diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d346307..acdd896 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -11,12 +11,17 @@ repos: hooks: # Safety - id: detect-aws-credentials + name: Detect AWS Credentials - id: detect-private-key + name: Detect Private Keys # git checks - id: check-merge-conflict + name: Check for merge conflicts - id: check-added-large-files + name: Check for Large files - id: check-case-conflict + name: Check case conflict # General checks - id: trailing-whitespace @@ -27,6 +32,7 @@ repos: types: [text] args: [--markdown-linebreak-ext=md] - id: end-of-file-fixer + name: Ensure line at end of file # Scan for passwords - repo: https://github.com/Yelp/detect-secrets @@ -51,14 +57,15 @@ repos: # https://github.com/ansible/ansible-lint/issues/611 pass_filenames: false always_run: true - additional_dependencies: + # additional_dependencies: # https://github.com/pre-commit/pre-commit/issues/1526 # If you want to use specific version of ansible-core or ansible, feel # free to override `additional_dependencies` in your own hook config # file. - #- ansible-core>=2.10.1 + # - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git rev: v1.35.1 # or higher tag hooks: - id: yamllint + name: Check YAML Lint diff --git a/.yamllint b/.yamllint index 78eb3e2..fa7b697 100755 --- a/.yamllint +++ b/.yamllint @@ -1,6 +1,5 @@ --- extends: default -locale: en_US.UTF-8 ignore: | tests/ molecule/ @@ -17,7 +16,7 @@ rules: comments: ignore-shebangs: true min-spaces-from-content: 1 # prettier compatibility - comments-indentation: false + comments-indentation: enable empty-lines: max: 1 indentation: diff --git a/defaults/main.yml b/defaults/main.yml index 19c4b5a..3a6a356 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -630,13 +630,16 @@ ubtu24cis_purge_apt: false ## Section 1 Control Variables ## -## tmp mount type -# This variable determines, to which mount type -# the tmp mount type will be set, if it cannot be -# correctly discovered. will force the tmp_mnt type -# if not correctly discovered. -# Possible values are `tmp_systemd` or `fstab`- -expected_tmp_mnt: fstab +## Ability to enabe debug on mounts to assist in troubleshooting +# Mount point changes are set based upon facts created in Prelim +# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1. +ubtu24cis_debug_mount_data: false + +## Control 1.1.2 +# If set to `true`, rule will be implemented using the `tmp.mount` systemd-service, +# otherwise fstab configuration will be used. +# These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards. +ubtu24cis_tmp_svc: false ## Controls 1.3.1.x - apparmor # AppArmor security policies define what system resources applications can access and their privileges. diff --git a/handlers/main.yml b/handlers/main.yml index cc96914..e3a9c38 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,83 +1,153 @@ --- -- name: Writing the tmp file | tmp_systemd - when: - - "'/tmp' in mount_names" - - item.mount == "/tmp" - - tmp_mnt_type == 'tmp_systemd' - ansible.builtin.template: - src: etc/systemd/system/tmp.mount.j2 - dest: /etc/systemd/system/tmp.mount - owner: root - group: root - mode: 'u-x,go-wx' - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - listen: Writing and remounting tmp - -- name: Writing the tmp file | fstab - when: - - "'/tmp' in mount_names" - - tmp_mnt_type == 'fstab' - - item.mount == "/tmp" +- name: "Adding options for /tmp" + when: not ubtu24cis_tmp_svc + vars: + mount_point: '/tmp' ansible.posix.mount: - path: /tmp - src: "{{ item.device }}" + path: "{{ mount_point }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ item.fstype }}" - opts: defaults,{{ tmp_partition_mount_options | unique | join(',') }} - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - listen: Writing and remounting tmp + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /tmp" + +- name: "Remounting /tmp" + vars: + mount_point: '/tmp' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + listen: "Remount /tmp" + +- name: "Remounting /tmp systemd" + vars: + mount_point: '/tmp' + ansible.builtin.systemd: + name: tmp.mount + state: restarted + daemon_reload: true + listen: "Remount /tmp" + +- name: "Adding options for /dev/shm" + vars: + mount_point: '/dev/shm' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /dev/shm" + +- name: "Remounting /dev/shm" + vars: + mount_point: '/dev/shm' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + listen: "Remount /dev/shm" + +- name: "Adding options for /home" + vars: + mount_point: '/home' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /home" + +- name: "Remounting /home" + vars: + mount_point: '/home' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + listen: "Remount /home" + +- name: "Adding options for /var" + vars: + mount_point: '/var' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /var" + +- name: "Remounting /var" + vars: + mount_point: '/var' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + listen: "Remount /var" + +- name: "Adding options for /var/tmp" + vars: + mount_point: '/var/tmp' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /var/tmp" + +- name: "Remounting /var/tmp" + vars: + mount_point: '/var/tmp' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + listen: "Remount /var/tmp" + +- name: "Adding options for /var/log" + vars: + mount_point: '/var/log' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /var/log" + +- name: "Remounting /var/log" + vars: + mount_point: '/var/log' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + listen: "Remount /var/log" + +- name: "Adding options for /var/log/audit" + vars: + mount_point: '/var/log/audit' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /var/log/audit" + +- name: "Remounting /var/log/audit" + vars: + mount_point: '/var/log/audit' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + listen: "Remount /var/log/audit" - name: Update_Initramfs ansible.builtin.command: update-initramfs -u changed_when: true notify: Set_reboot_required -- name: Remount tmp - when: - - "'/tmp' in mount_names" - ansible.posix.mount: - path: /tmp - state: remounted - listen: Writing and remounting tmp - -- name: Remount var - ansible.posix.mount: - path: /var - state: remounted - -- name: Remount var_tmp - ansible.posix.mount: - path: /var/tmp - state: remounted - -- name: Remount var_log - ansible.posix.mount: - path: /var/log - state: remounted - -- name: Remount var_log_audit - ansible.posix.mount: - path: /var/log/audit - state: remounted - -- name: Remount home - ansible.posix.mount: - path: /home - state: remounted - -- name: Remount dev_shm - ansible.posix.mount: - path: /dev/shm - src: /dev/shm - state: remounted - - name: Grub update ansible.builtin.command: update-grub changed_when: true @@ -181,10 +251,16 @@ msg: "Reboot required for auditd to apply new rules as immutable set" notify: Set_reboot_required -- name: Restart auditd - when: discovered_audit_rules_updated is defined - tags: skip_ansible_lint - ansible.builtin.shell: service auditd restart +- name: Stop auditd process + ansible.builtin.command: systemctl kill auditd + changed_when: true + listen: Restart auditd + +- name: Start auditd process + ansible.builtin.systemd_service: + name: auditd + state: started + listen: Restart auditd - name: Restart sshd ansible.builtin.systemd: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 07efa1a..518cfe3 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -22,51 +22,34 @@ failed_when: prelim_squashfs_builtin.rc not in [ 0, 1 ] register: prelim_squashfs_builtin -- name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points" +- name: PRELIM | AUDIT | Section 1.1 | Create list of mount points tags: always ansible.builtin.set_fact: - mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" + prelim_mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" -- name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type - when: - - "'/tmp' in mount_names" - - ubtu24cis_rule_1_1_2_1_1 or - ubtu24cis_rule_1_1_2_1_2 or - ubtu24cis_rule_1_1_2_1_3 or - ubtu24cis_rule_1_1_2_1_4 +- name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options tags: always block: - - name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type - ansible.builtin.command: systemctl is-enabled tmp.mount # noqa command-instead-of-module + - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - call mount # noqa command-instead-of-module + ansible.builtin.shell: | + mount | awk '{print $1, $3, $5, $6}' changed_when: false - failed_when: prelim_tmp_mnt_type.rc not in [ 0, 1 ] - register: prelim_tmp_mnt_type + register: prelim_mount_output - - name: PRELIM | AUDIT | Capture tmp mount type | Set to expected_tmp_mnt variable - when: "'generated' in prelim_tmp_mnt_type.stdout" + - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact # This is inherited and used in mountpoints tasks ansible.builtin.set_fact: - tmp_mnt_type: "{{ expected_tmp_mnt }}" + prelim_mount_point_fs_and_options: >- + {%- set prelim_mount_point_fs_and_options = {} -%} + {%- for line in prelim_mount_output.stdout_lines -%} + {%- set fields = line.split() -%} + {%- set _ = prelim_mount_point_fs_and_options.update({fields[1]: {'src': fields[0], 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': fields[3][1:-1].split(',')}}) -%} + {%- endfor -%} + {{ prelim_mount_point_fs_and_options }} - - name: PRELIM | AUDIT | Capture tmp mount type | Set systemd service - when: "'generated' not in prelim_tmp_mnt_type.stdout" - ansible.builtin.set_fact: - tmp_mnt_type: tmp_systemd - -- name: PRELIM | Initialize the mount options variable - tags: always - block: - - name: PRELIM | Initializing the var if there is no /tmp mount | set_fact - when: "'/tmp' not in mount_names" - ansible.builtin.set_fact: - tmp_partition_mount_options: [] - - - name: PRELIM | Initializing the var if there is a /tmp mount | set_fact - when: - - item.mount == "/tmp" - - "'/tmp' in mount_names" - ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ item.options.split(',') }}" - loop: "{{ ansible_facts.mounts }}" + - name: "PRELIM | AUDIT | Debug of mount variables to assist in troubleshooting" + when: ubtu24cis_debug_mount_data + ansible.builtin.debug: + msg: "{{ prelim_mount_point_fs_and_options }}" - name: Include audit specific variables when: diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index fa2671d..4936c77 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -1,8 +1,8 @@ --- -- name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition" +- name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition" when: - - required_mount not in mount_names + - required_mount not in prelim_mount_names - ubtu24cis_rule_1_1_2_1_1 tags: - level1-server @@ -11,42 +11,58 @@ - mounts - rule_1.1.2.1.1 - NIST800-53R5_CM-7 - - tmp vars: - warn_control_id: '1.1.2.1.1' - required_mount: '/tmp' + warn_control_id: "1.1.2.1.1" + required_mount: "/tmp" block: - - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_tmp_mount.rc not in [ 0, 1 ] + register: discovered_tmp_mount - - name: "1.1.2.1.1 | WARN | Ensure /tmp is a separate partition | warn_count" + - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Absent" + when: discovered_tmp_mount is undefined + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" + + - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Present" + when: discovered_tmp_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml +# via fstab - name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" when: - - required_mount in mount_names + - prelim_mount_point_fs_and_options[mount_point] is defined + - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - ubtu24cis_rule_1_1_2_1_2 + - not ubtu24cis_tmp_svc tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.1.2 - - NIST800-53R5_CM-7 - - tmp + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 vars: - required_mount: '/tmp' - ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['nodev'] }}" - changed_when: true - notify: Writing and remounting tmp + mount_point: "/tmp" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" when: - - required_mount in mount_names + - prelim_mount_point_fs_and_options[mount_point] is defined + - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - ubtu24cis_rule_1_1_2_1_3 + - not ubtu24cis_tmp_svc tags: - level1-server - level1-workstation @@ -55,18 +71,20 @@ - rule_1.1.2.1.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - - tmp vars: - required_mount: '/tmp' + mount_point: "/tmp" + required_option: nosuid + notify: *mount_option_notify ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['nosuid'] }}" - changed_when: true - notify: Writing and remounting tmp + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when - name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" when: - - required_mount in mount_names + - prelim_mount_point_fs_and_options[mount_point] is defined + - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - ubtu24cis_rule_1_1_2_1_4 + - not ubtu24cis_tmp_svc tags: - level1-server - level1-workstation @@ -75,10 +93,40 @@ - rule_1.1.2.1.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - - tmp vars: - required_mount: '/tmp' + mount_point: "/tmp" + required_option: noexec + notify: *mount_option_notify ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['noexec'] }}" - changed_when: true - notify: Writing and remounting tmp + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +# via systemd +- name: | + "1.1.2.1.1 | PATCH | Ensure /tmp is configured + 1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition + 1.1.2.1.3 | PATCH | Ensure noexec option set on /tmp partition + 1.1.2.1.4 | PATCH | Ensure nosuid option set on /tmp partition" + when: + - ubtu24cis_tmp_svc + - ubtu24cis_rule_1_1_2_1_1 or ubtu24cis_rule_1_1_2_1_2 or ubtu24cis_rule_1_1_2_1_3 or ubtu24cis_rule_1_1_2_1_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts + - rule_1.1.2.1.1 + - rule_1.1.2.1.2 + - rule_1.1.2.1.3 + - rule_1.1.2.1.4 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/tmp" + ansible.builtin.template: + src: etc/systemd/system/tmp.mount.j2 + dest: /etc/systemd/system/tmp.mount + owner: root + group: root + mode: 'go-wx' + notify: *mount_option_notify diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index 12969dc..0fd12ca 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -3,6 +3,7 @@ - name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition" when: - ubtu24cis_rule_1_1_2_2_1 + - required_mount not in prelim_mount_names tags: - level1-server - level1-workstation @@ -11,48 +12,84 @@ - rule_1.1.2.2.1 - NIST800-53R5_CM-7 vars: - warn_control_id: '1.1.2.2.1' - required_mount: '/dev/shm' + warn_control_id: "1.1.2.2.1" + required_mount: "/dev/shm" block: - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check for mount" ansible.builtin.command: findmnt -kn "{{ required_mount }}" changed_when: false - failed_when: discovered_shm_mount.rc not in [ 0, 1 ] - register: discovered_shm_mount + failed_when: discovered_dev_shm_mount.rc not in [ 0, 1 ] + register: discovered_dev_shm_mount - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" - when: discovered_shm_mount is undefined + when: discovered_dev_shm_mount is undefined ansible.builtin.debug: msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Present" - when: discovered_shm_mount is undefined + when: discovered_dev_shm_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -- name: | - "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition - 1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition - 1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition" +- name: "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition" when: - - discovered_shm_mount is defined - - ubtu24cis_rule_1_1_2_2_2 or - ubtu24cis_rule_1_1_2_2_3 or - ubtu24cis_rule_1_1_2_2_4 + - prelim_mount_point_fs_and_options[mount_point] is defined + - ubtu24cis_rule_1_1_2_2_2 tags: - level1-server - level1-workstation - patch - mounts - - rule_1.1.2.2.1 - rule_1.1.2.2.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/dev/shm" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition" + when: + - prelim_mount_point_fs_and_options[mount_point] is defined + - ubtu24cis_rule_1_1_2_2_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.2.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: Set_reboot_required - ansible.posix.mount: - name: /dev/shm - src: tmpfs - fstype: tmpfs - state: mounted - opts: defaults,{% if ubtu24cis_rule_1_1_2_2_2 %}nodev,{% endif %}{% if ubtu24cis_rule_1_1_2_2_3 %}nosuid,{% endif %}{% if ubtu24cis_rule_1_1_2_2_4 %}noexec{% endif %} + vars: + mount_point: "/dev/shm" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition" + when: + - prelim_mount_point_fs_and_options[mount_point] is defined + - ubtu24cis_rule_1_1_2_2_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts + - rule_1.1.2.2.4 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/dev/shm" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index 36c1ecc..e3d3d40 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml @@ -1,55 +1,74 @@ --- - -- name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home" +- name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition" when: - ubtu24cis_rule_1_1_2_3_1 - - "'/home' not in mount_names" + - required_mount not in prelim_mount_names tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation - audit - mounts - rule_1.1.2.3.1 - NIST800-53R5_CM-7 vars: - warn_control_id: '1.1.2.3.1' - required_mount: '/home' + warn_control_id: "1.1.2.3.1" + required_mount: "/home" block: - - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Warn if partition is absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: home_mount_absent - changed_when: home_mount_absent.skipped is undefined + - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_home_mount.rc not in [ 0, 1 ] + register: discovered_home_mount - - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Present" + - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Absent" + when: discovered_dev_shm_mount is undefined + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" + + - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Present" + when: discovered_dev_shm_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -# skips if mount is absent -- name: | - "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition - 1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition +- name: "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition" when: - - "'/home' in mount_names" - - item.mount == "/home" - - ubtu24cis_rule_1_1_2_3_2 or - ubtu24cis_rule_1_1_2_3_3 + - prelim_mount_point_fs_and_options[mount_point] is defined + - ubtu24cis_rule_1_1_2_3_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.3.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/home" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition" + when: + - prelim_mount_point_fs_and_options[mount_point] is defined + - ubtu24cis_rule_1_1_2_3_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.3.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: Set_reboot_required - ansible.posix.mount: - name: /home - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if ubtu24cis_rule_1_1_2_3_2 %}nodev,{% endif %}{% if ubtu24cis_rule_1_1_2_3_3 %}nosuid{% endif %} - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" + vars: + mount_point: "/home" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index 6805c9e..eb6e907 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -1,13 +1,13 @@ --- -- name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var" +- name: "1.1.2.4.1 | PATCH | Ensure /var is a separate partition" when: - - "'/var' not in mount_names" - ubtu24cis_rule_1_1_2_4_1 + - required_mount not in prelim_mount_names tags: - - level2-server - - level2-workstation - - patch + - level1-server + - level1-workstation + - audit - mounts - rule_1.1.2.4.1 - NIST800-53R5_CM-7 @@ -15,41 +15,61 @@ warn_control_id: '1.1.2.4.1' required_mount: '/var' block: - - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Warn if partition is absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_mount_absent - changed_when: var_mount_absent.skipped is undefined + - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_var_mount.rc not in [ 0, 1 ] + register: discovered_var_mount - - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Present" + - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent" + when: discovered_dev_shm_mount is undefined + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" + + - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present" + when: discovered_dev_shm_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -# skips if mount is absent -- name: | - "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition" - "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition" +- name: "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition" when: - - "'/var' in mount_names" - - item.mount == "/var" - - ubtu24cis_rule_1_1_2_4_2 or - ubtu24cis_rule_1_1_2_4_3 + - prelim_mount_point_fs_and_options[mount_point] is defined + - ubtu24cis_rule_1_1_2_4_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.4.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition" + when: + - prelim_mount_point_fs_and_options[mount_point] is defined + - ubtu24cis_rule_1_1_2_4_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.4.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: Set_reboot_required - ansible.posix.mount: - name: /var - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if ubtu24cis_rule_1_1_2_4_2 %}nodev,{% endif %}{% if ubtu24cis_rule_1_1_2_4_3 %}nosuid{% endif %} - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" + vars: + mount_point: "/var" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml index 803fa18..ef721f0 100644 --- a/tasks/section_1/cis_1.1.2.5.x.yml +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -1,13 +1,12 @@ --- -# Skips if mount is absent -- name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp" +- name: "1.1.2.5.1 | PATCH | Ensure /var/tmp is a separate partition" when: - ubtu24cis_rule_1_1_2_5_1 - - "'/var/tmp' not in mount_names" + - required_mount not in prelim_mount_names tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation - audit - mounts - rule_1.1.2.5.1 @@ -16,44 +15,81 @@ warn_control_id: '1.1.2.5.1' required_mount: '/var/tmp' block: - - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn if partition is absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_tmp_mount_absent - changed_when: var_tmp_mount_absent.skipped is undefined + - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_var_tmp_mount.rc not in [ 0, 1 ] + register: discovered_var_tmp_mount - - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" + - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | Absent" + when: discovered_var_tmp_mount is undefined + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" + + - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | Present" + when: discovered_var_tmp_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -# skips if mount is absent -- name: | - "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition" - "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition" - "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" +- name: "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition" when: - - "'/var/tmp' in mount_names" - - item.mount == "/var/tmp" - - ubtu24cis_rule_1_1_2_5_2 or - ubtu24cis_rule_1_1_2_5_3 or - ubtu24cis_rule_1_1_2_5_4 + - prelim_mount_point_fs_and_options[mount_point] is defined + - ubtu24cis_rule_1_1_2_5_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.5.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/tmp" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition" + when: + - prelim_mount_point_fs_and_options[mount_point] is defined + - ubtu24cis_rule_1_1_2_5_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.5.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/tmp" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" + when: + - prelim_mount_point_fs_and_options[mount_point] is defined + - ubtu24cis_rule_1_1_2_5_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.5.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: Set_reboot_required - ansible.posix.mount: - name: /var/tmp - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if ubtu24cis_rule_1_1_2_5_2 %}nodev,{% endif %}{% if ubtu24cis_rule_1_1_2_5_3 %}nosuid,{% endif %}{% if ubtu24cis_rule_1_1_2_5_4 %}noexec{% endif %} - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" + vars: + mount_point: "/var/tmp" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml index 06c658e..6a258f9 100644 --- a/tasks/section_1/cis_1.1.2.6.x.yml +++ b/tasks/section_1/cis_1.1.2.6.x.yml @@ -1,12 +1,12 @@ --- -- name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log" +- name: "1/.1 | PATCH | Ensure /var/log is a separate partition" when: - ubtu24cis_rule_1_1_2_6_1 - - "'/var/log' not in mount_names" + - required_mount not in prelim_mount_names tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation - audit - mounts - rule_1.1.2.6.1 @@ -15,44 +15,81 @@ warn_control_id: '1.1.2.6.1' required_mount: '/var/log' block: - - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Warn if partition is absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_mount_absent - changed_when: var_log_mount_absent.skipped is undefined + - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_var_log_mount.rc not in [ 0, 1 ] + register: discovered_var_log_mount - - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Present" + - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | Absent" + when: discovered_var_log_mount is undefined + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" + + - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | Present" + when: discovered_var_log_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -# skips if mount is absent -- name: | - "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition" - "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition" - "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition" +- name: "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition" when: - - "'/var/log' in mount_names" - - item.mount == "/var/log" - - ubtu24cis_rule_1_1_2_6_2 or - ubtu24cis_rule_1_1_2_6_3 or - ubtu24cis_rule_1_1_2_6_4 + - prelim_mount_point_fs_and_options[mount_point] is defined + - ubtu24cis_rule_1_1_2_6_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.6.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/log" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition" + when: + - prelim_mount_point_fs_and_options[mount_point] is defined + - ubtu24cis_rule_1_1_2_6_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.6.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/log" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition" + when: + - prelim_mount_point_fs_and_options[mount_point] is defined + - ubtu24cis_rule_1_1_2_6_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.6.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: Set_reboot_required - ansible.posix.mount: - name: /var/log - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if ubtu24cis_rule_1_1_2_6_2 %}nodev,{% endif %}{% if ubtu24cis_rule_1_1_2_6_3 %}nosuid,{% endif %}{% if ubtu24cis_rule_1_1_2_6_4 %}noexec{% endif %} - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" + vars: + mount_point: "/var/log" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml index c598eac..ff636db 100644 --- a/tasks/section_1/cis_1.1.2.7.x.yml +++ b/tasks/section_1/cis_1.1.2.7.x.yml @@ -1,12 +1,12 @@ --- -- name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit" +- name: "1/.1 | PATCH | Ensure /var/log/audit is a separate partition" when: - ubtu24cis_rule_1_1_2_7_1 - - "'/var/log/audit' not in mount_names" + - required_mount not in prelim_mount_names tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation - audit - mounts - rule_1.1.2.7.1 @@ -15,44 +15,81 @@ warn_control_id: '1.1.2.7.1' required_mount: '/var/log/audit' block: - - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn if partition is absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_audit_mount_absent - changed_when: var_log_audit_mount_absent.skipped is undefined + - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_var_log_audit_mount.rc not in [ 0, 1 ] + register: discovered_var_log_audit_mount - - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" + - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | Absent" + when: discovered_var_log_audit_mount is undefined + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" + + - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | Present" + when: discovered_var_log_audit_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -# skips if mount is absent -- name: | - "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition" - "1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition" - "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition" +- name: "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition" when: - - "'/var/log/audit' in mount_names" - - item.mount == "/var/log/audit" - - ubtu24cis_rule_1_1_2_7_2 or - ubtu24cis_rule_1_1_2_7_3 or - ubtu24cis_rule_1_1_2_7_4 + - prelim_mount_point_fs_and_options[mount_point] is defined + - ubtu24cis_rule_1_1_2_7_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.7.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/log/audit" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition" + when: + - prelim_mount_point_fs_and_options[mount_point] is defined + - ubtu24cis_rule_1_1_2_7_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.7.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/log/audit" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition" + when: + - prelim_mount_point_fs_and_options[mount_point] is defined + - ubtu24cis_rule_1_1_2_7_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.7.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: Set_reboot_required - ansible.posix.mount: - name: /var/log/audit - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if ubtu24cis_rule_1_1_2_7_2 %}nodev,{% endif %}{% if ubtu24cis_rule_1_1_2_7_3 %}nosuid,{% endif %}{% if ubtu24cis_rule_1_1_2_7_4 %}noexec{% endif %} - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" + vars: + mount_point: "/var/log/audit" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_6/cis_6.3.x.yml b/tasks/section_6/cis_6.3.x.yml index 4b8c54d..5196055 100644 --- a/tasks/section_6/cis_6.3.x.yml +++ b/tasks/section_6/cis_6.3.x.yml @@ -52,9 +52,9 @@ state: absent - name: "6.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" - when: - - not ansible_check_mode - ansible.builtin.shell: "{{ aide_initiate_command }}" + when: not ansible_check_mode + ansible.builtin.command: "{{ aide_initiate_command }}" + changed_when: true args: creates: "{{ ubtu24cis_aide_db_file }}" async: "{{ ubtu24cis_aide_init_async }}" diff --git a/vars/main.yml b/vars/main.yml index fa065e8..0ef07c0 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -13,7 +13,6 @@ system_is_container: false warn_control_list: "" warn_count: 0 - # Aide initiate command for new DB creation aide_initiate_command: aideinit -y -f