From d5bad97cad61a484a27eda1775a5010ae303b578 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 12 May 2025 14:03:06 +0100
Subject: [PATCH 1/8] Added fix for #37 thanks to @pdag

Signed-off-by: Mark Bolwell
---
 tasks/section_1/cis_1.1.2.4.x.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml
index eb6e907..0739370 100644
--- a/tasks/section_1/cis_1.1.2.4.x.yml
+++ b/tasks/section_1/cis_1.1.2.4.x.yml
@@ -22,12 +22,12 @@
 register: discovered_var_mount
 - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent"
- when: discovered_dev_shm_mount is undefined
+ when: discovered_var_mount is undefined
 ansible.builtin.debug:
 msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
 - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present"
- when: discovered_dev_shm_mount is undefined
+ when: discovered_var_mount is undefined
 ansible.builtin.import_tasks:
 file: warning_facts.yml

From 034769266112044d9441b5159c1f726f90a7a17e Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 12 May 2025 14:23:56 +0100
Subject: [PATCH 2/8] added fix for #33 thanks to @WhiteRoseLK

Signed-off-by: Mark Bolwell
---
 tasks/section_2/cis_2.4.1.x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/section_2/cis_2.4.1.x.yml b/tasks/section_2/cis_2.4.1.x.yml
index a81990b..d32bf66 100644
--- a/tasks/section_2/cis_2.4.1.x.yml
+++ b/tasks/section_2/cis_2.4.1.x.yml
@@ -154,5 +154,5 @@
 ansible.builtin.file:
 path: /etc/cron.allow
 owner: root
- group: root
+ group: '{{ (discovered_cron_allow_status.stat.gr_name == "crontab") | ternary(omit,"root") }}'
 mode: 'u-x,g-wx,o-rwx'

From af372a7c7367c9dbeb25cdbf47b56f6e96ce42a7 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 12 May 2025 14:25:59 +0100
Subject: [PATCH 3/8] added fix for #21 thanks to @PhilEV
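Review bot: Both tasks now test the identical condition, `when: discovered_var_mount is undefined`, while their names end in "| Absent" and "| Present", so a reader expects the second task to fire in the opposite case. If both are intended to run only when /var is not a separate partition (one prints the warning, the other records it through warning_facts.yml), consider renaming the second task to `"1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Warn"` or adding a comment above it such as `# both tasks fire when /var is absent: debug prints the warning, warning_facts.yml records it`. The `register: discovered_var_mount` at the top of the hunk confirms the corrected variable name is the one actually set; the task that registers it starts outside the hunk.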
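Review bot: The new group expression dereferences `discovered_cron_allow_status.stat.gr_name` unconditionally, so on a host where /etc/cron.allow does not exist yet the stat result carries no gr_name and the template raises an undefined-attribute error before the file is created; the `state:` of this file task and the stat task it depends on are outside the hunk, so I cannot tell whether creation is guaranteed earlier. A default keeps the task safe on a fresh host: `group: '{{ (discovered_cron_allow_status.stat.gr_name | default("") == "crontab") | ternary(omit, "root") }}'`. A short comment above the key, for example `# keep the distro's crontab group if already set, otherwise enforce root`, would record why the group is sometimes omitted, presumably because the benchmark accepts either group for this file.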
Signed-off-by: Mark Bolwell
---
 tasks/main.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tasks/main.yml b/tasks/main.yml
index 0ec9843..e2f1742 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -38,7 +38,9 @@
 sudo_password_rule: ubtu24cis_rule_5_2_4 # pragma: allowlist secret
 - name: Ensure root password is set
- when: ubtu24cis_rule_5_4_2_4
+ when:
+ - ubtu24cis_section5
+ - ubtu24cis_rule_5_4_2_4
 tags: always
 block:
 - name: Ensure root password is set

From 388331fe98a18bc7e6c5d727a6d662c856d75e7a Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 12 May 2025 14:29:12 +0100
Subject: [PATCH 4/8] Added fix for #22 thanks to @WhiteRoseLK

Signed-off-by: Mark Bolwell
---
 handlers/main.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/handlers/main.yml b/handlers/main.yml
index ea1076a..494b802 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -21,6 +21,7 @@
 listen: "Remount /tmp"
 - name: "Remounting /tmp systemd"
+ when: ubtu24cis_tmp_svc
 vars:
 mount_point: '/tmp'
 ansible.builtin.systemd:

From a8f039cba054d3498774d1a90b89c4cf63be1a43 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 12 May 2025 14:30:38 +0100
Subject: [PATCH 5/8] added fix for PR #39 thansk to @Tjird

Signed-off-by: Mark Bolwell
---
 tasks/section_2/cis_2.1.x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml
index 0a3ef25..411eccf 100644
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
@@ -672,7 +672,7 @@
 - rule_2.1.21
 - NIST800-53R5_CM-7
 vars:
- warn_control_id: '2.2.21'
+ warn_control_id: '2.1.21'
 block:
 - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if exim4 installed"
 when: "'exim4' in ansible_facts.packages"

From fac8eb7e020bafd10bf25de89cfe5a93f79369a7 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 12 May 2025 17:08:16 +0100
Subject: [PATCH 6/8] fix typo thanks to @UZziell #40
Signed-off-by: Mark Bolwell
---
 tasks/section_1/cis_1.2.2.x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/section_1/cis_1.2.2.x.yml b/tasks/section_1/cis_1.2.2.x.yml
index 92eb1c7..22664b5 100644
--- a/tasks/section_1/cis_1.2.2.x.yml
+++ b/tasks/section_1/cis_1.2.2.x.yml
@@ -10,7 +10,7 @@
 - NIST800-53R5_SI-2
 - patch
 block:
- - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installedi | Update"
+ - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed | Update"
 ansible.builtin.package:
 name: "*"
 state: latest

From 1ec17228ff358c8e4c1de45d1044ee98711397f5 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 12 May 2025 17:08:31 +0100
Subject: [PATCH 7/8] Updated logic thanks to @UZziell #40

Signed-off-by: Mark Bolwell
---
 tasks/section_2/cis_2.3.3.x.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tasks/section_2/cis_2.3.3.x.yml b/tasks/section_2/cis_2.3.3.x.yml
index 19177b9..4f4f516 100644
--- a/tasks/section_2/cis_2.3.3.x.yml
+++ b/tasks/section_2/cis_2.3.3.x.yml
@@ -15,9 +15,9 @@
 ansible.builtin.template:
 src: "{{ item }}.j2"
 dest: "/{{ item }}"
- mode: 'go-r'
+ mode: 'g=r,o-rwx'
 owner: root
- group: root
+ group: "{% if ubtu24cis_rule_2_3_3_2 %}_chrony{% else %}root{% endif %}"
 loop:
 - etc/chrony/sources.d/pool.sources
 - etc/chrony/sources.d/server.sources

From f8e14db0c304de6af6a787aadd967ce96cf87e29 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 12 May 2025 17:08:41 +0100
Subject: [PATCH 8/8] Added precommit badge

Signed-off-by: Mark Bolwell
---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index d78b0c5..ac56944 100644
--- a/README.md
+++ b/README.md
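Review bot: `mode: 'g=r,o-rwx'` pins only the group and other bits, so the owner permissions of the rendered chrony sources files are left to whatever the template module creates (typically umask-derived), which makes the final mode host-dependent and harder to audit; `mode: 'u=rw,g=r,o-rwx'` (or an octal string such as `'0640'`) states the full intent and keeps the task idempotent regardless of prior state. The Jinja control block in `group:` works but is inconsistent with the ternary style used in the cron.allow change earlier in this series; `group: "{{ ubtu24cis_rule_2_3_3_2 | ternary('_chrony', 'root') }}"` reads the same and avoids embedding `{% %}` tags in a scalar. The `_chrony` group must already exist when this task runs, presumably created by the chrony package install earlier in the role, which is worth recording with a comment such as `# _chrony group is present once chrony is installed; rule 2.3.3.2 runs chronyd as that user`.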
@@ -24,6 +24,7 @@
 ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/UBUNTU24-CIS?label=Open%20Issues)
 ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/UBUNTU24-CIS?label=Closed%20Issues&&color=success)
 ![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/UBUNTU24-CIS?label=Pull%20Requests)
+[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](https://github.com/pre-commit/pre-commit)
 ![License](https://img.shields.io/github/license/ansible-lockdown/UBUNTU24-CIS?label=License)