colin
/
UBUNTU24-CIS
mirror of https://github.com/ansible-lockdown/UBUNTU24-CIS.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
126 Commits 3 Branches 3 Tags 542 KiB
Commit Graph

126 Commits

Author SHA1 Message Date
pre-commit-ci[bot] 29febe9be2
[pre-commit.ci] pre-commit autoupdate 
updates:
- [github.com/gitleaks/gitleaks: v8.23.3 → v8.24.0](https://github.com/gitleaks/gitleaks/compare/v8.23.3...v8.24.0)
- [github.com/ansible-community/ansible-lint: v25.1.2 → v25.1.3](https://github.com/ansible-community/ansible-lint/compare/v25.1.2...v25.1.3)
 2025-02-24 17:24:30 +00:00
uk-bolly f7b759396e
Merge pull request #18 from ansible-lockdown/Feb25_updates 
Feb25 updates
 2025-02-21 15:32:43 +00:00
Mark Bolwell 39507838e6
added workaround for ssh-server patching breaks /run/ssh 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-02-21 11:15:52 +00:00
Mark Bolwell 0835a05b08
reset 5.1.1 settings 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-02-21 11:13:47 +00:00
Mark Bolwell 345928b74f
updated 5.1.1 logic for ec2 image 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-02-21 09:45:33 +00:00
Mark Bolwell 39efaecdd2
Added updated for 5.1.1 to ignore ec2 based ssh config perms change 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-02-20 17:09:21 +00:00
Mark Bolwell fca0434bb3
Lint 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-02-20 16:46:42 +00:00
Mark Bolwell 764b0eaa63
removed tag typo in 5.1.7 #20 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-02-20 09:56:37 +00:00
Mark Bolwell 5553ddb0a8
updated rules for 4.4.x.x thanks to issue #19 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-02-20 09:52:24 +00:00
Mark Bolwell a290776eee
issue #10 thanks to cf-sewe 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-02-14 12:06:57 +00:00
Mark Bolwell 889377b507
updated for precommit 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-02-14 12:00:29 +00:00
Mark Bolwell dae6f8ab9f
issue #12 addressed moduel update thanks to @VitaliySynytskyi 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-02-14 11:59:54 +00:00
Mark Bolwell fdcee67e0a
addressed #15 thanks tou @WhiteRoseLK 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-02-14 11:58:46 +00:00
Mark Bolwell 2bb9240aae
addressed #9 thanks to @kerjox 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-02-14 11:28:10 +00:00
uk-bolly 9aa55e5616
Merge pull request #14 from ShawnHardwick/shawn.hardwick/idempotency 
Multiple fixes around idempotency and check_mode
 2025-02-11 12:09:11 +01:00
uk-bolly 3c39ff1ed0
Merge pull request #17 from ansible-lockdown/pre-commit-ci-update-config 
[pre-commit.ci] pre-commit autoupdate
 2025-02-11 12:05:08 +01:00
pre-commit-ci[bot] a929843683
[pre-commit.ci] pre-commit autoupdate 
updates:
- [github.com/ansible-community/ansible-lint: v25.1.1 → v25.1.2](https://github.com/ansible-community/ansible-lint/compare/v25.1.1...v25.1.2)
 2025-02-10 17:53:59 +00:00
Shawn Hardwick 9a2a7ad96f
If prelim_auditd_logfile does not evaluate, check mode will fail on rule 6.2.4.3 with 'file () is absent, cannot continue' error 
Signed-off-by: Shawn Hardwick <time4swim@gmail.com>
 2025-02-05 12:54:03 -05:00
Shawn Hardwick a9df5eb912
Set a default variable value for control_1_3_1_4_was_run; if only level1-server tasks are executed, this variable is never set and tasks fail 
Signed-off-by: Shawn Hardwick <time4swim@gmail.com>
 2025-02-05 12:54:03 -05:00
Shawn Hardwick 4af134cd74
Update rule 5.4.1.5 to use shell task which supports pipes instead of command task; previously this would silently fail 
Signed-off-by: Shawn Hardwick <time4swim@gmail.com>
 2025-02-05 12:54:03 -05:00
Shawn Hardwick 1cf3c4d58b
Update regexp for rule 2.1.21 to be more strict when updating line in file; allows task to be idempotent with itself 
Signed-off-by: Shawn Hardwick <time4swim@gmail.com>
 2025-02-05 12:54:03 -05:00
Shawn Hardwick 8a38650658
Add ignore_apt_update_changed_when default variable to allow users to specify changed_when behavior of apt update task; allows for idempotency checks (like Molecule) 
Signed-off-by: Shawn Hardwick <time4swim@gmail.com>
 2025-02-05 12:53:49 -05:00
uk-bolly a41047672d
Merge pull request #13 from ansible-lockdown/pre-commit-ci-update-config 
[pre-commit.ci] pre-commit autoupdate
 2025-02-04 06:43:26 +00:00
pre-commit-ci[bot] a167970bcf
[pre-commit.ci] pre-commit autoupdate 
updates:
- [github.com/gitleaks/gitleaks: v8.23.2 → v8.23.3](https://github.com/gitleaks/gitleaks/compare/v8.23.2...v8.23.3)
- [github.com/ansible-community/ansible-lint: v25.1.0 → v25.1.1](https://github.com/ansible-community/ansible-lint/compare/v25.1.0...v25.1.1)
 2025-02-03 18:04:53 +00:00
uk-bolly 7ed58ca8a6
Merge pull request #8 from ansible-lockdown/auditd_arm64 
Added auditd arm compatibility
 2025-02-02 11:35:40 +00:00
Mark Bolwell 043fb4451b
Added auditd arm compatibility thanks to @arousseau-coveo for the excellent work 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-01-28 10:53:33 +00:00
uk-bolly b3ed09583c
Merge pull request #7 from ansible-lockdown/pre-commit-ci-update-config 
[pre-commit.ci] pre-commit autoupdate
 2025-01-28 10:33:55 +00:00
pre-commit-ci[bot] 05e9d75328
[pre-commit.ci] pre-commit autoupdate 
updates:
- [github.com/gitleaks/gitleaks: v8.23.1 → v8.23.2](https://github.com/gitleaks/gitleaks/compare/v8.23.1...v8.23.2)
 2025-01-27 17:53:22 +00:00
uk-bolly 30719a77b5
Merge pull request #6 from ansible-lockdown/apt_update 
moved apt update order to assist with audit
 2025-01-21 16:22:21 +00:00
uk-bolly c8e368e541
Merge pull request #5 from ansible-lockdown/pre-commit-ci-update-config 
[pre-commit.ci] pre-commit autoupdate
 2025-01-21 16:21:55 +00:00
Mark Bolwell bba53315f2
moved apt update order to assist with audit 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-01-21 08:07:27 +00:00
pre-commit-ci[bot] 46e23a7c4b
[pre-commit.ci] pre-commit autoupdate 
updates:
- [github.com/gitleaks/gitleaks: v8.23.0 → v8.23.1](https://github.com/gitleaks/gitleaks/compare/v8.23.0...v8.23.1)
- [github.com/ansible-community/ansible-lint: v24.12.2 → v25.1.0](https://github.com/ansible-community/ansible-lint/compare/v24.12.2...v25.1.0)
 2025-01-20 17:45:16 +00:00
uk-bolly 7a1b8b5250
Merge pull request #4 from ansible-lockdown/pre-commit-ci-update-config 
[pre-commit.ci] pre-commit autoupdate
 2025-01-14 08:14:20 +00:00
uk-bolly 1b98e1ed7b
Merge pull request #3 from ansible-lockdown/jan25_updates 
Jan25 updates
 2025-01-13 20:04:27 +00:00
pre-commit-ci[bot] a857b1e552
[pre-commit.ci] pre-commit autoupdate 
updates:
- [github.com/gitleaks/gitleaks: v8.21.2 → v8.23.0](https://github.com/gitleaks/gitleaks/compare/v8.21.2...v8.23.0)
- [github.com/ansible-community/ansible-lint: v24.10.0 → v24.12.2](https://github.com/ansible-community/ansible-lint/compare/v24.10.0...v24.12.2)
 2025-01-13 17:50:19 +00:00
Mark Bolwell 5de8d4c558
Added optional logrotate install and variable, improved 6.1.3.8 logic 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-01-10 15:33:10 +00:00
Mark Bolwell 7095fdc49f
added rsyslog override logging option 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-01-10 14:29:47 +00:00
Mark Bolwell d190c51fa4
Updated since ubuntu removes unncessary time pkgs 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-01-10 14:00:34 +00:00
Mark Bolwell e69c18fa1c
improved audit handler and related rules 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-01-10 13:16:56 +00:00
Mark Bolwell 6e78559776
tidy up grub/bootloader logic 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-01-10 12:40:06 +00:00
Mark Bolwell 18152bc17d
fix conditional for snap/squashfs 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-01-10 12:39:13 +00:00
Mark Bolwell 113b32018f
profile script 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-01-10 12:38:24 +00:00
Mark Bolwell cc307541a9
5.4.3.3 updated to add profile script 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-01-10 12:37:54 +00:00
Mark Bolwell 9709aa503b
5.4.3.2 updated permissions 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-01-10 09:27:23 +00:00
Mark Bolwell b7bdc7f67c
Updated bootloader hash var and time tool inherit 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-01-10 09:26:52 +00:00
Mark Bolwell 3c62843418
fixed file permissions 2.3.2.1 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-01-10 09:05:37 +00:00
Mark Bolwell c129cf0552
removed mask section u24 now removes time package not used automatically 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-01-10 09:03:01 +00:00
Mark Bolwell 3e92d4b54b
fixed permissions 5.4.3.2 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-01-10 08:40:32 +00:00
uk-bolly cffe5e4056
Merge pull request #1 from ansible-lockdown/quote_fix 
Minor update
 2025-01-07 19:02:40 +00:00
Mark Bolwell 01df043bdd
moved welcome to github self-hosted 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
 2025-01-07 18:32:29 +00:00