time from faillock line in pam-auth conf files"
      when: discovered_faillock_rootlock_files.stdout | length > 0
      ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
        regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)'
        replace: \1\3
-      loop: "{{ prelim_pam_conf_files.files }}"
+      with_fileglob:
+        - '/usr/share/pam-configs/*'
+        - '/etc/pam.d/*'
--- a/tasks/section_5/cis_5.3.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.3.2.x.yml
@ -11,15 +11,15 @@
    - pam
  block:
    - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from conf files except expected file"
-      when: "ubtu24cis_passwd_difok_file not in item.path"
+      when: item != ubtu24cis_passwd_difok_file
      ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
        regexp: 'difok\s*=\s*\d+\b'
        replace: ''
-      with_items:
-        - "{{ prelim_pam_pwquality_confs.files }}"
-        - { path: '/etc/security/pwquality.conf'}
-        - { path: '/etc/pam.d/common-password' }
+      with_fileglob:
+        - '/etc/security/pwquality.conf'
+        - '/etc/security/pwquality.conf.d/*.conf'
+        - '/etc/pam.d/common-password'

    - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists"
      ansible.builtin.template:
@ -40,15 +40,15 @@
    - pam
  block:
    - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file"
-      when: "ubtu24cis_passwd_minlen_file not in item.path"
+      when: item != ubtu24cis_passwd_minlen_file
      ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
        regexp: 'minlen\s*=\s*\d+\b'
        replace: ''
-      with_items:
-        - "{{ prelim_pam_pwquality_confs.files }}"
-        - { path: '/etc/security/pwquality.conf'}
-        - { path: '/etc/pam.d/common-password' }
+      with_fileglob:
+        - '/etc/security/pwquality.conf'
+        - '/etc/security/pwquality.conf.d/*.conf'
+        - '/etc/pam.d/common-password'

    - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists"
      ansible.builtin.template:
@ -69,15 +69,15 @@
    - pam
  block:
    - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove pwd complex settings from conf files except expected file"
-      when: "ubtu24cis_passwd_complex_file not in item.path"
+      when: item != ubtu24cis_passwd_complex_file
      ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
        regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b'
        replace: ''
-      with_items:
-        - "{{ prelim_pam_pwquality_confs.files }}"
-        - { path: '/etc/security/pwquality.conf'}
-        - { path: '/etc/pam.d/common-password' }
+      with_fileglob:
+        - '/etc/security/pwquality.conf'
+        - '/etc/security/pwquality.conf.d/*.conf'
+        - '/etc/pam.d/common-password'

    - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists"
      ansible.builtin.template:
@ -98,15 +98,15 @@
    - pam
  block:
    - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file"
-      when: "ubtu24cis_passwd_maxrepeat_file not in item.path"
+      when: item != ubtu24cis_passwd_maxrepeat_file
      ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
        regexp: 'maxrepeat\s*=\s*\d+\b'
        replace: ''
-      with_items:
-        - "{{ prelim_pam_pwquality_confs.files }}"
-        - { path: '/etc/security/pwquality.conf'}
-        - { path: '/etc/pam.d/common-password' }
+      with_fileglob:
+        - '/etc/security/pwquality.conf'
+        - '/etc/security/pwquality.conf.d/*.conf'
+        - '/etc/pam.d/common-password'

    - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists"
      ansible.builtin.template:
@ -127,15 +127,15 @@
    - pam
  block:
    - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence settings from conf files except expected file"
-      when: "ubtu24cis_passwd_maxsequence_file not in item.path"
+      when: item != ubtu24cis_passwd_maxsequence_file
      ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
        regexp: 'maxsequence\s*=\s*\d+\b'
        replace: ''
-      with_items:
-        - "{{ prelim_pam_pwquality_confs.files }}"
-        - { path: '/etc/security/pwquality.conf'}
-        - { path: '/etc/pam.d/common-password' }
+      with_fileglob:
+        - '/etc/security/pwquality.conf'
+        - '/etc/security/pwquality.conf.d/*.conf'
+        - '/etc/pam.d/common-password'

    - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists"
      ansible.builtin.template:
@ -156,15 +156,15 @@
    - pam
  block:
    - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file"
-      when: "ubtu24cis_passwd_dictcheck_file not in item.path"
+      when: item != ubtu24cis_passwd_dictcheck_file
      ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
        regexp: 'dictcheck\s*=\s*\d+\b'
        replace: ''
-      with_items:
-        - "{{ prelim_pam_pwquality_confs.files }}"
-        - { path: '/etc/security/pwquality.conf'}
-        - { path: '/etc/pam.d/common-password' }
+      with_fileglob:
+        - '/etc/security/pwquality.conf'
+        - '/etc/security/pwquality.conf.d/*.conf'
+        - '/etc/pam.d/common-password'

    - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists"
      ansible.builtin.template:
@ -185,15 +185,15 @@
    - pam
  block:
    - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Remove quality enforcement settings from conf files except expected file"
-      when: "ubtu24cis_passwd_quality_enforce_file not in item.path"
+      when: item != ubtu24cis_passwd_quality_enforce_file
      ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
        regexp: 'enforcing\s*=\s*\d+\b'
        replace: ''
-      with_items:
-        - "{{ prelim_pam_pwquality_confs.files }}"
-        - { path: '/etc/security/pwquality.conf'}
-        - { path: '/etc/pam.d/common-password' }
+      with_fileglob:
+        - '/etc/security/pwquality.conf'
+        - '/etc/security/pwquality.conf.d/*.conf'
+        - '/etc/pam.d/common-password'

    - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Ensure quality enforcement file exists"
      ansible.builtin.template:
--- a/tasks/section_6/cis_6.1.4.1.yml
+++ b/tasks/section_6/cis_6.1.4.1.yml
@ -30,14 +30,11 @@
      loop: "{{ discovered_logfiles.stdout_lines }}"

    - name: "6.1.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
-      when:
-        - discovered_system_logfiles.stdout_lines is defined
-        - item == "/var/log/btmp"
-        - item == "/var/log/utmp"
-        - item == "/var/log/wtmp"
-        - item == "/var/log/lastlog"
-        - "'sssd' in item or 'SSSD' in item"
      ansible.builtin.file:
        path: "{{ item }}"
        mode: 'ug-x,o-wx'
-      loop: "{{ discovered_system_logfiles.stdout_lines }}"
+      with_fileglob:
+        - "/var/log/*tmp"
+        - "/var/log/lastlog*"
+        - "/var/log/sssd*"
+        - "/var/log/SSSD*"
--- a/tasks/section_6/cis_6.2.1.x.yml
+++ b/tasks/section_6/cis_6.2.1.x.yml
@ -4,7 +4,7 @@
  when:
    - ubtu24cis_rule_6_2_1_1
    - "'auditd' not in ansible_facts.packages or
-      'audispd-plugins' not in ansible_facts.packages"
+      'audisd-plugins' not in ansible_facts.packages"
  tags:
    - level2-server
    - level2-workstation
@ -30,7 +30,7 @@
    - NIST800-53R5_AU-3
    - NIST800-53R5_AU-12
    - auditd
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: auditd
    state: started
    enabled: true
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@ -43,8 +43,8 @@
 {{ arch_syscalls.append( syscall) }}
 {% endif %}
 {% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }}  -k system-locale
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }}  -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
@ -99,7 +99,7 @@
 {% endif %}
 {% endfor %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
-{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
+{% set syscalls = ["etxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
 {% set arch_syscalls = [] %}
 {% for syscall in syscalls  %}
 {% if syscall in supported_syscalls %}
--- a/templates/etc/ansible/compliance_facts.j2
+++ b/templates/etc/ansible/compliance_facts.j2
@ -1,40 +0,0 @@
-# CIS Hardening Carried out
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
-
-[lockdown_details]
-# Benchmark release
-Benchmark_release = CIS-{{ benchmark_version }}
-Benchmark_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }}
-# If options set (doesn't mean it ran all controls)
-level_1_hardening_enabled = {{ ubtu24cis_level_1 }}
-level_2_hardening_enabled = {{ ubtu24cis_level_2 }}
-
-{% if ansible_run_tags | length > 0 %}
-# If tags used to stipulate run level
-{% if 'level1-server' in ansible_run_tags %}
-Level_1_Server_tag_run = true
-{% endif %}
-{% if 'level2-server' in ansible_run_tags %}
-Level_2_Server_tag_run = true
-{% endif %}
-{% if 'level1-workstation' in ansible_run_tags %}
-Level_1_workstation_tag_run = true
-{% endif %}
-{% if 'level2-workstation' in ansible_run_tags %}
-Level_2_workstation_tag_run = true
-{% endif %}
-{% endif %}
-
-[lockdown_audit_details]
-{% if run_audit %}
-# Audit run
-audit_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }}
-audit_file_local_location = {{ audit_log_dir }}
-{% if not audit_only %}
-audit_summary = {{ post_audit_results }}
-{% endif %}
-{% if fetch_audit_output %}
-audit_files_centralized_location = {{ audit_output_destination }}
-{% endif %}
-{% endif %}
Author	SHA1	Message	Date
uk-bolly	ecb63ea0d4	Merge pull request #26 from ansible-lockdown/devel Release to main	2025-03-18 15:56:54 +00:00
Stephen Williams	21735de06a	Merge pull request #2 from ansible-lockdown/devel Minor Updates	2025-01-07 14:33:17 -05:00