Merge pull request #7 from ansible-lockdown/tweaks

Improvements

section_1/cis_1.1/cis_1.1.1.7.yml

@@ -1,7 +1,7 @@
 ---
 
 {{ if .Vars.ubtu24cis_level_2 }}
-  {{ if not .Vars.ubtu24cis_squashfs_required }}
+  {{ if .Vars.ubtu24cis_squashfs_required }}
   {{ if .Vars.ubtu24cis_rule_1_1_1_7 }}
 file:
   squashfs_disabled:

section_2/cis_2.3/cis_2.3.1.1.yml

@@ -49,27 +49,6 @@ package:
       NIST800-53R5:
       - AU-3
       - AU-12
-  {{ end }}
-  {{ if ne .Vars.ubtu24cis_time_sync_tool "systemd-timesyncd" }}
-file:
-  timesync_masked:
-    title: 2.3.1.1 | Ensure time synchronization is in use | systemd-timesyncd masked
-    path: /etc/systemd/system/systemd-timesyncd.service
-    filetype: symlink
-    linked-to: /dev/null
-    exists: true
-    meta:
-      server: 1
-      workstation: 1
-      CIS_ID: 2.3.1.1
-      CISv8:
-      - 8.4
-      CISv8_IG1: false
-      CISv8_IG2: true
-      CISv8_IG3: true
-      NIST800-53R5:
-      - AU-3
-      - AU-12
     {{ end }}
   {{ end }}
 {{ end }}

section_2/cis_2.3/cis_2.3.2.1.yml

@@ -9,7 +9,7 @@ file:
     path: /etc/systemd/timesyncd.conf.d/50-timesyncd.conf
     exists: true
     contents:
-    - '/^NTP={{ .Vars.ubtu24cis_time_pool_name }}/'
+    - '/^NTP={{- range .Vars.ubtu24cis_time_pool }}{{ .name }}{{ end }}/'
     - '/^FallbackNTP={{- range .Vars.ubtu24cis_time_servers }}{{ .name }} {{ end }}/'
     meta:
       server: 1

section_2/cis_2.3/cis_2.3.3.2.yml

@@ -2,7 +2,7 @@
 
 {{ if eq .Vars.ubtu24cis_time_sync_tool "chrony" }}
   {{ if .Vars.ubtu24cis_level_1 }}
-    {{ if .Vars.ubtu24cis_rule_2_1_2_2 }}
+    {{ if .Vars.ubtu24cis_rule_2_3_3_2 }}
 file:
   chrony_user:
     title: 2.3.3.2 | Ensure chrony is running as user _chrony

section_6/cis_6.1.1.x/cis_6.1.1.2.yml

@@ -4,7 +4,7 @@
   {{ if .Vars.ubtu24cis_rule_6_1_1_2 }}
 command:
   /etc/tmpfiles.d/systemd.conf:
-    title: 6.2.1.1.2 | Ensure journald log file access is configured | Manual Check Required
+    title: 6.1.1.2 | Ensure journald log file access is configured | Manual Check Required
     exec: echo "Manual - Please check journald default permissions"
     exit-status: 0
     stdout:

section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml

@@ -10,9 +10,9 @@ file:
     exists: true
     contents:
     - '/^URL=/'
-    - '/ServerKeyFile=.*.pem'
+    - '/ServerKeyFile=.*.pem/'
-    - '/ServerCertificateFile=.*.pem'
+    - '/ServerCertificateFile=.*.pem/'
-    - '/TrustedCertificateFile=.*.pem'
+    - '/TrustedCertificateFile=.*.pem/'
     meta:
       server: 1
       workstation: 1

vars/CIS.yml

@@ -591,7 +591,8 @@ ubtu24cis_time_sync_tool: "systemd-timesyncd"
 # Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`.
 # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
 # of the time synchronization mechanism you are using.
-ubtu24cis_time_pool_name: time.nist.gov
+ubtu24cis_time_pool:
+  - name: time.nist.gov
 
 # The following variable represents a list of of time servers used
 # for configuring chrony and timesyncd