- A set of Ansible roles for CentOS and Debian hosts that provides users with the option to deploy Lynis, run a system audit and remove the audit tool.
- Deploy -
centos_lynis.yamlanddebian_lynis.yamlplaybooks will install the latest version of Lynis available. - Audit -
lynis_run.yamlplaybook conducts a standard system audit using the default profiles that come with Lynis. Once the audit is completed, a task will fetch the results file on the hosts/var/log/lynis.logand provide a copy under alynis_audit_resultsdirectory for review (the directory will be created if it does not exist under the playbook directory). - Remove -
centos_lynis_remove.yamlanddebian_lynis_remove.yamlwill remove Lynis from the hosts where it is deployed.
- Deploy -
- For reference, below is a demonstration of how the directory structure of
lynis_audit_resultswill look like after a number oflynis_run.yamlplaybook runs at different time intervals.
.
├── <INVENTORY_HOSTNAME_001>
│ ├── 2021-07-25T11:59:10Z-CentOS-8.4
│ │ └── lynis.log
│ ├── 2021-07-25T12:02:15Z-CentOS-8.4
│ │ └── lynis.log
│ ├── 2021-07-25T12:04:52Z-CentOS-8.4
│ │ └── lynis.log
│ └── 2021-07-25T12:07:18Z-CentOS-8.4
│ └── lynis.log
└── <INVENTORY_HOSTNAME_002>
├── 2021-07-25T11:59:10Z-Debian-10
│ └── lynis.log
├── 2021-07-25T12:02:15Z-Debian-10
│ └── lynis.log
├── 2021-07-25T12:04:52Z-Debian-10
│ └── lynis.log
└── 2021-07-25T12:07:18Z-Debian-10
└── lynis.log- Debian and/or CentOS Stream host(s) that the playbooks will be run against.
lynis,python3-apt,apt-transport-https,ca-certificates,gpg,curl,nss,opensslansible-vault- [optional] - can be used in thedebian_ssh.yamlorcentos_ssh.yamlplaybook to encrypt and store sensitive data "at rest".- In this use case, the
ansible_sudo_passwordvariable, which is used as the privilege escalation password, is stored in a vault. - Once the secret has been created and added to the playbook, in order for a user be able to become
sudoto run the playbook, they will need to decrypt the vault to access the variable. - This can be achieved by passing one of the following flags listed below when executing the the playbook;
--ask-vault-pass--vault-password-file
- Below is a demonstration of how the encrypted variable is defined in the playbooks;
- In this use case, the
---
# playbook for the lynis_run role.
- hosts: centos_hosts:debian_hosts
vars_files:
- become-secret
become: true
roles:
- lynis_run- For more information on how to create encrypted variables, review the official
ansibledocumentation.
- Tested on;
debian-10,centos-8-stream
- Note - For the audit task to run a full check,
rootprivilege escalation is required and is acheived through thebecome:yesdirective.- To review the task, check the
/roles/lynis_run/tasks/main.ymlfor more details.
- To review the task, check the
# clone the repository
$ git clone git@github.com:hubvu/lynis-ansible.git
# navigate into the directory
$ cd lynis-ansible/
# run the master playbook `site.yaml` with verbosity
# for non Ansible Vault users
$ ansible-playbook site.yaml \
--inventory-file=hosts \
--ask-become-pass \
--verbose
# run the master playbook `site.yaml` with verbosity
# for Ansible Vault users
$ ansible-playbook site.yaml \
--inventory-file=hosts \
--ask-vault-pass \
--verbose
# run the playbook `lynis_run.yaml` with verbosity
$ ansible-playbook lynis_run.yaml \
--inventory-file=hosts \
--ask-become-pass \
--verbose
# review the `lynis_audit_results` directory for the audit results.
$ cd lynis_audit_results
$ tree
$ cat /<inventory_hostname>/<date_time>-<distribution_name>-<distribution_version>/lynis.log- Contribution guidelines for this project can be found in the Contributing document.
- Licenced under the MIT License.