Merge pull request #41 from ansible-lockdown/May_25_updates

May 25 updates
2025-05-13 13:35:37 +01:00 · 2025-05-13 13:35:37 +01:00 · ffba24432a
parent b631e9e2d6 f8e14db0c3
commit ffba24432a
8 changed files with 12 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -24,6 +24,7 @@
 ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/UBUNTU24-CIS?label=Open%20Issues)
 ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/UBUNTU24-CIS?label=Closed%20Issues&&color=success)
 ![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/UBUNTU24-CIS?label=Pull%20Requests)
+[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](https://github.com/pre-commit/pre-commit)

 ![License](https://img.shields.io/github/license/ansible-lockdown/UBUNTU24-CIS?label=License)

--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -21,6 +21,7 @@
  listen: "Remount /tmp"

 - name: "Remounting /tmp systemd"
+  when: ubtu24cis_tmp_svc
  vars:
    mount_point: '/tmp'
  ansible.builtin.systemd:
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -38,7 +38,9 @@
        sudo_password_rule: ubtu24cis_rule_5_2_4  # pragma: allowlist secret

 - name: Ensure root password is set
-  when: ubtu24cis_rule_5_4_2_4
+  when:
+    - ubtu24cis_section5
+    - ubtu24cis_rule_5_4_2_4
  tags: always
  block:
    - name: Ensure root password is set
--- a/tasks/section_1/cis_1.1.2.4.x.yml
+++ b/tasks/section_1/cis_1.1.2.4.x.yml
@ -22,12 +22,12 @@
      register: discovered_var_mount

    - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent"
-      when: discovered_dev_shm_mount is undefined
+      when: discovered_var_mount is undefined
      ansible.builtin.debug:
        msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"

    - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present"
-      when: discovered_dev_shm_mount is undefined
+      when: discovered_var_mount is undefined
      ansible.builtin.import_tasks:
        file: warning_facts.yml

--- a/tasks/section_1/cis_1.2.2.x.yml
+++ b/tasks/section_1/cis_1.2.2.x.yml
@ -10,7 +10,7 @@
    - NIST800-53R5_SI-2
    - patch
  block:
-    - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installedi | Update"
+    - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed | Update"
      ansible.builtin.package:
        name: "*"
        state: latest
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
@ -672,7 +672,7 @@
    - rule_2.1.21
    - NIST800-53R5_CM-7
  vars:
-    warn_control_id: '2.2.21'
+    warn_control_id: '2.1.21'
  block:
    - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if exim4 installed"
      when: "'exim4' in ansible_facts.packages"
--- a/tasks/section_2/cis_2.3.3.x.yml
+++ b/tasks/section_2/cis_2.3.3.x.yml
@ -15,9 +15,9 @@
      ansible.builtin.template:
        src: "{{ item }}.j2"
        dest: "/{{ item }}"
-        mode: 'go-r'
+        mode: 'g=r,o-rwx'
        owner: root
-        group: root
+        group: "{% if ubtu24cis_rule_2_3_3_2 %}_chrony{% else %}root{% endif %}"
      loop:
        - etc/chrony/sources.d/pool.sources
        - etc/chrony/sources.d/server.sources
--- a/tasks/section_2/cis_2.4.1.x.yml
+++ b/tasks/section_2/cis_2.4.1.x.yml
@ -154,5 +154,5 @@
      ansible.builtin.file:
        path: /etc/cron.allow
        owner: root
-        group: root
+        group: '{{ (discovered_cron_allow_status.stat.gr_name == "crontab") | ternary(omit,"root") }}'
        mode: 'u-x,g-wx,o-rwx'