Merge pull request #300 from ansible-lockdown/devel

Devel updates to main

Author: uk-bolly

.github/workflows/devel_pipeline_validation.yml

@@ -7,6 +7,7 @@
         types: [opened, reopened, synchronize]
         branches:
             - devel
+            - benchmark*
         paths:
             - '**.yml'
             - '**.sh'
@@ -70,7 +71,6 @@
                  echo IAC_BRANCH=main >> $GITHUB_ENV
               fi
 
-
           # Pull in terraform code for linux servers
           - name: Clone GitHub IaC plan
             uses: actions/checkout@v4

.github/workflows/main_pipeline_validation.yml

@@ -7,6 +7,7 @@
         types: [opened, reopened, synchronize]
         branches:
             - main
+            - latest
         paths:
             - '**.yml'
             - '**.sh'
@@ -23,17 +24,6 @@
   # A workflow run is made up of one or more jobs
   # that can run sequentially or in parallel
   jobs:
-    # This will create messages for first time contributers and direct them to the Discord server
-      welcome:
-        runs-on: self-hosted
-
-        steps:
-            - uses: actions/first-interaction@main
-              with:
-                repo-token: ${{ secrets.GITHUB_TOKEN }}
-                pr-message: |-
-                    Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                    Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
       # This workflow contains a single job that tests the playbook
       playbook-test:

.gitignore

@@ -43,3 +43,6 @@ benchparse/
 
 # GitHub Action/Workflow files
 .github/
+
+# ansible-lint cache
+.ansible/

.pre-commit-config.yaml

@@ -41,12 +41,12 @@ repos:
   - id: detect-secrets
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.23.3
+  rev: v8.28.0
   hooks:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.1.2
+  rev: v25.7.0
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -65,7 +65,7 @@ repos:
     # - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.35.1  # or higher tag
+  rev: v1.37.1  # or higher tag
   hooks:
   - id: yamllint
     name: Check YAML Lint

defaults/main.yml

@@ -20,6 +20,11 @@ skip_reboot: true
 # The audit variable found at the base
 benchmark: UBUNTU22-CIS
 benchmark_version: v2.0.0
+
+# Create managed not custom local_facts files
+create_benchmark_facts: true
+ansible_facts_path: /etc/ansible/facts.d
+
 # Used for audit
 ubtu22cis_level_1: true
 ubtu22cis_level_2: true
@@ -101,6 +106,20 @@ audit_conf_dest: "/opt"
 # Where the audit logs are stored
 audit_log_dir: '/opt'
 
+## Ability to collect and take audit files moving to a centralised location
+# This enables the collection of the files from the host
+fetch_audit_output: false
+
+# Method of getting,uploading the summary files
+## Ensure access and permissions are avaiable for these to occur.
+## options are
+# fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller)
+# copy - copies file to a location available to the managed node
+audit_output_collection_method: fetch
+
+# Location to put the audit files
+audit_output_destination: /opt/audit_summaries/
+
 ### Goss Settings ##
 ####### END ########
 
@@ -609,6 +628,10 @@ ubtu22cis_desktop_required: false
 # This will also purge any packages not removed via this playbook
 ubtu22cis_purge_apt: false
 
+## Ignore change_when for apt update task
+# Modifies behavior of 'changed_when' for 'apt update' task  in prelim that always changes
+ubtu22cis_ignore_apt_update_changed_when: false
+
 ##
 ## Section 1 Control Variables
 ##

tasks/fetch_audit_output.yml

@@ -0,0 +1,46 @@
+---
+
+# Stage to copy audit output to a centralised location
+
+- name: "POST | FETCH | Fetch files and copy to controller"
+  when: audit_output_collection_method == "fetch"
+  ansible.builtin.fetch:
+    src: "{{ item }}"
+    dest: "{{ audit_output_destination }}"
+    flat: true
+  failed_when: false
+  register: discovered_audit_fetch_state
+  loop:
+    - "{{ pre_audit_outfile }}"
+    - "{{ post_audit_outfile }}"
+  become: false
+
+# Added this option for continuity but could be changed by adjusting the variable audit_conf_dest
+# Allowing backup to one location
+- name: "POST | FETCH | Copy files to location available to managed node"
+  when: audit_output_collection_method == "copy"
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "{{ audit_output_destination }}"
+    mode: 'u-x,go-wx'
+    flat: true
+  failed_when: false
+  register: discovered_audit_copy_state
+  loop:
+    - "{{ pre_audit_outfile }}"
+    - "{{ post_audit_outfile }}"
+
+- name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+  when:
+    - (audit_output_collection_method == "fetch" and not discovered_audit_fetch_state.changed) or
+      (audit_output_collection_method == "copy" and not discovered_audit_copy_state.changed)
+  block:
+    - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+      ansible.builtin.debug:
+        msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy"
+
+    - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+      vars:
+        warn_control_id: "FETCH_AUDIT_FILES"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml

tasks/main.yml

@@ -91,7 +91,8 @@
 - name: Setup rules if container
   when:
     - ansible_connection == 'docker' or
-      ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
+      (ansible_facts.virtualization_type is defined and
+       ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"])
   tags:
     - container_discovery
     - always
@@ -210,6 +211,39 @@
   ansible.builtin.import_tasks:
     file: post_remediation_audit.yml
 
+- name: Add ansible file showing Benchmark and levels applied if audit details not present
+  when:
+    - create_benchmark_facts
+    - (post_audit_summary is defined) or
+      (ansible_local['compliance_facts']['lockdown_audit_details']['audit_summary'] is undefined and post_audit_summary is undefined)
+  tags:
+    - always
+    - benchmark
+  block:
+    - name: Create ansible facts directory if audit facts not present
+      ansible.builtin.file:
+        path: "{{ ansible_facts_path }}"
+        state: directory
+        owner: root
+        group: root
+        mode: 'u=rwx,go=rx'
+
+    - name: Create ansible facts file and levels applied if audit facts not present
+      ansible.builtin.template:
+        src: etc/ansible/compliance_facts.j2
+        dest: "{{ ansible_facts_path }}/compliance_facts.fact"
+        owner: root
+        group: root
+        mode: 'u-x,go=r'
+
+- name: Fetch audit files
+  when:
+    - fetch_audit_output
+    - run_audit
+  tags: always
+  ansible.builtin.import_tasks:
+    file: fetch_audit_output.yml
+
 - name: Show Audit Summary
   when: run_audit
   tags: run_audit

tasks/prelim.yml

@@ -47,6 +47,12 @@
       ansible.builtin.debug:
         msg: "{{ prelim_mount_point_fs_and_options }}"
 
+- name: "PRELIM | PATCH | Run apt update"
+  tags: always
+  ansible.builtin.package:
+    update_cache: true
+  changed_when: not ubtu22cis_ignore_apt_update_changed_when
+
 - name: Include audit specific variables
   when:
     - run_audit or audit_only
@@ -141,6 +147,14 @@
   check_mode: false
   register: prelim_sudoers_files
 
+- name: "PRELIM | AUDIT | Capture pam configs related files"
+  tags: always
+  ansible.builtin.find:
+    paths:
+      - '/usr/share/pam-configs/'
+      - '/etc/pam.d/'
+  register: prelim_pam_conf_files
+
 - name: PRELIM | PATCH | Ensure conf.d directory exists required for 5.3.3.2.x
   when:
     - ubtu22cis_rule_5_3_3_2_1 or
@@ -151,11 +165,26 @@
       ubtu22cis_rule_5_3_3_2_6
   tags: always
   ansible.builtin.file:
-    path: '/etc/security/pwquality.conf.d'
-    state: directory
+    path: "{{ item.path }}"
+    state: "{{ item.state }}"
     owner: root
     group: root
     mode: 'g-w,o-rwx'
+    modification_time: preserve
+    access_time: preserve
+  register: prelim_pwquality_dummy
+  changed_when: prelim_pwquality_dummy.diff == "absent"
+  loop:
+    - { path: '/etc/security/pwquality.conf.d', state: 'directory' }
+    - { path: '/etc/security/pwquality.conf.d/cis_dummy.conf', state: 'touch' }
+
+- name: "PRELIM | AUDIT | Capture pam security related files"
+  tags: always
+  ansible.builtin.find:
+    paths:
+      - /etc/security/pwquality.conf.d/
+    patterns: '*.conf'
+  register: prelim_pam_pwquality_confs
 
 - name: PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def
   when: not discover_int_uid

tasks/section_1/cis_1.1.2.1.x.yml

@@ -128,5 +128,5 @@
     dest: /etc/systemd/system/tmp.mount
     owner: root
     group: root
-    mode: "go-wx"
+    mode: 'go-wx'
   notify: *mount_option_notify

tasks/section_1/cis_1.4.x.yml

@@ -18,7 +18,7 @@
         dest: "{{ ubtu22cis_grub_user_file }}"
         owner: root
         group: root
-        mode: 'go-w'
+        mode: 'go-w,u+x'
       notify: Grub update
 
     - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot"