From 7995ac59b6ce030de372753c38121daa12d87bed Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 10 Jan 2025 08:25:10 +0000
Subject: [PATCH 1/8] Updated raneg for pool
Signed-off-by: Mark Bolwell
---
 section_2/cis_2.3/cis_2.3.2.1.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/section_2/cis_2.3/cis_2.3.2.1.yml b/section_2/cis_2.3/cis_2.3.2.1.yml
index 5b3cdae..158ceca 100644
--- a/section_2/cis_2.3/cis_2.3.2.1.yml
+++ b/section_2/cis_2.3/cis_2.3.2.1.yml
@@ -9,7 +9,7 @@ file:
 path: /etc/systemd/timesyncd.conf.d/50-timesyncd.conf
 exists: true
 contents:
- - '/^NTP={{ .Vars.ubtu24cis_time_pool_name }}/'
+ - '/^NTP={{- range .Vars.ubtu24cis_time_pool }}{{ .name }}i{{ end }}/'
 - '/^FallbackNTP={{- range .Vars.ubtu24cis_time_servers }}{{ .name }} {{ end }}/'
 meta:
 server: 1
From 1100a955454cd4e9069cc7091113e0b86f1b4c00 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 10 Jan 2025 08:25:29 +0000
Subject: [PATCH 2/8] fixed typo in rule number
Signed-off-by: Mark Bolwell
---
 section_2/cis_2.3/cis_2.3.3.2.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/section_2/cis_2.3/cis_2.3.3.2.yml b/section_2/cis_2.3/cis_2.3.3.2.yml
index 143e150..cfc2a77 100644
--- a/section_2/cis_2.3/cis_2.3.3.2.yml
+++ b/section_2/cis_2.3/cis_2.3.3.2.yml
@@ -2,7 +2,7 @@
 {{ if eq .Vars.ubtu24cis_time_sync_tool "chrony" }}
 {{ if .Vars.ubtu24cis_level_1 }}
- {{ if .Vars.ubtu24cis_rule_2_1_2_2 }}
+ {{ if .Vars.ubtu24cis_rule_2_3_3_2 }}
 file:
 chrony_user:
 title: 2.3.3.2 | Ensure chrony is running as user _chrony
From d34d522abd2beda5425e5f7bba186a4a22d36f97 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 10 Jan 2025 08:25:47 +0000
Subject: [PATCH 3/8] fix typo
Signed-off-by: Mark Bolwell
---
 section_6/cis_6.1.1.x/cis_6.1.1.2.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/section_6/cis_6.1.1.x/cis_6.1.1.2.yml b/section_6/cis_6.1.1.x/cis_6.1.1.2.yml
index ba4ebe3..9fa10ac 100644
--- a/section_6/cis_6.1.1.x/cis_6.1.1.2.yml
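Review bot: The added `NTP=` pattern on the `+` line concatenates the pool entries with nothing between them, so as soon as `ubtu24cis_time_pool` holds more than one item the rendered regex is `^NTP=pool1pool2`, which cannot match a space-separated `NTP=` line. The `FallbackNTP=` context line directly below emits `{{ .name }} {{ end }}` with a separating space, and the new line should do the same, e.g. `- '/^NTP={{- range .Vars.ubtu24cis_time_pool }}{{ .name }} {{ end }}/'`, provided the rendered config line ends with the trailing space that form requires (otherwise `( |$)` in place of the bare space is the safer separator). PATCH 6/8 drops the stray `i` after `{{ .name }}` but keeps the missing separator, so it has the same issue. The enclosing `file:` entry begins above this hunk.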
+++ b/section_6/cis_6.1.1.x/cis_6.1.1.2.yml
@@ -4,7 +4,7 @@
 {{ if .Vars.ubtu24cis_rule_6_1_1_2 }}
 command:
 /etc/tmpfiles.d/systemd.conf:
- title: 6.2.1.1.2 | Ensure journald log file access is configured | Manual Check Required
+ title: 6.1.1.2 | Ensure journald log file access is configured | Manual Check Required
 exec: echo "Manual - Please check journald default permissions"
 exit-status: 0
 stdout:
From 5cdb1f431c73defcb9fc76480cb51570fe816a68 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 10 Jan 2025 08:26:23 +0000
Subject: [PATCH 4/8] updated time pool layout
Signed-off-by: Mark Bolwell
---
 vars/CIS.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/vars/CIS.yml b/vars/CIS.yml
index 20126ec..38385bc 100644
--- a/vars/CIS.yml
+++ b/vars/CIS.yml
@@ -591,7 +591,8 @@ ubtu24cis_time_sync_tool: "systemd-timesyncd"
 # Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`.
 # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
 # of the time synchronization mechanism you are using.
-ubtu24cis_time_pool_name: time.nist.gov
+ubtu24cis_time_pool:
+ - name: time.nist.gov
 
 # The following variable represents a list of of time servers used
 # for configuring chrony and timesyncd
From 7e12643649385a6e3236e8c79724682c2a905ac8 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 10 Jan 2025 09:26:05 +0000
Subject: [PATCH 5/8] removed mask check as package removed by ubuntu
Signed-off-by: Mark Bolwell
---
 section_2/cis_2.3/cis_2.3.1.1.yml | 21 ---------------------
 1 file changed, 21 deletions(-)
diff --git a/section_2/cis_2.3/cis_2.3.1.1.yml b/section_2/cis_2.3/cis_2.3.1.1.yml
index 6b91037..e359200 100644
--- a/section_2/cis_2.3/cis_2.3.1.1.yml
+++ b/section_2/cis_2.3/cis_2.3.1.1.yml
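Review bot: The new `ubtu24cis_time_pool` item in vars/CIS.yml carries only `name`, while the three comment lines kept directly above it still state that each list item holds two settings, `name` and `options`, with `iburst maxsources 4` as the default for `options`; either add `options: iburst maxsources 4` to the default item or reword the comment so it describes what the default actually sets. The rename away from `ubtu24cis_time_pool_name` is only followed up in cis_2.3.2.1.yml (PATCH 1/8 and 6/8); any other template still referencing the old name would most likely render as an empty or `<no value>` string and silently loosen that check, so it is worth grepping the section files for it before merge. The comment stanza this hunk edits begins above the hunk.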
@@ -49,27 +49,6 @@ package:
 NIST800-53R5:
 - AU-3
 - AU-12
- {{ end }}
- {{ if ne .Vars.ubtu24cis_time_sync_tool "systemd-timesyncd" }}
-file:
- timesync_masked:
- title: 2.3.1.1 | Ensure time synchronization is in use | systemd-timesyncd masked
- path: /etc/systemd/system/systemd-timesyncd.service
- filetype: symlink
- linked-to: /dev/null
- exists: true
- meta:
- server: 1
- workstation: 1
- CIS_ID: 2.3.1.1
- CISv8:
- - 8.4
- CISv8_IG1: false
- CISv8_IG2: true
- CISv8_IG3: true
- NIST800-53R5:
- - AU-3
- - AU-12
 {{ end }}
 {{ end }}
 {{ end }}
From eb3e0b3da0ee9cfbf6fc7587ffe5c1e2fdc1ec52 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 10 Jan 2025 11:50:24 +0000
Subject: [PATCH 6/8] fixed typo
Signed-off-by: Mark Bolwell
---
 section_2/cis_2.3/cis_2.3.2.1.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/section_2/cis_2.3/cis_2.3.2.1.yml b/section_2/cis_2.3/cis_2.3.2.1.yml
index 158ceca..578bcda 100644
--- a/section_2/cis_2.3/cis_2.3.2.1.yml
+++ b/section_2/cis_2.3/cis_2.3.2.1.yml
@@ -9,7 +9,7 @@ file:
 path: /etc/systemd/timesyncd.conf.d/50-timesyncd.conf
 exists: true
 contents:
- - '/^NTP={{- range .Vars.ubtu24cis_time_pool }}{{ .name }}i{{ end }}/'
+ - '/^NTP={{- range .Vars.ubtu24cis_time_pool }}{{ .name }}{{ end }}/'
 - '/^FallbackNTP={{- range .Vars.ubtu24cis_time_servers }}{{ .name }} {{ end }}/'
 meta:
 server: 1
From 350b226033ae379ba452f3ef07b92b37a4ab9f6b Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 10 Jan 2025 12:34:26 +0000
Subject: [PATCH 7/8] fixed missing /
Signed-off-by: Mark Bolwell
---
 section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml b/section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml
index 2a4e8ea..e88dbb5 100644
--- a/section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml
+++ b/section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml
@@ -10,9 +10,9 @@ file:
 exists: true
 contents:
 - '/^URL=/'
- - '/ServerKeyFile=.*.pem'
- - '/ServerCertificateFile=.*.pem'
- - '/TrustedCertificateFile=.*.pem'
+ - '/ServerKeyFile=.*.pem/'
+ - '/ServerCertificateFile=.*.pem/'
+ - '/TrustedCertificateFile=.*.pem/'
 meta:
 server: 1
 workstation: 1
From 0d81193b711f1fae61ba2a25ac73363431ccc543 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 10 Jan 2025 12:34:48 +0000
Subject: [PATCH 8/8] fixed logic
Signed-off-by: Mark Bolwell
---
 section_1/cis_1.1/cis_1.1.1.7.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/section_1/cis_1.1/cis_1.1.1.7.yml b/section_1/cis_1.1/cis_1.1.1.7.yml
index c1d5726..65a004d 100644
--- a/section_1/cis_1.1/cis_1.1.1.7.yml
+++ b/section_1/cis_1.1/cis_1.1.1.7.yml
@@ -1,7 +1,7 @@
 ---
 {{ if .Vars.ubtu24cis_level_2 }}
- {{ if not .Vars.ubtu24cis_squashfs_required }}
+ {{ if .Vars.ubtu24cis_squashfs_required }}
 {{ if .Vars.ubtu24cis_rule_1_1_1_7 }}
 file:
 squashfs_disabled:
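Review bot: The three corrected patterns in cis_6.1.2.1.2.yml are still unanchored, unlike `'/^URL=/'` on the context line above them, so a commented-out `#ServerKeyFile=...pem` line satisfies the check and the audit reports a TLS setting that is not actually in effect. Anchoring each one and escaping the extension dot, e.g. `- '/^ServerKeyFile=.*\.pem/'` and likewise for the `ServerCertificateFile` and `TrustedCertificateFile` lines, makes the pattern match only an active setting; `.*.pem` as written also accepts any character before `pem`, which is harmless but imprecise. The enclosing `file:` entry begins above this hunk.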