Merge pull request #252 from ansible-lockdown/devel

Final v1.0 release to main

Author: uk-bolly

.pre-commit-config.yaml

@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.6.0
+  rev: v5.0.0
   hooks:
   # Safety
   - id: detect-aws-credentials
@@ -36,13 +36,13 @@ repos:
     args: [ '--baseline', '.config/.secrets.baseline' ]
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.18.4
+  rev: v8.21.2
   hooks:
   - id: gitleaks
     args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.7.0
+  rev: v24.9.2
   hooks:
   - id: ansible-lint
     name: Ansible-lint

tasks/prelim.yml

@@ -138,35 +138,32 @@
       - always
 
 - name: "PRELIM | PATCH | Ensure auditd is installed"
-  block:
-      - name: "PRELIM | PATCH | Ensure auditd is installed"
-        ansible.builtin.package:
-            name: ['auditd', 'audispd-plugins']
-            state: present
-        when:
-            - "'auditd' not in ansible_facts.packages or
-              'auditd-plugins' not in ansible_facts.packages"
-
-      - name: "PRELIM | AUDIT | Audit conf and rules files | list files"
-        ansible.builtin.find:
-            path: /etc/audit/
-            file_type: file
-            recurse: true
-            patterns: '*.conf,*.rules'
-        register: auditd_conf_files
-
+  ansible.builtin.package:
+      name: ['auditd', 'audispd-plugins']
+      state: present
   when:
-      - ubtu22cis_rule_4_1_1_1 or
-        ubtu22cis_rule_4_1_4_5 or
-        ubtu22cis_rule_4_1_4_6 or
-        ubtu22cis_rule_4_1_4_7
+      - "'auditd' not in ansible_facts.packages or
+        'auditd-plugins' not in ansible_facts.packages"
+      - ubtu22cis_rule_4_1_1_1
   tags:
       - level2-server
       - level2-workstation
       - patch
       - auditd
       - always
 
+- name: "PRELIM | AUDIT | Audit conf and rules files | list files"
+  ansible.builtin.find:
+      path: /etc/audit/
+      file_type: file
+      recurse: true
+      patterns: '*.conf,*.rules'
+  register: auditd_conf_files
+  tags:
+      - patch
+      - auditd
+      - always
+
 - name: "PRELIM | AUDIT | Check if auditd is immutable before changes"
   ansible.builtin.shell: auditctl -l | grep -c '-e 2'
   changed_when: false

tasks/section_4/cis_4.1.4.x.yml

@@ -23,7 +23,7 @@
             "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
         ansible.builtin.file:
             path: "{{ audit_discovered_logfile.stdout }}"
-            mode: "{% if auditd_logfile.stat.mode > '0640' %}0640{% endif %}"
+            mode: 'u-x,g-wx,o-rwx'
             owner: root
             group: root
   when:

tasks/section_4/cis_4.2.3.yml

@@ -14,6 +14,8 @@
         ansible.builtin.file:
             path: "{{ item.path }}"
             mode: '0640'
+        failed_when: logfiles_perms_update.state not in '[ file, absent ]'
+        register: logfiles_perms_update
         loop: "{{ logfiles.files }}"
         loop_control:
             label: "{{ item.path }}"

tasks/section_6/cis_6.1.x.yml

@@ -21,6 +21,8 @@
       owner: root
       group: root
       mode: '0644'
+  failed_when: discovered_file_exists.state not in '[ file, absent ]'
+  register: discovered_file_exists
   when:
       - ubtu22cis_rule_6_1_2
   tags:

vars/audit.yml

@@ -26,8 +26,9 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma
 
 ### Audit binary settings ###
 audit_bin_version:
-    release: v0.4.4
-    AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5'
+    release: v0.4.8
+    AMD64_checksum: 'sha256:85d00b7bba5f175bec95de7dfe1f71f8f25204914aad4c6f03c8457868eb6e2f'
+    ARM64_checksum: 'sha256:bca8c898bfd35b94c51455ece6193c95e2cd7b2b183ac2047b2d76291e73e47d'
 audit_bin_path: /usr/local/bin/
 audit_bin: "{{ audit_bin_path }}goss"
 audit_format: json