diff --git a/README.md b/README.md index d78b0c5..ac56944 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,7 @@ ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/UBUNTU24-CIS?label=Open%20Issues) ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/UBUNTU24-CIS?label=Closed%20Issues&&color=success) ![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/UBUNTU24-CIS?label=Pull%20Requests) +[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](https://github.com/pre-commit/pre-commit) ![License](https://img.shields.io/github/license/ansible-lockdown/UBUNTU24-CIS?label=License) diff --git a/handlers/main.yml b/handlers/main.yml index ea1076a..494b802 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -21,6 +21,7 @@ listen: "Remount /tmp" - name: "Remounting /tmp systemd" + when: ubtu24cis_tmp_svc vars: mount_point: '/tmp' ansible.builtin.systemd: diff --git a/tasks/main.yml b/tasks/main.yml index 0ec9843..e2f1742 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -38,7 +38,9 @@ sudo_password_rule: ubtu24cis_rule_5_2_4 # pragma: allowlist secret - name: Ensure root password is set - when: ubtu24cis_rule_5_4_2_4 + when: + - ubtu24cis_section5 + - ubtu24cis_rule_5_4_2_4 tags: always block: - name: Ensure root password is set diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index eb6e907..0739370 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml 
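Review bot: The new `when: ubtu24cis_tmp_svc` on the `Remounting /tmp systemd` handler evaluates the variable bare, so a value supplied as the string `"false"` through extra-vars or inventory is still truthy and the systemd remount runs anyway; `when: ubtu24cis_tmp_svc | bool` makes the gate unambiguous. Only this handler is gated in the hunk; the fstab-based handler that shares `listen: "Remount /tmp"` is outside the hunk, so it is worth confirming it is gated the other way, since whichever of the two runs is presumably what makes the hardened /tmp mount options take effect before a reboot. The handler's `ansible.builtin.systemd` arguments continue past the end of the hunk.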
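Review bot: The block and its first inner task carry the identical name `Ensure root password is set`, which makes `--start-at-task` and log output ambiguous; a suffix on the inner task such as `- name: Ensure root password is set | Check` follows the `| AUDIT` / `| PATCH` naming used in the section files. Note also that with the added `ubtu24cis_section5` gate this `tags: always` pre-flight no longer stops a run for a root account without a password when section 5 is disabled, which is presumably intended but deserves a sentence in the documentation of `ubtu24cis_section5`. The block body continues past the end of the hunk.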
@@ -22,12 +22,12 @@ register: discovered_var_mount - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent" - when: discovered_dev_shm_mount is undefined + when: discovered_var_mount is undefined ansible.builtin.debug: msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present" - when: discovered_dev_shm_mount is undefined + when: discovered_var_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml diff --git a/tasks/section_1/cis_1.2.2.x.yml b/tasks/section_1/cis_1.2.2.x.yml index 92eb1c7..22664b5 100644 --- a/tasks/section_1/cis_1.2.2.x.yml +++ b/tasks/section_1/cis_1.2.2.x.yml @@ -10,7 +10,7 @@ - NIST800-53R5_SI-2 - patch block: - - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installedi | Update" + - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed | Update" ansible.builtin.package: name: "*" state: latest diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 0a3ef25..411eccf 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -672,7 +672,7 @@ - rule_2.1.21 - NIST800-53R5_CM-7 vars: - warn_control_id: '2.2.21' + warn_control_id: '2.1.21' block: - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if exim4 installed" when: "'exim4' in ansible_facts.packages" diff --git a/tasks/section_2/cis_2.3.3.x.yml b/tasks/section_2/cis_2.3.3.x.yml index 19177b9..4f4f516 100644 --- a/tasks/section_2/cis_2.3.3.x.yml +++ b/tasks/section_2/cis_2.3.3.x.yml @@ -15,9 +15,9 @@ ansible.builtin.template: src: "{{ item }}.j2" dest: "/{{ item }}" - mode: 'go-r' + mode: 'g=r,o-rwx' owner: root - group: root + group: "{% if ubtu24cis_rule_2_3_3_2 %}_chrony{% else %}root{% endif %}" loop: - etc/chrony/sources.d/pool.sources - etc/chrony/sources.d/server.sources 
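Review bot: Both the `| Absent` and `| Present` tasks now test `discovered_var_mount is undefined`, but a `register:` (visible at the top of the hunk) defines the variable even when the registering task is skipped or fails, so unless that task can be prevented from registering at all, neither warning can ever fire; the check should look at the registered content instead, e.g. `when: discovered_var_mount.rc | default(0) != 0` for a command probe or `discovered_var_mount.stdout | default('') | length == 0`, whichever matches what the probe returns, which sits above the hunk. The `| Present` name is also misleading now that the task runs on the same absent condition as its sibling; `| Warn Count` or similar would describe the `warning_facts.yml` import better. The enclosing task starts before the hunk.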
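Review bot: `mode: 'g=r,o-rwx'` says nothing about the owner bits, so the resulting mode on the chrony sources files depends on whatever mode each file had before or was created with; an absolute mode such as `mode: '0640'` yields the same group/other result deterministically and is what an audit of these files would look for. The inline `{% if %}` in `group:` sets `_chrony` whenever rule 2.3.3.2 is enabled, which fails at chown time if that group does not yet exist on the host (for example when chrony is installed later in the run); `group: "{{ ubtu24cis_rule_2_3_3_2 | ternary('_chrony', 'root') }}"` reads more clearly, and the ordering relative to the chrony install is worth confirming since it is outside the hunk. The enclosing task starts before the hunk.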
diff --git a/tasks/section_2/cis_2.4.1.x.yml b/tasks/section_2/cis_2.4.1.x.yml
index a81990b..d32bf66 100644
--- a/tasks/section_2/cis_2.4.1.x.yml
+++ b/tasks/section_2/cis_2.4.1.x.yml
@@ -154,5 +154,5 @@
 ansible.builtin.file:
 path: /etc/cron.allow
 owner: root
- group: root
+ group: '{{ (discovered_cron_allow_status.stat.gr_name == "crontab") | ternary(omit,"root") }}'
 mode: 'u-x,g-wx,o-rwx'
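Review bot: The new `group:` expression dereferences `discovered_cron_allow_status.stat.gr_name` unconditionally, and `stat` returns no `gr_name` key when the path does not exist, so on a host without `/etc/cron.allow` this task fails with an undefined-attribute error instead of creating the file owned by `root`; `group: '{{ (discovered_cron_allow_status.stat.gr_name | default("") == "crontab") | ternary(omit, "root") }}'` keeps the crontab-preserving behaviour while tolerating a missing file. Whether the file can be absent at this point depends on the `state:` of this `ansible.builtin.file` call and on the stat task, both of which sit above the hunk. The enclosing task starts before the hunk.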