Merge pull request #180 from ansible-lockdown/devel

Release of v2.0.1 to main

Author: uk-bolly

.github/workflows/devel_pipeline_validation.yml

@@ -7,6 +7,7 @@
         types: [opened, reopened, synchronize]
         branches:
             - devel
+            - benchmark*
         paths:
             - '**.yml'
             - '**.sh'
@@ -27,7 +28,7 @@
   jobs:
     # This will create messages for first time contributers and direct them to the Discord server
       welcome:
-        runs-on: self-hosted
+        runs-on: ubuntu-latest
 
         steps:
             - uses: actions/first-interaction@main
@@ -70,7 +71,6 @@
                  echo IAC_BRANCH=main >> $GITHUB_ENV
               fi
 
-
           # Pull in terraform code for linux servers
           - name: Clone GitHub IaC plan
             uses: actions/checkout@v4

.github/workflows/main_pipeline_validation.yml

@@ -7,6 +7,7 @@
         types: [opened, reopened, synchronize]
         branches:
             - main
+            - latest
         paths:
             - '**.yml'
             - '**.sh'
@@ -23,17 +24,6 @@
   # A workflow run is made up of one or more jobs
   # that can run sequentially or in parallel
   jobs:
-    # This will create messages for first time contributers and direct them to the Discord server
-      welcome:
-        runs-on: self-hosted
-
-        steps:
-            - uses: actions/first-interaction@main
-              with:
-                repo-token: ${{ secrets.GITHUB_TOKEN }}
-                pr-message: |-
-                    Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                    Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
       # This workflow contains a single job that tests the playbook
       playbook-test:

.gitignore

@@ -43,3 +43,6 @@ benchparse/
 
 # GitHub Action/Workflow files
 .github/
+
+# ansible-lint cache
+.ansible/

.pre-commit-config.yaml

@@ -37,14 +37,14 @@ repos:
     exclude: .config/.gitleaks-report.json tasks/parse_etc_password
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.24.0
+  rev: v8.27.2
   hooks:
   - id: gitleaks
     args: ['--baseline-path', '.config/.gitleaks-report.json']
     exclude: .config/.secrets.baseline
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.1.3
+  rev: v25.6.1
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -63,6 +63,6 @@ repos:
     - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.36.2  # or higher tag
+  rev: v1.37.1  # or higher tag
   hooks:
   - id: yamllint

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases
+Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

defaults/main.yml

@@ -12,6 +12,13 @@ skip_reboot: true
 
 system_is_container: false
 
+# Used for audit
+ubtu20cis_level_1: true
+ubtu20cis_level_2: true
+
+# Create managed not custom local_facts files
+create_benchmark_facts: true
+ansible_facts_path: /etc/ansible/facts.d
 ## Benchmark name used by auditing control role
 # The audit variable found at the base
 benchmark: UBUNTU20-CIS
@@ -36,16 +43,12 @@ audit_run_heavy_tests: true
 
 ## Only run Audit do not remediate
 audit_only: false
-### As part of audit_only ###
-# This will enable files to be copied back to control node in audit_only mode
-fetch_audit_files: false
-# Path to copy the files to will create dir structure in audit_only mode
-audit_capture_files_dir: /some/location to copy to on control node
+
 #############################
 
 # How to retrieve audit binary
 # Options are copy or download - detailed settings at the bottom of this file
-# you will need to access to either github or the file already dowmloaded
+# you will need to access to either github or the file already downloaded
 get_audit_binary_method: download
 
 ## if get_audit_binary_method - copy the following needs to be updated for your environment
@@ -70,8 +73,23 @@ audit_conf_dest: "/opt"
 # Where the audit logs are stored
 audit_log_dir: '/opt'
 
+## Ability to collect and take audit files moving to a centralised location
+# This enables the collection of the files from the host
+fetch_audit_output: false
+
+# Method of getting,uploading the summary files
+## Ensure access and permissions are available for these to occur.
+## options are
+# fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller)
+# copy - copies file to a location available to the managed node
+audit_output_collection_method: fetch
+
+# Location to put the audit files
+audit_output_destination: /opt/audit_summaries/
+
 ### Goss Settings ##
 ####### END ########
+
 # We've defined complexity-high to mean that we cannot automatically remediate
 # the rule in question.  In the future this might mean that the remediation
 # may fail in some cases.
@@ -85,7 +103,7 @@ ubtu20cis_audit_complex: true
 # We've defined disruption-high to indicate items that are likely to cause
 # disruption in a normal workflow.  These items can be remediated automatically
 # but are disabled by default to avoid disruption.
-# Value of true runs duscruptive tasks, value of false will skip disruptive tasks
+# Value of true runs disruptive tasks, value of false will skip disruptive tasks
 ubtu20cis_disruption_high: true
 
 # Show "changed" for disruptive items not remediated per disruption-high
@@ -604,7 +622,7 @@ ubtu20cis_ufw_allow_in:
 # Controls 3.5.3.2.1 through 3.5.3.3.4
 # The iptables module only writes to memory which means a reboot could revert settings
 # The below toggle will install iptables-persistent and save the rules in memory (/etc/iptables/rules.v4 or rules.v6)
-# This makes the CIS role changes permenant
+# This makes the CIS role changes permanent
 ubtu20cis_save_iptables_cis_rules: true
 
 # Section 4 Control Variables
@@ -616,19 +634,19 @@ ubtu20cis_save_iptables_cis_rules: true
 
 # log_level is the log level variable. This needs to be set to VERBOSE or INFO to conform to CIS standards
 
-# max_auth_tries is the max number of authentication attampts per connection.
+# max_auth_tries is the max number of authentication attempts per connection.
 # This value should be 10 or less to conform to CIS standards
 
-# ciphers is a comma seperated list of site approved ciphers
+# ciphers is a comma separated list of site approved ciphers
 # ONLY USE STRONG CIPHERS. Weak ciphers are listed below
 # DO NOT USE: 3des-cbc, aes128-cbc, aes192-cbc, and aes256-cbc
 
-# MACs is the comma seperated list of site approved MAC algorithms that SSH can use during communication
+# MACs is the comma separated list of site approved MAC algorithms that SSH can use during communication
 # ONLY USE STRONG ALGORITHMS. Weak algorithms are listed below
 # DO NOT USE: hmac-md5, hmac-md5-96, hmac-ripemd160, hmac-sha1, hmac-sha1-96, umac-64@openssh.com, umac-128@openssh.com, hmac-md5-etm@openssh.com,
 # hmac-md5-96-etm@openssh.com, hmac-ripemd160-etm@openssh.com, hmac-sha1-etm@openssh.com, hmac-sha1-96-etm@openssh.com, umac-64-etm@openssh.com, umac-128-etm@openssh.com
 
-# kex_algorithms is comma seperated list of the algorithms for key exchange methods
+# kex_algorithms is comma separated list of the algorithms for key exchange methods
 # ONLY USE STRONG ALGORITHMS. Weak algorithms are listed below
 # DO NOT USE: diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1
 
@@ -668,7 +686,7 @@ ubtu20cis_passwd_hash_algo: sha512  # pragma: allowlist secret
 # pam_tally2 login options allows for audit to be removed if required
 ubtu20cis_pamtally2_login_opts: 'onerr=fail audit silent deny=5 unlock_time=900'
 
-# ubtu20cis_pamd_pwhistory_remember is number of password chnage cycles a user can re-use a password
+# ubtu20cis_pamd_pwhistory_remember is number of password change cycles a user can re-use a password
 # This needs to be 5 or more to conform to CIS standards
 ubtu20cis_pamd_pwhistory_remember: 5
 

tasks/LE_audit_setup.yml

@@ -1,34 +1,31 @@
 ---
-
 - name: Pre Audit Setup | Set audit package name
   block:
       - name: Pre Audit Setup | Set audit package name | 64bit
+        when: ansible_facts.machine == "x86_64"
         ansible.builtin.set_fact:
             audit_pkg_arch_name: AMD64
-        when: ansible_facts.machine == "x86_64"
 
       - name: Pre Audit Setup | Set audit package name | ARM64
+        when: (ansible_facts.machine == "arm64" or ansible_facts.machine == "aarch64")
         ansible.builtin.set_fact:
             audit_pkg_arch_name: ARM64
-        when: ansible_facts.machine == "aarch64"
 
 - name: Pre Audit Setup | Download audit binary
+  when: get_audit_binary_method == 'download'
   ansible.builtin.get_url:
       url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}"
       dest: "{{ audit_bin }}"
       owner: root
       group: root
       checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
-      mode: '0555'
-  when:
-      - get_audit_binary_method == 'download'
+      mode: 'u+x,go-w'
 
 - name: Pre Audit Setup | Copy audit binary
+  when: get_audit_binary_method == 'copy'
   ansible.builtin.copy:
-      src: "{{ audit_bin_copy_location }}"
+      src: "{{ audit_bin_copy_location }}/goss-linux-{{ audit_pkg_arch_name }}"
       dest: "{{ audit_bin }}"
-      mode: '0555'
       owner: root
       group: root
-  when:
-      - get_audit_binary_method == 'copy'
+      mode: 'u+x,go-w'

tasks/audit_only.yml

@@ -1,30 +1,17 @@
 ---
 
-- name: Audit_Only | Create local Directories for hosts
-  ansible.builtin.file:
-      mode: '0755'
-      path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
-      recurse: true
-      state: directory
-  when: fetch_audit_files
-  delegate_to: localhost
-  become: false
-
-- name: Audit_only | Get audits from systems and put in group dir
-  ansible.builtin.fetch:
-      dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
-      flat: true
-      mode: '0644'
-      src: "{{ pre_audit_outfile }}"
-  when: fetch_audit_files
-
-- name: Audit_only | Show Audit Summary
+- name: Audit_only | Fetch audit files
   when:
+      - fetch_audit_output
       - audit_only
+  ansible.builtin.import_tasks:
+      file: fetch_audit_output.yml
+
+- name: Audit_only | Show Audit Summary
+  when: audit_only
   ansible.builtin.debug:
       msg: "{{ audit_results.split('\n') }}"
 
-- name: Audit_only | Stop Playbook Audit Only selected
-  when:
-      - audit_only
-  ansible.builtin.meta: end_play
+- name: Audit_only | Stop task for host as audit_only selected
+  when: audit_only
+  ansible.builtin.meta: end_host

tasks/fetch_audit_output.yml

@@ -0,0 +1,47 @@
+---
+
+# Stage to copy audit output to a centralised location
+
+- name: "POST | FETCH | Fetch files and copy to controller"
+  when: audit_output_collection_method == "fetch"
+  ansible.builtin.fetch:
+      src: "{{ item }}"
+      dest: "{{ audit_output_destination }}"
+      flat: true
+  changed_when: true
+  failed_when: false
+  register: discovered_audit_fetch_state
+  loop:
+      - "{{ pre_audit_outfile }}"
+      - "{{ post_audit_outfile }}"
+  become: false
+
+# Added this option for continuity but could be changed by adjusting the variable audit_conf_dest
+# Allowing backup to one location
+- name: "POST | FETCH | Copy files to location available to managed node"
+  when: audit_output_collection_method == "copy"
+  ansible.builtin.copy:
+      src: "{{ item }}"
+      dest: "{{ audit_output_destination }}"
+      mode: 'u-x,go-wx'
+      flat: true
+  failed_when: false
+  register: discovered_audit_copy_state
+  loop:
+      - "{{ pre_audit_outfile }}"
+      - "{{ post_audit_outfile }}"
+
+- name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+  when:
+      - (audit_output_collection_method == "fetch" and not discovered_audit_fetch_state.changed) or
+        (audit_output_collection_method == "copy" and not discovered_audit_copy_state.changed)
+  block:
+      - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+        ansible.builtin.debug:
+            msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy"
+
+      - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+        vars:
+            warn_control_id: "FETCH_AUDIT_FILES"
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml

tasks/main.yml

@@ -89,18 +89,14 @@
 
 - name: Include audit specific variables
   ansible.builtin.include_vars: audit.yml
-  when:
-      - run_audit or audit_only
-      - setup_audit
+  when: run_audit or audit_only or setup_audit
   tags:
       - setup_audit
       - run_audit
 
 - name: Include pre-remediation audit tasks
   ansible.builtin.import_tasks: pre_remediation_audit.yml
-  when:
-      - run_audit or audit_only
-      - setup_audit
+  when: run_audit or audit_only or setup_audit
   tags:
       - run_audit
 
@@ -181,6 +177,36 @@
   when:
       - run_audit
 
+- name: Add ansible file showing Benchmark and levels applied
+  block:
+      - name: Create ansible facts directory
+        ansible.builtin.file:
+            path: "{{ ansible_facts_path }}"
+            state: directory
+            owner: root
+            group: root
+            mode: 'u=rwx,go=rx'
+
+      - name: Create ansible facts file
+        ansible.builtin.template:
+            src: etc/ansible/compliance_facts.j2
+            dest: "{{ ansible_facts_path }}/compliance_facts.fact"
+            owner: root
+            group: root
+            mode: "u-x,go-wx"
+  when: create_benchmark_facts
+  tags:
+      - always
+      - benchmark
+
+- name: Fetch audit files
+  ansible.builtin.import_tasks:
+      file: fetch_audit_output.yml
+  when:
+      - fetch_audit_output
+      - run_audit
+  tags: always
+
 - name: Show Audit Summary
   ansible.builtin.debug:
       msg: "{{ audit_results.split('\n') }}"