diff --git a/section_1/cis_1.1/cis_1.1.1.7.yml b/section_1/cis_1.1/cis_1.1.1.7.yml
index c1d5726..65a004d 100644
--- a/section_1/cis_1.1/cis_1.1.1.7.yml
+++ b/section_1/cis_1.1/cis_1.1.1.7.yml
@@ -1,7 +1,7 @@
 ---
 {{ if .Vars.ubtu24cis_level_2 }}
- {{ if not .Vars.ubtu24cis_squashfs_required }}
+ {{ if .Vars.ubtu24cis_squashfs_required }}
 {{ if .Vars.ubtu24cis_rule_1_1_1_7 }}
 file:
 squashfs_disabled:
diff --git a/section_2/cis_2.3/cis_2.3.1.1.yml b/section_2/cis_2.3/cis_2.3.1.1.yml
index 6b91037..e359200 100644
--- a/section_2/cis_2.3/cis_2.3.1.1.yml
+++ b/section_2/cis_2.3/cis_2.3.1.1.yml
@@ -49,27 +49,6 @@ package:
 NIST800-53R5:
 - AU-3
 - AU-12
- {{ end }}
- {{ if ne .Vars.ubtu24cis_time_sync_tool "systemd-timesyncd" }}
-file:
- timesync_masked:
- title: 2.3.1.1 | Ensure time synchronization is in use | systemd-timesyncd masked
- path: /etc/systemd/system/systemd-timesyncd.service
- filetype: symlink
- linked-to: /dev/null
- exists: true
- meta:
- server: 1
- workstation: 1
- CIS_ID: 2.3.1.1
- CISv8:
- - 8.4
- CISv8_IG1: false
- CISv8_IG2: true
- CISv8_IG3: true
- NIST800-53R5:
- - AU-3
- - AU-12
 {{ end }}
 {{ end }}
 {{ end }}
diff --git a/section_2/cis_2.3/cis_2.3.2.1.yml b/section_2/cis_2.3/cis_2.3.2.1.yml
index 5b3cdae..578bcda 100644
--- a/section_2/cis_2.3/cis_2.3.2.1.yml
+++ b/section_2/cis_2.3/cis_2.3.2.1.yml
@@ -9,7 +9,7 @@ file:
 path: /etc/systemd/timesyncd.conf.d/50-timesyncd.conf
 exists: true
 contents:
- - '/^NTP={{ .Vars.ubtu24cis_time_pool_name }}/'
+ - '/^NTP={{- range .Vars.ubtu24cis_time_pool }}{{ .name }}{{ end }}/'
 - '/^FallbackNTP={{- range .Vars.ubtu24cis_time_servers }}{{ .name }} {{ end }}/'
 meta:
 server: 1
diff --git a/section_2/cis_2.3/cis_2.3.3.2.yml b/section_2/cis_2.3/cis_2.3.3.2.yml
index 143e150..cfc2a77 100644
--- a/section_2/cis_2.3/cis_2.3.3.2.yml
+++ b/section_2/cis_2.3/cis_2.3.3.2.yml
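Review bot: The new guard `{{ if .Vars.ubtu24cis_squashfs_required }}` runs the `squashfs_disabled` check only when the variable is true, which reads as the opposite of a check that squashfs is disabled; if `ubtu24cis_squashfs_required` means the host needs squashfs (the reading the removed `if not` assumed), the check is now skipped on exactly the hosts where it should run and fires on hosts where the filesystem is expected. Confirm the variable's meaning in vars/CIS.yml before merging; if it has been redefined to mean that the squashfs hardening is required, a comment above the guard such as `# runs only when squashfs hardening is required (ubtu24cis_squashfs_required in vars/CIS.yml)` would stop the next reader from reverting it. The `file: squashfs_disabled:` definition continues past the hunk.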
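Review bot: The new `NTP=` pattern ranges over `ubtu24cis_time_pool` with no separator between entries, so with more than one pool item it renders as `^NTP=pool1pool2` and can never match, while the `FallbackNTP=` pattern on the next line emits `{{ .name }} {{ end }}` with a space between names. If the list may hold more than one entry, `- '/^NTP={{- range .Vars.ubtu24cis_time_pool }}{{ .name }} {{ end }}/'` keeps the two patterns consistent, with the same caveat that the trailing space must match what the config writer actually emits, as it already must for FallbackNTP. If the pool is meant to be a single entry, a comment above the line saying so would explain why the separator differs. Dots in the rendered names are unescaped in both patterns and match any character, so the check is permissive rather than exact.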
@@ -2,7 +2,7 @@
 {{ if eq .Vars.ubtu24cis_time_sync_tool "chrony" }}
 {{ if .Vars.ubtu24cis_level_1 }}
- {{ if .Vars.ubtu24cis_rule_2_1_2_2 }}
+ {{ if .Vars.ubtu24cis_rule_2_3_3_2 }}
 file:
 chrony_user:
 title: 2.3.3.2 | Ensure chrony is running as user _chrony
diff --git a/section_6/cis_6.1.1.x/cis_6.1.1.2.yml b/section_6/cis_6.1.1.x/cis_6.1.1.2.yml
index ba4ebe3..9fa10ac 100644
--- a/section_6/cis_6.1.1.x/cis_6.1.1.2.yml
+++ b/section_6/cis_6.1.1.x/cis_6.1.1.2.yml
@@ -4,7 +4,7 @@
 {{ if .Vars.ubtu24cis_rule_6_1_1_2 }}
 command:
 /etc/tmpfiles.d/systemd.conf:
- title: 6.2.1.1.2 | Ensure journald log file access is configured | Manual Check Required
+ title: 6.1.1.2 | Ensure journald log file access is configured | Manual Check Required
 exec: echo "Manual - Please check journald default permissions"
 exit-status: 0
 stdout:
diff --git a/section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml b/section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml
index 2a4e8ea..e88dbb5 100644
--- a/section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml
+++ b/section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml
@@ -10,9 +10,9 @@ file:
 exists: true
 contents:
 - '/^URL=/'
- - '/ServerKeyFile=.*.pem'
- - '/ServerCertificateFile=.*.pem'
- - '/TrustedCertificateFile=.*.pem'
+ - '/ServerKeyFile=.*.pem/'
+ - '/ServerCertificateFile=.*.pem/'
+ - '/TrustedCertificateFile=.*.pem/'
 meta:
 server: 1
 workstation: 1
diff --git a/vars/CIS.yml b/vars/CIS.yml
index 20126ec..38385bc 100644
--- a/vars/CIS.yml
+++ b/vars/CIS.yml
@@ -591,7 +591,8 @@ ubtu24cis_time_sync_tool: "systemd-timesyncd"
 # Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`.
 # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
 # of the time synchronization mechanism you are using.
-ubtu24cis_time_pool_name: time.nist.gov
+ubtu24cis_time_pool:
+ - name: time.nist.gov
 
 # The following variable represents a list of of time servers used
 # for configuring chrony and timesyncd
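Review bot: The repaired patterns `'/ServerKeyFile=.*.pem/'` and the two below it are still loose: the `.` before `pem` is unescaped, so `.*.pem` matches any value containing `pem` preceded by at least one character, and nothing anchors the key to the start of the line, so a commented-out `#ServerKeyFile=...` line also satisfies the check and the audit reports TLS material configured when it is not. Following the `'/^URL=/'` line above, `- '/^ServerKeyFile=.*\.pem$/'`, `- '/^ServerCertificateFile=.*\.pem$/'` and `- '/^TrustedCertificateFile=.*\.pem$/'` would only accept active directives whose value ends in `.pem`; the single quotes keep the backslash literal for the regexp. The enclosing `file:` block starts above the hunk.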
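Review bot: The comment block kept above `ubtu24cis_time_pool` says each list item carries a `name` and an `options` key with a default of `iburst maxsources 4`, but the new default entry sets only `name`, so the comment no longer describes the variable and any template that renders `.options` for this list would get an empty value. Either add `    options: iburst maxsources 4` under the entry, confirming against the consuming templates that this is the default they expect, or trim the comment to what the list actually holds. Note also that the pattern introduced in section_2/cis_2.3/cis_2.3.2.1.yml concatenates the `name` of every item with no separator, so this list is only safe as a single entry unless that pattern is changed as well.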