Audit - the lynis_run.yaml playbook conducts a standard system audit using the default profiles that come with Lynis. Once the audit is complete, a task fetches the results file /var/log/lynis.log from each host and places a copy under a lynis_audit_results directory for review (the directory is created under the playbook directory if it does not exist).
For reference, below is a demonstration of how the directory structure of lynis_audit_results looks after a number of lynis_run.yaml playbook runs at different times.
In this use case, the ansible_sudo_password variable, which is used as the privilege escalation password, is stored in a vault.
Once the secret has been created and added to the playbook, a user must decrypt the vault to access the variable before they can become sudo and run the playbook.
This can be achieved by passing one of the following flags when executing the playbook:
--ask-vault-pass
--vault-password-file
Below is a demonstration of how the encrypted variable is defined in the playbooks:
---
# playbook for the lynis_run role.
- hosts: centos_hosts:debian_hosts
  vars_files:
    - become-secret
  become: true
  roles:
    - lynis_run
# clone the repository
$ git clone git@github.com:hubvu/lynis-ansible.git
# navigate into the directory
$ cd lynis-ansible/
# run the master playbook `site.yaml` with verbosity
# for non Ansible Vault users
$ ansible-playbook site.yaml \
--inventory-file=hosts \
--ask-become-pass \
--verbose
# run the master playbook `site.yaml` with verbosity
# for Ansible Vault users
$ ansible-playbook site.yaml \
--inventory-file=hosts \
--ask-vault-pass \
--verbose
# run the playbook `lynis_run.yaml` with verbosity
$ ansible-playbook lynis_run.yaml \
--inventory-file=hosts \
--ask-become-pass \
--verbose
# review the `lynis_audit_results` directory for the audit results.
$ cd lynis_audit_results
$ tree
$ cat ./<inventory_hostname>/<date_time>-<distribution_name>-<distribution_version>/lynis.log
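To review the fetched logs across hosts without opening each file, the following added example (not part of this repository) walks the lynis_audit_results layout shown above and extracts the hardening index, warnings and suggestions from each host's most recent run. The log line shapes, the host name `web01` and the run directory names are constructed for the demo, and it assumes run directory names sort chronologically.

```python
import re
import tempfile
from pathlib import Path

# Assumed lynis.log line shapes (the constructed sample below follows them):
#   "<date> <time> Warning|Suggestion: <text> [test:ID] ..." and "Hardening index : [NN] ..."
FINDING = re.compile(r"\b(Warning|Suggestion): (.+?) \[test:([A-Z0-9-]+)\]")
INDEX = re.compile(r"Hardening index : \[(\d+)\]")

# Constructed sample log, not output captured from a real host.
SAMPLE_LOG = """\
2024-03-02 09:15:01 Warning: Found one or more vulnerable packages. [test:PKGS-7392] [details:-] [solution:-]
2024-03-02 09:15:07 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:-] [solution:-]
2024-03-02 09:15:20 Hardening index : [63] [############        ]
"""

def parse_log(text):
    """Return the hardening index and (test_id, message) findings from one lynis.log."""
    report = {"hardening_index": None, "Warning": [], "Suggestion": []}
    for line in text.splitlines():
        if (m := FINDING.search(line)):
            report[m.group(1)].append((m.group(3), m.group(2)))
        elif (m := INDEX.search(line)):
            report["hardening_index"] = int(m.group(1))
    return report

def latest_reports(results_dir):
    """Map each host directory to the parsed report of its newest run."""
    out = {}
    for host_dir in sorted(p for p in Path(results_dir).iterdir() if p.is_dir()):
        runs = sorted(r for r in host_dir.iterdir() if (r / "lynis.log").is_file())
        if runs:  # hosts without a fetched log are skipped
            log = (runs[-1] / "lynis.log").read_text(errors="replace")
            out[host_dir.name] = {"run": runs[-1].name, **parse_log(log)}
    return out

def build_sample_tree(root):
    """Create a constructed lynis_audit_results tree: one host, two runs."""
    base = Path(root) / "lynis_audit_results"
    for run, index in [("2024-03-01T09-15-00-CentOS-7.9", "58"), ("2024-03-02T09-15-00-CentOS-7.9", "63")]:
        run_dir = base / "web01" / run
        run_dir.mkdir(parents=True)
        (run_dir / "lynis.log").write_text(SAMPLE_LOG.replace("[63]", f"[{index}]"))
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for host, rep in latest_reports(build_sample_tree(tmp)).items():
            print(host, rep["run"], rep["hardening_index"], [t for t, _ in rep["Warning"]])
```

Point `latest_reports` at the real `lynis_audit_results` directory to compare hosts after a playbook run.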
Contributing
Contribution guidelines for this project can be found in the Contributing document.