env-ansible/tasks/general/tests/lynis.yml

---
# Lynis hardness check.

- name: General | Tests | Lynis | Set Facts
  set_fact:
    lynis_file: "{{ user_user.home }}/Reports/{{ ansible_hostname }}.{{ lynis_report }}"

- name: General | Tests | Lynis | Set Facts 2
  set_fact:
    lynis_temp_file: "{{ lynis_file }}.tmp"

- name: General | Tests | Lynis | Rename Old Install
  shell: mv "/usr/local/lynis" "/usr/local/src/"
  ignore_errors: yes

- name: General | Tests | Lynis | Install
  git: 
    repo: https://github.com/CISOfy/lynis
    dest: "{{ lynis_install_dir }}"
    clone: yes
    force: yes
  ignore_errors: yes

- name: General | Tests | Lynis | Ensure Permissions (Looking at you Parrot OS!)
  file: 
    path: "{{ lynis_install_dir }}"
    state: directory
    mode: '0644'
    owner: root
    group: "{{ root_group }}"
    recurse: yes

- name: General | Tests | Lynis | Ensure Permissions 2
  file: 
    path: "{{ lynis_install_dir }}/lynis"
    mode: '0755'

- name: General | Tests | Lynis | Ensure Folder Permissions
  file: 
    path: "{{ lynis_install_dir }}"
    state: directory
    mode: '0755'
    recurse: no

- name: General | Tests | Lynis | Run System Audit
  shell: "{{ item }}"
  loop:
    - "./lynis audit system --no-colors > {{ lynis_temp_file }} 2>&1"
    - "mv {{ lynis_temp_file }} {{ lynis_file }}"
  args:
    executable: "{{ bash_exec.stdout }}"
    chdir: "{{ lynis_install_dir }}"

- name: General | Tests | Lynis | Make Report Readable
  file:
    path: "{{ lynis_file }}"
    mode: '0644'
Removing TODOs and fixing some consistency errors. 2021-01-31 17:21:39 -06:00			`---`
General FreeBSD and account improvements. 2021-02-03 21:17:48 -06:00			`# Lynis hardness check.`
Removing TODOs and fixing some consistency errors. 2021-01-31 17:21:39 -06:00
General Improvements (#36) * Add at and reword comment. * Add cronie, thought this was already done but last pull request got wonky. * Zypper is not happy about asking Brave repo to be added multiple times. * Replace deprecated `include` commands. * Add gcc. * Add another cc command for openSUSE. * include_tasks is not supporting ignore_errors like include used to, move to individual tasks. * Do a better job of removing libreoffice from local package manager. * Enhance reports. * Add basic VIM setup. * Undo some lynis changes, fix folder permissions so users can view. * Change lynis back to chdir and local execution. * Add doas. * Add check against old usage of setup.sh BRANCH. * Greatly reduce number of tasks, create temp file while building report. * Create temp file while building report. 2023-02-19 10:04:10 -06:00			`- name: General \| Tests \| Lynis \| Set Facts`
			`set_fact:`
Fixes and Enhancements (#48) * Fix metasplot install if /usr/local/bin is not active in path yet. Also use variables. * Use plocate on openSUSE. Supposed to be faster. Cannot have both m and p installed at the same time and p comes with the base system. * Include wheel group for user as well. * Finalize GNOME settings, go with RC commands instead of dconf module. * Add hostname to report files. * Add TBD for shared home situation. * Fix cron service for Fedora. * Disable the power button. * Fix Fedora ffmpeg issues. Move package modules from flatpak playbook. Uninstall firefox from package manager. * Enhance update function to handle shared home between multiple distributions. * Allow keeping local backups of files. * Replace flatpak repair check with accept flag instead of battery so that any automated update runs do the cleanup. * Begin hoarding settings files. * Start building out a FireFox profile. * Fix extra comment command in comment. * Add an All option to completely compress the entire directory. * Codium is still broken on all tested systems, hide from Favorites. * Add scipt to handle audio files. Also can convert to 432Hz. * Use cut instead of awk to get rid of first parameter. Fixes bugs when spaces are allowed in the filenames. * Enhancements and bugfix for "$freq". * Add playbook for desktop VPN clients. Start with Mullvad. * Add website to the seeded projects. * Add firmware updates to the update function. * Allow `fwupdmgr` to fail and have `update` still continue. * Shorten lines. * Uninstall DeltaChat. * Separate the firmware update into its own function. * Add alias for cloning one folder to another without using rm/cp. * Fix typo in rsync. * Go ahead and add extra options. * Make the files human readable size descriptions. * Remove unnecessary v, P does good enough. 2024-01-23 09:43:42 -07:00			`lynis_file: "{{ user_user.home }}/Reports/{{ ansible_hostname }}.{{ lynis_report }}"`
General Improvements (#36) * Add at and reword comment. * Add cronie, thought this was already done but last pull request got wonky. * Zypper is not happy about asking Brave repo to be added multiple times. * Replace deprecated `include` commands. * Add gcc. * Add another cc command for openSUSE. * include_tasks is not supporting ignore_errors like include used to, move to individual tasks. * Do a better job of removing libreoffice from local package manager. * Enhance reports. * Add basic VIM setup. * Undo some lynis changes, fix folder permissions so users can view. * Change lynis back to chdir and local execution. * Add doas. * Add check against old usage of setup.sh BRANCH. * Greatly reduce number of tasks, create temp file while building report. * Create temp file while building report. 2023-02-19 10:04:10 -06:00
			`- name: General \| Tests \| Lynis \| Set Facts 2`
			`set_fact:`
			`lynis_temp_file: "{{ lynis_file }}.tmp"`

Fixes and Enhancements (#24) * Add TODO. * Add note. * Fix hang from NFS sometimes not being up. * Remove noauto so that `mount -a` works. * Allow Arch to use BASH. * Add programs needed for playbook but missing from Arch Base. * Explicit rename of old install since Github connection is unreliable. Call executable from current directory after chdir. * Ensure shells are set up correctly on Arch. * Begin explicitly using microcode packages on dev machines. * Fix _ typos to -. * Add Delta Chat. * Fix equals typo and allow command to fail. * Delta Chat Desktop works great, add it to Favorites. * Add Element. * Add Element. * Change spot for Element. * Add new file(s) to call in-development project. * Remove extra comma. * Change FreeBSD update checker to weekly. * Use Github again for pulling updates. 2022-03-27 08:14:06 -05:00			`- name: General \| Tests \| Lynis \| Rename Old Install`
			`shell: mv "/usr/local/lynis" "/usr/local/src/"`
			`ignore_errors: yes`

Better names. :) 2021-02-02 21:28:17 -06:00			`- name: General \| Tests \| Lynis \| Install`
Remove more FQCN's for Debian. 2021-01-31 17:17:14 -06:00			`git:`
End script with a Lynis hardness check. 2020-12-28 20:57:05 -06:00			`repo: https://github.com/CISOfy/lynis`
Debug looks terrible. Put it in a file and hope that the color codes are ignored. 2020-12-28 21:32:28 -06:00			`dest: "{{ lynis_install_dir }}"`
End script with a Lynis hardness check. 2020-12-28 20:57:05 -06:00			`clone: yes`
			`force: yes`
General Fixes (#20) * Remove redundant calls to facts. * Must have accidentally removed miner/system thinking it was general/system. * Add missing variable xmr_stak_cpu. * Ignore when connection to GitHub fails. * Telegraf agents have been hoarding resources on Debian servers. Reset job will killall should work properly now. * Once the function sets accept, it is staying for the session. Need to unset in case `update -y` is run, cancelled, and then `update` is run. 2021-12-17 17:34:21 -06:00			`ignore_errors: yes`
End script with a Lynis hardness check. 2020-12-28 20:57:05 -06:00
Change shell module to file module. 2021-07-11 11:11:33 -05:00			`- name: General \| Tests \| Lynis \| Ensure Permissions (Looking at you Parrot OS!)`
			`file:`
			`path: "{{ lynis_install_dir }}"`
			`state: directory`
Fix permissions, again. :) 2021-07-11 12:09:33 -05:00			`mode: '0644'`
Change shell module to file module. 2021-07-11 11:11:33 -05:00			`owner: root`
Add initial HUGO support, FreeBSD 13 support, and script for Ansible to hit dev branch. (#4) * Create HUGO file. * Add HUGO. * Add script for running system against development branch. * Add newline to end of file. * Comment unused blocks. * Add path of site that HUGO should host. * Newlines, comments, and HUGO path. (#2) (#3) * Create HUGO file. * Add HUGO. * Add script for running system against development branch. * Add newline to end of file. * Comment unused blocks. * Add path of site that HUGO should host. * FreeBSD is complaining about certbot not having dict object stdout. This whole playbook is supposed to be skipped though, lol. * FreeBSD 13 is still mad. Ansible 2.11.2, jinja 2.11.2 (same version number??), Python 3.8.10. * Fix root group to be existing variable. FreeBSD uses wheel. * Allow choosing Github branch dynamically. * `branch` needs to be at General level. Testing if this works... * Change other `localhost` to `everything`. * Update FreeBSD status. * Goodbye, Code-OSS on Linux! * Delete a terrible file. * Remove excess tag. * "Fix" SSHFS for FreeBSD. * Variablize FreeBSD's loading of fusefs. * Variablize /etc/rc.conf. Enable FuseFS more properly. * Add beginning ticks. * Add missing playbook. * Enable FreeBSD mount job. * Rearrange items to be more consistent with comment. * It seems FreeBSD removed the `gnome3` metapackage. Use `gnome3-lite` instead. Also add Telegram. * Python is to 3.8 now. * Expand on FreeBSD work. * Expand on FreeBSD work. * Add placeholders for Gitlab. * Add parameter for Gitlab install. * Add Gitlab playbook. * Ensure FreeBSD uses the correct Python install. * Add newline. * Fix NFS for FreeBSD workstations. * Remove unnecessary line, restricted install to Linux in playbook. * Fix mount options for FreeBSD. * Fix mount number, as well as system-specific facts. * Add placeholders for remote viewing. * Add RDP for FreeBSD. * Omg! It works! Add setting enforcement. * Always remove OSS. * Remove hosts from explicit dev testing. 2021-07-19 07:07:03 -05:00			`group: "{{ root_group }}"`
Change shell module to file module. 2021-07-11 11:11:33 -05:00			`recurse: yes`
Parrot OS did the clone with group `staff`? Ensure it's always owned by root:root. 2021-07-11 11:08:08 -05:00
Fix permissions, again. :) 2021-07-11 12:09:33 -05:00			`- name: General \| Tests \| Lynis \| Ensure Permissions 2`
			`file:`
			`path: "{{ lynis_install_dir }}/lynis"`
			`mode: '0755'`

General Improvements (#36) * Add at and reword comment. * Add cronie, thought this was already done but last pull request got wonky. * Zypper is not happy about asking Brave repo to be added multiple times. * Replace deprecated `include` commands. * Add gcc. * Add another cc command for openSUSE. * include_tasks is not supporting ignore_errors like include used to, move to individual tasks. * Do a better job of removing libreoffice from local package manager. * Enhance reports. * Add basic VIM setup. * Undo some lynis changes, fix folder permissions so users can view. * Change lynis back to chdir and local execution. * Add doas. * Add check against old usage of setup.sh BRANCH. * Greatly reduce number of tasks, create temp file while building report. * Create temp file while building report. 2023-02-19 10:04:10 -06:00			`- name: General \| Tests \| Lynis \| Ensure Folder Permissions`
			`file:`
			`path: "{{ lynis_install_dir }}"`
			`state: directory`
			`mode: '0755'`
			`recurse: no`

Better names. :) 2021-02-02 21:28:17 -06:00			`- name: General \| Tests \| Lynis \| Run System Audit`
General Improvements (#36) * Add at and reword comment. * Add cronie, thought this was already done but last pull request got wonky. * Zypper is not happy about asking Brave repo to be added multiple times. * Replace deprecated `include` commands. * Add gcc. * Add another cc command for openSUSE. * include_tasks is not supporting ignore_errors like include used to, move to individual tasks. * Do a better job of removing libreoffice from local package manager. * Enhance reports. * Add basic VIM setup. * Undo some lynis changes, fix folder permissions so users can view. * Change lynis back to chdir and local execution. * Add doas. * Add check against old usage of setup.sh BRANCH. * Greatly reduce number of tasks, create temp file while building report. * Create temp file while building report. 2023-02-19 10:04:10 -06:00			`shell: "{{ item }}"`
			`loop:`
			`- "./lynis audit system --no-colors > {{ lynis_temp_file }} 2>&1"`
			`- "mv {{ lynis_temp_file }} {{ lynis_file }}"`
Try running in bash to clean up weird characters. 2021-02-06 07:27:57 -06:00			`args:`
			`executable: "{{ bash_exec.stdout }}"`
Fixes and Enhancements (#24) * Add TODO. * Add note. * Fix hang from NFS sometimes not being up. * Remove noauto so that `mount -a` works. * Allow Arch to use BASH. * Add programs needed for playbook but missing from Arch Base. * Explicit rename of old install since Github connection is unreliable. Call executable from current directory after chdir. * Ensure shells are set up correctly on Arch. * Begin explicitly using microcode packages on dev machines. * Fix _ typos to -. * Add Delta Chat. * Fix equals typo and allow command to fail. * Delta Chat Desktop works great, add it to Favorites. * Add Element. * Add Element. * Change spot for Element. * Add new file(s) to call in-development project. * Remove extra comma. * Change FreeBSD update checker to weekly. * Use Github again for pulling updates. 2022-03-27 08:14:06 -05:00			`chdir: "{{ lynis_install_dir }}"`
I guess command and shell hate having an FQCN. Now need to output the results. 2020-12-28 21:19:01 -06:00
Better names. :) 2021-02-02 21:28:17 -06:00			`- name: General \| Tests \| Lynis \| Make Report Readable`
Remove more FQCN's for Debian. 2021-01-31 17:17:14 -06:00			`file:`
General Improvements (#36) * Add at and reword comment. * Add cronie, thought this was already done but last pull request got wonky. * Zypper is not happy about asking Brave repo to be added multiple times. * Replace deprecated `include` commands. * Add gcc. * Add another cc command for openSUSE. * include_tasks is not supporting ignore_errors like include used to, move to individual tasks. * Do a better job of removing libreoffice from local package manager. * Enhance reports. * Add basic VIM setup. * Undo some lynis changes, fix folder permissions so users can view. * Change lynis back to chdir and local execution. * Add doas. * Add check against old usage of setup.sh BRANCH. * Greatly reduce number of tasks, create temp file while building report. * Create temp file while building report. 2023-02-19 10:04:10 -06:00			`path: "{{ lynis_file }}"`
			`mode: '0644'`