### SELinux Configuration Test Example (Goss) Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/audit_development This example shows a Goss test configuration for the SELinux configuration file. It includes checks for existence, specific content patterns, and associated metadata for CIS compliance. Note that duplicate file identifiers can lead to only one test result being reported. ```yaml file: /etc/selinux/config: title: 1.6.1.4 | Ensure the SELinux mode is not disabled | config exists: true contains: - '/^SELINUX( |)=( |)(enforcing|permissive)/' - '!/^SELINUX( |)=( |)disabled/' meta: server: 1 workstation: 1 CIS_ID: - 1.6.1.4 CISv8: - 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true ``` -------------------------------- ### Audit Control File Structure Example Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/audit_development Illustrates a typical directory structure for organizing audit controls, grouping similar tests under parent directories for better management. ```text |- control group e.g. section_1 |-- grouped controls |---- control test ``` ```text |- section_1 |-- cis_1.1 |--- cis_1.1.x.yml ``` -------------------------------- ### SELinux Enforcing Mode Test Example (Goss) Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/audit_development This example demonstrates a Goss test for ensuring SELinux mode is enforcing on the configuration file. It specifies content patterns and associated metadata for CIS compliance. This test, when run with the previous SELinux test on the same file, will result in only one test's output being considered due to the duplicate file identifier. ```yaml file: /etc/selinux/config: title: 1.6.1.5 | Ensure the SELinux mode is enforcing | config exists: true contains: - '/^SELINUX( |)=( |)enforcing/' - '!/^SELINUX( |)=( |)disabled/' meta: server: 2 workstation: 2 CIS_ID: - 1.6.1.5 CISv8: - 3.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true ``` -------------------------------- ### Install Ansible Role using Ansible Galaxy Source: https://ansible-lockdown.readthedocs.io/en/latest/remediate/rem-getting-started Installs the Ansible Lockdown RHEL8-CIS role using the `ansible-galaxy` command. This method places the role in the default Ansible roles directory, making it readily available for playbooks. Ensure Ansible is installed. ```bash ansible-galaxy install git+https://github.com/ansible-lockdown/RHEL8-CIS.git ``` -------------------------------- ### Check Goss Installation and Version (Bash) Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit Verifies if the Goss executable is installed and meets the minimum version requirement (AUDIT_BIN_MIN_VER). It extracts the installed version, compares it, and sets an export FAILURE variable if requirements are not met. ```bash if [ -s "${AUDIT_BIN}" ]; then goss_installed_version="$($AUDIT_BIN -v | awk '{print $NF}' | cut -dv -f2)" newer_version=$(echo -e "$goss_installed_version\n$AUDIT_BIN_MIN_VER" | sort -V | tail -n 1) if [ "$goss_installed_version" = "$newer_version" ] || [ "$goss_installed_version" = "$AUDIT_BIN_MIN_VER" ]; then echo "OK - Goss is installed and version is ok ($goss_installed_version >= $AUDIT_BIN_MIN_VER)" else echo "WARNING - Goss installed = ${goss_installed_version}, does not meet minimum of ${AUDIT_BIN_MIN_VER}" export FAILURE=2 fi else echo "WARNING - The audit binary is not available at $AUDIT_BIN" export FAILURE=1 fi ``` -------------------------------- ### Configure Custom Ansible Role Path Source: https://ansible-lockdown.readthedocs.io/en/latest/remediate/rem-getting-started An example of an `ansible.cfg` file that specifies custom paths for Ansible roles. This is useful when roles are not installed in the default locations. Ansible will search for roles in both the default and custom paths. ```ini [DEFAULTS] roles_path = /etc/ansible/roles:/home/myuser/custom/roles ``` -------------------------------- ### CIS Control Metadata Example Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/audit_development This snippet demonstrates the metadata structure for CIS (Center for Internet Security) controls. It includes server and workstation CIS levels, control IDs, and association with CIS v8 groups and implementation groups. ```yaml meta: server: 1 workstation: 1 CIS_ID: 1.1.1.1 CISv8: - 4.8 CISv8_IG1: false CISv8_IG2: true CISv8_IG3: true ``` -------------------------------- ### STIG Control Metadata Example Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/audit_development This snippet illustrates the metadata structure for STIG (Security Technical Implementation Guide) controls. It contains category (Cat), Common Configuration Item (CCI), Group Title, Rule ID, STIG ID, and Vulnerability ID. ```yaml meta: Cat: 1 CCI: - CCI-001494 - CCI-001496 - CCI-002165 - CCI-002235 Group_Title: SRG-OS-000257-GPOS-00098 Rule_ID: SV-204392r646841_rule STIG_ID: RHEL-07-010010 Vul_ID: V-204392 ``` -------------------------------- ### CIS Control Tagging Example - YAML Source: https://ansible-lockdown.readthedocs.io/en/latest/remediate/rem-getting-started This example illustrates CIS control tagging in Ansible. It shows tags indicating compliance levels (level1-server, level1-workstation), automation status, and functional areas such as 'patch' and 'dhcp', along with specific rule references like 'rule_2.2.5'. ```yaml tags: - level1-server - level1-workstation - automated - patch - dhcp - rule_2.2.5 ``` -------------------------------- ### Basic Audit Control Test using Goss Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/audit_development A basic example of an audit control written using Goss modules. This snippet demonstrates how to define a command to check for disabled USB storage, including metadata for reporting and conditional execution. ```yaml {{ if .Vars.rhel9cis_level_1 }} {{ if .Vars.rhelcis9_1_1_10 }} command: usb-storage: title: 1.1.10 | Disable USB Storage exit-status: 0 exec: "modprobe -n -v usb-storage | grep -E '(usb-storage|install)'" stdout: - install /bin/true meta: server: 1 workstation: 2 CIS_ID: 1.1.10 CISv8: - 10.3 CISv8_IG1: true CISv8_IG2: true CISv8_IG3: true {{ end }} {{ end }} ``` -------------------------------- ### Install Ansible Role using Git Clone Source: https://ansible-lockdown.readthedocs.io/en/latest/remediate/rem-getting-started Clones the Ansible Lockdown RHEL8-CIS role repository into a local directory using `git clone`. This method allows for more control over the role's location. The role can be cloned into a specific directory or a directory with the same name as the repository. ```bash cd ~/CIS_Roles git clone https://github.com/ansible-lockdown/RHEL8-CIS.git ``` ```bash mkdir ~/CIS_Roles git clone https://github.com/ansible-lockdown/RHEL8-CIS.git ~/CIS_Roles ``` -------------------------------- ### Run Goss Manually Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/audit-faq This command demonstrates how to manually execute Goss for auditing. Goss is designed to run with discovered variables passed for metadata; without them, it will fail. The `run_audit` script provides examples of how these variables are created and supplied to Goss. ```shell goss -g goss.yml -v ``` -------------------------------- ### Run Ansible Role Standalone via CLI Source: https://ansible-lockdown.readthedocs.io/en/latest/remediate/rem-getting-started Executes the Ansible RHEL8-STIG role as a standalone playbook using the `ansible-playbook` command. This example demonstrates how to specify an inventory file, pass extra variables to control role behavior, and point to the `site.yml` playbook within the role. ```bash cd roles ansible-playbook -i hosts -e '{ "rhel8stig_cat2_patch":false,"rhel8stig_cat3_patch":false }' ./RHEL8-STIG/site.yml ``` -------------------------------- ### Ansible Local Facts for Benchmark Audit Details Source: https://ansible-lockdown.readthedocs.io/en/latest/combined/comb-getting-started This example displays the structure of Ansible local facts, specifically the Benchmark_Audit_Details. It includes the local file path of the audit log and a summary of the audit results, such as counts, failures, skips, and duration. This is a typical output when querying Ansible facts. ```json { "ansible_facts": { "ansible_local": { "lockdown_facts": { "Benchmark_Audit_Details": { "audit_file_location_local": "/opt", "audit_summary": "Count: 798, Failed: 24, Skipped: 6, Duration: 38.824s" }, "Benchmark_Details": { "benchmark_release": "CIS-v2.0.0", "benchmark_run_date": "2025-03-31 - 14:59:43", "level_1_hardening_enabled": "True", "level_2_hardening_enabled": "True" } } }, "discovered_interpreter_python": "/usr/bin/python3" }, "changed": false } ``` -------------------------------- ### STIG Control Tagging Example - YAML Source: https://ansible-lockdown.readthedocs.io/en/latest/remediate/rem-getting-started This example demonstrates how STIG controls are tagged in Ansible. Tags include specific control IDs, severity levels (CAT2), CCI references, SRG IDs, and functional areas like 'fapolicy'. These tags are used to manage playbook execution. ```yaml tags: - RHEL-08-040137 - CAT2 - CCI-001764 - SRG-OS-000368-GPOS-00154 - SV-244546r809339_rule - V-244546 - fapolicy ``` -------------------------------- ### Ansible Fatal Error: Install 'jmespath' Source: https://ansible-lockdown.readthedocs.io/en/latest/remediate/rem-faq This error occurs when the 'jmespath' library is not installed, which is required for the json_query filter in Ansible playbooks, especially during OS patching. Ensure 'jmespath' is installed to resolve this issue. Note: Newer releases may have removed this dependency. ```text fatal: [ansible]: FAILED! => {"msg": "You need to install \"jmespath\" prior to running json_query filter"} ``` -------------------------------- ### Audit Control Variable Precedence Example Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/audit_development Demonstrates how to define variable precedence in audit controls. Variables with higher impact or scope should be declared earlier in the file structure. ```yaml {{ .Vars.section_1 }} {{ .Vars.rhelcis8_1_1_1_1 }} ``` -------------------------------- ### Use Ansible Role within an Existing Playbook Source: https://ansible-lockdown.readthedocs.io/en/latest/remediate/rem-getting-started An example of an Ansible playbook that incorporates the RHEL8-CIS role. The role is included using the `roles` directive and conditional execution based on Ansible facts such as OS family and major version. ```yaml --- - hosts: servers become: yes roles: - role: RHEL8-CIS when: - ansible_os_family == 'RedHat' - ansible_distribution_major_version | version_compare('8', '=') ``` -------------------------------- ### Ansible CIS Control: Enable Auditing for Processes Source: https://ansible-lockdown.readthedocs.io/en/latest/remediate/rem_development This Ansible playbook task configures RHEL 8 systems to ensure auditing for processes that start prior to auditd is enabled, following CIS benchmarks. It modifies the GRUB configuration to include the necessary audit settings. ```yaml - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" when: rhel8cis_rule_4_1_1_3 tags: - level2-server - level2-workstation - automated - patch - auditd - grub - rule_4.1.1.3 block: - name: "4.1.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false check_mode: no register: discovered_default_grub_cmdline_linux - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" when: "'audit=' in discovered_default_grub_cmdline_linux.stdout" ansible.builtin.replace: path: /etc/default/grub regexp: 'audit=.' replace: 'audit=1' notify: grub2cfg - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" when: "'audit=' not in discovered_default_grub_cmdline_linux.stdout" ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: '{{ discovered_default_grub_cmdline_linux.stdout }} audit=1"' notify: grub2cfg ``` -------------------------------- ### Set Ansible Role Variables via CLI Extra-Vars Source: https://ansible-lockdown.readthedocs.io/en/latest/remediate/rem-getting-started Demonstrates how to override Ansible role variables directly on the command line using the `-e` flag with `ansible-playbook`. This example shows how to disable specific STIG categories (CAT2 and CAT3) by setting their corresponding patch variables to `false`. ```bash ansible-playbook -i host_file -e '{ "rhel8stig_cat2_patch":false,"rhel8stig_cat3_patch":false }' ./RHEL8-STIG/site.yml ``` -------------------------------- ### Run Goss with Documentation Output Format Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit This snippet shows how to run Goss with a specific output format, 'documentation'. This format provides a more human-readable output for passing tests, detailing the checks performed and their results. It requires the Goss binary path, the goss.yml file, and the '-f documentation' flag. ```shell # /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate -f documentation Title: 1.1.20 Check for removable media nodev Command: floppy_nodev: exit-status: matches expectation: [0] Command: floppy_nodev: stdout: matches expectation: [OK] < -------cut ------- > Title: 1.1.20 Check for removable media noexec Command: floppy_noexec: exit-status: matches expectation: [0] Command: floppy_noexec: stdout: matches expectation: [OK] Total Duration: 0.022s Count: 12, Failed: 0, Skipped: 0 ``` -------------------------------- ### Display Script Usage Instructions (Bash) Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit Defines a Help function that prints usage instructions and available command-line options for the audit script. This function is typically called when the '-h' option is provided or in case of invalid arguments. ```bash Help() { echo "Script to run the goss audit" echo echo "Syntax: $0 [-f|-g|-m|-o|-v|-w|-h]" echo "options:" echo "-f optional - change the format output (options json(default), documentation, rspecish)" echo "-g optional - Add a group that the server should be grouped with (default value = ungrouped)" echo "-m optional - maximum concurrent processes (number, default 50)" echo "-o optional - file to output audit data" echo "-v optional - relative path to the vars file to load (default e.g. $AUDIT_CONTENT_LOCATION/${OS}-$BENCHMARK/vars/${BENCHMARK}.yml)" echo "-w optional - Sets the system_type to workstation (Default - Server)" echo "-h Print this Help." echo } ``` -------------------------------- ### Create Custom Ansible Facts for Hardening Report Source: https://ansible-lockdown.readthedocs.io/en/latest/combined/comb-getting-started This Ansible task conditionally creates a directory and a Jinja2 template file to store custom facts about applied hardening benchmarks and levels. It ensures the facts directory exists with correct permissions and then populates the facts file from a template. This is useful for post-hardening reporting and compliance verification. ```ansible - name: Add ansible file showing Benchmark and levels applied when: create_benchmark_facts tags: - always - benchmark block: - name: Create ansible facts directory ansible.builtin.file: path: "{{ ansible_facts_path }}" state: directory owner: root group: root mode: 'u=rwx,go=rx' - name: Create ansible facts file ansible.builtin.template: src: etc/ansible/compliance_facts.j2 dest: "{{ ansible_facts_path }}/compliance_facts.fact" owner: root group: root mode: "u-x,go-wx" ``` -------------------------------- ### Ansible Local Facts for STIG Benchmark Details Source: https://ansible-lockdown.readthedocs.io/en/latest/combined/comb-getting-started This JSON output demonstrates Ansible local facts containing STIG benchmark details. It shows the benchmark release (e.g., STIG-v2r2), run date, and the enabled status for hardening categories (CAT 1, 2, 3). This structure is useful for verifying benchmark compliance. ```json { "ansible_facts": { "ansible_local": { "lockdown_facts": { "Benchmark_Audit_Details": { "audit_file_location_local": "/opt", "audit_summary = Count: 979, Failed: 73, Skipped: 22, Duration: 18.411s" }, "Benchmark_Details": { "benchmark_release": "STIG-v2r2", "benchmark_run_date": "2025-03-31 - 14:59:43", "cat_1_hardening_enabled": "True", "cat_2_hardening_enabled": "True", "cat_3_hardening_enabled": "True" } } }, "discovered_interpreter_python": "/usr/bin/python3" }, "changed": false } ``` -------------------------------- ### Ansible Jinja2 Template for CIS Lockdown Details Source: https://ansible-lockdown.readthedocs.io/en/latest/combined/comb-getting-started This Jinja2 template defines the structure for an INI-formatted facts file that records details about CIS benchmark hardening. It includes the benchmark release, run date, hardening levels enabled, and tags used during the Ansible run. The content is conditionally generated based on variables. ```jinja2 [lockdown_details] # Benchmark release Benchmark_release = CIS-{{ benchmark_version }} Benchmark_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }} # Hardening levels enabled via variables level_1_hardening_enabled = {{ rhel9cis_level_1 }} level_2_hardening_enabled = {{ rhel9cis_level_2 }} # Tag-based hardening run types (conditional) {% if 'level1-server' in ansible_run_tags %} Level_1_Server_tag_run = true {% endif %} {% if 'level2-server' in ansible_run_tags %} Level_2_Server_tag_run = true {% endif %} {% if 'level1-workstation' in ansible_run_tags %} Level_1_workstation_tag_run = true {% endif %} {% if 'level2-workstation' in ansible_run_tags %} Level_2_workstation_tag_run = true {% endif %} ``` -------------------------------- ### Define Audit Paths (Bash) Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit Constructs full paths for audit content based on the detected OS vendor and benchmark details. This includes defining the versioned content directory and the location of audit variables. ```bash audit_content_version=$os_vendor$os_maj_ver-$BENCHMARK-Audit audit_content_dir=$AUDIT_CONTENT_LOCATION/$audit_content_version audit_vars=vars/${BENCHMARK}.yml ``` -------------------------------- ### Ansible Jinja2 Configuration for STIG Benchmark Details Source: https://ansible-lockdown.readthedocs.io/en/latest/combined/comb-getting-started This Jinja2 template configures STIG benchmark details within an Ansible playbook. It defines the benchmark release version, run date, and hardening levels (CAT 1, 2, 3) based on variables. It also conditionally sets flags if specific Ansible tags are used for the run. ```ansible [lockdown_details] # Benchmark release Benchmark_release = STIG-{{ benchmark_version }} Benchmark_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }} # If options set (doesn't mean it ran all controls) cat_1_hardening_enabled = {{ rhel9stig_cat1 }} cat_2_hardening_enabled = {{ rhel9stig_cat2 }} cat_3_hardening_enabled = {{ rhel9stig_cat3 }} # Tag-based hardening run types (conditional) {% if ansible_run_tags | length > 0 %} # If tags used to stipulate run level {% if 'rhel9stig_cat1' in ansible_run_tags %} Cat_1_Server_tag_run = true {% endif %} {% if 'rhel9stig_cat2' in ansible_run_tags %} Cat_2_Server_tag_run = true {% endif %} {% if 'rhel9stig_cat3' in ansible_run_tags %} Cat_3_Server_tag_run = true {% endif %} {% endif %} ``` -------------------------------- ### Format and Summarize Audit Results (Bash) Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit Prepares commands to display a summary of the audit results based on the selected format. It adjusts the summary command for JSON output and suppresses it for JUnit or TAP formats. ```bash output_summary="tail -2 $audit_out" format_output="-f $format" if [ "$format" = json ]; then format_output="-f json -o pretty" output_summary='grep -A 4 "summary": $audit_out' elif [ "$format" = junit ] || [ "$format" = tap ]; then output_summary="" fi ``` -------------------------------- ### Define Goss Binary and Audit File Paths (Bash) Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit Sets environment variables for the Goss executable location, minimum version, and the default audit configuration file path. These variables are crucial for locating and configuring the audit tool. ```bash AUDIT_BIN="${AUDIT_BIN:-\/usr\/local\/bin\/goss}" # location of the goss executable AUDIT_BIN_MIN_VER="0.4.4" AUDIT_FILE="${AUDIT_FILE:-goss.yml}" # default Goss configuration file AUDIT_CONTENT_LOCATION="${AUDIT_CONTENT_LOCATION:-\/opt}" # Location for audit files ``` -------------------------------- ### Run Goss Full Check Manually Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit This snippet shows how to manually run a full Goss validation. It requires specifying the path to the Goss binary, a vars file, and the main goss.yml file. The output format is the default, showing dots for passing tests and letters for failures/skips. ```shell # {{path to your goss binary}} --vars {{ path to the vars file }} -g {{path to your clone of this repo }}/goss.yml --validate ``` ```shell # /usr/local/bin/goss --vars ../vars/cis.yml -g /home/bolly/rh8_cis_goss/goss.yml validate ......FF....FF................FF...F..FF.............F........................FSSSS.............FS.F.F.F.F.........FFFFF.... Failures/Skipped: Title: 1.6.1 Ensure core dumps are restricted (Automated)_sysctl Command: suid_dumpable_2: exit-status: Expected : 1 to equal : 0 Command: suid_dumpable_2: stdout: patterns not found: [fs.suid_dumpable = 0] Title: 1.4.2 Ensure filesystem integrity is regularly checked (Automated) Service: aidecheck: enabled: Expected : false to equal : true Service: aidecheck: running: Expected : false to equal : true < ---------cut ------- > Title: 1.1.22 Ensure sticky bit is set on all world-writable directories Command: version: exit-status: Expected : 0 to equal : 123 Total Duration: 5.102s Count: 124, Failed: 21, Skipped: 5 ``` -------------------------------- ### Run Ansible Audit as Part of Playbook Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit This configuration enables running security audits as part of an Ansible playbook. It allows for capturing pre- and post-remediation states and can optionally fetch audit files back to the control node. ```yaml audit_only: true # This will enable files to be copied back to control node fetch_audit_files: false # Path to copy the files to will create dir structure audit_capture_files_dir: "/some/location to copy to on control node" ``` -------------------------------- ### Detect OS Vendor (Bash) Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit Determines the operating system vendor by checking the /etc/os-release file for specific keywords like 'rhel' or 'oracle'. If these are not found, it uses 'hostnamectl' to identify the OS vendor. ```bash if [ "$(grep -Ec "rhel|oracle" \/etc\/os-release)" != 0 ]; then os_vendor="RHEL" else os_vendor="$(hostnamectl | grep Oper | cut -d : -f2 | awk '{print $1}' | tr '[:lower:]')" fi ``` -------------------------------- ### Ansible Jinja2 Configuration for Lockdown Audit Details Source: https://ansible-lockdown.readthedocs.io/en/latest/combined/comb-getting-started This Jinja2 template configures audit-specific details for the Lockdown project when auditing is enabled. It includes the local path for audit logs, the post-audit results summary, and the destination for centralized audit files, all conditionally rendered based on playbook variables. ```ansible [lockdown_audit_details] {% if run_audit %} # Audit run audit_file_local_location = {{ audit_log_dir }} {% if not audit_only %} audit_summary = {{ post_audit_results }} {% endif %} {% if fetch_audit_output %} audit_files_centralized_location = {{ audit_output_destination }} {% endif %} {% endif %} ``` -------------------------------- ### PowerShell: Run Goss Security Audit Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit This PowerShell script, 'run_audit.ps1', acts as a wrapper for executing Goss security audits on Windows systems. It allows users to specify the audit content directory, the path to the Goss binary, a variable file for audit settings, an optional group for categorization, and a custom output file path. Default values are provided for most parameters. ```powershell # Run the script with default settings . un_audit.ps1 # Specify a custom path for the audit binary . un_audit.ps1 -auditbin C:\path_to\binary.exe # Define a custom audit directory . un_audit.ps1 -auditdir C:\somepath_for_audit_content ``` -------------------------------- ### Execute Goss Audit (Bash) Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit Runs the Goss audit command with specified parameters, including the content directory, audit file, variable file path, inline variables, and output format. The output is redirected to the determined audit output file. ```bash echo "Audit Started" $AUDIT_BIN -g "$audit_content_dir/$AUDIT_FILE" --vars "$varfile_path" --vars-inline "$audit_json_vars" v $format_output > "$audit_out" ``` -------------------------------- ### Run Specific Goss Test Section Manually Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit This command demonstrates how to execute only a particular section of Goss tests. It requires specifying the Goss binary path, the goss.yml file for the specific section, and the 'validate' command. The output shows minimal results as only a subset of tests is run. ```shell # /usr/local/bin/goss -g /home/bolly/rh8_cis_goss/section_1/cis_1.1/cis_1.1.22.yml validate ............ Total Duration: 0.033s Count: 12, Failed: 0, Skipped: 0 ``` -------------------------------- ### Process Command-Line Arguments (Bash) Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit Uses the getopts built-in command to parse command-line options provided to the script. It assigns values to variables like FORMAT, GROUP, MAX, OUTFILE, and VARS_PATH based on the options given. ```bash while getopts f:g:m:o:v::wh option; do case "${option}" in f ) FORMAT=${OPTARG} ;; # Output format (json, rspecish, etc.) g ) GROUP=${OPTARG} ;; # Defines server group m ) MAX=${OPTARG} ;; o ) OUTFILE=${OPTARG} ;; # Specifies output file v ) VARS_PATH=${OPTARG} ;; # Variables file path w ) host_system_type=Workstation ;; # Change system type to Workstation h ) Help; exit;; # Show help and exit ? ) echo "Invalid option: -${OPTARG}."; Help; exit;; # Invalid option handler esac done ``` -------------------------------- ### Ansible: Fetch Audit Files to Controller Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit This Ansible task uses the 'fetch' module to copy audit output files from managed nodes to the Ansible controller. It runs conditionally if the 'audit_output_collection_method' variable is set to 'fetch'. The task iterates over specified output files, saves them to a destination directory on the controller, and prevents failure if a file is not found. Privilege escalation is disabled. ```yaml - name: "FETCH_AUDIT_FILES | Fetch files and copy to controller" when: audit_output_collection_method == "fetch" ansible.builtin.fetch: src: "{{ item }}" dest: "{{ audit_output_destination }}" flat: true failed_when: false register: discovered_audit_fetch_state loop: - "{{ pre_audit_outfile }}" - "{{ post_audit_outfile }}" loop_control: label: "{{ item }}" become: false ``` -------------------------------- ### Display Audit Completion Status (Bash) Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit Checks if the audit completed successfully by looking for benchmark keywords in the output file or if the format is JUnit/TAP. It then prints the location of the completed file and a completion message, or an error message if issues occurred. ```bash if [ "$(grep -c $BENCHMARK "$audit_out")" != 0 ] || [ "$format" = junit ] || [ "$format" = tap ]; then eval $output_summary echo "Completed file can be found at $audit_out" echo "Audit Completed" else echo -e "Fail: There were issues when running the audit, please investigate $audit_out" fi ``` -------------------------------- ### Windows Standalone Audit Script Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit This is a placeholder for the Windows standalone audit script. The actual script (`run_audit.ps1`) would be written in PowerShell and would perform similar security auditing functions as its Linux counterpart. -------------------------------- ### Linux Standalone Audit Script Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit The `run_audit.sh` script is a Bash script designed to perform security audits on Linux systems using the Goss binary. It is configurable and can audit against CIS or STIG benchmarks. ```shell # Goss benchmark variables (these should not need changing unless new release) BENCHMARK=CIS BENCHMARK_VER=1.0.0 BENCHMARK_OS=RHEL9 ``` -------------------------------- ### Ansible: Copy Audit Files on Managed Node Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit This Ansible task uses the 'copy' module to transfer audit output files to a specified location accessible by the managed node. It executes only when 'audit_output_collection_method' is set to 'copy'. The task copies files from a source to a destination on the managed node, sets specific file permissions, and registers the outcome. Failure is suppressed if the file does not exist. ```yaml - name: "FETCH_AUDIT_FILES | Copy files to location available to managed node" when: audit_output_collection_method == "copy" ansible.builtin.copy: src: "{{ item }}" dest: "{{ audit_output_destination }}" mode: 'u-x,go-wx' flat: true failed_when: false register: discovered_audit_copy_state loop: - "{{ pre_audit_outfile }}" - "{{ post_audit_outfile }}" loop_control: label: "{{ item }}" ``` -------------------------------- ### Ansible Jinja2 Configuration for Audit Run Source: https://ansible-lockdown.readthedocs.io/en/latest/combined/comb-getting-started This snippet shows how to configure audit run parameters using Ansible's Jinja2 templating. It dynamically sets audit file locations and summaries based on playbook variables. It is used within Ansible playbooks to manage audit logging. ```ansible audit_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }} audit_file_local_location = {{ audit_log_dir }} {% if not audit_only %} audit_summary = {{ post_audit_results }} {% endif %} {% if fetch_audit_output %} audit_files_centralized_location = {{ audit_output_destination }} {% endif %} {% endif %} ``` -------------------------------- ### Set Output File Path (Bash) Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit Dynamically determines the output file path for the audit results. If an output file is specified via the '-o' option, it uses that; otherwise, it constructs a default filename using system details and the audit format. ```bash if [ -z "$OUTFILE" ]; then export audit_out=${AUDIT_CONTENT_LOCATION}\/audit_${host_os_hostname}-$BENCHMARK-${BENCHMARK_OS}_${host_epoch}.$format else export audit_out=${OUTFILE} fi ``` -------------------------------- ### Accessing Custom Compliance Facts in Ansible Source: https://ansible-lockdown.readthedocs.io/en/latest/combined/comb-getting-started Demonstrates how to access custom facts that have been created on managed hosts using Ansible. Once the facts are gathered, they can be referenced in playbooks via the `ansible_local` variable, allowing for dynamic conditional logic or reporting based on the stored compliance data. ```jinja2 {{ ansible_local.compliance.benchmark_version }} ``` -------------------------------- ### Ansible Jinja2 Template for Audit Details Source: https://ansible-lockdown.readthedocs.io/en/latest/combined/comb-getting-started This Jinja2 template segment is designed to capture audit-specific information within an INI-formatted facts file. It is conditionally included only if the `run_audit` variable is set to true, allowing for the logging of audit-related details when an audit is performed. ```jinja2 [lockdown_audit_details] {% if run_audit %} ``` -------------------------------- ### Set Audit Max Concurrent Processes Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/audit-faq This variable allows you to limit the number of concurrent processes during an audit on both Windows and Linux systems. It helps in managing the system's performance impact. The `run_audit` script also supports this configuration via a specific flag. ```yaml audit_max_concurrent ``` ```shell -m # ``` -------------------------------- ### Ansible: Warn on Fetch/Copy Failure Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit This Ansible task displays a warning message if the audit file fetch or copy operations did not result in any changes, indicating a potential issue. It checks if the respective state variable is defined and if the 'changed' status is false for either the fetch or copy method. This helps in identifying situations where audit files might not have been successfully transferred. ```yaml - name: "FETCH_AUDIT_FILES | Warning if issues with fetch or copy" when: - (audit_output_collection_method == "fetch" and discovered_audit_fetch_state is defined and not discovered_audit_fetch_state.changed) or (audit_output_collection_method == "copy" and discovered_audit_copy_state is defined and not discovered_audit_copy_state.changed) block: - name: "FETCH_AUDIT_FILES | Warning if issues with fetch_audit_files" ansible.builtin.debug: msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy" ``` -------------------------------- ### Ansible STIG Control: Restrict Privilege Elevation Source: https://ansible-lockdown.readthedocs.io/en/latest/remediate/rem_development This Ansible playbook task demonstrates how to restrict privilege elevation in RHEL 8 systems according to STIG guidelines. It identifies and removes specific configurations from sudoers files that allow broad privilege escalation. ```yaml - name: "MEDIUM | RHEL-08-010382 | PATCH | RHEL 8 must restrict privilege elevation to authorized personnel." when: - rhel_08_010382 - rhel8stig_disruption_high tags: - RHEL-08-010382 - CAT2 - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-237641r646893_rule - V-237641 - NIST800-53R5_CM-7 - sudo block: - name: "MEDIUM | RHEL-08-010382 | AUDIT | RHEL 8 must restrict privilege elevation to authorized personnel. | Get ALL settings" ansible.builtin.shell: grep -iws 'ALL' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort changed_when: false failed_when: false register: discovered_sudoers_all_privilege - name: "MEDIUM | RHEL-08-010382 | PATCH | RHEL 8 must restrict privilege elevation to authorized personnel. | Remove format 1" when: discovered_sudoers_all_privilege.stdout | length > 0 ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'ALL ALL=(ALL) ALL' state: absent validate: '/usr/sbin/visudo -cf %s' loop: "{{ discovered_sudoers_all_privilege.stdout_lines }}" - name: "MEDIUM | RHEL-08-010382 | PATCH | RHEL 8 must restrict privilege elevation to authorized personnel. | Remove format 2" when: discovered_sudoers_all_privilege.stdout | length > 0 ansible.builtin.lineinfile: path: "{{ item }}" regexp: 'ALL ALL=(ALL:ALL) ALL' state: absent validate: '/usr/sbin/visudo -cf %s' loop: "{{ discovered_sudoers_all_privilege.stdout_lines }}" ``` -------------------------------- ### Enforce Root Privileges Check (Bash) Source: https://ansible-lockdown.readthedocs.io/en/latest/audit/getting-started-audit Checks if the script is being executed with root privileges by examining the user ID. If the user is not root (UID not equal to 0), it prints an error message and exits. ```bash if [ "$(/usr/bin/id -u)" -ne 0 ]; then echo "Script needs to run with root privileges" exit 1 fi ``` -------------------------------- ### Enable Auditd User Exclusions (YAML) Source: https://ansible-lockdown.readthedocs.io/en/latest/CIS/CIS_advanced This snippet shows how to enable the functionality to exclude specific users from auditd logging. It requires setting a boolean flag and then defining a list of users to be excluded. ```yaml allow_auditd_uid_user_exclusions: true ``` ```yaml rhel8cis_auditd_uid_exclude: - ansible - vagrant ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.