From 8a38650658ed5fc7044395e465990c0000abe892 Mon Sep 17 00:00:00 2001
From: Shawn Hardwick
Date: Wed, 5 Feb 2025 11:59:30 -0500
Subject: [PATCH 1/5] Add ignore_apt_update_changed_when default variable to allow users to specify changed_when behavior of apt update task; allows for idempotency checks (like Molecule)
Signed-off-by: Shawn Hardwick
---
defaults/main.yml | 4 ++++
tasks/prelim.yml | 1 +
2 files changed, 5 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index d37ae5e..54d7aac 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -626,6 +626,10 @@ ubtu24cis_desktop_required: false
# This will also purge any packages not removed via this playbook
ubtu24cis_purge_apt: false
+## Ignore change_when for apt update task
# Modifies behavior of 'changed_when' for 'apt update' task in prelim that always changes
ignore_apt_update_changed_when: false
+
##
## Section 1 Control Variables
##
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index c5eac21..8dbd904 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -55,6 +55,7 @@
tags: always
ansible.builtin.package:
update_cache: true
+ changed_when: not ignore_apt_update_changed_when
- name: Include audit specific variables
when:
From 1cf3c4d58b405072aa5e9f1e6d186f4a9cd230b0 Mon Sep 17 00:00:00 2001
From: Shawn Hardwick
Date: Wed, 5 Feb 2025 12:02:23 -0500
Subject: [PATCH 2/5] Update regexp for rule 2.1.21 to be more strict when updating line in file; allows task to be idempotent with itself
Signed-off-by: Shawn Hardwick
---
tasks/section_2/cis_2.1.x.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml
index 19cacd2..166cd5d 100644
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
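Review bot: `ignore_apt_update_changed_when` in the defaults/main.yml hunk is the only variable in this block without the role's `ubtu24cis_` prefix (compare `ubtu24cis_purge_apt` two lines above it), so an identically named variable from inventory or another role silently overrides it; the same unprefixed name is read in the tasks/prelim.yml hunk of this patch. The new comment also says `change_when` where the task key is `changed_when`. Suggest `ubtu24cis_ignore_apt_update_changed_when: false` with the comment `# When true, the 'apt update' task in prelim no longer reports 'changed' on every run (useful for idempotency checks such as Molecule)`, and the matching reference in tasks/prelim.yml.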
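Review bot: `changed_when: not ignore_apt_update_changed_when` in the tasks/prelim.yml hunk reduces to `changed_when: true` under the default value, which forces a 'changed' result regardless of what `ansible.builtin.package` actually reported; that matches today's behaviour only for as long as the module reports a cache refresh on every run, and it hides the module's verdict once the flag is set. Registering the result keeps that verdict in both modes: `register: prelim_apt_update` and `changed_when: prelim_apt_update.changed and not ignore_apt_update_changed_when`. The task's `name` and `when` lines start outside the hunk.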
@@ -699,7 +699,7 @@
notify: Restart postfix
ansible.builtin.lineinfile:
path: /etc/postfix/main.cf
- regexp: '^(#)?inet_interfaces'
+ regexp: '^(#)?inet_interfaces\s*=(?!\s*loopback-only\s*).*'
line: 'inet_interfaces = loopback-only'
- name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | Message out other main agents"
From 4af134cd74760fdde2cc422b470196a10077eabd Mon Sep 17 00:00:00 2001
From: Shawn Hardwick
Date: Wed, 5 Feb 2025 12:03:30 -0500
Subject: [PATCH 3/5] Update rule 5.4.1.5 to use shell task which supports pipes instead of command task; previously this would silently fail
Signed-off-by: Shawn Hardwick
---
tasks/section_5/cis_5.4.1.x.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml
index ccb0427..bb2019e 100644
--- a/tasks/section_5/cis_5.4.1.x.yml
+++ b/tasks/section_5/cis_5.4.1.x.yml
@@ -130,13 +130,13 @@
- login
block:
- name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | General setting"
- ansible.builtin.command: useradd -D | grep INACTIVE | cut -d= -f2
+ ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2
changed_when: false
failed_when: false
register: discovered_passwd_inactive_setting
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured| Set inactive period for new users"
- when: discovered_passwd_inactive_setting.stdout != ubtu24cis_pass_inactive | string
+ when: discovered_passwd_inactive_setting.stdout != (ubtu24cis_pass_inactive | string)
ansible.builtin.command: useradd -D -f {{ ubtu24cis_pass_inactive }}
failed_when: false
changed_when: true
From a9df5eb9128470245c21d24b8155fd255a7b86f8 Mon Sep 17 00:00:00 2001
From: Shawn Hardwick
Date: Wed, 5 Feb 2025 12:06:02 -0500
Subject: [PATCH 4/5] Set a default variable value for control_1_3_1_4_was_run; if only level1-server tasks are executed, this variable is never set and tasks fail
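Review bot: the new regexp in the tasks/section_2/cis_2.1.x.yml hunk still matches commented-out copies through `^(#)?` while the lookahead now excludes the correct active line; because `lineinfile` rewrites the last matching line, a main.cf holding `inet_interfaces = loopback-only` followed by a commented `#inet_interfaces = ...` would, as far as I can tell, have that comment turned into a second active `inet_interfaces` line on the next run. The trailing `\s*` inside the lookahead is also a no-op since it can match the empty string, so `loopback-only` followed by other text is excluded too. Consider `regexp: '^inet_interfaces\s*=(?!\s*loopback-only\s*$).*'` so only active settings are rewritten, leaving a missing setting to be appended by `line`. The enclosing task starts outside the hunk.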
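Review bot: in the tasks/section_5/cis_5.4.1.x.yml hunk the pipeline's exit status is that of `cut`, so a failing `useradd -D` or an absent `INACTIVE` line gives rc 0 with empty stdout, and `failed_when: false` on the next line discards the rc in any case; the PATCH task below then runs `useradd -D -f` on every execution because `''` never equals the configured value. Running the probe under bash with pipefail, `ansible.builtin.shell: set -o pipefail && useradd -D | grep INACTIVE | cut -d= -f2` with `args:` / `executable: /bin/bash`, makes the failure observable in `rc`, and the PATCH `when` could additionally require `discovered_passwd_inactive_setting.rc == 0` so a broken probe is reported rather than silently 'fixed'. The surrounding `block:` starts outside the hunk.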
Signed-off-by: Shawn Hardwick
---
defaults/main.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 54d7aac..79c677c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -651,6 +651,7 @@ ubtu24cis_tmp_svc: false
# The following variables are related to the set of rules from section 1.6.1.x
## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode
+control_1_3_1_4_was_run: false
# This variable disables the implementation of rules 1.3.1.3 and 1.3.1.4
# regarding enforcing profiles or putting them in complain mode
From 9a2a7ad96f9ee4d257e6dc6d44125fe071346503 Mon Sep 17 00:00:00 2001
From: Shawn Hardwick
Date: Wed, 5 Feb 2025 12:08:20 -0500
Subject: [PATCH 5/5] If prelim_auditd_logfile does not evaluate, check mode will fail on rule 6.2.4.3 with 'file () is absent, cannot continue' error
Signed-off-by: Shawn Hardwick
---
tasks/prelim.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 8dbd904..9930ab5 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -230,6 +230,7 @@
tags: always
ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'"
changed_when: false
+ check_mode: false
failed_when: prelim_auditd_logfile.rc not in [ 0, 1 ]
register: prelim_auditd_logfile
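Review bot: `control_1_3_1_4_was_run: false` in the defaults/main.yml hunk is inserted between the 1.3.1.3/1.3.1.4 banner comment and `# This variable disables the implementation of rules 1.3.1.3 and 1.3.1.4`, so that existing comment now reads as a description of the new marker instead of the disable switch that follows it. Giving the marker its own comment, e.g. `# Run marker presumably set by the 1.3.1.4 task; defaulted here so runs that never reach it (level1-server only) can still reference it`, and placing it after that comment block keeps the section readable. It also lacks the `ubtu24cis_` prefix used by the other defaults, though renaming it would require changing the tasks that set it as well.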
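Review bot: `check_mode: false` in the tasks/prelim.yml hunk lets the probe run under `--check`, but the `failed_when: prelim_auditd_logfile.rc not in [ 0, 1 ]` guard right below it still cannot fire: the rc of `grep ... | awk ...` is awk's, so a missing /etc/audit/auditd.conf (grep rc 2) also yields rc 0 with empty stdout, and rule 6.2.4.3 then sees the same empty file name the commit message describes. Since this is already a shell task, `set -o pipefail && grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'` with `args:` / `executable: /bin/bash` would let that condition reach `failed_when`; alternatively the consuming task could skip when `prelim_auditd_logfile.stdout | length == 0`. The enclosing task starts outside the hunk.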