Merge pull request #3 from ansible-lockdown/jan25_updates

Jan25 updates
This commit is contained in:
uk-bolly 2025-01-13 20:04:27 +00:00 committed by GitHub
commit 1b98e1ed7b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
12 changed files with 58 additions and 73 deletions


@ -665,7 +665,6 @@ ubtu24cis_apparmor_mode: complain
# HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
ubtu24cis_grub_user: root
ubtu24cis_set_grub_user_pass: false
ubtu24cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' # Set to changeme
ubtu24cis_grub_user_file: /etc/grub.d/00_user
ubtu24cis_bootloader_password_hash: "grub.pbkdf2.sha512.changethispassword" # pragma: allowlist secret
ubtu24cis_set_boot_pass: false
@ -1069,6 +1068,9 @@ ubtu24cis_shell_session_file: /etc/profile.d/tmout.sh
# journald or rsyslog
ubtu24cis_syslog_service: 'journald'
# Enable rsyslog logging to be managed by ansible
ubtu24cis_rsyslog_ansible_managed: true
## Controls 6.1.1.x journald
# This variable specifies the address of the remote log host where logs are being sent.
@ -1107,7 +1109,12 @@ ubtu24cis_journald_runtimekeepfree: "#RuntimeKeepFree="
# ATTENTION: Uncomment the keyword below when values are set!
ubtu24cis_journald_maxfilesec: "#MaxFileSec="
# 6.1.3.8
# 6.1.3.8 LOGRotate
# Optional to alow logrotate to be installed
# While it is required for 6.1.3.8 its not installed by default on minimal image
# or required for CIS to be installed, but in order to achieve ability to install has been added
ubtu24cis_logrotate_pkg_install: false
# ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation
# To conform to CIS standards this just needs to comply with your site policy
ubtu24cis_logrotate: "daily"
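Review bot: `ubtu24cis_rsyslog_ansible_managed: true` (L25) is introduced with a comment that only names the toggle; it does not say what happens when it is `false`, so a consumer cannot tell whether an existing rsyslog configuration is left as found or the rsyslog tasks are skipped outright. Suggest extending the comment to spell out both states in the form `# true: <what the role rewrites>; false: <what is left untouched>`, filled in from what the section 6 tasks actually do. While here, the `ubtu24cis_logrotate_pkg_install` comment has typos (`alow`, `its`), and if both `# 6.1.3.8` and `# 6.1.3.8 LOGRotate` survive on the new side the first is a duplicate heading.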


@ -237,9 +237,7 @@
changed_when: true
- name: Auditd rules reload
when:
- not prelim_auditd_immutable_check or
'"No change" not in ubtu24cis_rule_6_2_3_21_grep -iR augen_check.stdout'
when: ('"No change" not in discovered_augenrules_check.stdout') or prelim_auditd_immutable_check.rc == 1
ansible.builtin.command: augenrules --load
changed_when: true
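Review bot: The rewritten `when` on the `Auditd rules reload` handler (L49) dereferences `discovered_augenrules_check.stdout` and `prelim_auditd_immutable_check.rc` unconditionally, yet both come from `register` on tasks that are themselves conditional (the immutable check runs only when auditd is in `ansible_facts.packages`, L104), so when either task is skipped the handler errors on an undefined attribute instead of skipping. Guard the attributes rather than the variables, since a skipped task still registers a result without `stdout`/`rc`: `when: (discovered_augenrules_check.stdout is defined and '"No change" not in discovered_augenrules_check.stdout') or (prelim_auditd_immutable_check.rc is defined and prelim_auditd_immutable_check.rc == 1)`. Note also that rc 1 from the new `auditctl -s | grep "enabled 2"` check only means grep found no match; it is read here as "not immutable", which is acceptable if a later failing `augenrules --load` is the intended signal, but worth a comment on the handler.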


@ -62,31 +62,6 @@
that: ubtu24cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu24cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as ubtu24cis_bootloader_password_hash variable has not been set correctly"
- name: Check ubtu24cis_grub_user password variable has been changed
when: ubtu24cis_rule_1_4_1
tags: always
block:
- name: Check ubtu24cis_grub_user password variable has been changed | check password is set
ansible.builtin.shell: "grep ^{{ ubtu24cis_grub_user }} /etc/shadow | awk -F : '{print $2}'"
changed_when: false
register: ubtu24cis_password_set_grub_user
- name: Check ubtu24cis_grub_user password variable has been changed | check password is set
when:
- "'$y$' in ubtu24cis_password_set_grub_user.stdout"
- ubtu24cis_set_grub_user_pass
- ubtu24cis_rule_1_4_1
ansible.builtin.assert:
that: ubtu24cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu24cis_grub_user_passwd.find('$y$') != -1 and ubtu24cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6'
msg: "This role will not set the {{ ubtu24cis_grub_user }} user password is not set or ubtu24cis_grub_user_passwd variable has not been set correctly"
- name: Check ubtu24cis_grub_user password variable has been changed | if password blank or incorrect type and not being set
when: not ubtu24cis_set_grub_user_pass
ansible.builtin.assert:
that: ( ubtu24cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu24cis_password_set_grub_user.stdout
fail_msg: "Grub User {{ ubtu24cis_grub_user }} has no password set or incorrect encryption"
success_msg: "Grub User {{ ubtu24cis_grub_user }} has a valid password set to be used in single user mode"
- name: Setup rules if container
when:
- ansible_connection == 'docker' or


@ -7,7 +7,7 @@
changed_when: false
- name: "PRELIM | AUDIT | Register if snap being used"
when: ubtu24cis_rule_1_1_1_6
when: ubtu24cis_rule_1_1_1_7
tags: always
ansible.builtin.shell: df -h | grep -wc "/snap"
changed_when: false
@ -15,7 +15,7 @@
register: prelim_snap_pkg_mgr
- name: "PRELIM | AUDIT | Register if squashfs is built into the kernel"
when: ubtu24cis_rule_1_1_1_6
when: ubtu24cis_rule_1_1_1_7
tags: always
ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs"
changed_when: false
@ -218,7 +218,7 @@
- name: "PRELIM | AUDIT | Check if auditd is immutable before changes"
when: "'auditd' in ansible_facts.packages"
tags: always
ansible.builtin.shell: auditctl -l | grep -c '-e 2'
ansible.builtin.shell: auditctl -s | grep "enabled 2"
changed_when: false
failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ]
register: prelim_auditd_immutable_check
@ -256,3 +256,11 @@
regexp: ^IPT_SYSCTL=.*
line: IPT_SYSCTL=/etc/sysctl.conf
mode: 'u-x,go-wx'
- name: "OPTIONAL | PATCH | Install Logrotate if missing"
when:
- ubtu24cis_rule_6_1_3_8
- ubtu24cis_logrotate_pkg_install
ansible.builtin.package:
name: logrotate
state: present
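Review bot: The new `OPTIONAL | PATCH | Install Logrotate if missing` task (L115-L121) installs the package after package facts have already been consulted earlier in this file (`ansible_facts.packages` at L104), and nothing refreshes them, so the new 6.1.3.8 gate `'logrotate' in ansible_facts.packages` in tasks/section_6 (L221) stays false on the very run that installs logrotate and the control is skipped until the next run. Either follow the install with a fact refresh, `ansible.builtin.package_facts:` under the same `when`, or gate 6.1.3.8 on `... or ubtu24cis_logrotate_pkg_install`. This is inferred from line order within the file; confirm where package_facts is gathered. Separately, on the immutable check (L107) a failing `auditctl -s` leaves the pipeline returning grep's rc 1, which passes `failed_when` and is later read as "not immutable"; running it with `set -o pipefail` (bash executable) would surface that case.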


@ -26,14 +26,4 @@
loop:
- chrony
- ntp
- name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use | mask service"
when:
- ubtu24cis_time_sync_tool != "systemd-timesyncd"
- "'systemd-timesyncd' in ansible_facts.packages"
ansible.builtin.service:
name: systemd-timesyncd
state: stopped
enabled: false
masked: true
daemon_reload: true
- systemd-timesyncd
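Review bot: `systemd-timesyncd` becomes a plain loop item (L139) in place of a dedicated task that stopped, disabled and masked it with `daemon_reload: true` (removed L129-L138), and the loop task's header and `when` are outside the hunk. Confirm that the loop task excludes the selected `ubtu24cis_time_sync_tool` — otherwise this loop stops the daemon the role is about to configure — and that it still sets `masked: true`, since the removed task was explicitly the "mask service" step and a merely stopped unit can be started again by a dependency.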


@ -23,7 +23,7 @@
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "/{{ item }}"
mode: 'go-r'
mode: 'go-wx'
owner: root
group: root
loop:
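Review bot: `mode: 'go-wx'` (L148) only removes bits, so group/other read remains whatever the file already had (or the umask-derived default for a freshly templated file) — the resulting mode is not deterministic across hosts. The previous `'go-r'` at least guaranteed the file was not world-readable; if the intent is now that these files be readable by the service, say so explicitly as the umask task does with `'go+r,go-wx'` (L211), or use an absolute mode such as `mode: '0644'`. The same removal-only pattern appears in the TMOUT blockinfile change at L181.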


@ -58,19 +58,3 @@
name: chrony
state: started
enabled: true
- name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | timesyncd"
when: "'systemd-timesyncd' in ansible_facts.packages"
ansible.builtin.systemd:
name: systemd-timesyncd
state: stopped
enabled: false
masked: true
- name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | ntpd"
when: "'ntpd' in ansible_facts.packages"
ansible.builtin.systemd:
name: ntpd
state: stopped
enabled: false
masked: true


@ -34,7 +34,7 @@
state: "{{ item.state }}"
marker: "# {mark} - CIS benchmark - Ansible-lockdown"
create: true
mode: 'go-r'
mode: 'go-wx'
block: |
TMOUT={{ ubtu24cis_shell_session_timeout }}
readonly TMOUT
@ -54,10 +54,20 @@
- rule_5.4.3.3
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.replace:
path: "{{ item.path }}"
regexp: (?i)(umask\s+\d\d\d)
replace: '{{ item.line }} {{ ubtu24cis_bash_umask }}'
loop:
- { path: '/etc/profile', line: 'umask' }
- { path: '/etc/login.defs', line: 'UMASK' }
block:
- name: "5.4.3.3 | PATCH | Ensure default user umask is configured | update current settings"
ansible.builtin.replace:
path: "{{ item.path }}"
regexp: (?i)(umask\s+\d\d\d)
replace: '{{ item.line }} {{ ubtu24cis_bash_umask }}'
loop:
- { path: '/etc/profile', line: 'umask' }
- { path: '/etc/login.defs', line: 'UMASK' }
- name: "5.4.3.3 | PATCH | Ensure default user umask is configured | add profile script to set"
ansible.builtin.template:
src: etc/profile.d/50-umask.sh.j2
dest: /etc/profile.d/50-umask.sh
owner: root
group: root
mode: 'go+r,go-wx'
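Review bot: The new `add profile script to set` subtask (L205-L211) deploys `etc/profile.d/50-umask.sh.j2`, whose body hardcodes `umask 027` (added file, L274), while the sibling `update current settings` subtask writes `{{ ubtu24cis_bash_umask }}` into /etc/profile and /etc/login.defs (L201). The template's own comment says it is meant to take highest precedence, so a site that sets `ubtu24cis_bash_umask` to a stricter value is silently overridden back to 027 for login shells. Template the value in 50-umask.sh.j2: `umask {{ ubtu24cis_bash_umask }}`. The enclosing block's `when` and tags start outside the hunk.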


@ -1,7 +1,9 @@
---
- name: "6.1.3.8 | PATCH | Ensure logrotate is configured"
when: ubtu24cis_rule_6_1_3_8
when:
- ubtu24cis_rule_6_1_3_8
- "'logrotate' in ansible_facts.packages"
tags:
- level1-server
- level1-workstation


@ -277,3 +277,4 @@
- auditd
ansible.builtin.command: augenrules --check
changed_when: false
register: discovered_augenrules_check


@ -484,7 +484,7 @@ ubtu24cis_apparmor_disable: {{ ubtu24cis_apparmor_disable }}
# THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!!
# HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
ubtu24cis_grub_user: {{ ubtu24cis_grub_user }}
ubtu24cis_bootloader_password_hash: {{ grub_user_pass }} # pragma: allowlist secret
ubtu24cis_bootloader_password_hash: {{ ubtu24cis_bootloader_password_hash }} # pragma: allowlist secret
## Controls 1.5.x
@ -580,7 +580,7 @@ ubtu24cis_ftp_client: {{ ubtu24cis_ftp_client }}
## Control 2.3.1.1
# This variable choses the tool used for time synchronization
# The two options are `chrony`and `systemd-timesyncd`.
ubtu24cis_time_sync_tool: "systemd-timesyncd"
ubtu24cis_time_sync_tool: {{ ubtu24cis_time_sync_tool }}
## Controls 2.3.x - Configure time pools & servers for chrony and timesyncd
# The following variable represents a list of of time server pools used
@ -588,7 +588,7 @@ ubtu24cis_time_sync_tool: "systemd-timesyncd"
# Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`.
# The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
# of the time synchronization mechanism you are using.
ubtu24cis_time_pool_name:
ubtu24cis_time_pool:
{% for pool in ubtu24cis_time_pool %}
- name: {{ pool.name }}
options: {{ pool.options }}
@ -733,6 +733,9 @@ ubtu24_varlog_location: {{ ubtu24cis_sudo_logfile }}
# Section 6
# This variable specifies the address of the remote log host where logs are being sent.
ubtu24cis_remote_log_server: {{ ubtu24cis_remote_log_server }}
# 6.1.2
# AIDE
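Review bot: The templated scalars at L241, L248 and L256 are emitted unquoted; an empty expansion of `{{ ubtu24cis_time_sync_tool }}` or `{{ ubtu24cis_bootloader_password_hash }}` renders as a bare `key:` (null), and any value that looks boolean or numeric or starts with a YAML indicator is retyped when goss loads the file. Quote them, e.g. `ubtu24cis_time_sync_tool: "{{ ubtu24cis_time_sync_tool }}"` and `ubtu24cis_bootloader_password_hash: "{{ ubtu24cis_bootloader_password_hash }}"  # pragma: allowlist secret`. The `allowlist secret` pragma only silences the scanner; the rendered goss vars file still carries the grub PBKDF2 hash, so the task that writes it (not in this diff) should give it a restrictive mode.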


@ -0,0 +1,7 @@
## Ansible controlled file
# Added as part of ansible-lockdown CIS baseline
# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
# Set umask with highest precedence
umask 027