colin
/
UBUNTU24-CIS
mirror of https://github.com/ansible-lockdown/UBUNTU24-CIS.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5 from ansible-lockdown/align_audit_mounts 

Align audit mounts
This commit is contained in:
uk-bolly 2024-12-11 16:45:37 +00:00 committed by GitHub
parent b87b6fbefd f77befa17e
commit 1e286afdd8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
14 changed files with 628 additions and 327 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
.pre-commit-config.yaml
View File

@ -11,12 +11,17 @@ repos:
hooks: hooks:
# Safety # Safety
- id: detect-aws-credentials - id: detect-aws-credentials
name: Detect AWS Credentials
- id: detect-private-key - id: detect-private-key
name: Detect Private Keys
# git checks # git checks
- id: check-merge-conflict - id: check-merge-conflict
name: Check for merge conflicts
- id: check-added-large-files - id: check-added-large-files
name: Check for Large files
- id: check-case-conflict - id: check-case-conflict
name: Check case conflict
# General checks # General checks
- id: trailing-whitespace - id: trailing-whitespace
@ -27,6 +32,7 @@ repos:
types: [text] types: [text]
args: [--markdown-linebreak-ext=md] args: [--markdown-linebreak-ext=md]
- id: end-of-file-fixer - id: end-of-file-fixer
name: Ensure line at end of file
# Scan for passwords # Scan for passwords
- repo: https://github.com/Yelp/detect-secrets - repo: https://github.com/Yelp/detect-secrets
@ -51,14 +57,15 @@ repos:
# https://github.com/ansible/ansible-lint/issues/611 # https://github.com/ansible/ansible-lint/issues/611
pass_filenames: false pass_filenames: false
always_run: true always_run: true
additional_dependencies: # additional_dependencies:
# https://github.com/pre-commit/pre-commit/issues/1526 # https://github.com/pre-commit/pre-commit/issues/1526
# If you want to use specific version of ansible-core or ansible, feel # If you want to use specific version of ansible-core or ansible, feel
# free to override `additional_dependencies` in your own hook config # free to override `additional_dependencies` in your own hook config
# file. # file.
#- ansible-core>=2.10.1 # - ansible-core>=2.10.1
- repo: https://github.com/adrienverge/yamllint.git - repo: https://github.com/adrienverge/yamllint.git
rev: v1.35.1 # or higher tag rev: v1.35.1 # or higher tag
hooks: hooks:
- id: yamllint - id: yamllint
name: Check YAML Lint

3
.yamllint
View File

@ -1,6 +1,5 @@
--- ---
extends: default extends: default
locale: en_US.UTF-8
ignore: | ignore: |
tests/ tests/
molecule/ molecule/
@ -17,7 +16,7 @@ rules:
comments: comments:
ignore-shebangs: true ignore-shebangs: true
min-spaces-from-content: 1 # prettier compatibility min-spaces-from-content: 1 # prettier compatibility
comments-indentation: false comments-indentation: enable
empty-lines: empty-lines:
max: 1 max: 1
indentation: indentation:

17
defaults/main.yml
View File

@ -630,13 +630,16 @@ ubtu24cis_purge_apt: false
## Section 1 Control Variables ## Section 1 Control Variables
## ##
## tmp mount type ## Ability to enabe debug on mounts to assist in troubleshooting
# This variable determines, to which mount type # Mount point changes are set based upon facts created in Prelim
# the tmp mount type will be set, if it cannot be # these then build the variable and options that is passed to the handler to set the mount point for the controls in section1.
# correctly discovered. will force the tmp_mnt type ubtu24cis_debug_mount_data: false
# if not correctly discovered.
# Possible values are `tmp_systemd` or `fstab`- ## Control 1.1.2
expected_tmp_mnt: fstab # If set to `true`, rule will be implemented using the `tmp.mount` systemd-service,
# otherwise fstab configuration will be used.
# These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards.
ubtu24cis_tmp_svc: false
## Controls 1.3.1.x - apparmor ## Controls 1.3.1.x - apparmor
# AppArmor security policies define what system resources applications can access and their privileges. # AppArmor security policies define what system resources applications can access and their privileges.

224
handlers/main.yml
View File

@ -1,83 +1,153 @@
--- ---
- name: Writing the tmp file | tmp_systemd - name: "Adding options for /tmp"
when: when: not ubtu24cis_tmp_svc
- "'/tmp' in mount_names" vars:
- item.mount == "/tmp" mount_point: '/tmp'
- tmp_mnt_type == 'tmp_systemd'
ansible.builtin.template:
src: etc/systemd/system/tmp.mount.j2
dest: /etc/systemd/system/tmp.mount
owner: root
group: root
mode: 'u-x,go-wx'
with_items:
- "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"
listen: Writing and remounting tmp
- name: Writing the tmp file | fstab
when:
- "'/tmp' in mount_names"
- tmp_mnt_type == 'fstab'
- item.mount == "/tmp"
ansible.posix.mount: ansible.posix.mount:
path: /tmp path: "{{ mount_point }}"
src: "{{ item.device }}" src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
state: present state: present
fstype: "{{ item.fstype }}" fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
opts: defaults,{{ tmp_partition_mount_options | unique | join(',') }} opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
with_items: listen: "Remount /tmp"
- "{{ ansible_facts.mounts }}"
loop_control: - name: "Remounting /tmp"
label: "{{ item.device }}" vars:
listen: Writing and remounting tmp mount_point: '/tmp'
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
listen: "Remount /tmp"
- name: "Remounting /tmp systemd"
vars:
mount_point: '/tmp'
ansible.builtin.systemd:
name: tmp.mount
state: restarted
daemon_reload: true
listen: "Remount /tmp"
- name: "Adding options for /dev/shm"
vars:
mount_point: '/dev/shm'
ansible.posix.mount:
path: "{{ mount_point }}"
src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
state: present
fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
listen: "Remount /dev/shm"
- name: "Remounting /dev/shm"
vars:
mount_point: '/dev/shm'
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
listen: "Remount /dev/shm"
- name: "Adding options for /home"
vars:
mount_point: '/home'
ansible.posix.mount:
path: "{{ mount_point }}"
src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
state: present
fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
listen: "Remount /home"
- name: "Remounting /home"
vars:
mount_point: '/home'
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
listen: "Remount /home"
- name: "Adding options for /var"
vars:
mount_point: '/var'
ansible.posix.mount:
path: "{{ mount_point }}"
src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
state: present
fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
listen: "Remount /var"
- name: "Remounting /var"
vars:
mount_point: '/var'
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
listen: "Remount /var"
- name: "Adding options for /var/tmp"
vars:
mount_point: '/var/tmp'
ansible.posix.mount:
path: "{{ mount_point }}"
src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
state: present
fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
listen: "Remount /var/tmp"
- name: "Remounting /var/tmp"
vars:
mount_point: '/var/tmp'
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
listen: "Remount /var/tmp"
- name: "Adding options for /var/log"
vars:
mount_point: '/var/log'
ansible.posix.mount:
path: "{{ mount_point }}"
src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
state: present
fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
listen: "Remount /var/log"
- name: "Remounting /var/log"
vars:
mount_point: '/var/log'
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
listen: "Remount /var/log"
- name: "Adding options for /var/log/audit"
vars:
mount_point: '/var/log/audit'
ansible.posix.mount:
path: "{{ mount_point }}"
src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
state: present
fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
listen: "Remount /var/log/audit"
- name: "Remounting /var/log/audit"
vars:
mount_point: '/var/log/audit'
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
listen: "Remount /var/log/audit"
- name: Update_Initramfs - name: Update_Initramfs
ansible.builtin.command: update-initramfs -u ansible.builtin.command: update-initramfs -u
changed_when: true changed_when: true
notify: Set_reboot_required notify: Set_reboot_required
- name: Remount tmp
when:
- "'/tmp' in mount_names"
ansible.posix.mount:
path: /tmp
state: remounted
listen: Writing and remounting tmp
- name: Remount var
ansible.posix.mount:
path: /var
state: remounted
- name: Remount var_tmp
ansible.posix.mount:
path: /var/tmp
state: remounted
- name: Remount var_log
ansible.posix.mount:
path: /var/log
state: remounted
- name: Remount var_log_audit
ansible.posix.mount:
path: /var/log/audit
state: remounted
- name: Remount home
ansible.posix.mount:
path: /home
state: remounted
- name: Remount dev_shm
ansible.posix.mount:
path: /dev/shm
src: /dev/shm
state: remounted
- name: Grub update - name: Grub update
ansible.builtin.command: update-grub ansible.builtin.command: update-grub
changed_when: true changed_when: true
@ -181,10 +251,16 @@
msg: "Reboot required for auditd to apply new rules as immutable set" msg: "Reboot required for auditd to apply new rules as immutable set"
notify: Set_reboot_required notify: Set_reboot_required
- name: Restart auditd - name: Stop auditd process
when: discovered_audit_rules_updated is defined ansible.builtin.command: systemctl kill auditd
tags: skip_ansible_lint changed_when: true
ansible.builtin.shell: service auditd restart listen: Restart auditd
- name: Start auditd process
ansible.builtin.systemd_service:
name: auditd
state: started
listen: Restart auditd
- name: Restart sshd - name: Restart sshd
ansible.builtin.systemd: ansible.builtin.systemd:

55
tasks/prelim.yml
View File

@ -22,51 +22,34 @@
failed_when: prelim_squashfs_builtin.rc not in [ 0, 1 ] failed_when: prelim_squashfs_builtin.rc not in [ 0, 1 ]
register: prelim_squashfs_builtin register: prelim_squashfs_builtin
- name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points" - name: PRELIM | AUDIT | Section 1.1 | Create list of mount points
tags: always tags: always
ansible.builtin.set_fact: ansible.builtin.set_fact:
mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" prelim_mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}"
- name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options
when:
- "'/tmp' in mount_names"
- ubtu24cis_rule_1_1_2_1_1 or
ubtu24cis_rule_1_1_2_1_2 or
ubtu24cis_rule_1_1_2_1_3 or
ubtu24cis_rule_1_1_2_1_4
tags: always tags: always
block: block:
- name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - call mount # noqa command-instead-of-module
ansible.builtin.command: systemctl is-enabled tmp.mount # noqa command-instead-of-module ansible.builtin.shell: |
mount | awk '{print $1, $3, $5, $6}'
changed_when: false changed_when: false
failed_when: prelim_tmp_mnt_type.rc not in [ 0, 1 ] register: prelim_mount_output
register: prelim_tmp_mnt_type
- name: PRELIM | AUDIT | Capture tmp mount type | Set to expected_tmp_mnt variable - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact # This is inherited and used in mountpoints tasks
when: "'generated' in prelim_tmp_mnt_type.stdout"
ansible.builtin.set_fact: ansible.builtin.set_fact:
tmp_mnt_type: "{{ expected_tmp_mnt }}" prelim_mount_point_fs_and_options: >-
{%- set prelim_mount_point_fs_and_options = {} -%}
{%- for line in prelim_mount_output.stdout_lines -%}
{%- set fields = line.split() -%}
{%- set _ = prelim_mount_point_fs_and_options.update({fields[1]: {'src': fields[0], 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': fields[3][1:-1].split(',')}}) -%}
{%- endfor -%}
{{ prelim_mount_point_fs_and_options }}
- name: PRELIM | AUDIT | Capture tmp mount type | Set systemd service - name: "PRELIM | AUDIT | Debug of mount variables to assist in troubleshooting"
when: "'generated' not in prelim_tmp_mnt_type.stdout" when: ubtu24cis_debug_mount_data
ansible.builtin.set_fact: ansible.builtin.debug:
tmp_mnt_type: tmp_systemd msg: "{{ prelim_mount_point_fs_and_options }}"
- name: PRELIM | Initialize the mount options variable
tags: always
block:
- name: PRELIM | Initializing the var if there is no /tmp mount | set_fact
when: "'/tmp' not in mount_names"
ansible.builtin.set_fact:
tmp_partition_mount_options: []
- name: PRELIM | Initializing the var if there is a /tmp mount | set_fact
when:
- item.mount == "/tmp"
- "'/tmp' in mount_names"
ansible.builtin.set_fact:
tmp_partition_mount_options: "{{ item.options.split(',') }}"
loop: "{{ ansible_facts.mounts }}"
- name: Include audit specific variables - name: Include audit specific variables
when: when:

106
tasks/section_1/cis_1.1.2.1.x.yml
View File

@ -1,8 +1,8 @@
--- ---
- name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition" - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition"
when: when:
- required_mount not in mount_names - required_mount not in prelim_mount_names
- ubtu24cis_rule_1_1_2_1_1 - ubtu24cis_rule_1_1_2_1_1
tags: tags:
- level1-server - level1-server
@ -11,42 +11,58 @@
- mounts - mounts
- rule_1.1.2.1.1 - rule_1.1.2.1.1
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- tmp
vars: vars:
warn_control_id: '1.1.2.1.1' warn_control_id: "1.1.2.1.1"
required_mount: '/tmp' required_mount: "/tmp"
block: block:
- name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Absent" - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | check for mount"
ansible.builtin.debug: ansible.builtin.command: findmnt -kn "{{ required_mount }}"
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" changed_when: false
failed_when: discovered_tmp_mount.rc not in [ 0, 1 ]
register: discovered_tmp_mount
- name: "1.1.2.1.1 | WARN | Ensure /tmp is a separate partition | warn_count" - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Absent"
when: discovered_tmp_mount is undefined
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
- name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Present"
when: discovered_tmp_mount is undefined
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml
# via fstab
- name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" - name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition"
when: when:
- required_mount in mount_names - prelim_mount_point_fs_and_options[mount_point] is defined
- not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs"
- ubtu24cis_rule_1_1_2_1_2 - ubtu24cis_rule_1_1_2_1_2
- not ubtu24cis_tmp_svc
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- mounts - mounts
- rule_1.1.2.1.2 - rule_1.1.2.1.2
- NIST800-53R5_CM-7 - NIST800-53R5_AC-3
- tmp - NIST800-53R5_MP-2
vars: vars:
required_mount: '/tmp' mount_point: "/tmp"
ansible.builtin.set_fact: required_option: nodev
tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['nodev'] }}" notify: &mount_option_notify
changed_when: true - "Remount {{ mount_point }}"
notify: Writing and remounting tmp ansible.builtin.set_fact: &mount_option_set_fact
prelim_mount_point_fs_and_options: |
{{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when
- required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" - name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition"
when: when:
- required_mount in mount_names - prelim_mount_point_fs_and_options[mount_point] is defined
- not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs"
- ubtu24cis_rule_1_1_2_1_3 - ubtu24cis_rule_1_1_2_1_3
- not ubtu24cis_tmp_svc
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -55,18 +71,20 @@
- rule_1.1.2.1.3 - rule_1.1.2.1.3
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
- tmp
vars: vars:
required_mount: '/tmp' mount_point: "/tmp"
required_option: nosuid
notify: *mount_option_notify
ansible.builtin.set_fact: ansible.builtin.set_fact:
tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['nosuid'] }}" <<: *mount_option_set_fact
changed_when: true changed_when: *mount_option_changed_when
notify: Writing and remounting tmp
- name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" - name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition"
when: when:
- required_mount in mount_names - prelim_mount_point_fs_and_options[mount_point] is defined
- not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs"
- ubtu24cis_rule_1_1_2_1_4 - ubtu24cis_rule_1_1_2_1_4
- not ubtu24cis_tmp_svc
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -75,10 +93,40 @@
- rule_1.1.2.1.4 - rule_1.1.2.1.4
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
- tmp
vars: vars:
required_mount: '/tmp' mount_point: "/tmp"
required_option: noexec
notify: *mount_option_notify
ansible.builtin.set_fact: ansible.builtin.set_fact:
tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['noexec'] }}" <<: *mount_option_set_fact
changed_when: true changed_when: *mount_option_changed_when
notify: Writing and remounting tmp
# via systemd
- name: |
"1.1.2.1.1 | PATCH | Ensure /tmp is configured
1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition
1.1.2.1.3 | PATCH | Ensure noexec option set on /tmp partition
1.1.2.1.4 | PATCH | Ensure nosuid option set on /tmp partition"
when:
- ubtu24cis_tmp_svc
- ubtu24cis_rule_1_1_2_1_1 or ubtu24cis_rule_1_1_2_1_2 or ubtu24cis_rule_1_1_2_1_3 or ubtu24cis_rule_1_1_2_1_4
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.1.1
- rule_1.1.2.1.2
- rule_1.1.2.1.3
- rule_1.1.2.1.4
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/tmp"
ansible.builtin.template:
src: etc/systemd/system/tmp.mount.j2
dest: /etc/systemd/system/tmp.mount
owner: root
group: root
mode: 'go-wx'
notify: *mount_option_notify

81
tasks/section_1/cis_1.1.2.2.x.yml
View File

@ -3,6 +3,7 @@
- name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition" - name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition"
when: when:
- ubtu24cis_rule_1_1_2_2_1 - ubtu24cis_rule_1_1_2_2_1
- required_mount not in prelim_mount_names
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -11,48 +12,84 @@
- rule_1.1.2.2.1 - rule_1.1.2.2.1
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
vars: vars:
warn_control_id: '1.1.2.2.1' warn_control_id: "1.1.2.2.1"
required_mount: '/dev/shm' required_mount: "/dev/shm"
block: block:
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check for mount" - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check for mount"
ansible.builtin.command: findmnt -kn "{{ required_mount }}" ansible.builtin.command: findmnt -kn "{{ required_mount }}"
changed_when: false changed_when: false
failed_when: discovered_shm_mount.rc not in [ 0, 1 ] failed_when: discovered_dev_shm_mount.rc not in [ 0, 1 ]
register: discovered_shm_mount register: discovered_dev_shm_mount
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent"
when: discovered_shm_mount is undefined when: discovered_dev_shm_mount is undefined
ansible.builtin.debug: ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Present" - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Present"
when: discovered_shm_mount is undefined when: discovered_dev_shm_mount is undefined
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml
- name: | - name: "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition"
"1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition
1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition
1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition"
when: when:
- discovered_shm_mount is defined - prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_2_2 or - ubtu24cis_rule_1_1_2_2_2
ubtu24cis_rule_1_1_2_2_3 or
ubtu24cis_rule_1_1_2_2_4
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- mounts - mounts
- rule_1.1.2.2.1
- rule_1.1.2.2.2 - rule_1.1.2.2.2
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/dev/shm"
required_option: nodev
notify: &mount_option_notify
- "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact
prelim_mount_point_fs_and_options: |
{{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when
- required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition"
when:
- prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_2_3
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.2.3 - rule_1.1.2.2.3
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
notify: Set_reboot_required vars:
ansible.posix.mount: mount_point: "/dev/shm"
name: /dev/shm required_option: nosuid
src: tmpfs notify: *mount_option_notify
fstype: tmpfs ansible.builtin.set_fact:
state: mounted <<: *mount_option_set_fact
opts: defaults,{% if ubtu24cis_rule_1_1_2_2_2 %}nodev,{% endif %}{% if ubtu24cis_rule_1_1_2_2_3 %}nosuid,{% endif %}{% if ubtu24cis_rule_1_1_2_2_4 %}noexec{% endif %} changed_when: *mount_option_changed_when
- name: "1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition"
when:
- prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_2_4
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.2.4
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/dev/shm"
required_option: noexec
notify: *mount_option_notify
ansible.builtin.set_fact:
<<: *mount_option_set_fact
changed_when: *mount_option_changed_when

81
tasks/section_1/cis_1.1.2.3.x.yml
View File

@ -1,55 +1,74 @@
--- ---
- name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition"
- name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home"
when: when:
- ubtu24cis_rule_1_1_2_3_1 - ubtu24cis_rule_1_1_2_3_1
- "'/home' not in mount_names" - required_mount not in prelim_mount_names
tags: tags:
- level2-server - level1-server
- level2-workstation - level1-workstation
- audit - audit
- mounts - mounts
- rule_1.1.2.3.1 - rule_1.1.2.3.1
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
vars: vars:
warn_control_id: '1.1.2.3.1' warn_control_id: "1.1.2.3.1"
required_mount: '/home' required_mount: "/home"
block: block:
- name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Warn if partition is absent" - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | check for mount"
ansible.builtin.debug: ansible.builtin.command: findmnt -kn "{{ required_mount }}"
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" changed_when: false
register: home_mount_absent failed_when: discovered_home_mount.rc not in [ 0, 1 ]
changed_when: home_mount_absent.skipped is undefined register: discovered_home_mount
- name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Present" - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Absent"
when: discovered_dev_shm_mount is undefined
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
- name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Present"
when: discovered_dev_shm_mount is undefined
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml
# skips if mount is absent - name: "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition"
- name: |
"1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition
1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition
when: when:
- "'/home' in mount_names" - prelim_mount_point_fs_and_options[mount_point] is defined
- item.mount == "/home" - ubtu24cis_rule_1_1_2_3_2
- ubtu24cis_rule_1_1_2_3_2 or
ubtu24cis_rule_1_1_2_3_3
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- mounts - mounts
- rule_1.1.2.3.2 - rule_1.1.2.3.2
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/home"
required_option: nodev
notify: &mount_option_notify
- "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact
prelim_mount_point_fs_and_options: |
{{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when
- required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition"
when:
- prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_3_3
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.3.3 - rule_1.1.2.3.3
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
notify: Set_reboot_required vars:
ansible.posix.mount: mount_point: "/home"
name: /home required_option: nosuid
src: "{{ item.device }}" notify: *mount_option_notify
fstype: "{{ item.fstype }}" ansible.builtin.set_fact:
state: present <<: *mount_option_set_fact
opts: defaults,{% if ubtu24cis_rule_1_1_2_3_2 %}nodev,{% endif %}{% if ubtu24cis_rule_1_1_2_3_3 %}nosuid{% endif %} changed_when: *mount_option_changed_when
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"

78
tasks/section_1/cis_1.1.2.4.x.yml
View File

@ -1,13 +1,13 @@
--- ---
- name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var" - name: "1.1.2.4.1 | PATCH | Ensure /var is a separate partition"
when: when:
- "'/var' not in mount_names"
- ubtu24cis_rule_1_1_2_4_1 - ubtu24cis_rule_1_1_2_4_1
- required_mount not in prelim_mount_names
tags: tags:
- level2-server - level1-server
- level2-workstation - level1-workstation
- patch - audit
- mounts - mounts
- rule_1.1.2.4.1 - rule_1.1.2.4.1
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
@ -15,41 +15,61 @@
warn_control_id: '1.1.2.4.1' warn_control_id: '1.1.2.4.1'
required_mount: '/var' required_mount: '/var'
block: block:
- name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Warn if partition is absent" - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | check for mount"
ansible.builtin.debug: ansible.builtin.command: findmnt -kn "{{ required_mount }}"
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" changed_when: false
register: var_mount_absent failed_when: discovered_var_mount.rc not in [ 0, 1 ]
changed_when: var_mount_absent.skipped is undefined register: discovered_var_mount
- name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Present" - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent"
when: discovered_dev_shm_mount is undefined
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
- name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present"
when: discovered_dev_shm_mount is undefined
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml
# skips if mount is absent - name: "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition"
- name: |
"1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition"
"1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition"
when: when:
- "'/var' in mount_names" - prelim_mount_point_fs_and_options[mount_point] is defined
- item.mount == "/var" - ubtu24cis_rule_1_1_2_4_2
- ubtu24cis_rule_1_1_2_4_2 or
ubtu24cis_rule_1_1_2_4_3
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- mounts - mounts
- rule_1.1.2.4.2 - rule_1.1.2.4.2
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/var"
required_option: nodev
notify: &mount_option_notify
- "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact
prelim_mount_point_fs_and_options: |
{{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when
- required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition"
when:
- prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_4_3
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.4.3 - rule_1.1.2.4.3
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
notify: Set_reboot_required vars:
ansible.posix.mount: mount_point: "/var"
name: /var required_option: nosuid
src: "{{ item.device }}" notify: *mount_option_notify
fstype: "{{ item.fstype }}" ansible.builtin.set_fact:
state: present <<: *mount_option_set_fact
opts: defaults,{% if ubtu24cis_rule_1_1_2_4_2 %}nodev,{% endif %}{% if ubtu24cis_rule_1_1_2_4_3 %}nosuid{% endif %} changed_when: *mount_option_changed_when
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"

98
tasks/section_1/cis_1.1.2.5.x.yml
View File

@ -1,13 +1,12 @@
--- ---
# Skips if mount is absent - name: "1.1.2.5.1 | PATCH | Ensure /var/tmp is a separate partition"
- name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp"
when: when:
- ubtu24cis_rule_1_1_2_5_1 - ubtu24cis_rule_1_1_2_5_1
- "'/var/tmp' not in mount_names" - required_mount not in prelim_mount_names
tags: tags:
- level2-server - level1-server
- level2-workstation - level1-workstation
- audit - audit
- mounts - mounts
- rule_1.1.2.5.1 - rule_1.1.2.5.1
@ -16,44 +15,81 @@
warn_control_id: '1.1.2.5.1' warn_control_id: '1.1.2.5.1'
required_mount: '/var/tmp' required_mount: '/var/tmp'
block: block:
- name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn if partition is absent" - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | check for mount"
ansible.builtin.debug: ansible.builtin.command: findmnt -kn "{{ required_mount }}"
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" changed_when: false
register: var_tmp_mount_absent failed_when: discovered_var_tmp_mount.rc not in [ 0, 1 ]
changed_when: var_tmp_mount_absent.skipped is undefined register: discovered_var_tmp_mount
- name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | Absent"
when: discovered_var_tmp_mount is undefined
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
- name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | Present"
when: discovered_var_tmp_mount is undefined
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml
# skips if mount is absent - name: "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition"
- name: |
"1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition"
"1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition"
"1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition"
when: when:
- "'/var/tmp' in mount_names" - prelim_mount_point_fs_and_options[mount_point] is defined
- item.mount == "/var/tmp" - ubtu24cis_rule_1_1_2_5_2
- ubtu24cis_rule_1_1_2_5_2 or
ubtu24cis_rule_1_1_2_5_3 or
ubtu24cis_rule_1_1_2_5_4
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- mounts - mounts
- rule_1.1.2.5.2 - rule_1.1.2.5.2
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/var/tmp"
required_option: nodev
notify: &mount_option_notify
- "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact
prelim_mount_point_fs_and_options: |
{{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when
- required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition"
when:
- prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_5_3
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.5.3 - rule_1.1.2.5.3
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/var/tmp"
required_option: nosuid
notify: *mount_option_notify
ansible.builtin.set_fact:
<<: *mount_option_set_fact
changed_when: *mount_option_changed_when
- name: "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition"
when:
- prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_5_4
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.5.4 - rule_1.1.2.5.4
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
notify: Set_reboot_required vars:
ansible.posix.mount: mount_point: "/var/tmp"
name: /var/tmp required_option: noexec
src: "{{ item.device }}" notify: *mount_option_notify
fstype: "{{ item.fstype }}" ansible.builtin.set_fact:
state: present <<: *mount_option_set_fact
opts: defaults,{% if ubtu24cis_rule_1_1_2_5_2 %}nodev,{% endif %}{% if ubtu24cis_rule_1_1_2_5_3 %}nosuid,{% endif %}{% if ubtu24cis_rule_1_1_2_5_4 %}noexec{% endif %} changed_when: *mount_option_changed_when
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"

97
tasks/section_1/cis_1.1.2.6.x.yml
View File

@ -1,12 +1,12 @@
--- ---
- name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log" - name: "1/.1 | PATCH | Ensure /var/log is a separate partition"
when: when:
- ubtu24cis_rule_1_1_2_6_1 - ubtu24cis_rule_1_1_2_6_1
- "'/var/log' not in mount_names" - required_mount not in prelim_mount_names
tags: tags:
- level2-server - level1-server
- level2-workstation - level1-workstation
- audit - audit
- mounts - mounts
- rule_1.1.2.6.1 - rule_1.1.2.6.1
@ -15,44 +15,81 @@
warn_control_id: '1.1.2.6.1' warn_control_id: '1.1.2.6.1'
required_mount: '/var/log' required_mount: '/var/log'
block: block:
- name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Warn if partition is absent" - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | check for mount"
ansible.builtin.debug: ansible.builtin.command: findmnt -kn "{{ required_mount }}"
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" changed_when: false
register: var_log_mount_absent failed_when: discovered_var_log_mount.rc not in [ 0, 1 ]
changed_when: var_log_mount_absent.skipped is undefined register: discovered_var_log_mount
- name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Present" - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | Absent"
when: discovered_var_log_mount is undefined
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
- name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | Present"
when: discovered_var_log_mount is undefined
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml
# skips if mount is absent - name: "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition"
- name: |
"1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition"
"1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition"
"1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition"
when: when:
- "'/var/log' in mount_names" - prelim_mount_point_fs_and_options[mount_point] is defined
- item.mount == "/var/log" - ubtu24cis_rule_1_1_2_6_2
- ubtu24cis_rule_1_1_2_6_2 or
ubtu24cis_rule_1_1_2_6_3 or
ubtu24cis_rule_1_1_2_6_4
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- mounts - mounts
- rule_1.1.2.6.2 - rule_1.1.2.6.2
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/var/log"
required_option: nodev
notify: &mount_option_notify
- "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact
prelim_mount_point_fs_and_options: |
{{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when
- required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition"
when:
- prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_6_3
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.6.3 - rule_1.1.2.6.3
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/var/log"
required_option: nosuid
notify: *mount_option_notify
ansible.builtin.set_fact:
<<: *mount_option_set_fact
changed_when: *mount_option_changed_when
- name: "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition"
when:
- prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_6_4
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.6.4 - rule_1.1.2.6.4
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
notify: Set_reboot_required vars:
ansible.posix.mount: mount_point: "/var/log"
name: /var/log required_option: noexec
src: "{{ item.device }}" notify: *mount_option_notify
fstype: "{{ item.fstype }}" ansible.builtin.set_fact:
state: present <<: *mount_option_set_fact
opts: defaults,{% if ubtu24cis_rule_1_1_2_6_2 %}nodev,{% endif %}{% if ubtu24cis_rule_1_1_2_6_3 %}nosuid,{% endif %}{% if ubtu24cis_rule_1_1_2_6_4 %}noexec{% endif %} changed_when: *mount_option_changed_when
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"

97
tasks/section_1/cis_1.1.2.7.x.yml
View File

@ -1,12 +1,12 @@
--- ---
- name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit" - name: "1/.1 | PATCH | Ensure /var/log/audit is a separate partition"
when: when:
- ubtu24cis_rule_1_1_2_7_1 - ubtu24cis_rule_1_1_2_7_1
- "'/var/log/audit' not in mount_names" - required_mount not in prelim_mount_names
tags: tags:
- level2-server - level1-server
- level2-workstation - level1-workstation
- audit - audit
- mounts - mounts
- rule_1.1.2.7.1 - rule_1.1.2.7.1
@ -15,44 +15,81 @@
warn_control_id: '1.1.2.7.1' warn_control_id: '1.1.2.7.1'
required_mount: '/var/log/audit' required_mount: '/var/log/audit'
block: block:
- name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn if partition is absent" - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | check for mount"
ansible.builtin.debug: ansible.builtin.command: findmnt -kn "{{ required_mount }}"
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" changed_when: false
register: var_log_audit_mount_absent failed_when: discovered_var_log_audit_mount.rc not in [ 0, 1 ]
changed_when: var_log_audit_mount_absent.skipped is undefined register: discovered_var_log_audit_mount
- name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | Absent"
when: discovered_var_log_audit_mount is undefined
ansible.builtin.debug:
msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
- name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | Present"
when: discovered_var_log_audit_mount is undefined
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml
# skips if mount is absent - name: "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition"
- name: |
"1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition"
"1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition"
"1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition"
when: when:
- "'/var/log/audit' in mount_names" - prelim_mount_point_fs_and_options[mount_point] is defined
- item.mount == "/var/log/audit" - ubtu24cis_rule_1_1_2_7_2
- ubtu24cis_rule_1_1_2_7_2 or
ubtu24cis_rule_1_1_2_7_3 or
ubtu24cis_rule_1_1_2_7_4
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- mounts - mounts
- rule_1.1.2.7.2 - rule_1.1.2.7.2
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/var/log/audit"
required_option: nodev
notify: &mount_option_notify
- "Remount {{ mount_point }}"
ansible.builtin.set_fact: &mount_option_set_fact
prelim_mount_point_fs_and_options: |
{{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
changed_when: &mount_option_changed_when
- required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
- name: "1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition"
when:
- prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_7_3
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.7.3 - rule_1.1.2.7.3
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
mount_point: "/var/log/audit"
required_option: nosuid
notify: *mount_option_notify
ansible.builtin.set_fact:
<<: *mount_option_set_fact
changed_when: *mount_option_changed_when
- name: "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition"
when:
- prelim_mount_point_fs_and_options[mount_point] is defined
- ubtu24cis_rule_1_1_2_7_4
tags:
- level1-server
- level1-workstation
- patch
- mounts
- rule_1.1.2.7.4 - rule_1.1.2.7.4
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
notify: Set_reboot_required vars:
ansible.posix.mount: mount_point: "/var/log/audit"
name: /var/log/audit required_option: noexec
src: "{{ item.device }}" notify: *mount_option_notify
fstype: "{{ item.fstype }}" ansible.builtin.set_fact:
state: present <<: *mount_option_set_fact
opts: defaults,{% if ubtu24cis_rule_1_1_2_7_2 %}nodev,{% endif %}{% if ubtu24cis_rule_1_1_2_7_3 %}nosuid,{% endif %}{% if ubtu24cis_rule_1_1_2_7_4 %}noexec{% endif %} changed_when: *mount_option_changed_when
loop: "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.device }}"

6
tasks/section_6/cis_6.3.x.yml
View File

@ -52,9 +52,9 @@
state: absent state: absent
- name: "6.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" - name: "6.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE"
when: when: not ansible_check_mode
- not ansible_check_mode ansible.builtin.command: "{{ aide_initiate_command }}"
ansible.builtin.shell: "{{ aide_initiate_command }}" changed_when: true
args: args:
creates: "{{ ubtu24cis_aide_db_file }}" creates: "{{ ubtu24cis_aide_db_file }}"
async: "{{ ubtu24cis_aide_init_async }}" async: "{{ ubtu24cis_aide_init_async }}"

1
vars/main.yml
View File

@ -13,7 +13,6 @@ system_is_container: false
warn_control_list: "" warn_control_list: ""
warn_count: 0 warn_count: 0
# Aide initiate command for new DB creation # Aide initiate command for new DB creation
aide_initiate_command: aideinit -y -f aide_initiate_command: aideinit -y -f