April 24 updates

Changelog.md

@@ -4,8 +4,15 @@
 
 ### 1.1.0
 
-- #216 thanks to @txsastre
-- moved the audit to run prior to any changes taking place on the system (exception of required)
+- #223 thanks to feedback @txsastre
+- audit
+  - moved the audit to run prior to any changes taking place on the system (exception of required)
+  - improvements to copy/archive/get_url content methods incl notes in defaults/main.yml
+  - tidy up and logic of var naming
+- lint and tidy up
+- ansible version update
+- unused filesystem added to skip if container list
+- unused vars removed
 
 ### 1.0.9
 

README.md

@@ -67,9 +67,9 @@ This role was developed against a clean install of the Operating System. If you
 
 **Technical Dependencies:**
 
-- Running Ansible/Tower setup (this role is tested against Ansible version 2.10.1 and newer)
+- Running Ansible/Tower setup (this role is tested against Ansible version 2.12.1 and newer)
 - Python3 Ansible run environment
-- goss >= 0.4.0 (If using for audit)
+- goss >= 0.4.4 (If using for audit)
 
 ## Auditing (new)
 

defaults/main.yml

@@ -52,23 +52,26 @@ ubtu22cis_uses_root: false
 ### Settings for associated Audit role using Goss
 ###
 
-##########################################
+###########################################
 ### Goss is required on the remote host ###
-## Refer to vars/auditd.yml for any other settings ##
+### vars/auditd.yml for other settings  ###
 
 # Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system)
 setup_audit: false
 
 # enable audits to run - this runs the audit and get the latest content
 run_audit: false
+# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
+audit_run_heavy_tests: true
 
-# Only run Audit do not remediate
+## Only run Audit do not remediate
 audit_only: false
-# As part of audit_only
-# This will enable files to be copied back to control node
+### As part of audit_only ###
+# This will enable files to be copied back to control node in audit_only mode
 fetch_audit_files: false
-# Path to copy the files to will create dir structure
+# Path to copy the files to will create dir structure in audit_only mode
 audit_capture_files_dir: /some/location to copy to on control node
+#############################
 
 # How to retrieve audit binary
 # Options are copy or download - detailed settings at the bottom of this file
@@ -81,29 +84,24 @@ get_audit_binary_method: download
 audit_bin_copy_location: /some/accessible/path
 
 # how to get audit files onto host options
-# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf
+# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf
 audit_content: git
 
-# archive or copy:
-audit_conf_copy: "some path to copy from"
-
-# get_url:
-audit_files_url: "some url maybe s3?"
-
-# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system
-audit_run_heavy_tests: true
+# If using either archive, copy, get_url:
+## Note will work with .tar files - zip will require extra configuration
+### If using get_url this is expecting github url in tar.gz format e.g.
+### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz
+audit_conf_source: "some path or url to copy from"
 
-# This variable specifies the timeout (in ms) for audit commands that
-# take a very long time: if a command takes too long to complete,
-# it will be forcefully terminated after the specified duration.
-audit_cmd_timeout: 120000
+# Destination for the audit content to be placed on managed node
+# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory
+audit_conf_dest: "/opt"
 
-### End Goss enablements ####
+# Where the audit logs are stored
+audit_log_dir: '/opt'
 
-## Running role under chroot
-# Tweak role to run in a chroot, such as in a kickstart %post script.
-# The correct value of this variable is auto-determined.
-ubtu22cis_system_is_chroot: "{{ ansible_is_chroot | default(False) }}"
+### Goss Settings ##
+####### END ########
 
 ## Running in EC2 pipeline
 # Skip events for EC2 instance testing pipeline.

handlers/main.yml

@@ -2,7 +2,7 @@
 
 - name: Update_Initramfs
   ansible.builtin.shell: update-initramfs -u
-  notify: change_requires_reboot
+  notify: set_reboot_required
 
 - name: Remount tmp
   ansible.posix.mount:
@@ -43,7 +43,7 @@
 - name: Grub update
   ansible.builtin.shell: update-grub
   failed_when: false
-  notify: change_requires_reboot
+  notify: set_reboot_required
 
 - name: Restart timeservice
   ansible.builtin.systemd:
@@ -118,7 +118,7 @@
 - name: Audit_immutable_fact
   ansible.builtin.debug:
       msg: "Reboot required for auditd to apply new rules as immutable set"
-  notify: change_requires_reboot
+  notify: set_reboot_required
   when:
       - audit_rules_updated.changed
       - auditd_immutable_check is defined
@@ -130,14 +130,11 @@
   tags:
       - skip_ansible_lint
 
-- name: restart sshd
+- name: Restart sshd
   ansible.builtin.systemd:
       name: sshd
       state: restarted
 
-- name: reload gdm
-  ansible.builtin.shell: dpkg-reconfigure gdm3
-
-- name: change_requires_reboot
+- name: set_reboot_required
   ansible.builtin.set_fact:
       change_requires_reboot: true

meta/main.yml

@@ -7,7 +7,7 @@ galaxy_info:
     license: MIT
     namespace: mindpointgroup
     role_name: ubuntu22_cis
-    min_ansible_version: 2.10.1
+    min_ansible_version: 2.12.1
     platforms:
         - name: Ubuntu
           versions:

tasks/LE_audit_setup.yml

@@ -10,7 +10,7 @@
       - name: Pre Audit Setup | Set audit package name | ARM64
         ansible.builtin.set_fact:
             audit_pkg_arch_name: ARM64
-        when: ansible_facts.machine == "aarch64"
+        when: ansible_facts.machine == "arm64"
 
 - name: Pre Audit Setup | Download audit binary
   ansible.builtin.get_url:

tasks/audit_only.yml

@@ -22,7 +22,7 @@
   when:
       - audit_only
   ansible.builtin.debug:
-      msg: "The Audit results are: {{ pre_audit_summary }}."
+      msg: "{{ audit_results.split('\n') }}"
 
 - name: Audit_only | Stop Playbook Audit Only selected
   when:

tasks/auditd.yml

@@ -12,7 +12,7 @@
       - Auditd rules reload
       - Audit_immutable_fact
       - Restart auditd
-      - change_requires_reboot
+      - set_reboot_required
   when: update_audit_template
 
 - name: POST | Set up auditd user logging exceptions

tasks/main.yml

@@ -175,7 +175,7 @@
   tags:
       - section6
 
-- name: run auditd logic
+- name: Run auditd logic
   ansible.builtin.import_tasks:
       file: auditd.yml
   when: update_audit_template

tasks/post_remediation_audit.yml

@@ -5,7 +5,7 @@
   changed_when: true
   environment:
       AUDIT_BIN: "{{ audit_bin }}"
-      AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
+      AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
       AUDIT_FILE: goss.yml
 
 - name: Post Audit | ensure audit files readable by users
@@ -22,7 +22,7 @@
       - audit_format == "json"
   block:
       - name: capture data {{ post_audit_outfile }}
-        ansible.builtin.shell: cat {{ post_audit_outfile }}
+        ansible.builtin.shell: "cat {{ post_audit_outfile }}"
         register: post_audit
         changed_when: false
 
@@ -37,7 +37,7 @@
       - audit_format == "documentation"
   block:
       - name: Post Audit | capture data {{ post_audit_outfile }}
-        ansible.builtin.shell: tail -2 {{ post_audit_outfile }}
+        ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
         register: post_audit
         changed_when: false
 

tasks/pre_remediation_audit.yml

@@ -5,7 +5,8 @@
       - setup_audit
   tags:
       - setup_audit
-  ansible.builtin.include_tasks: LE_audit_setup.yml
+  ansible.builtin.include_tasks:
+      file: LE_audit_setup.yml
 
 - name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists
   ansible.builtin.file:
@@ -32,23 +33,25 @@
   when:
       - audit_content == 'copy'
   ansible.builtin.copy:
-      src: "{{ audit_local_copy }}"
+      src: "{{ audit_conf_source }}"
       dest: "{{ audit_conf_dest }}"
       mode: preserve
 
 - name: Pre Audit Setup | Unarchive audit content files on server
   when:
-      - audit_content == 'archived'
+      - audit_content == 'archive'
   ansible.builtin.unarchive:
-      src: "{{ audit_conf_copy  }}"
-      dest: "{{ audit_conf_dir }}"
+      src: "{{ audit_conf_source }}"
+      dest: "{{ audit_conf_dest }}"
 
 - name: Pre Audit Setup | Get audit content from url
   when:
       - audit_content == 'get_url'
-  ansible.builtin.get_url:
-      url: "{{ audit_files_url }}"
-      dest: "{{ audit_conf_dir }}"
+  ansible.builtin.unarchive:
+      src: "{{ audit_conf_source }}"
+      dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
+      remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}"
+      extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}"
 
 - name: Pre Audit Setup | Check Goss is available
   when:
@@ -81,15 +84,15 @@
   changed_when: true
   environment:
       AUDIT_BIN: "{{ audit_bin }}"
-      AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
+      AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
       AUDIT_FILE: goss.yml
 
 - name: Pre Audit | Capture audit data if json format
   when:
       - audit_format == "json"
   block:
       - name: Pre Audit | Capture data {{ pre_audit_outfile }}
-        ansible.builtin.shell: cat {{ pre_audit_outfile }}
+        ansible.builtin.shell: "cat {{ pre_audit_outfile }}"
         register: pre_audit
         changed_when: false
 
@@ -104,7 +107,7 @@
       - audit_format == "documentation"
   block:
       - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format
-        ansible.builtin.shell: tail -2 {{ pre_audit_outfile }}
+        ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}"
         register: pre_audit
         changed_when: false
 

tasks/section_1/main.yml

@@ -3,6 +3,7 @@
 - name: "SECTION | 1.1.1 | Disable Unused Filesystems"
   ansible.builtin.import_tasks:
       file: cis_1.1.1.x.yml
+  when: not system_is_container
 
 - name: "SECTION | 1.1.2 | configure /tmp"
   ansible.builtin.import_tasks: