lint updated spacing and multiple improvements

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2024-12-06 14:16:39 +00:00
parent 6484302013
commit e7d6d56fb9
69 changed files with 995 additions and 1224 deletions


@ -1,6 +1,6 @@
MIT License
Copyright (c) 2023 MindPoint Group / Lockdown Enterprise / Lockdown Enterprise Releases
Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal


@ -1,14 +1,14 @@
---
collections:
- name: community.general
source: https://github.com/ansible-collections/community.general
type: git
- name: community.general
source: https://github.com/ansible-collections/community.general
type: git
- name: community.crypto
source: https://github.com/ansible-collections/community.crypto
type: git
- name: community.crypto
source: https://github.com/ansible-collections/community.crypto
type: git
- name: ansible.posix
source: https://github.com/ansible-collections/ansible.posix
type: git
- name: ansible.posix
source: https://github.com/ansible-collections/ansible.posix
type: git


@ -828,67 +828,67 @@ ubtu24cis_sshd_default_kex_algorithms:
- diffie-hellman-group18-sha512
- diffie-hellman-group14-sha256
ubtu24cis_sshd:
# This variable is used to control the verbosity of the logging produced by the SSH server.
# The options for setting it are as follows:
# - `QUIET`: Minimal logging;
# - `FATAL`: logs only fatal errors;
# - `ERROR`: logs error messages;
# - `INFO`: logs informational messages in addition to errors;
# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
# - `DEBUG`: generates very detailed debugging information including sensitive information.
log_level: "{{ ubtu24cis_sshd_default_log_level }}"
# This variable specifies the maximum number of authentication attempts that are
# allowed for a single SSH session.
max_auth_tries: "{{ubtu24cis_sshd_default_max_auth_tries}}"
# This variable specifies the encryption algorithms that can be used for securing
# data transmission.
ciphers: "{{ ubtu24cis_sshd_default_ciphers }}"
# This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying
# the integrity of data exchanged.
macs: "{{ ubtu24cis_sshd_default_macs }}"
# This variable is used to state the key exchange algorithms used to establish secure encryption
# keys during the initial connection setup.
kex_algorithms: "{{ ubtu24cis_sshd_default_kex_algorithms }}"
# This variable sets the time interval in seconds between sending "keep-alive"
# messages from the server to the client. These types of messages are intended to
# keep the connection alive and prevent it being terminated due to inactivity.
client_alive_interval: "{{ ubtu24cis_sshd_default_client_alive_interval }}"
# This variable sets the maximum number of unresponsive "keep-alive" messages
# that can be sent from the server to the client before the connection is considered
# inactive and thus, closed.
client_alive_count_max: "{{ ubtu24cis_sshd_default_client_alive_count_max }}"
# This variable specifies the amount of seconds allowed for successful authentication to
# the SSH server.
login_grace_time: "{{ ubtu24cis_sshd_default_login_grace_time }}"
# This variables is used to set the maximum number of open sessions per connection.
max_sessions: "{{ ubtu24cis_sshd_default_max_sessions }}"
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
# access for users whose user name matches one of the patterns. This is done
# by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
# If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
allow_users: ""
# (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
# for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, https://linux.die.net/man/5/sshd_config
allow_groups: ""
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
# for users whose user name matches one of the patterns. This is done
# by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
# If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
deny_users: ""
# This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
# for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
deny_groups: ""
# SSH Settings
# This variable is used to control the verbosity of the logging produced by the SSH server.
# The options for setting it are as follows:
# - `QUIET`: Minimal logging;
# - `FATAL`: logs only fatal errors;
# - `ERROR`: logs error messages;
# - `INFO`: logs informational messages in addition to errors;
# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
# - `DEBUG`: generates very detailed debugging information including sensitive information.
ubtu24cis_sshd_log_level: "{{ ubtu24cis_sshd_default_log_level }}"
# This variable specifies the maximum number of authentication attempts that are
# allowed for a single SSH session.
ubtu24cis_sshd_max_auth_tries: "{{ ubtu24cis_sshd_default_max_auth_tries }}"
# This variable specifies the encryption algorithms that can be used for securing
# data transmission.
ubtu24cis_sshd_ciphers: "{{ ubtu24cis_sshd_default_ciphers }}"
# This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying
# the integrity of data exchanged.
ubtu24cis_sshd_macs: "{{ ubtu24cis_sshd_default_macs }}"
# This variable is used to state the key exchange algorithms used to establish secure encryption
# keys during the initial connection setup.
ubtu24cis_sshd_kex_algorithms: "{{ ubtu24cis_sshd_default_kex_algorithms }}"
# This variable sets the time interval in seconds between sending "keep-alive"
# messages from the server to the client. These types of messages are intended to
# keep the connection alive and prevent it being terminated due to inactivity.
ubtu24cis_sshd_client_alive_interval: "{{ ubtu24cis_sshd_default_client_alive_interval }}"
# This variable sets the maximum number of unresponsive "keep-alive" messages
# that can be sent from the server to the client before the connection is considered
# inactive and thus, closed.
ubtu24cis_sshd_client_alive_count_max: "{{ ubtu24cis_sshd_default_client_alive_count_max }}"
# This variable specifies the amount of seconds allowed for successful authentication to
# the SSH server.
ubtu24cis_sshd_login_grace_time: "{{ ubtu24cis_sshd_default_login_grace_time }}"
# This variables is used to set the maximum number of open sessions per connection.
ubtu24cis_sshd_max_sessions: "{{ ubtu24cis_sshd_default_max_sessions }}"
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
# access for users whose user name matches one of the patterns. This is done
# by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
# If an USER@HOST format will be used, the specified user will be allowed only on that particular host.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
ubtu24cis_sshd_allow_users: ""
# (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
# for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, https://linux.die.net/man/5/sshd_config
ubtu24cis_sshd_allow_groups: ""
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access
# for users whose user name matches one of the patterns. This is done
# by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file.
# If an USER@HOST format will be used, the specified user will be restricted only on that particular host.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
ubtu24cis_sshd_deny_users: ""
# This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access
# for users whose primary group or supplementary group list matches one of the patterns. This is done
# by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file.
# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
# For more info, see https://linux.die.net/man/5/sshd_config
ubtu24cis_sshd_deny_groups: ""
## Control 5.2.1
# This variable represents the name of the sudo package to install
@ -1015,22 +1015,22 @@ ubtu24cis_pamd_pwhistory_remember: 24
## Controls 5.4.1.x - Password settings
ubtu24cis_pass:
## Control 5.4.1.1
# This variable governs after how many days a password expires.
# CIS requires a value of 365 or less.
max_days: 365
## Control 5.4.1.2
# This variable specifies the minimum number of days allowed between changing passwords.
# CIS requires a value of at least 1.
min_days: 1
## Control 5.5.1.3
# This variable governs, how many days before a password expires, the user will be warned.
# CIS requires a value of at least 7.
warn_age: 7
## Control 5.4.1.5
# This variable specifies the number of days of inactivity before an account will be locked.
# CIS requires a value of 45 days or less.
inactive: 45
## Control 5.4.1.1
# This variable governs after how many days a password expires.
# CIS requires a value of 365 or less.
ubtu24cis_pass_max_days: 365
## Control 5.4.1.2
# This variable specifies the minimum number of days allowed between changing passwords.
# CIS requires a value of at least 1.
ubtu24cis_pass_min_days: 1
## Control 5.5.1.3
# This variable governs, how many days before a password expires, the user will be warned.
# CIS requires a value of at least 7.
ubtu24cis_pass_warn_age: 7
## Control 5.4.1.5
# This variable specifies the number of days of inactivity before an account will be locked.
# CIS requires a value of 45 days or less.
ubtu24cis_pass_inactive: 45
# 5.4.2.6 root umask
ubtu24cis_root_umask: '0027' # 0027 or more restrictive
@ -1062,7 +1062,6 @@ ubtu24cis_shell_session_file: /etc/profile.d/tmout.sh
##
## Section 6 Control Variables
##
# Set which syslog service
# journald or rsyslog
ubtu24cis_syslog_service: 'journald'
@ -1105,6 +1104,11 @@ ubtu24cis_journald_runtimekeepfree: "#RuntimeKeepFree="
# ATTENTION: Uncomment the keyword below when values are set!
ubtu24cis_journald_maxfilesec: "#MaxFileSec="
# 6.1.3.8
# ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation
# To conform to CIS standards this just needs to comply with your site policy
ubtu24cis_logrotate: "daily"
## Controls 6.2.3.x - Audit template
# This variable is set to true by tasks 6.2.3.1 to 6.2.3.20. As a result, the
# audit settings are overwritten with the role's template. In order to exclude
@ -1120,11 +1124,6 @@ ubtu24cis_allow_auditd_uid_user_exclusions: false
ubtu24cis_auditd_uid_exclude:
- 1999
# 6.1.3.8
# ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation
# To conform to CIS standards this just needs to comply with your site policy
ubtu24cis_logrotate: "daily"
## Control 6.2.1.4 - Ensure audit_backlog_limit is sufficient
# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
# system can buffer in memory, if the audit subsystem is unable to process them in real-time.
@ -1177,7 +1176,7 @@ ubtu24cis_auditd_disk_error_action: syslog
ubtu24cis_auditd_space_left_action: email
ubtu24cis_auditd_admin_space_left_action: halt
## Control 6.2.x - allow aide to be configured
## Control 6.3.x - allow aide to be configured
# AIDE is a file integrity checking tool, similar in nature to Tripwire.
# While it cannot prevent intrusions, it can detect unauthorized changes
# to configuration files by alerting when the files are changed. Review
@ -1185,15 +1184,24 @@ ubtu24cis_auditd_admin_space_left_action: halt
# By setting this variable to `true`, all of the settings related to AIDE will be applied!
ubtu24cis_config_aide: true
# If DB file older than below will automatically rebuild DB
# e.g. options:1w = 1 week, 1d = 1day 1h = 1 hour
ubtu24cis_aide_db_file_age: 1w
# If aide already setup this forces a new DB to be created
ubtu24cis_aide_db_recreate: false
# allows to change db file, not config need to be adjusted too
ubtu24cis_aide_db_file: /var/lib/aide/aide.db
## When Initializing aide this can take longer on some systems
# changing the values enables user to change to thier own requirements
ubtu24cis_aide_init:
# Maximum Time in seconds
async: 45
# Polling Interval in seconds
poll: 0
# Maximum Time in seconds
ubtu24cis_aide_init_async: 600
# Polling Interval in seconds
ubtu24cis_aide_init_poll: 15
## Control 6.3
## Control 6.3.x
# Set how aide is scanned either cron or timer
ubtu24cis_aide_scan: cron
# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE.
@ -1201,36 +1209,36 @@ ubtu24cis_aide_scan: cron
# the cron job on the target system.
# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled
# and executed automatically at a certain point in time.
ubtu24cis_aide_cron:
# This variable represents the user account under which the cron job for AIDE will run.
cron_user: root
# This variable represents the path to the AIDE crontab file.
cron_file: /etc/cron.d/aide_cron
# This variable represents the actual command or script that the cron job
# will execute for running AIDE.
aide_job: '/usr/bin/aide --config /etc/aide/aide.conf --check'
# These variables define the schedule for the cron job
# This variable governs the minute of the time of day when the AIDE cronjob is run.
# It must be in the range `0-59`.
aide_minute: 0
# This variable governs the hour of the time of day when the AIDE cronjob is run.
# It must be in the range `0-23`.
aide_hour: 5
# This variable governs the day of the month when the AIDE cronjob is run.
# `*` signifies that the job is run on all days; furthermore, specific days
# can be given in the range `1-31`; several days can be concatenated with a comma.
# The specified day(s) can must be in the range `1-31`.
aide_day: '*'
# This variable governs months when the AIDE cronjob is run.
# `*` signifies that the job is run in every month; furthermore, specific months
# can be given in the range `1-12`; several months can be concatenated with commas.
# The specified month(s) can must be in the range `1-12`.
aide_month: '*'
# This variable governs the weekdays, when the AIDE cronjob is run.
# `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
# can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
# can be concatenated with commas.
aide_weekday: '*'
# This variable represents the user account under which the cron job for AIDE will run.
ubtu24cis_aide_cron_user: root
# This variable represents the path to the AIDE crontab file.
ubtu24cis_aide_cron_file: /etc/cron.d/aide_cron
# This variable represents the actual command or script that the cron job
# will execute for running AIDE.
ubtu24cis_aide_cron_job: '/usr/bin/aide --config /etc/aide/aide.conf --check'
# These variables define the schedule for the cron job
# This variable governs the minute of the time of day when the AIDE cronjob is run.
# It must be in the range `0-59`.
ubtu24cis_aide_cron_minute: 0
# This variable governs the hour of the time of day when the AIDE cronjob is run.
# It must be in the range `0-23`.
ubtu24cis_aide_cron_hour: 5
# This variable governs the day of the month when the AIDE cronjob is run.
# `*` signifies that the job is run on all days; furthermore, specific days
# can be given in the range `1-31`; several days can be concatenated with a comma.
# The specified day(s) can must be in the range `1-31`.
ubtu24cis_aide_cron_day: '*'
# This variable governs months when the AIDE cronjob is run.
# `*` signifies that the job is run in every month; furthermore, specific months
# can be given in the range `1-12`; several months can be concatenated with commas.
# The specified month(s) can must be in the range `1-12`.
ubtu24cis_aide_cron_month: '*'
# This variable governs the weekdays, when the AIDE cronjob is run.
# `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
# can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
# can be concatenated with commas.
ubtu24cis_aide_cron_weekday: '*'
##
## Section 7 Control Variables
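Review bot: Flattening `ubtu24cis_sshd`, `ubtu24cis_pass`, `ubtu24cis_aide_init` and `ubtu24cis_aide_cron` into top-level `ubtu24cis_*` keys silently discards any override a user carries in inventory or group_vars under the old nested names, and for this role that means their AllowUsers/DenyUsers patterns or password-ageing values fall back to the defaults with no error at all. A prelim assert such as `that: ubtu24cis_sshd is not defined and ubtu24cis_pass is not defined and ubtu24cis_aide_init is not defined and ubtu24cis_aide_cron is not defined` with a fail_msg naming the new variables would turn that silent downgrade into a loud one, and the rename belongs in the changelog. Note also that the nested `aide_job` became `ubtu24cis_aide_cron_job` rather than a mechanical `ubtu24cis_aide_cron_aide_job`, so the cron template and any task reading it must be updated in step (not visible in this section).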


@ -10,7 +10,7 @@
dest: /etc/systemd/system/tmp.mount
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
with_items:
- "{{ ansible_facts.mounts }}"
loop_control:
@ -35,15 +35,16 @@
listen: Writing and remounting tmp
- name: Update_Initramfs
ansible.builtin.shell: update-initramfs -u
ansible.builtin.command: update-initramfs -u
changed_when: true
notify: Set_reboot_required
- name: Remount tmp
when:
- "'/tmp' in mount_names"
ansible.posix.mount:
path: /tmp
state: remounted
when:
- "'/tmp' in mount_names"
listen: Writing and remounting tmp
- name: Remount var
@ -78,7 +79,8 @@
state: remounted
- name: Grub update
ansible.builtin.shell: update-grub
ansible.builtin.command: update-grub
changed_when: true
failed_when: false
notify: Set_reboot_required
@ -92,7 +94,8 @@
daemon_reload: true
- name: Update dconf
ansible.builtin.shell: dconf update
ansible.builtin.command: dconf update
changed_when: true
failed_when: false
- name: Restart postfix
@ -136,51 +139,51 @@
state: reloaded
- name: Iptables persistent
ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4"
changed_when: ubtu24cis_iptables_save.rc == 0
failed_when: ubtu24cis_iptables_save.rc > 0
register: ubtu24cis_iptables_save
ansible.builtin.command: bash -c "iptables-save > /etc/iptables/rules.v4"
changed_when: true
- name: Ip6tables persistent
ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6"
changed_when: ubtu24cis_ip6tables_save.rc == 0
failed_when: ubtu24cis_ip6tables_save.rc > 0
register: ubtu24cis_ip6tables_save
ansible.builtin.command: bash -c "ip6tables-save > /etc/iptables/rules.v6"
changed_when: true
- name: Pam_auth_update_pwunix
ansible.builtin.shell: pam-auth-update --enable {{ ubtu24cis_pam_pwunix_file }}
ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwunix_file }}
changed_when: true
- name: Pam_auth_update_pwfaillock
ansible.builtin.shell: pam-auth-update --enable {{ ubtu24cis_pam_faillock_file }}
ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_faillock_file }}
changed_when: true
- name: Pam_auth_update_pwfaillock_notify
ansible.builtin.shell: pam-auth-update --enable {{ ubtu24cis_pam_faillock_notify_file }}
ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_faillock_notify_file }}
changed_when: true
- name: Pam_auth_update_pwquality
ansible.builtin.shell: pam-auth-update --enable {{ ubtu24cis_pam_pwquality_file }}
ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwquality_file }}
changed_when: true
- name: Pam_auth_update_pwhistory
ansible.builtin.shell: pam-auth-update --enable {{ ubtu24cis_pam_pwhistory_file }}
ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwhistory_file }}
changed_when: true
- name: Auditd rules reload
when:
- not prelim_auditd_immutable_check or
'"No change" not in ubtu24cis_rule_6_2_3_21_grep -iR augen_check.stdout'
ansible.builtin.shell: augenrules --load
ansible.builtin.command: augenrules --load
changed_when: true
- name: Audit_immutable_fact
when:
- audit_rules_updated.changed
- discovered_audit_rules_updated.changed
- auditd_immutable_check is defined
ansible.builtin.debug:
msg: "Reboot required for auditd to apply new rules as immutable set"
notify: Set_reboot_required
- name: Restart auditd
when:
- audit_rules_updated is defined
tags:
- skip_ansible_lint
when: discovered_audit_rules_updated is defined
tags: skip_ansible_lint
ansible.builtin.shell: service auditd restart
- name: Restart sshd
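Review bot: The relative symbolic mode `mode: 'u-x,go-wx'` on the tmp.mount template makes the resulting permission depend on the umask the temporary file was created under and on whatever bits the file already had, whereas the octal `'0644'` it replaces pinned the outcome; a hardening role should state the full mode, e.g. `mode: 'u=rw,g=r,o=r'` (or keep the octal). The same applies to the `u+x,go-w`, `go-wx` and `go-w` modes introduced in LE_audit_setup.yml, audit_only.yml and pre_remediation_audit.yml in this commit. In the `Iptables persistent` and `Ip6tables persistent` handlers, wrapping the redirect in `bash -c` only hides it from the `command` module; `ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4` is the honest form and should satisfy ansible-lint since the redirect is a genuine shell feature. The `Restart sshd` handler's body lies outside the hunk.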


@ -1,28 +1,28 @@
---
galaxy_info:
author: "Mark Bolwell"
description: "Apply the Ubuntu 24 CIS benchmarks"
company: "MindPoint Group"
license: MIT
namespace: mindpointgroup
role_name: ubuntu24_cis
min_ansible_version: 2.12.1
platforms:
- name: Ubuntu
versions:
- jammy
galaxy_tags:
- system
- security
- cis
- hardening
- benchmark
- compliance
- complianceascode
- ubuntu24
author: "Mark Bolwell"
description: "Apply the Ubuntu 24 CIS benchmarks"
company: "MindPoint Group"
license: MIT
namespace: mindpointgroup
role_name: ubuntu24_cis
min_ansible_version: 2.12.1
platforms:
- name: Ubuntu
versions:
- jammy
galaxy_tags:
- system
- security
- cis
- hardening
- benchmark
- compliance
- complianceascode
- ubuntu24
collections:
- community.general
- community.crypto
- ansible.posix
- community.general
- community.crypto
- ansible.posix
dependencies: []


@ -1,8 +1,7 @@
---
- hosts: all
- name: Run CIS benchmark
hosts: all
become: true
roles:
- role: "{{ playbook_dir }}"
- role: "{{ playbook_dir }}"


@ -20,13 +20,13 @@
owner: root
group: root
checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
mode: '0555'
mode: 'u+x,go-w'
- name: Pre Audit Setup | Copy audit binary
when: get_audit_binary_method == 'copy'
ansible.builtin.copy:
src: "{{ audit_bin_copy_location }}"
dest: "{{ audit_bin }}"
mode: '0555'
owner: root
group: root
mode: 'u+x,go-w'


@ -2,29 +2,27 @@
- name: Audit_Only | Create local Directories for hosts
when: fetch_audit_files
delegate_to: localhost
become: false
ansible.builtin.file:
mode: '0755'
mode: 'u+x,go-w'
path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
recurse: true
state: directory
delegate_to: localhost
become: false
- name: Audit_only | Get audits from systems and put in group dir
when: fetch_audit_files
ansible.builtin.fetch:
dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
flat: true
mode: '0644'
mode: 'go-wx'
src: "{{ pre_audit_outfile }}"
- name: Audit_only | Show Audit Summary
when:
- audit_only
when: audit_only
ansible.builtin.debug:
msg: "{{ audit_results.split('\n') }}"
- name: Audit_only | Stop Playbook Audit Only selected
when:
- audit_only
when: audit_only
ansible.builtin.meta: end_play


@ -7,8 +7,8 @@
dest: /etc/audit/rules.d/99_auditd.rules
owner: root
group: root
mode: '0640'
register: audit_rules_updated
mode: 'u-x,go-wx'
register: discovered_audit_rules_updated
notify:
- Auditd rules reload
- Audit_immutable_fact
@ -22,7 +22,7 @@
dest: /etc/audit/rules.d/98_auditd_exceptions.rules
owner: root
group: root
mode: '0600'
mode: 'u-x,go-rwx'
notify: Restart auditd
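Review bot: `mode: 'u-x,go-wx'` on /etc/audit/rules.d/99_auditd.rules no longer withholds the other-read bit that the replaced `'0640'` did, so a freshly templated file under the usual 022 umask ends up 0644 and the audit rule set becomes world-readable. Use an absolute form such as `mode: 'u=rw,g=r,o='` (or keep `'0640'`). The `'u-x,go-rwx'` on 98_auditd_exceptions.rules is fine because it strips every group/other bit, and the rename to `discovered_audit_rules_updated` is matched by the handlers file in this commit.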
- name: POST | AUDITD | Flush handlers


@ -4,14 +4,12 @@
when:
- ansible_facts.distribution == 'Ubuntu'
- ansible_facts.distribution_major_version is version_compare('24', '!=')
tags:
- always
tags: always
ansible.builtin.fail:
msg: "This role can only be run against Ubuntu 24. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
- name: Check ansible version
tags:
- always
tags: always
ansible.builtin.assert:
that: ansible_version.full is version_compare(min_ansible_version, '>=')
fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
@ -22,39 +20,36 @@
when:
- ubtu24cis_rule_5_2_4
- ansible_env.SUDO_USER is defined
tags:
- always
tags: always
block:
- name: Capture current password state of connecting user"
ansible.builtin.shell: "grep -w {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'"
changed_when: false
failed_when: false
check_mode: false
register: ansible_user_password_set
register: prelim_ansible_user_password_set
- name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked"
- name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" # noqa name[template]
ansible.builtin.assert:
that: ansible_user_password_set.stdout != "!!" and ansible_user_password_set.stdout | length > 10
that: prelim_ansible_user_password_set.stdout != "!!" and prelim_ansible_user_password_set.stdout | length > 10
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
success_msg: "You have a password set for sudo user {{ ansible_env.SUDO_USER }}"
vars:
sudo_password_rule: ubtu24cis_rule_5_2_4 # pragma: allowlist secret
- name: Ensure root password is set
when:
- ubtu24cis_rule_5_4_2_4
tags:
- always
when: ubtu24cis_rule_5_4_2_4
tags: always
block:
- name: Ensure root password is set
ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|root P |Password locked)"
changed_when: false
failed_when: false
register: root_passwd_set
register: prelim_root_passwd_set
- name: Ensure root password is set
ansible.builtin.assert:
that: root_passwd_set.rc == 0
that: prelim_root_passwd_set.rc == 0
fail_msg: "You have rule 5.4.2.4 enabled this requires that you have a root password set - Please manually set a root password"
success_msg: "You have a root password set"
@ -62,16 +57,14 @@
when:
- ubtu24cis_set_boot_pass
- ubtu24cis_rule_1_4_1
tags:
- always
tags: always
ansible.builtin.assert:
that: ubtu24cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu24cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as ubtu24cis_bootloader_password_hash variable has not been set correctly"
- name: Check ubtu24cis_grub_user password variable has been changed
when: ubtu24cis_rule_1_4_1
tags:
- always
tags: always
block:
- name: Check ubtu24cis_grub_user password variable has been changed | check password is set
ansible.builtin.shell: "grep ^{{ ubtu24cis_grub_user }} /etc/shadow | awk -F : '{print $2}'"
@ -88,8 +81,7 @@
msg: "This role will not set the {{ ubtu24cis_grub_user }} user password is not set or ubtu24cis_grub_user_passwd variable has not been set correctly"
- name: Check ubtu24cis_grub_user password variable has been changed | if password blank or incorrect type and not being set
when:
- not ubtu24cis_set_grub_user_pass
when: not ubtu24cis_set_grub_user_pass
ansible.builtin.assert:
that: ( ubtu24cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu24cis_password_set_grub_user.stdout
fail_msg: "Grub User {{ ubtu24cis_grub_user }} has no password set or incorrect encryption"
@ -99,9 +91,7 @@
when:
- ansible_connection == 'docker' or
ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- container_discovery
- always
tags: always
block:
- name: Discover and set container variable if required
ansible.builtin.set_fact:
@ -112,28 +102,22 @@
file: "{{ container_vars_file }}"
- name: Output if discovered is a container
when:
- system_is_container
when: system_is_container
ansible.builtin.debug:
msg: system has been discovered as a container
- name: Gather the package facts before prelim
tags:
- always
tags: always
ansible.builtin.package_facts:
manager: auto
- name: Run prelim tasks
tags:
- prelim_tasks
- run_audit
- always
tags: always
ansible.builtin.import_tasks:
file: prelim.yml
- name: Gather the package facts after prelim
tags:
- always
tags: always
ansible.builtin.package_facts:
manager: auto
@ -142,8 +126,7 @@
- ubtu24cis_section5 or
ubtu24cis_section6 or
ubtu24cis_section7
tags:
- always
tags: always
ansible.builtin.import_tasks:
file: parse_etc_password.yml
@ -184,8 +167,7 @@
- name: Run auditd logic
when: update_audit_template
tags:
- always
tags: always
ansible.builtin.import_tasks:
file: auditd.yml
@ -193,42 +175,33 @@
ansible.builtin.meta: flush_handlers
- name: Reboot system
tags:
- always
when: change_requires_reboot
tags: always
block:
- name: Reboot system if not skipped
when:
- not skip_reboot
- change_requires_reboot
when: not skip_reboot
ansible.builtin.reboot:
- name: Warning a reboot required but skip option set
when:
- skip_reboot
- change_requires_reboot
when: skip_reboot
ansible.builtin.debug:
msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
changed_when: true
- name: Run post remediation audit
when:
- run_audit
tags:
- run_audit
when: run_audit
tags: run_audit
ansible.builtin.import_tasks:
file: post_remediation_audit.yml
- name: Show Audit Summary
when:
- run_audit
tags:
- run_audit
when: run_audit
tags: run_audit
ansible.builtin.debug:
msg: "{{ audit_results.split('\n') }}"
- name: If Warnings found Output count and control IDs affected
when: warn_count != 0
tags:
- always
tags: always
ansible.builtin.debug:
msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}"
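Review bot: The rewritten assert `that: prelim_ansible_user_password_set.stdout != "!!" and prelim_ansible_user_password_set.stdout | length > 10` does not establish the "account not locked" half of the task name: `passwd -l` leaves the full hash in place behind a `!` prefix, so a locked account passes both tests. Checking that the field is an actual hash, e.g. `that: prelim_ansible_user_password_set.stdout is match('\$') and prelim_ansible_user_password_set.stdout | length > 10`, covers `!`, `*` and `!!` alike. Dropping the `container_discovery` and `prelim_tasks` tags is harmless for `--tags` runs since `always` is kept, but anyone relying on `--skip-tags container_discovery` loses that knob; a changelog line would help.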


@ -5,29 +5,27 @@
- always
block:
- name: "PRELIM | Parse /etc/passwd | Get /etc/password contents"
ansible.builtin.shell: cat /etc/passwd
ansible.builtin.command: cat /etc/passwd
changed_when: false
check_mode: false
register: ubtu24cis_passwd_file_audit
register: prelim_passwd_file_audit
- name: "PRELIM | Parse /etc/passwd | Split passwd entries"
ansible.builtin.set_fact:
ubtu24cis_passwd: "{{ ubtu24cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
with_items: "{{ ubtu24cis_passwd_file_audit.stdout_lines }}"
ubtu24cis_passwd: "{{ prelim_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
vars:
ld_passwd_regex: >-
^(?P<id>[^:]*):(?P<password>[^:]*):(?P<uid>[^:]*):(?P<gid>[^:]*):(?P<gecos>[^:]*):(?P<dir>[^:]*):(?P<shell>[^:]*)
ld_passwd_yaml: | # pragma: allowlist secret
id: >-4
\g<id>
password: >-4
\g<password>
uid: \g<uid>
gid: \g<gid>
gecos: >-4
\g<gecos>
dir: >-4
\g<dir>
shell: >-4
\g<shell>
id: >-4
\g<id>
password: >-4
\g<password>
uid: \g<uid>
gid: \g<gid>
gecos: >-4
\g<gecos>
dir: >-4
\g<dir>
shell: >-4
\g<shell>


@ -1,7 +1,7 @@
---
- name: Post Audit | Run post_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
- name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template]
ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
@ -18,26 +18,24 @@
- "{{ pre_audit_outfile }}"
- name: Post Audit | Capture audit data if json format
when:
- audit_format == "json"
when: audit_format == "json"
block:
- name: Post Audit | Capture audit data if json format
ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4
register: post_audit_summary
changed_when: false
register: post_audit_summary
- name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact:
post_audit_results: "{{ post_audit_summary.stdout }}"
- name: Post Audit | Capture audit data if documentation format
when:
- audit_format == "documentation"
when: audit_format == "documentation"
block:
- name: Post Audit | Capture audit data if documentation format
ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
register: post_audit_summary
ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '
changed_when: false
register: post_audit_summary
- name: Post Audit | Set Fact for audit summary
ansible.builtin.set_fact:
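Review bot: The rewritten documentation-format capture reads the wrong file: `ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '` in the post-audit block references `pre_audit_outfile`, whereas the line it replaces and the json branch above both use `post_audit_outfile`, so `post_audit_results` would report the pre-remediation summary after remediation. It should read `ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '`. This looks like a copy of the parallel pre-audit task; the trailing `set_fact` continues outside the hunk.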


@ -1,22 +1,19 @@
---
- name: Pre Audit Setup | Setup the LE audit
when:
- setup_audit
tags:
- setup_audit
when: setup_audit
tags: setup_audit
ansible.builtin.include_tasks:
file: LE_audit_setup.yml
- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists
- name: Pre Audit Setup | Ensure existence of {{ audit_conf_dir }} # noqa name[template]
ansible.builtin.file:
path: "{{ audit_conf_dir }}"
mode: 'go-w'
state: directory
mode: '0755'
- name: Pre Audit Setup | If using git for content set up
when:
- audit_content == 'git'
when: audit_content == 'git'
block:
- name: Pre Audit Setup | Install git
ansible.builtin.package:
@ -30,57 +27,51 @@
version: "{{ audit_git_version }}"
- name: Pre Audit Setup | Copy to audit content files to server
when:
- audit_content == 'copy'
when: audit_content == 'copy'
ansible.builtin.copy:
src: "{{ audit_conf_source }}"
dest: "{{ audit_conf_dest }}"
mode: preserve
- name: Pre Audit Setup | Unarchive audit content files on server
when:
- audit_content == 'archive'
when: audit_content == 'archive'
ansible.builtin.unarchive:
src: "{{ audit_conf_source }}"
dest: "{{ audit_conf_dest }}"
- name: Pre Audit Setup | Get audit content from url
when:
- audit_content == 'get_url'
when: audit_content == 'get_url'
ansible.builtin.unarchive:
src: "{{ audit_conf_source }}"
dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}"
extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}"
remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}"
extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}"
- name: Pre Audit Setup | Check Goss is available
when:
- run_audit
when: run_audit
block:
- name: Pre Audit Setup | Check for goss file
ansible.builtin.stat:
path: "{{ audit_bin }}"
register: goss_available
register: prelim_goss_available
- name: Pre Audit Setup | If audit ensure goss is available
when:
- not goss_available.stat.exists
when: not prelim_goss_available.stat.exists
ansible.builtin.assert:
msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
- name: Pre Audit Setup | Copy ansible default vars values to test audit
when: run_audit
tags:
- goss_template
- run_audit
when:
- run_audit
ansible.builtin.template:
src: ansible_vars_goss.yml.j2
dest: "{{ audit_vars_path }}"
mode: '0600'
mode: 'go-rwx'
- name: Pre Audit | Run pre_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
- name: Pre Audit | Run pre_remediation audit {{ benchmark }} # noqa name[template]
ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length]
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
@ -88,33 +79,30 @@
AUDIT_FILE: goss.yml
- name: Pre Audit | Capture audit data if json format
when:
- audit_format == "json"
when: audit_format == "json"
block:
- name: Pre Audit | Capture audit data if json format
ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4
register: pre_audit_summary
changed_when: false
register: pre_audit_summary
- name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact:
pre_audit_results: "{{ pre_audit_summary.stdout }}"
- name: Pre Audit | Capture audit data if documentation format
when:
- audit_format == "documentation"
when: audit_format == "documentation"
block:
- name: Pre Audit | Capture audit data if documentation format
ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '
register: pre_audit_summary
changed_when: false
register: pre_audit_summary
- name: Pre Audit | Set Fact for audit summary
ansible.builtin.set_fact:
pre_audit_results: "{{ pre_audit_summary.stdout }}"
- name: Audit_Only | Run Audit Only
when:
- audit_only
when: audit_only
ansible.builtin.import_tasks:
file: audit_only.yml
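Review bot: `ansible.builtin.assert:` under `Pre Audit Setup | If audit ensure goss is available` carries only `msg:` and no `that:`, so when `prelim_goss_available.stat.exists` is false the task still fails, but with a missing-argument error rather than the intended "unable to find goss binary" message. Either switch the module to `ansible.builtin.fail:` with the same `msg`, or drop the `when:` and add `that: prelim_goss_available.stat.exists` so the assertion itself carries the check and the message. The register rename to `prelim_goss_available` is consistent with the rest of the commit.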


@ -7,31 +7,25 @@
changed_when: false
- name: "PRELIM | AUDIT | Register if snap being used"
when: ubtu24cis_rule_1_1_1_6
tags: always
ansible.builtin.shell: df -h | grep -wc "/snap"
changed_when: false
failed_when: prelim_snap_pkg_mgr.rc not in [ 0, 1 ]
register: prelim_snap_pkg_mgr
tags:
- rule_1.1.1.2
- always
when:
- ubtu24cis_rule_1_1_1_6
- name: "PRELIM | AUDIT | Register if squashfs is built into the kernel"
when: ubtu24cis_rule_1_1_1_6
tags: always
ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs"
changed_when: false
failed_when: prelim_squashfs_builtin.rc not in [ 0, 1 ]
register: prelim_squashfs_builtin
tags:
- always
when:
- ubtu24cis_rule_1_1_1_6
- name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points"
tags: always
ansible.builtin.set_fact:
mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}"
tags:
- always
- name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type
when:
@ -40,14 +34,13 @@
ubtu24cis_rule_1_1_2_1_2 or
ubtu24cis_rule_1_1_2_1_3 or
ubtu24cis_rule_1_1_2_1_4
tags:
- always
tags: always
block:
- name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type
ansible.builtin.shell: systemctl is-enabled tmp.mount
register: prelim_tmp_mnt_type
ansible.builtin.command: systemctl is-enabled tmp.mount # noqa command-instead-of-module
changed_when: false
failed_when: prelim_tmp_mnt_type.rc not in [ 0, 1 ]
register: prelim_tmp_mnt_type
- name: PRELIM | AUDIT | Capture tmp mount type | Set to expected_tmp_mnt variable
when: "'generated' in prelim_tmp_mnt_type.stdout"
@ -60,8 +53,7 @@
tmp_mnt_type: tmp_systemd
- name: PRELIM | Initialize the mount options variable
tags:
- always
tags: always
block:
- name: PRELIM | Initializing the var if there is no /tmp mount | set_fact
when: "'/tmp' not in mount_names"
@ -99,8 +91,7 @@
when:
- ubtu24cis_rule_1_2_1_1 or
ubtu24cis_rule_1_2_2_1
tags:
- always
tags: always
ansible.builtin.package:
update_cache: true
@ -108,18 +99,16 @@
when:
- ubtu24cis_rule_3_1_2
- not system_is_container
tags:
- always
tags: always
block:
- name: "PRELIM | AUDIT | Discover is wireless adapter on system"
ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless
register: prelim_wireless_adapters
ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless
changed_when: false
failed_when: prelim_wireless_adapters.rc not in [ 0, 1 ]
register: prelim_wireless_adapters
- name: "PRELIM | AUDIT | If wireless adapter present capture module"
when:
- prelim_wireless_adapters.rc == 0
when: prelim_wireless_adapters.rc == 0
ansible.builtin.shell: |
for driverdir in $(find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname);
do basename "$(readlink -f "$driverdir"/device/driver/module)";
@ -128,12 +117,11 @@
failed_when: prelim_wireless_modules.rc not in [ 0, 1 ]
register: prelim_wireless_modules
- name: "PRELIM | PATCH | 5.3.4.5 | Find all sudoers files."
- name: "PRELIM | PATCH | Find all sudoers files."
when:
- ubtu24cis_rule_5_2_4 or
ubtu24cis_rule_5_2_5
tags:
- always
tags: always
ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
changed_when: false
failed_when: false
@ -148,20 +136,17 @@
ubtu24cis_rule_5_3_3_2_4 or
ubtu24cis_rule_5_3_3_2_5 or
ubtu24cis_rule_5_3_3_2_6
tags:
- always
tags: always
ansible.builtin.file:
path: '/etc/security/pwquality.conf.d'
state: directory
owner: root
group: root
mode: '0750'
mode: 'u+x,g-w,o-rwx'
- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def"
when:
- not discover_int_uid
tags:
- always
when: not discover_int_uid
tags: always
block:
- name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def"
ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
@ -185,38 +170,29 @@
min_int_gid: "{{ prelim_gid_min_id.stdout }}"
- name: "PRELIM | AUDIT | Interactive Users"
tags:
- always
tags: always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }'
changed_when: false
register: prelim_interactive_usernames
- name: "PRELIM | AUDIT | Interactive User accounts home directories"
tags:
- always
tags: always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $6 }'
changed_when: false
register: prelim_interactive_users_home
- name: "PRELIM | AUDIT | Interactive UIDs"
tags:
- always
tags: always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }'
changed_when: false
register: prelim_interactive_uids
- name: "PRELIM | AUDIT | Gather UID 0 accounts other than root"
when:
- ubtu24cis_rule_5_4_2_1
tags:
- rule_5.4.2.1
- level1-server
- level1-workstation
- users
- always
when: ubtu24cis_rule_5_4_2_1
tags: always
ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'"
changed_when: false
check_mode: false
@ -227,14 +203,13 @@
- ubtu24cis_rule_6_1_2_2 or
ubtu24cis_rule_6_1_2_3 or
ubtu24cis_rule_6_1_2_4
tags:
- always
tags: always
ansible.builtin.file:
path: /etc/systemd/journald.conf.d
state: directory
owner: root
group: root
mode: '0755'
mode: 'u+x,go-w'
- name: "PRELIM | PATCH | Ensure auditd is installed"
when:
@ -242,17 +217,9 @@
ubtu24cis_rule_6_2_4_1 or
ubtu24cis_rule_6_2_4_6 or
ubtu24cis_rule_6_2_4_8
tags:
- level2-server
- level2-workstation
- patch
- auditd
- always
tags: always
block:
- name: "PRELIM | PATCH | Ensure auditd is installed"
when:
- "'auditd' not in ansible_facts.packages or
'auditd-plugins' not in ansible_facts.packages"
ansible.builtin.package:
name: ['auditd', 'audispd-plugins']
state: present
@ -267,8 +234,7 @@
- name: "PRELIM | AUDIT | Check if auditd is immutable before changes"
when: "'auditd' in ansible_facts.packages"
tags:
- always
tags: always
ansible.builtin.shell: auditctl -l | grep -c '-e 2'
changed_when: false
failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ]
@ -280,15 +246,7 @@
ubtu24cis_rule_6_2_4_2 or
ubtu24cis_rule_6_2_4_3 or
ubtu24cis_rule_6_2_4_4
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.1
- rule_6.3.4.2
- rule_6.3.4.3
- rule_6.3.4.4
tags: always
ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'"
changed_when: false
failed_when: prelim_auditd_logfile.rc not in [ 0, 1 ]
@ -298,8 +256,7 @@
when:
- ubtu24cis_rule_7_2_9
- "'acl' not in ansible_facts.packages"
tags:
- always
tags: always
ansible.builtin.package:
name: acl
state: present
@ -310,10 +267,9 @@
when:
- ubtu24cis_firewall_package == "ufw"
- ubtu24cis_ufw_use_sysctl
tags:
- always
tags: always
ansible.builtin.lineinfile:
path: /etc/default/ufw
regexp: ^IPT_SYSCTL=.*
line: IPT_SYSCTL=/etc/sysctl.conf
mode: '0644'
mode: 'u-x,go-wx'
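Review bot: `ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless` in the wireless-adapter block no longer detects anything: `command` does not expand shell globs, so find receives the literal path `/sys/class/net/*/`, exits 1 with "No such file or directory", `failed_when` accepts rc 1, and the follow-up task gated on `prelim_wireless_adapters.rc == 0` never runs. Keep this task on `ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless  # noqa command-instead-of-shell`, as the commit already does with a noqa marker for `systemctl is-enabled`; the very next task keeps `shell` for the same glob. Separately, on context lines in the auditd block, the install condition checks `'auditd-plugins' not in ansible_facts.packages` while the package installed is `audispd-plugins`, so the condition is presumably always true; that looks like a typo for `audispd-plugins`.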


@ -18,7 +18,7 @@
regexp: "^(#)?install cramfs(\\s|$)"
line: "install cramfs /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -26,7 +26,7 @@
regexp: "^(#)?blacklist cramfs(\\s|$)"
line: "blacklist cramfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs"
when:
@ -53,7 +53,7 @@
regexp: "^(#)?install freevxfs(\\s|$)"
line: "install freevxfs /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -61,7 +61,7 @@
regexp: "^(#)?blacklist freevxfs(\\s|$)"
line: "blacklist freevxfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Disable freevxfs"
when:
@ -88,7 +88,7 @@
regexp: "^(#)?install hfs(\\s|$)"
line: "install hfs /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -96,7 +96,7 @@
regexp: "^(#)?blacklist hfs(\\s|$)"
line: "blacklist hfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable hfs"
when:
@ -123,7 +123,7 @@
regexp: "^(#)?install hfsplus(\\s|$)"
line: "install hfsplus /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -131,7 +131,7 @@
regexp: "^(#)?blacklist hfsplus(\\s|$)"
line: "blacklist hfsplus"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Disable hfsplus"
when:
@ -158,7 +158,7 @@
regexp: "^(#)?install jffs2(\\s|$)"
line: "install jffs2 /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -166,7 +166,7 @@
regexp: "^(#)?blacklist jffs2(\\s|$)"
line: "blacklist jffs2"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Disable jffs2"
when:
@ -193,7 +193,7 @@
regexp: "^(#)?install overlayfs(\\s|$)"
line: "install overlayfs /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.6 | PATCH | Ensure overlayfs kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -201,7 +201,7 @@
regexp: "^(#)?blacklist overlayfs(\\s|$)"
line: "blacklist overlayfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.6 | PATCH | Ensure overlayfs kernel module is not available | Disable overlayfs"
when:
@ -230,7 +230,7 @@
regexp: "^(#)?install squashfs(\\s|$)"
line: "install squashfs /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.7 | PATCH | Ensure squashfs kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -238,7 +238,7 @@
regexp: "^(#)?blacklist squashfs(\\s|$)"
line: "blacklist squashfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.7 | PATCH | Ensure squashfs kernel module is not available | Disable squashfs"
when:
@ -265,7 +265,7 @@
regexp: "^(#)?install udf(\\s|$)"
line: "install udf /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.8 | PATCH | Ensure udf kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -273,7 +273,7 @@
regexp: "^(#)?blacklist udf(\\s|$)"
line: "blacklist udf"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.8 | PATCH | Ensure udf kernel module is not available | Disable udf"
when:
@ -300,7 +300,7 @@
regexp: "^(#)?install usb-storage(\\s|$)"
line: "install usb-storage /bin/true"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.9 | PATCH | Ensure usb-storage kernel module is not available | blacklist"
ansible.builtin.lineinfile:
@ -308,7 +308,7 @@
regexp: "^(#)?blacklist usb-storage(\\s|$)"
line: "blacklist usb-storage"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "1.1.1.9 | PATCH | Ensure usb-storage kernel module is not available | Disable usb"
when:
@ -335,10 +335,10 @@
dest: /var/fs_with_cves.sh
owner: root
group: root
mode: '0744'
mode: 'u+x,go-wx'
- name: "1.1.1.10 | AUDIT | Ensure unused filesystems kernel modules are not available | Run discovery script"
ansible.builtin.shell: /var/fs_with_cves.sh
ansible.builtin.command: /var/fs_with_cves.sh
changed_when: false
failed_when: discovered_fs_modules_loaded.rc not in [ 0, 99 ]
register: discovered_fs_modules_loaded
@ -348,7 +348,7 @@
ansible.builtin.debug:
msg: |
"Warning!! Discovered loaded Filesystem modules that need attention. This is a manual task
{{ discovered_fs_modules_loaded.stdout_lines}}"
{{ discovered_fs_modules_loaded.stdout_lines }}"
- name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Capture Warning"
when: discovered_fs_modules_loaded.stdout | length > 0
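Review bot: The final task in the last hunk is named `1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Capture Warning` while the discovery task it follows is `1.1.1.10 | AUDIT | ... | Run discovery script`, so the warning is attributed to the wrong control in play output; it should carry `1.1.1.10`. The `mode: 'go-rwx'` values replacing `'0600'` throughout this file are relative, so a pre-existing modprobe.d file keeps whatever owner bits it has (a 0700 file stays 0700) rather than being pinned to 0600 as before; that still restricts group/other, but if the relative form is deliberate a short comment on the first occurrence would save the next reader from assuming a regression.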


@ -39,7 +39,7 @@
vars:
required_mount: '/tmp'
ansible.builtin.set_fact:
tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nodev' ] }}"
tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['nodev'] }}"
changed_when: true
notify: Writing and remounting tmp
@ -59,7 +59,7 @@
vars:
required_mount: '/tmp'
ansible.builtin.set_fact:
tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nosuid' ] }}"
tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['nosuid'] }}"
changed_when: true
notify: Writing and remounting tmp
@ -79,6 +79,6 @@
vars:
required_mount: '/tmp'
ansible.builtin.set_fact:
tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'noexec' ] }}"
tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['noexec'] }}"
changed_when: true
notify: Writing and remounting tmp


@ -15,7 +15,7 @@
required_mount: '/dev/shm'
block:
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check for mount"
ansible.builtin.shell: findmnt -kn "{{ required_mount }}"
ansible.builtin.command: findmnt -kn "{{ required_mount }}"
changed_when: false
failed_when: discovered_shm_mount.rc not in [ 0, 1 ]
register: discovered_shm_mount


@ -15,11 +15,11 @@
warn_control_id: '1.2.1.1'
block:
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys"
ansible.builtin.shell: apt-key list
ansible.builtin.command: apt-key list
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_1_2_1_1_apt_gpgkeys
register: discovered_apt_gpgkeys
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys"
ansible.builtin.debug:
@ -27,7 +27,7 @@
- "Warning!! Below are the apt gpg keys configured"
- "Please review to make sure they are configured"
- "in accordance with site policy"
- "{{ ubtu24cis_1_2_1_1_apt_gpgkeys.stdout_lines }}"
- "{{ discovered_apt_gpgkeys.stdout_lines }}"
- name: "1.2.1.1 | WARN | Ensure GPG keys are configured | warn_count"
ansible.builtin.import_tasks:
@ -47,18 +47,18 @@
warn_control_id: '1.2.1.2'
block:
- name: "1.2.1.2 | AUDIT | Ensure package manager repositories are configured | Get repositories"
ansible.builtin.shell: apt-cache policy
ansible.builtin.command: apt-cache policy
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_1_2_1_2_apt_policy
register: discovered_apt_policy
- name: "1.2.1.2 | AUDIT | Ensure package manager repositories are configured | Message out repository configs"
ansible.builtin.debug:
msg:
- "Warning!! Below are the apt package repositories"
- "Please review to make sure they conform to your sites policies"
- "{{ ubtu24cis_1_2_1_2_apt_policy.stdout_lines }}"
- "{{ discovered_apt_policy.stdout_lines }}"
- name: "1.2.1.2 | WARN | Ensure package manager repositories are configured | warn_count"
ansible.builtin.import_tasks:
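Review bot: `ansible.builtin.command: apt-key list` only reports keys in `/etc/apt/trusted.gpg` and `/etc/apt/trusted.gpg.d`; repositories configured with a `Signed-By` keyring are not listed, and because the task runs with `failed_when: false` an error from the deprecated `apt-key` would surface only as an empty key list in the warning. The audit message would be more complete if it also enumerated the dedicated keyring files, e.g. a second task running `gpg --show-keys` over `/etc/apt/keyrings/*` and `/etc/apt/trusted.gpg.d/*`, or at least a comment above the task stating that `Signed-By` keys are not covered. The register renames to `discovered_apt_gpgkeys`/`discovered_apt_policy` are fine.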


@ -1,8 +1,7 @@
---
- name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed"
when:
- ubtu24cis_rule_1_2_2_1
when: ubtu24cis_rule_1_2_2_1
tags:
- level1-server
- level1-workstation


@ -17,8 +17,7 @@
state: present
- name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration"
when:
- ubtu24cis_rule_1_3_1_2
when: ubtu24cis_rule_1_3_1_2
tags:
- level1-server
- level1-workstation
@ -32,10 +31,10 @@
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_1_3_1_2_cmdline_settings
register: discovered_grub_cmdline_settings
- name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist"
when: ubtu24cis_1_3_1_2_cmdline_settings.stdout is not search('apparmor=')
when: discovered_grub_cmdline_settings.stdout is not search('apparmor=')
ansible.builtin.lineinfile:
path: /etc/default/grub
regexp: ^(GRUB_CMDLINE_LINUX=")(|apparmor=\d\s)(.*\w+")
@ -44,7 +43,7 @@
notify: Grub update
- name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set security settings if none exist"
when: ubtu24cis_1_3_1_2_cmdline_settings.stdout is not search('security=')
when: discovered_grub_cmdline_settings.stdout is not search('security=')
ansible.builtin.lineinfile:
path: /etc/default/grub
regexp: ^(GRUB_CMDLINE_LINUX=")(|security=\w+\s)(.*\w+")
@ -54,19 +53,19 @@
- name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist"
when:
- "'apparmor' not in ubtu24cis_1_3_1_2_cmdline_settings.stdout"
- "'security' not in ubtu24cis_1_3_1_2_cmdline_settings.stdout"
- "'apparmor' not in discovered_grub_cmdline_settings.stdout"
- "'security' not in discovered_grub_cmdline_settings.stdout"
ansible.builtin.lineinfile:
path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX='
line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ ubtu24cis_1_3_1_2_cmdline_settings.stdout }}"'
line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ discovered_grub_cmdline_settings.stdout }}"'
insertafter: '^GRUB_'
notify: Grub update
- name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Replace apparmor settings when exists"
when:
- "'apparmor' in ubtu24cis_1_3_1_2_cmdline_settings.stdout or
'security' in ubtu24cis_1_3_1_2_cmdline_settings.stdout"
- "'apparmor' in discovered_grub_cmdline_settings.stdout or
'security' in discovered_grub_cmdline_settings.stdout"
ansible.builtin.replace:
path: /etc/default/grub
regexp: "{{ item.regexp }}"
@ -100,10 +99,10 @@
changed_when: false
- name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get pre apply enforce count"
ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9
ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9
changed_when: false
failed_when: false
register: ubtu24cis_1_3_1_4_pre_count
register: discovered_apparmor_profilepre_count
- name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Apply enforcing to /etc/apparmor.d profiles"
ansible.builtin.shell: aa-enforce /etc/apparmor.d/*
@ -111,13 +110,13 @@
failed_when: false
- name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get post apply enforce count"
ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9
ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9
changed_when: false
failed_when: false
register: ubtu24cis_1_3_1_4_post_count
register: discovered_apparmor_profilepost_count
- name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | This flags for idempotency"
when: ubtu24cis_1_3_1_4_pre_count.stdout != ubtu24cis_1_3_1_4_post_count.stdout
when: discovered_apparmor_profilepre_count.stdout != discovered_apparmor_profilepost_count.stdout
ansible.builtin.debug:
msg: Changed! The profiles in /etc/apparmor.d were set to enforcing
changed_when: true
@ -150,24 +149,24 @@
changed_when: false
- name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get pre apply enforce count"
ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu24cis_apparmor_mode}} mode" | tr -d -c 0-9
ansible.builtin.shell: apparmor_status | grep "profiles are in {{ ubtu24cis_apparmor_mode }} mode" | tr -d -c 0-9
changed_when: false
failed_when: false
register: ubtu24cis_1_3_1_3_pre_count
register: discovered_apparmor_profile_pre_count
- name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Apply complaining/enforcing to /etc/apparmor.d profiles"
ansible.builtin.shell: aa-{{ubtu24cis_apparmor_mode}} /etc/apparmor.d/*
ansible.builtin.shell: aa-{{ ubtu24cis_apparmor_mode }} /etc/apparmor.d/*
changed_when: false
failed_when: false
- name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get post apply enforce count"
ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu24cis_apparmor_mode}} mode" | tr -d -c 0-9
ansible.builtin.shell: apparmor_status | grep "profiles are in {{ ubtu24cis_apparmor_mode }} mode" | tr -d -c 0-9
changed_when: false
failed_when: false
register: ubtu24cis_1_3_1_3_post_count
register: discovered_apparmor_profile_post_count
- name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | This flags for idempotency"
when: ubtu24cis_1_3_1_3_pre_count.stdout != ubtu24cis_1_3_1_3_post_count.stdout
when: discovered_apparmor_profile_pre_count.stdout != discovered_apparmor_profile_post_count.stdout
ansible.builtin.debug:
msg: Changed! The profiles in /etc/apparmor.d were set to {{ubtu24cis_apparmor_mode}} mode
msg: Changed! The profiles in /etc/apparmor.d were set to {{ ubtu24cis_apparmor_mode }} mode
changed_when: true
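Review bot: The new register names are inconsistent between the two enforce/complain tasks: 1.3.1.4 uses `discovered_apparmor_profilepre_count` and `discovered_apparmor_profilepost_count` (no underscore before `pre`/`post`), while 1.3.1.3 uses `discovered_apparmor_profile_pre_count` and `discovered_apparmor_profile_post_count`. The two blocks need distinct names to avoid clobbering each other's facts, so rather than adding the underscore, encode the mode in 1.3.1.4's names, e.g. `register: discovered_apparmor_enforce_pre_count` and `register: discovered_apparmor_enforce_post_count`, and update the `when:` comparison accordingly. Both blocks start outside their hunks.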


@ -18,7 +18,7 @@
dest: "{{ ubtu24cis_grub_user_file }}"
owner: root
group: root
mode: '0755'
mode: 'go-w'
notify: Grub update
- name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot"
@ -31,8 +31,7 @@
notify: Grub update
- name: "1.4.2 | PATCH | Ensure access to bootloader config is configured"
when:
- ubtu24cis_rule_1_4_2
when: ubtu24cis_rule_1_4_2
tags:
- level1-server
- level1-workstation
@ -45,11 +44,10 @@
ansible.builtin.stat:
path: "{{ ubtu24cis_grub_file }}"
check_mode: false
register: ubtu24cis_1_4_2_grub_cfg_status
register: discovered_grub_cfg_file
- name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | Set permissions"
when:
- ubtu24cis_1_4_2_grub_cfg_status.stat.exists
when: discovered_grub_cfg_file.stat.exists
ansible.builtin.file:
path: "{{ ubtu24cis_grub_file }}"
owner: root
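Review bot: `mode: 'go-w'` replacing `'0755'` on the `ubtu24cis_grub_user_file` template drops the execute bit: a symbolic mode is applied relative to the file's current or umask-derived mode, so a freshly templated file under the usual 022 umask ends up 0644 rather than 0755. If, as the name suggests, that file is a grub.d snippet, grub-mkconfig only runs it when it is executable, so the bootloader password would no longer be applied; `mode: 'a+x,go-w'` restores 0755 from a 0644 default, or keep the absolute `'0755'`. The same umask dependence applies to every relative mode in this commit, but only here does it remove a bit the task previously guaranteed.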


@ -1,8 +1,7 @@
---
- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter"
when:
- ubtu24cis_rule_1_5_1
when: ubtu24cis_rule_1_5_1
tags:
- level1-server
- level1-workstation
@ -20,8 +19,7 @@
ignoreerrors: true
- name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted"
when:
- ubtu24cis_rule_1_5_2
when: ubtu24cis_rule_1_5_2
tags:
- level1-server
- level1-workstation
@ -39,8 +37,7 @@
ignoreerrors: true
- name: "1.5.3 | PATCH | Ensure core dumps are restricted"
when:
- ubtu24cis_rule_1_5_3
when: ubtu24cis_rule_1_5_3
tags:
- level1-server
- level1-workstation
@ -67,7 +64,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'go-r'
- name: "1.5.3 | PATCH | Ensure core dumps are restricted | sysctl.conf"
ansible.builtin.lineinfile:
@ -76,7 +73,7 @@
line: fs.suid_dumpable=0
owner: root
group: root
mode: '0644'
mode: 'go-r'
notify: Reload systemctl
- name: "1.5.3 | PATCH | Ensure core dumps are restricted | coredump.conf"
@ -87,7 +84,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'go-r'
loop:
- { regexp: '^Storage', line: 'Storage=none' }
- { regexp: '^ProcessSizeMax', line: 'ProcessSizeMax=0' }
@ -107,7 +104,7 @@
- prelink
block:
- name: "1.5.4 | PATCH | Ensure prelink is not installed | Restore binaries to normal"
ansible.builtin.shell: prelink -ua
ansible.builtin.command: prelink -ua
changed_when: false
failed_when: false
@ -118,8 +115,7 @@
purge: "{{ ubtu24cis_purge_apt }}"
- name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled"
when:
- ubtu24cis_rule_1_5_5
when: ubtu24cis_rule_1_5_5
tags:
- level1-server
- level1-workstation
@ -136,7 +132,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'go-r'
- name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled | remove package"
when:
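Review bot: `mode: 'go-r'` replaces `'0644'` four times in this file (the sysctl.d lineinfile tasks under 1.5.3, coredump.conf, and the apport default under 1.5.5), which removes group/other read rather than write and so tightens those files to 0600 on creation, whereas every other `'0644'` replacement in this commit uses `'u-x,go-wx'`. If the intent was to keep world-readable config with write removed, it should read `mode: 'u-x,go-wx'`; if 0600 is deliberate for these files, a comment saying so would stop the next reader from treating it as a typo. Note also that as a relative mode it leaves an already world-writable file's `w` bits untouched, which `'0644'` did not.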


@ -1,8 +1,7 @@
---
- name: "1.6.1 | PATCH | Ensure message of the day is configured properly"
when:
- ubtu24cis_rule_1_6_1
when: ubtu24cis_rule_1_6_1
tags:
- level1-server
- level1-workstation
@ -17,6 +16,7 @@
ansible.builtin.template:
src: etc/motd.j2
dest: /etc/motd
mode: 'u-x,go-wx'
- name: "1.6.1 | PATCH | Ensure message of the day is configured properly | disable dynamic_motd"
when: ubtu24cis_disable_dynamic_motd
@ -31,8 +31,7 @@
- { regexp: '# Pam_motd.so disabled for CIS benchmark', line: '# Pam_motd.so disabled for CIS benchmark' }
- name: "1.6.2 | PATCH | Ensure local login warning banner is configured properly"
when:
- ubtu24cis_rule_1_6_2
when: ubtu24cis_rule_1_6_2
tags:
- level1-server
- level1-workstation
@ -47,14 +46,14 @@
ansible.builtin.template:
src: etc/issue.j2
dest: /etc/issue
mode: 'u-x,go-wx'
- name: "1.6.2 | PATCH | Ensure local login warning banner is kept on package upgrade | issue"
community.general.dpkg_divert:
path: /etc/issue
- name: "1.6.3 | PATCH | Ensure remote login warning banner is configured properly"
when:
- ubtu24cis_rule_1_6_3
when: ubtu24cis_rule_1_6_3
tags:
- level1-server
- level1-workstation
@ -69,14 +68,14 @@
ansible.builtin.template:
src: etc/issue.net.j2
dest: /etc/issue.net
mode: 'u-x,go-wx'
- name: "1.6.3 | PATCH | Ensure remote login warning banner is kept on package upgrade | issue.net"
community.general.dpkg_divert:
path: /etc/issue.net
- name: "1.6.4 | PATCH | Ensure permissions on /etc/motd are configured"
when:
- ubtu24cis_rule_1_6_4
when: ubtu24cis_rule_1_6_4
tags:
- level1-server
- level1-workstation
@ -93,8 +92,7 @@
mode: 'u-x,go-wx'
- name: "1.6.5 | PATCH | Ensure permissions on /etc/issue are configured"
when:
- ubtu24cis_rule_1_6_5
when: ubtu24cis_rule_1_6_5
tags:
- level1-server
- level1-workstation
@ -111,8 +109,7 @@
mode: 'u-x,go-wx'
- name: "1.6.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
when:
- ubtu24cis_rule_1_6_6
when: ubtu24cis_rule_1_6_6
tags:
- level1-server
- level1-workstation


@ -1,9 +1,6 @@
---
- name: "1.7.1 | PATCH | Ensure GNOME Display Manager is removed"
ansible.builtin.package:
name: gdm3
state: absent
when:
- ubtu24cis_rule_1_7_1
- not ubtu24cis_desktop_required
@ -15,6 +12,9 @@
- rule_1.7.1
- NIST800-53R5_CM-11
- gnome
ansible.builtin.package:
name: gdm3
state: absent
- name: "1.7.2 | PATCH | Ensure GDM login banner is configured"
when:
@ -31,13 +31,14 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- gnome
notify: Update dconf
block:
- name: "1.7.2 | PATCH | Ensure GDM login banner is configured | make directory"
ansible.builtin.file:
path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d"
owner: root
group: root
mode: '0755'
mode: 'u+x,go-w'
state: directory
- name: "1.7.2 | PATCH | Ensure GDM login banner is configured | banner settings"
@ -49,12 +50,11 @@
create: true
owner: root
group: root
mode: '0644'
loop:
- { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF }
- { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'}
- { regexp: 'banner-message-text', line: "banner-message-text='{{ ubtu24cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: 'banner-message-enable' }
notify: Update dconf
mode: 'u-x,go-wx'
loop:
- { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF }
- { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'}
- { regexp: 'banner-message-text', line: "banner-message-text='{{ ubtu24cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: 'banner-message-enable' }
- name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled"
when:
@ -71,13 +71,14 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- gnome
notify: Update dconf
block:
- name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | make directories"
ansible.builtin.file:
path: "{{ item }}"
owner: root
group: root
mode: '0755'
mode: 'u+x,go-w'
state: directory
loop:
- /etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d
@ -92,7 +93,7 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
loop:
- { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF }
- { regexp: 'disable-user-list', line: 'disable-user-list=true', insertafter: '\[org\/gnome\/login-screen\]'}
@ -106,12 +107,11 @@
create: true
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
loop:
- { regexp: '^user-db:user', line: 'user-db:user', insertafter: EOF }
- { regexp: '^system-db:{{ ubtu24cis_dconf_db_name }}', line: 'system-db:{{ ubtu24cis_dconf_db_name }}', insertafter: 'user-db:user'}
- { regexp: '^file-db:/usr/share/gdm/greeter-dconf-defaults', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults', insertafter: 'system-db:{{ ubtu24cis_dconf_db_name }}'}
notify: Update dconf
- name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle"
when:
@ -132,6 +132,7 @@
line: "{{ item.line }}"
insertafter: "{{ item.after | default(omit) }}"
create: true
mode: 'u-x,go-wx'
loop:
- { regexp: 'user-db:user', line: 'user-db:user' }
- { regexp: 'system-db:{{ ubtu24cis_dconf_db_name }}', line: 'system-db:{{ ubtu24cis_dconf_db_name }}', after: '^user-db.*' }
@ -141,7 +142,7 @@
path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d"
owner: root
group: root
mode: '0755'
mode: 'u+x,go-w'
state: directory
notify: Update dconf
@ -151,7 +152,7 @@
dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/00-screensaver"
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
notify: Update dconf
- name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden"
@ -171,7 +172,7 @@
path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks"
owner: root
group: root
mode: '0755'
mode: 'u+x,go-w'
state: directory
notify: Update dconf
@ -181,7 +182,7 @@
dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks/00-screensaver"
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
notify: Update dconf
- name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled"
@ -205,7 +206,7 @@
path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d"
owner: root
group: root
mode: '0755'
mode: 'u+x,go-w'
state: directory
notify: Update dconf
@ -215,7 +216,7 @@
dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/00-media-automount"
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
notify: Update dconf
- name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden"
@ -239,7 +240,7 @@
path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks"
owner: root
group: root
mode: '0755'
mode: 'u+x,go-w'
state: directory
notify: Update dconf
@ -249,7 +250,7 @@
dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks/00-automount_lock"
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
notify: Update dconf
- name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled"
@ -273,7 +274,7 @@
path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d"
owner: root
group: root
mode: '0755'
mode: 'u+x,go-w'
state: directory
notify: Update dconf
@ -283,7 +284,7 @@
dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/00-media-autorun"
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
notify: Update dconf
- name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden"
@ -307,7 +308,7 @@
path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks"
owner: root
group: root
mode: '0755'
mode: 'u+x,go-w'
state: directory
notify: Update dconf
@ -317,7 +318,7 @@
dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks/00-autorun_lock"
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
notify: Update dconf
- name: "1.7.10 | PATCH | Ensure XDCMP is not enabled"
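Review bot: The symbolic modes introduced in this section (`u-x,go-wx` on files and `u+x,go-w` on directories, e.g. L1835, L1848, L1885) do not pin a result the way the removed `'0644'`/`'0755'` did: Ansible applies a symbolic mode relative to the mode the object already has, and for a file that `create: true` brings into existence that starting mode comes from the remote user's umask. Under a 027 or 077 umask, which a CIS hardening run may itself have set, the dconf profile written by the 1.7.3 hunk (its path is outside the hunk) would end up root-owned 0600; as far as I know the gdm greeter reads that profile as its own service user, so the banner and disable-user-list settings would silently not apply. The absolute symbolic form keeps the lint-friendly syntax while making the outcome umask-independent: `mode: 'u=rw,g=r,o=r'` for files and `mode: 'u=rwx,g=rx,o=rx'` for directories. The same consideration applies to the symbolic modes in the 3.1, 3.2 and 2.4.1 sections below.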


@ -33,8 +33,7 @@
masked: true
- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
when:
- ubtu24cis_rule_2_1_2
when: ubtu24cis_rule_2_1_2
tags:
- level1-server
- level2-workstation
@ -70,8 +69,7 @@
- avahi-daemon.service
- name: "2.1.3 | PATCH | Ensure dhcp server services are not in use"
when:
- ubtu24cis_rule_2_1_3
when: ubtu24cis_rule_2_1_3
tags:
- level1-server
- level1-workstation
@ -105,8 +103,7 @@
- isc-dhcp-server6.service
- name: "2.1.4 | PATCH | Ensure dns server services are not in use"
when:
- ubtu24cis_rule_2_1_4
when: ubtu24cis_rule_2_1_4
tags:
- level1-server
- level1-workstation
@ -137,8 +134,7 @@
masked: true
- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
when:
- ubtu24cis_rule_2_1_5
when: ubtu24cis_rule_2_1_5
tags:
- level1-server
- level1-workstation
@ -169,8 +165,7 @@
masked: true
- name: "2.1.6 | PATCH | Ensure ftp server services are not in use"
when:
- ubtu24cis_rule_2_1_6
when: ubtu24cis_rule_2_1_6
tags:
- level1-server
- level1-workstation
@ -202,8 +197,7 @@
masked: true
- name: "2.1.7 | PATCH | Ensure ldap server services are not in use"
when:
- ubtu24cis_rule_2_1_7
when: ubtu24cis_rule_2_1_7
tags:
- level1-server
- level1-workstation
@ -234,8 +228,7 @@
masked: true
- name: "2.1.8 | PATCH | Ensure message access server services are not in use"
when:
- ubtu24cis_rule_2_1_8
when: ubtu24cis_rule_2_1_8
tags:
- level1-server
- level1-workstation
@ -273,8 +266,7 @@
- "dovecot.service"
- name: "2.1.9 | PATCH | Ensure network file system services are not in use"
when:
- ubtu24cis_rule_2_1_9
when: ubtu24cis_rule_2_1_9
tags:
- level1-server
- level1-workstation
@ -307,8 +299,7 @@
masked: true
- name: "2.1.10 | PATCH | Ensure nis server services are not in use"
when:
- ubtu24cis_rule_2_1_10
when: ubtu24cis_rule_2_1_10
tags:
- level1-server
- level1-workstation
@ -339,8 +330,7 @@
masked: true
- name: "2.1.11 | PATCH | Ensure print server services are not in use"
when:
- ubtu24cis_rule_2_1_11
when: ubtu24cis_rule_2_1_11
tags:
- level1-server
- patch
@ -373,8 +363,7 @@
- "cups.service"
- name: "2.1.12 | PATCH | Ensure rpcbind services are not in use"
when:
- ubtu24cis_rule_2_1_12
when: ubtu24cis_rule_2_1_12
tags:
- level1-server
- level1-workstation
@ -409,8 +398,7 @@
- rpcbind.socket
- name: "2.1.13 | PATCH | Ensure rsync services are not in use"
when:
- ubtu24cis_rule_2_1_13
when: ubtu24cis_rule_2_1_13
tags:
- level1-server
- level1-workstation
@ -441,8 +429,7 @@
masked: true
- name: "2.1.14 | PATCH | Ensure samba file server services are not in use"
when:
- ubtu24cis_rule_2_1_14
when: ubtu24cis_rule_2_1_14
tags:
- level1-server
- level1-workstation
@ -474,8 +461,7 @@
masked: true
- name: "2.1.15 | PATCH | Ensure snmp services are not in use"
when:
- ubtu24cis_rule_2_1_15
when: ubtu24cis_rule_2_1_15
tags:
- level1-server
- level1-workstation
@ -507,8 +493,7 @@
masked: true
- name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
when:
- ubtu24cis_rule_2_1_16
when: ubtu24cis_rule_2_1_16
tags:
- level1-server
- level1-workstation
@ -539,8 +524,7 @@
masked: true
- name: "2.1.17 | PATCH | Ensure web proxy server services are not in use"
when:
- ubtu24cis_rule_2_1_17
when: ubtu24cis_rule_2_1_17
tags:
- level1-server
- level1-workstation
@ -571,8 +555,7 @@
masked: true
- name: "2.1.18 | PATCH | Ensure web server services are not in use"
when:
- ubtu24cis_rule_2_1_18
when: ubtu24cis_rule_2_1_18
tags:
- level1-server
- level1-workstation
@ -610,7 +593,7 @@
- "'apache2' in ansible_facts.packages"
notify: Systemd_daemon_reload
ansible.builtin.systemd:
name:
name: "{{ item }}"
enabled: false
state: stopped
masked: true
@ -631,8 +614,7 @@
masked: true
- name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
when:
- ubtu24cis_rule_2_1_19
when: ubtu24cis_rule_2_1_19
tags:
- level1-server
- level1-workstation
@ -694,23 +676,23 @@
block:
- name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if exim4 installed"
when: "'exim4' in ansible_facts.packages"
notify: Restart exim4
ansible.builtin.lineinfile:
path: /etc/exim4/update-exim4.conf.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
with_items:
- { regexp: '^dc_eximconfig_configtype', line: "dc_eximconfig_configtype='local'" }
- { regexp: '^dc_local_interfaces', line: "dc_local_interfaces='127.0.0.1 ; ::1'" }
- { regexp: '^dc_readhost', line: "dc_readhost=''" }
- { regexp: '^dc_relay_domains', line: "dc_relay_domains=''" }
- { regexp: '^dc_minimaldns', line: "dc_minimaldns='false'" }
- { regexp: '^dc_relay_nets', line: "dc_relay_nets=''" }
- { regexp: '^dc_smarthost', line: "dc_smarthost=''" }
- { regexp: '^dc_use_split_config', line: "dc_use_split_config='false'" }
- { regexp: '^dc_hide_mailname', line: "dc_hide_mailname=''" }
- { regexp: '^dc_mailname_in_oh', line: "dc_mailname_in_oh='true'" }
- { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" }
loop:
- { regexp: '^dc_eximconfig_configtype', line: "dc_eximconfig_configtype='local'" }
- { regexp: '^dc_local_interfaces', line: "dc_local_interfaces='127.0.0.1 ; ::1'" }
- { regexp: '^dc_readhost', line: "dc_readhost=''" }
- { regexp: '^dc_relay_domains', line: "dc_relay_domains=''" }
- { regexp: '^dc_minimaldns', line: "dc_minimaldns='false'" }
- { regexp: '^dc_relay_nets', line: "dc_relay_nets=''" }
- { regexp: '^dc_smarthost', line: "dc_smarthost=''" }
- { regexp: '^dc_use_split_config', line: "dc_use_split_config='false'" }
- { regexp: '^dc_hide_mailname', line: "dc_hide_mailname=''" }
- { regexp: '^dc_mailname_in_oh', line: "dc_mailname_in_oh='true'" }
- { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" }
notify: Restart exim4
- name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if postfix is installed"
when: "'postfix' in ansible_facts.packages"
@ -737,8 +719,7 @@
file: warning_facts.yml
- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface"
when:
- ubtu24cis_rule_2_1_22
when: ubtu24cis_rule_2_1_22
tags:
- level1-server
- level1-workstation
@ -750,18 +731,18 @@
warn_control_id: '2.1.22'
block:
- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services"
ansible.builtin.shell: systemctl list-units --type=service
ansible.builtin.command: systemctl list-units --type=service # noqa command-instead-of-module
changed_when: false
failed_when: ubtu24cis_2_1_22_services.rc not in [ 0, 1 ]
failed_when: discovered_listening_services.rc not in [ 0, 1 ]
check_mode: false
register: ubtu24cis_2_1_22_services
register: discovered_listening_services
- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Display list of services"
ansible.builtin.debug:
msg:
- "Warning!! Below are the list of services, both active and inactive"
- "Please review to make sure all are essential"
- "{{ ubtu24cis_2_1_22_services.stdout_lines }}"
- "{{ discovered_listening_services.stdout_lines }}"
- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Warn Count"
ansible.builtin.import_tasks:
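Review bot: The register renamed at L2227 to `discovered_listening_services` does not describe what the task captures: `systemctl list-units --type=service` at L2221 returns every loaded service unit, listening or not, which the debug text at L2231 itself acknowledges ("both active and inactive"). A name such as `discovered_service_units` at L2224, L2227 and L2234 would stop the rename from suggesting that this audit inspects sockets. If 2.1.22 is meant to show what is actually bound to a network interface, the socket listing the 4.2.6 section uses (`ss -4tuln`) is the closer signal, but that is a behaviour change outside this hunk, so only the naming is flagged here.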


@ -1,8 +1,7 @@
---
- name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use"
when:
- ubtu24cis_rule_2_3_1_1
when: ubtu24cis_rule_2_3_1_1
tags:
- level1-server
- level1-workstation


@ -1,8 +1,7 @@
---
- name: "2.3.2.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver"
when:
- ubtu24cis_rule_2_3_2_1
when: ubtu24cis_rule_2_3_2_1
tags:
- level1-server
- level1-workstation
@ -17,14 +16,14 @@
path: /etc/systemd/timesyncd.conf.d
owner: root
group: root
mode: '0755'
mode: 'go-w'
state: directory
- name: "2.3.2.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver | sources"
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "/{{ item }}"
mode: '0644'
mode: 'go-r'
owner: root
group: root
loop:
@ -32,8 +31,7 @@
notify: Restart timeservice
- name: "2.3.2.2 | PATCH | Ensure systemd-timesyncd is enabled and running"
when:
- ubtu24cis_rule_2_3_2_2
when: ubtu24cis_rule_2_3_2_2
tags:
- level1-server
- level1-workstation
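Review bot: `mode: 'go-r'` at L2273 (and at L2303 in the chrony section) removes group and other read access from the templated time-source config, where the removed line had pinned 0644; every other file mode in this commit is `go-w` or `u-x,go-wx`, so this reads as a typo for `go-w`. It is not cosmetic: on Ubuntu systemd-timesyncd.service runs under its own `systemd-timesync` user, so a root-owned drop-in under /etc/systemd/timesyncd.conf.d that is no longer world-readable would be skipped and the authorized timeserver silently not applied; chronyd reads its config as root at start-up but, as I understand it, re-reads sources.d as `_chrony` on `chronyc reload sources`, so the same risk exists there. Suggest `mode: 'u-x,go-wx'` to match the rest of the commit, or the umask-independent `mode: 'u=rw,g=r,o=r'`. The task's `loop:` items are outside the hunk, so the exact destination paths are not visible here.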


@ -1,8 +1,7 @@
---
- name: "2.3.3.1 | PATCH | Ensure chrony is configured with authorized timeserver"
when:
- ubtu24cis_rule_2_3_3_1
when: ubtu24cis_rule_2_3_3_1
tags:
- level1-server
- level1-workstation
@ -16,7 +15,7 @@
ansible.builtin.template:
src: "{{ item }}.j2"
dest: "/{{ item }}"
mode: '0644'
mode: 'go-r'
owner: root
group: root
loop:
@ -32,8 +31,7 @@
notify: Restart timeservice
- name: "2.3.3.2 | PATCH | Ensure chrony is running as user _chrony"
when:
- ubtu24cis_rule_2_3_3_2
when: ubtu24cis_rule_2_3_3_2
tags:
- level1-server
- level1-workstation
@ -47,8 +45,7 @@
line: 'user _chrony'
- name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running"
when:
- ubtu24cis_rule_2_3_3_3
when: ubtu24cis_rule_2_3_3_3
tags:
- level1-server
- level1-workstation


@ -1,8 +1,7 @@
---
- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and running"
when:
- ubtu24cis_rule_2_4_1_1
when: ubtu24cis_rule_2_4_1_1
tags:
- level1-server
- level1-workstation
@ -20,8 +19,7 @@
enabled: true
- name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
when:
- ubtu24cis_rule_2_4_1_2
when: ubtu24cis_rule_2_4_1_2
tags:
- level1-server
- level1-workstation
@ -34,11 +32,10 @@
path: /etc/crontab
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
when:
- ubtu24cis_rule_2_4_1_3
when: ubtu24cis_rule_2_4_1_3
tags:
- level1-server
- level1-workstation
@ -51,12 +48,11 @@
path: /etc/cron.hourly
owner: root
group: root
mode: '0700'
mode: 'u+x,go-rwx'
state: directory
- name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
when:
- ubtu24cis_rule_2_4_1_4
when: ubtu24cis_rule_2_4_1_4
tags:
- level1-server
- level1-workstation
@ -69,12 +65,11 @@
path: /etc/cron.daily
owner: root
group: root
mode: '0700'
mode: 'u+x,go-rwx'
state: directory
- name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
when:
- ubtu24cis_rule_2_4_1_5
when: ubtu24cis_rule_2_4_1_5
tags:
- level1-server
- level1-workstation
@ -87,12 +82,11 @@
path: /etc/cron.weekly
owner: root
group: root
mode: '0700'
mode: 'u+x,go-rwx'
state: directory
- name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
when:
- ubtu24cis_rule_2_4_1_6
when: ubtu24cis_rule_2_4_1_6
tags:
- level1-server
- level1-workstation
@ -105,12 +99,11 @@
path: /etc/cron.monthly
owner: root
group: root
mode: '0700'
mode: 'u+x,go-rwx'
state: directory
- name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
when:
- ubtu24cis_rule_2_4_1_7
when: ubtu24cis_rule_2_4_1_7
tags:
- level1-server
- level1-workstation
@ -123,12 +116,11 @@
path: /etc/cron.d
owner: root
group: root
mode: '0700'
mode: 'u+x,go-rwx'
state: directory
- name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users"
when:
- ubtu24cis_rule_2_4_1_8
when: ubtu24cis_rule_2_4_1_8
tags:
- level1-server
- level1-workstation
@ -146,10 +138,10 @@
- name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Check for cron.allow"
ansible.builtin.stat:
path: /etc/cron.allow
register: ubtu24cis_2_4_1_8_status
register: discovered_cron_allow_status
- name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Create cron.allow if doesn't exist"
when: not ubtu24cis_2_4_1_8_status.stat.exists
when: not discovered_cron_allow_status.stat.exists
ansible.builtin.file:
path: /etc/cron.allow
owner: root
@ -158,7 +150,7 @@
state: touch
- name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Update cron.allow if exists"
when: ubtu24cis_2_4_1_8_status.stat.exists
when: discovered_cron_allow_status.stat.exists
ansible.builtin.file:
path: /etc/cron.allow
owner: root


@ -1,8 +1,7 @@
---
- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users"
when:
- - ubtu24cis_rule_2_4_2_1
when: ubtu24cis_rule_2_4_2_1
tags:
- level1-server
- level1-workstation
@ -20,10 +19,10 @@
- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Check for at.allow"
ansible.builtin.stat:
path: /etc/at.allow
register: ubtu24cis_2_4_2_1_status
register: discovered_at_allow_status
- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Create at.allow if doesn't exist"
when: not ubtu24cis_2_4_2_1_status.stat.exists
when: not discovered_at_allow_status.stat.exists
ansible.builtin.file:
path: /etc/at.allow
owner: root
@ -32,7 +31,7 @@
state: touch
- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | update at.allow if exists"
when: ubtu24cis_2_4_2_1_status.stat.exists
when: discovered_at_allow_status.stat.exists
ansible.builtin.file:
path: /etc/at.allow
owner: root


@ -18,7 +18,7 @@
path: /etc/default/grub
regexp: '^(GRUB_CMDLINE_LINUX=.*)\bipv6\.disable=\d\b(.*$)'
replace: '\1ipv6.disable=1\2'
register: ipv6disable_replaced
register: discovered_ipv6disable_replaced
notify: Grub update
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Check grub cmdline linux"
@ -26,13 +26,13 @@
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_3_1_1_cmdline_settings
register: discovered_ipv6_grub_cmdline_settings
- name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Insert ipv6.disable if it doesn't exist"
when:
- ubtu24cis_ipv6_disable == 'grub'
- ipv6disable_replaced is not changed
- "'ipv6.disable' not in ubtu24cis_3_1_1_cmdline_settings.stdout"
- discovered_ipv6disable_replaced is not changed
- "'ipv6.disable' not in discovered_ipv6_grub_cmdline_settings.stdout"
ansible.builtin.lineinfile:
path: /etc/default/grub
regexp: '^(GRUB_CMDLINE_LINUX=".*)"$'
@ -47,13 +47,14 @@
dest: "/{{ item }}"
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
notify: Flush ipv6 route table
loop:
- etc/sysctl.d/60-disable_ipv6.conf
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
when:
- prelim_wireless_modules.stdout is defined
- ubtu24cis_rule_3_1_2
tags:
- level1-server
@ -70,15 +71,16 @@
regexp: '^(#)?install true(\\s|$)'
line: install {{ item }} true
create: true
mode: 'go-wx'
loop: "{{ prelim_wireless_modules.stdout_lines }}"
- name: "3.1.2 | PATCH | Ensure dccp kernel module is not available | blacklist"
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist {{ item }}(\\s|$)"
line: "blacklist {{ item }}"
create: true
mode: '0600'
mode: 'go-rwx'
loop: "{{ prelim_wireless_modules.stdout_lines }}"
- name: "3.1.3 | PATCH | Ensure bluetooth services are not in use"
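Review bot: The `regexp` at L2524, `'^(#)?install true(\\s|$)'`, cannot match the `line` at L2525 (`install {{ item }} true`): the module name is missing from the pattern, and because the value is single-quoted the `\\s` stays two backslashes, so the regex looks for a literal `\s` rather than whitespace. An existing `install <module> ...` entry, commented out or pointing at a different target, is therefore never replaced and a second line is appended instead; the blacklist task below gets both points right, so copy its form: `regexp: "^(#)?install {{ item }}(\\s|$)"`. The same single-quoted `\\s` appears on the install patterns of the 3.2 section (L2544, L2560, L2576, L2592). The two files written by this rule also end up with different modes, `go-wx` at L2527 versus `go-rwx` at L2537, for sibling files in /etc/modprobe.d, and the 3.2 section repeats that `u-x,go-wx` / `go-rwx` split; one convention for both would be easier to audit. The enclosing 3.1.2 task begins before this hunk.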


@ -18,6 +18,7 @@
regexp: '^(#)?install dccp(\\s|$)'
line: "{{ item }}"
create: true
mode: 'u-x,go-wx'
loop:
- install dccp /bin/true
- blacklist dccp
@ -28,7 +29,7 @@
regexp: "^(#)?blacklist cramfs(\\s|$)"
line: "blacklist cramfs"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "3.2.2 | PATCH | Ensure tipc kernel module is not available"
when:
@ -48,6 +49,7 @@
regexp: '^(#)?install tipc(\\s|$)'
line: "{{ item }}"
create: true
mode: 'u-x,go-wx'
loop:
- install tipc /bin/true
- blacklist tipc
@ -58,7 +60,7 @@
regexp: "^(#)?blacklist tipc(\\s|$)"
line: "blacklist tipc"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "3.2.3 | PATCH | Ensure rds kernel module is not available"
when:
@ -78,6 +80,7 @@
regexp: '^(#)?install rds(\\s|$)'
line: "{{ item }}"
create: true
mode: 'u-x,go-wx'
loop:
- install rds /bin/true
- blacklist rds
@ -88,7 +91,7 @@
regexp: "^(#)?blacklist rds(\\s|$)"
line: "blacklist rds"
create: true
mode: '0600'
mode: 'go-rwx'
- name: "3.2.4 | PATCH | Ensure sctp kernel module is not available"
when:
@ -108,6 +111,7 @@
regexp: '^(#)?install sctp(\\s|$)'
line: "{{ item }}"
create: true
mode: 'u-x,go-wx'
loop:
- install sctp /bin/true
- blacklist sctp
@ -118,4 +122,4 @@
regexp: "^(#)?blacklist sctp(\\s|$)"
line: "blacklist sctp"
create: true
mode: '0600'
mode: 'go-rwx'


@ -72,8 +72,7 @@
notify: Flush ipv4 route table
- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
when:
- ubtu24cis_rule_3_3_3
when: ubtu24cis_rule_3_3_3
tags:
- level1-server
- level1-workstation
@ -97,8 +96,7 @@
notify: Flush ipv4 route table
- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored"
when:
- ubtu24cis_rule_3_3_4
when: ubtu24cis_rule_3_3_4
tags:
- level1-server
- level1-workstation
@ -122,8 +120,7 @@
notify: Flush ipv4 route table
- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
when:
- ubtu24cis_rule_3_3_5
when: ubtu24cis_rule_3_3_5
tags:
- level1-server
- level1-workstation
@ -167,8 +164,7 @@
notify: Flush ipv6 route table
- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted"
when:
- ubtu24cis_rule_3_3_6
when: ubtu24cis_rule_3_3_6
tags:
- level1-server
- level1-workstation
@ -195,8 +191,7 @@
notify: Flush ipv4 route table
- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
when:
- ubtu24cis_rule_3_3_7
when: ubtu24cis_rule_3_3_7
tags:
- level1-server
- level1-workstation


@ -1,8 +1,7 @@
---
- name: "4.1.1 | PATCH | Ensure a single firewall configuration utility is in use"
when:
- ubtu24cis_rule_4_1_1
when: ubtu24cis_rule_4_1_1
tags:
- level1-server
- level1-workstation
@ -12,31 +11,31 @@
vars:
warn_control_id: '4.1.1'
block:
- name: "4.1.1 | PATCH | Ensure a single firewall configuration utility is in use | Check packages"
- name: "4.1.1 | AUDIT | Ensure a single firewall configuration utility is in use | Check packages"
ansible.builtin.shell: dpkg-query -l | grep -Ec "^ii\s*ufw|^ii\s*iptables|^ii\s*nftables"
changed_when: false
failed_when: discovered_firewall_pkgs.rc not in [ 0, 1 ]
register: discovered_firewall_pkgs
- name: "4.1.1 | PATCH | Ensure a single firewall configuration utility is in use | Check enabled"
- name: "4.1.1 | AUDIT | Ensure a single firewall configuration utility is in use | Check enabled"
when: discovered_firewall_pkgs.stdout not in [ 0, 1 ]
ansible.builtin.shell: for svc in ufw nftables iptables; do if [ "$(systemctl is-enabled $svc | grep enabled &> /dev/null)" ]; then fw_enabled=$(( fw_enabled +1 )); fi; done; echo $fw_enabled
ansible.builtin.shell: |
for svc in ufw nftables iptables; do if [ "$(systemctl is-enabled $svc | grep enabled &> /dev/null)" ]; then fw_enabled=$(( fw_enabled +1 )); fi; done; echo $fw_enabled
changed_when: false
register: discovered_enabled_firewalls
environment:
fw_enabled: 0
fw_enabled: '0'
- name: "4.1.1 | AUDIT | Ensure a single firewall configuration utility is in use | Message out warning"
when:
- discovered_enabled_firewalls.stdout is defined
- discovered_enabled_firewalls.stdout|int >= 2
- (discovered_enabled_firewalls.stdout|int) >= 2
ansible.builtin.debug:
msg: "Warning!! You have more than one firewalls installed and running or enabled. Please use UFW, iptables, or manually manage nftables"
- name: "4.1.1 | AUDIT | Ensure a single firewall configuration utility is in use | Set warning count"
when:
- discovered_enabled_firewalls.stdout is defined
- discovered_enabled_firewalls.stdout|int >= 2
- (discovered_enabled_firewalls.stdout|int) >= 2
ansible.builtin.import_tasks:
file: warning_facts.yml
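Review bot: The loop body on L2680 does not reliably count enabled firewalls: `&>` is a bash-ism, and `ansible.builtin.shell` runs `/bin/sh` (dash on Ubuntu) unless `executable` is set, so the test's outcome depends on the shell — under bash the output that `$(...)` would capture goes to /dev/null and `[ "" ]` is always false, so `fw_enabled` stays 0 and the "more than one firewalls" warning is unreachable, while under dash `&` backgrounds grep and the redirect becomes a separate empty command. In either shell `grep enabled` also matches `disabled`. A body that works in both is `if systemctl is-enabled "$svc" 2>/dev/null | grep -qx enabled; then fw_enabled=$(( fw_enabled + 1 )); fi`, and the `'0'` seed at L2685 still works because arithmetic expansion converts the string. Separately, the guard at L2677 compares `discovered_firewall_pkgs.stdout`, a string, against the integers `[ 0, 1 ]`, so it is always true; `when: (discovered_firewall_pkgs.stdout | int) > 1` expresses the intent and matches the casting style adopted at L2690.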


@ -33,8 +33,7 @@
# Adding the allow OpenSSH rule while enabling ufw to allow ansible to run after enabling
- name: "4.2.3 | PATCH | Ensure ufw service is enabled"
when:
- ubtu24cis_rule_4_2_3
when: ubtu24cis_rule_4_2_3
tags:
- level1-server
- level1-workstation
@ -58,8 +57,7 @@
state: started
- name: "4.2.4 | PATCH | Ensure ufw loopback traffic is configured"
when:
- ubtu24cis_rule_4_2_4
when: ubtu24cis_rule_4_2_4
tags:
- level1-server
- level1-workstation
@ -98,8 +96,7 @@
notify: Reload ufw
- name: "4.2.5 | PATCH | Ensure ufw outbound connections are configured"
when:
- ubtu24cis_rule_4_2_5
when: ubtu24cis_rule_4_2_5
tags:
- level1-server
- level1-workstation
@ -126,8 +123,7 @@
notify: Reload ufw
- name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports"
when:
- ubtu24cis_rule_4_2_6
when: ubtu24cis_rule_4_2_6
tags:
- level1-server
- level1-workstation
@ -139,18 +135,18 @@
warn_control_id: '4.2.6'
block:
- name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of open ports"
ansible.builtin.shell: ss -4tuln
ansible.builtin.command: ss -4tuln
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_4_2_6_open_listen_ports
register: discovered_ufw_open_listen_ports
- name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules"
ansible.builtin.shell: ufw status
ansible.builtin.command: ufw status
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_4_2_6_firewall_rules
register: discovered_ufw_firewall_rules
- name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Message out settings"
ansible.builtin.debug:
@ -158,17 +154,16 @@
- "Warning!! Below are the listening ports and firewall rules"
- "Please create firewall rule for any open ports if not already done"
- "*****---Open Listen Ports---*****"
- "{{ ubtu24cis_4_2_6_open_listen_ports.stdout_lines }}"
- "{{ discovered_ufw_open_listen_ports.stdout_lines }}"
- "*****---Firewall Rules---*****"
- "{{ ubtu24cis_4_2_6_firewall_rules.stdout_lines }}"
- "{{ discovered_ufw_firewall_rules.stdout_lines }}"
- name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "4.2.7 | PATCH | Ensure ufw default deny firewall policy"
when:
- ubtu24cis_rule_4_2_7
when: ubtu24cis_rule_4_2_7
tags:
- level1-server
- level1-workstation


@ -96,10 +96,10 @@
ansible.builtin.debug:
msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables | Message out warning"
# ansible.builtin.shell: "nft create table {{ ubtu24cis_nftables_table_name }}"
# changed_when: ubtu24cis_4_3_4_new_table.rc == 0
# changed_when: discovered_new_nftable.rc == 0
# failed_when: false
# check_mode: false
# register: ubtu24cis_4_3_4_new_table
# register: discovered_new_nftable
- name: "4.3.4 | AUDIT | Ensure a nftables table exists | Set warning count"
ansible.builtin.import_tasks:


@ -170,20 +170,22 @@
- audit
- rule_4.4.1.4
- iptables
vars:
warn_control_id: '4.4.1.4'
block:
- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports"
ansible.builtin.shell: ss -4tuln
ansible.builtin.command: ss -4tuln
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_4_4_1_4_open_ports
register: discovered_open_ports
- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules"
ansible.builtin.shell: iptables -L INPUT -v -n
ansible.builtin.command: iptables -L INPUT -v -n
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_4_4_1_4_current_rules
register: discovered_current_rules
- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings"
ansible.builtin.debug:
@ -191,15 +193,13 @@
- "Warning!! Below is the list the open ports and current rules"
- "Please create a rule for any open port that does not have a current rule"
- "Open Ports:"
- "{{ ubtu24cis_4_4_1_4_open_ports.stdout_lines }}"
- "{{ discovered_open_ports.stdout_lines }}"
- "Current Rules:"
- "{{ ubtu24cis_4_4_1_4_current_rules.stdout_lines }}"
- "{{ discovered_current_rules.stdout_lines }}"
- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '4.4.1.4'
# ---------------
# ---------------
@ -217,9 +217,9 @@
# - name: "Make IPTables persistent | Save to persistent files"
# ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4"
# changed_when: ubtu24cis_iptables_save.rc == 0
# failed_when: ubtu24cis_iptables_save.rc > 0
# register: ubtu24cis_iptables_save
# changed_when: discovered_iptables_save.rc == 0
# failed_when: discovered_iptables_save.rc > 0
# register: discovered_iptables_save
# when:
# - ubtu24cis_firewall_package == "iptables"
# - ubtu24cis_save_iptables_cis_rules
@ -353,18 +353,18 @@
warn_control_id: '4.4.1.4'
block:
- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports"
ansible.builtin.shell: ss -6tuln
ansible.builtin.command: ss -6tuln
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_4_4_1_4_open_ports
register: discovered_open_ports
- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules"
ansible.builtin.shell: ip6tables -L INPUT -v -n
ansible.builtin.command: ip6tables -L INPUT -v -n
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_4_4_1_4_current_rules
register: discovered_current_rules
- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings"
ansible.builtin.debug:
@ -372,9 +372,9 @@
- "Warning!! Below is the list the open ports and current rules"
- "Please create a rule for any open port that does not have a current rule"
- "Open Ports:"
- "{{ ubtu24cis_4_4_1_4_open_ports.stdout_lines }}"
- "{{ discovered_open_ports.stdout_lines }}"
- "Current Rules:"
- "{{ ubtu24cis_4_4_1_4_current_rules.stdout_lines }}"
- "{{ discovered_current_rules.stdout_lines }}"
- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count"
ansible.builtin.import_tasks:
@ -398,9 +398,9 @@
# - name: "Make IP6Tables persistent | Save to persistent files"
# ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6"
# changed_when: ubtu24cis_ip6tables_save.rc == 0
# failed_when: ubtu24cis_ip6tables_save.rc > 0
# register: ubtu24cis_ip6tables_save
# changed_when: discovered_ip6tables_save.rc == 0
# failed_when: discovered_ip6tables_save.rc > 0
# register: discovered_ip6tables_save
# when:
# - ubtu24cis_firewall_package == "iptables"
# - ubtu24cis_ipv6_required


@ -133,18 +133,18 @@
warn_control_id: '4.4.2.4'
block:
- name: "4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports"
ansible.builtin.shell: ss -4tuln
ansible.builtin.command: ss -4tuln
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_4_4_1_4_open_ports
register: discovered_open_ports
- name: "4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules"
ansible.builtin.shell: iptables -L INPUT -v -n
ansible.builtin.command: iptables -L INPUT -v -n
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_4_4_2_4_current_rules
register: discovered_current_rules
- name: "4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings"
ansible.builtin.debug:
@ -152,9 +152,9 @@
- "Warning!! Below is the list the open ports and current rules"
- "Please create a rule for any open port that does not have a current rule"
- "Open Ports:"
- "{{ ubtu24cis_4_4_2_4_open_ports.stdout_lines }}"
- "{{ discovered_open_ports.stdout_lines }}"
- "Current Rules:"
- "{{ ubtu24cis_4_4_2_4_current_rules.stdout_lines }}"
- "{{ discovered_current_rules.stdout_lines }}"
- name: "4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count"
ansible.builtin.import_tasks:
@ -176,9 +176,9 @@
# - name: "Make IPTables persistent | Save to persistent files"
# ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4"
# changed_when: ubtu24cis_iptables_save.rc == 0
# failed_when: ubtu24cis_iptables_save.rc > 0
# register: ubtu24cis_iptables_save
# changed_when: discovered_iptables_save.rc == 0
# failed_when: discovered_iptables_save.rc > 0
# register: discovered_iptables_save
# when:
# - ubtu24cis_firewall_package == "iptables"
# - ubtu24cis_save_iptables_cis_rules


@ -1,8 +1,7 @@
---
- name: "4.4.3.1 | PATCH | Ensure ip6tables default deny firewall policy"
when:
- ubtu24cis_rule_4_4_3_1
when: ubtu24cis_rule_4_4_3_1
tags:
- level1-server
- level1-workstationå
@ -126,18 +125,18 @@
warn_control_id: '4.4.3.4'
block:
- name: "4.4.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports"
ansible.builtin.shell: ss -6tuln
ansible.builtin.command: ss -6tuln
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_4_4_3_4_open_ports
register: discovered_open_ports
- name: "4.4.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules"
ansible.builtin.shell: ip6tables -L INPUT -v -n
ansible.builtin.command: ip6tables -L INPUT -v -n
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_4_4_3_4_current_rules
register: discovered_current_rules
- name: "4.4.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings"
ansible.builtin.debug:
@ -145,9 +144,9 @@
- "Warning!! Below is the list the open ports and current rules"
- "Please create a rule for any open port that does not have a current rule"
- "Open Ports:"
- "{{ ubtu24cis_4_4_3_4_open_ports.stdout_lines }}"
- "{{ discovered_open_ports.stdout_lines }}"
- "Current Rules:"
- "{{ ubtu24cis_4_4_3_4_current_rules.stdout_lines }}"
- "{{ discovered_current_rules.stdout_lines }}"
- name: "4.4.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count"
ansible.builtin.import_tasks:
@ -171,9 +170,9 @@
# - name: "Make IP6Tables persistent | Save to persistent files"
# ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6"
# changed_when: ubtu24cis_ip6tables_save.rc == 0
# failed_when: ubtu24cis_ip6tables_save.rc > 0
# register: ubtu24cis_ip6tables_save
# changed_when: discovered_ip6tables_save.rc == 0
# failed_when: discovered_ip6tables_save.rc > 0
# register: discovered_ip6tables_save
# when:
# - ubtu24cis_firewall_package == "iptables"
# - ubtu24cis_ipv6_required
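Review bot: The tag `level1-workstationå` in the first hunk of this file carries a stray trailing `å`; if that character is literally in the file rather than a rendering artifact, `--tags level1-workstation` will not select rule 4.4.3.1 while every sibling rule is still selected, which silently skips the ip6tables default-deny policy. The line should read `- level1-workstation`. The 4.4.3.1 block continues outside the hunk.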


@ -1,8 +1,7 @@
---
- name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
when:
- ubtu24cis_rule_5_1_1
when: ubtu24cis_rule_5_1_1
tags:
- level1-server
- level1-workstation
@ -36,8 +35,7 @@
loop: "{{ discovered_sshd_confs.files }}"
- name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured"
when:
- ubtu24cis_rule_5_1_2
when: ubtu24cis_rule_5_1_2
tags:
- level1-server
- level1-workstation
@ -51,7 +49,7 @@
ansible.builtin.find:
paths: /etc/ssh
patterns: 'ssh_host_*_key'
register: ubtu24cis_5_1_2_ssh_host_priv_keys
register: discovered_ssh_host_priv_keys
- name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions"
ansible.builtin.file:
@ -60,13 +58,12 @@
group: root
mode: 'o-x,go-rwx'
with_items:
- "{{ ubtu24cis_5_1_2_ssh_host_priv_keys.files }}"
- "{{ discovered_ssh_host_priv_keys.files }}"
loop_control:
label: "{{ item.path }}"
- name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured"
when:
- ubtu24cis_rule_5_1_3
when: ubtu24cis_rule_5_1_3
tags:
- level1-server
- level1-workstation
@ -80,22 +77,21 @@
ansible.builtin.find:
paths: /etc/ssh
patterns: 'ssh_host_*_key.pub'
register: ubtu24cis_5_1_3_ssh_host_pub_keys
register: discovered_ssh_host_pub_keys
- name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions"
ansible.builtin.file:
path: "{{ item.path }}"
owner: root
group: root
mode: '0644'
mode: 'go-wx'
with_items:
- "{{ ubtu24cis_5_1_3_ssh_host_pub_keys.files }}"
- "{{ discovered_ssh_host_pub_keys.files }}"
loop_control:
label: "{{ item.path }}"
- name: "5.1.4 | PATCH | Ensure sshd access is configured"
when:
- ubtu24cis_rule_5_1_4
when: ubtu24cis_rule_5_1_4
tags:
- level1-server
- level1-workstation
@ -106,44 +102,43 @@
- sshd
block:
- name: "5.1.4 | PATCH | Ensure sshd access is configured | Add allowed users"
when: "ubtu24cis_sshd['allow_users']| default('') | length > 0 "
when: "ubtu24cis_sshd_allow_users| default('') | length > 0 "
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^(#|)\s*AllowUsers'
line: 'AllowUsers {{ ubtu24cis_sshd.allow_users }}'
line: 'AllowUsers {{ ubtu24cis_sshd_allow_users }}'
validate: 'sshd -t -f %s'
notify: Restart sshd
- name: "5.1.4 | PATCH | Ensure sshd access is configured | Add allowed groups"
when: "ubtu24cis_sshd['allow_groups']| default('') | length > 0"
when: "ubtu24cis_sshd_allow_groups| default('') | length > 0"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^(#|)\s*AllowGroups'
line: 'AllowGroups {{ ubtu24cis_sshd.allow_groups }}'
line: 'AllowGroups {{ ubtu24cis_sshd_allow_groups }}'
validate: 'sshd -t -f %s'
notify: Restart sshd
- name: "5.1.4 | PATCH | Ensure sshd access is configured | Add deny users"
when: "ubtu24cis_sshd['deny_users']| default('') | length > 0"
when: "ubtu24cis_sshd_deny_users| default('') | length > 0"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '(?i)^(#|)\s*DenyUsers'
line: 'DenyUsers {{ ubtu24cis_sshd.deny_users }}'
line: 'DenyUsers {{ ubtu24cis_sshd_deny_users }}'
validate: 'sshd -t -f %s'
notify: Restart sshd
- name: "5.1.4 | PATCH | Ensure sshd access is configured | Add deny groups"
when: "ubtu24cis_sshd['deny_groups']| default('') | length > 0"
when: "ubtu24cis_sshd_deny_groups| default('') | length > 0"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^DenyGroups|^#DenyGroups'
line: 'DenyGroups {{ ubtu24cis_sshd.deny_groups }}'
line: 'DenyGroups {{ ubtu24cis_sshd_deny_groups }}'
validate: 'sshd -t -f %s'
notify: Restart sshd
- name: "5.1.5| PATCH | Ensure sshd Banner is configured"
when:
- ubtu24cis_rule_5_1_5
when: ubtu24cis_rule_5_1_5
tags:
- level1-server
- level1-workstation
@ -164,8 +159,7 @@
notify: Restart sshd
- name: "5.1.6 | PATCH | Ensure sshd Ciphers are configured"
when:
- ubtu24cis_rule_5_1_6
when: ubtu24cis_rule_5_1_6
tags:
- level1-server
- level1-workstation
@ -176,14 +170,13 @@
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: ^Ciphers
line: "Ciphers {{ ubtu24cis_sshd.ciphers | join(',') }}"
line: "Ciphers {{ ubtu24cis_sshd_ciphers | join(',') }}"
insertafter: '^# Ciphers and keying'
validate: 'sshd -t -f %s'
notify: Restart sshd
- name: "5.1.7 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured"
when:
- ubtu24cis_rule_5_1_7
when: ubtu24cis_rule_5_1_7
tags:
- level1-server
- level1-workstation
@ -201,13 +194,12 @@
line: "{{ item.line }}"
validate: 'sshd -t -f %s'
with_items:
- { regexp: '^ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu24cis_sshd.client_alive_interval | default(ubtu24cis_sshd_default_client_alive_interval) }}' }
- { regexp: '^ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu24cis_sshd.client_alive_count_max | default(ubtu24cis_sshd_default_client_alive_count_max) }}' }
- { regexp: '^ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu24cis_sshd_client_alive_interval | default(ubtu24cis_sshd_default_client_alive_interval) }}' }
- { regexp: '^ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu24cis_sshd_client_alive_count_max | default(ubtu24cis_sshd_default_client_alive_count_max) }}' }
notify: Restart sshd
- name: "5.1.8 | PATCH | Ensure sshd DisableForwarding is enabled"
when:
- ubtu24cis_rule_5_1_8
when: ubtu24cis_rule_5_1_8
tags:
- level2-server
- level1-workstation
@ -223,8 +215,7 @@
notify: Restart sshd
- name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is is disabled"
when:
- ubtu24cis_rule_5_1_9
when: ubtu24cis_rule_5_1_9
tags:
- level2-server
- level1-workstation
@ -244,8 +235,7 @@
notify: Restart sshd
- name: "5.1.10 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
when:
- ubtu24cis_rule_5_1_10
when: ubtu24cis_rule_5_1_10
tags:
- level1-server
- level1-workstation
@ -265,8 +255,7 @@
notify: Restart sshd
- name: "5.1.11 | PATCH | Ensure SSH IgnoreRhosts is enabled"
when:
- ubtu24cis_rule_5_1_11
when: ubtu24cis_rule_5_1_11
tags:
- level1-server
- level1-workstation
@ -286,8 +275,7 @@
notify: Restart sshd
- name: "5.1.12 | PATCH | Ensure only strong Key Exchange algorithms are used"
when:
- ubtu24cis_rule_5_1_12
when: ubtu24cis_rule_5_1_12
tags:
- level1-server
- level1-workstation
@ -298,14 +286,13 @@
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: (?i)^(#|)\s*KexAlgorithms
line: "KexAlgorithms {{ ubtu24cis_sshd.kex_algorithms | default(ubtu24cis_sshd_default_kex_algorithms) | join(',') }}"
line: "KexAlgorithms {{ ubtu24cis_sshd_kex_algorithms | default(ubtu24cis_sshd_default_kex_algorithms) | join(',') }}"
insertafter: '^# Ciphers and keying'
validate: 'sshd -t -f %s'
notify: Restart sshd
- name: "5.1.13 | PATCH | Ensure SSH LoginGraceTime is configured"
when:
- ubtu24cis_rule_5_1_13
when: ubtu24cis_rule_5_1_13
tags:
- level1-server
- level1-workstation
@ -316,14 +303,13 @@
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: (?i)^(#|)\s*LoginGraceTime
line: 'LoginGraceTime {{ ubtu24cis_sshd.login_grace_time | default(ubtu24cis_sshd_default_login_grace_time) }}'
line: 'LoginGraceTime {{ ubtu24cis_sshd_login_grace_time | default(ubtu24cis_sshd_default_login_grace_time) }}'
insertafter: '^# Authentication'
validate: 'sshd -t -f %s'
notify: Restart sshd
- name: "5.1.14 | PATCH | Ensure SSH LogLevel is configured"
when:
- ubtu24cis_rule_5_1_14
when: ubtu24cis_rule_5_1_14
tags:
- level1-server
- level1-workstation
@ -336,14 +322,13 @@
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: (?i)^(#|)\s*LogLevel
line: 'LogLevel {{ ubtu24cis_sshd.log_level | default(ubtu24cis_sshd_default_log_level) }}'
line: 'LogLevel {{ ubtu24cis_sshd_log_level | default(ubtu24cis_sshd_default_log_level) }}'
insertafter: '^# Logging'
validate: 'sshd -t -f %s'
notify: Restart sshd
- name: "5.1.15 | PATCH | Ensure only strong MAC algorithms are used"
when:
- ubtu24cis_rule_5_1_15
when: ubtu24cis_rule_5_1_15
tags:
- level1-server
- level1-workstation
@ -358,14 +343,13 @@
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: (?i)^(#|)\s*MACs
line: "MACs {{ ubtu24cis_sshd.macs | default(ubtu24cis_sshd_default_macs) | join(',') }}"
line: "MACs {{ ubtu24cis_sshd_macs | default(ubtu24cis_sshd_default_macs) | join(',') }}"
insertafter: '^# Ciphers and keying'
validate: 'sshd -t -f %s'
notify: Restart sshd
- name: "5.1.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
when:
- ubtu24cis_rule_5_1_16
when: ubtu24cis_rule_5_1_16
tags:
- level1-server
- level1-workstation
@ -376,14 +360,13 @@
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: (?i)^(#|)\s*MaxAuthTries
line: 'MaxAuthTries {{ ubtu24cis_sshd.max_auth_tries | default(ubtu24cis_sshd_default_max_auth_tries) }}'
line: 'MaxAuthTries {{ ubtu24cis_sshd_max_auth_tries | default(ubtu24cis_sshd_default_max_auth_tries) }}'
insertafter: '^# Authentication'
validate: 'sshd -t -f %s'
notify: Restart sshd
- name: "5.1.17 | PATCH | Ensure sshd MaxSessions is configured"
when:
- ubtu24cis_rule_5_1_17
when: ubtu24cis_rule_5_1_17
tags:
- level1-server
- level1-workstation
@ -398,14 +381,13 @@
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: (?i)^(#|)\s*MaxSessions
line: 'MaxSessions {{ ubtu24cis_sshd.max_sessions | default(ubtu24cis_sshd_default_max_sessions) }}'
line: 'MaxSessions {{ ubtu24cis_sshd_max_sessions | default(ubtu24cis_sshd_default_max_sessions) }}'
insertafter: '^# Authentication'
validate: 'sshd -t -f %s'
notify: Restart sshd
- name: "5.1.18 | PATCH | Ensure SSH MaxStartups is configured"
when:
- ubtu24cis_rule_5_1_18
when: ubtu24cis_rule_5_1_18
tags:
- level1-server
- level1-workstation
@ -425,8 +407,7 @@
notify: Restart sshd
- name: "5.1.19 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
when:
- ubtu24cis_rule_5_1_19
when: ubtu24cis_rule_5_1_19
tags:
- level1-server
- level1-workstation
@ -447,8 +428,7 @@
notify: Restart sshd
- name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled"
when:
- ubtu24cis_rule_5_1_20
when: ubtu24cis_rule_5_1_20
tags:
- level1-server
- level1-workstation
@ -464,8 +444,7 @@
notify: Restart sshd
- name: "5.1.21 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
when:
- ubtu24cis_rule_5_1_21
when: ubtu24cis_rule_5_1_21
tags:
- level1-server
- level1-workstation
@ -485,8 +464,7 @@
notify: Restart sshd
- name: "5.1.22 | PATCH | Ensure sshd UsePAM is enabled"
when:
- ubtu24cis_rule_5_1_22
when: ubtu24cis_rule_5_1_22
tags:
- level1-server
- level1-workstation
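Review bot: The renamed guards in the 5.1.4 hunk, `when: "ubtu24cis_sshd_allow_users| default('') | length > 0 "` and its three siblings, use `default('')` so an undefined variable is indistinguishable from an intentionally empty one; if the flat `ubtu24cis_sshd_allow_users` / `_allow_groups` / `_deny_users` / `_deny_groups` names are not also introduced in the role defaults (not visible here), all four AllowUsers/AllowGroups/DenyUsers/DenyGroups tasks become silent no-ops instead of failing loudly, and the `| default(ubtu24cis_sshd_default_*)` fallbacks in the later hunks mask a missed rename the same way. Dropping the `default('')` on these four, or asserting the variables in a prelim task, would make the rename fail fast. Separately, the DenyGroups task in the same hunk keeps `regexp: '^DenyGroups|^#DenyGroups'` while its three siblings use `(?i)^(#|)\s*DenyGroups`, so a `#  DenyGroups` or lower-case line is not matched and a second directive is appended, which sshd ignores because the first value obtained for a keyword wins; `regexp: '(?i)^(#|)\s*DenyGroups'` makes it consistent. Style nit: the quoted conditions carry a trailing space inside the string and no space before the first `|`. The 5.1.4 block header sits in the preceding hunk.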


@ -1,8 +1,7 @@
---
- name: "5.2.1 | PATCH | Ensure sudo is installed"
when:
- ubtu24cis_rule_5_2_1
when: ubtu24cis_rule_5_2_1
tags:
- level1-server
- level1-workstation
@ -15,8 +14,7 @@
state: present
- name: "5.2.2 | PATCH | Ensure sudo commands use pty"
when:
- ubtu24cis_rule_5_2_2
when: ubtu24cis_rule_5_2_2
tags:
- level1-server
- level1-workstation
@ -31,8 +29,7 @@
insertafter: '^\s*Defaults'
- name: "5.2.3 | PATCH | Ensure sudo log file exists"
when:
- ubtu24cis_rule_5_2_3
when: ubtu24cis_rule_5_2_3
tags:
- level1-server
- level1-workstation
@ -48,8 +45,7 @@
insertafter: '^\s*Defaults'
- name: "5.2.4 | PATCH | Ensure users must provide password for escalation"
when:
- ubtu24cis_rule_5_2_4
when: ubtu24cis_rule_5_2_4
tags:
- level2-server
- level2-workstation
@ -75,8 +71,7 @@
loop: "{{ discovered_sudoers_nopasswd.stdout_lines }}"
- name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
when:
- ubtu24cis_rule_5_2_5
when: ubtu24cis_rule_5_2_5
tags:
- level1-server
- level1-workstation
@ -92,8 +87,7 @@
loop: "{{ prelim_sudoers_files.stdout_lines }}"
- name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
when:
- ubtu24cis_rule_5_2_6
when: ubtu24cis_rule_5_2_6
tags:
- level1-server
- level1-workstation
@ -106,10 +100,10 @@
ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
changed_when: false
failed_when: false
register: ubtu24cis_5_2_6_timeout_files
register: discovered_ubtu24cis_ssh_timeout_files
- name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results"
when: ubtu24cis_5_2_6_timeout_files.stdout | length == 0
when: discovered_ubtu24cis_ssh_timeout_files.stdout | length == 0
ansible.builtin.lineinfile:
path: /etc/sudoers
regexp: '^\s*Defaults/s+timestamp_timeout='
@ -118,17 +112,16 @@
validate: '/usr/sbin/visudo -cf %s'
- name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"
when: ubtu24cis_5_2_6_timeout_files.stdout | length > 0
when: discovered_ubtu24cis_ssh_timeout_files.stdout | length > 0
ansible.builtin.replace:
path: "{{ item }}"
regexp: 'timestamp_timeout=(\d+)'
replace: "timestamp_timeout={{ ubtu24cis_sudo_timestamp_timeout }}"
validate: '/usr/sbin/visudo -cf %s'
loop: "{{ ubtu24cis_5_2_6_timeout_files.stdout_lines }}"
loop: "{{ discovered_ubtu24cis_ssh_timeout_files.stdout_lines }}"
- name: "5.2.7 | PATCH | Ensure access to the su command is restricted"
when:
- ubtu24cis_rule_5_2_7
when: ubtu24cis_rule_5_2_7
tags:
- level1-server
- level1-workstation
@ -142,7 +135,6 @@
ansible.builtin.group:
name: "{{ ubtu24cis_sugroup }}"
state: present
register: ubtu24cis_5_2_7_sugroup
- name: "5.2.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
ansible.builtin.lineinfile:
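Review bot: The new register name `discovered_ubtu24cis_ssh_timeout_files` in the 5.2.6 hunk names an SSH artifact for a search of `/etc/sudoers` and `/etc/sudoers.d/*`, and it also keeps the role prefix that the other renames in this commit drop; `discovered_sudo_timeout_files` would match both the content and the convention used elsewhere (`discovered_sudoers_nopasswd`, `discovered_pam_nullok`), applied to the register, the two `when:` lines and the `loop:`. While there, the context line `regexp: '^\s*Defaults/s+timestamp_timeout='` in the "Set value if no results" task has `/s+` where `\s+` is clearly intended, so it can never match an existing `Defaults timestamp_timeout=` line; this is pre-existing but the hunk touches the task. The 5.2.6 block starts in the previous hunk.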


@ -19,7 +19,7 @@
dest: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwunix_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
notify: Pam_auth_update_pwunix
- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled"
@ -41,7 +41,7 @@
dest: "/{{ ubtu24cis_pam_confd_dir }}{{ item }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
loop:
- "{{ ubtu24cis_pam_faillock_file }}"
- "{{ ubtu24cis_pam_faillock_notify_file }}"
@ -67,7 +67,7 @@
dest: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwquality_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
notify: Pam_auth_update_pwquality
- name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled"
@ -88,5 +88,5 @@
dest: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
notify: Pam_auth_update_pwhistory
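Review bot: Replacing `mode: '0600'` with the symbolic `mode: 'go-rwx'` on the four template tasks weakens the guarantee: a symbolic mode only removes bits and leaves whatever owner bits the destination already has, so a pre-existing profile with an owner-execute or setuid bit keeps it, whereas the absolute `0600` pinned the whole mode. If the intent is to avoid clobbering an operator's stricter mode, `mode: 'u=rw,go-rwx'` (or `'u-x,go-rwx'`) keeps the owner bits deterministic while still only tightening. The same substitution is made in every template task of the 5.3.3.2.x pwquality file and the same fix applies there. Each task's header lies outside its hunk.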


@ -1,8 +1,7 @@
---
- name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured"
when:
- ubtu24cis_rule_5_3_3_1_1
when: ubtu24cis_rule_5_3_3_1_1
tags:
- level1-server
- level1-workstation
@ -18,15 +17,16 @@
line: "deny = {{ ubtu24cis_faillock_deny }}"
insertafter: '^# end of pam-auth-update config'
create: true
mode: 'go-wx'
- name: "5.3.3.1.1 | AUDIT | Ensure password failed attempts lockout is configured | discover pam config with deny"
ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?deny\b' /usr/share/pam-configs/*
register: ubtu24cis_faillock_deny_files
register: discovered_faillock_deny_files
changed_when: false
failed_when: ubtu24cis_faillock_deny_files.rc not in [ 0, 1 ]
failed_when: discovered_faillock_deny_files.rc not in [ 0, 1 ]
- name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | if exists remove deny from faillock line in pam-auth conf files"
when: ubtu24cis_faillock_deny_files.stdout | length > 0
when: discovered_faillock_deny_files.stdout | length > 0
ansible.builtin.replace:
path: "{{ item }}"
regexp: '(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)'
@ -36,8 +36,7 @@
- '/etc/pam.d/*'
- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured"
when:
- ubtu24cis_rule_5_3_3_1_2
when: ubtu24cis_rule_5_3_3_1_2
tags:
- level1-server
- level1-workstation
@ -53,15 +52,16 @@
line: "unlock_time = {{ ubtu24cis_faillock_unlock_time }}"
insertafter: '^# end of pam-auth-update config'
create: true
mode: 'go-wx'
- name: "5.3.3.1.2 | AUDIT | Ensure password unlock time is configured | discover pam config with unlock_time"
ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?unlock_time\b' /usr/share/pam-configs/*
register: ubtu24cis_faillock_unlock_files
register: discovered_faillock_unlock_files
changed_when: false
failed_when: ubtu24cis_faillock_unlock_files.rc not in [ 0, 1 ]
failed_when: discovered_faillock_unlock_files.rc not in [ 0, 1 ]
- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | if exists remove unlock_time from faillock line in pam-auth conf files"
when: ubtu24cis_faillock_unlock_files.stdout | length > 0
when: discovered_faillock_unlock_files.stdout | length > 0
ansible.builtin.replace:
path: "{{ item }}"
regexp: '(*.pam_faillock.so\s*)unlock_time\s*=\s*\b(.*)'
@ -71,8 +71,7 @@
- '/etc/pam.d/*'
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
when:
- ubtu24cis_rule_5_3_3_1_3
when: ubtu24cis_rule_5_3_3_1_3
tags:
- level2-server
- level2-workstation
@ -88,15 +87,16 @@
line: "{{ ubtu24cis_pamroot_lock_string }}"
insertafter: '^# end of pam-auth-update config'
create: true
mode: 'go-wx'
- name: "5.3.3.1.3 | AUDIT | Ensure password failed attempts lockout includes root account | discover pam config with unlock_time"
ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)' /usr/share/pam-configs/*
register: ubtu24cis_faillock_rootlock_files
register: discovered_faillock_rootlock_files
changed_when: false
failed_when: ubtu24cis_faillock_rootlock_files.rc not in [ 0, 1 ]
failed_when: discovered_faillock_rootlock_files.rc not in [ 0, 1 ]
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | if exists remove unlock_time from faillock line in pam-auth conf files"
when: ubtu24cis_faillock_rootlock_files.stdout | length > 0
when: discovered_faillock_rootlock_files.stdout | length > 0
ansible.builtin.replace:
path: "{{ item }}"
regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)'
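Review bot: The three `ansible.builtin.replace` tasks in this file use `regexp: '(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)'` (and the unlock_time and even_deny_root variants); the leading `(*.` is `.*` transposed, and Python's `re` rejects a quantifier at the start of a group with "nothing to repeat", so each task would error the first time its `discovered_faillock_*_files.stdout` guard is non-empty instead of stripping the option. Those lines are context here, but the commit rewrites every neighbouring line, so this is the place to fix them: `regexp: '(.*pam_faillock\.so\s*)deny\s*=\s*\d+\b(.*)'` (with the `.so` dot escaped, since it is literal), and likewise for the other two. The `loop:` target list after each regexp is outside the hunk.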


@ -1,8 +1,7 @@
---
- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured"
when:
- ubtu24cis_rule_5_3_3_2_1
when: ubtu24cis_rule_5_3_3_2_1
tags:
- level1-server
- level1-workstation
@ -12,8 +11,7 @@
- pam
block:
- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from conf files except expected file"
when:
- item != ubtu24cis_passwd_difok_file
when: item != ubtu24cis_passwd_difok_file
ansible.builtin.replace:
path: "{{ item }}"
regexp: 'difok\s*=\s*\d+\b'
@ -29,11 +27,10 @@
dest: "/{{ ubtu24cis_passwd_difok_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured"
when:
- ubtu24cis_rule_5_3_3_2_2
when: ubtu24cis_rule_5_3_3_2_2
tags:
- level1-server
- level1-workstation
@ -43,8 +40,7 @@
- pam
block:
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file"
when:
- item != ubtu24cis_passwd_minlen_file
when: item != ubtu24cis_passwd_minlen_file
ansible.builtin.replace:
path: "{{ item }}"
regexp: 'minlen\s*=\s*\d+\b'
@ -60,11 +56,10 @@
dest: "/{{ ubtu24cis_passwd_minlen_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured"
when:
- ubtu24cis_rule_5_3_3_2_3
when: ubtu24cis_rule_5_3_3_2_3
tags:
- level1-server
- level1-workstation
@ -74,8 +69,7 @@
- pam
block:
- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove pwd complex settings from conf files except expected file"
when:
- item != ubtu24cis_passwd_complex_file
when: item != ubtu24cis_passwd_complex_file
ansible.builtin.replace:
path: "{{ item }}"
regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b'
@ -91,11 +85,10 @@
dest: "/{{ ubtu24cis_passwd_complex_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured"
when:
- ubtu24cis_rule_5_3_3_2_4
when: ubtu24cis_rule_5_3_3_2_4
tags:
- level1-server
- level1-workstation
@ -105,8 +98,7 @@
- pam
block:
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file"
when:
- item != ubtu24cis_passwd_maxrepeat_file
when: item != ubtu24cis_passwd_maxrepeat_file
ansible.builtin.replace:
path: "{{ item }}"
regexp: 'maxrepeat\s*=\s*\d+\b'
@ -122,11 +114,10 @@
dest: "/{{ ubtu24cis_passwd_maxrepeat_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured"
when:
- ubtu24cis_rule_5_3_3_2_5
when: ubtu24cis_rule_5_3_3_2_5
tags:
- level1-server
- level1-workstation
@ -136,8 +127,7 @@
- pam
block:
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence settings from conf files except expected file"
when:
- item != ubtu24cis_passwd_maxsequence_file
when: item != ubtu24cis_passwd_maxsequence_file
ansible.builtin.replace:
path: "{{ item }}"
regexp: 'maxsequence\s*=\s*\d+\b'
@ -153,11 +143,10 @@
dest: "/{{ ubtu24cis_passwd_maxsequence_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled"
when:
- ubtu24cis_rule_5_3_3_2_6
when: ubtu24cis_rule_5_3_3_2_6
tags:
- level1-server
- level1-workstation
@ -167,8 +156,7 @@
- pam
block:
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file"
when:
- item != ubtu24cis_passwd_dictcheck_file
when: item != ubtu24cis_passwd_dictcheck_file
ansible.builtin.replace:
path: "{{ item }}"
regexp: 'dictcheck\s*=\s*\d+\b'
@ -184,11 +172,10 @@
dest: "/{{ ubtu24cis_passwd_dictcheck_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced"
when:
- ubtu24cis_rule_5_3_3_2_7
when: ubtu24cis_rule_5_3_3_2_7
tags:
- level1-server
- level1-workstation
@ -198,8 +185,7 @@
- pam
block:
- name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Remove quality enforcement settings from conf files except expected file"
when:
- item != ubtu24cis_passwd_quality_enforce_file
when: item != ubtu24cis_passwd_quality_enforce_file
ansible.builtin.replace:
path: "{{ item }}"
regexp: 'enforcing\s*=\s*\d+\b'
@ -215,11 +201,10 @@
dest: "/{{ ubtu24cis_passwd_quality_enforce_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
- name: "5.3.3.2.8 | PATCH | Ensure password quality is enforced for the root user"
when:
- ubtu24cis_rule_5_3_3_2_8
when: ubtu24cis_rule_5_3_3_2_8
tags:
- level1-server
- level1-workstation
@ -232,4 +217,4 @@
dest: "/{{ ubtu24cis_passwd_quality_enforce_root_file }}"
owner: root
group: root
mode: '0600'
mode: 'go-rwx'
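Review bot: The 5.3.3.2.3 cleanup regexp `(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b` only matches single-digit negative values: for `dcredit=-10` the `-\d` branch stops at `-1` and then fails the `\b`, and the `\d+` branch cannot start at the `-`, so a stale two-digit credit setting survives in the non-expected file and competes with the templated one. The line is context in the hunk, but the task's `when:` directly above it is rewritten by the commit. `regexp: '(minclass|[dulo]credit)\s*=\s*-?\d+\b'` covers both signs and any width. The enclosing 5.3.3.2.3 block header is in the preceding hunk.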


@ -14,12 +14,12 @@
block:
- name: "5.3.3.3.1 | AUDIT | Ensure password history remember is configured | Check existing files"
ansible.builtin.shell: grep -Psi -- '^\s*password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+([^#\n\r]+\s+)?remember=\d+\b' /etc/pam.d/common-password
register: ubtu24_pwhistory_remember
register: discovered_pwhistory_remember
changed_when: false
failed_when: ubtu24_pwhistory_remember.rc not in [0, 1]
failed_when: discovered_pwhistory_remember.rc not in [0, 1]
- name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set"
when: ubtu24_pwhistory_remember.stdout | length > 0
when: discovered_pwhistory_remember.stdout | length > 0
ansible.builtin.lineinfile:
path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}"
regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(remember=\d+)
@ -41,12 +41,12 @@
block:
- name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files"
ansible.builtin.shell: grep -Psi -- '^\s*password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+([^#\n\r]+\s+)?enforce_for_root\b' /etc/pam.d/common-password
register: ubtu24_pwhistory_enforce_for_root
register: discovered_pwhistory_enforce_for_root
changed_when: false
failed_when: ubtu24_pwhistory_enforce_for_root.rc not in [0, 1]
failed_when: discovered_pwhistory_enforce_for_root.rc not in [0, 1]
- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure remember is set"
when: ubtu24_pwhistory_enforce_for_root.stdout | length > 0
when: discovered_pwhistory_enforce_for_root.stdout | length > 0
ansible.builtin.lineinfile:
path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}"
regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(enforce_for_root)
@ -68,12 +68,12 @@
block:
- name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files"
ansible.builtin.shell: grep -Psi -- '^\s*password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+([^#\n\r]+\s+)?use_authtok\b' /etc/pam.d/common-password
register: ubtu24_pwhistory_use_authtok
register: discovered_pwhistory_use_authtok
changed_when: false
failed_when: ubtu24_pwhistory_use_authtok.rc not in [0, 1]
failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1]
- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure remember is set"
when: ubtu24_pwhistory_use_authtok.stdout | length > 0
when: discovered_pwhistory_use_authtok.stdout | length > 0
ansible.builtin.lineinfile:
path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}"
regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(use_authtok)
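Review bot: Three task names in this file are copy-paste leftovers that mislead anyone reading play output: `5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set` repeats the 5.3.3.2.1 title, and the 5.3.3.3.2 and 5.3.3.3.3 patch tasks both end in "Ensure remember is set" although they set `enforce_for_root` and `use_authtok`. Suggested names: `5.3.3.3.1 | PATCH | Ensure password history remember is configured | Ensure remember is set`, `5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set`, `5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure use_authtok is set`. These lines are context in the hunks that rename the registers around them; each block's header lies outside its hunk.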


@ -15,21 +15,20 @@
- name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | capture state"
ansible.builtin.shell: grep -E "pam_unix.so.*nullok" /etc/pam.d/common-* /usr/share/pam-configs/* | cut -d ':' -f1 | uniq
changed_when: false
failed_when: ubtu24cis_pam_nullok.rc not in [ 0, 1 ]
register: ubtu24cis_pam_nullok
failed_when: discovered_pam_nullok.rc not in [ 0, 1 ]
register: discovered_pam_nullok
- name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Ensure nullok removed"
when: ubtu24cis_pam_nullok.stdout | length > 0
when: discovered_pam_nullok.stdout | length > 0
ansible.builtin.replace:
path: "{{ item }}"
regexp: nullok
replace: ''
loop: "{{ ubtu24cis_pam_nullok.stdout_lines }}"
loop: "{{ discovered_pam_nullok.stdout_lines }}"
notify: Pam_auth_update_pwunix
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember"
when:
- ubtu24cis_rule_5_3_3_4_2
when: ubtu24cis_rule_5_3_3_4_2
tags:
- level1-server
- level1-workstation
@ -41,11 +40,11 @@
- name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state"
ansible.builtin.shell: grep -PH -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} | grep -Pv -- '\bremember=\d\b'
changed_when: false
failed_when: ubtu24cis_pam_remember.rc not in [ 0, 1 ]
register: ubtu24cis_pam_remember
failed_when: discovered_pam_remember.rc not in [ 0, 1 ]
register: discovered_pam_remember
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Ensure remember removed"
when: ubtu24cis_pam_remember.stdout | length > 0
when: discovered_pam_remember.stdout | length > 0
ansible.builtin.replace:
path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwunix_file }}"
regexp: remember=\d+
@ -53,8 +52,7 @@
notify: Pam_auth_update_pwunix
- name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm"
when:
- ubtu24cis_rule_5_3_3_4_3
when: ubtu24cis_rule_5_3_3_4_3
tags:
- level1-server
- level1-workstation
@ -66,11 +64,11 @@
- name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state"
ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?("{{ ubtu24cis_passwd_hash_algo }}")\b' /etc/pam.d/common-password
changed_when: false
failed_when: ubtu24cis_pam_pwhash.rc not in [ 0, 1 ]
register: ubtu24cis_pam_pwhash
failed_when: discovered_pam_pwhash.rc not in [ 0, 1 ]
register: discovered_pam_pwhash
- name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Ensure hash algorithm set"
when: ubtu24cis_pam_remember.stdout | length > 0
when: discovered_pam_remember.stdout | length > 0
ansible.builtin.replace:
path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwunix_file }}"
regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)"
@ -78,8 +76,7 @@
notify: Pam_auth_update_pwunix
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok"
when:
- ubtu24cis_rule_5_3_3_4_4
when: ubtu24cis_rule_5_3_3_4_4
tags:
- level1-server
- level1-workstation
@ -91,13 +88,13 @@
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state"
ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/common-password
changed_when: false
failed_when: ubtu24cis_pam_authtok.rc not in [ 0, 1 ]
register: ubtu24cis_pam_authtok
failed_when: discovered_pam_authtok.rc not in [ 0, 1 ]
register: discovered_pam_authtok
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | pam_files"
when:
- ubtu24cis_pam_authtok is defined
- ubtu24cis_pam_authtok | length > 0
- discovered_pam_authtok is defined
- discovered_pam_authtok | length > 0
ansible.builtin.lineinfile:
path: "/etc/pam.d/common-password"
regexp: ^(\s*password\s+[success=end.*]\s+pam_unix\.so)(.*)\s+use_authtok\s*=\s*\S+(.*$)
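Review bot: In the 5.3.3.4.3 hunk the patch task is still gated on `when: discovered_pam_remember.stdout | length > 0`, which is the register from the 5.3.3.4.2 audit two hunks up, not the `discovered_pam_pwhash` captured directly above it; the rename carried the wrong name across, so the hashing-algorithm replace is decided by the remember grep and errors on an undefined variable when rule 5.3.3.4.2 is disabled. It should read `when: discovered_pam_pwhash.stdout | length > 0`; and since that grep looks for lines that already contain `ubtu24cis_passwd_hash_algo`, the intended polarity (run the replace when the match is empty) is worth confirming at the same time. The 5.3.3.4.4 hunk has a related slip: `- discovered_pam_authtok | length > 0` tests the length of the whole registered dict, which is never zero once defined, so the guard reduces to `is defined`; `- discovered_pam_authtok.stdout | length > 0` is presumably what was meant. Both blocks continue outside their hunks.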


@ -1,8 +1,7 @@
---
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured"
when:
- ubtu24cis_rule_5_4_1_1
when: ubtu24cis_rule_5_4_1_1
tags:
- level1-server
- level1-workstation
@ -20,27 +19,26 @@
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS'
line: 'PASS_MAX_DAYS {{ ubtu24cis_pass.max_days }}'
line: 'PASS_MAX_DAYS {{ ubtu24cis_pass_max_days }}'
insertafter: '# Password aging controls'
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Get existing users PASS_MAX_DAYS"
ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ ubtu24cis_pass.max_days }} || $5<{{ ubtu24cis_pass.min_days }} || $5 == -1)){print $1}' /etc/shadow"
ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ ubtu24cis_pass_max_days }} || $5<{{ ubtu24cis_pass_min_days }} || $5 == -1)){print $1}' /etc/shadow"
changed_when: false
failed_when: false
register: ubtu24cis_max_days
register: discovered_passwd_max_days
- name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set existing users PASS_MAX_DAYS"
when:
- ubtu24cis_disruption_high
- (item != 'root') or (not ubtu24cis_uses_root)
ansible.builtin.shell: chage --maxdays {{ ubtu24cis_pass.max_days }} {{ item }}
ansible.builtin.command: chage --maxdays {{ ubtu24cis_pass_max_days }} {{ item }}
failed_when: false
changed_when: ubtu24cis_max_days.stdout | length > 0
loop: "{{ ubtu24cis_max_days.stdout_lines }}"
changed_when: discovered_passwd_max_days.stdout | length > 0
loop: "{{ discovered_passwd_max_days.stdout_lines }}"
- name: "5.4.1.2 | PATCH | Ensure minimum password age is configured"
when:
- ubtu24cis_rule_5_4_1_2
when: ubtu24cis_rule_5_4_1_2
tags:
- level2-server
- level2-workstation
@ -54,22 +52,22 @@
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS'
line: 'PASS_MIN_DAYS {{ ubtu24cis_pass.min_days }}'
line: 'PASS_MIN_DAYS {{ ubtu24cis_pass_min_days }}'
- name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Get existing users PASS_MIN_DAYS"
ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu24cis_pass.min_days }})) {print $1}' /etc/shadow"
ansible.builtin.command: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu24cis_pass_min_days }})) {print $1}' /etc/shadow"
changed_when: false
failed_when: false
register: ubtu24cis_passwd_min_days
register: discovered_passwd_min_days
- name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Set existing users PASS_MIN_DAYS"
when:
- ubtu24cis_disruption_high
- (item != 'root') or (not ubtu24cis_uses_root)
ansible.builtin.shell: chage --mindays {{ ubtu24cis_pass.min_days }} {{ item }}
ansible.builtin.command: chage --mindays {{ ubtu24cis_pass_min_days }} {{ item }}
failed_when: false
changed_when: ubtu24cis_passwd_min_days.stdout |length > 0
loop: "{{ ubtu24cis_passwd_min_days.stdout_lines }}"
changed_when: discovered_passwd_min_days.stdout |length > 0
loop: "{{ discovered_passwd_min_days.stdout_lines }}"
- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured"
when:
@ -87,22 +85,22 @@
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE'
line: 'PASS_WARN_AGE {{ ubtu24cis_pass.warn_age }}'
line: 'PASS_WARN_AGE {{ ubtu24cis_pass_warn_age }}'
- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Get existing users PASS_WARN_AGE"
ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ ubtu24cis_pass.warn_age }}){print $1}' /etc/shadow"
- name: "5.4.1.3 | AUDIT | Ensure password expiration warning days is configured | Get existing users PASS_WARN_AGE"
ansible.builtin.command: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ ubtu24cis_pass_warn_age }}){print $1}' /etc/shadow"
changed_when: false
failed_when: false
register: ubtu24cis_passwd_warn_days
register: discovered_passwd_warn_days
- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set existing users PASS_WARN_AGE"
when:
- ubtu24cis_disruption_high
- (item != 'root') or (not ubtu24cis_uses_root)
ansible.builtin.shell: chage --maxdays {{ ubtu24cis_pass.warn_age }} {{ item }}
ansible.builtin.command: chage --maxdays {{ ubtu24cis_pass_warn_age }} {{ item }}
failed_when: false
changed_when: ubtu24cis_passwd_warn_days.stdout | length > 0
loop: "{{ ubtu24cis_passwd_warn_days.stdout_lines }}"
changed_when: discovered_passwd_warn_days.stdout | length > 0
loop: "{{ discovered_passwd_warn_days.stdout_lines }}"
- name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured"
when:
@ -132,31 +130,33 @@
- login
block:
- name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | General setting"
ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2
ansible.builtin.command: useradd -D | grep INACTIVE | cut -d= -f2
changed_when: false
failed_when: false
register: ubtu24cis_passwd_inactive_setting
register: discovered_passwd_inactive_setting
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured| Set inactive period for new users"
when: ubtu24cis_passwd_inactive_setting.stdout != ubtu24cis_pass.inactive | string
ansible.builtin.shell: useradd -D -f {{ ubtu24cis_pass.inactive }}
when: discovered_passwd_inactive_setting.stdout != ubtu24cis_pass_inactive | string
ansible.builtin.command: useradd -D -f {{ ubtu24cis_pass_inactive }}
failed_when: false
changed_when: true
- name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | Get Individual users"
ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<{{ ubtu24cis_pass.inactive }}))) {print $1}' /etc/shadow"
ansible.builtin.command: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<{{ ubtu24cis_pass_inactive }}))) {print $1}' /etc/shadow"
changed_when: false
failed_when: false
register: ubtu24cis_passwd_inactive_users
register: discovered_passwd_inactive_users
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set inactive period for existing users"
when:
- ubtu24cis_disruption_high
- ubtu24cis_passwd_inactive_users.stdout | length > 0
- discovered_passwd_inactive_users.stdout | length > 0
- (item != 'root') and (not ubtu24cis_uses_root)
ansible.builtin.shell: chage --inactive {{ ubtu24cis_pass.inactive }} {{ item }}
ansible.builtin.command: chage --inactive {{ ubtu24cis_pass_inactive }} {{ item }}
changed_when: true
failed_when: false
with_items:
- "{{ ubtu24cis_passwd | map(attribute='id') | list | intersect(ubtu24cis_passwd_inactive_users.stdout_lines) | list }}"
- "{{ ubtu24cis_passwd | map(attribute='id') | list | intersect(discovered_passwd_inactive_users.stdout_lines) | list }}"
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past"
when:
@ -177,32 +177,33 @@
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_current_time
register: discovered_current_time
- name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed PW date in future"
ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu24cis_current_time.stdout }})print$1}'"
ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ discovered_current_time.stdout }})print$1}'"
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_passwd_future_user_list
register: discovered_passwd_future_user_list
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Warn about users"
when: ubtu24cis_passwd_future_user_list.stdout | length > 0
when: discovered_passwd_future_user_list.stdout | length > 0
ansible.builtin.debug:
msg:
- "WARNING!! The following accounts have the last PW change date in the future"
- "{{ ubtu24cis_passwd_future_user_list.stdout_lines }}"
- "{{ discovered_passwd_future_user_list.stdout_lines }}"
- name: "5.4.1.6 | WARN | Ensure all users last password change date is in the past | warn_count"
when: ubtu24cis_passwd_future_user_list.stdout | length > 0
when: discovered_passwd_future_user_list.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Lock accounts with future PW changed dates"
when:
- ubtu24cis_disruption_high
- ubtu24cis_passwd_future_user_list.stdout | length > 0
ansible.builtin.shell: passwd --expire {{ item }}
- discovered_passwd_future_user_list.stdout | length > 0
ansible.builtin.command: passwd --expire {{ item }}
changed_when: true
failed_when: false
with_items:
- "{{ ubtu24cis_passwd_future_user_list.stdout_lines }}"
- "{{ discovered_passwd_future_user_list.stdout_lines }}"
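Review bot: The 5.4.1.3 'Set existing users PASS_WARN_AGE' task still runs `ansible.builtin.command: chage --maxdays {{ ubtu24cis_pass_warn_age }} {{ item }}`, which overwrites each listed user's maximum password age with the warning-days value instead of setting the warning period; it should be `ansible.builtin.command: chage --warndays {{ ubtu24cis_pass_warn_age }} {{ item }}`. The 5.4.1.5 'General setting' task was moved from shell to `ansible.builtin.command: useradd -D | grep INACTIVE | cut -d= -f2`, but the command module does not invoke a shell, so the pipes are passed to useradd as arguments, `failed_when: false` hides the resulting error, and the empty stdout makes the following 'Set inactive period for new users' task run on every play. That one needs to stay on `ansible.builtin.shell`, or run `useradd -D` alone and extract INACTIVE with a Jinja regex_search. The `changed_when` on the three chage loops tests the whole captured stdout rather than the item, so every iteration is reported changed; that is pre-existing but worth tidying while these tasks are touched.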


@ -17,7 +17,7 @@
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
ansible.builtin.shell: passwd -l {{ item }}
ansible.builtin.command: passwd -l {{ item }}
changed_when: false
failed_when: false
loop: "{{ prelim_uid_zero_accounts_except_root.stdout_lines }}"
@ -41,9 +41,9 @@
block:
- name: "5.4.2.2 | AUDIT | Ensure root is the only GID 0 account | Get members of gid 0"
ansible.builtin.shell: "awk -F: '($1 !~ /^(sync|shutdown|halt|operator)/ && $4==\"0\") {print $1}' /etc/passwd | grep -wv 'root'"
register: discovered_gid0_members
changed_when: false
failed_when: discovered_gid0_members.rc not in [ 0, 1 ]
register: discovered_gid0_members
- name: "5.4.2.2 | PATCH | Ensure root is the only GID 0 account | Remove users not root from gid 0"
when:
@ -51,7 +51,7 @@
- discovered_gid0_members.stdout | length > 0
ansible.builtin.user:
name: "{{ item }}"
gid: 0
group: 0
state: absent
loop:
- discovered_gid0_members.stdout_lines
@ -174,7 +174,7 @@
state: directory
owner: root
group: root
mode: '0755'
mode: 'go-w'
follow: false
loop: "{{ discovered_root_path_perms.results }}"
loop_control:
@ -196,6 +196,7 @@
regexp: \s*umask
line: "umask {{ ubtu24cis_root_umask }}"
create: true
mode: 'u+x,go-rwx'
- name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell"
when:
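Review bot: The 5.4.2.2 'Remove users not root from gid 0' task still uses `ansible.builtin.user` with `state: absent`, which deletes the account outright; switching `gid: 0` to `group: 0` does not change that, and the control only requires that the user stop having GID 0 as primary group. Its loop entry is also the literal string `- discovered_gid0_members.stdout_lines` instead of `loop: "{{ discovered_gid0_members.stdout_lines }}"`, so today the task looks for a user by that literal name and does nothing, which is what has masked the `state: absent` problem. Dropping `state: absent` and setting `group:` to the non-zero primary group chosen for such accounts (a site decision) is the fix, paired with the templated loop. In the umask hunk, `mode: 'u+x,go-rwx'` grants user execute on what appears to be a shell profile fragment (the path is outside the hunk); if only the tightening was intended, `mode: 'go-rwx'` is enough and worth confirming.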


@ -34,7 +34,7 @@
state: "{{ item.state }}"
marker: "# {mark} - CIS benchmark - Ansible-lockdown"
create: true
mode: '0644'
mode: 'go-r'
block: |
TMOUT={{ ubtu24cis_shell_session_timeout }}
readonly TMOUT
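Review bot: `mode: 'go-r'` is not the symbolic form of the previous `'0644'`: it removes read permission from group and other, whereas 0644 grants it. If the file receiving the TMOUT block is sourced by ordinary users' login shells (its path is outside the hunk), the fragment becomes unreadable to them and the session timeout is silently not applied. The equivalent of 0644 is `mode: 'u-x,go-wx'`, as the 7.1.x hunks of this commit use, or simply `'go-w'`. The same `'0644'` → `'go-r'` substitution appears in the 6.3.2 aidecheck unit-file task and should be corrected there too.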


@ -35,31 +35,31 @@
- name: "6.1.1.2 | PATCH | Ensure journald log file access is configured | Default file permissions"
ansible.builtin.file:
path: /usr/lib/tmpfiles.d/systemd.conf
mode: '0640'
mode: 'g-wx,o-rwx'
- name: "6.1.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file"
ansible.builtin.stat:
path: /etc/tmpfiles.d/systemd.conf
register: tmpfile_override
register: discovered_journald_tmpfile_override
- name: "6.1.1.2 | AUDIT | Ensure journald log file access is configured | If override file check for journal"
when: tmpfile_override.stat.exists
when: discovered_journald_tmpfile_override.stat.exists
ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal \d*' /usr/lib/tmpfiles.d/systemd.conf
register: journald_fileperms_override
changed_when: false
failed_when: journald_fileperms_override.rc not in [ 0, 1 ]
failed_when: discovered_journald_fileperms_override.rc not in [ 0, 1 ]
register: discovered_journald_fileperms_override
- name: "6.1.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found"
when:
- tmpfile_override.stat.exists
- journald_fileperms_override.stdout | length > 0
- discovered_journald_tmpfile_override.stat.exists
- discovered_journald_fileperms_override.stdout | length > 0
ansible.builtin.debug:
msg: "Warning!! - tmpfiles override found /usr/lib/tmpfiles.d/systemd.conf affecting journald files please confirm matches site policy"
- name: "6.1.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found"
when:
- tmpfile_override.stat.exists
- journald_fileperms_override.stdout | length > 0
- discovered_journald_tmpfile_override.stat.exists
- discovered_journald_fileperms_override.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
@ -85,7 +85,7 @@
dest: /etc/systemd/journald.conf.d/rotation.conf
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
- name: "6.1.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries"
ansible.builtin.replace:
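Review bot: 'If override file check for journal' greps `/usr/lib/tmpfiles.d/systemd.conf`, but the task is gated on `discovered_journald_tmpfile_override.stat.exists`, which stats `/etc/tmpfiles.d/systemd.conf`; the override file whose presence triggered the check is never read, so an override of the journal permissions in /etc is not detected and the warning text names the wrong file. `\d*` is also not part of POSIX ERE, so its meaning under `grep -E` depends on the grep build; `[0-9]*` is portable. Suggested: `ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal [0-9]*' /etc/tmpfiles.d/systemd.conf`, with the debug message updated to the same path.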


@ -96,7 +96,7 @@
dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
- name: "6.1.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
ansible.builtin.replace:
@ -121,7 +121,7 @@
dest: /etc/systemd/journald.conf.d/storage.conf
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
- name: "6.1.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
ansible.builtin.replace:
@ -146,7 +146,7 @@
dest: /etc/systemd/journald.conf.d/storage.conf
owner: root
group: root
mode: '0640'
mode: 'g-wx,o-rwx'
- name: "6.1.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
ansible.builtin.replace:
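Review bot: The template tasks ahead of both the 6.1.2.3 (Compress) and 6.1.2.4 (Storage) 'comment out current entries' tasks render to `dest: /etc/systemd/journald.conf.d/storage.conf`; unless both rules deliberately share one template that carries both keys (the `src:` lines are outside the hunks), the second write replaces the first and one setting is lost. If they are separate templates, giving the Compress task its own drop-in such as `dest: /etc/systemd/journald.conf.d/compress.conf` avoids the collision. The `'0640'` → `'g-wx,o-rwx'` change only preserves owner read/write rather than setting it, which is fine for files the template module creates but differs from the old absolute mode if a pre-existing file had unusual owner bits.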


@ -1,8 +1,7 @@
---
- name: "6.1.3.8 | PATCH | Ensure logrotate is configured"
when:
- ubtu24cis_rule_6_1_3_8
when: ubtu24cis_rule_6_1_3_8
tags:
- level1-server
- level1-workstation
@ -15,14 +14,14 @@
- name: "6.1.3.8 | AUDIT | Ensure logrotate is configured | Get logrotate settings"
ansible.builtin.find:
paths: /etc/logrotate.d/
register: ubtu24cis_log_rotate_conf
register: discovered_log_rotate_conf
- name: "6.1.3.8 | PATCH | Ensure logrotate is configured | conf files"
ansible.builtin.replace:
path: "{{ item.path }}"
regexp: '^(\s*)(daily|weekly|monthly|yearly)$'
replace: "\\1{{ ubtu24cis_logrotate }}"
loop: "{{ ubtu24cis_log_rotate_conf.files }}"
loop: "{{ discovered_log_rotate_conf.files }}"
- name: "6.1.3.8 | PATCH | Ensure logrotate is configured | logrotate.conf"
ansible.builtin.replace:
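Review bot: The `ansible.builtin.find` feeding the `replace` loop sets no `patterns`, `excludes` or `file_type`, so every entry under `/etc/logrotate.d/` is rewritten, including package backups (`*.dpkg-old`, `*.dpkg-dist`) and editor backups that logrotate itself ignores through its taboo-extension list. That is harmless to logrotate but reports changes that alter nothing and edits files administrators keep for comparison; `excludes: ['*.dpkg-*', '*~', '*.bak']` and `file_type: file` on the find keep the loop to real configuration.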


@ -20,8 +20,7 @@
state: present
- name: "6.1.3.2 | PATCH | Ensure rsyslog service is enabled"
when:
- ubtu24cis_rule_6_1_3_2
when: ubtu24cis_rule_6_1_3_2
tags:
- level1-server
- level1-workstation
@ -37,8 +36,7 @@
enabled: true
- name: "6.1.3.3 | PATCH | Ensure journald is configured to send logs to rsyslog"
when:
- ubtu24cis_rule_6_1_3_3
when: ubtu24cis_rule_6_1_3_3
tags:
- level1-server
- level1-workstation
@ -58,8 +56,7 @@
notify: Restart syslog service
- name: "6.1.3.4 | PATCH | Ensure rsyslog log file creation mode is configured"
when:
- ubtu24cis_rule_6_1_3_4
when: ubtu24cis_rule_6_1_3_4
tags:
- level1-server
- level1-workstation
@ -77,8 +74,7 @@
notify: Restart syslog service
- name: "6.1.3.5 | PATCH | Ensure logging is configured"
when:
- ubtu24cis_rule_6_1_3_5
when: ubtu24cis_rule_6_1_3_5
tags:
- level1-server
- level1-workstation
@ -97,21 +93,21 @@
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_6_1_3_5_rsyslog_config_path
register: discovered_rsyslog_config_path
- name: "6.1.3.5 | AUDIT | Ensure logging is configured | Gather rsyslog current config"
ansible.builtin.shell: "cat {{ ubtu24cis_6_1_3_5_rsyslog_config_path.stdout }}"
ansible.builtin.command: "cat {{ discovered_rsyslog_config_path.stdout }}"
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_6_1_3_5_rsyslog_config
register: discovered_rsyslog_config
- name: "6.1.3.5 | AUDIT | Ensure logging is configured | Message out config"
when: not ubtu24cis_rsyslog_ansible_managed
ansible.builtin.debug:
msg:
- "Warning!! Below is the current logging configurations for rsyslog, please review"
- "{{ ubtu24cis_6_1_3_5_rsyslog_config.stdout_lines }}"
- "{{ discovered_rsyslog_config.stdout_lines }}"
- name: "6.1.3.5 | PATCH | Ensure logging is configured | Set warning count"
when: not ubtu24cis_rsyslog_ansible_managed
@ -121,7 +117,7 @@
- name: "6.1.3.5 | PATCH | Ensure logging is configured | Automated rsyslog configuration"
when: ubtu24cis_rsyslog_ansible_managed
ansible.builtin.lineinfile:
path: "{{ ubtu24cis_6_1_3_5_rsyslog_config_path.stdout }}"
path: "{{ discovered_rsyslog_config_path.stdout }}"
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
insertafter: "{{ item.insertafter }}"
@ -164,8 +160,7 @@
insertafter: EOF
- name: "6.1.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client"
when:
- ubtu24cis_rule_6_1_3_7
when: ubtu24cis_rule_6_1_3_7
tags:
- level1-server
- level1-workstation
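Review bot: 'Gather rsyslog current config' and 'Automated rsyslog configuration' both interpolate `discovered_rsyslog_config_path.stdout` as a path, but the task that registers it has `failed_when: false`, so an empty result is never caught: `cat` with no argument just returns nothing and the later `lineinfile` fails with an unhelpful error on `path: ""`. Add `- discovered_rsyslog_config_path.stdout | length > 0` to the `when:` of the lineinfile task and the cat task, or drop `failed_when: false` on the discovery step so a missing config is reported where it occurs. `ansible.builtin.slurp` would also replace the `cat` command for reading the file and avoids a command invocation for a pure read.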


@ -26,7 +26,7 @@
- item != "/var/log/lastlog"
ansible.builtin.file:
path: "{{ item }}"
mode: u-x,g-wx,o-rwx
mode: 'u-x,g-wx,o-rwx'
loop: "{{ discovered_logfiles.stdout_lines }}"
- name: "6.1.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"


@ -20,8 +20,7 @@
state: present
- name: "6.2.1.2 | PATCH | Ensure auditd service is enabled and active"
when:
- ubtu24cis_rule_6_2_1_2
when: ubtu24cis_rule_6_2_1_2
tags:
- level2-server
- level2-workstation
@ -38,8 +37,7 @@
masked: false
- name: "6.2.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
when:
- ubtu24cis_rule_6_2_1_3
when: ubtu24cis_rule_6_2_1_3
tags:
- level2-server
- level2-workstation
@ -55,18 +53,18 @@
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_6_2_1_3_cmdline_settings
register: discovered_grub_cmdline_settings
- name: "6.2.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist"
when: "'audit=' not in ubtu24cis_6_2_1_3_cmdline_settings.stdout"
when: "'audit=' not in discovered_grub_cmdline_settings.stdout"
ansible.builtin.lineinfile:
path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX='
line: 'GRUB_CMDLINE_LINUX="{{ ubtu24cis_6_2_1_3_cmdline_settings.stdout }} audit=1"'
line: 'GRUB_CMDLINE_LINUX="{{ discovered_grub_cmdline_settings.stdout }} audit=1"'
notify: Grub update
- name: "6.2.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists"
when: "'audit=' in ubtu24cis_6_2_1_3_cmdline_settings.stdout"
when: "'audit=' in discovered_grub_cmdline_settings.stdout"
ansible.builtin.replace:
dest: /etc/default/grub
regexp: 'audit=([0-9]+)'
@ -76,8 +74,7 @@
notify: Grub update
- name: "6.2.1.4 | PATCH | Ensure audit_backlog_limit is sufficient"
when:
- ubtu24cis_rule_6_2_1_4
when: ubtu24cis_rule_6_2_1_4
tags:
- level2-server
- level2-workstation
@ -93,14 +90,14 @@
changed_when: false
failed_when: false
check_mode: false
register: ubtu24cis_6_2_1_4_cmdline_settings
register: discovered_audit_backlog_grub_cmdline_settings
- name: "6.2.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist"
when: "'audit_backlog_limit=' not in ubtu24cis_6_2_1_4_cmdline_settings.stdout"
when: "'audit_backlog_limit=' not in discovered_audit_backlog_grub_cmdline_settings.stdout"
ansible.builtin.lineinfile:
path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX='
line: 'GRUB_CMDLINE_LINUX="{{ ubtu24cis_6_2_1_4_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu24cis_audit_back_log_limit }}"'
line: 'GRUB_CMDLINE_LINUX="{{ discovered_audit_backlog_grub_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu24cis_audit_back_log_limit }}"'
notify: Grub update
- name: "6.2.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists"


@ -1,8 +1,7 @@
---
- name: "6.2.2.1 | PATCH | Ensure audit log storage size is configured"
when:
- ubtu24cis_rule_6_2_2_1
when: ubtu24cis_rule_6_2_2_1
tags:
- level2-server
- level2-workstation
@ -18,8 +17,7 @@
notify: Restart auditd
- name: "6.2.2.2 | PATCH | Ensure audit logs are not automatically deleted"
when:
- ubtu24cis_rule_6_2_2_2
when: ubtu24cis_rule_6_2_2_2
tags:
- level2-server
- level2-workstation
@ -34,8 +32,7 @@
notify: Restart auditd
- name: "6.2.2.3 | PATCH | Ensure system is disabled when audit logs are full"
when:
- ubtu24cis_rule_6_2_2_3
when: ubtu24cis_rule_6_2_2_3
tags:
- level2-server
- level2-workstation
@ -53,8 +50,7 @@
notify: Restart auditd
- name: "6.2.2.4 | PATCH | Ensure system warns when audit logs are low on space"
when:
- ubtu24cis_rule_6_2_2_4
when: ubtu24cis_rule_6_2_2_4
tags:
- level2-server
- level2-workstation


@ -1,8 +1,7 @@
---
- name: "6.2.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
when:
- ubtu24cis_rule_6_2_3_1
when: ubtu24cis_rule_6_2_3_1
tags:
- level2-server
- level2-workstation
@ -14,8 +13,7 @@
update_audit_template: true
- name: "6.2.3.2 | PATCH | Ensure actions as another user are always logged"
when:
- ubtu24cis_rule_6_2_3_2
when: ubtu24cis_rule_6_2_3_2
tags:
- level2-server
- level2-workstation
@ -27,8 +25,7 @@
update_audit_template: true
- name: "6.2.3.3 | PATCH | Ensure events that modify the sudo log file are collected"
when:
- ubtu24cis_rule_6_2_3_3
when: ubtu24cis_rule_6_2_3_3
tags:
- level2-server
- level2-workstation
@ -40,8 +37,7 @@
update_audit_template: true
- name: "6.2.3.4 | PATCH | Ensure events that modify date and time information are collected"
when:
- ubtu24cis_rule_6_2_3_4
when: ubtu24cis_rule_6_2_3_4
tags:
- level2-server
- level2-workstation
@ -54,8 +50,7 @@
update_audit_template: true
- name: "6.2.3.5 | PATCH | Ensure events that modify the system's network environment are collected"
when:
- ubtu24cis_rule_6_2_3_5
when: ubtu24cis_rule_6_2_3_5
tags:
- level2-server
- level2-workstation
@ -68,8 +63,7 @@
update_audit_template: true
- name: "6.2.3.6 | PATCH | Ensure use of privileged commands is collected"
when:
- ubtu24cis_rule_6_2_3_6
when: ubtu24cis_rule_6_2_3_6
tags:
- level2-server
- level2-workstation
@ -80,17 +74,16 @@
block:
- name: "6.2.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs"
ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
register: priv_procs
changed_when: false
check_mode: false
register: discovered_privilege_processes
- name: "6.2.3.6 | PATCH | Ensure use of privileged commands is collected | Set privileged rules"
ansible.builtin.set_fact:
update_audit_template: true
- name: "6.2.3.7 | PATCH | Ensure unsuccessful file access attempts are collected"
when:
- ubtu24cis_rule_6_2_3_7
when: ubtu24cis_rule_6_2_3_7
tags:
- level2-server
- level2-workstation
@ -102,8 +95,7 @@
update_audit_template: true
- name: "6.2.3.8 | PATCH | Ensure events that modify user/group information are collected"
when:
- ubtu24cis_rule_6_2_3_8
when: ubtu24cis_rule_6_2_3_8
tags:
- level2-server
- level2-workstation
@ -115,8 +107,7 @@
update_audit_template: true
- name: "6.2.3.9 | PATCH | Ensure discretionary access control permission modification events are collected"
when:
- ubtu24cis_rule_6_2_3_9
when: ubtu24cis_rule_6_2_3_9
tags:
- level2-server
- level2-workstation
@ -129,8 +120,7 @@
update_audit_template: true
- name: "6.2.3.10 | PATCH | Ensure successful file system mounts are collected"
when:
- ubtu24cis_rule_6_2_3_10
when: ubtu24cis_rule_6_2_3_10
tags:
- level2-server
- level2-workstation
@ -142,8 +132,7 @@
update_audit_template: true
- name: "6.2.3.11 | PATCH | Ensure session initiation information is collected"
when:
- ubtu24cis_rule_6_2_3_11
when: ubtu24cis_rule_6_2_3_11
tags:
- level2-server
- level2-workstation
@ -155,8 +144,7 @@
update_audit_template: true
- name: "6.2.3.12 | PATCH | Ensure login and logout events are collected"
when:
- ubtu24cis_rule_6_2_3_12
when: ubtu24cis_rule_6_2_3_12
tags:
- level2-server
- level2-workstation
@ -168,8 +156,7 @@
update_audit_template: true
- name: "6.2.3.13 | PATCH | Ensure file deletion events by users are collected"
when:
- ubtu24cis_rule_6_2_3_13
when: ubtu24cis_rule_6_2_3_13
tags:
- level2-server
- level2-workstation
@ -182,8 +169,7 @@
update_audit_template: true
- name: "6.2.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
when:
- ubtu24cis_rule_6_2_3_14
when: ubtu24cis_rule_6_2_3_14
tags:
- level2-server
- level2-workstation
@ -196,8 +182,7 @@
update_audit_template: true
- name: "6.2.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded"
when:
- ubtu24cis_rule_6_2_3_15
when: ubtu24cis_rule_6_2_3_15
tags:
- level2-server
- level2-workstation
@ -211,8 +196,7 @@
update_audit_template: true
- name: "6.2.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded"
when:
- ubtu24cis_rule_6_2_3_16
when: ubtu24cis_rule_6_2_3_16
tags:
- level2-server
- level2-workstation
@ -226,8 +210,7 @@
update_audit_template: true
- name: "6.2.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded"
when:
- ubtu24cis_rule_6_2_3_17
when: ubtu24cis_rule_6_2_3_17
tags:
- level2-server
- level2-workstation
@ -241,8 +224,7 @@
update_audit_template: true
- name: "6.2.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded"
when:
- ubtu24cis_rule_6_2_3_18
when: ubtu24cis_rule_6_2_3_18
tags:
- level2-server
- level2-workstation
@ -256,8 +238,7 @@
update_audit_template: true
- name: "6.2.3.19 | PATCH | Ensure kernel module loading and unloading is collected"
when:
- ubtu24cis_rule_6_2_3_19
when: ubtu24cis_rule_6_2_3_19
tags:
- level2-server
- level2-workstation
@ -270,8 +251,7 @@
update_audit_template: true
- name: "6.2.3.20 | PATCH | Ensure the audit configuration is immutable"
when:
- ubtu24cis_rule_6_2_3_20
when: ubtu24cis_rule_6_2_3_20
tags:
- level2-server
- level2-workstation
@ -286,8 +266,7 @@
update_audit_template: true
- name: "6.2.3.21 | PATCH | Ensure the running and on disk configuration is the same"
when:
- ubtu24cis_rule_6_2_3_21
when: ubtu24cis_rule_6_2_3_21
tags:
- level2-server
- level2-workstation
@ -296,6 +275,5 @@
- rule_6.2.3.21
- NIST800-53R5_AU-3
- auditd
ansible.builtin.shell: augenrules --check
ansible.builtin.command: augenrules --check
changed_when: false
register: ubtu24cis_rule_6_2_3_21_augen_check
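Review bot: The `augenrules --check` task keeps `register: ubtu24cis_rule_6_2_3_21_augen_check` while every other captured result in this commit was renamed to the `discovered_` convention; `register: discovered_augenrules_check` would match, with the consumer updated wherever it lives (outside the hunk). In the 6.2.3.6 hunk, `discovered_privilege_processes` is registered but the only following task sets `update_audit_template: true`, so the list is presumably consumed by the audit rules template; a comment above the shell task such as `# consumed by the audit rules template when update_audit_template is true` would make that dependency visible.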


@ -24,8 +24,7 @@
mode: 'u-x,g-wx,o-rwx'
- name: "6.2.4.4 | PATCH | Ensure the audit log file directory mode is configured"
when:
- ubtu24cis_rule_6_2_4_4
when: ubtu24cis_rule_6_2_4_4
tags:
- level1-server
- level1-workstation
@ -37,17 +36,16 @@
- name: "6.2.4.4 | AUDIT | Ensure the audit log file directory mode is configured | get current permissions"
ansible.builtin.stat:
path: "{{ prelim_auditd_logfile.stdout | dirname }}"
register: auditlog_dir
register: discovered_auditlog_dir
- name: "6.2.4.4 | PATCH | Ensure the audit log file directory mode is configured | set permissions"
ansible.builtin.file:
path: "{{ auditlog_dir.stat.path }}"
path: "{{ discovered_auditlog_dir.stat.path }}"
state: directory
mode: 'g-w,o-rwx'
- name: "6.2.4.5 | PATCH | Ensure audit configuration files mode is configured"
when:
- ubtu24cis_rule_6_2_4_5
when: ubtu24cis_rule_6_2_4_5
tags:
- level1-server
- level1-workstation
@ -63,8 +61,7 @@
label: "{{ item.path }}"
- name: "6.2.4.6 | PATCH | Ensure audit configuration files owner is configured"
when:
- ubtu24cis_rule_6_2_4_6
when: ubtu24cis_rule_6_2_4_6
tags:
- level1-server
- level1-workstation
@ -97,8 +94,7 @@
label: "{{ item.path }}"
- name: "6.2.4.8 | PATCH | Ensure audit tools mode is configured"
when:
- ubtu24cis_rule_6_2_4_8
when: ubtu24cis_rule_6_2_4_8
tags:
- level1-server
- level1-workstation
@ -106,31 +102,13 @@
- auditd
- rule_6.2.4.8
- NIST800-53R5_AU-3
block:
- name: "6.2.4.8 | AUDIT | Ensure audit tools mode is configured | get current mode"
ansible.builtin.stat:
path: "{{ item }}"
register: "audit_bins"
loop:
- /sbin/auditctl
- /sbin/aureport
- /sbin/ausearch
- /sbin/autrace
- /sbin/auditd
- /sbin/augenrules
- name: "6.2.4.8 | PATCH | Ensure audit tools mode is configured | set if required"
when: not item.stat.mode is match('07(0|5)0')
ansible.builtin.file:
path: "{{ item.item }}"
mode: '0750'
loop: "{{ audit_bins.results }}"
loop_control:
label: "{{ item.item }}"
ansible.builtin.file:
path: "{{ item }}"
mode: 'u+x,g-w,o-rwx'
loop: "{{ audit_bins }}"
- name: "6.2.4.9 | PATCH | Ensure audit tools owner is configured"
when:
- ubtu24cis_rule_6_2_4_9
when: ubtu24cis_rule_6_2_4_9
tags:
- level1-server
- level1-workstation
@ -142,17 +120,10 @@
path: "{{ item }}"
owner: root
group: root
loop:
- /sbin/auditctl
- /sbin/aureport
- /sbin/ausearch
- /sbin/autrace
- /sbin/auditd
- /sbin/augenrules
loop: "{{ audit_bins }}"
- name: "6.2.4.10 | PATCH | Ensure audit tools group owner is configured"
when:
- ubtu24cis_rule_6_2_4_10
when: ubtu24cis_rule_6_2_4_10
tags:
- level1-server
- level1-workstation
@ -163,10 +134,4 @@
ansible.builtin.file:
path: "{{ item }}"
group: root
loop:
- /sbin/auditctl
- /sbin/aureport
- /sbin/ausearch
- /sbin/autrace
- /sbin/auditd
- /sbin/augenrules
loop: "{{ audit_bins }}"
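Review bot: 6.2.4.8, 6.2.4.9 and 6.2.4.10 now loop over `audit_bins`, but the only definition of that name in the old code was the `register: "audit_bins"` on the stat task this hunk removes; the list must now be declared in the role's defaults or vars (not visible here) or all three tasks fail on an undefined variable. If it is declared, it lacks the `ubtu24cis_` prefix the role uses for its variables, so `ubtu24cis_audit_bins` would be more consistent and harder to confuse with a registered fact.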


@ -9,7 +9,6 @@
- level1-workstation
- patch
- rule_6.3.1
- NIST800-53R5_AU-2
- aide
block:
- name: "6.3.1 | PATCH | Ensure AIDE is installed"
@ -20,22 +19,46 @@
name: ['aide', 'aide-common']
state: present
update_cache: true
register: ubtu24cis_rule_6_3_1_aide_added
register: discovered_aide_pkgs_added
- name: "6.3.1 | PATCH | Ensure AIDE is installed | Recapture packages"
when: ubtu24cis_rule_6_3_1_aide_added.skipped is not defined
when: discovered_aide_pkgs_added.skipped is not defined
ansible.builtin.package_facts:
manager: auto
- name: "6.3.1 | AUDIT | Ensure AIDE is installed | Check file exists"
ansible.builtin.stat:
path: "{{ ubtu24cis_aide_db_file }}"
register: discovered_aide_db_file
- name: "6.3.1 | AUDIT | Ensure AIDE is installed | Check current db file age"
when: discovered_aide_db_file.stat.exists
ansible.builtin.find:
path: "{{ ubtu24cis_aide_db_file | dirname }}"
pattern: "{{ ubtu24cis_aide_db_file | basename }}"
age: "{{ ubtu24cis_aide_db_file_age }}"
register: discovered_aide_db_age
- name: "6.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE"
ansible.builtin.shell: aideinit && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
args:
creates: /var/lib/aide/aide.db
changed_when: false
failed_when: false
async: "{{ ubtu24cis_aide_init.async }}"
poll: "{{ ubtu24cis_aide_init.poll }}"
when: not ansible_check_mode
when:
- not ansible_check_mode
- not discovered_aide_db_file.stat.exists or
(discovered_aide_db_age.files | length > 0) or
ubtu24cis_aide_db_recreate
block:
- name: "6.3.1 | PATCH | Ensure AIDE is installed | Remove current db file"
ansible.builtin.file:
path: "{{ ubtu24cis_aide_db_file }}"
state: absent
- name: "6.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE"
when:
- not ansible_check_mode
ansible.builtin.shell: "{{ aide_initiate_command }}"
args:
creates: "{{ ubtu24cis_aide_db_file }}"
async: "{{ ubtu24cis_aide_init_async }}"
poll: "{{ ubtu24cis_aide_init_poll }}"
- name: "6.3.2 | PATCH | Ensure filesystem integrity is regularly checked"
when:
@ -54,14 +77,14 @@
when: ubtu24cis_aide_scan == 'cron'
ansible.builtin.cron:
name: Run AIDE integrity check
cron_file: "{{ ubtu24cis_aide_cron['cron_file'] }}"
user: "{{ ubtu24cis_aide_cron['cron_user'] }}"
minute: "{{ ubtu24cis_aide_cron['aide_minute'] | default('0') }}"
hour: "{{ ubtu24cis_aide_cron['aide_hour'] | default('5') }}"
day: "{{ ubtu24cis_aide_cron['aide_day'] | default('*') }}"
month: "{{ ubtu24cis_aide_cron['aide_month'] | default('*') }}"
weekday: "{{ ubtu24cis_aide_cron['aide_weekday'] | default('*') }}"
job: "{{ ubtu24cis_aide_cron['aide_job'] }}"
cron_file: "{{ ubtu24cis_aide_cron_file }}"
user: "{{ ubtu24cis_aide_cron_user }}"
minute: "{{ ubtu24cis_aide_cron_minute | default('0') }}"
hour: "{{ ubtu24cis_aide_cron_hour | default('5') }}"
day: "{{ ubtu24cis_aide_cron_day | default('*') }}"
month: "{{ ubtu24cis_aide_cron_month | default('*') }}"
weekday: "{{ ubtu24cis_aide_cron_weekday | default('*') }}"
job: "{{ ubtu24cis_aide_cron_job }}"
- name: "6.3.2 | PATCH | Ensure filesystem integrity is regularly checked | timer template"
when: ubtu24cis_aide_scan == 'timer'
@ -70,7 +93,7 @@
dest: "/{{ item }}"
owner: root
group: root
mode: '0644'
mode: 'go-r'
loop:
- etc/systemd/system/aidecheck.service
- etc/systemd/system/aidecheck.timer
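Review bot: `ansible.builtin.shell: "{{ aide_initiate_command }}"` introduces a variable without the `ubtu24cis_` prefix that the neighbouring role variables carry (`ubtu24cis_aide_db_file`, `ubtu24cis_aide_init_async`), so it reads like a runtime fact rather than a default; `ubtu24cis_aide_initiate_command` would match the convention (the default itself is outside this hunk). The inner 'Configure AIDE' task repeats `not ansible_check_mode`, which the enclosing block's `when:` already requires, so its `when:` can be dropped. Because 'Remove current db file' deletes `{{ ubtu24cis_aide_db_file }}` on every entry into the block, `creates: "{{ ubtu24cis_aide_db_file }}"` on the shell task never prevents the run; a comment such as `# db removed above; creates: only guards re-runs after an interrupted async init` documents why it is still there.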


@ -1,8 +1,7 @@
---
- name: "7.1.1 | PATCH | Ensure permissions on /etc/passwd are configured"
when:
- ubtu24cis_rule_7_1_1
when: ubtu24cis_rule_7_1_1
tags:
- level1-server
- level1-workstation
@ -18,8 +17,7 @@
mode: 'u-x,go-wx'
- name: "7.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured"
when:
- ubtu24cis_rule_7_1_2
when: ubtu24cis_rule_7_1_2
tags:
- level1-server
- level1-workstation
@ -35,8 +33,7 @@
mode: 'u-x,go-wx'
- name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured"
when:
- ubtu24cis_rule_7_1_3
when: ubtu24cis_rule_7_1_3
tags:
- level1-server
- level1-workstation
@ -52,8 +49,7 @@
mode: 'u-x,go-wx'
- name: "7.1.4 | PATCH | Ensure permissions on /etc/group- are configured"
when:
- ubtu24cis_rule_7_1_4
when: ubtu24cis_rule_7_1_4
tags:
- level1-server
- level1-workstation
@ -86,8 +82,7 @@
mode: 'u-x,g-wx,o-rwx'
- name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
when:
- ubtu24cis_rule_7_1_6
when: ubtu24cis_rule_7_1_6
tags:
- level1-server
- level1-workstation
@ -103,8 +98,7 @@
mode: 'u-x,g-wx,o-rwx'
- name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured"
when:
- ubtu24cis_rule_7_1_7
when: ubtu24cis_rule_7_1_7
tags:
- level1-server
- level1-workstation
@ -120,8 +114,7 @@
mode: 'u-x,g-wx,o-rwx'
- name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured"
when:
- ubtu24cis_rule_7_1_8
when: ubtu24cis_rule_7_1_8
tags:
- level1-server
- level1-workstation
@ -137,8 +130,7 @@
mode: 'u-x,g-wx,o-rwx'
- name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured"
when:
- ubtu24cis_rule_7_1_9
when: ubtu24cis_rule_7_1_9
tags:
- level1-server
- level1-workstation
@ -154,11 +146,7 @@
mode: 'u-x,go-wx'
- name: "7.1.10 | PATCH | Ensure permissions on /etc/security/opasswd are configured"
loop:
- /etc/security/opasswd
- /etc/security/opasswd.old
when:
- ubtu24cis_rule_7_1_10
when: ubtu24cis_rule_7_1_10
tags:
- level1-server
- level1-workstation
@ -168,14 +156,18 @@
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.file:
path: /etc/security/opasswd
path: "{{ item }}"
owner: root
group: root
mode: 'u-x,go-rwx'
failed_when: discovered_file_exists.state not in '[ file, absent ]'
register: discovered_file_exists
loop:
- /etc/security/opasswd
- /etc/security/opasswd.old
- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured"
when:
- ubtu24cis_rule_7_1_11
when: ubtu24cis_rule_7_1_11
tags:
- level1-server
- level1-workstation
@ -190,17 +182,17 @@
ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
failed_when: false
changed_when: false
register: ubtu24cis_worldwriteable
register: discovered_worldwriteable_files
- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable files if they exist (Configurable)"
when:
- discovered_worldwriteable_files.stdout_lines is defined
- ubtu24cis_no_world_write_adjust
ansible.builtin.file:
path: '{{ item }}'
mode: o-w
mode: 'o-w'
state: touch
loop: "{{ ubtu24cis_worldwriteable.stdout_lines }}"
when:
- ubtu24cis_worldwriteable.stdout_lines is defined
- ubtu24cis_no_world_write_adjust
loop: "{{ discovered_worldwriteable_files.stdout_lines }}"
- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | sticky bit set on world-writable directories"
ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
@ -208,8 +200,7 @@
failed_when: false
- name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist"
when:
- ubtu24cis_rule_7_1_12
when: ubtu24cis_rule_7_1_12
tags:
- level1-server
- level1-workstation
@ -222,7 +213,7 @@
warn_control_id: '7.1.12'
block:
- name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
ansible.builtin.shell: find {{ ubtu24cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
ansible.builtin.command: find {{ ubtu24cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
changed_when: false
failed_when: false
check_mode: false
@ -265,8 +256,7 @@
file: warning_facts.yml
- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed"
when:
- ubtu24cis_rule_7_1_13
when: ubtu24cis_rule_7_1_13
tags:
- level1-server
- level1-workstation
@ -284,7 +274,7 @@
warn_control_id: '7.1.13'
block:
- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID"
ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs
ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs
changed_when: false
failed_when: false
check_mode: false
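Review bot: The 7.1.13 find on the new `ansible.builtin.command` line still carries an invalid expression: `-perm` takes the next argument as its mode, so `-perm \( -02000 or -04000 \)` makes find exit with an error, and the `failed_when: false` on the following line hides it, so the SUID/SGID audit silently reports nothing. The test should read `find {{ item.mount }} -xdev -type f \( -perm -02000 -o -perm -04000 \) -not -fstype nfs`. Separately, in the 7.1.10 hunk `failed_when: discovered_file_exists.state not in '[ file, absent ]'` is a substring test against a string literal and raises a confusing undefined-attribute error instead of the module's own message whenever the result carries no `state` key; `failed_when: discovered_file_exists.state | default('') not in ['file', 'absent']` expresses the intended check. The enclosing blocks of both tasks start and end outside their hunks.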

@ -1,8 +1,7 @@
---
- name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords"
when:
- ubtu24cis_rule_7_2_1
when: ubtu24cis_rule_7_2_1
tags:
- level1-server
- level1-workstation
@ -32,8 +31,7 @@
file: warning_facts.yml
- name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty"
when:
- ubtu24cis_rule_7_2_2
when: ubtu24cis_rule_7_2_2
tags:
- level1-server
- level1-workstation
@ -58,8 +56,7 @@
- "{{ discovered_empty_password_acct.stdout_lines }}"
- name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group"
when:
- ubtu24cis_rule_7_2_3
when: ubtu24cis_rule_7_2_3
tags:
- level1-server
- level1-workstation
@ -84,7 +81,7 @@
- name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
when: discovered_passwd_gid_check.stdout | length > 0
ansible.builtin.debug:
msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join (', ') }}"
msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join(', ') }}"
- name: "7.2.3 | WARNING | Ensure all groups in /etc/passwd exist in /etc/group | warn_count"
when: discovered_passwd_gid_check.stdout | length > 0
@ -92,8 +89,7 @@
file: warning_facts.yml
- name: "7.2.4 | PATCH | Ensure shadow group is empty"
when:
- ubtu24cis_rule_7_2_4
when: ubtu24cis_rule_7_2_4
tags:
- level1-server
- level1-workstation
@ -111,18 +107,17 @@
key: shadow
- name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group"
when: ansible_facts.getent_group.shadow[2] | length > 0
ansible.builtin.debug:
msg: "Warning!! - You have users in the shadow group"
when: ansible_facts.getent_group.shadow[2] | length > 0
- name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group"
when: ansible_facts.getent_group.shadow[2] | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
when: ansible_facts.getent_group.shadow[2] | length > 0
- name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist"
when:
- ubtu24cis_rule_7_2_5
when: ubtu24cis_rule_7_2_5
tags:
- level1-server
- level1-workstation
@ -155,8 +150,7 @@
file: warning_facts.yml
- name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist"
when:
- ubtu24cis_rule_7_2_6
when: ubtu24cis_rule_7_2_6
tags:
- level1-server
- level1-workstation
@ -189,10 +183,7 @@
file: warning_facts.yml
- name: "7.2.7 | AUDIT | Ensure no duplicate user names exist"
vars:
warn_control_id: '7.2.67'
when:
- ubtu24cis_rule_7_2_7
when: ubtu24cis_rule_7_2_7
tags:
- level1-server
- level1-workstation
@ -204,6 +195,8 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- user
vars:
warn_control_id: '7.2.67'
block:
- name: "7.2.7 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
@ -223,8 +216,7 @@
file: warning_facts.yml
- name: "7.2.8 | AUDIT | Ensure no duplicate group names exist"
when:
- ubtu24cis_rule_7_2_8
when: ubtu24cis_rule_7_2_8
tags:
- level1-server
- level1-workstation
@ -257,8 +249,7 @@
file: warning_facts.yml
- name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured"
when:
- ubtu24cis_rule_7_2_9
when: ubtu24cis_rule_7_2_9
tags:
- level1-server
- level1-workstation
@ -273,7 +264,8 @@
state: directory
owner: "{{ item.id }}"
group: "{{ item.gid }}"
loop: "{{ ubtu24cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}"
mode: 'g-w,o-rwx'
loop: "{{ ubtu24cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | list }}"
loop_control:
label: "{{ item.id }}"
@ -344,5 +336,5 @@
- ubtu24cis_dotperm_ansiblemanaged
ansible.builtin.file:
path: '{{ item }}'
mode: go-w
mode: 'go-w'
with_items: "{{ discovered_homedir_dot_files.stdout_lines }}"
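Review bot: The `vars:` block moved below `tags:` in the 7.2.7 hunk keeps `warn_control_id: '7.2.67'`, which is a typo for this rule's id and makes the warning summary built by warning_facts.yml report a control that does not exist; it should read `warn_control_id: '7.2.7'`. In the 7.2.4 hunk the debug task and the import_tasks task now share the identical name `7.2.4 | AUDIT | Ensure shadow group is empty | check users in group`; giving the second one a distinct suffix such as `| warn_count`, as 7.2.3 does, keeps the play output unambiguous. The `block:` of 7.2.7 continues past the end of its hunk.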

@ -1,5 +1,4 @@
---
# This task is used to create variables used in giving a warning summary for manual tasks
# that need attention
#
@ -14,7 +13,7 @@
#
# warn_count is the main variable for the number of warnings and each time a warn_control_id is added
# the count increases by a value of 1
- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning."
- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." # noqa name[template]
ansible.builtin.set_fact:
warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]"
warn_count: "{{ warn_count | int + 1 }}"

@ -653,10 +653,10 @@ ubtu24cis_is_syslog_server: {{ ubtu24cis_system_is_log_server }}
# Note the following to understand precedence and layout
ubtu24cis_sshd_access:
- AllowUser {{ ubtu24cis_sshd.allow_users }}
- AllowGroup {{ ubtu24cis_sshd.allow_groups }}
- DenyUser {{ ubtu24cis_sshd.deny_users }}
- DenyGroup {{ ubtu24cis_sshd.deny_groups }}
- AllowUser {{ ubtu24cis_sshd_allow_users }}
- AllowGroup {{ ubtu24cis_sshd_allow_groups }}
- DenyUser {{ ubtu24cis_sshd_deny_users }}
- DenyGroup {{ ubtu24cis_sshd_deny_groups }}
ubtu24cis_ssh_strong_ciphers:
- aes256-gcm@openssh.com
@ -721,14 +721,13 @@ ubtu24cis_pam_passwd_retry: "3"
# logins.def password settings
ubtu24cis_pass:
max_days: {{ ubtu24cis_pass.max_days }}
min_days: {{ ubtu24cis_pass.min_days }}
warn_age: {{ ubtu24cis_pass.warn_age }}
max_days: {{ ubtu24cis_pass_max_days }}
min_days: {{ ubtu24cis_pass_min_days }}
warn_age: {{ ubtu24cis_pass_warn_age }}
# set sugroup if differs from wheel
ubtu24cis_sugroup: nosugroup
# var log location variable
ubtu24_varlog_location: {{ ubtu24cis_sudo_logfile }}

@ -34,8 +34,8 @@
-w /etc/netplan -p wa -k system-locale
{% endif %}
{% if ubtu24cis_rule_6_2_3_6 %}
{% if priv_procs is defined %}
{% for proc in priv_procs.stdout_lines -%}
{% if discovered_privilege_processes is defined %}
{% for proc in discovered_privilege_processes.stdout_lines -%}
-a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=unset -k privileged
{% endfor %}
{% endif %}

@ -2,7 +2,7 @@
Description=Aide check
[Timer]
OnCalendar={{ ubtu24cis_aide_cron.aide_day }}-{{ ubtu24cis_aide_cron.aide_month }}-{{ ubtu24cis_aide_cron.aide_weekday }} {{ ubtu24cis_aide_cron.aide_hour }}:{{ ubtu24cis_aide_cron.aide_minute }}:00
OnCalendar={{ ubtu24cis_aide_cron_aide_day }}-{{ ubtu24cis_aide_cron_aide_month }}-{{ ubtu24cis_aide_cron_aide_weekday }} {{ ubtu24cis_aide_cron_aide_hour }}:{{ ubtu24cis_aide_cron_aide_minute }}:00
Unit=aidecheck.service
[Install]
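Review bot: The renamed variables on the new `OnCalendar=` line (`ubtu24cis_aide_cron_aide_day`, `_aide_month`, `_aide_weekday`, `_aide_hour`, `_aide_minute`) do not match the names the cron task in this same commit reads (`ubtu24cis_aide_cron_day`, `ubtu24cis_aide_cron_month`, `ubtu24cis_aide_cron_weekday`, `ubtu24cis_aide_cron_hour`, `ubtu24cis_aide_cron_minute`); unless the defaults define both spellings, rendering this template will fail on an undefined variable whenever `ubtu24cis_aide_scan == 'timer'`. Aligning on the cron task's names, `OnCalendar={{ ubtu24cis_aide_cron_day }}-{{ ubtu24cis_aide_cron_month }}-{{ ubtu24cis_aide_cron_weekday }} {{ ubtu24cis_aide_cron_hour }}:{{ ubtu24cis_aide_cron_minute }}:00`, keeps the two schedule paths in sync. Note also that systemd's OnCalendar expects `Year-Month-Day Hour:Minute:Second` (optionally preceded by a weekday), so the `day-month-weekday` order here only produces a valid timer while those three values stay `*`.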

@ -1,5 +1,4 @@
#!/usr/bin/env bash
{% raw %}
{% raw %}#!/usr/bin/env bash
# Based on original Script provided by CIS
# CVEs correct at time of creation - April2024

@ -35,7 +35,7 @@ audit_format: json
audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
audit_results: |
The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }}
{% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %}
The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }}
{% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %}
Full breakdown can be found in {{ audit_log_dir }}
Full breakdown can be found in {{ audit_log_dir }}

@ -13,63 +13,74 @@ ubtu24cis_firewall_package: None
## Related individual rules
# Aide
ubtu24cis_rule_1_4_1: false
ubtu24cis_rule_1_4_2: false
ubtu24cis_rule_6_3_1: false
ubtu24cis_rule_6_3_2: false
# AppArmor
ubtu24cis_rule_1_6_1: false
ubtu24cis_rule_1_6_2: false
ubtu24cis_rule_1_6_3: false
ubtu24cis_rule_1_6_4: false
ubtu24cis_rule_1_3_1: false
ubtu24cis_rule_1_3_2: false
ubtu24cis_rule_1_3_3: false
ubtu24cis_rule_1_3_4: false
# time sync
ubtu24cis_rule_2_1_1_1: false
ubtu24cis_rule_2_2_1_2: false
ubtu24cis_rule_2_3_2_1: false
ubtu24cis_rule_2_3_2_2: false
# Auditd
ubtu24cis_rule_4_1_1_1: false
ubtu24cis_rule_4_1_1_2: false
ubtu24cis_rule_4_1_1_3: false
ubtu24cis_rule_4_1_1_4: false
ubtu24cis_rule_4_1_2_1: false
ubtu24cis_rule_4_1_2_2: false
ubtu24cis_rule_4_1_2_3: false
ubtu24cis_rule_6_2_1_1: false
ubtu24cis_rule_6_2_1_2: false
ubtu24cis_rule_6_2_1_3: false
ubtu24cis_rule_6_2_1_4: false
ubtu24cis_rule_6_2_2_1: false
ubtu24cis_rule_6_2_2_2: false
ubtu24cis_rule_6_2_2_3: false
# Auditd rules
ubtu24cis_rule_4_1_3_1: false
ubtu24cis_rule_4_1_3_2: false
ubtu24cis_rule_4_1_3_3: false
ubtu24cis_rule_4_1_3_4: false
ubtu24cis_rule_4_1_3_5: false
ubtu24cis_rule_4_1_3_6: false
ubtu24cis_rule_4_1_3_7: false
ubtu24cis_rule_4_1_3_8: false
ubtu24cis_rule_4_1_3_9: false
ubtu24cis_rule_4_1_3_10: false
ubtu24cis_rule_4_1_3_11: false
ubtu24cis_rule_4_1_3_12: false
ubtu24cis_rule_4_1_3_13: false
ubtu24cis_rule_4_1_3_14: false
ubtu24cis_rule_4_1_3_15: false
ubtu24cis_rule_4_1_3_16: false
ubtu24cis_rule_4_1_3_17: false
ubtu24cis_rule_4_1_3_18: false
ubtu24cis_rule_4_1_3_19: false
ubtu24cis_rule_4_1_3_20: false
ubtu24cis_rule_4_1_3_21: false
ubtu24cis_rule_6_2_3_1: false
ubtu24cis_rule_6_2_3_2: false
ubtu24cis_rule_6_2_3_3: false
ubtu24cis_rule_6_2_3_4: false
ubtu24cis_rule_6_2_3_5: false
ubtu24cis_rule_6_2_3_6: false
ubtu24cis_rule_6_2_3_7: false
ubtu24cis_rule_6_2_3_8: false
ubtu24cis_rule_6_2_3_9: false
ubtu24cis_rule_6_2_3_10: false
ubtu24cis_rule_6_2_3_11: false
ubtu24cis_rule_6_2_3_12: false
ubtu24cis_rule_6_2_3_13: false
ubtu24cis_rule_6_2_3_14: false
ubtu24cis_rule_6_2_3_15: false
ubtu24cis_rule_6_2_3_16: false
ubtu24cis_rule_6_2_3_17: false
ubtu24cis_rule_6_2_3_18: false
ubtu24cis_rule_6_2_3_19: false
ubtu24cis_rule_6_2_3_20: false
ubtu24cis_rule_6_2_3_21: false
# Auditd file access
ubtu24cis_rule_4_1_4_1: false
ubtu24cis_rule_4_1_4_2: false
ubtu24cis_rule_4_1_4_3: false
ubtu24cis_rule_4_1_4_4: false
ubtu24cis_rule_4_1_4_5: false
ubtu24cis_rule_4_1_4_6: false
ubtu24cis_rule_4_1_4_7: false
ubtu24cis_rule_4_1_4_8: false
ubtu24cis_rule_4_1_4_9: false
ubtu24cis_rule_4_1_4_10: false
ubtu24cis_rule_4_1_4_11: false
ubtu24cis_rule_6_2_4_1: false
ubtu24cis_rule_6_2_4_2: false
ubtu24cis_rule_6_2_4_3: false
ubtu24cis_rule_6_2_4_4: false
ubtu24cis_rule_6_2_4_5: false
ubtu24cis_rule_6_2_4_6: false
ubtu24cis_rule_6_2_4_7: false
ubtu24cis_rule_6_2_4_8: false
ubtu24cis_rule_6_2_4_9: false
ubtu24cis_rule_6_2_4_10: false
ubtu24cis_rule_6_2_4_11: false
# cron
ubtu24cis_rule_2_4_1_1: false
ubtu24cis_rule_2_4_1_2: false
ubtu24cis_rule_2_4_1_3: false
ubtu24cis_rule_2_4_1_4: false
ubtu24cis_rule_2_4_1_5: false
ubtu24cis_rule_2_4_1_6: false
ubtu24cis_rule_2_4_1_7: false
ubtu24cis_rule_2_4_1_8: false
ubtu24cis_rule_2_4_2_1: false
# ssh
ubtu24cis_rule_5_1_1: false
ubtu24cis_rule_5_1_2: false
ubtu24cis_rule_5_1_3: false
@ -78,27 +89,17 @@ ubtu24cis_rule_5_1_5: false
ubtu24cis_rule_5_1_6: false
ubtu24cis_rule_5_1_7: false
ubtu24cis_rule_5_1_8: false
# ssh
ubtu24cis_rule_5_2_1: false
ubtu24cis_rule_5_2_2: false
ubtu24cis_rule_5_2_3: false
ubtu24cis_rule_5_2_4: false
ubtu24cis_rule_5_2_5: false
ubtu24cis_rule_5_2_6: false
ubtu24cis_rule_5_2_7: false
ubtu24cis_rule_5_2_8: false
ubtu24cis_rule_5_2_9: false
ubtu24cis_rule_5_2_10: false
ubtu24cis_rule_5_2_11: false
ubtu24cis_rule_5_2_12: false
ubtu24cis_rule_5_2_13: false
ubtu24cis_rule_5_2_14: false
ubtu24cis_rule_5_2_15: false
ubtu24cis_rule_5_2_16: false
ubtu24cis_rule_5_2_17: false
ubtu24cis_rule_5_2_18: false
ubtu24cis_rule_5_2_19: false
ubtu24cis_rule_5_2_20: false
ubtu24cis_rule_5_2_21: false
ubtu24cis_rule_5_2_22: false
ubtu24cis_rule_5_1_9: false
ubtu24cis_rule_5_1_10: false
ubtu24cis_rule_5_1_11: false
ubtu24cis_rule_5_1_12: false
ubtu24cis_rule_5_1_13: false
ubtu24cis_rule_5_1_14: false
ubtu24cis_rule_5_1_15: false
ubtu24cis_rule_5_1_16: false
ubtu24cis_rule_5_1_17: false
ubtu24cis_rule_5_1_18: false
ubtu24cis_rule_5_1_19: false
ubtu24cis_rule_5_1_20: false
ubtu24cis_rule_5_1_21: false
ubtu24cis_rule_5_1_22: false

@ -12,3 +12,16 @@ system_is_container: false
# Used to control warning summary
warn_control_list: ""
warn_count: 0
# Aide initiate command for new DB creation
aide_initiate_command: aideinit -y -f
# Audit vars
audit_bins:
- /sbin/auditctl
- /sbin/aureport
- /sbin/ausearch
- /sbin/autrace
- /sbin/auditd
- /sbin/augenrules