Merge pull request #7 from ansible-lockdown/tweaks

Improvements
2025-01-13 18:29:49 +00:00 · 2025-01-13 18:29:49 +00:00 · 171b97c379
parent 593c45d6b0 0d81193b71
commit 171b97c379
7 changed files with 9 additions and 29 deletions
--- a/section_1/cis_1.1/cis_1.1.1.7.yml
+++ b/section_1/cis_1.1/cis_1.1.1.7.yml
@ -1,7 +1,7 @@
 ---

 {{ if .Vars.ubtu24cis_level_2 }}
-  {{ if not .Vars.ubtu24cis_squashfs_required }}
+  {{ if .Vars.ubtu24cis_squashfs_required }}
  {{ if .Vars.ubtu24cis_rule_1_1_1_7 }}
 file:
  squashfs_disabled:
--- a/section_2/cis_2.3/cis_2.3.1.1.yml
+++ b/section_2/cis_2.3/cis_2.3.1.1.yml
@ -49,27 +49,6 @@ package:
      NIST800-53R5:
      - AU-3
      - AU-12
-  {{ end }}
-  {{ if ne .Vars.ubtu24cis_time_sync_tool "systemd-timesyncd" }}
-file:
-  timesync_masked:
-    title: 2.3.1.1 | Ensure time synchronization is in use | systemd-timesyncd masked
-    path: /etc/systemd/system/systemd-timesyncd.service
-    filetype: symlink
-    linked-to: /dev/null
-    exists: true
-    meta:
-      server: 1
-      workstation: 1
-      CIS_ID: 2.3.1.1
-      CISv8:
-      - 8.4
-      CISv8_IG1: false
-      CISv8_IG2: true
-      CISv8_IG3: true
-      NIST800-53R5:
-      - AU-3
-      - AU-12
    {{ end }}
  {{ end }}
 {{ end }}
--- a/section_2/cis_2.3/cis_2.3.2.1.yml
+++ b/section_2/cis_2.3/cis_2.3.2.1.yml
@ -9,7 +9,7 @@ file:
    path: /etc/systemd/timesyncd.conf.d/50-timesyncd.conf
    exists: true
    contents:
-    - '/^NTP={{ .Vars.ubtu24cis_time_pool_name }}/'
+    - '/^NTP={{- range .Vars.ubtu24cis_time_pool }}{{ .name }}{{ end }}/'
    - '/^FallbackNTP={{- range .Vars.ubtu24cis_time_servers }}{{ .name }} {{ end }}/'
    meta:
      server: 1
--- a/section_2/cis_2.3/cis_2.3.3.2.yml
+++ b/section_2/cis_2.3/cis_2.3.3.2.yml
@ -2,7 +2,7 @@

 {{ if eq .Vars.ubtu24cis_time_sync_tool "chrony" }}
  {{ if .Vars.ubtu24cis_level_1 }}
-    {{ if .Vars.ubtu24cis_rule_2_1_2_2 }}
+    {{ if .Vars.ubtu24cis_rule_2_3_3_2 }}
 file:
  chrony_user:
    title: 2.3.3.2 | Ensure chrony is running as user _chrony
--- a/section_6/cis_6.1.1.x/cis_6.1.1.2.yml
+++ b/section_6/cis_6.1.1.x/cis_6.1.1.2.yml
@ -4,7 +4,7 @@
  {{ if .Vars.ubtu24cis_rule_6_1_1_2 }}
 command:
  /etc/tmpfiles.d/systemd.conf:
-    title: 6.2.1.1.2 | Ensure journald log file access is configured | Manual Check Required
+    title: 6.1.1.2 | Ensure journald log file access is configured | Manual Check Required
    exec: echo "Manual - Please check journald default permissions"
    exit-status: 0
    stdout:
--- a/section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml
+++ b/section_6/cis_6.1.2.x/cis_6.1.2.1.2.yml
@ -10,9 +10,9 @@ file:
    exists: true
    contents:
    - '/^URL=/'
-    - '/ServerKeyFile=.*.pem'
-    - '/ServerCertificateFile=.*.pem'
-    - '/TrustedCertificateFile=.*.pem'
+    - '/ServerKeyFile=.*.pem/'
+    - '/ServerCertificateFile=.*.pem/'
+    - '/TrustedCertificateFile=.*.pem/'
    meta:
      server: 1
      workstation: 1
--- a/vars/CIS.yml
+++ b/vars/CIS.yml
@ -591,7 +591,8 @@ ubtu24cis_time_sync_tool: "systemd-timesyncd"
 # Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`.
 # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
 # of the time synchronization mechanism you are using.
-ubtu24cis_time_pool_name: time.nist.gov
+ubtu24cis_time_pool:
+  - name: time.nist.gov

 # The following variable represents a list of of time servers used
 # for configuring chrony and timesyncd