Merge pull request #124 from ansible-lockdown/devel

Release to main

Author: uk-bolly

.github/workflows/devel_pipeline_validation.yml

@@ -7,6 +7,7 @@
         types: [opened, reopened, synchronize]
         branches:
             - devel
+            - benchmark*
         paths:
             - '**.yml'
             - '**.sh'
@@ -27,7 +28,7 @@
   jobs:
     # This will create messages for first time contributers and direct them to the Discord server
       welcome:
-        runs-on: self-hosted
+        runs-on: ubuntu-latest
 
         steps:
             - uses: actions/first-interaction@main
@@ -70,7 +71,6 @@
                  echo IAC_BRANCH=main >> $GITHUB_ENV
               fi
 
-
           # Pull in terraform code for linux servers
           - name: Clone GitHub IaC plan
             uses: actions/checkout@v4

.github/workflows/main_pipeline_validation.yml

@@ -7,6 +7,7 @@
         types: [opened, reopened, synchronize]
         branches:
             - main
+            - latest
         paths:
             - '**.yml'
             - '**.sh'
@@ -23,17 +24,6 @@
   # A workflow run is made up of one or more jobs
   # that can run sequentially or in parallel
   jobs:
-    # This will create messages for first time contributers and direct them to the Discord server
-      welcome:
-        runs-on: self-hosted
-
-        steps:
-            - uses: actions/first-interaction@main
-              with:
-                repo-token: ${{ secrets.GITHUB_TOKEN }}
-                pr-message: |-
-                    Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                    Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
       # This workflow contains a single job that tests the playbook
       playbook-test:

.gitignore

@@ -1,7 +1,6 @@
 .env
 *.log
 *.retry
-.cache
 .vagrant
 tests/*redhat-subscription
 tests/Dockerfile
@@ -10,11 +9,9 @@ tests/Dockerfile
 packer_cache
 delete*
 ignore*
-test_inv
-# temp remove doc while this is built up
-doc/
 # VSCode
 .vscode
+vagrant
 
 # Byte-compiled / optimized / DLL files
 __pycache__/
@@ -47,9 +44,5 @@ benchparse/
 # GitHub Action/Workflow files
 .github/
 
-# key types
-*.pem
-*.ppk
-*.key
-*.rsa
-*.ecdsa
+# ansible-lint
+.ansible/

.pre-commit-config.yaml

@@ -35,12 +35,12 @@ repos:
   - id: detect-secrets
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.23.3
+  rev: v8.24.2
   hooks:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.1.2
+  rev: v25.2.1
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -59,6 +59,6 @@ repos:
     - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.35.1  # or higher tag
+  rev: v1.37.0  # or higher tag
   hooks:
   - id: yamllint

defaults/main.yml

@@ -68,6 +68,10 @@ amzn2023cis_legacy_boot: false
 ## are used in ansible
 python2_bin: /bin/python2.7
 
+# Create managed not custom local_facts files
+create_benchmark_facts: true
+ansible_facts_path: /etc/ansible/facts.d
+
 ## Benchmark name and profile used by audting control role
 # The audit variable can be found at the base
 benchmark: AMAZON2023-CIS
@@ -137,6 +141,20 @@ audit_conf_dest: "/opt"
 # Where the audit logs are stored
 audit_log_dir: '/opt'
 
+## Ability to collect and take audit files moving to a centralised location
+# This enables the collection of the files from the host
+fetch_audit_output: false
+
+# Method of getting,uploading the summary files
+## Ensure access and permissions are avaiable for these to occur.
+## options are
+# fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller)
+# copy - copies file to a location available to the managed node
+audit_output_collection_method: fetch
+
+# Location to put the audit files
+audit_output_destination: /opt/audit_summaries/
+
 ### Goss Settings ##
 ####### END ########
 
@@ -980,6 +998,11 @@ amzn2023cis_shell_session_timeout:
     # CIS states that this value shall never exceed 900 or be equal to 0.
     timeout: 600
 
+## Control 4.6.5 Ensure default user umask is 027 or more restrictive
+# The following variable specifies the "umask" to set in the `/etc/bashrc` and `/etc/profile` and `/etc/login.defs`.
+# The value needs to be `027` or more restrictive to comply with CIS standards
+amzn2023cis_umask: '027'
+
 ##
 ## Section 5 Control Variables
 ##

tasks/fetch_audit_output.yml

@@ -0,0 +1,46 @@
+---
+
+# Stage to copy audit output to a centralised location
+
+- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller"
+  when: audit_output_collection_method == "fetch"
+  ansible.builtin.fetch:
+      src: "{{ item }}"
+      dest: "{{ audit_output_destination }}"
+      flat: true
+  failed_when: false
+  register: discovered_audit_fetch_state
+  loop:
+      - "{{ pre_audit_outfile }}"
+      - "{{ post_audit_outfile }}"
+  become: false
+
+# Added this option for continuity but could be changed by adjusting the variable audit_conf_dest
+# Allowing backup to one location
+- name: "FETCH_AUDIT_FILES | Copy files to location available to managed node"
+  when: audit_output_collection_method == "copy"
+  ansible.builtin.copy:
+      src: "{{ item }}"
+      dest: "{{ audit_output_destination }}"
+      mode: 'u-x,go-wx'
+      flat: true
+  failed_when: false
+  register: discovered_audit_fetch_copy_state
+  loop:
+      - pre_audit_outfile
+      - post_audit_outfile
+
+- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+  when:
+      - (discovered_audit_fetch_state is defined and not discovered_audit_fetch_state.changed) or
+        (discovered_audit_copy_state is defined and not discovered_audit_copy_state.changed)
+  block:
+      - name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+        ansible.builtin.debug:
+            msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy"
+
+      - name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+        vars:
+            warn_control_id: "FETCH_AUDIT_FILES"
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml

tasks/main.yml

@@ -163,6 +163,36 @@
   tags:
       - run_audit
 
+- name: Add ansible file showing Benchmark and levels applied
+  block:
+      - name: Create ansible facts directory
+        ansible.builtin.file:
+            path: "{{ ansible_facts_path }}"
+            state: directory
+            owner: root
+            group: root
+            mode: 'u=rwx,go=rx'
+
+      - name: Create ansible facts file
+        ansible.builtin.template:
+            src: etc/ansible/compliance_facts.j2
+            dest: "{{ ansible_facts_path }}/compliance_facts.fact"
+            owner: root
+            group: root
+            mode: "u-x,go-wx"
+  when: create_benchmark_facts
+  tags:
+      - always
+      - benchmark
+
+- name: Fetch audit files
+  ansible.builtin.import_tasks:
+      file: fetch_audit_output.yml
+  when:
+      - fetch_audit_output
+      - run_audit
+  tags: always
+
 - name: Show Audit Summary
   when:
       - run_audit

tasks/section_4/cis_4.6.x.yml

@@ -93,7 +93,7 @@
         ansible.builtin.replace:
             path: "{{ item }}"
             regexp: ^(?i)(\s*umask)\s+(?!\d*[2,7]7)\d{3,4}
-            replace: '\1 027'
+            replace: '\1 {{ amzn2023cis_umask }}'
         loop:
             - /etc/bashrc
             - /etc/profile

templates/etc/ansible/compliance_facts.j2

@@ -0,0 +1,39 @@
+# CIS Hardening Carried out
+# Added as part of ansible-lockdown CIS baseline
+# provided by Mindpoint Group - A Tyto Athene Company
+
+[lockdown_details]
+# Benchmark release
+Benchmark_release = CIS-{{ benchmark_version }}
+Benchmark_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }}
+# If options set (doesn't mean it ran all controls)
+level_1_hardening_enabled = {{ amzn2023cis_level_1 }}
+level_2_hardening_enabled = {{ amzn2023cis_level_2 }}
+
+{% if ansible_run_tags | length > 0 %}
+# If tags used to stipulate run level
+{% if 'level1-server' in ansible_run_tags %}
+Level_1_Server_tag_run = true
+{% endif %}
+{% if 'level2-server' in ansible_run_tags %}
+Level_2_Server_tag_run = true
+{% endif %}
+{% if 'level1-workstation' in ansible_run_tags %}
+Level_1_workstation_tag_run = true
+{% endif %}
+{% if 'level2-workstation' in ansible_run_tags %}
+Level_2_workstation_tag_run = true
+{% endif %}
+{% endif %}
+
+[lockdown_audit_details]
+{% if run_audit %}
+# Audit run
+audit_file_local_location = {{ audit_log_dir }}
+{% if not audit_only %}
+audit_summary = {{ post_audit_results }}
+{% endif %}
+{% if fetch_audit_output %}
+audit_files_centralized_location = {{ audit_output_destination }}
+{% endif %}
+{% endif %}