From 3e92d4b54b36ed10ffde9bc0d4456e3456258595 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 08:40:32 +0000 Subject: [PATCH 01/13] fixed permissions 5.4.3.2 Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml index e3e7d6b..2272c82 100644 --- a/tasks/section_5/cis_5.4.3.x.yml +++ b/tasks/section_5/cis_5.4.3.x.yml @@ -34,7 +34,7 @@ state: "{{ item.state }}" marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true - mode: 'go-r' + mode: 'go+r' block: | TMOUT={{ ubtu24cis_shell_session_timeout }} readonly TMOUT From c129cf05520c9469df403d27ff6a2bbb7f92011c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 09:03:01 +0000 Subject: [PATCH 02/13] removed mask section u24 now removes time package not used automatically Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.3.1.x.yml | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/tasks/section_2/cis_2.3.1.x.yml b/tasks/section_2/cis_2.3.1.x.yml index 2037c96..6242dee 100644 --- a/tasks/section_2/cis_2.3.1.x.yml +++ b/tasks/section_2/cis_2.3.1.x.yml @@ -26,14 +26,4 @@ loop: - chrony - ntp - - - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use | mask service" - when: - - ubtu24cis_time_sync_tool != "systemd-timesyncd" - - "'systemd-timesyncd' in ansible_facts.packages" - ansible.builtin.service: - name: systemd-timesyncd - state: stopped - enabled: false - masked: true - daemon_reload: true + - systemd-timesyncd From 3c628434188ede7dbfb4d6e584161b3d098ce04e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 09:05:37 +0000 Subject: [PATCH 03/13] fixed file permissions 2.3.2.1 Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.3.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
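Review bot: The package loop in the cis_2.3.1.x.yml hunk now lists `chrony`, `ntp` and `systemd-timesyncd`, but on Ubuntu 24.04 `ntp` is, as far as I can tell, only a transitional package that pulls in `ntpsec`, so removing `ntp` alone can leave the `ntpsec` daemon installed next to the chosen tool; consider adding `- ntpsec` to the loop. With the mask task gone, the loop and the condition on the task head (which starts above this hunk and is not visible here) are the only things keeping the unselected daemon from running, so that condition should be checked against the new list entry. A comment on the loop, e.g. `# every time daemon package other than ubtu24cis_time_sync_tool is removed; 24.04 no longer needs the unit masked`, would record why the mask task was dropped.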
diff --git a/tasks/section_2/cis_2.3.2.x.yml b/tasks/section_2/cis_2.3.2.x.yml index 5dcc083..3101212 100644 --- a/tasks/section_2/cis_2.3.2.x.yml +++ b/tasks/section_2/cis_2.3.2.x.yml @@ -23,7 +23,7 @@ ansible.builtin.template: src: "{{ item }}.j2" dest: "/{{ item }}" - mode: 'go-r' + mode: 'go-wx' owner: root group: root loop: From b7bdc7f67c44e27c05b9415c159417f64896202b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 09:26:52 +0000 Subject: [PATCH 04/13] Updated bootloader hash var and time tool inherit Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 7ddf258..f558438 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -484,7 +484,7 @@ ubtu24cis_apparmor_disable: {{ ubtu24cis_apparmor_disable }} # THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!! # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!! ubtu24cis_grub_user: {{ ubtu24cis_grub_user }} -ubtu24cis_bootloader_password_hash: {{ grub_user_pass }} # pragma: allowlist secret +ubtu24cis_bootloader_password_hash: {{ ubtu24cis_grub_user_passwd }} # pragma: allowlist secret ## Controls 1.5.x @@ -580,7 +580,7 @@ ubtu24cis_ftp_client: {{ ubtu24cis_ftp_client }} ## Control 2.3.1.1 # This variable choses the tool used for time synchronization # The two options are `chrony`and `systemd-timesyncd`. -ubtu24cis_time_sync_tool: "systemd-timesyncd" +ubtu24cis_time_sync_tool: {{ ubtu24cis_time_sync_tool }} ## Controls 2.3.x - Configure time pools & servers for chrony and timesyncd # The following variable represents a list of of time server pools used 
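Review bot: `mode: 'go-wx'` on the 2.3.2.1 template task only clears bits, so when `/{{ item }}` is created fresh its mode is whatever the remote session's umask left, and nothing guarantees group/other read. This role itself writes UMASK 027 into /etc/login.defs (5.4.3.3), which pam_umask applies to root's SSH session, so on a subsequent run a new file would land as 0640 root:root; systemd-timesyncd runs under its own unprivileged user and, if it cannot read its configuration, presumably falls back to built-in defaults rather than the configured pools — worth confirming on a host with that umask. Making the readable bits explicit, `mode: 'go+r,go-wx'` (the form the 5.4.3.3 template task later in this series uses) or `mode: '0644'`, removes the dependency on umask. The task head and loop start above this hunk and are not visible here.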
@@ -588,7 +588,7 @@ ubtu24cis_time_sync_tool: "systemd-timesyncd" # Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`. # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation # of the time synchronization mechanism you are using. -ubtu24cis_time_pool_name: +ubtu24cis_time_pool: {% for pool in ubtu24cis_time_pool %} - name: {{ pool.name }} options: {{ pool.options }} @@ -733,6 +733,9 @@ ubtu24_varlog_location: {{ ubtu24cis_sudo_logfile }} # Section 6 +# This variable specifies the address of the remote log host where logs are being sent. +ubtu24cis_remote_log_server: {{ ubtu24cis_remote_log_server }} + # 6.1.2 # AIDE From 9709aa503bc5e26455609a404946ea7408e22e77 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 09:27:23 +0000 Subject: [PATCH 05/13] 5.4.3.2 updated permissions Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml index 2272c82..2ea9c2f 100644 --- a/tasks/section_5/cis_5.4.3.x.yml +++ b/tasks/section_5/cis_5.4.3.x.yml @@ -34,7 +34,7 @@ state: "{{ item.state }}" marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true - mode: 'go+r' + mode: 'go-w' block: | TMOUT={{ ubtu24cis_shell_session_timeout }} readonly TMOUT From cc307541a9d524d8344e7a4b5cabd311192d3bf5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 12:37:54 +0000 Subject: [PATCH 06/13] 5.4.3.3 updated to add profile script Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.3.x.yml | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml index 2ea9c2f..bac9c32 100644 --- a/tasks/section_5/cis_5.4.3.x.yml +++ b/tasks/section_5/cis_5.4.3.x.yml 
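Review bot: The new `ubtu24cis_remote_log_server: {{ ubtu24cis_remote_log_server }}` line renders the value unquoted, so an empty or unset value becomes YAML null in the goss vars file and a value with YAML-significant characters (a `host:port` form, or anything starting with `*` or `[`) changes type or breaks the parse. Quoting the expansion, `ubtu24cis_remote_log_server: "{{ ubtu24cis_remote_log_server }}"`, keeps it a string for goss regardless of what the inventory supplies. The same defensive quoting applies to the `{{ pool.name }}` and `{{ pool.options }}` expansions in the preceding `ubtu24cis_time_pool` hunk.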
@@ -34,7 +34,7 @@ state: "{{ item.state }}" marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true - mode: 'go-w' + mode: 'go-wx' block: | TMOUT={{ ubtu24cis_shell_session_timeout }} readonly TMOUT @@ -54,10 +54,20 @@ - rule_5.4.3.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - ansible.builtin.replace: - path: "{{ item.path }}" - regexp: (?i)(umask\s+\d\d\d) - replace: '{{ item.line }} {{ ubtu24cis_bash_umask }}' - loop: - - { path: '/etc/profile', line: 'umask' } - - { path: '/etc/login.defs', line: 'UMASK' } + block: + - name: "5.4.3.3 | PATCH | Ensure default user umask is configured | update current settings" + ansible.builtin.replace: + path: "{{ item.path }}" + regexp: (?i)(umask\s+\d\d\d) + replace: '{{ item.line }} {{ ubtu24cis_bash_umask }}' + loop: + - { path: '/etc/profile', line: 'umask' } + - { path: '/etc/login.defs', line: 'UMASK' } + + - name: "5.4.3.3 | PATCH | Ensure default user umask is configured | add profile script to set" + ansible.builtin.template: + src: etc/profile.d/50-umask.sh.j2 + dest: /etc/profile.d/50-umask.sh + owner: root + group: root + mode: 'go+r,go-wx' From 113b32018fe5966aa3183e771ee9f998dc2d16b8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 12:38:24 +0000 Subject: [PATCH 07/13] profile script Signed-off-by: Mark Bolwell --- templates/etc/profile.d/50-umask.sh.j2 | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 templates/etc/profile.d/50-umask.sh.j2 diff --git a/templates/etc/profile.d/50-umask.sh.j2 b/templates/etc/profile.d/50-umask.sh.j2 new file mode 100644 index 0000000..e300e9c --- /dev/null +++ b/templates/etc/profile.d/50-umask.sh.j2 @@ -0,0 +1,7 @@ +## Ansible controlled file +# Added as part of ansible-lockdown CIS baseline +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown + +# Set umask with highest precedence + +umask 027 From 18152bc17d5593d5c381a6f65b6635e53bb9e8b8 Mon Sep 17 00:00:00 2001 
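Review bot: The final `mode: 'go-wx'` on the 5.4.3.2 blockinfile task removes bits but never adds read, so with `create: true` a newly created file keeps whatever mode the remote session's umask produced. This role sets UMASK 027 in /etc/login.defs, which pam_umask applies to root's SSH session, so on a subsequent run the file is created 0640 root:root and ordinary users cannot source it — the TMOUT block then does not reach the sessions the control targets, while a grep-based audit of the file still passes. Use the expression the 5.4.3.3 template task in this same series uses, `mode: 'go+r,go-wx'`, or an absolute `mode: '0644'`. The task's `path` and loop head start above this hunk and are not visible here.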
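Review bot: The `regexp: (?i)(umask\s+\d\d\d)` in the new "update current settings" task matches only the first three digits, so an existing four-digit value such as `UMASK 0027` in /etc/login.defs is rewritten to `UMASK 0277` (the replacement followed by the leftover `7`), a far stricter mask that makes newly created files unreadable to everyone but their owner. Allowing the optional leading zero, `regexp: (?i)umask\s+\d{3,4}`, keeps the rest of the task unchanged and avoids the corruption. Note also that the pattern is unanchored, so commented-out lines like `# umask 022` are rewritten too; harmless, but a `^\s*` anchor would confine it to the live setting. The block's `name`/`when` head starts above this hunk.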
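Review bot: The new 50-umask.sh.j2 template hardcodes `umask 027` while the sibling replace task writes `{{ ubtu24cis_bash_umask }}` into /etc/profile and /etc/login.defs, and the file's own comment says it is meant to take highest precedence; a site that sets `ubtu24cis_bash_umask: '077'` would therefore have its stricter value silently overridden back to 027 in every login shell. Since the file is already rendered by the template module, `umask {{ ubtu24cis_bash_umask }}` keeps all three locations consistent. The header comment could also state the mechanism rather than just the intent, e.g. `# /etc/profile sources profile.d after its own umask line, so this value wins — keep it in sync with ubtu24cis_bash_umask` (hedged: confirm the sourcing order on the target image).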
From: Mark Bolwell Date: Fri, 10 Jan 2025 12:39:13 +0000 Subject: [PATCH 08/13] fix conditional for snap/squashfs Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 518cfe3..eba0b21 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -7,7 +7,7 @@ changed_when: false - name: "PRELIM | AUDIT | Register if snap being used" - when: ubtu24cis_rule_1_1_1_6 + when: ubtu24cis_rule_1_1_1_7 tags: always ansible.builtin.shell: df -h | grep -wc "/snap" changed_when: false @@ -15,7 +15,7 @@ register: prelim_snap_pkg_mgr - name: "PRELIM | AUDIT | Register if squashfs is built into the kernel" - when: ubtu24cis_rule_1_1_1_6 + when: ubtu24cis_rule_1_1_1_7 tags: always ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs" changed_when: false From 6e78559776e4cd36f3f3dfe5978f080f3d5b27ca Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 12:40:06 +0000 Subject: [PATCH 09/13] tidy up grub/bootloader logic Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 - tasks/main.yml | 25 ------------------------- templates/ansible_vars_goss.yml.j2 | 2 +- 3 files changed, 1 insertion(+), 27 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3a6a356..28b802e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -665,7 +665,6 @@ ubtu24cis_apparmor_mode: complain # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!! ubtu24cis_grub_user: root ubtu24cis_set_grub_user_pass: false -ubtu24cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' # Set to changeme ubtu24cis_grub_user_file: /etc/grub.d/00_user ubtu24cis_bootloader_password_hash: "grub.pbkdf2.sha512.changethispassword" # pragma: allowlist secret ubtu24cis_set_boot_pass: false diff --git a/tasks/main.yml b/tasks/main.yml index e246e7f..cfdb641 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -62,31 +62,6 @@ that: ubtu24cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu24cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret msg: "This role will not be able to run single user password commands as ubtu24cis_bootloader_password_hash variable has not been set correctly" -- name: Check ubtu24cis_grub_user password variable has been changed - when: ubtu24cis_rule_1_4_1 - tags: always - block: - - name: Check ubtu24cis_grub_user password variable has been changed | check password is set - ansible.builtin.shell: "grep ^{{ ubtu24cis_grub_user }} /etc/shadow | awk -F : '{print $2}'" - changed_when: false - register: ubtu24cis_password_set_grub_user - - - name: Check ubtu24cis_grub_user password variable has been changed | check password is set - when: - - "'$y$' in ubtu24cis_password_set_grub_user.stdout" - - ubtu24cis_set_grub_user_pass - - ubtu24cis_rule_1_4_1 - ansible.builtin.assert: - that: ubtu24cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu24cis_grub_user_passwd.find('$y$') != -1 and ubtu24cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' - msg: "This role will not set the {{ ubtu24cis_grub_user }} user password is not set or ubtu24cis_grub_user_passwd variable has not been set correctly" - - - name: Check ubtu24cis_grub_user password variable has been changed | if password blank or incorrect type and not being set - when: not ubtu24cis_set_grub_user_pass - ansible.builtin.assert: - that: ( ubtu24cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu24cis_password_set_grub_user.stdout - fail_msg: "Grub User {{ ubtu24cis_grub_user }} has no password set or incorrect encryption" - success_msg: "Grub User {{ ubtu24cis_grub_user }} has a valid password set to be used in single user mode" - - name: Setup rules if container when: - ansible_connection == 'docker' or 
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index f558438..02d8c3e 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -484,7 +484,7 @@ ubtu24cis_apparmor_disable: {{ ubtu24cis_apparmor_disable }} # THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!! # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!! ubtu24cis_grub_user: {{ ubtu24cis_grub_user }} -ubtu24cis_bootloader_password_hash: {{ ubtu24cis_grub_user_passwd }} # pragma: allowlist secret +ubtu24cis_bootloader_password_hash: {{ ubtu24cis_bootloader_password_hash }} # pragma: allowlist secret ## Controls 1.5.x From e69c18fa1c94652ef95ebc6d57e4196e0229b28c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 13:16:56 +0000 Subject: [PATCH 10/13] improved audit handler and related rules Signed-off-by: Mark Bolwell --- handlers/main.yml | 4 +--- tasks/prelim.yml | 2 +- tasks/section_6/cis_6.2.3.x.yml | 1 + 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index e3a9c38..64b0aad 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -237,9 +237,7 @@ changed_when: true - name: Auditd rules reload - when: - - not prelim_auditd_immutable_check or - '"No change" not in ubtu24cis_rule_6_2_3_21_grep -iR augen_check.stdout' + when: ('"No change" not in discovered_augenrules_check.stdout') or prelim_auditd_immutable_check.rc == 1 ansible.builtin.command: augenrules --load changed_when: true diff --git a/tasks/prelim.yml b/tasks/prelim.yml index eba0b21..05c725c 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
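Review bot: The `# THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!!` warning now sits directly above a line that carries the GRUB PBKDF2 bootloader hash rather than a root password hash, so the comment misdescribes what is exported to the goss vars file; rewording it to `# GRUB bootloader password hash (grub.pbkdf2.sha512...); it is written into the goss vars file, so protect that file accordingly` matches the variable actually used. The expansion is also unquoted — a PBKDF2 hash is a safe plain scalar, but `"{{ ubtu24cis_bootloader_password_hash }}"` is the defensive form and costs nothing.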
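Review bot: The handler condition `when: ('"No change" not in discovered_augenrules_check.stdout') or prelim_auditd_immutable_check.rc == 1` wraps the first operand in single quotes inside the Jinja expression, so it is a non-empty string literal rather than a test and is always truthy — `augenrules --load` would run on every notification, including on an immutable (`enabled 2`) audit system where the load fails. The `or` also looks inverted for the stated intent: a reload is only possible when the system is not immutable (rc == 1) and only needed when `augenrules --check` reported a difference, which is an `and`. Something like `when: "discovered_augenrules_check.stdout is defined and 'No change' not in discovered_augenrules_check.stdout and prelim_auditd_immutable_check.rc == 1"` makes both guards real and tolerates the register being absent. `discovered_augenrules_check` is registered by a conditional task in section 6 (next hunk), so the `is defined` guard matters whenever that task is skipped.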
@@ -218,7 +218,7 @@ - name: "PRELIM | AUDIT | Check if auditd is immutable before changes" when: "'auditd' in ansible_facts.packages" tags: always - ansible.builtin.shell: auditctl -l | grep -c '-e 2' + ansible.builtin.shell: auditctl -s | grep "enabled 2" changed_when: false failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ] register: prelim_auditd_immutable_check diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml index 58db7d6..dbcbfa4 100644 --- a/tasks/section_6/cis_6.2.3.x.yml +++ b/tasks/section_6/cis_6.2.3.x.yml @@ -277,3 +277,4 @@ - auditd ansible.builtin.command: augenrules --check changed_when: false + register: discovered_augenrules_check From d190c51fa40883fe29d2fea56b19e83c4e9c07c2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 14:00:34 +0000 Subject: [PATCH 11/13] Updated since ubuntu removes unncessary time pkgs Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.3.3.x.yml | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/tasks/section_2/cis_2.3.3.x.yml b/tasks/section_2/cis_2.3.3.x.yml index 68af2fc..19177b9 100644 --- a/tasks/section_2/cis_2.3.3.x.yml +++ b/tasks/section_2/cis_2.3.3.x.yml @@ -58,19 +58,3 @@ name: chrony state: started enabled: true - - - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | timesyncd" - when: "'systemd-timesyncd' in ansible_facts.packages" - ansible.builtin.systemd: - name: systemd-timesyncd - state: stopped - enabled: false - masked: true - - - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | ntpd" - when: "'ntpd' in ansible_facts.packages" - ansible.builtin.systemd: - name: ntpd - state: stopped - enabled: false - masked: true From 7095fdc49f436b62fd11cdc31aa1144965b5d15d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 14:29:47 +0000 Subject: [PATCH 12/13] added rsyslog override logging option 
Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 28b802e..6c2af85 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1068,6 +1068,9 @@ ubtu24cis_shell_session_file: /etc/profile.d/tmout.sh # journald or rsyslog ubtu24cis_syslog_service: 'journald' +# Enable rsyslog logging to be managed by ansible +ubtu24cis_rsyslog_ansible_managed: true + ## Controls 6.1.1.x journald # This variable specifies the address of the remote log host where logs are being sent. From 5de8d4c5586c5a242b434e9bb8e7a26c93da4e7f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 15:33:10 +0000 Subject: [PATCH 13/13] Added optional logrotate install and variable, improved 6.1.3.8 logic Signed-off-by: Mark Bolwell --- defaults/main.yml | 7 ++++++- tasks/prelim.yml | 8 ++++++++ tasks/section_6/cis_6.1.3.8.yml | 4 +++- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6c2af85..d37ae5e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1109,7 +1109,12 @@ ubtu24cis_journald_runtimekeepfree: "#RuntimeKeepFree=" # ATTENTION: Uncomment the keyword below when values are set! ubtu24cis_journald_maxfilesec: "#MaxFileSec=" -# 6.1.3.8 +# 6.1.3.8 LOGRotate +# Optional to alow logrotate to be installed +# While it is required for 6.1.3.8 its not installed by default on minimal image +# or required for CIS to be installed, but in order to achieve ability to install has been added +ubtu24cis_logrotate_pkg_install: false + # ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation # To conform to CIS standards this just needs to comply with your site policy ubtu24cis_logrotate: "daily" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 05c725c..74ee0c7 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
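Review bot: The comment above the new `ubtu24cis_logrotate_pkg_install: false` has typos (`alow`, `its`, `LOGRotate`) and does not say what happens when it is left at its default of false: the `'logrotate' in ansible_facts.packages` guard added in the same series means 6.1.3.8 is then skipped silently on a minimal image. Suggested wording: `# Optional: allow this role to install logrotate. It is required for 6.1.3.8 but absent from minimal images; when false and the package is missing, 6.1.3.8 is skipped rather than failed.` Stating the skip behaviour here is what lets an operator notice that a level-1 control is not being applied.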
@@ -256,3 +256,11 @@ regexp: ^IPT_SYSCTL=.* line: IPT_SYSCTL=/etc/sysctl.conf mode: 'u-x,go-wx' + +- name: "OPTIONAL | PATCH | Install Logrotate if missing" + when: + - ubtu24cis_rule_6_1_3_8 + - ubtu24cis_logrotate_pkg_install + ansible.builtin.package: + name: logrotate + state: present diff --git a/tasks/section_6/cis_6.1.3.8.yml b/tasks/section_6/cis_6.1.3.8.yml index 932801e..1c68890 100644 --- a/tasks/section_6/cis_6.1.3.8.yml +++ b/tasks/section_6/cis_6.1.3.8.yml @@ -1,7 +1,9 @@ --- - name: "6.1.3.8 | PATCH | Ensure logrotate is configured" - when: ubtu24cis_rule_6_1_3_8 + when: + - ubtu24cis_rule_6_1_3_8 + - "'logrotate' in ansible_facts.packages" tags: - level1-server - level1-workstation
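Review bot: The new `OPTIONAL | PATCH | Install Logrotate if missing` task installs the package but does not refresh `ansible_facts.packages`, while the 6.1.3.8 task in the following hunk is gated on `'logrotate' in ansible_facts.packages`. If package facts are gathered earlier in prelim — the usual pattern, and not visible in this hunk — the first run installs logrotate and then still skips 6.1.3.8, so the control only takes effect on a second run. Either re-run `ansible.builtin.package_facts:` after the install, or register the install result and gate 6.1.3.8 on `discovered_logrotate_install is changed or 'logrotate' in ansible_facts.packages`. A comment on the task, `# ansible_facts.packages is not updated by this install; refresh package facts so 6.1.3.8 sees the new package`, flags the coupling either way.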