diff --git a/LICENSE b/LICENSE index e9cb70f..7e51eb7 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2023 MindPoint Group / Lockdown Enterprise / Lockdown Enterprise Releases +Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/collections/requirements.yml b/collections/requirements.yml index 8ebc618..810c9af 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,14 +1,14 @@ --- collections: - - name: community.general - source: https://github.com/ansible-collections/community.general - type: git + - name: community.general + source: https://github.com/ansible-collections/community.general + type: git - - name: community.crypto - source: https://github.com/ansible-collections/community.crypto - type: git + - name: community.crypto + source: https://github.com/ansible-collections/community.crypto + type: git - - name: ansible.posix - source: https://github.com/ansible-collections/ansible.posix - type: git + - name: ansible.posix + source: https://github.com/ansible-collections/ansible.posix + type: git diff --git a/defaults/main.yml b/defaults/main.yml index c0fdc9c..19c4b5a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -828,67 +828,67 @@ ubtu24cis_sshd_default_kex_algorithms: - diffie-hellman-group18-sha512 - diffie-hellman-group14-sha256 -ubtu24cis_sshd: - # This variable is used to control the verbosity of the logging produced by the SSH server. - # The options for setting it are as follows: - # - `QUIET`: Minimal logging; - # - `FATAL`: logs only fatal errors; - # - `ERROR`: logs error messages; - # - `INFO`: logs informational messages in addition to errors; - # - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges; - # - `DEBUG`: generates very detailed debugging information including sensitive information. - log_level: "{{ ubtu24cis_sshd_default_log_level }}" - # This variable specifies the maximum number of authentication attempts that are - # allowed for a single SSH session. - max_auth_tries: "{{ubtu24cis_sshd_default_max_auth_tries}}" - # This variable specifies the encryption algorithms that can be used for securing - # data transmission. - ciphers: "{{ ubtu24cis_sshd_default_ciphers }}" - # This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying - # the integrity of data exchanged. - macs: "{{ ubtu24cis_sshd_default_macs }}" - # This variable is used to state the key exchange algorithms used to establish secure encryption - # keys during the initial connection setup. - kex_algorithms: "{{ ubtu24cis_sshd_default_kex_algorithms }}" - # This variable sets the time interval in seconds between sending "keep-alive" - # messages from the server to the client. These types of messages are intended to - # keep the connection alive and prevent it being terminated due to inactivity. - client_alive_interval: "{{ ubtu24cis_sshd_default_client_alive_interval }}" - # This variable sets the maximum number of unresponsive "keep-alive" messages - # that can be sent from the server to the client before the connection is considered - # inactive and thus, closed. 
- client_alive_count_max: "{{ ubtu24cis_sshd_default_client_alive_count_max }}" - # This variable specifies the amount of seconds allowed for successful authentication to - # the SSH server. - login_grace_time: "{{ ubtu24cis_sshd_default_login_grace_time }}" - # This variables is used to set the maximum number of open sessions per connection. - max_sessions: "{{ ubtu24cis_sshd_default_max_sessions }}" - # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH - # access for users whose user name matches one of the patterns. This is done - # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. - # If an USER@HOST format will be used, the specified user will be allowed only on that particular host. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, see https://linux.die.net/man/5/sshd_config - allow_users: "" - # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access - # for users whose primary group or supplementary group list matches one of the patterns. This is done - # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, https://linux.die.net/man/5/sshd_config - allow_groups: "" - # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access - # for users whose user name matches one of the patterns. This is done - # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. - # If an USER@HOST format will be used, the specified user will be restricted only on that particular host. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. 
- # For more info, see https://linux.die.net/man/5/sshd_config - deny_users: "" - # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access - # for users whose primary group or supplementary group list matches one of the patterns. This is done - # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, see https://linux.die.net/man/5/sshd_config - deny_groups: "" +# SSH Settings +# This variable is used to control the verbosity of the logging produced by the SSH server. +# The options for setting it are as follows: +# - `QUIET`: Minimal logging; +# - `FATAL`: logs only fatal errors; +# - `ERROR`: logs error messages; +# - `INFO`: logs informational messages in addition to errors; +# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges; +# - `DEBUG`: generates very detailed debugging information including sensitive information. +ubtu24cis_sshd_log_level: "{{ ubtu24cis_sshd_default_log_level }}" +# This variable specifies the maximum number of authentication attempts that are +# allowed for a single SSH session. +ubtu24cis_sshd_max_auth_tries: "{{ ubtu24cis_sshd_default_max_auth_tries }}" +# This variable specifies the encryption algorithms that can be used for securing +# data transmission. +ubtu24cis_sshd_ciphers: "{{ ubtu24cis_sshd_default_ciphers }}" +# This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying +# the integrity of data exchanged. +ubtu24cis_sshd_macs: "{{ ubtu24cis_sshd_default_macs }}" +# This variable is used to state the key exchange algorithms used to establish secure encryption +# keys during the initial connection setup. 
+ubtu24cis_sshd_kex_algorithms: "{{ ubtu24cis_sshd_default_kex_algorithms }}" +# This variable sets the time interval in seconds between sending "keep-alive" +# messages from the server to the client. These types of messages are intended to +# keep the connection alive and prevent it being terminated due to inactivity. +ubtu24cis_sshd_client_alive_interval: "{{ ubtu24cis_sshd_default_client_alive_interval }}" +# This variable sets the maximum number of unresponsive "keep-alive" messages +# that can be sent from the server to the client before the connection is considered +# inactive and thus, closed. +ubtu24cis_sshd_client_alive_count_max: "{{ ubtu24cis_sshd_default_client_alive_count_max }}" +# This variable specifies the amount of seconds allowed for successful authentication to +# the SSH server. +ubtu24cis_sshd_login_grace_time: "{{ ubtu24cis_sshd_default_login_grace_time }}" +# This variables is used to set the maximum number of open sessions per connection. +ubtu24cis_sshd_max_sessions: "{{ ubtu24cis_sshd_default_max_sessions }}" +# This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH +# access for users whose user name matches one of the patterns. This is done +# by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. +# If an USER@HOST format will be used, the specified user will be allowed only on that particular host. +# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. +# For more info, see https://linux.die.net/man/5/sshd_config +ubtu24cis_sshd_allow_users: "" +# (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access +# for users whose primary group or supplementary group list matches one of the patterns. This is done +# by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. 
+# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. +# For more info, https://linux.die.net/man/5/sshd_config +ubtu24cis_sshd_allow_groups: "" +# This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access +# for users whose user name matches one of the patterns. This is done +# by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. +# If an USER@HOST format will be used, the specified user will be restricted only on that particular host. +# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. +# For more info, see https://linux.die.net/man/5/sshd_config +ubtu24cis_sshd_deny_users: "" +# This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access +# for users whose primary group or supplementary group list matches one of the patterns. This is done +# by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. +# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. +# For more info, see https://linux.die.net/man/5/sshd_config +ubtu24cis_sshd_deny_groups: "" ## Control 5.2.1 # This variable represents the name of the sudo package to install 
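Review bot: An operator's existing override of the `ubtu24cis_sshd` mapping (for example a tuned `allow_users`/`deny_users`) is silently ignored once the settings become flat `ubtu24cis_sshd_*` variables — the role falls back to the defaults with no error to flag that the intended hardening no longer applies, and the same holds for the `ubtu24cis_pass`, `ubtu24cis_aide_init` and `ubtu24cis_aide_cron` mappings renamed later in this file. An early assertion alongside the existing `tags: always` checks in tasks/main.yml, such as `that: ubtu24cis_sshd is not defined` with a `fail_msg` naming the new variables, plus a changelog entry, would make the rename fail loudly instead. Minor: the carried-over comment `# This variables is used to set the maximum number of open sessions per connection.` should read `# This variable is used to set the maximum number of open sessions per connection.`.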
@@ -1015,22 +1015,22 @@ ubtu24cis_pamd_pwhistory_remember: 24 ## Controls 5.4.1.x - Password settings ubtu24cis_pass: - ## Control 5.4.1.1 - # This variable governs after how many days a password expires. - # CIS requires a value of 365 or less. - max_days: 365 - ## Control 5.4.1.2 - # This variable specifies the minimum number of days allowed between changing passwords. - # CIS requires a value of at least 1. - min_days: 1 - ## Control 5.5.1.3 - # This variable governs, how many days before a password expires, the user will be warned. - # CIS requires a value of at least 7. - warn_age: 7 - ## Control 5.4.1.5 - # This variable specifies the number of days of inactivity before an account will be locked. - # CIS requires a value of 45 days or less. - inactive: 45 +## Control 5.4.1.1 +# This variable governs after how many days a password expires. +# CIS requires a value of 365 or less. +ubtu24cis_pass_max_days: 365 +## Control 5.4.1.2 +# This variable specifies the minimum number of days allowed between changing passwords. +# CIS requires a value of at least 1. +ubtu24cis_pass_min_days: 1 +## Control 5.5.1.3 +# This variable governs, how many days before a password expires, the user will be warned. +# CIS requires a value of at least 7. +ubtu24cis_pass_warn_age: 7 +## Control 5.4.1.5 +# This variable specifies the number of days of inactivity before an account will be locked. +# CIS requires a value of 45 days or less. +ubtu24cis_pass_inactive: 45 # 5.4.2.6 root umask ubtu24cis_root_umask: '0027' # 0027 or more restrictive @@ -1062,7 +1062,6 @@ ubtu24cis_shell_session_file: /etc/profile.d/tmout.sh ## ## Section 6 Control Variables ## - # Set which syslog service # journald or rsyslog ubtu24cis_syslog_service: 'journald' 
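Review bot: `ubtu24cis_pass:` survives as a context line while every child is hoisted to a top-level `ubtu24cis_pass_*` key, so the new file carries a bare `ubtu24cis_pass:` that parses as null; a leftover `ubtu24cis_pass.max_days` style reference would then fail with a None-attribute error rather than an undefined-variable one, and yamllint's empty-values check flags it. Remove the line (`-ubtu24cis_pass:`) so the section is just the heading comment and the four flat variables. The carried-over heading `## Control 5.5.1.3` above `ubtu24cis_pass_warn_age` sits inside the 5.4.1.x group and is presumably meant to be `## Control 5.4.1.3`.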
@@ -1105,6 +1104,11 @@ ubtu24cis_journald_runtimekeepfree: "#RuntimeKeepFree=" # ATTENTION: Uncomment the keyword below when values are set! ubtu24cis_journald_maxfilesec: "#MaxFileSec=" +# 6.1.3.8 +# ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation +# To conform to CIS standards this just needs to comply with your site policy +ubtu24cis_logrotate: "daily" + ## Controls 6.2.3.x - Audit template # This variable is set to true by tasks 6.2.3.1 to 6.2.3.20. As a result, the # audit settings are overwritten with the role's template. In order to exclude @@ -1120,11 +1124,6 @@ ubtu24cis_allow_auditd_uid_user_exclusions: false ubtu24cis_auditd_uid_exclude: - 1999 -# 6.1.3.8 -# ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation -# To conform to CIS standards this just needs to comply with your site policy -ubtu24cis_logrotate: "daily" - ## Control 6.2.1.4 - Ensure audit_backlog_limit is sufficient # This variable represents the audit backlog limit, i.e., the maximum number of audit records that the # system can buffer in memory, if the audit subsystem is unable to process them in real-time. @@ -1177,7 +1176,7 @@ ubtu24cis_auditd_disk_error_action: syslog ubtu24cis_auditd_space_left_action: email ubtu24cis_auditd_admin_space_left_action: halt -## Control 6.2.x - allow aide to be configured +## Control 6.3.x - allow aide to be configured # AIDE is a file integrity checking tool, similar in nature to Tripwire. # While it cannot prevent intrusions, it can detect unauthorized changes # to configuration files by alerting when the files are changed. Review 
@@ -1185,15 +1184,24 @@ ubtu24cis_auditd_admin_space_left_action: halt # By setting this variable to `true`, all of the settings related to AIDE will be applied! ubtu24cis_config_aide: true +# If DB file older than below will automatically rebuild DB +# e.g. options:1w = 1 week, 1d = 1day 1h = 1 hour +ubtu24cis_aide_db_file_age: 1w + +# If aide already setup this forces a new DB to be created +ubtu24cis_aide_db_recreate: false + +# allows to change db file, not config need to be adjusted too +ubtu24cis_aide_db_file: /var/lib/aide/aide.db + ## When Initializing aide this can take longer on some systems # changing the values enables user to change to thier own requirements -ubtu24cis_aide_init: - # Maximum Time in seconds - async: 45 - # Polling Interval in seconds - poll: 0 +# Maximum Time in seconds +ubtu24cis_aide_init_async: 600 +# Polling Interval in seconds +ubtu24cis_aide_init_poll: 15 -## Control 6.3 +## Control 6.3.x # Set how aide is scanned either cron or timer ubtu24cis_aide_scan: cron # These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. 
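Review bot: The comment on the new `ubtu24cis_aide_db_file_age` should state what an age-triggered rebuild means for integrity monitoring: re-initialising the database adopts whatever is on disk at that moment as the trusted baseline, so an unreviewed change older than the window is accepted silently, and the rebuild should only follow a check whose report has been looked at. Suggested wording: `# If the DB file is older than this value the DB is rebuilt automatically (e.g. 1w = 1 week, 1d = 1 day, 1h = 1 hour).` followed by `# NOTE: a rebuild accepts the current filesystem state as the new baseline; run and review a check first.`. The `ubtu24cis_aide_init_*` change looks behavioural rather than a pure rename — if these still feed `async:`/`poll:` on the init task, `poll: 0` was fire-and-forget whereas `ubtu24cis_aide_init_poll: 15` makes the task wait for up to `ubtu24cis_aide_init_async: 600` seconds, which the `## When Initializing aide` comment should say. The line `# allows to change db file, not config need to be adjusted too` is hard to parse; `# Allows the DB file path to be changed; the AIDE config must be adjusted to match.` reads better.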
@@ -1201,36 +1209,36 @@ ubtu24cis_aide_scan: cron # the cron job on the target system. # Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled # and executed automatically at a certain point in time. -ubtu24cis_aide_cron: - # This variable represents the user account under which the cron job for AIDE will run. - cron_user: root - # This variable represents the path to the AIDE crontab file. - cron_file: /etc/cron.d/aide_cron - # This variable represents the actual command or script that the cron job - # will execute for running AIDE. - aide_job: '/usr/bin/aide --config /etc/aide/aide.conf --check' - # These variables define the schedule for the cron job - # This variable governs the minute of the time of day when the AIDE cronjob is run. - # It must be in the range `0-59`. - aide_minute: 0 - # This variable governs the hour of the time of day when the AIDE cronjob is run. - # It must be in the range `0-23`. - aide_hour: 5 - # This variable governs the day of the month when the AIDE cronjob is run. - # `*` signifies that the job is run on all days; furthermore, specific days - # can be given in the range `1-31`; several days can be concatenated with a comma. - # The specified day(s) can must be in the range `1-31`. - aide_day: '*' - # This variable governs months when the AIDE cronjob is run. - # `*` signifies that the job is run in every month; furthermore, specific months - # can be given in the range `1-12`; several months can be concatenated with commas. - # The specified month(s) can must be in the range `1-12`. - aide_month: '*' - # This variable governs the weekdays, when the AIDE cronjob is run. - # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays - # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays - # can be concatenated with commas. - aide_weekday: '*' + +# This variable represents the user account under which the cron job for AIDE will run. 
+ubtu24cis_aide_cron_user: root +# This variable represents the path to the AIDE crontab file. +ubtu24cis_aide_cron_file: /etc/cron.d/aide_cron +# This variable represents the actual command or script that the cron job +# will execute for running AIDE. +ubtu24cis_aide_cron_job: '/usr/bin/aide --config /etc/aide/aide.conf --check' +# These variables define the schedule for the cron job +# This variable governs the minute of the time of day when the AIDE cronjob is run. +# It must be in the range `0-59`. +ubtu24cis_aide_cron_minute: 0 +# This variable governs the hour of the time of day when the AIDE cronjob is run. +# It must be in the range `0-23`. +ubtu24cis_aide_cron_hour: 5 +# This variable governs the day of the month when the AIDE cronjob is run. +# `*` signifies that the job is run on all days; furthermore, specific days +# can be given in the range `1-31`; several days can be concatenated with a comma. +# The specified day(s) can must be in the range `1-31`. +ubtu24cis_aide_cron_day: '*' +# This variable governs months when the AIDE cronjob is run. +# `*` signifies that the job is run in every month; furthermore, specific months +# can be given in the range `1-12`; several months can be concatenated with commas. +# The specified month(s) can must be in the range `1-12`. +ubtu24cis_aide_cron_month: '*' +# This variable governs the weekdays, when the AIDE cronjob is run. +# `*` signifies that the job is run on all weekdays; furthermore, specific weekdays +# can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays +# can be concatenated with commas. +ubtu24cis_aide_cron_weekday: '*' ## ## Section 7 Control Variables diff --git a/handlers/main.yml b/handlers/main.yml index 8b5dda6..cc96914 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -10,7 +10,7 @@ dest: /etc/systemd/system/tmp.mount owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' with_items: - "{{ ansible_facts.mounts }}" loop_control: 
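Review bot: The symbolic mode `u-x,go-wx` replacing `'0644'` on `/etc/systemd/system/tmp.mount` is relative — it only clears bits, so the outcome depends on the file's existing permissions or, for a newly created file, on the creation umask — whereas the octal value pinned the permissions regardless of prior state; the same pattern is introduced in tasks/LE_audit_setup.yml, tasks/audit_only.yml, tasks/auditd.yml and tasks/pre_remediation_audit.yml. Deterministic permissions are the point of a hardening role, so either keep the octal or use an absolute symbolic form, e.g. `mode: 'u=rw,go=r'` here. If an ansible-lint rule motivated the switch, both forms satisfy it.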
@@ -35,15 +35,16 @@ listen: Writing and remounting tmp - name: Update_Initramfs - ansible.builtin.shell: update-initramfs -u + ansible.builtin.command: update-initramfs -u + changed_when: true notify: Set_reboot_required - name: Remount tmp + when: + - "'/tmp' in mount_names" ansible.posix.mount: path: /tmp state: remounted - when: - - "'/tmp' in mount_names" listen: Writing and remounting tmp - name: Remount var @@ -78,7 +79,8 @@ state: remounted - name: Grub update - ansible.builtin.shell: update-grub + ansible.builtin.command: update-grub + changed_when: true failed_when: false notify: Set_reboot_required @@ -92,7 +94,8 @@ daemon_reload: true - name: Update dconf - ansible.builtin.shell: dconf update + ansible.builtin.command: dconf update + changed_when: true failed_when: false - name: Restart postfix 
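Review bot: `Grub update` keeps `failed_when: false`, so a non-zero exit from `update-grub` is discarded and the play reports success even when the bootloader changes it was notified for (e.g. the grub password settings checked in tasks/main.yml) were never written; `Update dconf` in the next hunk keeps the same blanket ignore. Now that the handler runs through `ansible.builtin.command`, the return code is available: `register: discovered_grub_update` together with `failed_when: discovered_grub_update.rc != 0 and not system_is_container` would tolerate the container case (`system_is_container` is set in tasks/main.yml) without hiding real failures. If ignoring every failure is intentional, a comment saying why would help the next reader.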
@@ -136,51 +139,51 @@ state: reloaded - name: Iptables persistent - ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" - changed_when: ubtu24cis_iptables_save.rc == 0 - failed_when: ubtu24cis_iptables_save.rc > 0 - register: ubtu24cis_iptables_save + ansible.builtin.command: bash -c "iptables-save > /etc/iptables/rules.v4" + changed_when: true - name: Ip6tables persistent - ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6" - changed_when: ubtu24cis_ip6tables_save.rc == 0 - failed_when: ubtu24cis_ip6tables_save.rc > 0 - register: ubtu24cis_ip6tables_save + ansible.builtin.command: bash -c "ip6tables-save > /etc/iptables/rules.v6" + changed_when: true - name: Pam_auth_update_pwunix - ansible.builtin.shell: pam-auth-update --enable {{ ubtu24cis_pam_pwunix_file }} + ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwunix_file }} + changed_when: true - name: Pam_auth_update_pwfaillock - ansible.builtin.shell: pam-auth-update --enable {{ ubtu24cis_pam_faillock_file }} + ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_faillock_file }} + changed_when: true - name: Pam_auth_update_pwfaillock_notify - ansible.builtin.shell: pam-auth-update --enable {{ ubtu24cis_pam_faillock_notify_file }} + ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_faillock_notify_file }} + changed_when: true - name: Pam_auth_update_pwquality - ansible.builtin.shell: pam-auth-update --enable {{ ubtu24cis_pam_pwquality_file }} + ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwquality_file }} + changed_when: true - name: Pam_auth_update_pwhistory - ansible.builtin.shell: pam-auth-update --enable {{ ubtu24cis_pam_pwhistory_file }} + ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwhistory_file }} + changed_when: true - name: Auditd rules reload when: - not prelim_auditd_immutable_check or '"No change" not in ubtu24cis_rule_6_2_3_21_grep -iR augen_check.stdout' - 
ansible.builtin.shell: augenrules --load + ansible.builtin.command: augenrules --load + changed_when: true - name: Audit_immutable_fact when: - - audit_rules_updated.changed + - discovered_audit_rules_updated.changed - auditd_immutable_check is defined ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" notify: Set_reboot_required - name: Restart auditd - when: - - audit_rules_updated is defined - tags: - - skip_ansible_lint + when: discovered_audit_rules_updated is defined + tags: skip_ansible_lint ansible.builtin.shell: service auditd restart - name: Restart sshd diff --git a/meta/main.yml b/meta/main.yml index c993c99..b69f6db 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,28 +1,28 @@ --- galaxy_info: - author: "Mark Bolwell" - description: "Apply the Ubuntu 24 CIS benchmarks" - company: "MindPoint Group" - license: MIT - namespace: mindpointgroup - role_name: ubuntu24_cis - min_ansible_version: 2.12.1 - platforms: - - name: Ubuntu - versions: - - jammy - galaxy_tags: - - system - - security - - cis - - hardening - - benchmark - - compliance - - complianceascode - - ubuntu24 + author: "Mark Bolwell" + description: "Apply the Ubuntu 24 CIS benchmarks" + company: "MindPoint Group" + license: MIT + namespace: mindpointgroup + role_name: ubuntu24_cis + min_ansible_version: 2.12.1 + platforms: + - name: Ubuntu + versions: + - jammy + galaxy_tags: + - system + - security + - cis + - hardening + - benchmark + - compliance + - complianceascode + - ubuntu24 collections: - - community.general - - community.crypto - - ansible.posix + - community.general + - community.crypto + - ansible.posix dependencies: [] diff --git a/site.yml b/site.yml index 0358dc3..55a3958 100644 --- a/site.yml +++ b/site.yml @@ -1,8 +1,7 @@ --- -- hosts: all +- name: Run CIS benchmark + hosts: all become: true - roles: - - - role: "{{ playbook_dir }}" + - role: "{{ playbook_dir }}" 
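Review bot: `ansible.builtin.command: bash -c "iptables-save > /etc/iptables/rules.v4"` is still a shell invocation, merely hidden from ansible-lint's command-instead-of-shell check; the redirection is exactly why a shell is needed, so the honest form is `ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4`, and likewise for `Ip6tables persistent`. Dropping the `register`/`failed_when` pair is fine either way, since both `command` and `shell` fail on a non-zero exit by default.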
diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index ffbb324..52fc8bd 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -20,13 +20,13 @@ owner: root group: root checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" - mode: '0555' + mode: 'u+x,go-w' - name: Pre Audit Setup | Copy audit binary when: get_audit_binary_method == 'copy' ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" - mode: '0555' owner: root group: root + mode: 'u+x,go-w' diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index f162339..008d358 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml @@ -2,29 +2,27 @@ - name: Audit_Only | Create local Directories for hosts when: fetch_audit_files - delegate_to: localhost - become: false ansible.builtin.file: - mode: '0755' + mode: 'u+x,go-w' path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" recurse: true state: directory + delegate_to: localhost + become: false - name: Audit_only | Get audits from systems and put in group dir when: fetch_audit_files ansible.builtin.fetch: dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" flat: true - mode: '0644' + mode: 'go-wx' src: "{{ pre_audit_outfile }}" - name: Audit_only | Show Audit Summary - when: - - audit_only + when: audit_only ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" - name: Audit_only | Stop Playbook Audit Only selected - when: - - audit_only + when: audit_only ansible.builtin.meta: end_play diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 889e429..c998195 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -7,8 +7,8 @@ dest: /etc/audit/rules.d/99_auditd.rules owner: root group: root - mode: '0640' - register: audit_rules_updated + mode: 'u-x,go-wx' + register: discovered_audit_rules_updated notify: - Auditd rules reload - Audit_immutable_fact 
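Review bot: `mode: 'u-x,go-wx'` on `/etc/audit/rules.d/99_auditd.rules` in tasks/auditd.yml never removes the group or other read bit, so a freshly templated file lands at `0644` under the usual `022` umask — world-readable and looser than the `'0640'` it replaces, which the benchmark's own audit configuration-file mode control would presumably flag. Use an absolute form such as `mode: 'u=rw,g=r,o='` or keep `'0640'`. The sibling change to `u-x,go-rwx` for `98_auditd_exceptions.rules` in the next hunk is fine, since it strips all group/other access.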
@@ -22,7 +22,7 @@ dest: /etc/audit/rules.d/98_auditd_exceptions.rules owner: root group: root - mode: '0600' + mode: 'u-x,go-rwx' notify: Restart auditd - name: POST | AUDITD | Flush handlers diff --git a/tasks/main.yml b/tasks/main.yml index 92a8b04..da77a35 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -4,14 +4,12 @@ when: - ansible_facts.distribution == 'Ubuntu' - ansible_facts.distribution_major_version is version_compare('24', '!=') - tags: - - always + tags: always ansible.builtin.fail: msg: "This role can only be run against Ubuntu 24. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." - name: Check ansible version - tags: - - always + tags: always ansible.builtin.assert: that: ansible_version.full is version_compare(min_ansible_version, '>=') fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" 
@@ -22,39 +20,36 @@ when: - ubtu24cis_rule_5_2_4 - ansible_env.SUDO_USER is defined - tags: - - always + tags: always block: - name: Capture current password state of connecting user" ansible.builtin.shell: "grep -w {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false - register: ansible_user_password_set + register: prelim_ansible_user_password_set - - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" + - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" # noqa name[template] ansible.builtin.assert: - that: ansible_user_password_set.stdout != "!!" and ansible_user_password_set.stdout | length > 10 + that: prelim_ansible_user_password_set.stdout != "!!" and prelim_ansible_user_password_set.stdout | length > 10 fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for sudo user {{ ansible_env.SUDO_USER }}" vars: sudo_password_rule: ubtu24cis_rule_5_2_4 # pragma: allowlist secret - name: Ensure root password is set - when: - - ubtu24cis_rule_5_4_2_4 - tags: - - always + when: ubtu24cis_rule_5_4_2_4 + tags: always block: - name: Ensure root password is set ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|root P |Password locked)" changed_when: false failed_when: false - register: root_passwd_set + register: prelim_root_passwd_set - name: Ensure root password is set ansible.builtin.assert: - that: root_passwd_set.rc == 0 + that: prelim_root_passwd_set.rc == 0 fail_msg: "You have rule 5.4.2.4 enabled this requires that you have a root password set - Please manually set a root password" success_msg: "You have a root password set" 
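Review bot: The rewritten assertion `that: prelim_ansible_user_password_set.stdout != "!!" and prelim_ansible_user_password_set.stdout | length > 10` does not verify the "account not locked" half of the task name: a password locked with `passwd -l` keeps its full hash behind a leading `!` (e.g. `!$6$...`), which is longer than 10 characters and not equal to `!!`, so the check passes for a locked sudo user and the role proceeds to enable rule 5.2.4 anyway. Test the prefix instead, e.g. `that: prelim_ansible_user_password_set.stdout | length > 10 and prelim_ansible_user_password_set.stdout is not match('^[!*]')`. The enclosing block's `- name:` line starts above this hunk.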
@@ -62,16 +57,14 @@ when: - ubtu24cis_set_boot_pass - ubtu24cis_rule_1_4_1 - tags: - - always + tags: always ansible.builtin.assert: that: ubtu24cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu24cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret msg: "This role will not be able to run single user password commands as ubtu24cis_bootloader_password_hash variable has not been set correctly" - name: Check ubtu24cis_grub_user password variable has been changed when: ubtu24cis_rule_1_4_1 - tags: - - always + tags: always block: - name: Check ubtu24cis_grub_user password variable has been changed | check password is set ansible.builtin.shell: "grep ^{{ ubtu24cis_grub_user }} /etc/shadow | awk -F : '{print $2}'" @@ -88,8 +81,7 @@ msg: "This role will not set the {{ ubtu24cis_grub_user }} user password is not set or ubtu24cis_grub_user_passwd variable has not been set correctly" - name: Check ubtu24cis_grub_user password variable has been changed | if password blank or incorrect type and not being set - when: - - not ubtu24cis_set_grub_user_pass + when: not ubtu24cis_set_grub_user_pass ansible.builtin.assert: that: ( ubtu24cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu24cis_password_set_grub_user.stdout fail_msg: "Grub User {{ ubtu24cis_grub_user }} has no password set or incorrect encryption" @@ -99,9 +91,7 @@ when: - ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - container_discovery - - always + tags: always block: - name: Discover and set container variable if required ansible.builtin.set_fact: 
@@ -112,28 +102,22 @@ file: "{{ container_vars_file }}" - name: Output if discovered is a container - when: - - system_is_container + when: system_is_container ansible.builtin.debug: msg: system has been discovered as a container - name: Gather the package facts before prelim - tags: - - always + tags: always ansible.builtin.package_facts: manager: auto - name: Run prelim tasks - tags: - - prelim_tasks - - run_audit - - always + tags: always ansible.builtin.import_tasks: file: prelim.yml - name: Gather the package facts after prelim - tags: - - always + tags: always ansible.builtin.package_facts: manager: auto @@ -142,8 +126,7 @@ - ubtu24cis_section5 or ubtu24cis_section6 or ubtu24cis_section7 - tags: - - always + tags: always ansible.builtin.import_tasks: file: parse_etc_password.yml @@ -184,8 +167,7 @@ - name: Run auditd logic when: update_audit_template - tags: - - always + tags: always ansible.builtin.import_tasks: file: auditd.yml 
@@ -193,42 +175,33 @@ ansible.builtin.meta: flush_handlers - name: Reboot system - tags: - - always + when: change_requires_reboot + tags: always block: - name: Reboot system if not skipped - when: - - not skip_reboot - - change_requires_reboot + when: not skip_reboot ansible.builtin.reboot: - name: Warning a reboot required but skip option set - when: - - skip_reboot - - change_requires_reboot + when: skip_reboot ansible.builtin.debug: msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" changed_when: true - name: Run post remediation audit - when: - - run_audit - tags: - - run_audit + when: run_audit + tags: run_audit ansible.builtin.import_tasks: file: post_remediation_audit.yml - name: Show Audit Summary - when: - - run_audit - tags: - - run_audit + when: run_audit + tags: run_audit ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" - name: If Warnings found Output count and control IDs affected when: warn_count != 0 - tags: - - always + tags: always ansible.builtin.debug: msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 53ea924..9b8441a 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml 
@@ -5,29 +5,27 @@ - always block: - name: "PRELIM | Parse /etc/passwd | Get /etc/password contents" - ansible.builtin.shell: cat /etc/passwd + ansible.builtin.command: cat /etc/passwd changed_when: false check_mode: false - register: ubtu24cis_passwd_file_audit + register: prelim_passwd_file_audit - name: "PRELIM | Parse /etc/passwd | Split passwd entries" ansible.builtin.set_fact: - ubtu24cis_passwd: "{{ ubtu24cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" - - with_items: "{{ ubtu24cis_passwd_file_audit.stdout_lines }}" + ubtu24cis_passwd: "{{ prelim_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) ld_passwd_yaml: | # pragma: allowlist secret - id: >-4 - \g - password: >-4 - \g - uid: \g - gid: \g - gecos: >-4 - \g - dir: >-4 - \g - shell: >-4 - \g + id: >-4 + \g + password: >-4 + \g + uid: \g + gid: \g + gecos: >-4 + \g + dir: >-4 + \g + shell: >-4 + \g diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 9b06b24..54d5785 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,7 +1,7 @@ --- -- name: Post Audit | Run post_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" +- name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template] + ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" 
@@ -18,26 +18,24 @@ - "{{ pre_audit_outfile }}" - name: Post Audit | Capture audit data if json format - when: - - audit_format == "json" + when: audit_format == "json" block: - name: Post Audit | Capture audit data if json format ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4 - register: post_audit_summary changed_when: false + register: post_audit_summary - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: post_audit_results: "{{ post_audit_summary.stdout }}" - name: Post Audit | Capture audit data if documentation format - when: - - audit_format == "documentation" + when: audit_format == "documentation" block: - name: Post Audit | Capture audit data if documentation format - ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" - register: post_audit_summary + ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' changed_when: false + register: post_audit_summary - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 6f215c3..91cc9b7 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,22 +1,19 @@ --- - name: Pre Audit Setup | Setup the LE audit - when: - - setup_audit - tags: - - setup_audit + when: setup_audit + tags: setup_audit ansible.builtin.include_tasks: file: LE_audit_setup.yml -- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists +- name: Pre Audit Setup | Ensure existence of {{ audit_conf_dir }} # noqa name[template] ansible.builtin.file: path: "{{ audit_conf_dir }}" + mode: 'go-w' state: directory - mode: '0755' - name: Pre Audit Setup | If using git for content set up - when: - - audit_content == 'git' + when: audit_content == 'git' block: - name: Pre Audit Setup | Install git ansible.builtin.package: 
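Review bot: The documentation-format capture in post_remediation_audit.yml now reads `pre_audit_outfile` instead of `post_audit_outfile`, so `post_audit_results` would report the pre-remediation state and the post-remediation summary could never reflect what the run changed; the json branch directly above still uses `post_audit_outfile`. The line looks copied from pre_remediation_audit.yml, where `pre_audit_outfile` is correct. Change it to `ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '`.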
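Review bot: Replacing `mode: '0755'` on `audit_conf_dir` with `mode: 'go-w'` changes the contract: a symbolic `-` mode only subtracts bits, so the resulting permissions depend on the pre-existing mode or the creation umask rather than being asserted, and a pre-existing directory with tighter or odd owner bits is left as is. The same applies to the `go-rwx` on the goss vars template later in this file and to the symbolic replacements in prelim.yml, section_1/cis_1.1.1.x.yml, cis_1.4.x.yml, cis_1.5.x.yml and cis_1.7.x.yml. Where an exact permission set is intended (hardening roles are often audited against exact octal values), prefer the absolute symbolic form, e.g. `mode: 'u=rwx,go=rx'` for the directory and `mode: 'u=rw,go='` for the vars file, or keep the octal string.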
@@ -30,57 +27,51 @@ version: "{{ audit_git_version }}" - name: Pre Audit Setup | Copy to audit content files to server - when: - - audit_content == 'copy' + when: audit_content == 'copy' ansible.builtin.copy: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" mode: preserve - name: Pre Audit Setup | Unarchive audit content files on server - when: - - audit_content == 'archive' + when: audit_content == 'archive' ansible.builtin.unarchive: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" - name: Pre Audit Setup | Get audit content from url - when: - - audit_content == 'get_url' + when: audit_content == 'get_url' ansible.builtin.unarchive: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" - remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" - extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" + remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}" + extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}" - name: Pre Audit Setup | Check Goss is available - when: - - run_audit + when: run_audit block: - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: path: "{{ audit_bin }}" - register: goss_available + register: prelim_goss_available - name: Pre Audit Setup | If audit ensure goss is available - when: - - not goss_available.stat.exists + when: not prelim_goss_available.stat.exists ansible.builtin.assert: msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - name: Pre Audit Setup | Copy ansible default vars values to test audit + when: run_audit tags: - goss_template - run_audit - when: - - run_audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" - mode: '0600' + mode: 'go-rwx' -- name: Pre Audit | Run pre_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ 
audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" +- name: Pre Audit | Run pre_remediation audit {{ benchmark }} # noqa name[template] + ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length] changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" @@ -88,33 +79,30 @@ AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format - when: - - audit_format == "json" + when: audit_format == "json" block: - name: Pre Audit | Capture audit data if json format ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 - register: pre_audit_summary changed_when: false + register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Pre Audit | Capture audit data if documentation format - when: - - audit_format == "documentation" + when: audit_format == "documentation" block: - name: Pre Audit | Capture audit data if documentation format ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' - register: pre_audit_summary changed_when: false + register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Audit_Only | Run Audit Only - when: - - audit_only + when: audit_only ansible.builtin.import_tasks: file: audit_only.yml diff --git a/tasks/prelim.yml b/tasks/prelim.yml index e4b123c..07efa1a 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
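Review bot: `remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}"` wraps a value that is already a boolean; `remote_src: "{{ audit_conf_source is contains('http') }}"` says the same thing. More substantively, the `get_url` branch downloads and unpacks `audit_conf_source` straight into `audit_conf_dest` and the unpacked `run_audit.sh` is later executed as root, with no integrity check on the archive; if that source is not fully trusted, consider fetching with `ansible.builtin.get_url` and its `checksum:` option before the `unarchive`, mirroring how the git branch pins `audit_git_version`. This pre-dates the commit but the lines are rewritten here.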
@@ -7,31 +7,25 @@ changed_when: false - name: "PRELIM | AUDIT | Register if snap being used" + when: ubtu24cis_rule_1_1_1_6 + tags: always ansible.builtin.shell: df -h | grep -wc "/snap" changed_when: false failed_when: prelim_snap_pkg_mgr.rc not in [ 0, 1 ] register: prelim_snap_pkg_mgr - tags: - - rule_1.1.1.2 - - always - when: - - ubtu24cis_rule_1_1_1_6 - name: "PRELIM | AUDIT | Register if squashfs is built into the kernel" + when: ubtu24cis_rule_1_1_1_6 + tags: always ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs" changed_when: false failed_when: prelim_squashfs_builtin.rc not in [ 0, 1 ] register: prelim_squashfs_builtin - tags: - - always - when: - - ubtu24cis_rule_1_1_1_6 - name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points" + tags: always ansible.builtin.set_fact: mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" - tags: - - always - name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type when: @@ -40,14 +34,13 @@ ubtu24cis_rule_1_1_2_1_2 or ubtu24cis_rule_1_1_2_1_3 or ubtu24cis_rule_1_1_2_1_4 - tags: - - always + tags: always block: - name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type - ansible.builtin.shell: systemctl is-enabled tmp.mount - register: prelim_tmp_mnt_type + ansible.builtin.command: systemctl is-enabled tmp.mount # noqa command-instead-of-module changed_when: false failed_when: prelim_tmp_mnt_type.rc not in [ 0, 1 ] + register: prelim_tmp_mnt_type - name: PRELIM | AUDIT | Capture tmp mount type | Set to expected_tmp_mnt variable when: "'generated' in prelim_tmp_mnt_type.stdout" @@ -60,8 +53,7 @@ tmp_mnt_type: tmp_systemd - name: PRELIM | Initialize the mount options variable - tags: - - always + tags: always block: - name: PRELIM | Initializing the var if there is no /tmp mount | set_fact when: "'/tmp' not in mount_names" 
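Review bot: Both the snap check and the squashfs-builtin check are gated on `when: ubtu24cis_rule_1_1_1_6`, while in tasks/section_1/cis_1.1.1.x.yml in this same diff 1.1.1.6 is overlayfs and squashfs is 1.1.1.7. If a user enables 1.1.1.7 without 1.1.1.6, `prelim_snap_pkg_mgr` and `prelim_squashfs_builtin` would presumably be undefined for whichever task consumes them. The gate is carried over from the old code, but since the condition is rewritten here it is worth confirming whether `when: ubtu24cis_rule_1_1_1_7` (or both rules) is intended; the removed `rule_1.1.1.2` tag suggests this mapping has drifted before.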
@@ -99,8 +91,7 @@ when: - ubtu24cis_rule_1_2_1_1 or ubtu24cis_rule_1_2_2_1 - tags: - - always + tags: always ansible.builtin.package: update_cache: true @@ -108,18 +99,16 @@ when: - ubtu24cis_rule_3_1_2 - not system_is_container - tags: - - always + tags: always block: - name: "PRELIM | AUDIT | Discover is wireless adapter on system" - ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless - register: prelim_wireless_adapters + ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless changed_when: false failed_when: prelim_wireless_adapters.rc not in [ 0, 1 ] + register: prelim_wireless_adapters - name: "PRELIM | AUDIT | If wireless adapter present capture module" - when: - - prelim_wireless_adapters.rc == 0 + when: prelim_wireless_adapters.rc == 0 ansible.builtin.shell: | for driverdir in $(find /sys/class/net/*/ -type d -name wireless | xargs -0 dirname); do basename "$(readlink -f "$driverdir"/device/driver/module)"; @@ -128,12 +117,11 @@ failed_when: prelim_wireless_modules.rc not in [ 0, 1 ] register: prelim_wireless_modules -- name: "PRELIM | PATCH | 5.3.4.5 | Find all sudoers files." +- name: "PRELIM | PATCH | Find all sudoers files." when: - ubtu24cis_rule_5_2_4 or ubtu24cis_rule_5_2_5 - tags: - - always + tags: always ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false failed_when: false 
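Review bot: `ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless` will not work as intended: the command module does not go through a shell, so the `*` glob is passed literally, find reports a missing path and exits 1, which `failed_when: rc not in [ 0, 1 ]` then masks. The follow-on task is gated on `prelim_wireless_adapters.rc == 0`, so wireless adapters would never be detected and the wireless-disable rule would silently become a no-op. Either keep the shell module for this one task, `ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless  # noqa command-instead-of-shell`, or drop the glob and let find walk the tree, `ansible.builtin.command: find -L /sys/class/net -mindepth 2 -maxdepth 2 -type d -name wireless`.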
@@ -148,20 +136,17 @@ ubtu24cis_rule_5_3_3_2_4 or ubtu24cis_rule_5_3_3_2_5 or ubtu24cis_rule_5_3_3_2_6 - tags: - - always + tags: always ansible.builtin.file: path: '/etc/security/pwquality.conf.d' state: directory owner: root group: root - mode: '0750' + mode: 'u+x,g-w,o-rwx' - name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" - when: - - not discover_int_uid - tags: - - always + when: not discover_int_uid + tags: always block: - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' 
@@ -185,38 +170,29 @@ min_int_gid: "{{ prelim_gid_min_id.stdout }}" - name: "PRELIM | AUDIT | Interactive Users" - tags: - - always + tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }' changed_when: false register: prelim_interactive_usernames - name: "PRELIM | AUDIT | Interactive User accounts home directories" - tags: - - always + tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $6 }' changed_when: false register: prelim_interactive_users_home - name: "PRELIM | AUDIT | Interactive UIDs" - tags: - - always + tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }' changed_when: false register: prelim_interactive_uids - name: "PRELIM | AUDIT | Gather UID 0 accounts other than root" - when: - - ubtu24cis_rule_5_4_2_1 - tags: - - rule_5.4.2.1 - - level1-server - - level1-workstation - - users - - always + when: ubtu24cis_rule_5_4_2_1 + tags: always ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" changed_when: false check_mode: false @@ -227,14 +203,13 @@ - ubtu24cis_rule_6_1_2_2 or ubtu24cis_rule_6_1_2_3 or ubtu24cis_rule_6_1_2_4 - tags: - - always + tags: always ansible.builtin.file: path: /etc/systemd/journald.conf.d state: directory owner: root group: root - mode: '0755' + mode: 'u+x,go-w' - name: "PRELIM | PATCH | Ensure auditd is installed" when: 
@@ -242,17 +217,9 @@ ubtu24cis_rule_6_2_4_1 or ubtu24cis_rule_6_2_4_6 or ubtu24cis_rule_6_2_4_8 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - always + tags: always block: - name: "PRELIM | PATCH | Ensure auditd is installed" - when: - - "'auditd' not in ansible_facts.packages or - 'auditd-plugins' not in ansible_facts.packages" ansible.builtin.package: name: ['auditd', 'audispd-plugins'] state: present @@ -267,8 +234,7 @@ - name: "PRELIM | AUDIT | Check if auditd is immutable before changes" when: "'auditd' in ansible_facts.packages" - tags: - - always + tags: always ansible.builtin.shell: auditctl -l | grep -c '-e 2' changed_when: false failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ] @@ -280,15 +246,7 @@ ubtu24cis_rule_6_2_4_2 or ubtu24cis_rule_6_2_4_3 or ubtu24cis_rule_6_2_4_4 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_6.3.4.1 - - rule_6.3.4.2 - - rule_6.3.4.3 - - rule_6.3.4.4 + tags: always ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'" changed_when: false failed_when: prelim_auditd_logfile.rc not in [ 0, 1 ] @@ -298,8 +256,7 @@ when: - ubtu24cis_rule_7_2_9 - "'acl' not in ansible_facts.packages" - tags: - - always + tags: always ansible.builtin.package: name: acl state: present @@ -310,10 +267,9 @@ when: - ubtu24cis_firewall_package == "ufw" - ubtu24cis_ufw_use_sysctl - tags: - - always + tags: always ansible.builtin.lineinfile: path: /etc/default/ufw regexp: ^IPT_SYSCTL=.* line: IPT_SYSCTL=/etc/sysctl.conf - mode: '0644' + mode: 'u-x,go-wx' diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 448e1e9..a46379a 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml 
@@ -18,7 +18,7 @@ regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -26,7 +26,7 @@ regexp: "^(#)?blacklist cramfs(\\s|$)" line: "blacklist cramfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs" when: @@ -53,7 +53,7 @@ regexp: "^(#)?install freevxfs(\\s|$)" line: "install freevxfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -61,7 +61,7 @@ regexp: "^(#)?blacklist freevxfs(\\s|$)" line: "blacklist freevxfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Disable freevxfs" when: @@ -88,7 +88,7 @@ regexp: "^(#)?install hfs(\\s|$)" line: "install hfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -96,7 +96,7 @@ regexp: "^(#)?blacklist hfs(\\s|$)" line: "blacklist hfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable hfs" when: @@ -123,7 +123,7 @@ regexp: "^(#)?install hfsplus(\\s|$)" line: "install hfsplus /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -131,7 +131,7 @@ regexp: "^(#)?blacklist hfsplus(\\s|$)" line: "blacklist hfsplus" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Disable hfsplus" when: 
@@ -158,7 +158,7 @@ regexp: "^(#)?install jffs2(\\s|$)" line: "install jffs2 /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -166,7 +166,7 @@ regexp: "^(#)?blacklist jffs2(\\s|$)" line: "blacklist jffs2" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Disable jffs2" when: @@ -193,7 +193,7 @@ regexp: "^(#)?install overlayfs(\\s|$)" line: "install overlayfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.6 | PATCH | Ensure overlayfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -201,7 +201,7 @@ regexp: "^(#)?blacklist overlayfs(\\s|$)" line: "blacklist overlayfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.6 | PATCH | Ensure overlayfs kernel module is not available | Disable overlayfs" when: @@ -230,7 +230,7 @@ regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.7 | PATCH | Ensure squashfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -238,7 +238,7 @@ regexp: "^(#)?blacklist squashfs(\\s|$)" line: "blacklist squashfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.7 | PATCH | Ensure squashfs kernel module is not available | Disable squashfs" when: @@ -265,7 +265,7 @@ regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.8 | PATCH | Ensure udf kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -273,7 +273,7 @@ regexp: "^(#)?blacklist udf(\\s|$)" line: "blacklist udf" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.8 | PATCH | Ensure udf kernel module is not available | Disable udf" when: 
@@ -300,7 +300,7 @@ regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.9 | PATCH | Ensure usb-storage kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -308,7 +308,7 @@ regexp: "^(#)?blacklist usb-storage(\\s|$)" line: "blacklist usb-storage" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.9 | PATCH | Ensure usb-storage kernel module is not available | Disable usb" when: @@ -335,10 +335,10 @@ dest: /var/fs_with_cves.sh owner: root group: root - mode: '0744' + mode: 'u+x,go-wx' - name: "1.1.1.10 | AUDIT | Ensure unused filesystems kernel modules are not available | Run discovery script" - ansible.builtin.shell: /var/fs_with_cves.sh + ansible.builtin.command: /var/fs_with_cves.sh changed_when: false failed_when: discovered_fs_modules_loaded.rc not in [ 0, 99 ] register: discovered_fs_modules_loaded @@ -348,7 +348,7 @@ ansible.builtin.debug: msg: | "Warning!! Discovered loaded Filesystem modules that need attention. This is a manual task - {{ discovered_fs_modules_loaded.stdout_lines}}" + {{ discovered_fs_modules_loaded.stdout_lines }}" - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Capture Warning" when: discovered_fs_modules_loaded.stdout | length > 0 diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index f43690d..fa2671d 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -39,7 +39,7 @@ vars: required_mount: '/tmp' ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nodev' ] }}" + tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['nodev'] }}" changed_when: true notify: Writing and remounting tmp 
@@ -59,7 +59,7 @@ vars: required_mount: '/tmp' ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nosuid' ] }}" + tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['nosuid'] }}" changed_when: true notify: Writing and remounting tmp @@ -79,6 +79,6 @@ vars: required_mount: '/tmp' ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'noexec' ] }}" + tmp_partition_mount_options: "{{ tmp_partition_mount_options + ['noexec'] }}" changed_when: true notify: Writing and remounting tmp diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index 0a66566..12969dc 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -15,7 +15,7 @@ required_mount: '/dev/shm' block: - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check for mount" - ansible.builtin.shell: findmnt -kn "{{ required_mount }}" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" changed_when: false failed_when: discovered_shm_mount.rc not in [ 0, 1 ] register: discovered_shm_mount diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml index 6805f18..4283f75 100644 --- a/tasks/section_1/cis_1.2.1.x.yml +++ b/tasks/section_1/cis_1.2.1.x.yml @@ -15,11 +15,11 @@ warn_control_id: '1.2.1.1' block: - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys" - ansible.builtin.shell: apt-key list + ansible.builtin.command: apt-key list changed_when: false failed_when: false check_mode: false - register: ubtu24cis_1_2_1_1_apt_gpgkeys + register: discovered_apt_gpgkeys - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" ansible.builtin.debug: 
@@ -27,7 +27,7 @@ - "Warning!! Below are the apt gpg keys configured" - "Please review to make sure they are configured" - "in accordance with site policy" - - "{{ ubtu24cis_1_2_1_1_apt_gpgkeys.stdout_lines }}" + - "{{ discovered_apt_gpgkeys.stdout_lines }}" - name: "1.2.1.1 | WARN | Ensure GPG keys are configured | warn_count" ansible.builtin.import_tasks: @@ -47,18 +47,18 @@ warn_control_id: '1.2.1.2' block: - name: "1.2.1.2 | AUDIT | Ensure package manager repositories are configured | Get repositories" - ansible.builtin.shell: apt-cache policy + ansible.builtin.command: apt-cache policy changed_when: false failed_when: false check_mode: false - register: ubtu24cis_1_2_1_2_apt_policy + register: discovered_apt_policy - name: "1.2.1.2 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" ansible.builtin.debug: msg: - "Warning!! Below are the apt package repositories" - "Please review to make sure they conform to your sites policies" - - "{{ ubtu24cis_1_2_1_2_apt_policy.stdout_lines }}" + - "{{ discovered_apt_policy.stdout_lines }}" - name: "1.2.1.2 | WARN | Ensure package manager repositories are configured | warn_count" ansible.builtin.import_tasks: diff --git a/tasks/section_1/cis_1.2.2.x.yml b/tasks/section_1/cis_1.2.2.x.yml index 984534c..cdf842c 100644 --- a/tasks/section_1/cis_1.2.2.x.yml +++ b/tasks/section_1/cis_1.2.2.x.yml @@ -1,8 +1,7 @@ --- - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed" - when: - - ubtu24cis_rule_1_2_2_1 + when: ubtu24cis_rule_1_2_2_1 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.3.1.x.yml b/tasks/section_1/cis_1.3.1.x.yml index 578304d..4419739 100644 --- a/tasks/section_1/cis_1.3.1.x.yml +++ b/tasks/section_1/cis_1.3.1.x.yml 
@@ -17,8 +17,7 @@ state: present - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration" - when: - - ubtu24cis_rule_1_3_1_2 + when: ubtu24cis_rule_1_3_1_2 tags: - level1-server - level1-workstation @@ -32,10 +31,10 @@ changed_when: false failed_when: false check_mode: false - register: ubtu24cis_1_3_1_2_cmdline_settings + register: discovered_grub_cmdline_settings - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" - when: ubtu24cis_1_3_1_2_cmdline_settings.stdout is not search('apparmor=') + when: discovered_grub_cmdline_settings.stdout is not search('apparmor=') ansible.builtin.lineinfile: path: /etc/default/grub regexp: ^(GRUB_CMDLINE_LINUX=")(|apparmor=\d\s)(.*\w+") @@ -44,7 +43,7 @@ notify: Grub update - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set security settings if none exist" - when: ubtu24cis_1_3_1_2_cmdline_settings.stdout is not search('security=') + when: discovered_grub_cmdline_settings.stdout is not search('security=') ansible.builtin.lineinfile: path: /etc/default/grub regexp: ^(GRUB_CMDLINE_LINUX=")(|security=\w+\s)(.*\w+") 
@@ -54,19 +53,19 @@ - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" when: - - "'apparmor' not in ubtu24cis_1_3_1_2_cmdline_settings.stdout" - - "'security' not in ubtu24cis_1_3_1_2_cmdline_settings.stdout" + - "'apparmor' not in discovered_grub_cmdline_settings.stdout" + - "'security' not in discovered_grub_cmdline_settings.stdout" ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ ubtu24cis_1_3_1_2_cmdline_settings.stdout }}"' + line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ discovered_grub_cmdline_settings.stdout }}"' insertafter: '^GRUB_' notify: Grub update - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Replace apparmor settings when exists" when: - - "'apparmor' in ubtu24cis_1_3_1_2_cmdline_settings.stdout or - 'security' in ubtu24cis_1_3_1_2_cmdline_settings.stdout" + - "'apparmor' in discovered_grub_cmdline_settings.stdout or + 'security' in discovered_grub_cmdline_settings.stdout" ansible.builtin.replace: path: /etc/default/grub regexp: "{{ item.regexp }}" @@ -100,10 +99,10 @@ changed_when: false - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get pre apply enforce count" - ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 + ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 changed_when: false failed_when: false - register: ubtu24cis_1_3_1_4_pre_count + register: discovered_apparmor_profilepre_count - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Apply enforcing to /etc/apparmor.d profiles" ansible.builtin.shell: aa-enforce /etc/apparmor.d/* 
@@ -111,13 +110,13 @@ failed_when: false - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get post apply enforce count" - ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 + ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 changed_when: false failed_when: false - register: ubtu24cis_1_3_1_4_post_count + register: discovered_apparmor_profilepost_count - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | This flags for idempotency" - when: ubtu24cis_1_3_1_4_pre_count.stdout != ubtu24cis_1_3_1_4_post_count.stdout + when: discovered_apparmor_profilepre_count.stdout != discovered_apparmor_profilepost_count.stdout ansible.builtin.debug: msg: Changed! The profiles in /etc/apparmor.d were set to enforcing changed_when: true 
@@ -150,24 +149,24 @@ changed_when: false - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get pre apply enforce count" - ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu24cis_apparmor_mode}} mode" | tr -d -c 0-9 + ansible.builtin.shell: apparmor_status | grep "profiles are in {{ ubtu24cis_apparmor_mode }} mode" | tr -d -c 0-9 changed_when: false failed_when: false - register: ubtu24cis_1_3_1_3_pre_count + register: discovered_apparmor_profile_pre_count - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Apply complaining/enforcing to /etc/apparmor.d profiles" - ansible.builtin.shell: aa-{{ubtu24cis_apparmor_mode}} /etc/apparmor.d/* + ansible.builtin.shell: aa-{{ ubtu24cis_apparmor_mode }} /etc/apparmor.d/* changed_when: false failed_when: false - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get post apply enforce count" - ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu24cis_apparmor_mode}} mode" | tr -d -c 0-9 + ansible.builtin.shell: apparmor_status | grep "profiles are in {{ ubtu24cis_apparmor_mode }} mode" | tr -d -c 0-9 changed_when: false failed_when: false - register: ubtu24cis_1_3_1_3_post_count + register: discovered_apparmor_profile_post_count - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | This flags for idempotency" - when: ubtu24cis_1_3_1_3_pre_count.stdout != ubtu24cis_1_3_1_3_post_count.stdout + when: discovered_apparmor_profile_pre_count.stdout != discovered_apparmor_profile_post_count.stdout ansible.builtin.debug: - msg: Changed! The profiles in /etc/apparmor.d were set to {{ubtu24cis_apparmor_mode}} mode + msg: Changed! The profiles in /etc/apparmor.d were set to {{ ubtu24cis_apparmor_mode }} mode changed_when: true diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 92311a2..4327503 100644 
--- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -18,7 +18,7 @@ dest: "{{ ubtu24cis_grub_user_file }}" owner: root group: root - mode: '0755' + mode: 'go-w' notify: Grub update - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot" @@ -31,8 +31,7 @@ notify: Grub update - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured" - when: - - ubtu24cis_rule_1_4_2 + when: ubtu24cis_rule_1_4_2 tags: - level1-server - level1-workstation @@ -45,11 +44,10 @@ ansible.builtin.stat: path: "{{ ubtu24cis_grub_file }}" check_mode: false - register: ubtu24cis_1_4_2_grub_cfg_status + register: discovered_grub_cfg_file - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | Set permissions" - when: - - ubtu24cis_1_4_2_grub_cfg_status.stat.exists + when: discovered_grub_cfg_file.stat.exists ansible.builtin.file: path: "{{ ubtu24cis_grub_file }}" owner: root diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 9d1a965..41192ae 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -1,8 +1,7 @@ --- - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" - when: - - ubtu24cis_rule_1_5_1 + when: ubtu24cis_rule_1_5_1 tags: - level1-server - level1-workstation @@ -20,8 +19,7 @@ ignoreerrors: true - name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted" - when: - - ubtu24cis_rule_1_5_2 + when: ubtu24cis_rule_1_5_2 tags: - level1-server - level1-workstation @@ -39,8 +37,7 @@ ignoreerrors: true - name: "1.5.3 | PATCH | Ensure core dumps are restricted" - when: - - ubtu24cis_rule_1_5_3 + when: ubtu24cis_rule_1_5_3 tags: - level1-server - level1-workstation @@ -67,7 +64,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'go-r' - name: "1.5.3 | PATCH | Ensure core dumps are restricted | sysctl.conf" ansible.builtin.lineinfile: 
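Review bot: `mode: 'go-w'` in place of `'0755'` on `ubtu24cis_grub_user_file` drops the execute bit on a freshly templated file (created at umask default, typically 0644, with only write bits removed). If that file lives under /etc/grub.d, as the `Grub update` notify suggests, grub-mkconfig only runs scripts that are executable, so the bootloader password configuration could be written but never make it into grub.cfg. Use an absolute form such as `mode: 'u=rwx,go=rx'` or keep `mode: '0755'`; the template task's name is outside this hunk.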
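Review bot: `mode: 'go-r'` is not the equivalent of the `'0644'` it replaces: on a file created at 0644 it yields 0600, whereas the equivalent form used elsewhere in this commit for 0644 files (cis_1.6.x.yml, the ufw task in prelim.yml) is `'u-x,go-wx'`. The same substitution appears in the three cis_1.5.x.yml hunks that follow. If tightening these config files to owner-only is the intent, a short comment above the task would make that explicit; otherwise use `mode: 'u-x,go-wx'` for consistency.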
@@ -76,7 +73,7 @@ line: fs.suid_dumpable=0 owner: root group: root - mode: '0644' + mode: 'go-r' notify: Reload systemctl - name: "1.5.3 | PATCH | Ensure core dumps are restricted | coredump.conf" @@ -87,7 +84,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'go-r' loop: - { regexp: '^Storage', line: 'Storage=none' } - { regexp: '^ProcessSizeMax', line: 'ProcessSizeMax=0' } @@ -107,7 +104,7 @@ - prelink block: - name: "1.5.4 | PATCH | Ensure prelink is not installed | Restore binaries to normal" - ansible.builtin.shell: prelink -ua + ansible.builtin.command: prelink -ua changed_when: false failed_when: false @@ -118,8 +115,7 @@ purge: "{{ ubtu24cis_purge_apt }}" - name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled" - when: - - ubtu24cis_rule_1_5_5 + when: ubtu24cis_rule_1_5_5 tags: - level1-server - level1-workstation @@ -136,7 +132,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'go-r' - name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled | remove package" when: diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index e0be92e..5c79f1e 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -1,8 +1,7 @@ --- - name: "1.6.1 | PATCH | Ensure message of the day is configured properly" - when: - - ubtu24cis_rule_1_6_1 + when: ubtu24cis_rule_1_6_1 tags: - level1-server - level1-workstation @@ -17,6 +16,7 @@ ansible.builtin.template: src: etc/motd.j2 dest: /etc/motd + mode: 'u-x,go-wx' - name: "1.6.1 | PATCH | Ensure message of the day is configured properly | disable dynamic_motd" when: ubtu24cis_disable_dynamic_motd @@ -31,8 +31,7 @@ - { regexp: '# Pam_motd.so disabled for CIS benchmark', line: '# Pam_motd.so disabled for CIS benchmark' } - name: "1.6.2 | PATCH | Ensure local login warning banner is configured properly" - when: - - ubtu24cis_rule_1_6_2 + when: ubtu24cis_rule_1_6_2 tags: - level1-server - level1-workstation 
@@ -47,14 +46,14 @@ ansible.builtin.template: src: etc/issue.j2 dest: /etc/issue + mode: 'u-x,go-wx' - name: "1.6.2 | PATCH | Ensure local login warning banner is kept on package upgrade | issue" community.general.dpkg_divert: path: /etc/issue - name: "1.6.3 | PATCH | Ensure remote login warning banner is configured properly" - when: - - ubtu24cis_rule_1_6_3 + when: ubtu24cis_rule_1_6_3 tags: - level1-server - level1-workstation @@ -69,14 +68,14 @@ ansible.builtin.template: src: etc/issue.net.j2 dest: /etc/issue.net + mode: 'u-x,go-wx' - name: "1.6.3 | PATCH | Ensure remote login warning banner is kept on package upgrade | issue.net" community.general.dpkg_divert: path: /etc/issue.net - name: "1.6.4 | PATCH | Ensure permissions on /etc/motd are configured" - when: - - ubtu24cis_rule_1_6_4 + when: ubtu24cis_rule_1_6_4 tags: - level1-server - level1-workstation @@ -93,8 +92,7 @@ mode: 'u-x,go-wx' - name: "1.6.5 | PATCH | Ensure permissions on /etc/issue are configured" - when: - - ubtu24cis_rule_1_6_5 + when: ubtu24cis_rule_1_6_5 tags: - level1-server - level1-workstation @@ -111,8 +109,7 @@ mode: 'u-x,go-wx' - name: "1.6.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - when: - - ubtu24cis_rule_1_6_6 + when: ubtu24cis_rule_1_6_6 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index f876ab7..de2aa7d 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -1,9 +1,6 @@ --- - name: "1.7.1 | PATCH | Ensure GNOME Display Manager is removed" - ansible.builtin.package: - name: gdm3 - state: absent when: - ubtu24cis_rule_1_7_1 - not ubtu24cis_desktop_required @@ -15,6 +12,9 @@ - rule_1.7.1 - NIST800-53R5_CM-11 - gnome + ansible.builtin.package: + name: gdm3 + state: absent - name: "1.7.2 | PATCH | Ensure GDM login banner is configured" when: 
@@ -31,13 +31,14 @@ - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - gnome + notify: Update dconf block: - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | make directory" ansible.builtin.file: path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d" owner: root group: root - mode: '0755' + mode: 'u+x,go-w' state: directory - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | banner settings" @@ -49,12 +50,11 @@ create: true owner: root group: root - mode: '0644' - loop: - - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } - - { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'} - - { regexp: 'banner-message-text', line: "banner-message-text='{{ ubtu24cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: 'banner-message-enable' } - notify: Update dconf + mode: 'u-x,go-wx' + loop: + - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } + - { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'} + - { regexp: 'banner-message-text', line: "banner-message-text='{{ ubtu24cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: 'banner-message-enable' } - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled" when: @@ -71,13 +71,14 @@ - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - gnome + notify: Update dconf block: - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | make directories" ansible.builtin.file: path: "{{ item }}" owner: root group: root - mode: '0755' + mode: 'u+x,go-w' state: directory loop: - /etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d 
@@ -92,7 +93,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' loop: - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } - { regexp: 'disable-user-list', line: 'disable-user-list=true', insertafter: '\[org\/gnome\/login-screen\]'} @@ -106,12 +107,11 @@ create: true owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' loop: - { regexp: '^user-db:user', line: 'user-db:user', insertafter: EOF } - { regexp: '^system-db:{{ ubtu24cis_dconf_db_name }}', line: 'system-db:{{ ubtu24cis_dconf_db_name }}', insertafter: 'user-db:user'} - { regexp: '^file-db:/usr/share/gdm/greeter-dconf-defaults', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults', insertafter: 'system-db:{{ ubtu24cis_dconf_db_name }}'} - notify: Update dconf - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle" when: @@ -132,6 +132,7 @@ line: "{{ item.line }}" insertafter: "{{ item.after | default(omit) }}" create: true + mode: 'u-x,go-wx' loop: - { regexp: 'user-db:user', line: 'user-db:user' } - { regexp: 'system-db:{{ ubtu24cis_dconf_db_name }}', line: 'system-db:{{ ubtu24cis_dconf_db_name }}', after: '^user-db.*' } @@ -141,7 +142,7 @@ path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d" owner: root group: root - mode: '0755' + mode: 'u+x,go-w' state: directory notify: Update dconf @@ -151,7 +152,7 @@ dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/00-screensaver" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden" @@ -171,7 +172,7 @@ path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks" owner: root group: root - mode: '0755' + mode: 'u+x,go-w' state: directory notify: Update dconf 
@@ -181,7 +182,7 @@ dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks/00-screensaver" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled" @@ -205,7 +206,7 @@ path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d" owner: root group: root - mode: '0755' + mode: 'u+x,go-w' state: directory notify: Update dconf @@ -215,7 +216,7 @@ dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/00-media-automount" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden" @@ -239,7 +240,7 @@ path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks" owner: root group: root - mode: '0755' + mode: 'u+x,go-w' state: directory notify: Update dconf @@ -249,7 +250,7 @@ dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks/00-automount_lock" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled" @@ -273,7 +274,7 @@ path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d" owner: root group: root - mode: '0755' + mode: 'u+x,go-w' state: directory notify: Update dconf @@ -283,7 +284,7 @@ dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/00-media-autorun" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden" @@ -307,7 +308,7 @@ path: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks" owner: root group: root - mode: '0755' + mode: 'u+x,go-w' state: directory notify: Update dconf @@ -317,7 +318,7 @@ dest: "/etc/dconf/db/{{ ubtu24cis_dconf_db_name }}.d/locks/00-autorun_lock" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.10 | PATCH | Ensure XDCMP is not enabled" 
diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index b6a710f..19cacd2 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -33,8 +33,7 @@ masked: true - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use" - when: - - ubtu24cis_rule_2_1_2 + when: ubtu24cis_rule_2_1_2 tags: - level1-server - level2-workstation @@ -70,8 +69,7 @@ - avahi-daemon.service - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use" - when: - - ubtu24cis_rule_2_1_3 + when: ubtu24cis_rule_2_1_3 tags: - level1-server - level1-workstation @@ -105,8 +103,7 @@ - isc-dhcp-server6.service - name: "2.1.4 | PATCH | Ensure dns server services are not in use" - when: - - ubtu24cis_rule_2_1_4 + when: ubtu24cis_rule_2_1_4 tags: - level1-server - level1-workstation @@ -137,8 +134,7 @@ masked: true - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use" - when: - - ubtu24cis_rule_2_1_5 + when: ubtu24cis_rule_2_1_5 tags: - level1-server - level1-workstation @@ -169,8 +165,7 @@ masked: true - name: "2.1.6 | PATCH | Ensure ftp server services are not in use" - when: - - ubtu24cis_rule_2_1_6 + when: ubtu24cis_rule_2_1_6 tags: - level1-server - level1-workstation @@ -202,8 +197,7 @@ masked: true - name: "2.1.7 | PATCH | Ensure ldap server services are not in use" - when: - - ubtu24cis_rule_2_1_7 + when: ubtu24cis_rule_2_1_7 tags: - level1-server - level1-workstation @@ -234,8 +228,7 @@ masked: true - name: "2.1.8 | PATCH | Ensure message access server services are not in use" - when: - - ubtu24cis_rule_2_1_8 + when: ubtu24cis_rule_2_1_8 tags: - level1-server - level1-workstation @@ -273,8 +266,7 @@ - "dovecot.service" - name: "2.1.9 | PATCH | Ensure network file system services are not in use" - when: - - ubtu24cis_rule_2_1_9 + when: ubtu24cis_rule_2_1_9 tags: - level1-server - level1-workstation 
@@ -307,8 +299,7 @@ masked: true - name: "2.1.10 | PATCH | Ensure nis server services are not in use" - when: - - ubtu24cis_rule_2_1_10 + when: ubtu24cis_rule_2_1_10 tags: - level1-server - level1-workstation @@ -339,8 +330,7 @@ masked: true - name: "2.1.11 | PATCH | Ensure print server services are not in use" - when: - - ubtu24cis_rule_2_1_11 + when: ubtu24cis_rule_2_1_11 tags: - level1-server - patch @@ -373,8 +363,7 @@ - "cups.service" - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use" - when: - - ubtu24cis_rule_2_1_12 + when: ubtu24cis_rule_2_1_12 tags: - level1-server - level1-workstation @@ -409,8 +398,7 @@ - rpcbind.socket - name: "2.1.13 | PATCH | Ensure rsync services are not in use" - when: - - ubtu24cis_rule_2_1_13 + when: ubtu24cis_rule_2_1_13 tags: - level1-server - level1-workstation @@ -441,8 +429,7 @@ masked: true - name: "2.1.14 | PATCH | Ensure samba file server services are not in use" - when: - - ubtu24cis_rule_2_1_14 + when: ubtu24cis_rule_2_1_14 tags: - level1-server - level1-workstation @@ -474,8 +461,7 @@ masked: true - name: "2.1.15 | PATCH | Ensure snmp services are not in use" - when: - - ubtu24cis_rule_2_1_15 + when: ubtu24cis_rule_2_1_15 tags: - level1-server - level1-workstation @@ -507,8 +493,7 @@ masked: true - name: "2.1.16 | PATCH | Ensure tftp server services are not in use" - when: - - ubtu24cis_rule_2_1_16 + when: ubtu24cis_rule_2_1_16 tags: - level1-server - level1-workstation @@ -539,8 +524,7 @@ masked: true - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use" - when: - - ubtu24cis_rule_2_1_17 + when: ubtu24cis_rule_2_1_17 tags: - level1-server - level1-workstation @@ -571,8 +555,7 @@ masked: true - name: "2.1.18 | PATCH | Ensure web server services are not in use" - when: - - ubtu24cis_rule_2_1_18 + when: ubtu24cis_rule_2_1_18 tags: - level1-server - level1-workstation 
@@ -610,7 +593,7 @@ - "'apache2' in ansible_facts.packages" notify: Systemd_daemon_reload ansible.builtin.systemd: - name: + name: "{{ item }}" enabled: false state: stopped masked: true @@ -631,8 +614,7 @@ masked: true - name: "2.1.19 | PATCH | Ensure xinetd services are not in use" - when: - - ubtu24cis_rule_2_1_19 + when: ubtu24cis_rule_2_1_19 tags: - level1-server - level1-workstation 
@@ -694,23 +676,23 @@ block: - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if exim4 installed" when: "'exim4' in ansible_facts.packages" - notify: Restart exim4 ansible.builtin.lineinfile: path: /etc/exim4/update-exim4.conf.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - with_items: - - { regexp: '^dc_eximconfig_configtype', line: "dc_eximconfig_configtype='local'" } - - { regexp: '^dc_local_interfaces', line: "dc_local_interfaces='127.0.0.1 ; ::1'" } - - { regexp: '^dc_readhost', line: "dc_readhost=''" } - - { regexp: '^dc_relay_domains', line: "dc_relay_domains=''" } - - { regexp: '^dc_minimaldns', line: "dc_minimaldns='false'" } - - { regexp: '^dc_relay_nets', line: "dc_relay_nets=''" } - - { regexp: '^dc_smarthost', line: "dc_smarthost=''" } - - { regexp: '^dc_use_split_config', line: "dc_use_split_config='false'" } - - { regexp: '^dc_hide_mailname', line: "dc_hide_mailname=''" } - - { regexp: '^dc_mailname_in_oh', line: "dc_mailname_in_oh='true'" } - - { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" } + loop: + - { regexp: '^dc_eximconfig_configtype', line: "dc_eximconfig_configtype='local'" } + - { regexp: '^dc_local_interfaces', line: "dc_local_interfaces='127.0.0.1 ; ::1'" } + - { regexp: '^dc_readhost', line: "dc_readhost=''" } + - { regexp: '^dc_relay_domains', line: "dc_relay_domains=''" } + - { regexp: '^dc_minimaldns', line: "dc_minimaldns='false'" } + - { regexp: '^dc_relay_nets', line: "dc_relay_nets=''" } + - { regexp: '^dc_smarthost', line: "dc_smarthost=''" } + - { regexp: '^dc_use_split_config', line: "dc_use_split_config='false'" } + - { regexp: '^dc_hide_mailname', line: "dc_hide_mailname=''" } + - { regexp: '^dc_mailname_in_oh', line: "dc_mailname_in_oh='true'" } + - { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" } + notify: Restart exim4 - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make 
changes if postfix is installed" when: "'postfix' in ansible_facts.packages" @@ -737,8 +719,7 @@ file: warning_facts.yml - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface" - when: - - ubtu24cis_rule_2_1_22 + when: ubtu24cis_rule_2_1_22 tags: - level1-server - level1-workstation @@ -750,18 +731,18 @@ warn_control_id: '2.1.22' block: - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services" - ansible.builtin.shell: systemctl list-units --type=service + ansible.builtin.command: systemctl list-units --type=service # noqa command-instead-of-module changed_when: false - failed_when: ubtu24cis_2_1_22_services.rc not in [ 0, 1 ] + failed_when: discovered_listening_services.rc not in [ 0, 1 ] check_mode: false - register: ubtu24cis_2_1_22_services + register: discovered_listening_services - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Display list of services" ansible.builtin.debug: msg: - "Warning!! Below are the list of services, both active and inactive" - "Please review to make sure all are essential" - - "{{ ubtu24cis_2_1_22_services.stdout_lines }}" + - "{{ discovered_listening_services.stdout_lines }}" - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Warn Count" ansible.builtin.import_tasks: diff --git a/tasks/section_2/cis_2.3.1.x.yml b/tasks/section_2/cis_2.3.1.x.yml index f1f3874..2037c96 100644 --- a/tasks/section_2/cis_2.3.1.x.yml +++ b/tasks/section_2/cis_2.3.1.x.yml @@ -1,8 +1,7 @@ --- - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use" - when: - - ubtu24cis_rule_2_3_1_1 + when: ubtu24cis_rule_2_3_1_1 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.3.2.x.yml b/tasks/section_2/cis_2.3.2.x.yml index 98a339b..5dcc083 100644 --- a/tasks/section_2/cis_2.3.2.x.yml +++ b/tasks/section_2/cis_2.3.2.x.yml 
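Review bot: The new register name `discovered_listening_services` claims the result is a list of listening services, but `systemctl list-units --type=service` reports unit state, not sockets, and the debug text itself admits the output covers active and inactive services alike; the control title is about services listening on a network interface, so the data shown to the reviewer does not answer the question the control asks. `ansible.builtin.command: ss -plntu` (keeping the `rc not in [ 0, 1 ]` guard and `check_mode: false`) would list the actual listeners and make the register name accurate. The `Warn Count` import that closes this block is cut off at the end of the hunk.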
@@ -1,8 +1,7 @@ --- - name: "2.3.2.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver" - when: - - ubtu24cis_rule_2_3_2_1 + when: ubtu24cis_rule_2_3_2_1 tags: - level1-server - level1-workstation @@ -17,14 +16,14 @@ path: /etc/systemd/timesyncd.conf.d owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "2.3.2.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver | sources" ansible.builtin.template: src: "{{ item }}.j2" dest: "/{{ item }}" - mode: '0644' + mode: 'go-r' owner: root group: root loop: @@ -32,8 +31,7 @@ notify: Restart timeservice - name: "2.3.2.2 | PATCH | Ensure systemd-timesyncd is enabled and running" - when: - - ubtu24cis_rule_2_3_2_2 + when: ubtu24cis_rule_2_3_2_2 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.3.3.x.yml b/tasks/section_2/cis_2.3.3.x.yml index 5e9e9f0..68af2fc 100644 --- a/tasks/section_2/cis_2.3.3.x.yml +++ b/tasks/section_2/cis_2.3.3.x.yml @@ -1,8 +1,7 @@ --- - name: "2.3.3.1 | PATCH | Ensure chrony is configured with authorized timeserver" - when: - - ubtu24cis_rule_2_3_3_1 + when: ubtu24cis_rule_2_3_3_1 tags: - level1-server - level1-workstation @@ -16,7 +15,7 @@ ansible.builtin.template: src: "{{ item }}.j2" dest: "/{{ item }}" - mode: '0644' + mode: 'go-r' owner: root group: root loop: @@ -32,8 +31,7 @@ notify: Restart timeservice - name: "2.3.3.2 | PATCH | Ensure chrony is running as user _chrony" - when: - - ubtu24cis_rule_2_3_3_2 + when: ubtu24cis_rule_2_3_3_2 tags: - level1-server - level1-workstation @@ -47,8 +45,7 @@ line: 'user _chrony' - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running" - when: - - ubtu24cis_rule_2_3_3_3 + when: ubtu24cis_rule_2_3_3_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.4.1.x.yml b/tasks/section_2/cis_2.4.1.x.yml index 19342cb..a81990b 100644 --- a/tasks/section_2/cis_2.4.1.x.yml +++ b/tasks/section_2/cis_2.4.1.x.yml 
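Review bot: `mode: 'go-r'` on the chrony templates (and on the timesyncd drop-ins in the previous file) strips group/other read, so a freshly rendered file ends up 0600 instead of the 0644 the old literal set, while the rest of this commit converts 0644 to `'u-x,go-wx'`; this looks like a slip for `'go-w'`. It matters here because rule 2.3.3.2 runs chronyd as `_chrony`: chrony.conf is parsed as root at start-up, but files under a `sourcedir` (such as sources.d) are re-read as `_chrony` on `chronyc reload sources` and would then be unreadable — I cannot see the `loop` items to confirm which templates are affected. Suggest `mode: 'u-x,go-wx'` unless 0600 is deliberate, in which case a comment on the task should say why.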
@@ -1,8 +1,7 @@ --- - name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and running" - when: - - ubtu24cis_rule_2_4_1_1 + when: ubtu24cis_rule_2_4_1_1 tags: - level1-server - level1-workstation @@ -20,8 +19,7 @@ enabled: true - name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" - when: - - ubtu24cis_rule_2_4_1_2 + when: ubtu24cis_rule_2_4_1_2 tags: - level1-server - level1-workstation @@ -34,11 +32,10 @@ path: /etc/crontab owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" - when: - - ubtu24cis_rule_2_4_1_3 + when: ubtu24cis_rule_2_4_1_3 tags: - level1-server - level1-workstation @@ -51,12 +48,11 @@ path: /etc/cron.hourly owner: root group: root - mode: '0700' + mode: 'u+x,go-rwx' state: directory - name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" - when: - - ubtu24cis_rule_2_4_1_4 + when: ubtu24cis_rule_2_4_1_4 tags: - level1-server - level1-workstation @@ -69,12 +65,11 @@ path: /etc/cron.daily owner: root group: root - mode: '0700' + mode: 'u+x,go-rwx' state: directory - name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" - when: - - ubtu24cis_rule_2_4_1_5 + when: ubtu24cis_rule_2_4_1_5 tags: - level1-server - level1-workstation @@ -87,12 +82,11 @@ path: /etc/cron.weekly owner: root group: root - mode: '0700' + mode: 'u+x,go-rwx' state: directory - name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" - when: - - ubtu24cis_rule_2_4_1_6 + when: ubtu24cis_rule_2_4_1_6 tags: - level1-server - level1-workstation @@ -105,12 +99,11 @@ path: /etc/cron.monthly owner: root group: root - mode: '0700' + mode: 'u+x,go-rwx' state: directory - name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" - when: - - ubtu24cis_rule_2_4_1_7 + when: ubtu24cis_rule_2_4_1_7 tags: - level1-server - level1-workstation 
@@ -123,12 +116,11 @@ path: /etc/cron.d owner: root group: root - mode: '0700' + mode: 'u+x,go-rwx' state: directory - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users" - when: - - ubtu24cis_rule_2_4_1_8 + when: ubtu24cis_rule_2_4_1_8 tags: - level1-server - level1-workstation @@ -146,10 +138,10 @@ - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Check for cron.allow" ansible.builtin.stat: path: /etc/cron.allow - register: ubtu24cis_2_4_1_8_status + register: discovered_cron_allow_status - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Create cron.allow if doesn't exist" - when: not ubtu24cis_2_4_1_8_status.stat.exists + when: not discovered_cron_allow_status.stat.exists ansible.builtin.file: path: /etc/cron.allow owner: root @@ -158,7 +150,7 @@ state: touch - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Update cron.allow if exists" - when: ubtu24cis_2_4_1_8_status.stat.exists + when: discovered_cron_allow_status.stat.exists ansible.builtin.file: path: /etc/cron.allow owner: root diff --git a/tasks/section_2/cis_2.4.2.x.yml b/tasks/section_2/cis_2.4.2.x.yml index e49b137..4a64102 100644 --- a/tasks/section_2/cis_2.4.2.x.yml +++ b/tasks/section_2/cis_2.4.2.x.yml @@ -1,8 +1,7 @@ --- - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users" - when: - - - ubtu24cis_rule_2_4_2_1 + when: ubtu24cis_rule_2_4_2_1 tags: - level1-server - level1-workstation @@ -20,10 +19,10 @@ - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Check for at.allow" ansible.builtin.stat: path: /etc/at.allow - register: ubtu24cis_2_4_2_1_status + register: discovered_at_allow_status - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Create at.allow if doesn't exist" - when: not ubtu24cis_2_4_2_1_status.stat.exists + when: not discovered_at_allow_status.stat.exists ansible.builtin.file: path: /etc/at.allow owner: root 
@@ -32,7 +31,7 @@ state: touch - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | update at.allow if exists" - when: ubtu24cis_2_4_2_1_status.stat.exists + when: discovered_at_allow_status.stat.exists ansible.builtin.file: path: /etc/at.allow owner: root diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index e30bb08..4237bc3 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -18,7 +18,7 @@ path: /etc/default/grub regexp: '^(GRUB_CMDLINE_LINUX=.*)\bipv6\.disable=\d\b(.*$)' replace: '\1ipv6.disable=1\2' - register: ipv6disable_replaced + register: discovered_ipv6disable_replaced notify: Grub update - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Check grub cmdline linux" @@ -26,13 +26,13 @@ changed_when: false failed_when: false check_mode: false - register: ubtu24cis_3_1_1_cmdline_settings + register: discovered_ipv6_grub_cmdline_settings - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Insert ipv6.disable if it doesn't exist" when: - ubtu24cis_ipv6_disable == 'grub' - - ipv6disable_replaced is not changed - - "'ipv6.disable' not in ubtu24cis_3_1_1_cmdline_settings.stdout" + - discovered_ipv6disable_replaced is not changed + - "'ipv6.disable' not in discovered_ipv6_grub_cmdline_settings.stdout" ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^(GRUB_CMDLINE_LINUX=".*)"$' @@ -47,13 +47,14 @@ dest: "/{{ item }}" owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' notify: Flush ipv6 route table loop: - etc/sysctl.d/60-disable_ipv6.conf - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" when: + - prelim_wireless_modules.stdout is defined - ubtu24cis_rule_3_1_2 tags: - level1-server 
@@ -70,15 +71,16 @@ regexp: '^(#)?install true(\\s|$)' line: install {{ item }} true create: true + mode: 'go-wx' loop: "{{ prelim_wireless_modules.stdout_lines }}" - - name: "3.1.2 | PATCH | Ensure dccp kernel module is not available | blacklist" + - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | blacklist" ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "^(#)?blacklist {{ item }}(\\s|$)" line: "blacklist {{ item }}" create: true - mode: '0600' + mode: 'go-rwx' loop: "{{ prelim_wireless_modules.stdout_lines }}" - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use" diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 9c7a860..12d3833 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -18,6 +18,7 @@ regexp: '^(#)?install dccp(\\s|$)' line: "{{ item }}" create: true + mode: 'u-x,go-wx' loop: - install dccp /bin/true - blacklist dccp @@ -28,7 +29,7 @@ regexp: "^(#)?blacklist cramfs(\\s|$)" line: "blacklist cramfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available" when: @@ -48,6 +49,7 @@ regexp: '^(#)?install tipc(\\s|$)' line: "{{ item }}" create: true + mode: 'u-x,go-wx' loop: - install tipc /bin/true - blacklist tipc @@ -58,7 +60,7 @@ regexp: "^(#)?blacklist tipc(\\s|$)" line: "blacklist tipc" create: true - mode: '0600' + mode: 'go-rwx' - name: "3.2.3 | PATCH | Ensure rds kernel module is not available" when: @@ -78,6 +80,7 @@ regexp: '^(#)?install rds(\\s|$)' line: "{{ item }}" create: true + mode: 'u-x,go-wx' loop: - install rds /bin/true - blacklist rds @@ -88,7 +91,7 @@ regexp: "^(#)?blacklist rds(\\s|$)" line: "blacklist rds" create: true - mode: '0600' + mode: 'go-rwx' - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available" when: 
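Review bot: The `regexp` of the 3.1.2 install task, `'^(#)?install true(\\s|$)'`, does not include `{{ item }}`, so it never matches the `install <module> true` line the task manages (compare the per-module patterns in cis_3.2.x); a pre-existing `install <module> /bin/false` or commented-out line is left in place and the new line is appended beside it. It should read `regexp: "^(#)?install {{ item }}(\\s|$)"`. Note the quoting: inside YAML single quotes `\\s` reaches the regex engine as a literal backslash followed by `s`, so only the `$` alternative ever matches; the double-quoted form used by the blacklist task below yields the intended whitespace class. The new `mode: 'go-wx'` on this file versus `'go-rwx'` on blacklist.conf also deserves a comment if the difference is intentional.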
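Review bot: In the 3.2.1 install task the single `regexp: '^(#)?install dccp(\\s|$)'` is applied to both loop items, so on the `blacklist dccp` iteration any line matching the install pattern would be rewritten to `blacklist dccp`, dropping the install override; today this is only avoided because `\\s` inside single quotes is a literal backslash and the pattern never matches `install dccp /bin/true`. Carry the pattern per item instead: `loop: [{ regexp: '^(#)?install dccp(\s|$)', line: 'install dccp /bin/true' }, { regexp: '^(#)?blacklist dccp(\s|$)', line: 'blacklist dccp' }]` with `regexp: "{{ item.regexp }}"` and `line: "{{ item.line }}"`. The same shape repeats for tipc, rds and sctp in the hunks below.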
@@ -108,6 +111,7 @@ regexp: '^(#)?install sctp(\\s|$)' line: "{{ item }}" create: true + mode: 'u-x,go-wx' loop: - install sctp /bin/true - blacklist sctp @@ -118,4 +122,4 @@ regexp: "^(#)?blacklist sctp(\\s|$)" line: "blacklist sctp" create: true - mode: '0600' + mode: 'go-rwx' diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 8aa0094..737e949 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -72,8 +72,7 @@ notify: Flush ipv4 route table - name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored" - when: - - ubtu24cis_rule_3_3_3 + when: ubtu24cis_rule_3_3_3 tags: - level1-server - level1-workstation @@ -97,8 +96,7 @@ notify: Flush ipv4 route table - name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored" - when: - - ubtu24cis_rule_3_3_4 + when: ubtu24cis_rule_3_3_4 tags: - level1-server - level1-workstation @@ -122,8 +120,7 @@ notify: Flush ipv4 route table - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted" - when: - - ubtu24cis_rule_3_3_5 + when: ubtu24cis_rule_3_3_5 tags: - level1-server - level1-workstation @@ -167,8 +164,7 @@ notify: Flush ipv6 route table - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted" - when: - - ubtu24cis_rule_3_3_6 + when: ubtu24cis_rule_3_3_6 tags: - level1-server - level1-workstation @@ -195,8 +191,7 @@ notify: Flush ipv4 route table - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - when: - - ubtu24cis_rule_3_3_7 + when: ubtu24cis_rule_3_3_7 tags: - level1-server - level1-workstation diff --git a/tasks/section_4/cis_4.1.1.yml b/tasks/section_4/cis_4.1.1.yml index 17591ca..ecae4b0 100644 --- a/tasks/section_4/cis_4.1.1.yml +++ b/tasks/section_4/cis_4.1.1.yml @@ -1,8 +1,7 @@ --- - name: "4.1.1 | PATCH | Ensure a single firewall configuration utility is in use" - when: - - ubtu24cis_rule_4_1_1 + when: ubtu24cis_rule_4_1_1 tags: - level1-server - level1-workstation 
@@ -12,31 +11,31 @@ vars: warn_control_id: '4.1.1' block: - - - name: "4.1.1 | PATCH | Ensure a single firewall configuration utility is in use | Check packages" + - name: "4.1.1 | AUDIT | Ensure a single firewall configuration utility is in use | Check packages" ansible.builtin.shell: dpkg-query -l | grep -Ec "^ii\s*ufw|^ii\s*iptables|^ii\s*nftables" changed_when: false failed_when: discovered_firewall_pkgs.rc not in [ 0, 1 ] register: discovered_firewall_pkgs - - name: "4.1.1 | PATCH | Ensure a single firewall configuration utility is in use | Check enabled" + - name: "4.1.1 | AUDIT | Ensure a single firewall configuration utility is in use | Check enabled" when: discovered_firewall_pkgs.stdout not in [ 0, 1 ] - ansible.builtin.shell: for svc in ufw nftables iptables; do if [ "$(systemctl is-enabled $svc | grep enabled &> /dev/null)" ]; then fw_enabled=$(( fw_enabled +1 )); fi; done; echo $fw_enabled + ansible.builtin.shell: | + for svc in ufw nftables iptables; do if [ "$(systemctl is-enabled $svc | grep enabled &> /dev/null)" ]; then fw_enabled=$(( fw_enabled +1 )); fi; done; echo $fw_enabled changed_when: false register: discovered_enabled_firewalls environment: - fw_enabled: 0 + fw_enabled: '0' - name: "4.1.1 | AUDIT | Ensure a single firewall configuration utility is in use | Message out warning" when: - discovered_enabled_firewalls.stdout is defined - - discovered_enabled_firewalls.stdout|int >= 2 + - (discovered_enabled_firewalls.stdout|int) >= 2 ansible.builtin.debug: msg: "Warning!! You have more than one firewalls installed and running or enabled. Please use UFW, iptables, or manually manage nftables" - name: "4.1.1 | AUDIT | Ensure a single firewall configuration utility is in use | Set warning count" when: - discovered_enabled_firewalls.stdout is defined - - discovered_enabled_firewalls.stdout|int >= 2 + - (discovered_enabled_firewalls.stdout|int) >= 2 ansible.builtin.import_tasks: file: warning_facts.yml 
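Review bot: The enabled-firewall count produced by the `Check enabled` task can never exceed zero, so the two warning tasks that test `>= 2` are dead code: `grep enabled &> /dev/null` emits nothing, `"$(...)"` is therefore always empty and `[ "" ]` is false on every iteration. Once output is restored, a bare `grep enabled` would also match `disabled`, so the match has to be exact. The preceding `when: discovered_firewall_pkgs.stdout not in [ 0, 1 ]` compares a string with integers and is always true; this commit parenthesised the other `|int` comparisons in the hunk but missed this one, which should be `when: (discovered_firewall_pkgs.stdout | int) > 1`. Initialising the counter inside the script also makes the `environment:` stanza unnecessary.
```yaml
      ansible.builtin.shell: |
        fw_enabled=0
        for svc in ufw nftables iptables; do
          if systemctl is-enabled "$svc" 2>/dev/null | grep -qx enabled; then
            fw_enabled=$((fw_enabled + 1))
          fi
        done
        echo "$fw_enabled"
      # … unchanged: changed_when, register, environment …
```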
diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml index 04565c0..53c6682 100644 --- a/tasks/section_4/cis_4.2.x.yml +++ b/tasks/section_4/cis_4.2.x.yml @@ -33,8 +33,7 @@ # Adding the allow OpenSSH rule while enabling ufw to allow ansible to run after enabling - name: "4.2.3 | PATCH | Ensure ufw service is enabled" - when: - - ubtu24cis_rule_4_2_3 + when: ubtu24cis_rule_4_2_3 tags: - level1-server - level1-workstation @@ -58,8 +57,7 @@ state: started - name: "4.2.4 | PATCH | Ensure ufw loopback traffic is configured" - when: - - ubtu24cis_rule_4_2_4 + when: ubtu24cis_rule_4_2_4 tags: - level1-server - level1-workstation @@ -98,8 +96,7 @@ notify: Reload ufw - name: "4.2.5 | PATCH | Ensure ufw outbound connections are configured" - when: - - ubtu24cis_rule_4_2_5 + when: ubtu24cis_rule_4_2_5 tags: - level1-server - level1-workstation @@ -126,8 +123,7 @@ notify: Reload ufw - name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports" - when: - - ubtu24cis_rule_4_2_6 + when: ubtu24cis_rule_4_2_6 tags: - level1-server - level1-workstation @@ -139,18 +135,18 @@ warn_control_id: '4.2.6' block: - name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.shell: ss -4tuln + ansible.builtin.command: ss -4tuln changed_when: false failed_when: false check_mode: false - register: ubtu24cis_4_2_6_open_listen_ports + register: discovered_ufw_open_listen_ports - name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules" - ansible.builtin.shell: ufw status + ansible.builtin.command: ufw status changed_when: false failed_when: false check_mode: false - register: ubtu24cis_4_2_6_firewall_rules + register: discovered_ufw_firewall_rules - name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Message out settings" ansible.builtin.debug: 
@@ -158,17 +154,16 @@ - "Warning!! Below are the listening ports and firewall rules" - "Please create firewall rule for any open ports if not already done" - "*****---Open Listen Ports---*****" - - "{{ ubtu24cis_4_2_6_open_listen_ports.stdout_lines }}" + - "{{ discovered_ufw_open_listen_ports.stdout_lines }}" - "*****---Firewall Rules---*****" - - "{{ ubtu24cis_4_2_6_firewall_rules.stdout_lines }}" + - "{{ discovered_ufw_firewall_rules.stdout_lines }}" - name: "4.2.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: file: warning_facts.yml - name: "4.2.7 | PATCH | Ensure ufw default deny firewall policy" - when: - - ubtu24cis_rule_4_2_7 + when: ubtu24cis_rule_4_2_7 tags: - level1-server - level1-workstation diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml index be19726..e3e71b8 100644 --- a/tasks/section_4/cis_4.3.x.yml +++ b/tasks/section_4/cis_4.3.x.yml @@ -96,10 +96,10 @@ ansible.builtin.debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables | Message out warning" # ansible.builtin.shell: "nft create table {{ ubtu24cis_nftables_table_name }}" - # changed_when: ubtu24cis_4_3_4_new_table.rc == 0 + # changed_when: discovered_new_nftable.rc == 0 # failed_when: false # check_mode: false - # register: ubtu24cis_4_3_4_new_table + # register: discovered_new_nftable - name: "4.3.4 | AUDIT | Ensure a nftables table exists | Set warning count" ansible.builtin.import_tasks: diff --git a/tasks/section_4/cis_4.4.1.x.yml b/tasks/section_4/cis_4.4.1.x.yml index 6eabb20..32b0c0d 100644 --- a/tasks/section_4/cis_4.4.1.x.yml +++ b/tasks/section_4/cis_4.4.1.x.yml 
@@ -170,20 +170,22 @@ - audit - rule_4.4.1.4 - iptables + vars: + warn_control_id: '4.4.1.4' block: - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.shell: ss -4tuln + ansible.builtin.command: ss -4tuln changed_when: false failed_when: false check_mode: false - register: ubtu24cis_4_4_1_4_open_ports + register: discovered_open_ports - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.shell: iptables -L INPUT -v -n + ansible.builtin.command: iptables -L INPUT -v -n changed_when: false failed_when: false check_mode: false - register: ubtu24cis_4_4_1_4_current_rules + register: discovered_current_rules - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug: @@ -191,15 +193,13 @@ - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - - "{{ ubtu24cis_4_4_1_4_open_ports.stdout_lines }}" + - "{{ discovered_open_ports.stdout_lines }}" - "Current Rules:" - - "{{ ubtu24cis_4_4_1_4_current_rules.stdout_lines }}" + - "{{ discovered_current_rules.stdout_lines }}" - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: file: warning_facts.yml - vars: - warn_control_id: '4.4.1.4' # --------------- # --------------- 
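Review bot: `failed_when: false` on `iptables -L INPUT -v -n` means a missing binary or a non-root run leaves `discovered_current_rules.stdout_lines` empty, and the warning then lists no rules — the same output a host with a truly empty INPUT chain produces, so the audit cannot tell the two cases apart. Because the task already sets `check_mode: false` purely to collect data, `failed_when: discovered_current_rules.rc != 0` (or printing `.rc` next to the two lists) would make a broken collection visible. Hoisting `warn_control_id` into the block `vars` is the right place for it; note that `discovered_open_ports` / `discovered_current_rules` are now shared with the ip6tables audit later in this file and with cis_4.4.2.x / cis_4.4.3.x, which is safe only while every block registers before it reads. The block's `when` and tags start above this hunk.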
@@ -217,9 +217,9 @@ # - name: "Make IPTables persistent | Save to persistent files" # ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" -# changed_when: ubtu24cis_iptables_save.rc == 0 -# failed_when: ubtu24cis_iptables_save.rc > 0 -# register: ubtu24cis_iptables_save +# changed_when: discovered_iptables_save.rc == 0 +# failed_when: discovered_iptables_save.rc > 0 +# register: discovered_iptables_save # when: # - ubtu24cis_firewall_package == "iptables" # - ubtu24cis_save_iptables_cis_rules @@ -353,18 +353,18 @@ warn_control_id: '4.4.1.4' block: - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.shell: ss -6tuln + ansible.builtin.command: ss -6tuln changed_when: false failed_when: false check_mode: false - register: ubtu24cis_4_4_1_4_open_ports + register: discovered_open_ports - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.shell: ip6tables -L INPUT -v -n + ansible.builtin.command: ip6tables -L INPUT -v -n changed_when: false failed_when: false check_mode: false - register: ubtu24cis_4_4_1_4_current_rules + register: discovered_current_rules - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug: @@ -372,9 +372,9 @@ - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - - "{{ ubtu24cis_4_4_1_4_open_ports.stdout_lines }}" + - "{{ discovered_open_ports.stdout_lines }}" - "Current Rules:" - - "{{ ubtu24cis_4_4_1_4_current_rules.stdout_lines }}" + - "{{ discovered_current_rules.stdout_lines }}" - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: 
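Review bot: The ip6tables audit in this hunk keeps `warn_control_id: '4.4.1.4'` and task titles `4.4.1.4 | AUDIT | Ensure ip6tables ...`, the same id the IPv4 iptables audit at the top of this file uses, so if warning_facts.yml keys its count on `warn_control_id` the two audits collapse into one control and the warning summary under-reports. cis_4.4.2.x.yml and cis_4.4.3.x.yml in this same diff carry what look like the same two audits as 4.4.2.4 and 4.4.3.4, which suggests the blocks here are leftovers from an earlier numbering; if so they deserve either their own id in `vars:`/titles or removal rather than just a register rename. The block's `when` and tags begin above the hunk.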
@@ -398,9 +398,9 @@ # - name: "Make IP6Tables persistent | Save to persistent files" # ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6" -# changed_when: ubtu24cis_ip6tables_save.rc == 0 -# failed_when: ubtu24cis_ip6tables_save.rc > 0 -# register: ubtu24cis_ip6tables_save +# changed_when: discovered_ip6tables_save.rc == 0 +# failed_when: discovered_ip6tables_save.rc > 0 +# register: discovered_ip6tables_save # when: # - ubtu24cis_firewall_package == "iptables" # - ubtu24cis_ipv6_required diff --git a/tasks/section_4/cis_4.4.2.x.yml b/tasks/section_4/cis_4.4.2.x.yml index ff5338f..249f4a1 100644 --- a/tasks/section_4/cis_4.4.2.x.yml +++ b/tasks/section_4/cis_4.4.2.x.yml @@ -133,18 +133,18 @@ warn_control_id: '4.4.2.4' block: - name: "4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.shell: ss -4tuln + ansible.builtin.command: ss -4tuln changed_when: false failed_when: false check_mode: false - register: ubtu24cis_4_4_1_4_open_ports + register: discovered_open_ports - name: "4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.shell: iptables -L INPUT -v -n + ansible.builtin.command: iptables -L INPUT -v -n changed_when: false failed_when: false check_mode: false - register: ubtu24cis_4_4_2_4_current_rules + register: discovered_current_rules - name: "4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug: 
@@ -152,9 +152,9 @@ - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - - "{{ ubtu24cis_4_4_2_4_open_ports.stdout_lines }}" + - "{{ discovered_open_ports.stdout_lines }}" - "Current Rules:" - - "{{ ubtu24cis_4_4_2_4_current_rules.stdout_lines }}" + - "{{ discovered_current_rules.stdout_lines }}" - name: "4.4.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: @@ -176,9 +176,9 @@ # - name: "Make IPTables persistent | Save to persistent files" # ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" -# changed_when: ubtu24cis_iptables_save.rc == 0 -# failed_when: ubtu24cis_iptables_save.rc > 0 -# register: ubtu24cis_iptables_save +# changed_when: discovered_iptables_save.rc == 0 +# failed_when: discovered_iptables_save.rc > 0 +# register: discovered_iptables_save # when: # - ubtu24cis_firewall_package == "iptables" # - ubtu24cis_save_iptables_cis_rules diff --git a/tasks/section_4/cis_4.4.3.x.yml b/tasks/section_4/cis_4.4.3.x.yml index b963698..f8ab6d5 100644 --- a/tasks/section_4/cis_4.4.3.x.yml +++ b/tasks/section_4/cis_4.4.3.x.yml @@ -1,8 +1,7 @@ --- - name: "4.4.3.1 | PATCH | Ensure ip6tables default deny firewall policy" - when: - - ubtu24cis_rule_4_4_3_1 + when: ubtu24cis_rule_4_4_3_1 tags: - level1-server - level1-workstationå 
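Review bot: The context line `- level1-workstationå` in the cis_4.4.3.x.yml hunk carries a stray trailing character after the tag; if that byte really is in the file (rather than an artifact of how this page was rendered), the tag never equals `level1-workstation` and `--tags level1-workstation` silently skips 4.4.3.1, the ip6tables default-deny policy — the one PATCH task in this file that is not an audit. It should read `- level1-workstation` like the sibling tasks. A quick `grep -P '[^\x00-\x7F]' tasks/` would confirm whether any other tag carries a non-ASCII byte, since this hunk only touched the `when`.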
@@ -126,18 +125,18 @@ warn_control_id: '4.4.3.4' block: - name: "4.4.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.shell: ss -6tuln + ansible.builtin.command: ss -6tuln changed_when: false failed_when: false check_mode: false - register: ubtu24cis_4_4_3_4_open_ports + register: discovered_open_ports - name: "4.4.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.shell: ip6tables -L INPUT -v -n + ansible.builtin.command: ip6tables -L INPUT -v -n changed_when: false failed_when: false check_mode: false - register: ubtu24cis_4_4_3_4_current_rules + register: discovered_current_rules - name: "4.4.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug: @@ -145,9 +144,9 @@ - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - - "{{ ubtu24cis_4_4_3_4_open_ports.stdout_lines }}" + - "{{ discovered_open_ports.stdout_lines }}" - "Current Rules:" - - "{{ ubtu24cis_4_4_3_4_current_rules.stdout_lines }}" + - "{{ discovered_current_rules.stdout_lines }}" - name: "4.4.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: @@ -171,9 +170,9 @@ # - name: "Make IP6Tables persistent | Save to persistent files" # ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6" -# changed_when: ubtu24cis_ip6tables_save.rc == 0 -# failed_when: ubtu24cis_ip6tables_save.rc > 0 -# register: ubtu24cis_ip6tables_save +# changed_when: discovered_ip6tables_save.rc == 0 +# failed_when: discovered_ip6tables_save.rc > 0 +# register: discovered_ip6tables_save # when: # - ubtu24cis_firewall_package == "iptables" # - ubtu24cis_ipv6_required 
diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 18a7eef..4f2a377 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -1,8 +1,7 @@ --- - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" - when: - - ubtu24cis_rule_5_1_1 + when: ubtu24cis_rule_5_1_1 tags: - level1-server - level1-workstation @@ -36,8 +35,7 @@ loop: "{{ discovered_sshd_confs.files }}" - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured" - when: - - ubtu24cis_rule_5_1_2 + when: ubtu24cis_rule_5_1_2 tags: - level1-server - level1-workstation @@ -51,7 +49,7 @@ ansible.builtin.find: paths: /etc/ssh patterns: 'ssh_host_*_key' - register: ubtu24cis_5_1_2_ssh_host_priv_keys + register: discovered_ssh_host_priv_keys - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions" ansible.builtin.file: @@ -60,13 +58,12 @@ group: root mode: 'o-x,go-rwx' with_items: - - "{{ ubtu24cis_5_1_2_ssh_host_priv_keys.files }}" + - "{{ discovered_ssh_host_priv_keys.files }}" loop_control: label: "{{ item.path }}" - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured" - when: - - ubtu24cis_rule_5_1_3 + when: ubtu24cis_rule_5_1_3 tags: - level1-server - level1-workstation 
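Review bot: The private host key task whose register this hunk renames still applies `mode: 'o-x,go-rwx'`, where `o-x` is already implied by `go-rwx` and reads like a typo for `u-x` — as written, an owner-execute bit on a key file is left in place, whereas `'u-x,go-rwx'` (the form the benchmark's own remediation uses, as I recall it) would strip it. One-line change: `mode: 'u-x,go-rwx'`. The `find` is anchored at `/etc/ssh` with pattern `ssh_host_*_key`, so the loop correctly touches only host keys. The block's `when` and tags are in the preceding hunk.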
@@ -80,22 +77,21 @@ ansible.builtin.find: paths: /etc/ssh patterns: 'ssh_host_*_key.pub' - register: ubtu24cis_5_1_3_ssh_host_pub_keys + register: discovered_ssh_host_pub_keys - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions" ansible.builtin.file: path: "{{ item.path }}" owner: root group: root - mode: '0644' + mode: 'go-wx' with_items: - - "{{ ubtu24cis_5_1_3_ssh_host_pub_keys.files }}" + - "{{ discovered_ssh_host_pub_keys.files }}" loop_control: label: "{{ item.path }}" - name: "5.1.4 | PATCH | Ensure sshd access is configured" - when: - - ubtu24cis_rule_5_1_4 + when: ubtu24cis_rule_5_1_4 tags: - level1-server - level1-workstation 
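Review bot: `mode: 'go-wx'` does not strip an owner-execute bit, so a public host key file that is 0744 or 0755 stays executable for root after this task — looser than the `0644` the replaced line enforced and than the "0644 or more restrictive" wording of 5.1.3. `mode: 'u-x,go-wx'` keeps the symbolic style and pins that bit, and matches what the benchmark remediation does for public keys if memory serves. The `ssh_host_*_key.pub` pattern under `/etc/ssh` scopes the loop correctly. The block's `when` and tags are in the preceding hunk.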
@@ -106,44 +102,43 @@ - sshd block: - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add allowed users" - when: "ubtu24cis_sshd['allow_users']| default('') | length > 0 " + when: "ubtu24cis_sshd_allow_users| default('') | length > 0 " ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^(#|)\s*AllowUsers' - line: 'AllowUsers {{ ubtu24cis_sshd.allow_users }}' + line: 'AllowUsers {{ ubtu24cis_sshd_allow_users }}' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add allowed groups" - when: "ubtu24cis_sshd['allow_groups']| default('') | length > 0" + when: "ubtu24cis_sshd_allow_groups| default('') | length > 0" ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^(#|)\s*AllowGroups' - line: 'AllowGroups {{ ubtu24cis_sshd.allow_groups }}' + line: 'AllowGroups {{ ubtu24cis_sshd_allow_groups }}' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add deny users" - when: "ubtu24cis_sshd['deny_users']| default('') | length > 0" + when: "ubtu24cis_sshd_deny_users| default('') | length > 0" ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '(?i)^(#|)\s*DenyUsers' - line: 'DenyUsers {{ ubtu24cis_sshd.deny_users }}' + line: 'DenyUsers {{ ubtu24cis_sshd_deny_users }}' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add deny groups" - when: "ubtu24cis_sshd['deny_groups']| default('') | length > 0" + when: "ubtu24cis_sshd_deny_groups| default('') | length > 0" ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^DenyGroups|^#DenyGroups' - line: 'DenyGroups {{ ubtu24cis_sshd.deny_groups }}' + line: 'DenyGroups {{ ubtu24cis_sshd_deny_groups }}' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.5| PATCH | Ensure sshd Banner is configured" - when: - - ubtu24cis_rule_5_1_5 + when: ubtu24cis_rule_5_1_5 tags: - level1-server - 
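Review bot: The DenyGroups task still matches with `regexp: '^DenyGroups|^#DenyGroups'` while its three siblings in this hunk use the `(?i)^(#|)\s*` form; sshd keywords are case-insensitive, so a `denygroups ...` or `#  DenyGroups` line is left untouched and a second `DenyGroups` directive is appended instead of replacing it. One-line fix for consistency: `regexp: '(?i)^(#|)\s*DenyGroups'`. The `when` strings also carry a stray trailing space inside the quotes (`length > 0 "`), harmless but untidy. The block's `when` and tags begin above this hunk.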
level1-workstation @@ -164,8 +159,7 @@ notify: Restart sshd - name: "5.1.6 | PATCH | Ensure sshd Ciphers are configured" - when: - - ubtu24cis_rule_5_1_6 + when: ubtu24cis_rule_5_1_6 tags: - level1-server - level1-workstation @@ -176,14 +170,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: ^Ciphers - line: "Ciphers {{ ubtu24cis_sshd.ciphers | join(',') }}" + line: "Ciphers {{ ubtu24cis_sshd_ciphers | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.7 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured" - when: - - ubtu24cis_rule_5_1_7 + when: ubtu24cis_rule_5_1_7 tags: - level1-server - level1-workstation @@ -201,13 +194,12 @@ line: "{{ item.line }}" validate: 'sshd -t -f %s' with_items: - - { regexp: '^ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu24cis_sshd.client_alive_interval | default(ubtu24cis_sshd_default_client_alive_interval) }}' } - - { regexp: '^ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu24cis_sshd.client_alive_count_max | default(ubtu24cis_sshd_default_client_alive_count_max) }}' } + - { regexp: '^ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu24cis_sshd_client_alive_interval | default(ubtu24cis_sshd_default_client_alive_interval) }}' } + - { regexp: '^ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu24cis_sshd_client_alive_count_max | default(ubtu24cis_sshd_default_client_alive_count_max) }}' } notify: Restart sshd - name: "5.1.8 | PATCH | Ensure sshd DisableForwarding is enabled" - when: - - ubtu24cis_rule_5_1_8 + when: ubtu24cis_rule_5_1_8 tags: - level2-server - level1-workstation @@ -223,8 +215,7 @@ notify: Restart sshd - name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is is disabled" - when: - - ubtu24cis_rule_5_1_9 + when: ubtu24cis_rule_5_1_9 tags: - level2-server - level1-workstation 
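Review bot: The `Ciphers` line is placed in `/etc/ssh/sshd_config` after `# Ciphers and keying`, but sshd keeps the first value it obtains for a keyword and Ubuntu's stock file opens with `Include /etc/ssh/sshd_config.d/*.conf`, so if that Include is present on the target a drop-in that sets `Ciphers` wins over this line and `sshd -t` will not object (5.1.1 already loops over `discovered_sshd_confs`, so drop-ins are clearly expected). Either write the hardening into a drop-in that sorts first, or add a post-check such as `sshd -T | grep -i '^ciphers '` and fail when it differs from `ubtu24cis_sshd_ciphers | join(',')`. Separately, `regexp: ^Ciphers` is case-sensitive and does not match a commented `#Ciphers` line, unlike the `(?i)^(#|)\s*` form the KexAlgorithms and MACs tasks in this file use, so a template line stays and the new one is appended rather than replacing it. The block's `when` and tags begin above this hunk.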
@@ -244,8 +235,7 @@ notify: Restart sshd - name: "5.1.10 | PATCH | Ensure SSH HostbasedAuthentication is disabled" - when: - - ubtu24cis_rule_5_1_10 + when: ubtu24cis_rule_5_1_10 tags: - level1-server - level1-workstation @@ -265,8 +255,7 @@ notify: Restart sshd - name: "5.1.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" - when: - - ubtu24cis_rule_5_1_11 + when: ubtu24cis_rule_5_1_11 tags: - level1-server - level1-workstation @@ -286,8 +275,7 @@ notify: Restart sshd - name: "5.1.12 | PATCH | Ensure only strong Key Exchange algorithms are used" - when: - - ubtu24cis_rule_5_1_12 + when: ubtu24cis_rule_5_1_12 tags: - level1-server - level1-workstation @@ -298,14 +286,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*KexAlgorithms - line: "KexAlgorithms {{ ubtu24cis_sshd.kex_algorithms | default(ubtu24cis_sshd_default_kex_algorithms) | join(',') }}" + line: "KexAlgorithms {{ ubtu24cis_sshd_kex_algorithms | default(ubtu24cis_sshd_default_kex_algorithms) | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.13 | PATCH | Ensure SSH LoginGraceTime is configured" - when: - - ubtu24cis_rule_5_1_13 + when: ubtu24cis_rule_5_1_13 tags: - level1-server - level1-workstation @@ -316,14 +303,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*LoginGraceTime - line: 'LoginGraceTime {{ ubtu24cis_sshd.login_grace_time | default(ubtu24cis_sshd_default_login_grace_time) }}' + line: 'LoginGraceTime {{ ubtu24cis_sshd_login_grace_time | default(ubtu24cis_sshd_default_login_grace_time) }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.14 | PATCH | Ensure SSH LogLevel is configured" - when: - - ubtu24cis_rule_5_1_14 + when: ubtu24cis_rule_5_1_14 tags: - level1-server - level1-workstation 
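Review bot: `ubtu24cis_sshd_kex_algorithms | default(ubtu24cis_sshd_default_kex_algorithms)` masks the break this rename introduces: an inventory that still sets the old `ubtu24cis_sshd:` dict (e.g. `ubtu24cis_sshd.kex_algorithms`) is no longer read anywhere, so the task silently writes the role's list instead of the operator's — a key-exchange policy regression that passes `sshd -t`. A one-task guard in the prelim would make the break loud: `ansible.builtin.assert: { that: ubtu24cis_sshd is not defined, fail_msg: 'ubtu24cis_sshd dict vars were replaced by ubtu24cis_sshd_* variables' }`. The same applies to the LoginGraceTime task below and to every other `ubtu24cis_sshd_*` rename in this file. The blocks' `when` and tags begin above the hunk.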
@@ -336,14 +322,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*LogLevel - line: 'LogLevel {{ ubtu24cis_sshd.log_level | default(ubtu24cis_sshd_default_log_level) }}' + line: 'LogLevel {{ ubtu24cis_sshd_log_level | default(ubtu24cis_sshd_default_log_level) }}' insertafter: '^# Logging' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.15 | PATCH | Ensure only strong MAC algorithms are used" - when: - - ubtu24cis_rule_5_1_15 + when: ubtu24cis_rule_5_1_15 tags: - level1-server - level1-workstation @@ -358,14 +343,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*MACs - line: "MACs {{ ubtu24cis_sshd.macs | default(ubtu24cis_sshd_default_macs) | join(',') }}" + line: "MACs {{ ubtu24cis_sshd_macs | default(ubtu24cis_sshd_default_macs) | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" - when: - - ubtu24cis_rule_5_1_16 + when: ubtu24cis_rule_5_1_16 tags: - level1-server - level1-workstation @@ -376,14 +360,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*MaxAuthTries - line: 'MaxAuthTries {{ ubtu24cis_sshd.max_auth_tries | default(ubtu24cis_sshd_default_max_auth_tries) }}' + line: 'MaxAuthTries {{ ubtu24cis_sshd_max_auth_tries | default(ubtu24cis_sshd_default_max_auth_tries) }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.17 | PATCH | Ensure sshd MaxSessions is configured" - when: - - ubtu24cis_rule_5_1_17 + when: ubtu24cis_rule_5_1_17 tags: - level1-server - level1-workstation 
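Review bot: `insertafter: '^# Authentication'` only positions `MaxAuthTries` when that stock comment exists; otherwise lineinfile appends at end of file, and if the target's sshd_config ends in a `Match` block the appended `MaxAuthTries` — a keyword sshd accepts inside Match — passes `sshd -t` yet applies to that Match scope only, not globally. The LogLevel task in this hunk has the same silent failure mode (Match accepts LogLevel too); keywords Match rejects, such as MACs, at least fail the `sshd -t` validation. Falling back to `insertbefore: BOF` when the regexp does not match, or verifying the effective value afterwards with `sshd -T | grep -i '^maxauthtries '`, avoids the mis-scoping. The blocks' `when` and tags are above the hunk.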
@@ -398,14 +381,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: (?i)^(#|)\s*MaxSessions - line: 'MaxSessions {{ ubtu24cis_sshd.max_sessions | default(ubtu24cis_sshd_default_max_sessions) }}' + line: 'MaxSessions {{ ubtu24cis_sshd_max_sessions | default(ubtu24cis_sshd_default_max_sessions) }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.18 | PATCH | Ensure SSH MaxStartups is configured" - when: - - ubtu24cis_rule_5_1_18 + when: ubtu24cis_rule_5_1_18 tags: - level1-server - level1-workstation @@ -425,8 +407,7 @@ notify: Restart sshd - name: "5.1.19 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" - when: - - ubtu24cis_rule_5_1_19 + when: ubtu24cis_rule_5_1_19 tags: - level1-server - level1-workstation @@ -447,8 +428,7 @@ notify: Restart sshd - name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled" - when: - - ubtu24cis_rule_5_1_20 + when: ubtu24cis_rule_5_1_20 tags: - level1-server - level1-workstation @@ -464,8 +444,7 @@ notify: Restart sshd - name: "5.1.21 | PATCH | Ensure SSH PermitUserEnvironment is disabled" - when: - - ubtu24cis_rule_5_1_21 + when: ubtu24cis_rule_5_1_21 tags: - level1-server - level1-workstation @@ -485,8 +464,7 @@ notify: Restart sshd - name: "5.1.22 | PATCH | Ensure sshd UsePAM is enabled" - when: - - ubtu24cis_rule_5_1_22 + when: ubtu24cis_rule_5_1_22 tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 6b150e3..647ba59 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -1,8 +1,7 @@ --- - name: "5.2.1 | PATCH | Ensure sudo is installed" - when: - - ubtu24cis_rule_5_2_1 + when: ubtu24cis_rule_5_2_1 tags: - level1-server - level1-workstation @@ -15,8 +14,7 @@ state: present - name: "5.2.2 | PATCH | Ensure sudo commands use pty" - when: - - ubtu24cis_rule_5_2_2 + when: ubtu24cis_rule_5_2_2 tags: - level1-server - level1-workstation 
@@ -31,8 +29,7 @@ insertafter: '^\s*Defaults' - name: "5.2.3 | PATCH | Ensure sudo log file exists" - when: - - ubtu24cis_rule_5_2_3 + when: ubtu24cis_rule_5_2_3 tags: - level1-server - level1-workstation @@ -48,8 +45,7 @@ insertafter: '^\s*Defaults' - name: "5.2.4 | PATCH | Ensure users must provide password for escalation" - when: - - ubtu24cis_rule_5_2_4 + when: ubtu24cis_rule_5_2_4 tags: - level2-server - level2-workstation @@ -75,8 +71,7 @@ loop: "{{ discovered_sudoers_nopasswd.stdout_lines }}" - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" - when: - - ubtu24cis_rule_5_2_5 + when: ubtu24cis_rule_5_2_5 tags: - level1-server - level1-workstation @@ -92,8 +87,7 @@ loop: "{{ prelim_sudoers_files.stdout_lines }}" - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly" - when: - - ubtu24cis_rule_5_2_6 + when: ubtu24cis_rule_5_2_6 tags: - level1-server - level1-workstation @@ -106,10 +100,10 @@ ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort changed_when: false failed_when: false - register: ubtu24cis_5_2_6_timeout_files + register: discovered_ubtu24cis_ssh_timeout_files - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" - when: ubtu24cis_5_2_6_timeout_files.stdout | length == 0 + when: discovered_ubtu24cis_ssh_timeout_files.stdout | length == 0 ansible.builtin.lineinfile: path: /etc/sudoers regexp: '^\s*Defaults/s+timestamp_timeout=' 
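Review bot: The new register name `discovered_ubtu24cis_ssh_timeout_files` describes sudo `timestamp_timeout` hits, not anything SSH-related; `discovered_sudo_timeout_files` would say what the task does and match the `discovered_*` pattern used elsewhere in this diff. In the same hunk the unchanged `regexp: '^\s*Defaults/s+timestamp_timeout='` uses `/s+` where `\s+` was clearly meant, so it can never match an existing `Defaults timestamp_timeout=` line — harmless today only because the task is gated on the grep finding no such line, but it would duplicate the directive if that gate were ever relaxed; `regexp: '^\s*Defaults\s+timestamp_timeout='`. Keeping `ansible.builtin.shell` here is correct, since the pipeline relies on a glob and pipes. The block's `when` and tags begin above this hunk.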
@@ -118,17 +112,16 @@ validate: '/usr/sbin/visudo -cf %s' - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" - when: ubtu24cis_5_2_6_timeout_files.stdout | length > 0 + when: discovered_ubtu24cis_ssh_timeout_files.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: 'timestamp_timeout=(\d+)' replace: "timestamp_timeout={{ ubtu24cis_sudo_timestamp_timeout }}" validate: '/usr/sbin/visudo -cf %s' - loop: "{{ ubtu24cis_5_2_6_timeout_files.stdout_lines }}" + loop: "{{ discovered_ubtu24cis_ssh_timeout_files.stdout_lines }}" - name: "5.2.7 | PATCH | Ensure access to the su command is restricted" - when: - - ubtu24cis_rule_5_2_7 + when: ubtu24cis_rule_5_2_7 tags: - level1-server - level1-workstation @@ -142,7 +135,6 @@ ansible.builtin.group: name: "{{ ubtu24cis_sugroup }}" state: present - register: ubtu24cis_5_2_7_sugroup - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | remove users from group" ansible.builtin.lineinfile: diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index 89a431f..5756ba7 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml @@ -19,7 +19,7 @@ dest: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwunix_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' notify: Pam_auth_update_pwunix - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled" @@ -41,7 +41,7 @@ dest: "/{{ ubtu24cis_pam_confd_dir }}{{ item }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' loop: - "{{ ubtu24cis_pam_faillock_file }}" - "{{ ubtu24cis_pam_faillock_notify_file }}" @@ -67,7 +67,7 @@ dest: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwquality_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' notify: Pam_auth_update_pwquality - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled" 
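Review bot: Switching the pam-configs templates from `mode: '0600'` to `mode: 'go-rwx'` changes the semantics from "set exactly 0600" to "strip group/other": the owner bits become whatever the file already has, or what the target's umask yields for a newly written file, so an existing profile with an owner-execute bit keeps it and the result is no longer deterministic across hosts. If a fixed mode is still the intent while keeping the symbolic style, `mode: 'u=rw,go='` is absolute and idempotent. The 5.3.2.2 and 5.3.2.3 templates in the neighbouring hunks have the same change. The templates' `src` and the blocks' `when` are outside these hunks.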
@@ -88,5 +88,5 @@ dest: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' notify: Pam_auth_update_pwhistory diff --git a/tasks/section_5/cis_5.3.3.1.x.yml b/tasks/section_5/cis_5.3.3.1.x.yml index de650f3..1b05935 100644 --- a/tasks/section_5/cis_5.3.3.1.x.yml +++ b/tasks/section_5/cis_5.3.3.1.x.yml @@ -1,8 +1,7 @@ --- - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured" - when: - - ubtu24cis_rule_5_3_3_1_1 + when: ubtu24cis_rule_5_3_3_1_1 tags: - level1-server - level1-workstation @@ -18,15 +17,16 @@ line: "deny = {{ ubtu24cis_faillock_deny }}" insertafter: '^# end of pam-auth-update config' create: true + mode: 'go-wx' - name: "5.3.3.1.1 | AUDIT | Ensure password failed attempts lockout is configured | discover pam config with deny" ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?deny\b' /usr/share/pam-configs/* - register: ubtu24cis_faillock_deny_files + register: discovered_faillock_deny_files changed_when: false - failed_when: ubtu24cis_faillock_deny_files.rc not in [ 0, 1 ] + failed_when: discovered_faillock_deny_files.rc not in [ 0, 1 ] - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | if exists remove deny from faillock line in pam-auth conf files" - when: ubtu24cis_faillock_deny_files.stdout | length > 0 + when: discovered_faillock_deny_files.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: '(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)' @@ -36,8 +36,7 @@ - '/etc/pam.d/*' - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured" - when: - - ubtu24cis_rule_5_3_3_1_2 + when: ubtu24cis_rule_5_3_3_1_2 tags: - level1-server - level1-workstation 
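Review bot: The gated `replace` task in the 5.3.3.1.1 hunk keeps `regexp: '(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)'`, and a leading `(*` is rejected by Python's regex engine ("nothing to repeat"), so the task errors the first time `discovered_faillock_deny_files.stdout` is non-empty — the renamed gate leads straight to it. `(.*pam_faillock\.so\s*)` is almost certainly what was meant. The newly added `mode: 'go-wx'` on a `create: true` lineinfile is a relative mode: on a file this task creates, the owner/group bits come from the target's umask (0600 or 0640 under a restrictive one, 0644 under 022), so if a definite mode is wanted `mode: '0644'` or `'u=rw,go=r'` pins it. The lineinfile `path` and the block's `when` sit above this hunk.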
@@ -53,15 +52,16 @@ line: "unlock_time = {{ ubtu24cis_faillock_unlock_time }}" insertafter: '^# end of pam-auth-update config' create: true + mode: 'go-wx' - name: "5.3.3.1.2 | AUDIT | Ensure password unlock time is configured | discover pam config with unlock_time" ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?unlock_time\b' /usr/share/pam-configs/* - register: ubtu24cis_faillock_unlock_files + register: discovered_faillock_unlock_files changed_when: false - failed_when: ubtu24cis_faillock_unlock_files.rc not in [ 0, 1 ] + failed_when: discovered_faillock_unlock_files.rc not in [ 0, 1 ] - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | if exists remove unlock_time from faillock line in pam-auth conf files" - when: ubtu24cis_faillock_unlock_files.stdout | length > 0 + when: discovered_faillock_unlock_files.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: '(*.pam_faillock.so\s*)unlock_time\s*=\s*\b(.*)' @@ -71,8 +71,7 @@ - '/etc/pam.d/*' - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account" - when: - - ubtu24cis_rule_5_3_3_1_3 + when: ubtu24cis_rule_5_3_3_1_3 tags: - level2-server - level2-workstation 
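Review bot: Same shape as 5.3.3.1.1: the gated `replace` keeps `regexp: '(*.pam_faillock.so\s*)unlock_time\s*=\s*\b(.*)'`, whose leading `(*` Python's `re` rejects, and — judging by the `- '/etc/pam.d/*'` context line that opens the next hunk — its `loop` feeds the literal glob `/etc/pam.d/*` into `path`, which `ansible.builtin.replace` does not expand; either fault fails the play the first time `discovered_faillock_unlock_files.stdout` is non-empty. An `ansible.builtin.find` over /etc/pam.d feeding the loop, plus `regexp: '(.*pam_faillock\.so\s*)unlock_time\s*=\s*\d+\b(.*)'`, would do what the task name promises. The added `mode: 'go-wx'` is relative on a file `create: true` may be making, so the resulting bits depend on the target's umask rather than being pinned. The `path` and the block's `when` are above this hunk.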
@@ -88,15 +87,16 @@ line: "{{ ubtu24cis_pamroot_lock_string }}" insertafter: '^# end of pam-auth-update config' create: true + mode: 'go-wx' - name: "5.3.3.1.3 | AUDIT | Ensure password failed attempts lockout includes root account | discover pam config with unlock_time" ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)' /usr/share/pam-configs/* - register: ubtu24cis_faillock_rootlock_files + register: discovered_faillock_rootlock_files changed_when: false - failed_when: ubtu24cis_faillock_rootlock_files.rc not in [ 0, 1 ] + failed_when: discovered_faillock_rootlock_files.rc not in [ 0, 1 ] - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | if exists remove unlock_time from faillock line in pam-auth conf files" - when: ubtu24cis_faillock_rootlock_files.stdout | length > 0 + when: discovered_faillock_rootlock_files.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)' diff --git a/tasks/section_5/cis_5.3.3.2.x.yml b/tasks/section_5/cis_5.3.3.2.x.yml index b11d4dd..33268a1 100644 --- a/tasks/section_5/cis_5.3.3.2.x.yml +++ b/tasks/section_5/cis_5.3.3.2.x.yml @@ -1,8 +1,7 @@ --- - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured" - when: - - ubtu24cis_rule_5_3_3_2_1 + when: ubtu24cis_rule_5_3_3_2_1 tags: - level1-server - level1-workstation @@ -12,8 +11,7 @@ - pam block: - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from conf files except expected file" - when: - - item != ubtu24cis_passwd_difok_file + when: item != ubtu24cis_passwd_difok_file ansible.builtin.replace: path: "{{ item }}" regexp: 'difok\s*=\s*\d+\b' 
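Review bot: The two unchanged task names in this hunk still say `discover pam config with unlock_time` and `if exists remove unlock_time from faillock line`, but the grep and the replace target `even_deny_root|root_unlock_time`; the names were copied from 5.3.3.1.2 and now mislabel what runs — `discover pam config with even_deny_root/root_unlock_time` and `if exists remove root lockout options from faillock line` describe it. As in the two preceding controls, the replace's `regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)'` starts with `(*`, which Python's regex engine rejects, so the task fails as soon as `discovered_faillock_rootlock_files.stdout` is non-empty; `(.*pam_faillock\.so\s*)` fixes it. `mode: 'go-wx'` on the `create: true` lineinfile is relative to whatever the umask produced. The block's `when` and the lineinfile `path` are above the hunk.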
@@ -29,11 +27,10 @@ dest: "/{{ ubtu24cis_passwd_difok_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured" - when: - - ubtu24cis_rule_5_3_3_2_2 + when: ubtu24cis_rule_5_3_3_2_2 tags: - level1-server - level1-workstation @@ -43,8 +40,7 @@ - pam block: - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file" - when: - - item != ubtu24cis_passwd_minlen_file + when: item != ubtu24cis_passwd_minlen_file ansible.builtin.replace: path: "{{ item }}" regexp: 'minlen\s*=\s*\d+\b' @@ -60,11 +56,10 @@ dest: "/{{ ubtu24cis_passwd_minlen_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured" - when: - - ubtu24cis_rule_5_3_3_2_3 + when: ubtu24cis_rule_5_3_3_2_3 tags: - level1-server - level1-workstation @@ -74,8 +69,7 @@ - pam block: - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove pwd complex settings from conf files except expected file" - when: - - item != ubtu24cis_passwd_complex_file + when: item != ubtu24cis_passwd_complex_file ansible.builtin.replace: path: "{{ item }}" regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b' @@ -91,11 +85,10 @@ dest: "/{{ ubtu24cis_passwd_complex_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured" - when: - - ubtu24cis_rule_5_3_3_2_4 + when: ubtu24cis_rule_5_3_3_2_4 tags: - level1-server - level1-workstation @@ -105,8 +98,7 @@ - pam block: - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file" - when: - - item != ubtu24cis_passwd_maxrepeat_file + when: item != ubtu24cis_passwd_maxrepeat_file ansible.builtin.replace: path: "{{ item }}" regexp: 'maxrepeat\s*=\s*\d+\b' 
@@ -122,11 +114,10 @@ dest: "/{{ ubtu24cis_passwd_maxrepeat_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured" - when: - - ubtu24cis_rule_5_3_3_2_5 + when: ubtu24cis_rule_5_3_3_2_5 tags: - level1-server - level1-workstation @@ -136,8 +127,7 @@ - pam block: - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence settings from conf files except expected file" - when: - - item != ubtu24cis_passwd_maxsequence_file + when: item != ubtu24cis_passwd_maxsequence_file ansible.builtin.replace: path: "{{ item }}" regexp: 'maxsequence\s*=\s*\d+\b' @@ -153,11 +143,10 @@ dest: "/{{ ubtu24cis_passwd_maxsequence_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled" - when: - - ubtu24cis_rule_5_3_3_2_6 + when: ubtu24cis_rule_5_3_3_2_6 tags: - level1-server - level1-workstation @@ -167,8 +156,7 @@ - pam block: - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file" - when: - - item != ubtu24cis_passwd_dictcheck_file + when: item != ubtu24cis_passwd_dictcheck_file ansible.builtin.replace: path: "{{ item }}" regexp: 'dictcheck\s*=\s*\d+\b' @@ -184,11 +172,10 @@ dest: "/{{ ubtu24cis_passwd_dictcheck_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced" - when: - - ubtu24cis_rule_5_3_3_2_7 + when: ubtu24cis_rule_5_3_3_2_7 tags: - level1-server - level1-workstation 
@@ -198,8 +185,7 @@ - pam block: - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Remove quality enforcement settings from conf files except expected file" - when: - - item != ubtu24cis_passwd_quality_enforce_file + when: item != ubtu24cis_passwd_quality_enforce_file ansible.builtin.replace: path: "{{ item }}" regexp: 'enforcing\s*=\s*\d+\b' @@ -215,11 +201,10 @@ dest: "/{{ ubtu24cis_passwd_quality_enforce_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.8 | PATCH | Ensure password quality is enforced for the root user" - when: - - ubtu24cis_rule_5_3_3_2_8 + when: ubtu24cis_rule_5_3_3_2_8 tags: - level1-server - level1-workstation @@ -232,4 +217,4 @@ dest: "/{{ ubtu24cis_passwd_quality_enforce_root_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml index 8f05a73..0a3d5fb 100644 --- a/tasks/section_5/cis_5.3.3.3.x.yml +++ b/tasks/section_5/cis_5.3.3.3.x.yml @@ -14,12 +14,12 @@ block: - name: "5.3.3.3.1 | AUDIT | Ensure password history remember is configured | Check existing files" ansible.builtin.shell: grep -Psi -- '^\s*password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+([^#\n\r]+\s+)?remember=\d+\b' /etc/pam.d/common-password - register: ubtu24_pwhistory_remember + register: discovered_pwhistory_remember changed_when: false - failed_when: ubtu24_pwhistory_remember.rc not in [0, 1] + failed_when: discovered_pwhistory_remember.rc not in [0, 1] - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set" - when: ubtu24_pwhistory_remember.stdout | length > 0 + when: discovered_pwhistory_remember.stdout | length > 0 ansible.builtin.lineinfile: path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}" regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(remember=\d+) 
@@ -41,12 +41,12 @@ block: - name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files" ansible.builtin.shell: grep -Psi -- '^\s*password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+([^#\n\r]+\s+)?enforce_for_root\b' /etc/pam.d/common-password - register: ubtu24_pwhistory_enforce_for_root + register: discovered_pwhistory_enforce_for_root changed_when: false - failed_when: ubtu24_pwhistory_enforce_for_root.rc not in [0, 1] + failed_when: discovered_pwhistory_enforce_for_root.rc not in [0, 1] - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure remember is set" - when: ubtu24_pwhistory_enforce_for_root.stdout | length > 0 + when: discovered_pwhistory_enforce_for_root.stdout | length > 0 ansible.builtin.lineinfile: path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}" regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(enforce_for_root) @@ -68,12 +68,12 @@ block: - name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files" ansible.builtin.shell: grep -Psi -- '^\s*password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+([^#\n\r]+\s+)?use_authtok\b' /etc/pam.d/common-password - register: ubtu24_pwhistory_use_authtok + register: discovered_pwhistory_use_authtok changed_when: false - failed_when: ubtu24_pwhistory_use_authtok.rc not in [0, 1] + failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1] - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure remember is set" - when: ubtu24_pwhistory_use_authtok.stdout | length > 0 + when: discovered_pwhistory_use_authtok.stdout | length > 0 ansible.builtin.lineinfile: path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwhistory_file }}" regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(use_authtok) diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml index 6d2b0fc..53cf6cd 100644 --- a/tasks/section_5/cis_5.3.3.4.x.yml 
+++ b/tasks/section_5/cis_5.3.3.4.x.yml @@ -15,21 +15,20 @@ - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | capture state" ansible.builtin.shell: grep -E "pam_unix.so.*nullok" /etc/pam.d/common-* /usr/share/pam-configs/* | cut -d ':' -f1 | uniq changed_when: false - failed_when: ubtu24cis_pam_nullok.rc not in [ 0, 1 ] - register: ubtu24cis_pam_nullok + failed_when: discovered_pam_nullok.rc not in [ 0, 1 ] + register: discovered_pam_nullok - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Ensure nullok removed" - when: ubtu24cis_pam_nullok.stdout | length > 0 + when: discovered_pam_nullok.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: nullok replace: '' - loop: "{{ ubtu24cis_pam_nullok.stdout_lines }}" + loop: "{{ discovered_pam_nullok.stdout_lines }}" notify: Pam_auth_update_pwunix - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember" - when: - - ubtu24cis_rule_5_3_3_4_2 + when: ubtu24cis_rule_5_3_3_4_2 tags: - level1-server - level1-workstation @@ -41,11 +40,11 @@ - name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state" ansible.builtin.shell: grep -PH -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} | grep -Pv -- '\bremember=\d\b' changed_when: false - failed_when: ubtu24cis_pam_remember.rc not in [ 0, 1 ] - register: ubtu24cis_pam_remember + failed_when: discovered_pam_remember.rc not in [ 0, 1 ] + register: discovered_pam_remember - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Ensure remember removed" - when: ubtu24cis_pam_remember.stdout | length > 0 + when: discovered_pam_remember.stdout | length > 0 ansible.builtin.replace: path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwunix_file }}" regexp: remember=\d+ 
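Review bot: The brace expansion in the 5.3.3.4.2 capture-state command, `/etc/pam.d/common-{password,auth,account,session,session-noninteractive}`, is a bash-ism; `ansible.builtin.shell` runs under `/bin/sh`, which on Ubuntu is dash and passes the braces through literally, so grep reports a missing file (rc 2) and `failed_when: discovered_pam_remember.rc not in [ 0, 1 ]` fails the play — unless something outside this hunk sets `executable: /bin/bash` for the task. Either list the five files explicitly or add `args: { executable: /bin/bash }` to the task. The pattern also repeats `^\h*^\h*`, which is harmless but reads like a paste error; `'^\h*[^#\n\r]+\h+pam_unix\.so\b'` is sufficient.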
@@ -53,8 +52,7 @@ notify: Pam_auth_update_pwunix - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm" - when: - - ubtu24cis_rule_5_3_3_4_3 + when: ubtu24cis_rule_5_3_3_4_3 tags: - level1-server - level1-workstation @@ -66,11 +64,11 @@ - name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state" ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?("{{ ubtu24cis_passwd_hash_algo }}")\b' /etc/pam.d/common-password changed_when: false - failed_when: ubtu24cis_pam_pwhash.rc not in [ 0, 1 ] - register: ubtu24cis_pam_pwhash + failed_when: discovered_pam_pwhash.rc not in [ 0, 1 ] + register: discovered_pam_pwhash - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Ensure hash algorithm set" - when: ubtu24cis_pam_remember.stdout | length > 0 + when: discovered_pam_remember.stdout | length > 0 ansible.builtin.replace: path: "/{{ ubtu24cis_pam_confd_dir }}{{ ubtu24cis_pam_pwunix_file }}" regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)" @@ -78,8 +76,7 @@ notify: Pam_auth_update_pwunix - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok" - when: - - ubtu24cis_rule_5_3_3_4_4 + when: ubtu24cis_rule_5_3_3_4_4 tags: - level1-server - level1-workstation 
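Review bot: The 5.3.3.4.3 "Ensure hash algorithm set" task is gated on the wrong register: `when: discovered_pam_remember.stdout | length > 0` reads the 5.3.3.4.2 remember check (in a separate block above this hunk) rather than `discovered_pam_pwhash`, which this hunk registers and never uses, so whether the hashing algorithm gets rewritten depends on an unrelated result. The capture grep also embeds literal double quotes around the Jinja value, `("{{ ubtu24cis_passwd_hash_algo }}")`, so it only matches a line that contains the algorithm name in quotes, which a real pam_unix line will not. Suggested: drop the quotes from the pattern and gate the replace on the algorithm being absent, `when: discovered_pam_pwhash.stdout | length == 0`.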
@@ -91,13 +88,13 @@ - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state" ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/common-password changed_when: false - failed_when: ubtu24cis_pam_authtok.rc not in [ 0, 1 ] - register: ubtu24cis_pam_authtok + failed_when: discovered_pam_authtok.rc not in [ 0, 1 ] + register: discovered_pam_authtok - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | pam_files" when: - - ubtu24cis_pam_authtok is defined - - ubtu24cis_pam_authtok | length > 0 + - discovered_pam_authtok is defined + - discovered_pam_authtok | length > 0 ansible.builtin.lineinfile: path: "/etc/pam.d/common-password" regexp: ^(\s*password\s+[success=end.*]\s+pam_unix\.so)(.*)\s+use_authtok\s*=\s*\S+(.*$) diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index c0846a0..ccb0427 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -1,8 +1,7 @@ --- - name: "5.4.1.1 | PATCH | Ensure password expiration is configured" - when: - - ubtu24cis_rule_5_4_1_1 + when: ubtu24cis_rule_5_4_1_1 tags: - level1-server - level1-workstation 
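Review bot: The 5.3.3.4.4 "pam_files" task tests the registered result dict rather than its output: `discovered_pam_authtok | length > 0` counts the keys of the register (rc, stdout, stderr, …) and is always true, so the lineinfile runs unconditionally; the sibling tasks in this file test `.stdout`. Change it to `- discovered_pam_authtok.stdout | length > 0` (the `is defined` guard can stay). Separately, `[success=end.*]` in the lineinfile regexp is a bracket expression matching one character from that set, not the literal `[success=end …]` control field; if that field is what is meant, escape it, e.g. `\[success=end[^\]]*\]`.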
@@ -20,27 +19,26 @@ ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS' - line: 'PASS_MAX_DAYS {{ ubtu24cis_pass.max_days }}' + line: 'PASS_MAX_DAYS {{ ubtu24cis_pass_max_days }}' insertafter: '# Password aging controls' - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Get existing users PASS_MAX_DAYS" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ ubtu24cis_pass.max_days }} || $5<{{ ubtu24cis_pass.min_days }} || $5 == -1)){print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ ubtu24cis_pass_max_days }} || $5<{{ ubtu24cis_pass_min_days }} || $5 == -1)){print $1}' /etc/shadow" changed_when: false failed_when: false - register: ubtu24cis_max_days + register: discovered_passwd_max_days - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set existing users PASS_MAX_DAYS" when: - ubtu24cis_disruption_high - (item != 'root') or (not ubtu24cis_uses_root) - ansible.builtin.shell: chage --maxdays {{ ubtu24cis_pass.max_days }} {{ item }} + ansible.builtin.command: chage --maxdays {{ ubtu24cis_pass_max_days }} {{ item }} failed_when: false - changed_when: ubtu24cis_max_days.stdout | length > 0 - loop: "{{ ubtu24cis_max_days.stdout_lines }}" + changed_when: discovered_passwd_max_days.stdout | length > 0 + loop: "{{ discovered_passwd_max_days.stdout_lines }}" - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured" - when: - - ubtu24cis_rule_5_4_1_2 + when: ubtu24cis_rule_5_4_1_2 tags: - level2-server - level2-workstation 
@@ -54,22 +52,22 @@ ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS' - line: 'PASS_MIN_DAYS {{ ubtu24cis_pass.min_days }}' + line: 'PASS_MIN_DAYS {{ ubtu24cis_pass_min_days }}' - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Get existing users PASS_MIN_DAYS" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu24cis_pass.min_days }})) {print $1}' /etc/shadow" + ansible.builtin.command: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu24cis_pass_min_days }})) {print $1}' /etc/shadow" changed_when: false failed_when: false - register: ubtu24cis_passwd_min_days + register: discovered_passwd_min_days - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Set existing users PASS_MIN_DAYS" when: - ubtu24cis_disruption_high - (item != 'root') or (not ubtu24cis_uses_root) - ansible.builtin.shell: chage --mindays {{ ubtu24cis_pass.min_days }} {{ item }} + ansible.builtin.command: chage --mindays {{ ubtu24cis_pass_min_days }} {{ item }} failed_when: false - changed_when: ubtu24cis_passwd_min_days.stdout |length > 0 - loop: "{{ ubtu24cis_passwd_min_days.stdout_lines }}" + changed_when: discovered_passwd_min_days.stdout |length > 0 + loop: "{{ discovered_passwd_min_days.stdout_lines }}" - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured" when: 
@@ -87,22 +85,22 @@ ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE' - line: 'PASS_WARN_AGE {{ ubtu24cis_pass.warn_age }}' + line: 'PASS_WARN_AGE {{ ubtu24cis_pass_warn_age }}' - - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Get existing users PASS_WARN_AGE" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ ubtu24cis_pass.warn_age }}){print $1}' /etc/shadow" + - name: "5.4.1.3 | AUDIT | Ensure password expiration warning days is configured | Get existing users PASS_WARN_AGE" + ansible.builtin.command: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ ubtu24cis_pass_warn_age }}){print $1}' /etc/shadow" changed_when: false failed_when: false - register: ubtu24cis_passwd_warn_days + register: discovered_passwd_warn_days - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set existing users PASS_WARN_AGE" when: - ubtu24cis_disruption_high - (item != 'root') or (not ubtu24cis_uses_root) - ansible.builtin.shell: chage --maxdays {{ ubtu24cis_pass.warn_age }} {{ item }} + ansible.builtin.command: chage --maxdays {{ ubtu24cis_pass_warn_age }} {{ item }} failed_when: false - changed_when: ubtu24cis_passwd_warn_days.stdout | length > 0 - loop: "{{ ubtu24cis_passwd_warn_days.stdout_lines }}" + changed_when: discovered_passwd_warn_days.stdout | length > 0 + loop: "{{ discovered_passwd_warn_days.stdout_lines }}" - name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured" when: 
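Review bot: The 5.4.1.3 "Set existing users PASS_WARN_AGE" task runs `chage --maxdays {{ ubtu24cis_pass_warn_age }} {{ item }}` — that sets the maximum password age, not the warning period, so with `ubtu24cis_disruption_high` every user returned by the awk filter gets a max age equal to the warn value (e.g. 7 days) and is pushed into expiry, while their warn-age field in /etc/shadow is left untouched. It should be `chage --warndays {{ ubtu24cis_pass_warn_age }} {{ item }}`. The bug predates the shell→command switch, but `failed_when: false` means nothing will surface it at runtime, so this rename pass is the right place to fix it.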
@@ -132,31 +130,33 @@ - login block: - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | General setting" - ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2 + ansible.builtin.command: useradd -D | grep INACTIVE | cut -d= -f2 changed_when: false failed_when: false - register: ubtu24cis_passwd_inactive_setting + register: discovered_passwd_inactive_setting - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured| Set inactive period for new users" - when: ubtu24cis_passwd_inactive_setting.stdout != ubtu24cis_pass.inactive | string - ansible.builtin.shell: useradd -D -f {{ ubtu24cis_pass.inactive }} + when: discovered_passwd_inactive_setting.stdout != ubtu24cis_pass_inactive | string + ansible.builtin.command: useradd -D -f {{ ubtu24cis_pass_inactive }} failed_when: false + changed_when: true - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | Get Individual users" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<{{ ubtu24cis_pass.inactive }}))) {print $1}' /etc/shadow" + ansible.builtin.command: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<{{ ubtu24cis_pass_inactive }}))) {print $1}' /etc/shadow" changed_when: false failed_when: false - register: ubtu24cis_passwd_inactive_users + register: discovered_passwd_inactive_users - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set inactive period for existing users" when: - ubtu24cis_disruption_high - - ubtu24cis_passwd_inactive_users.stdout | length > 0 + - discovered_passwd_inactive_users.stdout | length > 0 - (item != 'root') and (not ubtu24cis_uses_root) - ansible.builtin.shell: chage --inactive {{ ubtu24cis_pass.inactive }} {{ item }} + ansible.builtin.command: chage --inactive {{ ubtu24cis_pass_inactive }} {{ item }} + changed_when: true failed_when: false with_items: - - "{{ ubtu24cis_passwd | map(attribute='id') | list | 
intersect(ubtu24cis_passwd_inactive_users.stdout_lines) | list }}" + - "{{ ubtu24cis_passwd | map(attribute='id') | list | intersect(discovered_passwd_inactive_users.stdout_lines) | list }}" - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past" when: 
@@ -177,32 +177,33 @@ changed_when: false failed_when: false check_mode: false - register: ubtu24cis_current_time + register: discovered_current_time - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed PW date in future" - ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu24cis_current_time.stdout }})print$1}'" + ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ discovered_current_time.stdout }})print$1}'" changed_when: false failed_when: false check_mode: false - register: ubtu24cis_passwd_future_user_list + register: discovered_passwd_future_user_list - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Warn about users" - when: ubtu24cis_passwd_future_user_list.stdout | length > 0 + when: discovered_passwd_future_user_list.stdout | length > 0 ansible.builtin.debug: msg: - "WARNING!! The following accounts have the last PW change date in the future" - - "{{ ubtu24cis_passwd_future_user_list.stdout_lines }}" + - "{{ discovered_passwd_future_user_list.stdout_lines }}" - name: "5.4.1.6 | WARN | Ensure all users last password change date is in the past | warn_count" - when: ubtu24cis_passwd_future_user_list.stdout | length > 0 + when: discovered_passwd_future_user_list.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Lock accounts with future PW changed dates" when: - ubtu24cis_disruption_high - - ubtu24cis_passwd_future_user_list.stdout | length > 0 - ansible.builtin.shell: passwd --expire {{ item }} + - discovered_passwd_future_user_list.stdout | length > 0 + ansible.builtin.command: passwd --expire {{ item }} + changed_when: true failed_when: false with_items: - - "{{ ubtu24cis_passwd_future_user_list.stdout_lines }}" + - "{{ discovered_passwd_future_user_list.stdout_lines }}" 
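Review bot: `passwd --expire {{ item }}` does not lock an account — it forces a password change at next login — so the task name "Lock accounts with future PW changed dates" overstates what happens; either rename the task or use `passwd -l` if a lock is actually intended. Because the time lookup at the top of this hunk has `failed_when: false`, an empty `discovered_current_time.stdout` turns the awk test into `$3>)`, a syntax error that is also swallowed by `failed_when: false` on the list task, so no user is reported and no warning is raised; a `when: discovered_current_time.stdout | length > 0` guard on the list task would make that failure visible. With `failed_when: false` plus `changed_when: true`, a failed `passwd` call is still reported as a change — register the result and use `changed_when: result.rc == 0` instead.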
diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index d071408..d6861bd 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -17,7 +17,7 @@ - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - ansible.builtin.shell: passwd -l {{ item }} + ansible.builtin.command: passwd -l {{ item }} changed_when: false failed_when: false loop: "{{ prelim_uid_zero_accounts_except_root.stdout_lines }}" @@ -41,9 +41,9 @@ block: - name: "5.4.2.2 | AUDIT | Ensure root is the only GID 0 account | Get members of gid 0" ansible.builtin.shell: "awk -F: '($1 !~ /^(sync|shutdown|halt|operator)/ && $4==\"0\") {print $1}' /etc/passwd | grep -wv 'root'" - register: discovered_gid0_members changed_when: false failed_when: discovered_gid0_members.rc not in [ 0, 1 ] + register: discovered_gid0_members - name: "5.4.2.2 | PATCH | Ensure root is the only GID 0 account | Remove users not root from gid 0" when: @@ -51,7 +51,7 @@ - discovered_gid0_members.stdout | length > 0 ansible.builtin.user: name: "{{ item }}" - gid: 0 + group: 0 state: absent loop: - discovered_gid0_members.stdout_lines @@ -174,7 +174,7 @@ state: directory owner: root group: root - mode: '0755' + mode: 'go-w' follow: false loop: "{{ discovered_root_path_perms.results }}" loop_control: @@ -196,6 +196,7 @@ regexp: \s*umask line: "umask {{ ubtu24cis_root_umask }}" create: true + mode: 'u+x,go-rwx' - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell" when: diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml index 38fe20a..e3e7d6b 100644 --- a/tasks/section_5/cis_5.4.3.x.yml +++ b/tasks/section_5/cis_5.4.3.x.yml @@ -34,7 +34,7 @@ state: "{{ item.state }}" marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true - mode: '0644' + mode: 'go-r' block: | TMOUT={{ ubtu24cis_shell_session_timeout }} readonly TMOUT 
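Review bot: The 5.4.2.2 "Remove users not root from gid 0" task would delete accounts rather than move them out of GID 0: `ansible.builtin.user` with `state: absent` removes the user, and the renamed `group: 0` is irrelevant on removal. Presumably the intent is `state: present` with a different primary group (e.g. a per-user group that is ensured first), or simply reporting the members through the warning_facts pattern and leaving the decision to an operator. Note also that `loop:` is given the literal string `- discovered_gid0_members.stdout_lines` instead of `"{{ discovered_gid0_members.stdout_lines }}"`, so today the task runs once against a non-existent user named after the variable and changes nothing — which is the only reason the `state: absent` has not bitten anyone yet.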
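Review bot: `mode: 'go-r'` on the 5.4.3.x TMOUT blockinfile strips read permission from group and other, whereas the previous `'0644'` left the file world-readable. If this block is written to a /etc/profile.d fragment (the `path` is outside the hunk), it is sourced by every user's login shell, so once it is unreadable by non-root users the session timeout silently stops applying to exactly the accounts it is meant to constrain; with `create: true` the file keeps whatever umask-derived bits remain after the subtraction. This looks like a typo for `'go-w'` (the form used for the root PATH directories earlier in this file) or an explicit `'u=rw,go=r'`.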
diff --git a/tasks/section_6/cis_6.1.1.x.yml b/tasks/section_6/cis_6.1.1.x.yml index 8a56146..76a538c 100644 --- a/tasks/section_6/cis_6.1.1.x.yml +++ b/tasks/section_6/cis_6.1.1.x.yml 
@@ -35,31 +35,31 @@ - name: "6.1.1.2 | PATCH | Ensure journald log file access is configured | Default file permissions" ansible.builtin.file: path: /usr/lib/tmpfiles.d/systemd.conf - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.1.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file" ansible.builtin.stat: path: /etc/tmpfiles.d/systemd.conf - register: tmpfile_override + register: discovered_journald_tmpfile_override - name: "6.1.1.2 | AUDIT | Ensure journald log file access is configured | If override file check for journal" - when: tmpfile_override.stat.exists + when: discovered_journald_tmpfile_override.stat.exists ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal \d*' /usr/lib/tmpfiles.d/systemd.conf - register: journald_fileperms_override changed_when: false - failed_when: journald_fileperms_override.rc not in [ 0, 1 ] + failed_when: discovered_journald_fileperms_override.rc not in [ 0, 1 ] + register: discovered_journald_fileperms_override - name: "6.1.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found" when: - - tmpfile_override.stat.exists - - journald_fileperms_override.stdout | length > 0 + - discovered_journald_tmpfile_override.stat.exists + - discovered_journald_fileperms_override.stdout | length > 0 ansible.builtin.debug: msg: "Warning!! - tmpfiles override found /usr/lib/tmpfiles.d/systemd.conf affecting journald files please confirm matches site policy" - name: "6.1.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found" when: - - tmpfile_override.stat.exists - - journald_fileperms_override.stdout | length > 0 + - discovered_journald_tmpfile_override.stat.exists + - discovered_journald_fileperms_override.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml vars: 
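Review bot: The 6.1.1.2 override check greps the wrong file: the task only runs `when: discovered_journald_tmpfile_override.stat.exists` (i.e. /etc/tmpfiles.d/systemd.conf is present), but it reads `/usr/lib/tmpfiles.d/systemd.conf`, the distribution default whose mode the previous task has just tightened, so a site override that re-opens the journal permissions is never inspected and no warning is raised. Point it at the override: `grep -E 'z /var/log/journal/%m/system.journal' /etc/tmpfiles.d/systemd.conf`. `\d` is also not an ERE class — GNU grep -E treats it as a literal `d` (newer releases warn about the stray backslash) — so use `-P` or `[0-9]` if the mode digits are meant to be matched.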
@@ -85,7 +85,7 @@ dest: /etc/systemd/journald.conf.d/rotation.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.1.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries" ansible.builtin.replace: diff --git a/tasks/section_6/cis_6.1.2.x.yml b/tasks/section_6/cis_6.1.2.x.yml index 754bae8..167180c 100644 --- a/tasks/section_6/cis_6.1.2.x.yml +++ b/tasks/section_6/cis_6.1.2.x.yml @@ -96,7 +96,7 @@ dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.1.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries" ansible.builtin.replace: @@ -121,7 +121,7 @@ dest: /etc/systemd/journald.conf.d/storage.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.1.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries" ansible.builtin.replace: @@ -146,7 +146,7 @@ dest: /etc/systemd/journald.conf.d/storage.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.1.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries" ansible.builtin.replace: diff --git a/tasks/section_6/cis_6.1.3.8.yml b/tasks/section_6/cis_6.1.3.8.yml index 3f4e49c..932801e 100644 --- a/tasks/section_6/cis_6.1.3.8.yml +++ b/tasks/section_6/cis_6.1.3.8.yml @@ -1,8 +1,7 @@ --- - name: "6.1.3.8 | PATCH | Ensure logrotate is configured" - when: - - ubtu24cis_rule_6_1_3_8 + when: ubtu24cis_rule_6_1_3_8 tags: - level1-server - level1-workstation 
@@ -15,14 +14,14 @@ - name: "6.1.3.8 | AUDIT | Ensure logrotate is configured | Get logrotate settings" ansible.builtin.find: paths: /etc/logrotate.d/ - register: ubtu24cis_log_rotate_conf + register: discovered_log_rotate_conf - name: "6.1.3.8 | PATCH | Ensure logrotate is configured | conf files" ansible.builtin.replace: path: "{{ item.path }}" regexp: '^(\s*)(daily|weekly|monthly|yearly)$' replace: "\\1{{ ubtu24cis_logrotate }}" - loop: "{{ ubtu24cis_log_rotate_conf.files }}" + loop: "{{ discovered_log_rotate_conf.files }}" - name: "6.1.3.8 | PATCH | Ensure logrotate is configured | logrotate.conf" ansible.builtin.replace: diff --git a/tasks/section_6/cis_6.1.3.x.yml b/tasks/section_6/cis_6.1.3.x.yml index bb46529..a0469fe 100644 --- a/tasks/section_6/cis_6.1.3.x.yml +++ b/tasks/section_6/cis_6.1.3.x.yml @@ -20,8 +20,7 @@ state: present - name: "6.1.3.2 | PATCH | Ensure rsyslog service is enabled" - when: - - ubtu24cis_rule_6_1_3_2 + when: ubtu24cis_rule_6_1_3_2 tags: - level1-server - level1-workstation @@ -37,8 +36,7 @@ enabled: true - name: "6.1.3.3 | PATCH | Ensure journald is configured to send logs to rsyslog" - when: - - ubtu24cis_rule_6_1_3_3 + when: ubtu24cis_rule_6_1_3_3 tags: - level1-server - level1-workstation @@ -58,8 +56,7 @@ notify: Restart syslog service - name: "6.1.3.4 | PATCH | Ensure rsyslog log file creation mode is configured" - when: - - ubtu24cis_rule_6_1_3_4 + when: ubtu24cis_rule_6_1_3_4 tags: - level1-server - level1-workstation @@ -77,8 +74,7 @@ notify: Restart syslog service - name: "6.1.3.5 | PATCH | Ensure logging is configured" - when: - - ubtu24cis_rule_6_1_3_5 + when: ubtu24cis_rule_6_1_3_5 tags: - level1-server - level1-workstation 
@@ -97,21 +93,21 @@ changed_when: false failed_when: false check_mode: false - register: ubtu24cis_6_1_3_5_rsyslog_config_path + register: discovered_rsyslog_config_path - name: "6.1.3.5 | AUDIT | Ensure logging is configured | Gather rsyslog current config" - ansible.builtin.shell: "cat {{ ubtu24cis_6_1_3_5_rsyslog_config_path.stdout }}" + ansible.builtin.command: "cat {{ discovered_rsyslog_config_path.stdout }}" changed_when: false failed_when: false check_mode: false - register: ubtu24cis_6_1_3_5_rsyslog_config + register: discovered_rsyslog_config - name: "6.1.3.5 | AUDIT | Ensure logging is configured | Message out config" when: not ubtu24cis_rsyslog_ansible_managed ansible.builtin.debug: msg: - "Warning!! Below is the current logging configurations for rsyslog, please review" - - "{{ ubtu24cis_6_1_3_5_rsyslog_config.stdout_lines }}" + - "{{ discovered_rsyslog_config.stdout_lines }}" - name: "6.1.3.5 | PATCH | Ensure logging is configured | Set warning count" when: not ubtu24cis_rsyslog_ansible_managed @@ -121,7 +117,7 @@ - name: "6.1.3.5 | PATCH | Ensure logging is configured | Automated rsyslog configuration" when: ubtu24cis_rsyslog_ansible_managed ansible.builtin.lineinfile: - path: "{{ ubtu24cis_6_1_3_5_rsyslog_config_path.stdout }}" + path: "{{ discovered_rsyslog_config_path.stdout }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" @@ -164,8 +160,7 @@ insertafter: EOF - name: "6.1.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client" - when: - - ubtu24cis_rule_6_1_3_7 + when: ubtu24cis_rule_6_1_3_7 tags: - level1-server - level1-workstation diff --git a/tasks/section_6/cis_6.1.4.1.yml b/tasks/section_6/cis_6.1.4.1.yml index 14e2942..5d3d70c 100644 --- a/tasks/section_6/cis_6.1.4.1.yml +++ b/tasks/section_6/cis_6.1.4.1.yml 
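Review bot: `ansible.builtin.command: "cat {{ discovered_rsyslog_config_path.stdout }}"` has no guard against an empty path: the lookup at the top of this hunk carries `failed_when: false`, so on a host where it finds nothing `cat` runs with no argument and the later managed-config task gets `path: ""`. Prefer `ansible.builtin.slurp` with `src: "{{ discovered_rsyslog_config_path.stdout }}"` over shelling out to `cat`, and add `when: discovered_rsyslog_config_path.stdout | length > 0` to both the read and the lineinfile task so a missing rsyslog.conf fails visibly rather than being papered over by `failed_when: false`.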
@@ -26,7 +26,7 @@ - item != "/var/log/lastlog" ansible.builtin.file: path: "{{ item }}" - mode: u-x,g-wx,o-rwx + mode: 'u-x,g-wx,o-rwx' loop: "{{ discovered_logfiles.stdout_lines }}" - name: "6.1.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" diff --git a/tasks/section_6/cis_6.2.1.x.yml b/tasks/section_6/cis_6.2.1.x.yml index 5c5df2b..f016fd9 100644 --- a/tasks/section_6/cis_6.2.1.x.yml +++ b/tasks/section_6/cis_6.2.1.x.yml @@ -20,8 +20,7 @@ state: present - name: "6.2.1.2 | PATCH | Ensure auditd service is enabled and active" - when: - - ubtu24cis_rule_6_2_1_2 + when: ubtu24cis_rule_6_2_1_2 tags: - level2-server - level2-workstation @@ -38,8 +37,7 @@ masked: false - name: "6.2.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" - when: - - ubtu24cis_rule_6_2_1_3 + when: ubtu24cis_rule_6_2_1_3 tags: - level2-server - level2-workstation @@ -55,18 +53,18 @@ changed_when: false failed_when: false check_mode: false - register: ubtu24cis_6_2_1_3_cmdline_settings + register: discovered_grub_cmdline_settings - name: "6.2.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist" - when: "'audit=' not in ubtu24cis_6_2_1_3_cmdline_settings.stdout" + when: "'audit=' not in discovered_grub_cmdline_settings.stdout" ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ ubtu24cis_6_2_1_3_cmdline_settings.stdout }} audit=1"' + line: 'GRUB_CMDLINE_LINUX="{{ discovered_grub_cmdline_settings.stdout }} audit=1"' notify: Grub update - name: "6.2.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists" - when: "'audit=' in ubtu24cis_6_2_1_3_cmdline_settings.stdout" + when: "'audit=' in discovered_grub_cmdline_settings.stdout" ansible.builtin.replace: dest: /etc/default/grub regexp: 'audit=([0-9]+)' 
@@ -76,8 +74,7 @@ notify: Grub update - name: "6.2.1.4 | PATCH | Ensure audit_backlog_limit is sufficient" - when: - - ubtu24cis_rule_6_2_1_4 + when: ubtu24cis_rule_6_2_1_4 tags: - level2-server - level2-workstation @@ -93,14 +90,14 @@ changed_when: false failed_when: false check_mode: false - register: ubtu24cis_6_2_1_4_cmdline_settings + register: discovered_audit_backlog_grub_cmdline_settings - name: "6.2.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist" - when: "'audit_backlog_limit=' not in ubtu24cis_6_2_1_4_cmdline_settings.stdout" + when: "'audit_backlog_limit=' not in discovered_audit_backlog_grub_cmdline_settings.stdout" ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ ubtu24cis_6_2_1_4_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu24cis_audit_back_log_limit }}"' + line: 'GRUB_CMDLINE_LINUX="{{ discovered_audit_backlog_grub_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu24cis_audit_back_log_limit }}"' notify: Grub update - name: "6.2.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists" diff --git a/tasks/section_6/cis_6.2.2.x.yml b/tasks/section_6/cis_6.2.2.x.yml index 039ea57..88b5273 100644 --- a/tasks/section_6/cis_6.2.2.x.yml +++ b/tasks/section_6/cis_6.2.2.x.yml @@ -1,8 +1,7 @@ --- - name: "6.2.2.1 | PATCH | Ensure audit log storage size is configured" - when: - - ubtu24cis_rule_6_2_2_1 + when: ubtu24cis_rule_6_2_2_1 tags: - level2-server - level2-workstation @@ -18,8 +17,7 @@ notify: Restart auditd - name: "6.2.2.2 | PATCH | Ensure audit logs are not automatically deleted" - when: - - ubtu24cis_rule_6_2_2_2 + when: ubtu24cis_rule_6_2_2_2 tags: - level2-server - level2-workstation @@ -34,8 +32,7 @@ notify: Restart auditd - name: "6.2.2.3 | PATCH | Ensure system is disabled when audit logs are full" - when: - - ubtu24cis_rule_6_2_2_3 + when: ubtu24cis_rule_6_2_2_3 tags: - level2-server - level2-workstation 
@@ -53,8 +50,7 @@ notify: Restart auditd - name: "6.2.2.4 | PATCH | Ensure system warns when audit logs are low on space" - when: - - ubtu24cis_rule_6_2_2_4 + when: ubtu24cis_rule_6_2_2_4 tags: - level2-server - level2-workstation diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml index 979819f..58db7d6 100644 --- a/tasks/section_6/cis_6.2.3.x.yml +++ b/tasks/section_6/cis_6.2.3.x.yml @@ -1,8 +1,7 @@ --- - name: "6.2.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - when: - - ubtu24cis_rule_6_2_3_1 + when: ubtu24cis_rule_6_2_3_1 tags: - level2-server - level2-workstation @@ -14,8 +13,7 @@ update_audit_template: true - name: "6.2.3.2 | PATCH | Ensure actions as another user are always logged" - when: - - ubtu24cis_rule_6_2_3_2 + when: ubtu24cis_rule_6_2_3_2 tags: - level2-server - level2-workstation @@ -27,8 +25,7 @@ update_audit_template: true - name: "6.2.3.3 | PATCH | Ensure events that modify the sudo log file are collected" - when: - - ubtu24cis_rule_6_2_3_3 + when: ubtu24cis_rule_6_2_3_3 tags: - level2-server - level2-workstation @@ -40,8 +37,7 @@ update_audit_template: true - name: "6.2.3.4 | PATCH | Ensure events that modify date and time information are collected" - when: - - ubtu24cis_rule_6_2_3_4 + when: ubtu24cis_rule_6_2_3_4 tags: - level2-server - level2-workstation @@ -54,8 +50,7 @@ update_audit_template: true - name: "6.2.3.5 | PATCH | Ensure events that modify the system's network environment are collected" - when: - - ubtu24cis_rule_6_2_3_5 + when: ubtu24cis_rule_6_2_3_5 tags: - level2-server - level2-workstation @@ -68,8 +63,7 @@ update_audit_template: true - name: "6.2.3.6 | PATCH | Ensure use of privileged commands is collected" - when: - - ubtu24cis_rule_6_2_3_6 + when: ubtu24cis_rule_6_2_3_6 tags: - level2-server - level2-workstation 
@@ -80,17 +74,16 @@ block: - name: "6.2.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs" ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done - register: priv_procs changed_when: false check_mode: false + register: discovered_privilege_processes - name: "6.2.3.6 | PATCH | Ensure use of privileged commands is collected | Set privileged rules" ansible.builtin.set_fact: update_audit_template: true - name: "6.2.3.7 | PATCH | Ensure unsuccessful file access attempts are collected" - when: - - ubtu24cis_rule_6_2_3_7 + when: ubtu24cis_rule_6_2_3_7 tags: - level2-server - level2-workstation @@ -102,8 +95,7 @@ update_audit_template: true - name: "6.2.3.8 | PATCH | Ensure events that modify user/group information are collected" - when: - - ubtu24cis_rule_6_2_3_8 + when: ubtu24cis_rule_6_2_3_8 tags: - level2-server - level2-workstation @@ -115,8 +107,7 @@ update_audit_template: true - name: "6.2.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" - when: - - ubtu24cis_rule_6_2_3_9 + when: ubtu24cis_rule_6_2_3_9 tags: - level2-server - level2-workstation @@ -129,8 +120,7 @@ update_audit_template: true - name: "6.2.3.10 | PATCH | Ensure successful file system mounts are collected" - when: - - ubtu24cis_rule_6_2_3_10 + when: ubtu24cis_rule_6_2_3_10 tags: - level2-server - level2-workstation @@ -142,8 +132,7 @@ update_audit_template: true - name: "6.2.3.11 | PATCH | Ensure session initiation information is collected" - when: - - ubtu24cis_rule_6_2_3_11 + when: ubtu24cis_rule_6_2_3_11 tags: - level2-server - level2-workstation 
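Review bot: The register renamed to `discovered_privilege_processes` in the 6.2.3.6 block is not consumed anywhere in this hunk; the only visible effect of the task is `update_audit_template: true`. If the audit-rules template (not part of this diff) still reads `priv_procs` to generate the per-binary execve rules, the rename breaks privileged-command auditing silently — please confirm the template was updated in the same change, or drop the register if the list is no longer used. A one-line comment above the shell task saying where the list is consumed, e.g. `# consumed by templates/audit/… when update_audit_template is true`, would stop the next rename from repeating this.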
@@ -155,8 +144,7 @@ update_audit_template: true - name: "6.2.3.12 | PATCH | Ensure login and logout events are collected" - when: - - ubtu24cis_rule_6_2_3_12 + when: ubtu24cis_rule_6_2_3_12 tags: - level2-server - level2-workstation @@ -168,8 +156,7 @@ update_audit_template: true - name: "6.2.3.13 | PATCH | Ensure file deletion events by users are collected" - when: - - ubtu24cis_rule_6_2_3_13 + when: ubtu24cis_rule_6_2_3_13 tags: - level2-server - level2-workstation @@ -182,8 +169,7 @@ update_audit_template: true - name: "6.2.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - when: - - ubtu24cis_rule_6_2_3_14 + when: ubtu24cis_rule_6_2_3_14 tags: - level2-server - level2-workstation @@ -196,8 +182,7 @@ update_audit_template: true - name: "6.2.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - when: - - ubtu24cis_rule_6_2_3_15 + when: ubtu24cis_rule_6_2_3_15 tags: - level2-server - level2-workstation @@ -211,8 +196,7 @@ update_audit_template: true - name: "6.2.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - when: - - ubtu24cis_rule_6_2_3_16 + when: ubtu24cis_rule_6_2_3_16 tags: - level2-server - level2-workstation @@ -226,8 +210,7 @@ update_audit_template: true - name: "6.2.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - when: - - ubtu24cis_rule_6_2_3_17 + when: ubtu24cis_rule_6_2_3_17 tags: - level2-server - level2-workstation @@ -241,8 +224,7 @@ update_audit_template: true - name: "6.2.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - when: - - ubtu24cis_rule_6_2_3_18 + when: ubtu24cis_rule_6_2_3_18 tags: - level2-server - level2-workstation 
@@ -256,8 +238,7 @@ update_audit_template: true - name: "6.2.3.19 | PATCH | Ensure kernel module loading and unloading is collected" - when: - - ubtu24cis_rule_6_2_3_19 + when: ubtu24cis_rule_6_2_3_19 tags: - level2-server - level2-workstation @@ -270,8 +251,7 @@ update_audit_template: true - name: "6.2.3.20 | PATCH | Ensure the audit configuration is immutable" - when: - - ubtu24cis_rule_6_2_3_20 + when: ubtu24cis_rule_6_2_3_20 tags: - level2-server - level2-workstation @@ -286,8 +266,7 @@ update_audit_template: true - name: "6.2.3.21 | PATCH | Ensure the running and on disk configuration is the same" - when: - - ubtu24cis_rule_6_2_3_21 + when: ubtu24cis_rule_6_2_3_21 tags: - level2-server - level2-workstation @@ -296,6 +275,5 @@ - rule_6.2.3.21 - NIST800-53R5_AU-3 - auditd - ansible.builtin.shell: augenrules --check + ansible.builtin.command: augenrules --check changed_when: false - register: ubtu24cis_rule_6_2_3_21_augen_check diff --git a/tasks/section_6/cis_6.2.4.x.yml b/tasks/section_6/cis_6.2.4.x.yml index 10bd3da..3fb7189 100644 --- a/tasks/section_6/cis_6.2.4.x.yml +++ b/tasks/section_6/cis_6.2.4.x.yml @@ -24,8 +24,7 @@ mode: 'u-x,g-wx,o-rwx' - name: "6.2.4.4 | PATCH | Ensure the audit log file directory mode is configured" - when: - - ubtu24cis_rule_6_2_4_4 + when: ubtu24cis_rule_6_2_4_4 tags: - level1-server - level1-workstation 
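Review bot: Dropping `register: ubtu24cis_rule_6_2_3_21_augen_check` leaves the `augenrules --check` output unconsumed, and with `changed_when: false` the task can neither report nor act on the one case the control exists for, loaded rules differing from the on-disk rules. Unless the result was unused elsewhere, keep a register and react to it, e.g. `register: discovered_augenrules_check` followed by `changed_when: "'Rules differ' in discovered_augenrules_check.stdout"` and a `notify` of whichever handler reloads the rules, so drift at least shows up as changed in the run. The switch from shell to command is right for a plain binary invocation with no shell features.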
@@ -37,17 +36,16 @@ - name: "6.2.4.4 | AUDIT | Ensure the audit log file directory mode is configured | get current permissions" ansible.builtin.stat: path: "{{ prelim_auditd_logfile.stdout | dirname }}" - register: auditlog_dir + register: discovered_auditlog_dir - name: "6.2.4.4 | PATCH | Ensure the audit log file directory mode is configured | set permissions" ansible.builtin.file: - path: "{{ auditlog_dir.stat.path }}" + path: "{{ discovered_auditlog_dir.stat.path }}" state: directory mode: 'g-w,o-rwx' - name: "6.2.4.5 | PATCH | Ensure audit configuration files mode is configured" - when: - - ubtu24cis_rule_6_2_4_5 + when: ubtu24cis_rule_6_2_4_5 tags: - level1-server - level1-workstation @@ -63,8 +61,7 @@ label: "{{ item.path }}" - name: "6.2.4.6 | PATCH | Ensure audit configuration files owner is configured" - when: - - ubtu24cis_rule_6_2_4_6 + when: ubtu24cis_rule_6_2_4_6 tags: - level1-server - level1-workstation @@ -97,8 +94,7 @@ label: "{{ item.path }}" - name: "6.2.4.8 | PATCH | Ensure audit tools mode is configured" - when: - - ubtu24cis_rule_6_2_4_8 + when: ubtu24cis_rule_6_2_4_8 tags: - level1-server - level1-workstation 
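Review bot: `path: "{{ discovered_auditlog_dir.stat.path }}"` only works when the directory already exists, because the stat module returns just `stat.exists: false` for a missing path and the template then fails on an undefined attribute. The stat step adds nothing over using the source expression directly, so `path: "{{ prelim_auditd_logfile.stdout | dirname }}"` on the file task (which, with `state: directory`, would also create a missing log directory) removes both the extra task and the failure mode. If the stat is kept for another reason, guard the file task with `when: discovered_auditlog_dir.stat.exists`.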
@@ -106,31 +102,13 @@ - auditd - rule_6.2.4.8 - NIST800-53R5_AU-3 - block: - - name: "6.2.4.8 | AUDIT | Ensure audit tools mode is configured | get current mode" - ansible.builtin.stat: - path: "{{ item }}" - register: "audit_bins" - loop: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/augenrules - - - name: "6.2.4.8 | PATCH | Ensure audit tools mode is configured | set if required" - when: not item.stat.mode is match('07(0|5)0') - ansible.builtin.file: - path: "{{ item.item }}" - mode: '0750' - loop: "{{ audit_bins.results }}" - loop_control: - label: "{{ item.item }}" + ansible.builtin.file: + path: "{{ item }}" + mode: 'u+x,g-w,o-rwx' + loop: "{{ audit_bins }}" - name: "6.2.4.9 | PATCH | Ensure audit tools owner is configured" - when: - - ubtu24cis_rule_6_2_4_9 + when: ubtu24cis_rule_6_2_4_9 tags: - level1-server - level1-workstation @@ -142,17 +120,10 @@ path: "{{ item }}" owner: root group: root - loop: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/augenrules + loop: "{{ audit_bins }}" - name: "6.2.4.10 | PATCH | Ensure audit tools group owner is configured" - when: - - ubtu24cis_rule_6_2_4_10 + when: ubtu24cis_rule_6_2_4_10 tags: - level1-server - level1-workstation @@ -163,10 +134,4 @@ ansible.builtin.file: path: "{{ item }}" group: root - loop: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/augenrules + loop: "{{ audit_bins }}" diff --git a/tasks/section_6/cis_6.3.x.yml b/tasks/section_6/cis_6.3.x.yml index a32a0ae..4b8c54d 100644 --- a/tasks/section_6/cis_6.3.x.yml +++ b/tasks/section_6/cis_6.3.x.yml @@ -9,7 +9,6 @@ - level1-workstation - patch - rule_6.3.1 - - NIST800-53R5_AU-2 - aide block: - name: "6.3.1 | PATCH | Ensure AIDE is installed" 
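Review bot: `mode: 'u+x,g-w,o-rwx'` is a symbolic mode, so unlike the absolute `0750` it replaces it leaves any setuid/setgid/sticky bit on the audit tools untouched, and it also adds `u+x` where the old task only narrowed permissions; if the intent is still "0750 or tighter", `mode: '0750'` keeps both guarantees and stays idempotent through `ansible.builtin.file` without the removed stat-and-compare pair. With the default `state: file` the task fails outright if any entry of `audit_bins` is absent, and the 6.2.4.9 and 6.2.4.10 loops below share that behaviour, so either state in a comment that all six binaries are expected on every host or add a stat guard. Note that `audit_bins` was previously the name of the registered stat result in this very block; it now refers to the list added to vars/main.yml in this commit, which is worth a comment above `loop:` so nobody reintroduces a register under that name.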
@@ -20,22 +19,46 @@ name: ['aide', 'aide-common'] state: present update_cache: true - register: ubtu24cis_rule_6_3_1_aide_added + register: discovered_aide_pkgs_added - name: "6.3.1 | PATCH | Ensure AIDE is installed | Recapture packages" - when: ubtu24cis_rule_6_3_1_aide_added.skipped is not defined + when: discovered_aide_pkgs_added.skipped is not defined ansible.builtin.package_facts: manager: auto + - name: "6.3.1 | AUDIT | Ensure AIDE is installed | Check file exists" + ansible.builtin.stat: + path: "{{ ubtu24cis_aide_db_file }}" + register: discovered_aide_db_file + + - name: "6.3.1 | AUDIT | Ensure AIDE is installed | Check current db file age" + when: discovered_aide_db_file.stat.exists + ansible.builtin.find: + path: "{{ ubtu24cis_aide_db_file | dirname }}" + pattern: "{{ ubtu24cis_aide_db_file | basename }}" + age: "{{ ubtu24cis_aide_db_file_age }}" + register: discovered_aide_db_age + - name: "6.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" - ansible.builtin.shell: aideinit && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db - args: - creates: /var/lib/aide/aide.db - changed_when: false - failed_when: false - async: "{{ ubtu24cis_aide_init.async }}" - poll: "{{ ubtu24cis_aide_init.poll }}" - when: not ansible_check_mode + when: + - not ansible_check_mode + - not discovered_aide_db_file.stat.exists or + (discovered_aide_db_age.files | length > 0) or + ubtu24cis_aide_db_recreate + block: + - name: "6.3.1 | PATCH | Ensure AIDE is installed | Remove current db file" + ansible.builtin.file: + path: "{{ ubtu24cis_aide_db_file }}" + state: absent + + - name: "6.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" + when: + - not ansible_check_mode + ansible.builtin.shell: "{{ aide_initiate_command }}" + args: + creates: "{{ ubtu24cis_aide_db_file }}" + async: "{{ ubtu24cis_aide_init_async }}" + poll: "{{ ubtu24cis_aide_init_poll }}" - name: "6.3.2 | PATCH | Ensure filesystem integrity is regularly checked" when: 
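Review bot: The inner `Configure AIDE` task repeats `when: - not ansible_check_mode` that the enclosing block already applies, and its `creates: "{{ ubtu24cis_aide_db_file }}"` can never skip the command because the task just before it in the same block has removed that file; drop the duplicated `when` and either drop `creates` or let the block-level conditions be the only decision. More significantly, when the second or third block condition fires (database older than `ubtu24cis_aide_db_file_age`, or `ubtu24cis_aide_db_recreate`) the `state: absent` task discards the existing baseline before a new one is built from the current filesystem, so any change that accumulated since the last check silently becomes part of the new baseline — run the check (or rename the old database aside) before the removal, and route the re-baseline through warning_facts.yml so it appears in the run summary. The old command moved `aide.db.new` into place explicitly; confirm that `aideinit -y -f` (vars/main.yml) ends with the database at `ubtu24cis_aide_db_file`, because if it does not, `stat.exists` stays false and every run re-initialises, now reporting changed since `changed_when: false` and `failed_when: false` were removed. The multi-line `when` relies on Jinja's short-circuit `or` so that `discovered_aide_db_age.files` is not evaluated when the find task was skipped; a comment saying so would save the next reader a trip.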
@@ -54,14 +77,14 @@ when: ubtu24cis_aide_scan == 'cron' ansible.builtin.cron: name: Run AIDE integrity check - cron_file: "{{ ubtu24cis_aide_cron['cron_file'] }}" - user: "{{ ubtu24cis_aide_cron['cron_user'] }}" - minute: "{{ ubtu24cis_aide_cron['aide_minute'] | default('0') }}" - hour: "{{ ubtu24cis_aide_cron['aide_hour'] | default('5') }}" - day: "{{ ubtu24cis_aide_cron['aide_day'] | default('*') }}" - month: "{{ ubtu24cis_aide_cron['aide_month'] | default('*') }}" - weekday: "{{ ubtu24cis_aide_cron['aide_weekday'] | default('*') }}" - job: "{{ ubtu24cis_aide_cron['aide_job'] }}" + cron_file: "{{ ubtu24cis_aide_cron_file }}" + user: "{{ ubtu24cis_aide_cron_user }}" + minute: "{{ ubtu24cis_aide_cron_minute | default('0') }}" + hour: "{{ ubtu24cis_aide_cron_hour | default('5') }}" + day: "{{ ubtu24cis_aide_cron_day | default('*') }}" + month: "{{ ubtu24cis_aide_cron_month | default('*') }}" + weekday: "{{ ubtu24cis_aide_cron_weekday | default('*') }}" + job: "{{ ubtu24cis_aide_cron_job }}" - name: "6.3.2 | PATCH | Ensure filesystem integrity is regularly checked | timer template" when: ubtu24cis_aide_scan == 'timer' @@ -70,7 +93,7 @@ dest: "/{{ item }}" owner: root group: root - mode: '0644' + mode: 'go-r' loop: - etc/systemd/system/aidecheck.service - etc/systemd/system/aidecheck.timer diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index 4655766..dce875c 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -1,8 +1,7 @@ --- - name: "7.1.1 | PATCH | Ensure permissions on /etc/passwd are configured" - when: - - ubtu24cis_rule_7_1_1 + when: ubtu24cis_rule_7_1_1 tags: - level1-server - level1-workstation @@ -18,8 +17,7 @@ mode: 'u-x,go-wx' - name: "7.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured" - when: - - ubtu24cis_rule_7_1_2 + when: ubtu24cis_rule_7_1_2 tags: - level1-server - level1-workstation 
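Review bot: The cron task now reads `ubtu24cis_aide_cron_day`, `_month`, `_weekday`, `_hour` and `_minute`, but the systemd timer template changed in the same commit (templates/etc/systemd/system/aidecheck.timer.j2) reads `ubtu24cis_aide_cron_aide_day`, `_aide_month` and so on, so unless the role's defaults define both spellings one of the two schedule paths renders an undefined variable. Pick one name set and use it in both places. The template also has none of the `| default('*')` / `default('5')` fallbacks this task applies, so an unset value renders as an empty field in `OnCalendar=`; defining the defaults once in the role's defaults file would serve both consumers.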
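Review bot: `mode: 'go-r'` on a freshly templated unit file most likely ends as 0600 (a symbolic mode on a new file is applied to the umask-derived default), which is tighter than the 0644 systemd unit files normally carry; systemd reads them as root so the timer still works, but unprivileged `systemctl cat` / `systemd-analyze verify` on these units stop working and nothing in the hunk records why the tightening was wanted. If it is deliberate, a comment above `mode:` stating the reason would help; otherwise `'0644'` is the conventional value.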
@@ -35,8 +33,7 @@ mode: 'u-x,go-wx' - name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured" - when: - - ubtu24cis_rule_7_1_3 + when: ubtu24cis_rule_7_1_3 tags: - level1-server - level1-workstation @@ -52,8 +49,7 @@ mode: 'u-x,go-wx' - name: "7.1.4 | PATCH | Ensure permissions on /etc/group- are configured" - when: - - ubtu24cis_rule_7_1_4 + when: ubtu24cis_rule_7_1_4 tags: - level1-server - level1-workstation @@ -86,8 +82,7 @@ mode: 'u-x,g-wx,o-rwx' - name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" - when: - - ubtu24cis_rule_7_1_6 + when: ubtu24cis_rule_7_1_6 tags: - level1-server - level1-workstation @@ -103,8 +98,7 @@ mode: 'u-x,g-wx,o-rwx' - name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" - when: - - ubtu24cis_rule_7_1_7 + when: ubtu24cis_rule_7_1_7 tags: - level1-server - level1-workstation @@ -120,8 +114,7 @@ mode: 'u-x,g-wx,o-rwx' - name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" - when: - - ubtu24cis_rule_7_1_8 + when: ubtu24cis_rule_7_1_8 tags: - level1-server - level1-workstation @@ -137,8 +130,7 @@ mode: 'u-x,g-wx,o-rwx' - name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured" - when: - - ubtu24cis_rule_7_1_9 + when: ubtu24cis_rule_7_1_9 tags: - level1-server - level1-workstation @@ -154,11 +146,7 @@ mode: 'u-x,go-wx' - name: "7.1.10 | PATCH | Ensure permissions on /etc/security/opasswd are configured" - loop: - - /etc/security/opasswd - - /etc/security/opasswd.old - when: - - ubtu24cis_rule_7_1_10 + when: ubtu24cis_rule_7_1_10 tags: - level1-server - level1-workstation 
@@ -168,14 +156,18 @@ - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 ansible.builtin.file: - path: /etc/security/opasswd + path: "{{ item }}" owner: root group: root mode: 'u-x,go-rwx' + failed_when: discovered_file_exists.state not in '[ file, absent ]' + register: discovered_file_exists + loop: + - /etc/security/opasswd + - /etc/security/opasswd.old - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured" - when: - - ubtu24cis_rule_7_1_11 + when: ubtu24cis_rule_7_1_11 tags: - level1-server - level1-workstation @@ -190,17 +182,17 @@ ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 failed_when: false changed_when: false - register: ubtu24cis_worldwriteable + register: discovered_worldwriteable_files - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable files if they exist (Configurable)" + when: + - discovered_worldwriteable_files.stdout_lines is defined + - ubtu24cis_no_world_write_adjust ansible.builtin.file: path: '{{ item }}' - mode: o-w + mode: 'o-w' state: touch - loop: "{{ ubtu24cis_worldwriteable.stdout_lines }}" - when: - - ubtu24cis_worldwriteable.stdout_lines is defined - - ubtu24cis_no_world_write_adjust + loop: "{{ discovered_worldwriteable_files.stdout_lines }}" - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | sticky bit set on world-writable directories" ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t @@ -208,8 +200,7 @@ failed_when: false - name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist" - when: - - ubtu24cis_rule_7_1_12 + when: ubtu24cis_rule_7_1_12 tags: - level1-server - level1-workstation 
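Review bot: `failed_when: discovered_file_exists.state not in '[ file, absent ]'` tests membership in a string, not a list, so it is a substring match — `file` and `absent` happen to be contained, but so would any fragment such as `e` or `abs`; the intended form is `failed_when: discovered_file_exists.state | default('') not in ['file', 'absent']`. As written the expression also turns a genuine chmod/chown failure on an existing file (state `file`, `failed: true`) into success, which is the opposite of what a permissions control wants; `failed_when: discovered_file_exists.failed | default(false) and discovered_file_exists.state | default('') != 'absent'` keeps the "tolerate a missing opasswd.old" intent without masking errors. That the file module reports `state` in its failure result for a missing path is assumed here and worth confirming against the ansible-core version in use.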
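Review bot: `state: touch` on the world-writable file task (the context line right below the changed `mode: 'o-w'`) updates atime/mtime of every file found and reports changed on every run, so the task is not idempotent and it rewrites timestamps on exactly the files an incident responder would later examine; `state: file` applies the mode and leaves timestamps alone. Since `discovered_worldwriteable_files` comes from a `failed_when: false` pipeline, a `find` error yields an empty list and a clean run; if that is not wanted, asserting on the registered `rc` instead of a blanket `failed_when: false` would surface it.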
@@ -222,7 +213,7 @@ warn_control_id: '7.1.12' block: - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories" - ansible.builtin.shell: find {{ ubtu24cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs + ansible.builtin.command: find {{ ubtu24cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs changed_when: false failed_when: false check_mode: false @@ -265,8 +256,7 @@ file: warning_facts.yml - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed" - when: - - ubtu24cis_rule_7_1_13 + when: ubtu24cis_rule_7_1_13 tags: - level1-server - level1-workstation @@ -284,7 +274,7 @@ warn_control_id: '7.1.13' block: - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID" - ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs + ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs changed_when: false failed_when: false check_mode: false diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index 895c0b2..e5a555a 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -1,8 +1,7 @@ --- - name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords" - when: - - ubtu24cis_rule_7_2_1 + when: ubtu24cis_rule_7_2_1 tags: - level1-server - level1-workstation @@ -32,8 +31,7 @@ file: warning_facts.yml - name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty" - when: - - ubtu24cis_rule_7_2_2 + when: ubtu24cis_rule_7_2_2 tags: - level1-server - level1-workstation 
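Review bot: `find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs` in the 7.1.13 hunk does not look like valid find syntax — `-perm` takes a single mode and `or` is not an operator — so after the switch to `ansible.builtin.command` (where shlex still turns `\(` into `(`) the command errors exactly as it did under shell, and `failed_when: false` together with `changed_when: false` hides that, leaving the SUID/SGID audit with an empty result. The intended test is `find {{ item.mount }} -xdev -type f \( -perm -2000 -o -perm -4000 \) -not -fstype nfs`. The 7.1.12 command above carries the same blanket `failed_when: false`, so a bad value in `ubtu24cis_exclude_unowned_search_path` would likewise go unnoticed; asserting that the registered `rc` is 0 or 1 is a safer way to tolerate permission-denied noise.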
@@ -58,8 +56,7 @@ - "{{ discovered_empty_password_acct.stdout_lines }}" - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" - when: - - ubtu24cis_rule_7_2_3 + when: ubtu24cis_rule_7_2_3 tags: - level1-server - level1-workstation @@ -84,7 +81,7 @@ - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" when: discovered_passwd_gid_check.stdout | length > 0 ansible.builtin.debug: - msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join (', ') }}" + msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join(', ') }}" - name: "7.2.3 | WARNING | Ensure all groups in /etc/passwd exist in /etc/group | warn_count" when: discovered_passwd_gid_check.stdout | length > 0 @@ -92,8 +89,7 @@ file: warning_facts.yml - name: "7.2.4 | PATCH | Ensure shadow group is empty" - when: - - ubtu24cis_rule_7_2_4 + when: ubtu24cis_rule_7_2_4 tags: - level1-server - level1-workstation @@ -111,18 +107,17 @@ key: shadow - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group" + when: ansible_facts.getent_group.shadow[2] | length > 0 ansible.builtin.debug: msg: "Warning!! - You have users in the shadow group" - when: ansible_facts.getent_group.shadow[2] | length > 0 - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group" + when: ansible_facts.getent_group.shadow[2] | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml - when: ansible_facts.getent_group.shadow[2] | length > 0 - name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist" - when: - - ubtu24cis_rule_7_2_5 + when: ubtu24cis_rule_7_2_5 tags: - level1-server - level1-workstation 
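Review bot: Both 7.2.4 sub-tasks are named `7.2.4 | AUDIT | Ensure shadow group is empty | check users in group`, so the play output shows two identical names for a debug and an import_tasks; the 7.2.3 block in the same file names the warning_facts import `WARNING | ... | warn_count`, and the second 7.2.4 task should follow that convention. This is a naming point only; moving `when:` above the module call on both tasks matches the rest of the file.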
@@ -155,8 +150,7 @@ file: warning_facts.yml - name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist" - when: - - ubtu24cis_rule_7_2_6 + when: ubtu24cis_rule_7_2_6 tags: - level1-server - level1-workstation @@ -189,10 +183,7 @@ file: warning_facts.yml - name: "7.2.7 | AUDIT | Ensure no duplicate user names exist" - vars: - warn_control_id: '7.2.67' - when: - - ubtu24cis_rule_7_2_7 + when: ubtu24cis_rule_7_2_7 tags: - level1-server - level1-workstation @@ -204,6 +195,8 @@ - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - user + vars: + warn_control_id: '7.2.67' block: - name: "7.2.7 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" @@ -223,8 +216,7 @@ file: warning_facts.yml - name: "7.2.8 | AUDIT | Ensure no duplicate group names exist" - when: - - ubtu24cis_rule_7_2_8 + when: ubtu24cis_rule_7_2_8 tags: - level1-server - level1-workstation @@ -257,8 +249,7 @@ file: warning_facts.yml - name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured" - when: - - ubtu24cis_rule_7_2_9 + when: ubtu24cis_rule_7_2_9 tags: - level1-server - level1-workstation @@ -273,7 +264,8 @@ state: directory owner: "{{ item.id }}" group: "{{ item.gid }}" - loop: "{{ ubtu24cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" + mode: 'g-w,o-rwx' + loop: "{{ ubtu24cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | list }}" loop_control: label: "{{ item.id }}" @@ -344,5 +336,5 @@ - ubtu24cis_dotperm_ansiblemanaged ansible.builtin.file: path: '{{ item }}' - mode: go-w + mode: 'go-w' with_items: "{{ discovered_homedir_dot_files.stdout_lines }}" diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml index 4549726..e43e31f 100644 --- a/tasks/warning_facts.yml +++ b/tasks/warning_facts.yml 
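Review bot: The `warn_control_id` moved into the 7.2.7 task (hunk `@@ -204,6 +195,8 @@`) still reads `'7.2.67'`, so the summary built by warning_facts.yml will list a control that does not exist; it should be `warn_control_id: '7.2.7'`. The move itself (vars after tags, before block) matches the ordering used elsewhere in the file.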
@@ -1,5 +1,4 @@ --- - # This task is used to create variables used in giving a warning summary for manual tasks # that need attention # @@ -14,7 +13,7 @@ # # warn_count is the main variable for the number of warnings and each time a warn_control_id is added # the count increases by a value of 1 -- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." +- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." # noqa name[template] ansible.builtin.set_fact: warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]" warn_count: "{{ warn_count | int + 1 }}" diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 87864e5..7ddf258 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -653,10 +653,10 @@ ubtu24cis_is_syslog_server: {{ ubtu24cis_system_is_log_server }} # Note the following to understand precedence and layout ubtu24cis_sshd_access: - - AllowUser {{ ubtu24cis_sshd.allow_users }} - - AllowGroup {{ ubtu24cis_sshd.allow_groups }} - - DenyUser {{ ubtu24cis_sshd.deny_users }} - - DenyGroup {{ ubtu24cis_sshd.deny_groups }} + - AllowUser {{ ubtu24cis_sshd_allow_users }} + - AllowGroup {{ ubtu24cis_sshd_allow_groups }} + - DenyUser {{ ubtu24cis_sshd_deny_users }} + - DenyGroup {{ ubtu24cis_sshd_deny_groups }} ubtu24cis_ssh_strong_ciphers: - aes256-gcm@openssh.com @@ -721,14 +721,13 @@ ubtu24cis_pam_passwd_retry: "3" # logins.def password settings ubtu24cis_pass: - max_days: {{ ubtu24cis_pass.max_days }} - min_days: {{ ubtu24cis_pass.min_days }} - warn_age: {{ ubtu24cis_pass.warn_age }} + max_days: {{ ubtu24cis_pass_max_days }} + min_days: {{ ubtu24cis_pass_min_days }} + warn_age: {{ ubtu24cis_pass_warn_age }} # set sugroup if differs from wheel ubtu24cis_sugroup: nosugroup - # var log location variable ubtu24_varlog_location: {{ ubtu24cis_sudo_logfile }} 
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 4ccf915..cd32371 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -34,8 +34,8 @@ -w /etc/netplan -p wa -k system-locale {% endif %} {% if ubtu24cis_rule_6_2_3_6 %} -{% if priv_procs is defined %} -{% for proc in priv_procs.stdout_lines -%} +{% if discovered_privilege_processes is defined %} +{% for proc in discovered_privilege_processes.stdout_lines -%} -a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=unset -k privileged {% endfor %} {% endif %} diff --git a/templates/etc/systemd/system/aidecheck.timer.j2 b/templates/etc/systemd/system/aidecheck.timer.j2 index 99edf72..6cf1ef4 100644 --- a/templates/etc/systemd/system/aidecheck.timer.j2 +++ b/templates/etc/systemd/system/aidecheck.timer.j2 @@ -2,7 +2,7 @@ Description=Aide check [Timer] -OnCalendar={{ ubtu24cis_aide_cron.aide_day }}-{{ ubtu24cis_aide_cron.aide_month }}-{{ ubtu24cis_aide_cron.aide_weekday }} {{ ubtu24cis_aide_cron.aide_hour }}:{{ ubtu24cis_aide_cron.aide_minute }}:00 +OnCalendar={{ ubtu24cis_aide_cron_aide_day }}-{{ ubtu24cis_aide_cron_aide_month }}-{{ ubtu24cis_aide_cron_aide_weekday }} {{ ubtu24cis_aide_cron_aide_hour }}:{{ ubtu24cis_aide_cron_aide_minute }}:00 Unit=aidecheck.service [Install] diff --git a/templates/fs_with_cves.sh.j2 b/templates/fs_with_cves.sh.j2 index 27ff343..e936b7d 100644 --- a/templates/fs_with_cves.sh.j2 +++ b/templates/fs_with_cves.sh.j2 @@ -1,5 +1,4 @@ -#!/usr/bin/env bash -{% raw %} +{% raw %}#!/usr/bin/env bash # Based on original Script provided by CIS # CVEs correct at time of creation - April2024 diff --git a/vars/audit.yml b/vars/audit.yml index 1dc1cf1..2dd662e 100644 --- a/vars/audit.yml +++ b/vars/audit.yml 
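Review bot: `OnCalendar=` in the aidecheck.timer.j2 hunk is assembled as `{{ day }}-{{ month }}-{{ weekday }} {{ hour }}:{{ minute }}:00`, but systemd's calendar syntax is `DayOfWeek Year-Month-Day Hour:Minute:Second`, so with all-`*` values it happens to parse while any concrete value lands in the wrong field (a day of `15` is read as the year 15, and the weekday slot expects a name such as `Mon`, not a cron number). If cron-style values are to be kept, render the date part as `*-{{ month }}-{{ day }}`, prefix the weekday only when it is not `*` and after mapping it to a systemd day name, and document that mapping above the line; otherwise state in a comment that only `*` is supported for the date fields. A `systemd-analyze calendar` check of the rendered value in the test run would catch either outcome.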
@@ -35,7 +35,7 @@ audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }} - {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %} + The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }} + {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %} - Full breakdown can be found in {{ audit_log_dir }} + Full breakdown can be found in {{ audit_log_dir }} diff --git a/vars/is_container.yml b/vars/is_container.yml index 189d499..78b47c1 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml 
@@ -13,63 +13,74 @@ ubtu24cis_firewall_package: None ## Related individual rules # Aide -ubtu24cis_rule_1_4_1: false -ubtu24cis_rule_1_4_2: false +ubtu24cis_rule_6_3_1: false +ubtu24cis_rule_6_3_2: false # AppArmor -ubtu24cis_rule_1_6_1: false -ubtu24cis_rule_1_6_2: false -ubtu24cis_rule_1_6_3: false -ubtu24cis_rule_1_6_4: false +ubtu24cis_rule_1_3_1: false +ubtu24cis_rule_1_3_2: false +ubtu24cis_rule_1_3_3: false +ubtu24cis_rule_1_3_4: false # time sync -ubtu24cis_rule_2_1_1_1: false -ubtu24cis_rule_2_2_1_2: false +ubtu24cis_rule_2_3_2_1: false +ubtu24cis_rule_2_3_2_2: false # Auditd -ubtu24cis_rule_4_1_1_1: false -ubtu24cis_rule_4_1_1_2: false -ubtu24cis_rule_4_1_1_3: false -ubtu24cis_rule_4_1_1_4: false -ubtu24cis_rule_4_1_2_1: false -ubtu24cis_rule_4_1_2_2: false -ubtu24cis_rule_4_1_2_3: false +ubtu24cis_rule_6_2_1_1: false +ubtu24cis_rule_6_2_1_2: false +ubtu24cis_rule_6_2_1_3: false +ubtu24cis_rule_6_2_1_4: false +ubtu24cis_rule_6_2_2_1: false +ubtu24cis_rule_6_2_2_2: false +ubtu24cis_rule_6_2_2_3: false # Auditd rules -ubtu24cis_rule_4_1_3_1: false -ubtu24cis_rule_4_1_3_2: false -ubtu24cis_rule_4_1_3_3: false -ubtu24cis_rule_4_1_3_4: false -ubtu24cis_rule_4_1_3_5: false -ubtu24cis_rule_4_1_3_6: false -ubtu24cis_rule_4_1_3_7: false -ubtu24cis_rule_4_1_3_8: false -ubtu24cis_rule_4_1_3_9: false -ubtu24cis_rule_4_1_3_10: false -ubtu24cis_rule_4_1_3_11: false -ubtu24cis_rule_4_1_3_12: false -ubtu24cis_rule_4_1_3_13: false -ubtu24cis_rule_4_1_3_14: false -ubtu24cis_rule_4_1_3_15: false -ubtu24cis_rule_4_1_3_16: false -ubtu24cis_rule_4_1_3_17: false -ubtu24cis_rule_4_1_3_18: false -ubtu24cis_rule_4_1_3_19: false -ubtu24cis_rule_4_1_3_20: false -ubtu24cis_rule_4_1_3_21: false +ubtu24cis_rule_6_2_3_1: false +ubtu24cis_rule_6_2_3_2: false +ubtu24cis_rule_6_2_3_3: false +ubtu24cis_rule_6_2_3_4: false +ubtu24cis_rule_6_2_3_5: false +ubtu24cis_rule_6_2_3_6: false +ubtu24cis_rule_6_2_3_7: false +ubtu24cis_rule_6_2_3_8: false +ubtu24cis_rule_6_2_3_9: false 
+ubtu24cis_rule_6_2_3_10: false +ubtu24cis_rule_6_2_3_11: false +ubtu24cis_rule_6_2_3_12: false +ubtu24cis_rule_6_2_3_13: false +ubtu24cis_rule_6_2_3_14: false +ubtu24cis_rule_6_2_3_15: false +ubtu24cis_rule_6_2_3_16: false +ubtu24cis_rule_6_2_3_17: false +ubtu24cis_rule_6_2_3_18: false +ubtu24cis_rule_6_2_3_19: false +ubtu24cis_rule_6_2_3_20: false +ubtu24cis_rule_6_2_3_21: false # Auditd file access -ubtu24cis_rule_4_1_4_1: false -ubtu24cis_rule_4_1_4_2: false -ubtu24cis_rule_4_1_4_3: false -ubtu24cis_rule_4_1_4_4: false -ubtu24cis_rule_4_1_4_5: false -ubtu24cis_rule_4_1_4_6: false -ubtu24cis_rule_4_1_4_7: false -ubtu24cis_rule_4_1_4_8: false -ubtu24cis_rule_4_1_4_9: false -ubtu24cis_rule_4_1_4_10: false -ubtu24cis_rule_4_1_4_11: false +ubtu24cis_rule_6_2_4_1: false +ubtu24cis_rule_6_2_4_2: false +ubtu24cis_rule_6_2_4_3: false +ubtu24cis_rule_6_2_4_4: false +ubtu24cis_rule_6_2_4_5: false +ubtu24cis_rule_6_2_4_6: false +ubtu24cis_rule_6_2_4_7: false +ubtu24cis_rule_6_2_4_8: false +ubtu24cis_rule_6_2_4_9: false +ubtu24cis_rule_6_2_4_10: false +ubtu24cis_rule_6_2_4_11: false # cron +ubtu24cis_rule_2_4_1_1: false +ubtu24cis_rule_2_4_1_2: false +ubtu24cis_rule_2_4_1_3: false +ubtu24cis_rule_2_4_1_4: false +ubtu24cis_rule_2_4_1_5: false +ubtu24cis_rule_2_4_1_6: false +ubtu24cis_rule_2_4_1_7: false +ubtu24cis_rule_2_4_1_8: false +ubtu24cis_rule_2_4_2_1: false + +# ssh ubtu24cis_rule_5_1_1: false ubtu24cis_rule_5_1_2: false ubtu24cis_rule_5_1_3: false 
@@ -78,27 +89,17 @@ ubtu24cis_rule_5_1_5: false
 ubtu24cis_rule_5_1_6: false
 ubtu24cis_rule_5_1_7: false
 ubtu24cis_rule_5_1_8: false
-
-# ssh
-ubtu24cis_rule_5_2_1: false
-ubtu24cis_rule_5_2_2: false
-ubtu24cis_rule_5_2_3: false
-ubtu24cis_rule_5_2_4: false
-ubtu24cis_rule_5_2_5: false
-ubtu24cis_rule_5_2_6: false
-ubtu24cis_rule_5_2_7: false
-ubtu24cis_rule_5_2_8: false
-ubtu24cis_rule_5_2_9: false
-ubtu24cis_rule_5_2_10: false
-ubtu24cis_rule_5_2_11: false
-ubtu24cis_rule_5_2_12: false
-ubtu24cis_rule_5_2_13: false
-ubtu24cis_rule_5_2_14: false
-ubtu24cis_rule_5_2_15: false
-ubtu24cis_rule_5_2_16: false
-ubtu24cis_rule_5_2_17: false
-ubtu24cis_rule_5_2_18: false
-ubtu24cis_rule_5_2_19: false
-ubtu24cis_rule_5_2_20: false
-ubtu24cis_rule_5_2_21: false
-ubtu24cis_rule_5_2_22: false
+ubtu24cis_rule_5_1_9: false
+ubtu24cis_rule_5_1_10: false
+ubtu24cis_rule_5_1_11: false
+ubtu24cis_rule_5_1_12: false
+ubtu24cis_rule_5_1_13: false
+ubtu24cis_rule_5_1_14: false
+ubtu24cis_rule_5_1_15: false
+ubtu24cis_rule_5_1_16: false
+ubtu24cis_rule_5_1_17: false
+ubtu24cis_rule_5_1_18: false
+ubtu24cis_rule_5_1_19: false
+ubtu24cis_rule_5_1_20: false
+ubtu24cis_rule_5_1_21: false
+ubtu24cis_rule_5_1_22: false
diff --git a/vars/main.yml b/vars/main.yml
index f39cd1f..fa065e8 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -12,3 +12,16 @@ system_is_container: false
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0
+
+
+# Aide initiate command for new DB creation
+aide_initiate_command: aideinit -y -f
+
+# Audit vars
+audit_bins:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/augenrules
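Review bot: `audit_bins` is documented only as `# Audit vars`; since the 6.2.4.8–6.2.4.10 tasks now loop `ansible.builtin.file` over it with the default `state: file`, a comment such as `# Audit tool binaries enforced by 6.2.4.8-6.2.4.10; every path must exist or the file tasks fail` tells a maintainer why the list is fixed and what adding an entry implies. `aide_initiate_command: aideinit -y -f` likewise deserves a line stating that it replaces the former `aideinit && mv ... aide.db.new ... aide.db` and is expected to leave the database at `ubtu24cis_aide_db_file`, because the 6.3.1 block's `creates:` and existence checks depend on that. Both live in vars/ rather than defaults/, which puts them above inventory in precedence; presumably intentional, but the comment is the place to say so.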