Skip to content

Latest commit

 

History

History
147 lines (120 loc) · 6.46 KB

README.md

File metadata and controls

147 lines (120 loc) · 6.46 KB

Ansible Role - Lynis Security Auditing

What is this?

  • A set of Ansible roles for CentOS and Debian hosts that provides users with the option to deploy Lynis, run a system audit and remove the audit tool.
    • Deploy - centos_lynis.yaml and debian_lynis.yaml playbooks will install the latest version of Lynis available.
    • Audit - lynis_run.yaml playbook conducts a standard system audit using the default profiles that come with Lynis. Once the audit is completed, a task will fetch the results file on the hosts /var/log/lynis.log and provide a copy under a lynis_audit_results directory for review (the directory will be created if it does not exist under the playbook directory).
    • Remove - centos_lynis_remove.yaml and debian_lynis_remove.yaml will remove Lynis from the hosts where it is deployed.
  • For reference, below is a demonstration of how the directory structure of lynis_audit_results will look like after a number of lynis_run.yaml playbook runs at different time intervals.
.
├── <INVENTORY_HOSTNAME_001>
│   ├── 2021-07-25T11:59:10Z-CentOS-8.4
│   │   └── lynis.log
│   ├── 2021-07-25T12:02:15Z-CentOS-8.4
│   │   └── lynis.log
│   ├── 2021-07-25T12:04:52Z-CentOS-8.4
│   │   └── lynis.log
│   └── 2021-07-25T12:07:18Z-CentOS-8.4
│       └── lynis.log
└── <INVENTORY_HOSTNAME_002>
    ├── 2021-07-25T11:59:10Z-Debian-10
    │   └── lynis.log
    ├── 2021-07-25T12:02:15Z-Debian-10
    │   └── lynis.log
    ├── 2021-07-25T12:04:52Z-Debian-10
    │   └── lynis.log
    └── 2021-07-25T12:07:18Z-Debian-10
        └── lynis.log

Resource Requirements

Dependencies

  • lynis, python3-apt, apt-transport-https, ca-certificates, gpg, curl, nss, openssl
  • ansible-vault - [optional] - can be used in the debian_ssh.yaml or centos_ssh.yaml playbook to encrypt and store sensitive data "at rest".
    • In this use case, the ansible_sudo_password variable, which is used as the privilege escalation password, is stored in a vault.
    • Once the secret has been created and added to the playbook, in order for a user be able to become sudo to run the playbook, they will need to decrypt the vault to access the variable.
    • This can be achieved by passing one of the following flags listed below when executing the the playbook;
      • --ask-vault-pass
      • --vault-password-file
    • Below is a demonstration of how the encrypted variable is defined in the playbooks;
---
# playbook for the lynis_run role.
- hosts: centos_hosts:debian_hosts
  vars_files:
    - become-secret
  become: true
  roles:
    - lynis_run

Supported Distributions

  • Tested on;
    • debian-10 , centos-8-stream

Quick-start & Usage

  • Note - For the audit task to run a full check, root privilege escalation is required and is acheived through the become:yes directive.
# clone the repository
$ git clone [email protected]:hubvu/lynis-ansible.git

# navigate into the directory
$ cd lynis-ansible/

# run the master playbook `site.yaml` with verbosity
# for non Ansible Vault users
$ ansible-playbook site.yaml \
  --inventory-file=hosts \
  --ask-become-pass \
  --verbose

# run the master playbook `site.yaml` with verbosity
# for Ansible Vault users
$ ansible-playbook site.yaml \
  --inventory-file=hosts \
  --ask-vault-pass \
  --verbose

# run the playbook `lynis_run.yaml` with verbosity
$ ansible-playbook lynis_run.yaml \
  --inventory-file=hosts \
  --ask-become-pass \
  --verbose

# review the `lynis_audit_results` directory for the audit results.
$ cd lynis_audit_results
$ tree
$ cat /<inventory_hostname>/<date_time>-<distribution_name>-<distribution_version>/lynis.log

Contributing

  • Contribution guidelines for this project can be found in the Contributing document.

Acknowledgements

License