From 2bb9240aae4132557a4318ebe241194cde13f051 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Feb 2025 11:28:10 +0000 Subject: [PATCH 01/12] addressed #9 thanks to @kerjox Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 4327503..f271f9f 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -18,7 +18,7 @@ dest: "{{ ubtu24cis_grub_user_file }}" owner: root group: root - mode: 'go-w' + mode: '0755' notify: Grub update - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot" From fdcee67e0a18a0cbf28b2496fbea3a4dcdfc4d71 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Feb 2025 11:58:46 +0000 Subject: [PATCH 02/12] addressed #15 thanks tou @WhiteRoseLK Signed-off-by: Mark Bolwell --- tasks/section_7/cis_7.2.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index e5a555a..a94f48a 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -309,7 +309,7 @@ warn_control_id: '7.2.10' block: - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Check for files" - ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w + ansible.builtin.shell: find /home/ /root/ -name "\.*" -type f -perm /u+x,g+wx,o+wx changed_when: false failed_when: discovered_homedir_dot_files.rc not in [ 0, 1 ] check_mode: false @@ -336,5 +336,5 @@ - ubtu24cis_dotperm_ansiblemanaged ansible.builtin.file: path: '{{ item }}' - mode: 'go-w' + mode: 'u-x,go-wx' with_items: "{{ discovered_homedir_dot_files.stdout_lines }}" From dae6f8ab9f62afb42b8fc30baa1edc0908d7c463 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Feb 2025 11:59:54 +0000 Subject: [PATCH 03/12] issue #12 addressed moduel update thanks to @VitaliySynytskyi 
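Review bot: `mode: '0755'` makes the file written to `ubtu24cis_grub_user_file` world-readable, and this task sits under "1.4.1 | PATCH | Ensure bootloader password is set", so if that file is what carries the grub superuser line and PBKDF2 hash, every local account can read the hash and crack it offline — the same exposure CIS closes on grub.cfg with 0600. The execute bit is presumably what `go-w` failed to guarantee on a freshly created file and why a numeric mode was chosen (grub-mkconfig runs the /etc/grub.d scripts), but it executes them as root, so `mode: '0700'` keeps update-grub working while removing the read for everyone else. If the file is only a sourced fragment rather than a script, `mode: '0600'` is enough. Confirm against the template content, which is outside this hunk.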
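Review bot: The new `find /home/ /root/ -name "\.*" -type f -perm /u+x,g+wx,o+wx` walks every user's whole tree, not just the dot files directly in each home, so the follow-on chmod in this file will also strip the execute bit from any dot-named file nested anywhere below /home — as far as I recall the 7.2.10 audit only loops over `$home/.*`, so verify against the benchmark text. Home directories that live outside /home are also missed while /root is hard-coded; deriving the list from /etc/passwd (as other 7.2.x checks in this role may already do) would cover both. As a minimum, bound the walk with `-maxdepth 2` for the /home pass (and `-maxdepth 1` for /root), and since results are consumed via `with_items` over `stdout_lines`, a path containing a newline would be split into bogus entries. The enclosing block (`warn_control_id: '7.2.10'`) starts outside the hunk.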
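Review bot: `mode: 'u-x,go-wx'` now removes the owner execute bit from every matched dot file, which is a behaviour change from `go-w` that can break user login hooks — files such as `.xsession` or `.xinitrc` are sometimes kept executable on workstations and will silently stop being exec'd by the display manager afterwards. The task is opt-in via `ubtu24cis_dotperm_ansiblemanaged`, so this is acceptable, but the variable's documentation should state that execute is stripped as well, e.g. `# Note: also clears u+x on matched dot files; exclude files users must keep executable`, and an exclusion list the find honours (`-not -name '.xsession'` style) would let operators keep the control on without that breakage.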
Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.2.1.x.yml b/tasks/section_6/cis_6.2.1.x.yml index f016fd9..2580628 100644 --- a/tasks/section_6/cis_6.2.1.x.yml +++ b/tasks/section_6/cis_6.2.1.x.yml @@ -30,7 +30,7 @@ - NIST800-53R5_AU-3 - NIST800-53R5_AU-12 - auditd - ansible.builtin.service: + ansible.builtin.systemd_service: name: auditd state: started enabled: true From 889377b507d8b90a6d4e652610878a74f8baaeb8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Feb 2025 12:00:29 +0000 Subject: [PATCH 04/12] updated for precommit Signed-off-by: Mark Bolwell --- .gitignore | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.gitignore b/.gitignore index 4e3ce79..5a4e7ab 100644 --- a/.gitignore +++ b/.gitignore @@ -43,3 +43,7 @@ benchparse/ # GitHub Action/Workflow files .github/ + + +# Precommit +.ansible/ From a290776eee70723bdbfe19206ec55dd3f8368fc1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Feb 2025 12:06:57 +0000 Subject: [PATCH 05/12] issue #10 thanks to cf-sewe Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/handlers/main.yml b/handlers/main.yml index 64b0aad..15636b6 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -240,6 +240,8 @@ when: ('"No change" not in discovered_augenrules_check.stdout') or prelim_auditd_immutable_check.rc == 1 ansible.builtin.command: augenrules --load changed_when: true + failed_when: discovered_augenrule_load.rc not in [ 0, 1 ] + register: discovered_augenrule_load - name: Audit_immutable_fact when: From 5553ddb0a8ca460aafd2952647abe583770078b7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Feb 2025 09:52:24 +0000 Subject: [PATCH 06/12] updated rules for 4.4.x.x thanks to issue #19 
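Review bot: `ansible.builtin.systemd_service` is, I believe, the alias introduced in ansible-core 2.15 (older controllers only know `ansible.builtin.systemd`), so this one-line module swap raises the role's minimum controller version; confirm `min_ansible_version` in meta/main.yml and any `requires_ansible` are bumped to match, or keep `ansible.builtin.systemd`, which resolves on every release the role supports. Either way the change deserves a line in the changelog since it is a hard failure, not a deprecation, on an older controller.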
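Review bot: `failed_when: discovered_augenrule_load.rc not in [ 0, 1 ]` makes the handler report success when `augenrules --load` exits 1, which is also what it returns when a rule file fails to parse or the kernel rejects a rule, so audit rules the benchmark relies on can be silently absent after a run. If the intent of #10 is only to tolerate the immutable (`-e 2`) case, gate on `prelim_auditd_immutable_check.rc == 1` and leave rc 1 fatal otherwise, or follow the task with a `debug`/`fail` that surfaces `discovered_augenrule_load.stderr` whenever rc == 1 so the operator sees why rules did not load. Separately, the context line `when: ('"No change" not in discovered_augenrules_check.stdout') or …` appears to wrap a quoted string literal, which is always truthy in Jinja, so the handler presumably reloads on every notify — worth checking, though it predates this hunk.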
Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.4.1.x.yml | 362 -------------------------------- tasks/section_4/main.yml | 2 +- 2 files changed, 1 insertion(+), 363 deletions(-) diff --git a/tasks/section_4/cis_4.4.1.x.yml b/tasks/section_4/cis_4.4.1.x.yml index 32b0c0d..9e95182 100644 --- a/tasks/section_4/cis_4.4.1.x.yml +++ b/tasks/section_4/cis_4.4.1.x.yml 
@@ -48,365 +48,3 @@ ansible.builtin.package: name: ufw state: absent - -- name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy" - when: - - ubtu24cis_rule_4_4_1_1 - - ubtu24cis_ipv4_required - - not system_is_ec2 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.4.1.1 - - iptables - block: - - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in" - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - notify: Iptables persistent - - - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out" - ansible.builtin.iptables: - chain: OUTPUT - protocol: tcp - source_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - notify: Iptables persistent - - - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic" - ansible.builtin.iptables: - chain: INPUT - ctstate: 'ESTABLISHED' - jump: ACCEPT - notify: Iptables persistent - - - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Set drop items" - ansible.builtin.iptables: - policy: DROP - chain: "{{ item }}" - notify: Iptables persistent - with_items: - - INPUT - - FORWARD - - OUTPUT - -- name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured" - when: - - ubtu24cis_rule_4_4_1_2 - - ubtu24cis_firewall_package == "iptables" - - ubtu24cis_ipv4_required - tags: - - level1-server - - level1-workstation - - patch - - rule_4.4.1.2 - - iptables - block: - - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - notify: Iptables persistent - - - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: OUTPUT - out_interface: lo - 
jump: ACCEPT - notify: Iptables persistent - - - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: INPUT - source: 127.0.0.0/8 - jump: DROP - notify: Iptables persistent - -- name: "4.4.1.3 | PATCH | Ensure iptables outbound and established connections are configured" - when: - - ubtu24cis_rule_4_4_1_3 - - ubtu24cis_firewall_package == "iptables" - - ubtu24cis_ipv4_required - tags: - - level1-server - - level1-workstation - - patch - - rule_4.4.1.3 - - iptables - ansible.builtin.iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - notify: Iptables persistent - with_items: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } - -- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" - when: - - ubtu24cis_rule_4_4_1_4 - - ubtu24cis_firewall_package == "iptables" - - ubtu24cis_ipv4_required - tags: - - level1-server - - level1-workstation - - audit - - rule_4.4.1.4 - - iptables - vars: - warn_control_id: '4.4.1.4' - block: - - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.command: ss -4tuln - changed_when: false - failed_when: false - check_mode: false - register: discovered_open_ports - - - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.command: iptables -L INPUT -v -n - changed_when: false - failed_when: false - check_mode: false - register: discovered_current_rules - - - 
name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings" - ansible.builtin.debug: - msg: - - "Warning!! Below is the list the open ports and current rules" - - "Please create a rule for any open port that does not have a current rule" - - "Open Ports:" - - "{{ discovered_open_ports.stdout_lines }}" - - "Current Rules:" - - "{{ discovered_current_rules.stdout_lines }}" - - - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - -# --------------- -# --------------- -# This is not a control however using the iptables module only writes to memery -# if a reboot occurs that means changes can revert. This task will make the -# above iptables settings permanent -# --------------- -# --------------- -# - name: "Make IPTables persistent | Not a control" -# block: -# - name: "Make IPTables persistent | Install iptables-persistent" -# ansible.builtin.package: -# name: iptables-persistent -# state: present - -# - name: "Make IPTables persistent | Save to persistent files" -# ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" -# changed_when: discovered_iptables_save.rc == 0 -# failed_when: discovered_iptables_save.rc > 0 -# register: discovered_iptables_save -# when: -# - ubtu24cis_firewall_package == "iptables" -# - ubtu24cis_save_iptables_cis_rules -# - ubtu24cis_rule_4_4_1_1 or -# ubtu24cis_rule_4_4_1_2 or -# ubtu24cis_rule_4_4_1_3 or -# ubtu24cis_rule_4_4_1_4 - -- name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy" - when: - - ubtu24cis_rule_4_4_1_1 - - ubtu24cis_ipv6_required - tags: - - level1-server - - level1-workstation - - patch - - rule_4.4.1.1 - - ip6tables - block: - - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" - ansible.builtin.iptables: - chain: OUTPUT - protocol: tcp - source_port: 22 - jump: ACCEPT - 
ctstate: 'NEW,ESTABLISHED' - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic" - ansible.builtin.iptables: - chain: INPUT - ctstate: 'ESTABLISHED' - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" - ansible.builtin.iptables: - policy: DROP - chain: "{{ item }}" - ip_version: ipv6 - notify: Ip6tables persistent - loop: - - INPUT - - FORWARD - - OUTPUT - -- name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured" - when: - - ubtu24cis_rule_4_4_1_2 - - ubtu24cis_firewall_package == "iptables" - - ubtu24cis_ipv6_required - - not ubtu24cis_ipv4_required - tags: - - level1-server - - level1-workstation - - patch - - rule_4.4.1.2 - - ip6tables - block: - - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop" - ansible.builtin.iptables: - action: append - chain: INPUT - source: ::1 - jump: DROP - ip_version: ipv6 - notify: Ip6tables persistent - -- name: "4.4.1.3 | PATCH | Ensure ip6tables outbound and established connections are configured" - when: - - ubtu24cis_rule_4_4_1_3 - - ubtu24cis_firewall_package == "iptables" - - ubtu24cis_ipv6_required - - not ubtu24cis_ipv4_required - tags: - - level1-server - - level1-workstation - - patch - - rule_4.4.1.3 - - ip6tables - ansible.builtin.iptables: - action: append - chain: 
'{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - loop: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } - -- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" - when: - - ubtu24cis_rule_4_4_1_4 - - ubtu24cis_firewall_package == "iptables" - - ubtu24cis_ipv6_required - - not ubtu24cis_ipv4_required - tags: - - level1-server - - level1-workstation - - audit - - rule_4.4.1.4 - - ip6tables - vars: - warn_control_id: '4.4.1.4' - block: - - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.command: ss -6tuln - changed_when: false - failed_when: false - check_mode: false - register: discovered_open_ports - - - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.command: ip6tables -L INPUT -v -n - changed_when: false - failed_when: false - check_mode: false - register: discovered_current_rules - - - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings" - ansible.builtin.debug: - msg: - - "Warning!! 
Below is the list the open ports and current rules" - - "Please create a rule for any open port that does not have a current rule" - - "Open Ports:" - - "{{ discovered_open_ports.stdout_lines }}" - - "Current Rules:" - - "{{ discovered_current_rules.stdout_lines }}" - - - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - -# --------------- -# --------------- -# This is not a control however using the ip6tables module only writes to memery -# if a reboot occurs that means changes can revert. This task will make the -# above ip6tables settings permanent -# --------------- -# --------------- -# via handler -# - name: "Make IP6Tables persistent | Not a control" -# block: -# - name: "Make IP6Tables persistent | Install iptables-persistent" -# ansible.builtin.package: -# name: iptables-persistent -# state: present -# when: "'iptables-persistent' not in ansible_facts.packages" - -# - name: "Make IP6Tables persistent | Save to persistent files" -# ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6" -# changed_when: discovered_ip6tables_save.rc == 0 -# failed_when: discovered_ip6tables_save.rc > 0 -# register: discovered_ip6tables_save -# when: -# - ubtu24cis_firewall_package == "iptables" -# - ubtu24cis_ipv6_required -# - not ubtu24cis_ipv4_required -# - ubtu24cis_save_iptables_cis_rules -# - ubtu24cis_rule_4_4_1_1 or -# ubtu24cis_rule_4_4_1_2 or -# ubtu24cis_rule_4_4_1_3 or -# ubtu24cis_rule_4_4_1_4 diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index c8ba0ea..3343d38 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -15,7 +15,7 @@ file: cis_4.3.x.yml - name: "SECTION | 4.4.1.x | Configure iptables software" - when: ubtu24cis_firewall_package == "nftables" + when: ubtu24cis_firewall_package == "iptables" ansible.builtin.import_tasks: file: cis_4.4.1.x.yml 
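Review bot: Correcting the guard to `ubtu24cis_firewall_package == "iptables"` means cis_4.4.1.x.yml is now actually imported on iptables hosts, but this same commit deletes every 4.4.1.1–4.4.1.4 task (default DROP policy, loopback rules, established/outbound rules, open-port audit) and the diffstat shows nothing added in their place, so after this series an iptables host has ufw removed and no firewall policy applied at all. If those controls were renumbered into a cis_4.4.2.x.yml per the 24.04 benchmark, that file must also be imported here, e.g. a following `- name: "SECTION | 4.4.2.x | Configure iptables rules"` block with the same `when` and `ansible.builtin.import_tasks: file: cis_4.4.2.x.yml`; if it does not exist yet, the deletion leaves the iptables path strictly less secure than before.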
From 764b0eaa63a7db6c1432f27b4200e77414c68716 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Feb 2025 09:56:37 +0000 Subject: [PATCH 07/12] removed tag typo in 5.1.7 #20 Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 4f2a377..5550e18 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -187,7 +187,7 @@ - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - - sshdd + - sshd ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "{{ item.regexp }}" From fca0434bb342b86366216601ed924361f1c8024f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Feb 2025 16:46:42 +0000 Subject: [PATCH 08/12] Lint Signed-off-by: Mark Bolwell --- .gitignore | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitignore b/.gitignore index 5a4e7ab..609a095 100644 --- a/.gitignore +++ b/.gitignore @@ -44,6 +44,5 @@ benchparse/ # GitHub Action/Workflow files .github/ - # Precommit .ansible/ From 39efaecdd25a1fd9a0415c2338d916e9197037a4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 20 Feb 2025 17:09:21 +0000 Subject: [PATCH 09/12] Added updated for 5.1.1 to ignore ec2 based ssh config perms change Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.1.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 5550e18..7261726 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -26,6 +26,7 @@ register: discovered_sshd_confs - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" + when: (item.path != "'/etc/ssh/sshd_config.d/60-cloudimg-settings.conf'" and system_is_ec2 ) ansible.builtin.file: path: "{{ item.path }}" recurse: false From 345928b74fa3a4ea4da211a9fdc689b67d39de43 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Fri, 21 Feb 2025 09:45:33 +0000 Subject: [PATCH 10/12] updated 5.1.1 logic for ec2 image Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 7261726..7a55bda 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -26,7 +26,7 @@ register: discovered_sshd_confs - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" - when: (item.path != "'/etc/ssh/sshd_config.d/60-cloudimg-settings.conf'" and system_is_ec2 ) + when: (item.path != '/etc/ssh/sshd_config.d/60-cloudimg-settings.conf' and system_is_ec2 ) ansible.builtin.file: path: "{{ item.path }}" recurse: false From 0835a05b08b5075006d10bb3bf62f548d77bdddb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 21 Feb 2025 11:13:47 +0000 Subject: [PATCH 11/12] reset 5.1.1 settings Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.1.x.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 7a55bda..5550e18 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -26,7 +26,6 @@ register: discovered_sshd_confs - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" - when: (item.path != '/etc/ssh/sshd_config.d/60-cloudimg-settings.conf' and system_is_ec2 ) ansible.builtin.file: path: "{{ item.path }}" recurse: false From 39507838e668e9af0cc2ef314901af051fd9b467 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 21 Feb 2025 11:15:52 +0000 Subject: [PATCH 12/12] added workaround for ssh-server patching breaks /run/ssh Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.2.x.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/tasks/section_1/cis_1.2.2.x.yml b/tasks/section_1/cis_1.2.2.x.yml index cdf842c..92eb1c7 100644 
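Review bot: `when: (item.path != '/etc/ssh/sshd_config.d/60-cloudimg-settings.conf' and system_is_ec2 )` skips the 5.1.1 permission fix on every non-EC2 host, because `and system_is_ec2` is false there — the opposite of the intended exemption; it should read `when: not system_is_ec2 or item.path != '/etc/ssh/sshd_config.d/60-cloudimg-settings.conf'`. Patch 11 in this series removes the line again, so no EC2 exemption ships at all; if one is still wanted, the corrected form above is the one to reinstate, with a comment recording that the cloud-image fragment then keeps whatever mode the image set. The loop this task iterates (`discovered_sshd_confs`) starts outside the hunk.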
--- a/tasks/section_1/cis_1.2.2.x.yml +++ b/tasks/section_1/cis_1.2.2.x.yml @@ -9,6 +9,14 @@ - rule_1.2.2.1 - NIST800-53R5_SI-2 - patch - ansible.builtin.package: - name: "*" - state: latest + block: + - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installedi | Update" + ansible.builtin.package: + name: "*" + state: latest + register: discovered_pkg_updates + + # Resetting connection as ssh stops if patched reset connection kickstarts it + - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed | reset ansible connection if ssh updated" + when: "'openssh-server' in discovered_pkg_updates.stdout" + ansible.builtin.meta: reset_connection
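Review bot: `when: "'openssh-server' in discovered_pkg_updates.stdout"` will itself fail when the registered result has no `stdout` key (a check-mode run, or `ansible.builtin.package` delegating to a backend that does not return one), and plain substring matching also fires when openssh-server is merely listed as held back rather than upgraded; safer is `when: discovered_pkg_updates is changed and "'openssh-server' in (discovered_pkg_updates.stdout | default(''))"`. The upgrade task's name also carries a typo (`installedi`). The comment above the reset should additionally note that `name: "*" state: latest` performs a full upgrade of every installed package during the hardening run, which is why the connection can drop — operators on production hosts will presumably want the rule switch (`ubtu24cis_rule_1_2_2_1`, outside the hunk) documented as the way to opt out.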