Functions

.ansible-lint

@@ -18,6 +18,7 @@ skip_list:
     - '306'
     - '602'
     - '208'
+    - 'tag[no-duplicate]'
 use_default_rules: true
 rulesdir:
     - ./rules/

.github/workflows/devel_pipeline_validation.yml

@@ -7,6 +7,7 @@
         types: [opened, reopened, synchronize]
         branches:
             - devel
+            - benchmark*
         paths:
             - '**.yml'
             - '**.sh'
@@ -70,7 +71,6 @@
                  echo IAC_BRANCH=main >> $GITHUB_ENV
               fi
 
-
           # Pull in terraform code for linux servers
           - name: Clone GitHub IaC plan
             uses: actions/checkout@v4

.github/workflows/main_pipeline_validation.yml

@@ -7,6 +7,7 @@
         types: [opened, reopened, synchronize]
         branches:
             - main
+            - latest
         paths:
             - '**.yml'
             - '**.sh'
@@ -23,6 +24,7 @@
   # A workflow run is made up of one or more jobs
   # that can run sequentially or in parallel
   jobs:
+
       # This workflow contains a single job that tests the playbook
       playbook-test:
         # The type of runner that the job will run on

defaults/main.yml

@@ -55,6 +55,10 @@ rhel8stig_skip_reboot: true
 # Defined will change if control requires
 change_requires_reboot: false
 
+# Create managed not custom local_facts files
+create_benchmark_facts: true
+ansible_facts_path: /etc/ansible/facts.d
+
 ###########################################
 ### Goss is required on the remote host ###
 ### vars/auditd.yml for other settings  ###
@@ -69,11 +73,7 @@ audit_run_heavy_tests: true
 
 ## Only run Audit do not remediate
 audit_only: false
-### As part of audit_only ###
-# This will enable files to be copied back to control node in audit_only mode
-fetch_audit_files: false
-# Path to copy the files to will create dir structure in audit_only mode
-audit_capture_files_dir: /some/location to copy to on control node
+
 #############################
 
 # How to retrieve audit binary
@@ -103,6 +103,20 @@ audit_conf_dest: "/opt"
 # Where the audit logs are stored
 audit_log_dir: '/opt'
 
+## Ability to collect and take audit files moving to a centralised location
+# This enables the collection of the files from the host
+fetch_audit_output: false
+
+# Method of getting,uploading the summary files
+## Ensure access and permissions are avaiable for these to occur.
+## options are
+# fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller)
+# copy - copies file to a location available to the managed node
+audit_output_collection_method: fetch
+
+# Location to put the audit files
+audit_output_destination: /opt/audit_summaries/
+
 ### Goss Settings ##
 ####### END ########
 

tasks/audit_only.yml

@@ -10,14 +10,6 @@
   delegate_to: localhost
   become: false
 
-- name: Audit_only | Get audits from systems and put in group dir
-  ansible.builtin.fetch:
-      dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
-      flat: true
-      mode: '0644'
-      src: "{{ pre_audit_outfile }}"
-  when: fetch_audit_files
-
 - name: Audit_only | Show Audit Summary
   when:
       - audit_only

tasks/fetch_audit_output.yml

@@ -0,0 +1,40 @@
+---
+
+# Stage to copy audit output to a centralised location
+
+- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller"
+  when: audit_output_collection_method == "fetch"
+  ansible.builtin.fetch:
+      src: "{{ item }}"
+      dest: "{{ audit_output_destination }}"
+      flat: true
+  failed_when: false
+  register: discovered_audit_fetch_state
+  loop:
+      - "{{ pre_audit_outfile }}"
+      - "{{ post_audit_outfile }}"
+  become: false
+
+# Added this option for continuity but could be changed by adjusting the variable audit_conf_dest
+# Allowing backup to one location
+- name: "FETCH_AUDIT_FILES | Copy files to location available to managed node"
+  when: audit_output_collection_method == "copy"
+  ansible.builtin.copy:
+      src: "{{ item }}"
+      dest: "{{ audit_output_destination }}"
+      mode: 'u-x,go-wx'
+      flat: true
+  failed_when: false
+  register: discovered_audit_fetch_copy_state
+  loop:
+      - pre_audit_outfile
+      - post_audit_outfile
+
+- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+  when:
+      - (discovered_audit_fetch_state is defined and not discovered_audit_fetch_state.changed) or
+        (discovered_audit_copy_state is defined and not discovered_audit_copy_state.changed)
+  block:
+      - name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+        ansible.builtin.debug:
+            msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy"

tasks/fix-cat1.yml

@@ -108,7 +108,7 @@
             replace: "{{ rhel8stig_replace_quoted_params }}"
         vars:
             query: "{{ prelim_rhel8stig_boot_part.stdout }}"
-            key: GRUB_CMDLINE_LINUX  # noqa var-naming[no-reserved]
+            key: GRUB_CMDLINE_LINUX  # noqa: var-naming[no-reserved]
             param: boot
             value: UUID={{ prelim_rhel8stig_boot_uuid.stdout }}
             insert: true

tasks/main.yml

@@ -141,23 +141,23 @@
       file: fix-cat1.yml
   when: rhel8stig_cat1_patch
   tags:
-      - CAT1
+      - rhel8stig_cat1
       - high
 
 - name: Include CAT II patches
   ansible.builtin.import_tasks:
       file: fix-cat2.yml
   when: rhel8stig_cat2_patch
   tags:
-      - CAT2
+      - rhel8stig_cat2
       - medium
 
 - name: Include CAT III patches
   ansible.builtin.import_tasks:
       file: fix-cat3.yml
   when: rhel8stig_cat3_patch
   tags:
-      - CAT3
+      - rhel8stig_cat3
       - low
 
 - name: Flush handlers
@@ -187,6 +187,36 @@
   tags:
       - run_audit
 
+- name: Add ansible file showing Benchmark and levels applied
+  block:
+      - name: Create ansible facts directory
+        ansible.builtin.file:
+            path: "{{ ansible_facts_path }}"
+            state: directory
+            owner: root
+            group: root
+            mode: 'u=rwx,go=rx'
+
+      - name: Create ansible facts file
+        ansible.builtin.template:
+            src: etc/ansible/compliance_facts.j2
+            dest: "{{ ansible_facts_path }}/compliance_facts.fact"
+            owner: root
+            group: root
+            mode: "u-x,go-wx"
+  when: create_benchmark_facts
+  tags:
+      - always
+      - benchmark
+
+- name: Fetch audit files
+  ansible.builtin.import_tasks:
+      file: fetch_audit_output.yml
+  when:
+      - fetch_audit_output
+      - run_audit
+  tags: always
+
 - name: Show Audit Summary
   ansible.builtin.debug:
       msg: "{{ audit_results.split('\n') }}"

templates/etc/ansible/compliance_facts.j2

@@ -0,0 +1,37 @@
+# STIG Hardening Carried out
+# Added as part of ansible-lockdown STIG baseline
+# provided by Mindpoint Group - A Tyto Athene Company
+
+[lockdown_details]
+# Benchmark release
+Benchmark_release = STIG-{{ benchmark_version }}
+Benchmark_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }}
+# If options set (doesn't mean it ran all controls)
+cat_1_hardening_enabled = {{ rhel8stig_cat1_patch }}
+cat_2_hardening_enabled = {{ rhel8stig_cat2_patch }}
+cat_3_hardening_enabled = {{ rhel8stig_cat3_patch }}
+
+{% if ansible_run_tags | length > 0 %}
+# If tags used to stipulate run level
+{% if 'rhel8stig_cat1' in ansible_run_tags %}
+Cat_1_Server_tag_run = true
+{% endif %}
+{% if 'rhel8stig_cat2' in ansible_run_tags %}
+Cat_2_Server_tag_run = true
+{% endif %}
+{% if 'rhel8stig_cat3' in ansible_run_tags %}
+Cat_3_Server_tag_run = true
+{% endif %}
+{% endif %}
+
+[lockdown_audit_details]
+{% if run_audit %}
+# Audit run
+audit_file_local_location = {{ audit_log_dir }}
+{% if not audit_only %}
+audit_summary = {{ post_audit_results }}
+{% endif %}
+{% if fetch_audit_output %}
+audit_files_centralized_location = {{ audit_output_destination }}
+{% endif %}
+{% endif %}