diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f63884f9..e3bd1700 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -40,7 +40,7 @@ repos:
 - id: gitleaks
 - repo: https://github.com/ansible-community/ansible-lint
- rev: v24.6.0
+ rev: v24.7.0
 hooks:
 - id: ansible-lint
 name: Ansible-lint
diff --git a/ChangeLog.md b/ChangeLog.md
index 76219bee..ad663199 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,5 +1,15 @@
 # Release CIS RedHat Enterprise Linux 7 Benchmark
+## CIS v4.0.0 21-12-2023
+
+- updated workflows files
+- updated audit and layout - audit_only option added
+- added new option for centos to update to archived repo for packages if required
+ if set to true will update and backup the CentOS-Base file to use new url - rhel7cis_add_updated_repo
+- rule 5.14 updated to remove jmespath reqirement
+
 ## v4.0.0 - 21-12-2023
 - Rewrite to address v4.0.0 changes - refer to full changelog in release
diff --git a/defaults/main.yml b/defaults/main.yml
index 656aff1c..0fe3d38c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -29,6 +29,12 @@ benchmark_version: v4.0.0
 ## Level are used heavily in audit
 rhel7cis_level_1: true
 rhel7cis_level_2: true
+
+# With CentOS being EoL many mirrors no longer exist and fail for updates
+# setting to true will replace the default /etc/yum.repos.d/CentOS-Base.repo
+# It will add the new vaulted location where it is possible to get updates and package
+rhel7cis_add_updated_repo: false
+
 ###
 ### Settings for associated Audit role using Goss
 ###
diff --git a/tasks/main.yml b/tasks/main.yml
index 01aeb340..0e860f09 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
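Review bot: The comment block above `rhel7cis_add_updated_repo` in defaults/main.yml says the vaulted location makes it "possible to get updates", which overstates what a frozen archive provides: vault.centos.org holds the final 7.9.2009 package set and no further security errata are published for CentOS 7 after its end of life, so enabling the option restores installability, not patch currency. Suggest rewording the last comment line to `# It points yum at the vault archive (frozen final release, no further security updates) so packages remain installable`. It would also help a user deciding whether to enable it to note here that the applying task is gated on `ansible_distribution == "CentOS"` and keeps a backup of the original file, as the tasks/main.yml change in this commit does.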
@@ -76,6 +76,18 @@
 when:
 - system_is_container
+- name: Update CentOS repo for packages - Use vaulted/archive URL - backup original
+ ansible.builtin.template:
+ src: etc/yum.repos.d/CentOS-Base.repo.j2
+ dest: /etc/yum.repos.d/CentOS-Base.repo
+ owner: root
+ group: root
+ mode: '0644'
+ backup: true
+ when:
+ - rhel7cis_add_updated_repo
+ - ansible_distribution == "CentOS"
+
 - name: Run pre-reqs
 tags:
 - always
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
index 19dff268..800cc105 100644
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
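Review bot: The new task's `when:` only checks `ansible_distribution == "CentOS"`, while the template it installs pins every baseurl to the 7.9.2009 vault path, so a CentOS host that is not major version 7 would get its repo file replaced with the wrong release. Adding `- ansible_distribution_major_version == "7"` to the condition keeps the gate aligned with the template content; the role may already reject non-7 hosts earlier, but this task runs before `Run pre-reqs` and the extra check is cheap. `backup: true` together with `mode: '0644'` and root ownership is appropriate for a file yum reads and should stay.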
@@ -21,26 +21,24 @@
 when:
 - audit_format == "json"
 block:
- - name: Post Audit | Capture data {{ post_audit_outfile }}
- ansible.builtin.shell: "cat {{ post_audit_outfile }}"
- register: discovered_post_audit
+ - name: Post Audit | Capture audit data if json format
+ ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4
 changed_when: false
+ register: post_audit_summary
- - name: Post Audit | Capture post-audit result
+ - name: Post Audit | Set Fact for audit summary
 ansible.builtin.set_fact:
- post_audit_summary: "{{ discovered_post_audit.stdout | from_json | json_query(summary) }}"
- vars:
- summary: summary."summary-line"
+ post_audit_results: "{{ post_audit_summary.stdout }}"
 - name: Post Audit | Capture audit data if documentation format
 when:
 - audit_format == "documentation"
 block:
- - name: Post Audit | Capture data {{ post_audit_outfile }}
- ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
- register: discovered_post_audit
+ - name: Post Audit | Capture audit data if documentation format
+ ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation"
 changed_when: false
+ register: post_audit_summary
- - name: Post Audit | Capture post-audit result
+ - name: Post Audit | Set Fact for audit summary
 ansible.builtin.set_fact:
- post_audit_summary: "{{ discovered_post_audit.stdout_lines }}"
+ post_audit_results: "{{ post_audit_summary.stdout }}"
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index fb6d709f..8cd3101f 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
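Review bot: The documentation-format capture task hardcodes `/opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation` where the removed line used `{{ post_audit_outfile }}`; that path looks like a test artifact from another platform and will not exist on a RHEL 7 host, so the task fails (no `failed_when` is set) whenever `audit_format == "documentation"` and the post-remediation summary is never produced. Replace the line with `ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '`, which also matches the pre-remediation counterpart in tasks/pre_remediation_audit.yml. The json capture here writes the grep pattern as `'"summary-line...'` while the pre-audit version uses `'\"summary-line...'`; both match with GNU grep, but one spelling should be used in both files.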
@@ -90,29 +90,27 @@
 when:
 - audit_format == "json"
 block:
- - name: Pre Audit | Capture data {{ pre_audit_outfile }}
- ansible.builtin.shell: "cat {{ pre_audit_outfile }}"
- register: discovered_pre_audit
+ - name: Pre Audit | Capture audit data if json format
+ ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4
 changed_when: false
+ register: pre_audit_summary
- - name: Pre Audit | Capture pre-audit result
+ - name: Pre Audit | Set Fact for audit summary
 ansible.builtin.set_fact:
- pre_audit_summary: "{{ discovered_pre_audit.stdout | from_json | json_query(summary) }}"
- vars:
- summary: summary."summary-line"
+ pre_audit_results: "{{ pre_audit_summary.stdout }}"
 - name: Pre Audit | Capture audit data if documentation format
 when:
 - audit_format == "documentation"
 block:
- - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format
- ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}"
- register: discovered_pre_audit
+ - name: Pre Audit | Capture audit data if documentation format
+ ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '
 changed_when: false
+ register: pre_audit_summary
- - name: Pre Audit | Capture pre-audit result | documentation format
+ - name: Pre Audit | Set Fact for audit summary
 ansible.builtin.set_fact:
- pre_audit_summary: "{{ discovered_pre_audit.stdout_lines }}"
+ pre_audit_results: "{{ pre_audit_summary.stdout }}"
 - name: Audit_Only | Run Audit Only
 when:
diff --git a/tasks/section_5/cis_5.1.4.yml b/tasks/section_5/cis_5.1.4.yml
index 8e3a67a1..d52adb64 100644
--- a/tasks/section_5/cis_5.1.4.yml
+++ b/tasks/section_5/cis_5.1.4.yml
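Review bot: Both new `ansible.builtin.shell` pipelines in this hunk report success even when nothing is captured, because the exit status of `grep ... | cut` and `tail ... | tr` is that of the last command; a missing or malformed `{{ pre_audit_outfile }}` then leaves `pre_audit_summary.stdout` empty and `audit_results` silently reads as "audit results are:" with no value, so an audit that never ran is indistinguishable from a clean one in the report. Consider `failed_when: pre_audit_summary.stdout | length == 0` on each capture task, or an `ansible.builtin.stat` check on the outfile before the capture, so a broken audit surfaces instead of being reported as blank. The `from_json | json_query` path this replaces would at least have errored on an empty file.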
@@ -18,20 +18,13 @@
 failed_when: false
 register: rhel7cis_5_1_4_logfiles
- - name: "5.1.4 | AUDIT | Ensure all logfiles have appropriate access configured | set_fact"
- ansible.builtin.set_fact:
- rhel7cis_4_2_3_logfiles_flattened: "{{ rhel7cis_5_1_4_logfiles | json_query('stdout_lines[*]') | flatten }}" # noqa: jinja[invalid]
- when:
- - rhel7cis_5_1_4_logfiles.stdout_lines | length > 0
- - rhel7cis_5_1_4_logfiles is defined
-
 - name: "5.1.4 | PATCH | Ensure all logfiles have appropriate access configured | change permissions"
 ansible.builtin.file:
 path: "{{ item }}"
 mode: '0640'
- loop: "{{ rhel7cis_5_1_4_logfiles_flattened }}"
+ loop: "{{ rhel7cis_5_1_4_logfiles.stdout_lines }}"
 when:
- - rhel7cis_5_1_4_logfiles_flattened is defined
+ - rhel7cis_5_1_4_logfiles.stdout_lines | length > 0
 - item != "/var/log/btmp"
 - item != "/var/log/utmp"
 - item != "/var/log/wtmp"
diff --git a/templates/etc/yum.repos.d/CentOS-Base.repo.j2 b/templates/etc/yum.repos.d/CentOS-Base.repo.j2
new file mode 100644
index 00000000..f2a66f9b
--- /dev/null
+++ b/templates/etc/yum.repos.d/CentOS-Base.repo.j2
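Review bot: Dropping the `is defined` guard leaves `loop: "{{ rhel7cis_5_1_4_logfiles.stdout_lines }}"` unprotected if the registering task (its start is outside this hunk) is ever skipped: a skipped result carries no `stdout_lines`, and because `loop` is evaluated before the per-item `when`, the task errors instead of doing nothing. Using `loop: "{{ rhel7cis_5_1_4_logfiles.stdout_lines | default([]) }}"` keeps the simpler structure this commit introduces and makes the `| length > 0` condition redundant but harmless. With `failed_when: false` on the register task, a failed search already arrives here as an empty list, which is the behaviour you want.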
@@ -0,0 +1,34 @@
+# Note the BaseUrl Changes
+## This is due to CentOS being End Of Life
+# This will now use the legacy archived path
+# Original paths
+# mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
+# #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
+
+[base]
+name=CentOS-$releasever - Base
+baseurl=https://vault.centos.org/7.9.2009/os/$basearch
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#released updates
+[updates]
+name=CentOS-$releasever - Updates
+baseurl=https://vault.centos.org/7.9.2009/updates/$basearch
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#additional packages that may be useful
+[extras]
+name=CentOS-$releasever - Extras
+baseurl=https://vault.centos.org/7.9.2009/extras/$basearch
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#additional packages that extend functionality of existing packages
+[centosplus]
+name=CentOS-$releasever - Plus
+baseurl=https://vault.centos.org/7.9.2009/centosplus/$basearch
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
diff --git a/vars/audit.yml b/vars/audit.yml
index bb50f6d3..4de8a7dd 100644
--- a/vars/audit.yml
+++ b/vars/audit.yml
@@ -34,7 +34,7 @@ audit_format: json
 audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
 audit_results: |
- The audit results are: {{ pre_audit_summary }}
- {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %}
+ The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }}
+ {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %}
 Full breakdown can be found in {{ audit_log_dir }}
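Review bot: The header comment of the new repo template should state what the vault gives and what it does not: vault.centos.org is a static archive of the final 7.9.2009 release, so packages install again but no further security errata are published for CentOS 7 after its end of life, and hosts relying on this file still need a migration plan. Suggest replacing `# This will now use the legacy archived path` with `# Uses the frozen vault archive (7.9.2009): packages install, but no further security updates are published`. Keeping `gpgcheck=1` with the local `RPM-GPG-KEY-CentOS-7` key on every section, and moving from the old `http://` mirror to `https://`, are the right calls and should stay. The release string `7.9.2009` appears four times and the file contains no Jinja expressions; a single variable with that default (something like `{{ rhel7cis_centos_vault_release | default('7.9.2009') }}`, name constructed for illustration) would let a site change it in one place, otherwise `ansible.builtin.copy` would serve the static file equally.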