colin
/
UBUNTU24-CIS
mirror of https://github.com/ansible-lockdown/UBUNTU24-CIS.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

remove fileglob 

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2025-04-11 11:40:11 +01:00
parent 7f0291fbf2
commit b6fb3c7dcc
No known key found for this signature in database
GPG Key ID: 997FF7FE93AEB5B9
4 changed files with 91 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
tasks/prelim.yml
View File

@ -150,6 +150,41 @@
max_int_uid: "{{ prelim_uid_max_id.stdout }}" max_int_uid: "{{ prelim_uid_max_id.stdout }}"
min_int_gid: "{{ prelim_gid_min_id.stdout }}" min_int_gid: "{{ prelim_gid_min_id.stdout }}"
- name: "PRELIM | AUDIT | Capture pam configs related files"
tags: always
ansible.builtin.find:
paths:
- '/usr/share/pam-configs/'
- '/etc/pam.d/'
register: prelim_pam_conf_files
- name: PRELIM | PATCH | Ensure conf.d directory exists required for 5.3.3.2.x
when:
- ubtu24cis_rule_5_3_3_2_1 or
ubtu24cis_rule_5_3_3_2_6
tags: always
ansible.builtin.file:
path: "{{ item.path }}"
state: "{{ item.state }}"
owner: root
group: root
mode: 'g-w,o-rwx'
modification_time: preserve
access_time: preserve
register: prelim_pwquality_dummy
changed_when: prelim_pwquality_dummy.diff == "absent"
loop:
- { path: '/etc/security/pwquality.conf.d', state: 'directory' }
- { path: '/etc/security/pwquality.conf.d/cis_dummy.conf', state: 'touch' }
- name: "PRELIM | AUDIT | Capture pam security related files"
tags: always
ansible.builtin.find:
paths:
- /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: prelim_pam_pwquality_confs
- name: "PRELIM | AUDIT | Interactive Users" - name: "PRELIM | AUDIT | Interactive Users"
tags: always tags: always
ansible.builtin.shell: > ansible.builtin.shell: >

18
tasks/section_5/cis_5.3.3.1.x.yml
View File

@ -28,12 +28,10 @@
- name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | if exists remove deny from faillock line in pam-auth conf files" - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | if exists remove deny from faillock line in pam-auth conf files"
when: discovered_faillock_deny_files.stdout | length > 0 when: discovered_faillock_deny_files.stdout | length > 0
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ item }}" path: "{{ item.path }}"
regexp: '(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)' regexp: '(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)'
replace: \1\2 replace: \1\2
with_fileglob: loop: "{{ prelim_pam_conf_files.files }}"
- '/usr/share/pam-configs/*'
- '/etc/pam.d/*'
- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured" - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured"
when: ubtu24cis_rule_5_3_3_1_2 when: ubtu24cis_rule_5_3_3_1_2
@ -63,12 +61,10 @@
- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | if exists remove unlock_time from faillock line in pam-auth conf files" - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | if exists remove unlock_time from faillock line in pam-auth conf files"
when: discovered_faillock_unlock_files.stdout | length > 0 when: discovered_faillock_unlock_files.stdout | length > 0
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ item }}" path: "{{ item.path }}"
regexp: '(*.pam_faillock.so\s*)unlock_time\s*=\s*\b(.*)' regexp: '(*.pam_faillock.so\s*)unlock_time\s*=\s*\b(.*)'
replace: \1\2 replace: \1\2
with_fileglob: loop: "{{ prelim_pam_conf_files.files }}"
- '/usr/share/pam-configs/*'
- '/etc/pam.d/*'
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account" - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
when: ubtu24cis_rule_5_3_3_1_3 when: ubtu24cis_rule_5_3_3_1_3
@ -98,9 +94,7 @@
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | if exists remove unlock_time from faillock line in pam-auth conf files" - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | if exists remove unlock_time from faillock line in pam-auth conf files"
when: discovered_faillock_rootlock_files.stdout | length > 0 when: discovered_faillock_rootlock_files.stdout | length > 0
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ item }}" path: "{{ item.path }}"
regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)' regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)'
replace: \1\3 replace: \1\3
with_fileglob: loop: "{{ prelim_pam_conf_files.files }}"
- '/usr/share/pam-configs/*'
- '/etc/pam.d/*'

84
tasks/section_5/cis_5.3.3.2.x.yml
View File

@ -11,15 +11,15 @@
- pam - pam
block: block:
- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from conf files except expected file" - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from conf files except expected file"
when: item != ubtu24cis_passwd_difok_file when: "ubtu24cis_passwd_difok_file not in item.path"
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ item }}" path: "{{ item.path }}"
regexp: 'difok\s*=\s*\d+\b' regexp: 'difok\s*=\s*\d+\b'
replace: '' replace: ''
with_fileglob: with_items:
- '/etc/security/pwquality.conf' - "{{ prelim_pam_pwquality_confs.files }}"
- '/etc/security/pwquality.conf.d/*.conf' - { path: '/etc/security/pwquality.conf'}
- '/etc/pam.d/common-password' - { path: '/etc/pam.d/common-password' }
- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists" - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists"
ansible.builtin.template: ansible.builtin.template:
@ -40,15 +40,15 @@
- pam - pam
block: block:
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file" - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file"
when: item != ubtu24cis_passwd_minlen_file when: "ubtu24cis_passwd_minlen_file not in item.path"
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ item }}" path: "{{ item.path }}"
regexp: 'minlen\s*=\s*\d+\b' regexp: 'minlen\s*=\s*\d+\b'
replace: '' replace: ''
with_fileglob: with_items:
- '/etc/security/pwquality.conf' - "{{ prelim_pam_pwquality_confs.files }}"
- '/etc/security/pwquality.conf.d/*.conf' - { path: '/etc/security/pwquality.conf'}
- '/etc/pam.d/common-password' - { path: '/etc/pam.d/common-password' }
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists" - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists"
ansible.builtin.template: ansible.builtin.template:
@ -69,15 +69,15 @@
- pam - pam
block: block:
- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove pwd complex settings from conf files except expected file" - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove pwd complex settings from conf files except expected file"
when: item != ubtu24cis_passwd_complex_file when: "ubtu24cis_passwd_complex_file not in item.path"
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ item }}" path: "{{ item.path }}"
regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b' regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b'
replace: '' replace: ''
with_fileglob: with_items:
- '/etc/security/pwquality.conf' - "{{ prelim_pam_pwquality_confs.files }}"
- '/etc/security/pwquality.conf.d/*.conf' - { path: '/etc/security/pwquality.conf'}
- '/etc/pam.d/common-password' - { path: '/etc/pam.d/common-password' }
- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists" - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists"
ansible.builtin.template: ansible.builtin.template:
@ -98,15 +98,15 @@
- pam - pam
block: block:
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file" - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file"
when: item != ubtu24cis_passwd_maxrepeat_file when: "ubtu24cis_passwd_maxrepeat_file not in item.path"
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ item }}" path: "{{ item.path }}"
regexp: 'maxrepeat\s*=\s*\d+\b' regexp: 'maxrepeat\s*=\s*\d+\b'
replace: '' replace: ''
with_fileglob: with_items:
- '/etc/security/pwquality.conf' - "{{ prelim_pam_pwquality_confs.files }}"
- '/etc/security/pwquality.conf.d/*.conf' - { path: '/etc/security/pwquality.conf'}
- '/etc/pam.d/common-password' - { path: '/etc/pam.d/common-password' }
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists" - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists"
ansible.builtin.template: ansible.builtin.template:
@ -127,15 +127,15 @@
- pam - pam
block: block:
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence settings from conf files except expected file" - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence settings from conf files except expected file"
when: item != ubtu24cis_passwd_maxsequence_file when: "ubtu24cis_passwd_maxsequence_file not in item.path"
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ item }}" path: "{{ item.path }}"
regexp: 'maxsequence\s*=\s*\d+\b' regexp: 'maxsequence\s*=\s*\d+\b'
replace: '' replace: ''
with_fileglob: with_items:
- '/etc/security/pwquality.conf' - "{{ prelim_pam_pwquality_confs.files }}"
- '/etc/security/pwquality.conf.d/*.conf' - { path: '/etc/security/pwquality.conf'}
- '/etc/pam.d/common-password' - { path: '/etc/pam.d/common-password' }
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists" - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists"
ansible.builtin.template: ansible.builtin.template:
@ -156,15 +156,15 @@
- pam - pam
block: block:
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file" - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file"
when: item != ubtu24cis_passwd_dictcheck_file when: "ubtu24cis_passwd_dictcheck_file not in item.path"
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ item }}" path: "{{ item.path }}"
regexp: 'dictcheck\s*=\s*\d+\b' regexp: 'dictcheck\s*=\s*\d+\b'
replace: '' replace: ''
with_fileglob: with_items:
- '/etc/security/pwquality.conf' - "{{ prelim_pam_pwquality_confs.files }}"
- '/etc/security/pwquality.conf.d/*.conf' - { path: '/etc/security/pwquality.conf'}
- '/etc/pam.d/common-password' - { path: '/etc/pam.d/common-password' }
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists" - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists"
ansible.builtin.template: ansible.builtin.template:
@ -185,15 +185,15 @@
- pam - pam
block: block:
- name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Remove quality enforcement settings from conf files except expected file" - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Remove quality enforcement settings from conf files except expected file"
when: item != ubtu24cis_passwd_quality_enforce_file when: "ubtu24cis_passwd_quality_enforce_file not in item.path"
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ item }}" path: "{{ item.path }}"
regexp: 'enforcing\s*=\s*\d+\b' regexp: 'enforcing\s*=\s*\d+\b'
replace: '' replace: ''
with_fileglob: with_items:
- '/etc/security/pwquality.conf' - "{{ prelim_pam_pwquality_confs.files }}"
- '/etc/security/pwquality.conf.d/*.conf' - { path: '/etc/security/pwquality.conf'}
- '/etc/pam.d/common-password' - { path: '/etc/pam.d/common-password' }
- name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Ensure quality enforcement file exists" - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Ensure quality enforcement file exists"
ansible.builtin.template: ansible.builtin.template:

13
tasks/section_6/cis_6.1.4.1.yml
View File

@ -30,11 +30,14 @@
loop: "{{ discovered_logfiles.stdout_lines }}" loop: "{{ discovered_logfiles.stdout_lines }}"
- name: "6.1.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" - name: "6.1.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
when:
- discovered_system_logfiles.stdout_lines is defined
- item == "/var/log/btmp"
- item == "/var/log/utmp"
- item == "/var/log/wtmp"
- item == "/var/log/lastlog"
- "'sssd' in item or 'SSSD' in item"
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
mode: 'ug-x,o-wx' mode: 'ug-x,o-wx'
with_fileglob: loop: "{{ discovered_system_logfiles.stdout_lines }}"
- "/var/log/*tmp"
- "/var/log/lastlog*"
- "/var/log/sssd*"
- "/var/log/SSSD*"