From 3e92d4b54b36ed10ffde9bc0d4456e3456258595 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 08:40:32 +0000 Subject: [PATCH 01/39] fixed permissions 5.4.3.2 Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml index e3e7d6b..2272c82 100644 --- a/tasks/section_5/cis_5.4.3.x.yml +++ b/tasks/section_5/cis_5.4.3.x.yml @@ -34,7 +34,7 @@ state: "{{ item.state }}" marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true - mode: 'go-r' + mode: 'go+r' block: | TMOUT={{ ubtu24cis_shell_session_timeout }} readonly TMOUT From c129cf05520c9469df403d27ff6a2bbb7f92011c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 09:03:01 +0000 Subject: [PATCH 02/39] removed mask section u24 now removes time package not used automatically Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.3.1.x.yml | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/tasks/section_2/cis_2.3.1.x.yml b/tasks/section_2/cis_2.3.1.x.yml index 2037c96..6242dee 100644 --- a/tasks/section_2/cis_2.3.1.x.yml +++ b/tasks/section_2/cis_2.3.1.x.yml @@ -26,14 +26,4 @@ loop: - chrony - ntp - - - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use | mask service" - when: - - ubtu24cis_time_sync_tool != "systemd-timesyncd" - - "'systemd-timesyncd' in ansible_facts.packages" - ansible.builtin.service: - name: systemd-timesyncd - state: stopped - enabled: false - masked: true - daemon_reload: true + - systemd-timesyncd From 3c628434188ede7dbfb4d6e584161b3d098ce04e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 09:05:37 +0000 Subject: [PATCH 03/39] fixed file permissions 2.3.2.1 Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.3.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
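Review bot: `mode: 'go+r'` on the `blockinfile` task for the TMOUT profile file is a relative symbolic mode, so it only adds the read bit and leaves whatever group/other write or execute bits the file already has; the later revisions of the same line in this series ('go-w' in PATCH 05, 'go-wx' in PATCH 06) and `'go-wx'` on the template task in PATCH 03 have the mirror-image problem, never guaranteeing the bits they do not mention. An absolute mode such as `mode: '0644'` makes the result independent of the file's prior state and of the umask in effect when `create: true` first writes it. The enclosing task's `name` and `when` are outside the hunk.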
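Review bot: Adding `systemd-timesyncd` to this loop means the loop now lists every candidate daemon including the one selected by `ubtu24cis_time_sync_tool`, so the task's `when` (outside the hunk) must exclude `item == ubtu24cis_time_sync_tool` or the chosen daemon is removed along with the others. The masked-service task this replaces was explicitly guarded by `ubtu24cis_time_sync_tool != "systemd-timesyncd"`; please confirm the package task carries an equivalent guard. The task header starts before the hunk, so I cannot see it here.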
diff --git a/tasks/section_2/cis_2.3.2.x.yml b/tasks/section_2/cis_2.3.2.x.yml index 5dcc083..3101212 100644 --- a/tasks/section_2/cis_2.3.2.x.yml +++ b/tasks/section_2/cis_2.3.2.x.yml @@ -23,7 +23,7 @@ ansible.builtin.template: src: "{{ item }}.j2" dest: "/{{ item }}" - mode: 'go-r' + mode: 'go-wx' owner: root group: root loop: From b7bdc7f67c44e27c05b9415c159417f64896202b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 09:26:52 +0000 Subject: [PATCH 04/39] Updated bootloader hash var and time tool inherit Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 7ddf258..f558438 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -484,7 +484,7 @@ ubtu24cis_apparmor_disable: {{ ubtu24cis_apparmor_disable }} # THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!! # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!! ubtu24cis_grub_user: {{ ubtu24cis_grub_user }} -ubtu24cis_bootloader_password_hash: {{ grub_user_pass }} # pragma: allowlist secret +ubtu24cis_bootloader_password_hash: {{ ubtu24cis_grub_user_passwd }} # pragma: allowlist secret ## Controls 1.5.x @@ -580,7 +580,7 @@ ubtu24cis_ftp_client: {{ ubtu24cis_ftp_client }} ## Control 2.3.1.1 # This variable choses the tool used for time synchronization # The two options are `chrony`and `systemd-timesyncd`. -ubtu24cis_time_sync_tool: "systemd-timesyncd" +ubtu24cis_time_sync_tool: {{ ubtu24cis_time_sync_tool }} ## Controls 2.3.x - Configure time pools & servers for chrony and timesyncd # The following variable represents a list of of time server pools used 
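Review bot: `ubtu24cis_bootloader_password_hash: {{ ubtu24cis_grub_user_passwd }}` substitutes the grub user's account password hash (the `$y$` yescrypt value in defaults) for a key whose name, and the assertion in tasks/main.yml that checks for `grub.pbkdf2.sha512`, describe the GRUB PBKDF2 hash, so the rendered audit vars carry the wrong value. Rendering `{{ ubtu24cis_bootloader_password_hash }}` is what PATCH 09 in this series eventually does. Separately, the templated scalars in this file are unquoted (`{{ ubtu24cis_time_sync_tool }}` in the second hunk, `{{ ubtu24cis_remote_log_server }}` and the `{{ pool.name }}` entries in the next two), so an empty or unset expansion renders as YAML null rather than an empty string; `"{{ ... }}"` keeps them strings.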
@@ -588,7 +588,7 @@ ubtu24cis_time_sync_tool: "systemd-timesyncd" # Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`. # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation # of the time synchronization mechanism you are using. -ubtu24cis_time_pool_name: +ubtu24cis_time_pool: {% for pool in ubtu24cis_time_pool %} - name: {{ pool.name }} options: {{ pool.options }} @@ -733,6 +733,9 @@ ubtu24_varlog_location: {{ ubtu24cis_sudo_logfile }} # Section 6 +# This variable specifies the address of the remote log host where logs are being sent. +ubtu24cis_remote_log_server: {{ ubtu24cis_remote_log_server }} + # 6.1.2 # AIDE From 9709aa503bc5e26455609a404946ea7408e22e77 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 09:27:23 +0000 Subject: [PATCH 05/39] 5.4.3.2 updated permissions Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml index 2272c82..2ea9c2f 100644 --- a/tasks/section_5/cis_5.4.3.x.yml +++ b/tasks/section_5/cis_5.4.3.x.yml @@ -34,7 +34,7 @@ state: "{{ item.state }}" marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true - mode: 'go+r' + mode: 'go-w' block: | TMOUT={{ ubtu24cis_shell_session_timeout }} readonly TMOUT From cc307541a9d524d8344e7a4b5cabd311192d3bf5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 12:37:54 +0000 Subject: [PATCH 06/39] 5.4.3.3 updated to add profile script Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.3.x.yml | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml index 2ea9c2f..bac9c32 100644 --- a/tasks/section_5/cis_5.4.3.x.yml +++ b/tasks/section_5/cis_5.4.3.x.yml 
@@ -34,7 +34,7 @@ state: "{{ item.state }}" marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true - mode: 'go-w' + mode: 'go-wx' block: | TMOUT={{ ubtu24cis_shell_session_timeout }} readonly TMOUT @@ -54,10 +54,20 @@ - rule_5.4.3.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - ansible.builtin.replace: - path: "{{ item.path }}" - regexp: (?i)(umask\s+\d\d\d) - replace: '{{ item.line }} {{ ubtu24cis_bash_umask }}' - loop: - - { path: '/etc/profile', line: 'umask' } - - { path: '/etc/login.defs', line: 'UMASK' } + block: + - name: "5.4.3.3 | PATCH | Ensure default user umask is configured | update current settings" + ansible.builtin.replace: + path: "{{ item.path }}" + regexp: (?i)(umask\s+\d\d\d) + replace: '{{ item.line }} {{ ubtu24cis_bash_umask }}' + loop: + - { path: '/etc/profile', line: 'umask' } + - { path: '/etc/login.defs', line: 'UMASK' } + + - name: "5.4.3.3 | PATCH | Ensure default user umask is configured | add profile script to set" + ansible.builtin.template: + src: etc/profile.d/50-umask.sh.j2 + dest: /etc/profile.d/50-umask.sh + owner: root + group: root + mode: 'go+r,go-wx' From 113b32018fe5966aa3183e771ee9f998dc2d16b8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 12:38:24 +0000 Subject: [PATCH 07/39] profile script Signed-off-by: Mark Bolwell --- templates/etc/profile.d/50-umask.sh.j2 | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 templates/etc/profile.d/50-umask.sh.j2 diff --git a/templates/etc/profile.d/50-umask.sh.j2 b/templates/etc/profile.d/50-umask.sh.j2 new file mode 100644 index 0000000..e300e9c --- /dev/null +++ b/templates/etc/profile.d/50-umask.sh.j2 @@ -0,0 +1,7 @@ +## Ansible controlled file +# Added as part of ansible-lockdown CIS baseline +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown + +# Set umask with highest precedence + +umask 027 From 18152bc17d5593d5c381a6f65b6635e53bb9e8b8 Mon Sep 17 00:00:00 2001 
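Review bot: `umask 027` in the new `50-umask.sh.j2` is hard-coded, while the sibling task in PATCH 06 writes `{{ ubtu24cis_bash_umask }}` into `/etc/profile` and `/etc/login.defs`; the template's own comment says it is meant to take highest precedence, so wherever `/etc/profile` sources `/etc/profile.d/*.sh` after its own umask line, a site override of `ubtu24cis_bash_umask` is silently undone for login shells. Render the variable instead: `umask {{ ubtu24cis_bash_umask }}`. That also gives the `.j2` file, which currently contains no Jinja expression at all, a reason to be a template.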
From: Mark Bolwell Date: Fri, 10 Jan 2025 12:39:13 +0000 Subject: [PATCH 08/39] fix conditional for snap/squashfs Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 518cfe3..eba0b21 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -7,7 +7,7 @@ changed_when: false - name: "PRELIM | AUDIT | Register if snap being used" - when: ubtu24cis_rule_1_1_1_6 + when: ubtu24cis_rule_1_1_1_7 tags: always ansible.builtin.shell: df -h | grep -wc "/snap" changed_when: false @@ -15,7 +15,7 @@ register: prelim_snap_pkg_mgr - name: "PRELIM | AUDIT | Register if squashfs is built into the kernel" - when: ubtu24cis_rule_1_1_1_6 + when: ubtu24cis_rule_1_1_1_7 tags: always ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs" changed_when: false From 6e78559776e4cd36f3f3dfe5978f080f3d5b27ca Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 12:40:06 +0000 Subject: [PATCH 09/39] tidy up grub/bootloader logic Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 - tasks/main.yml | 25 ------------------------- templates/ansible_vars_goss.yml.j2 | 2 +- 3 files changed, 1 insertion(+), 27 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3a6a356..28b802e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -665,7 +665,6 @@ ubtu24cis_apparmor_mode: complain # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!! ubtu24cis_grub_user: root ubtu24cis_set_grub_user_pass: false -ubtu24cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' # Set to changeme ubtu24cis_grub_user_file: /etc/grub.d/00_user ubtu24cis_bootloader_password_hash: "grub.pbkdf2.sha512.changethispassword" # pragma: allowlist secret ubtu24cis_set_boot_pass: false diff --git a/tasks/main.yml b/tasks/main.yml index e246e7f..cfdb641 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -62,31 +62,6 @@ that: ubtu24cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu24cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret msg: "This role will not be able to run single user password commands as ubtu24cis_bootloader_password_hash variable has not been set correctly" -- name: Check ubtu24cis_grub_user password variable has been changed - when: ubtu24cis_rule_1_4_1 - tags: always - block: - - name: Check ubtu24cis_grub_user password variable has been changed | check password is set - ansible.builtin.shell: "grep ^{{ ubtu24cis_grub_user }} /etc/shadow | awk -F : '{print $2}'" - changed_when: false - register: ubtu24cis_password_set_grub_user - - - name: Check ubtu24cis_grub_user password variable has been changed | check password is set - when: - - "'$y$' in ubtu24cis_password_set_grub_user.stdout" - - ubtu24cis_set_grub_user_pass - - ubtu24cis_rule_1_4_1 - ansible.builtin.assert: - that: ubtu24cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu24cis_grub_user_passwd.find('$y$') != -1 and ubtu24cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' - msg: "This role will not set the {{ ubtu24cis_grub_user }} user password is not set or ubtu24cis_grub_user_passwd variable has not been set correctly" - - - name: Check ubtu24cis_grub_user password variable has been changed | if password blank or incorrect type and not being set - when: not ubtu24cis_set_grub_user_pass - ansible.builtin.assert: - that: ( ubtu24cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu24cis_password_set_grub_user.stdout - fail_msg: "Grub User {{ ubtu24cis_grub_user }} has no password set or incorrect encryption" - success_msg: "Grub User {{ ubtu24cis_grub_user }} has a valid password set to be used in single user mode" - - name: Setup rules if container when: - ansible_connection == 'docker' or 
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index f558438..02d8c3e 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -484,7 +484,7 @@ ubtu24cis_apparmor_disable: {{ ubtu24cis_apparmor_disable }} # THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!! # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!! ubtu24cis_grub_user: {{ ubtu24cis_grub_user }} -ubtu24cis_bootloader_password_hash: {{ ubtu24cis_grub_user_passwd }} # pragma: allowlist secret +ubtu24cis_bootloader_password_hash: {{ ubtu24cis_bootloader_password_hash }} # pragma: allowlist secret ## Controls 1.5.x From e69c18fa1c94652ef95ebc6d57e4196e0229b28c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 13:16:56 +0000 Subject: [PATCH 10/39] improved audit handler and related rules Signed-off-by: Mark Bolwell --- handlers/main.yml | 4 +--- tasks/prelim.yml | 2 +- tasks/section_6/cis_6.2.3.x.yml | 1 + 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index e3a9c38..64b0aad 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -237,9 +237,7 @@ changed_when: true - name: Auditd rules reload - when: - - not prelim_auditd_immutable_check or - '"No change" not in ubtu24cis_rule_6_2_3_21_grep -iR augen_check.stdout' + when: ('"No change" not in discovered_augenrules_check.stdout') or prelim_auditd_immutable_check.rc == 1 ansible.builtin.command: augenrules --load changed_when: true diff --git a/tasks/prelim.yml b/tasks/prelim.yml index eba0b21..05c725c 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
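Review bot: With this fix the audit vars render the PBKDF2 hash the key name implies, but the same commit deletes both the `ubtu24cis_grub_user_passwd` default and the pre-flight block in tasks/main.yml that asserted on it, while `ubtu24cis_set_grub_user_pass` stays in defaults; if any section_1 task still consumes `ubtu24cis_grub_user_passwd` when that toggle is true, it now fails with an undefined variable instead of the explicit assert message. Worth searching the role for remaining references before merging. The value is also rendered unquoted; `"{{ ubtu24cis_bootloader_password_hash }}"` keeps it a string and avoids a null when the variable is empty.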
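Review bot: The new `when` on `Auditd rules reload` is a plain (YAML-unquoted) scalar, so the single-quoted part `('"No change" not in discovered_augenrules_check.stdout')` is a Jinja string literal, not a test; a non-empty string is truthy and the handler therefore runs on every notification regardless of the check. The two conditions are also joined with `or`, so when `prelim_auditd_immutable_check.rc` is 0 (the new `grep "enabled 2"` matched, i.e. the ruleset is locked) a detected change still triggers `augenrules --load`, which cannot apply against an immutable configuration; `and` appears to be the intent. `discovered_augenrules_check` is only registered by the 6.2.3.x task in this commit, so a handler fired on a run where that task was skipped hits an undefined variable. `when: discovered_augenrules_check is defined and "No change" not in discovered_augenrules_check.stdout and prelim_auditd_immutable_check.rc == 1` covers all three.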
@@ -218,7 +218,7 @@ - name: "PRELIM | AUDIT | Check if auditd is immutable before changes" when: "'auditd' in ansible_facts.packages" tags: always - ansible.builtin.shell: auditctl -l | grep -c '-e 2' + ansible.builtin.shell: auditctl -s | grep "enabled 2" changed_when: false failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ] register: prelim_auditd_immutable_check diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml index 58db7d6..dbcbfa4 100644 --- a/tasks/section_6/cis_6.2.3.x.yml +++ b/tasks/section_6/cis_6.2.3.x.yml @@ -277,3 +277,4 @@ - auditd ansible.builtin.command: augenrules --check changed_when: false + register: discovered_augenrules_check From d190c51fa40883fe29d2fea56b19e83c4e9c07c2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 14:00:34 +0000 Subject: [PATCH 11/39] Updated since ubuntu removes unncessary time pkgs Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.3.3.x.yml | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/tasks/section_2/cis_2.3.3.x.yml b/tasks/section_2/cis_2.3.3.x.yml index 68af2fc..19177b9 100644 --- a/tasks/section_2/cis_2.3.3.x.yml +++ b/tasks/section_2/cis_2.3.3.x.yml @@ -58,19 +58,3 @@ name: chrony state: started enabled: true - - - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | timesyncd" - when: "'systemd-timesyncd' in ansible_facts.packages" - ansible.builtin.systemd: - name: systemd-timesyncd - state: stopped - enabled: false - masked: true - - - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | ntpd" - when: "'ntpd' in ansible_facts.packages" - ansible.builtin.systemd: - name: ntpd - state: stopped - enabled: false - masked: true From 7095fdc49f436b62fd11cdc31aa1144965b5d15d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 14:29:47 +0000 Subject: [PATCH 12/39] added rsyslog override logging option 
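Review bot: `auditctl -s | grep "enabled 2"` runs under `/bin/sh` with no `pipefail`, so if `auditctl` itself fails (not root, audit subsystem unavailable) grep sees empty input and returns 1, which the handler in the same commit reads as "not immutable" and proceeds to `augenrules --load`. A cleaner shape is `ansible.builtin.command: auditctl -s` with `changed_when: false`, letting an auditctl failure fail the task explicitly, and having the handler test `"'enabled 2' not in prelim_auditd_immutable_check.stdout"`. Note that `stdout` changed from a match count to the matched line, so any other consumer of `prelim_auditd_immutable_check.stdout` needs the same update the handler got.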
Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 28b802e..6c2af85 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1068,6 +1068,9 @@ ubtu24cis_shell_session_file: /etc/profile.d/tmout.sh # journald or rsyslog ubtu24cis_syslog_service: 'journald' +# Enable rsyslog logging to be managed by ansible +ubtu24cis_rsyslog_ansible_managed: true + ## Controls 6.1.1.x journald # This variable specifies the address of the remote log host where logs are being sent. From 5de8d4c5586c5a242b434e9bb8e7a26c93da4e7f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 10 Jan 2025 15:33:10 +0000 Subject: [PATCH 13/39] Added optional logrotate install and variable, improved 6.1.3.8 logic Signed-off-by: Mark Bolwell --- defaults/main.yml | 7 ++++++- tasks/prelim.yml | 8 ++++++++ tasks/section_6/cis_6.1.3.8.yml | 4 +++- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6c2af85..d37ae5e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1109,7 +1109,12 @@ ubtu24cis_journald_runtimekeepfree: "#RuntimeKeepFree=" # ATTENTION: Uncomment the keyword below when values are set! ubtu24cis_journald_maxfilesec: "#MaxFileSec=" -# 6.1.3.8 +# 6.1.3.8 LOGRotate +# Optional to alow logrotate to be installed +# While it is required for 6.1.3.8 its not installed by default on minimal image +# or required for CIS to be installed, but in order to achieve ability to install has been added +ubtu24cis_logrotate_pkg_install: false + # ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation # To conform to CIS standards this just needs to comply with your site policy ubtu24cis_logrotate: "daily" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 05c725c..74ee0c7 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
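Review bot: The comment block over `ubtu24cis_logrotate_pkg_install` has typos and a run-on sentence (`alow`, `its`, "in order to achieve ability to install has been added"). Suggested wording: `# Optional: allow this role to install logrotate. Control 6.1.3.8 requires it, but it is not present on minimal images and is not a CIS-mandated package, so installation is opt-in.`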
@@ -256,3 +256,11 @@ regexp: ^IPT_SYSCTL=.* line: IPT_SYSCTL=/etc/sysctl.conf mode: 'u-x,go-wx' + +- name: "OPTIONAL | PATCH | Install Logrotate if missing" + when: + - ubtu24cis_rule_6_1_3_8 + - ubtu24cis_logrotate_pkg_install + ansible.builtin.package: + name: logrotate + state: present diff --git a/tasks/section_6/cis_6.1.3.8.yml b/tasks/section_6/cis_6.1.3.8.yml index 932801e..1c68890 100644 --- a/tasks/section_6/cis_6.1.3.8.yml +++ b/tasks/section_6/cis_6.1.3.8.yml @@ -1,7 +1,9 @@ --- - name: "6.1.3.8 | PATCH | Ensure logrotate is configured" - when: ubtu24cis_rule_6_1_3_8 + when: + - ubtu24cis_rule_6_1_3_8 + - "'logrotate' in ansible_facts.packages" tags: - level1-server - level1-workstation From a857b1e5525dc458f1f72bf772d2cbefb6e69fcd Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 13 Jan 2025 17:50:19 +0000 Subject: [PATCH 14/39] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.21.2 → v8.23.0](https://github.com/gitleaks/gitleaks/compare/v8.21.2...v8.23.0) - [github.com/ansible-community/ansible-lint: v24.10.0 → v24.12.2](https://github.com/ansible-community/ansible-lint/compare/v24.10.0...v24.12.2) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index acdd896..4671271 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,12 +41,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.21.2 + rev: v8.23.0 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.10.0 + rev: v24.12.2 hooks: - id: ansible-lint name: Ansible-lint From 46e23a7c4bb03e58ccdc9c533cb6057b9c377388 Mon Sep 17 00:00:00 2001 
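Review bot: The new `OPTIONAL | PATCH | Install Logrotate if missing` task is the only prelim task in view without `tags: always`, so a tag-filtered run (`--tags level1-server`) skips it, and 6.1.3.8, now gated on `'logrotate' in ansible_facts.packages` in the second hunk, then skips silently. That gate is also evaluated against facts gathered before this install, so even an untagged run will not configure logrotate on the run that installs it unless `ansible.builtin.package_facts` is re-gathered afterwards, or the 6.1.3.8 condition becomes `ubtu24cis_logrotate_pkg_install or 'logrotate' in ansible_facts.packages`. I cannot see where package_facts is gathered in prelim, so treat the ordering point as something to confirm.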
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 20 Jan 2025 17:45:16 +0000 Subject: [PATCH 15/39] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.23.0 → v8.23.1](https://github.com/gitleaks/gitleaks/compare/v8.23.0...v8.23.1) - [github.com/ansible-community/ansible-lint: v24.12.2 → v25.1.0](https://github.com/ansible-community/ansible-lint/compare/v24.12.2...v25.1.0) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4671271..c80dacd 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,12 +41,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.23.0 + rev: v8.23.1 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.12.2 + rev: v25.1.0 hooks: - id: ansible-lint name: Ansible-lint From bba53315f2496bd8589370c0ca5c3b41433ffbb1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Jan 2025 08:07:27 +0000 Subject: [PATCH 16/39] moved apt update order to assist with audit Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 74ee0c7..c5eac21 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -51,6 +51,11 @@ ansible.builtin.debug: msg: "{{ prelim_mount_point_fs_and_options }}" +- name: "PRELIM | PATCH | Run apt update" + tags: always + ansible.builtin.package: + update_cache: true + - name: Include audit specific variables when: - run_audit or audit_only 
@@ -70,14 +75,6 @@ ansible.builtin.import_tasks: file: pre_remediation_audit.yml -- name: "PRELIM | PATCH | Run apt update" - when: - - ubtu24cis_rule_1_2_1_1 or - ubtu24cis_rule_1_2_2_1 - tags: always - ansible.builtin.package: - update_cache: true - - name: "PRELIM | AUDIT | Wireless adapter pre-requisites" when: - ubtu24cis_rule_3_1_2 From 05e9d753284f6bc73a5fdfcc9b003033480eea2c Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 27 Jan 2025 17:53:22 +0000 Subject: [PATCH 17/39] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.23.1 → v8.23.2](https://github.com/gitleaks/gitleaks/compare/v8.23.1...v8.23.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c80dacd..a802c69 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,7 +41,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.23.1 + rev: v8.23.2 hooks: - id: gitleaks From 043fb4451b3b701d130038ef54b3add5c05e012b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 28 Jan 2025 10:53:33 +0000 Subject: [PATCH 18/39] Added auditd arm compatibility thanks to @arousseau-coveo for the excellent work Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 2 +- tasks/auditd.yml | 11 +++ templates/audit/99_auditd.rules.j2 | 135 ++++++++++++++++++++++++----- 3 files changed, 124 insertions(+), 24 deletions(-) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 52fc8bd..099ed41 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml 
@@ -8,7 +8,7 @@ audit_pkg_arch_name: AMD64 - name: Pre Audit Setup | Set audit package name | ARM64 - when: ansible_facts.machine == "arm64" + when: (ansible_facts.machine == "arm64" or ansible_facts.machine == "aarch64") ansible.builtin.set_fact: audit_pkg_arch_name: ARM64 diff --git a/tasks/auditd.yml b/tasks/auditd.yml index c998195..947a141 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -1,7 +1,18 @@ --- +# Since auditd rules are dependent on syscalls and syscall tables are architecture specific, +# we need to update the auditd rules depending on the architecture of the system. +# This task passed the syscalls table to the auditd template and updates the auditd rules +- name: "POST | AUDITD | Set supported_syscalls variable" + ansible.builtin.shell: ausyscall --dump | awk '{print $2}' + changed_when: false + failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ] + register: discovered_auditd_syscalls + - name: "POST | AUDITD | Apply auditd template for section 6.2.4.x" when: update_audit_template + vars: + supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}" ansible.builtin.template: src: audit/99_auditd.rules.j2 dest: /etc/audit/rules.d/99_auditd.rules diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index bde7b88..4c888da 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 
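Review bot: `POST | AUDITD | Set supported_syscalls variable` accepts rc 1 from `ausyscall --dump | awk ...`, and on rc 1 or a missing `ausyscall` binary `discovered_auditd_syscalls.stdout_lines` is empty, so every `{% if syscall in supported_syscalls %}` test in the template fails and the rendered rules contain `-S ` with nothing after it, which `augenrules --load` rejects; `failed_when: discovered_auditd_syscalls.stdout_lines | length == 0` (or an assert before templating) surfaces this instead of producing an unloadable ruleset. The task also has no `when: update_audit_template` or `tags`, unlike the template task it feeds, so it runs on every invocation. `ausyscall --dump` reports the native syscall table, so the `arch=b32` rules on x86_64 are filtered by the 64-bit list; a comment recording that assumption would help, and the header comment's "This task passed" should read "passes".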
@@ -10,22 +10,41 @@ -w /etc/sudoers.d -p wa -k scope {% endif %} {% if ubtu24cis_rule_6_2_3_2 %} --a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation --a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation +{% set syscalls = ["execve"] %} +{% set arch_syscalls = [] %} +{% for syscall in syscalls %} +{% if syscall in supported_syscalls %} +{{ arch_syscalls.append( syscall) }} +{% endif %} +{% endfor %} +-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation +-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation {% endif %} {% if ubtu24cis_rule_6_2_3_3 %} -w {{ ubtu24cis_sudo_logfile }} -p wa -k sudo_log_file {% endif %} {% if ubtu24cis_rule_6_2_3_4 %} --a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change --a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change --a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change --a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change +{% set syscalls = ["adjtimex","settimeofday","clock_settime"] %} +{% set arch_syscalls = [] %} +{% for syscall in syscalls %} +{% if syscall in supported_syscalls %} +{{ arch_syscalls.append( syscall) }} +{% endif %} +{% endfor %} +-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change +-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change -w /etc/localtime -p wa -k time-change {% endif %} {% if ubtu24cis_rule_6_2_3_5 %} --a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale --a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale +{% set syscalls = ["sethostname","setdomainname"] %} +{% set arch_syscalls = [] %} +{% for syscall in syscalls %} +{% if syscall in supported_syscalls %} +{{ arch_syscalls.append( syscall) }} +{% endif %} +{% endfor %} +-a always,exit -F arch=b64 -S {{ 
arch_syscalls|join(',') }} -k system-locale +-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale @@ -41,10 +60,17 @@ {% endif %} {% endif %} {% if ubtu24cis_rule_6_2_3_7 %} --a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +{% set syscalls = ["creat","open","openat","truncate","ftruncate"] %} +{% set arch_syscalls = [] %} +{% for syscall in syscalls %} +{% if syscall in supported_syscalls %} +{{ arch_syscalls.append( syscall) }} +{% endif %} +{% endfor %} +-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access {% endif %} {% if ubtu24cis_rule_6_2_3_8 %} -w /etc/group -p wa -k identity 
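Review bot: The ten-line `set`/`for`/`append` block is repeated for every rule group in this hunk and in the later hunks of the file (`@@ -41,10`, `@@ -57,16`, `@@ -78,8`, `@@ -99,7`), and the `{{ arch_syscalls.append( syscall) }}` expression lines emit output into `99_auditd.rules` (a blank line at best, depending on how the environment finalizes `None`); a single filter expression replaces each block: `{% set arch_syscalls = ["execve"] | select('in', supported_syscalls) | list %}`. Each `-a ... -S {{ arch_syscalls|join(',') }} ...` line also needs an `{% if arch_syscalls %}` guard, because an empty list renders `-S ` with no syscalls and the rules file fails to load. The template header that defines how `supported_syscalls` arrives is outside the hunk.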
@@ -57,16 +83,65 @@ -w /etc/pam.d -p wa -k identity {% endif %} {% if ubtu24cis_rule_6_2_3_9 %} --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod --a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod +{% set syscalls = ["chmod","fchmod","fchmodat"] %} +{% set arch_syscalls = [] %} +{% for syscall in syscalls %} +{% if syscall in supported_syscalls %} +{{ arch_syscalls.append( syscall) }} +{% endif %} +{% endfor %} +-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod +{% set syscalls = ["chown","fchown","lchown","fchownat"] %} +{% set arch_syscalls = [] %} +{% for syscall in syscalls %} +{% if syscall in supported_syscalls %} +{{ arch_syscalls.append( syscall) }} +{% endif %} +{% endfor %} +-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod +{% set syscalls = ["etxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %} +{% set arch_syscalls = [] %} +{% for syscall in syscalls %} +{% if syscall in supported_syscalls %} +{{ arch_syscalls.append( syscall) }} +{% endif %} +{% endfor %} +-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod +{% set syscalls = ["chmod","fchmod","fchmodat"] %} +{% set arch_syscalls = [] %} +{% for syscall in syscalls %} +{% if syscall in supported_syscalls %} +{{ arch_syscalls.append( syscall) }} +{% endif %} +{% endfor 
%} +-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod +{% set syscalls = ["chown","fchown","lchown","fchownat"] %} +{% set arch_syscalls = [] %} +{% for syscall in syscalls %} +{% if syscall in supported_syscalls %} +{{ arch_syscalls.append( syscall) }} +{% endif %} +{% endfor %} +-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod +{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %} +{% set arch_syscalls = [] %} +{% for syscall in syscalls %} +{% if syscall in supported_syscalls %} +{{ arch_syscalls.append( syscall) }} +{% endif %} +{% endfor %} +-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod {% endif %} {% if ubtu24cis_rule_6_2_3_10 %} --a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts --a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts +{% set syscalls = ["mount"] %} +{% set arch_syscalls = [] %} +{% for syscall in syscalls %} +{% if syscall in supported_syscalls %} +{{ arch_syscalls.append( syscall) }} +{% endif %} +{% endfor %} +-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k mounts +-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k mounts {% endif %} {% if ubtu24cis_rule_6_2_3_11 %} -w /var/run/utmp -p wa -k session 
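Review bot: The b64 xattr group in this hunk lists `"etxattr"` instead of `"setxattr"`, so `setxattr` is never found in `supported_syscalls` and the 64-bit perm_mod rule silently drops it, whereas the b32 group further down in the same hunk spells it correctly. Because the `in supported_syscalls` filter discards unknown names without error, this kind of typo is invisible at render time; fix the literal to `{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}` and consider a comment noting that misspelt names are dropped rather than rejected.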
@@ -78,8 +153,15 @@ -w /var/run/faillock -p wa -k logins {% endif %} {% if ubtu24cis_rule_6_2_3_13 %} --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete +{% set syscalls = ["unlink","unlinkat","rename","renameat"] %} +{% set arch_syscalls = [] %} +{% for syscall in syscalls %} +{% if syscall in supported_syscalls %} +{{ arch_syscalls.append( syscall) }} +{% endif %} +{% endfor %} +-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k delete +-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k delete {% endif %} {% if ubtu24cis_rule_6_2_3_14 %} -w /etc/apparmor/ -p wa -k MAC-policy @@ -99,7 +181,14 @@ {% endif %} {% if ubtu24cis_rule_6_2_3_19 %} -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -k kernel_modules --a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=-1 -k kernel_modules +{% set syscalls = ["init_module","finit_module","delete_module"] %} +{% set arch_syscalls = [] %} +{% for syscall in syscalls %} +{% if syscall in supported_syscalls %} +{{ arch_syscalls.append( syscall) }} +{% endif %} +{% endfor %} +-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=-1 -k kernel_modules {% endif %} {% if ubtu24cis_rule_6_2_3_20 %} -e 2 From a167970bcf32b45bc35f975bcf10583affc27fb9 Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 3 Feb 2025 18:04:53 +0000 Subject: [PATCH 19/39] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.23.2 → v8.23.3](https://github.com/gitleaks/gitleaks/compare/v8.23.2...v8.23.3) - [github.com/ansible-community/ansible-lint: v25.1.0 → v25.1.1](https://github.com/ansible-community/ansible-lint/compare/v25.1.0...v25.1.1) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a802c69..e4e845e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,12 +41,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.23.2 + rev: v8.23.3 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.1.0 + rev: v25.1.1 hooks: - id: ansible-lint name: Ansible-lint From 8a38650658ed5fc7044395e465990c0000abe892 Mon Sep 17 00:00:00 2001 From: Shawn Hardwick Date: Wed, 5 Feb 2025 11:59:30 -0500 Subject: [PATCH 20/39] Add ignore_apt_update_changed_when default variable to allow users to specify changed_when behavior of apt update task; allows for idempotency checks (like Molecule) Signed-off-by: Shawn Hardwick --- defaults/main.yml | 4 ++++ tasks/prelim.yml | 1 + 2 files changed, 5 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index d37ae5e..54d7aac 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -626,6 +626,10 @@ ubtu24cis_desktop_required: false # This will also purge any packages not removed via this playbook ubtu24cis_purge_apt: false +## Ignore change_when for apt update task +# Modifies behavior of 'changed_when' for 'apt update' task in prelim that always changes +ignore_apt_update_changed_when: false + ## ## Section 1 Control Variables ## 
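Review bot: `ignore_apt_update_changed_when` is the only variable in this defaults hunk without the role's `ubtu24cis_` prefix (compare `ubtu24cis_purge_apt` just above it), which makes it easy to miss in inventories and to collide with a same-named variable from another role. Rename it to `ubtu24cis_ignore_apt_update_changed_when` here and in the `changed_when:` in tasks/prelim.yml that reads it. The comment would also read better stating the effect rather than the mechanism, e.g. `# When true, the apt cache refresh in prelim reports ok instead of changed, so idempotency checks (Molecule) pass`.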
diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c5eac21..8dbd904 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -55,6 +55,7 @@ tags: always ansible.builtin.package: update_cache: true + changed_when: not ignore_apt_update_changed_when - name: Include audit specific variables when: From 1cf3c4d58b405072aa5e9f1e6d186f4a9cd230b0 Mon Sep 17 00:00:00 2001 From: Shawn Hardwick Date: Wed, 5 Feb 2025 12:02:23 -0500 Subject: [PATCH 21/39] Update regexp for rule 2.1.21 to be more strict when updating line in file; allows task to be idempotent with itself Signed-off-by: Shawn Hardwick --- tasks/section_2/cis_2.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 19cacd2..166cd5d 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -699,7 +699,7 @@ notify: Restart postfix ansible.builtin.lineinfile: path: /etc/postfix/main.cf - regexp: '^(#)?inet_interfaces' + regexp: '^(#)?inet_interfaces\s*=(?!\s*loopback-only\s*).*' line: 'inet_interfaces = loopback-only' - name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | Message out other main agents" From 4af134cd74760fdde2cc422b470196a10077eabd Mon Sep 17 00:00:00 2001 From: Shawn Hardwick Date: Wed, 5 Feb 2025 12:03:30 -0500 Subject: [PATCH 22/39] Update rule 5.4.1.5 to use shell task which supports pipes instead of command task; previously this would silently fail Signed-off-by: Shawn Hardwick --- tasks/section_5/cis_5.4.1.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index ccb0427..bb2019e 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml 
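Review bot: The new regexp still accepts a leading `#`, and lineinfile rewrites only the last matching line, so on a main.cf where an active `inet_interfaces = all` is followed by a commented-out `#inet_interfaces ...` line the comment is the one replaced and postfix keeps listening on all interfaces, which is exactly what 2.1.21 is meant to stop; whether Ubuntu's generated main.cf has such a layout is not visible here, but hand-edited files commonly do. Matching only live settings, `regexp: '^inet_interfaces\s*=(?!\s*loopback-only\s*$).*'`, makes the replaced line the one postfix honours (postfix uses the last occurrence of a parameter), and anchoring the lookahead with `$` keeps the idempotency the commit is after: an already-correct line is left alone and lineinfile then finds the exact `line` present. A commented-out default is harmless to leave in place.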
@@ -130,13 +130,13 @@ - login block: - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | General setting" - ansible.builtin.command: useradd -D | grep INACTIVE | cut -d= -f2 + ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2 changed_when: false failed_when: false register: discovered_passwd_inactive_setting - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured| Set inactive period for new users" - when: discovered_passwd_inactive_setting.stdout != ubtu24cis_pass_inactive | string + when: discovered_passwd_inactive_setting.stdout != (ubtu24cis_pass_inactive | string) ansible.builtin.command: useradd -D -f {{ ubtu24cis_pass_inactive }} failed_when: false changed_when: true From a9df5eb9128470245c21d24b8155fd255a7b86f8 Mon Sep 17 00:00:00 2001 From: Shawn Hardwick Date: Wed, 5 Feb 2025 12:06:02 -0500 Subject: [PATCH 23/39] Set a default variable value for control_1_3_1_4_was_run; if only level1-server tasks are executed, this variable is never set and tasks fail Signed-off-by: Shawn Hardwick --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index 54d7aac..79c677c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -651,6 +651,7 @@ ubtu24cis_tmp_svc: false # The following variables are related to the set of rules from section 1.6.1.x ## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode +control_1_3_1_4_was_run: false # This variable disables the implementation of rules 1.3.1.3 and 1.3.1.4 # regarding enforcing profiles or putting them in complain mode From 9a2a7ad96f9ee4d257e6dc6d44125fe071346503 Mon Sep 17 00:00:00 2001 From: Shawn Hardwick Date: Wed, 5 Feb 2025 12:08:20 -0500 Subject: [PATCH 24/39] If prelim_auditd_logfile does not evaluate, check mode will fail on rule 6.2.4.3 with 'file () is absent, cannot continue' error 
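Review bot: The PATCH task in this hunk still carries `failed_when: false` on `useradd -D -f {{ ubtu24cis_pass_inactive }}`, so a value useradd rejects or an unwritable /etc/default/useradd is reported as a successful, changed control; drop that line, or register the result and fail on `rc != 0`. Switching the audit to `shell:` makes the pipe work, but without `set -o pipefail` (with `args: executable: /bin/bash`) a failing `useradd -D` still returns rc 0 from `cut`, and ansible-lint's risky-shell-pipe rule will flag the task as written. An empty stdout from such a failure compares unequal to the desired value and triggers the PATCH every run, which hides the audit problem behind a non-idempotent task. The enclosing block (the `- login` tag and `block:` shown as context) starts outside the hunk.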
Signed-off-by: Shawn Hardwick --- tasks/prelim.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 8dbd904..9930ab5 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -230,6 +230,7 @@ tags: always ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'" changed_when: false + check_mode: false failed_when: prelim_auditd_logfile.rc not in [ 0, 1 ] register: prelim_auditd_logfile From a929843683d131d0424d9c29f670d639fff14d2d Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 10 Feb 2025 17:53:59 +0000 Subject: [PATCH 25/39] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v25.1.1 → v25.1.2](https://github.com/ansible-community/ansible-lint/compare/v25.1.1...v25.1.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e4e845e..401d32e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,7 +46,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.1.1 + rev: v25.1.2 hooks: - id: ansible-lint name: Ansible-lint From 2bb9240aae4132557a4318ebe241194cde13f051 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Feb 2025 11:28:10 +0000 Subject: [PATCH 26/39] addressed #9 thanks to @kerjox Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 4327503..f271f9f 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml 
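Review bot: `check_mode: false` lets the grep run under `--check`, but the case the commit message describes, an auditd.conf with no `log_file` line, still leaves `prelim_auditd_logfile.stdout` empty and 6.2.4.3 presumably still fails on `''` in a real run too. Give the value a fallback where it is consumed, or in a following `set_fact`, e.g. `prelim_auditd_logfile_path: "{{ prelim_auditd_logfile.stdout | default('/var/log/audit/audit.log', true) }}"`, the path auditd's shipped configuration uses. Note also that the pipeline's rc is awk's, so the `failed_when` tolerance of rc 1 rarely does anything; with pipefail the no-match case would be the one returning 1.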
@@ -18,7 +18,7 @@ dest: "{{ ubtu24cis_grub_user_file }}" owner: root group: root - mode: 'go-w' + mode: '0755' notify: Grub update - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot" From fdcee67e0a18a0cbf28b2496fbea3a4dcdfc4d71 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Feb 2025 11:58:46 +0000 Subject: [PATCH 27/39] addressed #15 thanks tou @WhiteRoseLK Signed-off-by: Mark Bolwell --- tasks/section_7/cis_7.2.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index e5a555a..a94f48a 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -309,7 +309,7 @@ warn_control_id: '7.2.10' block: - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Check for files" - ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w + ansible.builtin.shell: find /home/ /root/ -name "\.*" -type f -perm /u+x,g+wx,o+wx changed_when: false failed_when: discovered_homedir_dot_files.rc not in [ 0, 1 ] check_mode: false @@ -336,5 +336,5 @@ - ubtu24cis_dotperm_ansiblemanaged ansible.builtin.file: path: '{{ item }}' - mode: 'go-w' + mode: 'u-x,go-wx' with_items: "{{ discovered_homedir_dot_files.stdout_lines }}" From dae6f8ab9f62afb42b8fc30baa1edc0908d7c463 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Feb 2025 11:59:54 +0000 Subject: [PATCH 28/39] issue #12 addressed moduel update thanks to @VitaliySynytskyi Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.2.1.x.yml b/tasks/section_6/cis_6.2.1.x.yml index f016fd9..2580628 100644 --- a/tasks/section_6/cis_6.2.1.x.yml +++ b/tasks/section_6/cis_6.2.1.x.yml @@ -30,7 +30,7 @@ - NIST800-53R5_AU-3 - NIST800-53R5_AU-12 - auditd - ansible.builtin.service: + ansible.builtin.systemd_service: name: auditd state: started enabled: true 
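Review bot: `mode: '0755'` makes the GRUB user file world-readable, and if, as the `ubtu24cis_grub_user`/`ubtu24cis_bootloader_password_hash` variables suggest, this template writes the `password_pbkdf2` superuser line, any local account can now read the PBKDF2 hash and crack it offline. Scripts under /etc/grub.d only need to be executable by root, because `grub-mkconfig`/`update-grub` run as root, so `mode: '0700'` gives the execute bit the `Grub update` handler needs without exposing the hash; if `ubtu24cis_grub_user_file` is not a grub.d script, `'0600'` is enough. The template task this mode belongs to starts outside the hunk.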
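Review bot: The rewritten `find` in the first 7.2.10 hunk has neither `-xdev` nor a depth limit, so it descends into anything mounted under /home or /root (NFS or autofs home shares, bind mounts) and into every hidden directory, and the `file:` loop in the second hunk then strips `u-x,go-wx` from every dotted-name regular file at any depth, for example scripts kept in a `~/.dotfiles` checkout. Add `-xdev`, and if the control is about the dot files in the home directory itself, `-maxdepth 1` as well; the benchmark's exact scope for 7.2.10 is not visible here. Both hunks sit inside the 7.2.10 block whose header and intervening tasks are outside the hunk.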
From 889377b507d8b90a6d4e652610878a74f8baaeb8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Feb 2025 12:00:29 +0000 Subject: [PATCH 29/39] updated for precommit Signed-off-by: Mark Bolwell --- .gitignore | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.gitignore b/.gitignore index 4e3ce79..5a4e7ab 100644 --- a/.gitignore +++ b/.gitignore @@ -43,3 +43,7 @@ benchparse/ # GitHub Action/Workflow files .github/ + + +# Precommit +.ansible/ From a290776eee70723bdbfe19206ec55dd3f8368fc1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Feb 2025 12:06:57 +0000 Subject: [PATCH 30/39] issue #10 thanks to cf-sewe Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/handlers/main.yml b/handlers/main.yml index 64b0aad..15636b6 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -240,6 +240,8 @@ when: ('"No change" not in discovered_augenrules_check.stdout') or prelim_auditd_immutable_check.rc == 1 ansible.builtin.command: augenrules --load changed_when: true + failed_when: discovered_augenrule_load.rc not in [ 0, 1 ] + register: discovered_augenrule_load - name: Audit_immutable_fact when: From 5553ddb0a8ca460aafd2952647abe583770078b7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Feb 2025 09:52:24 +0000 Subject: [PATCH 31/39] updated rules for 4.4.x.x thanks to issue #19 Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.4.1.x.yml | 362 -------------------------------- tasks/section_4/main.yml | 2 +- 2 files changed, 1 insertion(+), 363 deletions(-) diff --git a/tasks/section_4/cis_4.4.1.x.yml b/tasks/section_4/cis_4.4.1.x.yml index 32b0c0d..9e95182 100644 --- a/tasks/section_4/cis_4.4.1.x.yml +++ b/tasks/section_4/cis_4.4.1.x.yml 
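Review bot: `failed_when: discovered_augenrule_load.rc not in [ 0, 1 ]` turns any `augenrules --load` failure into a silent pass: a malformed rule in the generated file, not just the immutable-mode case the `when:` already distinguishes, returns 1 and the play reports success while the previous rule set stays loaded, so missing audit coverage produces no signal. If rc 1 must be tolerated only because rules cannot be reloaded once `-e 2` is active, tie the tolerance to whichever `prelim_auditd_immutable_check.rc` value means immutable mode is on (that fact is set in prelim, outside this hunk), e.g. `failed_when: discovered_augenrule_load.rc != 0 and not <immutable active>`, and add `changed_when: discovered_augenrule_load.rc == 0` so a rejected load is not reported as a change. The `when:` line is shown as context and the rest of the handler list is outside the hunk.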
@@ -48,365 +48,3 @@ ansible.builtin.package: name: ufw state: absent - -- name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy" - when: - - ubtu24cis_rule_4_4_1_1 - - ubtu24cis_ipv4_required - - not system_is_ec2 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.4.1.1 - - iptables - block: - - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in" - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - notify: Iptables persistent - - - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out" - ansible.builtin.iptables: - chain: OUTPUT - protocol: tcp - source_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - notify: Iptables persistent - - - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic" - ansible.builtin.iptables: - chain: INPUT - ctstate: 'ESTABLISHED' - jump: ACCEPT - notify: Iptables persistent - - - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Set drop items" - ansible.builtin.iptables: - policy: DROP - chain: "{{ item }}" - notify: Iptables persistent - with_items: - - INPUT - - FORWARD - - OUTPUT - -- name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured" - when: - - ubtu24cis_rule_4_4_1_2 - - ubtu24cis_firewall_package == "iptables" - - ubtu24cis_ipv4_required - tags: - - level1-server - - level1-workstation - - patch - - rule_4.4.1.2 - - iptables - block: - - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - notify: Iptables persistent - - - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: OUTPUT - out_interface: lo - 
jump: ACCEPT - notify: Iptables persistent - - - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: INPUT - source: 127.0.0.0/8 - jump: DROP - notify: Iptables persistent - -- name: "4.4.1.3 | PATCH | Ensure iptables outbound and established connections are configured" - when: - - ubtu24cis_rule_4_4_1_3 - - ubtu24cis_firewall_package == "iptables" - - ubtu24cis_ipv4_required - tags: - - level1-server - - level1-workstation - - patch - - rule_4.4.1.3 - - iptables - ansible.builtin.iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - notify: Iptables persistent - with_items: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } - -- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" - when: - - ubtu24cis_rule_4_4_1_4 - - ubtu24cis_firewall_package == "iptables" - - ubtu24cis_ipv4_required - tags: - - level1-server - - level1-workstation - - audit - - rule_4.4.1.4 - - iptables - vars: - warn_control_id: '4.4.1.4' - block: - - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.command: ss -4tuln - changed_when: false - failed_when: false - check_mode: false - register: discovered_open_ports - - - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.command: iptables -L INPUT -v -n - changed_when: false - failed_when: false - check_mode: false - register: discovered_current_rules - - - 
name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings" - ansible.builtin.debug: - msg: - - "Warning!! Below is the list the open ports and current rules" - - "Please create a rule for any open port that does not have a current rule" - - "Open Ports:" - - "{{ discovered_open_ports.stdout_lines }}" - - "Current Rules:" - - "{{ discovered_current_rules.stdout_lines }}" - - - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - -# --------------- -# --------------- -# This is not a control however using the iptables module only writes to memery -# if a reboot occurs that means changes can revert. This task will make the -# above iptables settings permanent -# --------------- -# --------------- -# - name: "Make IPTables persistent | Not a control" -# block: -# - name: "Make IPTables persistent | Install iptables-persistent" -# ansible.builtin.package: -# name: iptables-persistent -# state: present - -# - name: "Make IPTables persistent | Save to persistent files" -# ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" -# changed_when: discovered_iptables_save.rc == 0 -# failed_when: discovered_iptables_save.rc > 0 -# register: discovered_iptables_save -# when: -# - ubtu24cis_firewall_package == "iptables" -# - ubtu24cis_save_iptables_cis_rules -# - ubtu24cis_rule_4_4_1_1 or -# ubtu24cis_rule_4_4_1_2 or -# ubtu24cis_rule_4_4_1_3 or -# ubtu24cis_rule_4_4_1_4 - -- name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy" - when: - - ubtu24cis_rule_4_4_1_1 - - ubtu24cis_ipv6_required - tags: - - level1-server - - level1-workstation - - patch - - rule_4.4.1.1 - - ip6tables - block: - - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" - ansible.builtin.iptables: - chain: OUTPUT - protocol: tcp - source_port: 22 - jump: ACCEPT - 
ctstate: 'NEW,ESTABLISHED' - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic" - ansible.builtin.iptables: - chain: INPUT - ctstate: 'ESTABLISHED' - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" - ansible.builtin.iptables: - policy: DROP - chain: "{{ item }}" - ip_version: ipv6 - notify: Ip6tables persistent - loop: - - INPUT - - FORWARD - - OUTPUT - -- name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured" - when: - - ubtu24cis_rule_4_4_1_2 - - ubtu24cis_firewall_package == "iptables" - - ubtu24cis_ipv6_required - - not ubtu24cis_ipv4_required - tags: - - level1-server - - level1-workstation - - patch - - rule_4.4.1.2 - - ip6tables - block: - - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop" - ansible.builtin.iptables: - action: append - chain: INPUT - source: ::1 - jump: DROP - ip_version: ipv6 - notify: Ip6tables persistent - -- name: "4.4.1.3 | PATCH | Ensure ip6tables outbound and established connections are configured" - when: - - ubtu24cis_rule_4_4_1_3 - - ubtu24cis_firewall_package == "iptables" - - ubtu24cis_ipv6_required - - not ubtu24cis_ipv4_required - tags: - - level1-server - - level1-workstation - - patch - - rule_4.4.1.3 - - ip6tables - ansible.builtin.iptables: - action: append - chain: 
'{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - loop: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } - -- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" - when: - - ubtu24cis_rule_4_4_1_4 - - ubtu24cis_firewall_package == "iptables" - - ubtu24cis_ipv6_required - - not ubtu24cis_ipv4_required - tags: - - level1-server - - level1-workstation - - audit - - rule_4.4.1.4 - - ip6tables - vars: - warn_control_id: '4.4.1.4' - block: - - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.command: ss -6tuln - changed_when: false - failed_when: false - check_mode: false - register: discovered_open_ports - - - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.command: ip6tables -L INPUT -v -n - changed_when: false - failed_when: false - check_mode: false - register: discovered_current_rules - - - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings" - ansible.builtin.debug: - msg: - - "Warning!! 
Below is the list the open ports and current rules" - - "Please create a rule for any open port that does not have a current rule" - - "Open Ports:" - - "{{ discovered_open_ports.stdout_lines }}" - - "Current Rules:" - - "{{ discovered_current_rules.stdout_lines }}" - - - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - -# --------------- -# --------------- -# This is not a control however using the ip6tables module only writes to memery -# if a reboot occurs that means changes can revert. This task will make the -# above ip6tables settings permanent -# --------------- -# --------------- -# via handler -# - name: "Make IP6Tables persistent | Not a control" -# block: -# - name: "Make IP6Tables persistent | Install iptables-persistent" -# ansible.builtin.package: -# name: iptables-persistent -# state: present -# when: "'iptables-persistent' not in ansible_facts.packages" - -# - name: "Make IP6Tables persistent | Save to persistent files" -# ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6" -# changed_when: discovered_ip6tables_save.rc == 0 -# failed_when: discovered_ip6tables_save.rc > 0 -# register: discovered_ip6tables_save -# when: -# - ubtu24cis_firewall_package == "iptables" -# - ubtu24cis_ipv6_required -# - not ubtu24cis_ipv4_required -# - ubtu24cis_save_iptables_cis_rules -# - ubtu24cis_rule_4_4_1_1 or -# ubtu24cis_rule_4_4_1_2 or -# ubtu24cis_rule_4_4_1_3 or -# ubtu24cis_rule_4_4_1_4 diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index c8ba0ea..3343d38 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -15,7 +15,7 @@ file: cis_4.3.x.yml - name: "SECTION | 4.4.1.x | Configure iptables software" - when: ubtu24cis_firewall_package == "nftables" + when: ubtu24cis_firewall_package == "iptables" ansible.builtin.import_tasks: file: cis_4.4.1.x.yml 
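Review bot: With the `when:` fixed to `"iptables"`, the file it imports now only installs iptables and removes ufw after this commit (the `state: absent` context at the top of the deleted hunk), so a host with `ubtu24cis_firewall_package: iptables` ends up with its previous firewall removed and, unless 4.4.2.x/4.4.3.x task files exist elsewhere in section_4 (not visible here), no default-deny policy, loopback or established-connection rules; iptables' built-in chain policy is ACCEPT. Either reintroduce the IPv4/IPv6 rule tasks under the benchmark's 4.4.2.x/4.4.3.x numbering, or state in defaults next to `ubtu24cis_firewall_package` that the role no longer manages iptables rules and that `iptables` should only be selected where rules are managed elsewhere. The section task list continues outside the hunk.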
From 764b0eaa63a7db6c1432f27b4200e77414c68716 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Feb 2025 09:56:37 +0000 Subject: [PATCH 32/39] removed tag typo in 5.1.7 #20 Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 4f2a377..5550e18 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -187,7 +187,7 @@ - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - - sshdd + - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "{{ item.regexp }}" From fca0434bb342b86366216601ed924361f1c8024f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Feb 2025 16:46:42 +0000 Subject: [PATCH 33/39] Lint Signed-off-by: Mark Bolwell --- .gitignore | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitignore b/.gitignore index 5a4e7ab..609a095 100644 --- a/.gitignore +++ b/.gitignore @@ -44,6 +44,5 @@ benchparse/ # GitHub Action/Workflow files .github/ - # Precommit .ansible/ From 39efaecdd25a1fd9a0415c2338d916e9197037a4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Feb 2025 17:09:21 +0000 Subject: [PATCH 34/39] Added updated for 5.1.1 to ignore ec2 based ssh config perms change Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.1.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 5550e18..7261726 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -26,6 +26,7 @@ register: discovered_sshd_confs - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" + when: (item.path != "'/etc/ssh/sshd_config.d/60-cloudimg-settings.conf'" and system_is_ec2 ) ansible.builtin.file: path: "{{ item.path }}" recurse: false From 345928b74fa3a4ea4da211a9fdc689b67d39de43 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Fri, 21 Feb 2025 09:45:33 +0000 Subject: [PATCH 35/39] updated 5.1.1 logic for ec2 image Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 7261726..7a55bda 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -26,7 +26,7 @@ register: discovered_sshd_confs - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" - when: (item.path != "'/etc/ssh/sshd_config.d/60-cloudimg-settings.conf'" and system_is_ec2 ) + when: (item.path != '/etc/ssh/sshd_config.d/60-cloudimg-settings.conf' and system_is_ec2 ) ansible.builtin.file: path: "{{ item.path }}" recurse: false From 0835a05b08b5075006d10bb3bf62f548d77bdddb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 21 Feb 2025 11:13:47 +0000 Subject: [PATCH 36/39] reset 5.1.1 settings Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.1.x.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 7a55bda..5550e18 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -26,7 +26,6 @@ register: discovered_sshd_confs - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" - when: (item.path != '/etc/ssh/sshd_config.d/60-cloudimg-settings.conf' and system_is_ec2 ) ansible.builtin.file: path: "{{ item.path }}" recurse: false From 39507838e668e9af0cc2ef314901af051fd9b467 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 21 Feb 2025 11:15:52 +0000 Subject: [PATCH 37/39] added workaround for ssh-server patching breaks /run/ssh Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.2.x.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/tasks/section_1/cis_1.2.2.x.yml b/tasks/section_1/cis_1.2.2.x.yml index cdf842c..92eb1c7 100644 
--- a/tasks/section_1/cis_1.2.2.x.yml +++ b/tasks/section_1/cis_1.2.2.x.yml @@ -9,6 +9,14 @@ - rule_1.2.2.1 - NIST800-53R5_SI-2 - patch - ansible.builtin.package: - name: "*" - state: latest + block: + - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installedi | Update" + ansible.builtin.package: + name: "*" + state: latest + register: discovered_pkg_updates + + # Resetting connection as ssh stops if patched reset connection kickstarts it + - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed | reset ansible connection if ssh updated" + when: "'openssh-server' in discovered_pkg_updates.stdout" + ansible.builtin.meta: reset_connection From 29febe9be26d275bc03318c899a57c69ede713f1 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 24 Feb 2025 17:24:30 +0000 Subject: [PATCH 38/39] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.23.3 → v8.24.0](https://github.com/gitleaks/gitleaks/compare/v8.23.3...v8.24.0) - [github.com/ansible-community/ansible-lint: v25.1.2 → v25.1.3](https://github.com/ansible-community/ansible-lint/compare/v25.1.2...v25.1.3) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 401d32e..4791982 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,12 +41,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.23.3 + rev: v8.24.0 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.1.2 + rev: v25.1.3 hooks: - id: ansible-lint name: Ansible-lint From ef9d8ef176dad20b0e603ec5e06b2e1a76435943 Mon Sep 17 00:00:00 2001 
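Review bot: `'openssh-server' in discovered_pkg_updates.stdout` assumes the registered result carries a `stdout` key, which the `package` action only has when the backend it delegates to returns one; a check-mode run or a backend that reports through `msg` only would make the conditional itself error instead of skipping, so use `'openssh-server' in (discovered_pkg_updates.stdout | default(''))`. Matching the package name in apt's output also fires when openssh-server is merely listed as kept back or as a dependency; that only costs a harmless reconnect, but a comment saying so would save the next reader the question. The first task's name has a typo, `installedi`.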
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 17 Mar 2025 17:28:27 +0000 Subject: [PATCH 39/39] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/adrienverge/yamllint.git: v1.35.1 → v1.36.2](https://github.com/adrienverge/yamllint.git/compare/v1.35.1...v1.36.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4791982..d7c341f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -65,7 +65,7 @@ repos: # - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.35.1 # or higher tag + rev: v1.36.2 # or higher tag hooks: - id: yamllint name: Check YAML Lint