Merge pull request #36 from ansible-lockdown/pre-commit-ci-update-config

[pre-commit.ci] pre-commit autoupdate

.github/workflows/devel_pipeline_validation.yml

@@ -7,6 +7,7 @@
         types: [opened, reopened, synchronize]
         branches:
             - devel
+            - benchmark*
         paths:
             - '**.yml'
             - '**.sh'
@@ -70,7 +71,6 @@
                  echo IAC_BRANCH=main >> $GITHUB_ENV
               fi
 
-
           # Pull in terraform code for linux servers
           - name: Clone GitHub IaC plan
             uses: actions/checkout@v4

.github/workflows/main_pipeline_validation.yml

@@ -7,6 +7,7 @@
         types: [opened, reopened, synchronize]
         branches:
             - main
+            - latest
         paths:
             - '**.yml'
             - '**.sh'
@@ -23,17 +24,6 @@
   # A workflow run is made up of one or more jobs
   # that can run sequentially or in parallel
   jobs:
-    # This will create messages for first time contributers and direct them to the Discord server
-      welcome:
-        runs-on: self-hosted
-
-        steps:
-            - uses: actions/first-interaction@main
-              with:
-                repo-token: ${{ secrets.GITHUB_TOKEN }}
-                pr-message: |-
-                    Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                    Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
       # This workflow contains a single job that tests the playbook
       playbook-test:

.gitignore

@@ -43,3 +43,6 @@ benchparse/
 
 # GitHub Action/Workflow files
 .github/
+
+# ansible-lint cache
+.ansible/

.pre-commit-config.yaml

@@ -41,12 +41,12 @@ repos:
   - id: detect-secrets
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.21.2
+  rev: v8.24.3
   hooks:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.10.0
+  rev: v25.2.1
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -65,7 +65,7 @@ repos:
     # - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.35.1  # or higher tag
+  rev: v1.37.0  # or higher tag
   hooks:
   - id: yamllint
     name: Check YAML Lint

defaults/main.yml

@@ -21,6 +21,10 @@ skip_reboot: true
 benchmark: UBUNTU24-CIS
 benchmark_version: v1.0.0
 
+# Create managed not custom local_facts files
+create_benchmark_facts: true
+ansible_facts_path: /etc/ansible/facts.d
+
 # Used for audit
 ubtu24cis_level_1: true
 ubtu24cis_level_2: true
@@ -102,6 +106,18 @@ audit_conf_dest: "/opt"
 # Where the audit logs are stored
 audit_log_dir: '/opt'
 
+# Method of getting,uploading the summary files
+## Enable the collection of audit files
+fetch_audit_output: false
+## Ensure access and permissions are available for these to occur.
+## options are
+# fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller)
+# copy - copies file to a location available to the managed node
+audit_output_collection_method: fetch
+
+# Location to put the audit files
+audit_output_destination: /opt/audit_summaries/
+
 ### Goss Settings ##
 ####### END ########
 
@@ -626,6 +642,10 @@ ubtu24cis_desktop_required: false
 # This will also purge any packages not removed via this playbook
 ubtu24cis_purge_apt: false
 
+## Ignore change_when for apt update task
+# Modifies behavior of 'changed_when' for 'apt update' task  in prelim that always changes
+ubtu24cis_ignore_apt_update_changed_when: false
+
 ##
 ## Section 1 Control Variables
 ##
@@ -647,6 +667,7 @@ ubtu24cis_tmp_svc: false
 # The following variables are related to the set of rules from section 1.6.1.x
 
 ## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode
+control_1_3_1_4_was_run: false
 
 # This variable disables the implementation of rules 1.3.1.3 and 1.3.1.4
 # regarding enforcing profiles or putting them in complain mode
@@ -665,7 +686,6 @@ ubtu24cis_apparmor_mode: complain
 # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
 ubtu24cis_grub_user: root
 ubtu24cis_set_grub_user_pass: false
-ubtu24cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6'  # Set to changeme
 ubtu24cis_grub_user_file: /etc/grub.d/00_user
 ubtu24cis_bootloader_password_hash: "grub.pbkdf2.sha512.changethispassword"  # pragma: allowlist secret
 ubtu24cis_set_boot_pass: false
@@ -1069,6 +1089,9 @@ ubtu24cis_shell_session_file: /etc/profile.d/tmout.sh
 # journald or rsyslog
 ubtu24cis_syslog_service: 'journald'
 
+# Enable rsyslog logging to be managed by ansible
+ubtu24cis_rsyslog_ansible_managed: true
+
 ## Controls 6.1.1.x journald
 
 # This variable specifies the address of the remote log host where logs are being sent.
@@ -1107,7 +1130,12 @@ ubtu24cis_journald_runtimekeepfree: "#RuntimeKeepFree="
 # ATTENTION: Uncomment the keyword below when values are set!
 ubtu24cis_journald_maxfilesec: "#MaxFileSec="
 
-# 6.1.3.8
+# 6.1.3.8 LOGRotate
+# Optional to alow logrotate to be installed
+# While it is required for 6.1.3.8 its not installed by default on minimal image
+# or required for CIS to be installed, but in order to achieve ability to install has been added
+ubtu24cis_logrotate_pkg_install: false
+
 # ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation
 # To conform to CIS standards this just needs to comply with your site policy
 ubtu24cis_logrotate: "daily"

handlers/main.yml

@@ -237,11 +237,11 @@
   changed_when: true
 
 - name: Auditd rules reload
-  when:
+  when: ('"No change" not in discovered_augenrules_check.stdout') or prelim_auditd_immutable_check.rc == 1
-    - not prelim_auditd_immutable_check or
-      '"No change" not in ubtu24cis_rule_6_2_3_21_grep -iR augen_check.stdout'
   ansible.builtin.command: augenrules --load
   changed_when: true
+  failed_when: discovered_augenrule_load.rc not in [ 0, 1 ]
+  register: discovered_augenrule_load
 
 - name: Audit_immutable_fact
   when:
@@ -257,7 +257,7 @@
   listen: Restart auditd
 
 - name: Start auditd process
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
     name: auditd
     state: started
   listen: Restart auditd

tasks/LE_audit_setup.yml

@@ -8,7 +8,7 @@
         audit_pkg_arch_name: AMD64
 
     - name: Pre Audit Setup | Set audit package name | ARM64
-      when: ansible_facts.machine == "arm64"
+      when: (ansible_facts.machine == "arm64" or ansible_facts.machine == "aarch64")
       ansible.builtin.set_fact:
         audit_pkg_arch_name: ARM64
 

tasks/audit_only.yml

@@ -10,14 +10,6 @@
   delegate_to: localhost
   become: false
 
-- name: Audit_only | Get audits from systems and put in group dir
-  when: fetch_audit_files
-  ansible.builtin.fetch:
-    dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
-    flat: true
-    mode: 'go-wx'
-    src: "{{ pre_audit_outfile }}"
-
 - name: Audit_only | Show Audit Summary
   when: audit_only
   ansible.builtin.debug:

tasks/auditd.yml

@@ -1,7 +1,18 @@
 ---
 
+# Since auditd rules are dependent on syscalls and syscall tables are architecture specific,
+# we need to update the auditd rules depending on the architecture of the system.
+# This task passed the syscalls table to the auditd template and updates the auditd rules
+- name: "POST | AUDITD | Set supported_syscalls variable"
+  ansible.builtin.shell: ausyscall --dump |  awk  '{print $2}'
+  changed_when: false
+  failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ]
+  register: discovered_auditd_syscalls
+
 - name: "POST | AUDITD | Apply auditd template for section 6.2.4.x"
   when: update_audit_template
+  vars:
+    supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}"
   ansible.builtin.template:
     src: audit/99_auditd.rules.j2
     dest: /etc/audit/rules.d/99_auditd.rules

tasks/fetch_audit_output.yml

@@ -0,0 +1,46 @@
+---
+
+# Stage to copy audit output to a centralised location
+
+- name: "POST | FETCH | Fetch files and copy to controller"
+  when: audit_output_collection_method == "fetch"
+  ansible.builtin.fetch:
+    src: "{{ item }}"
+    dest: "{{ audit_output_destination }}"
+    flat: true
+  failed_when: false
+  register: discovered_audit_fetch_state
+  loop:
+    - "{{ pre_audit_outfile }}"
+    - "{{ post_audit_outfile }}"
+  become: false
+
+# Added this option for continuity but could be changed by adjusting the variable audit_conf_dest
+# Allowing backup to one location
+- name: "POST | FETCH | Copy files to location available to managed node"
+  when: audit_output_collection_method == "copy"
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "{{ audit_output_destination }}"
+    mode: 'u-x,go-wx'
+    flat: true
+  failed_when: false
+  register: discovered_audit_copy_state
+  loop:
+    - "{{ pre_audit_outfile }}"
+    - "{{ post_audit_outfile }}"
+
+- name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+  when:
+    - (audit_output_collection_method == "fetch" and not discovered_audit_fetch_state.changed) or
+      (audit_output_collection_method == "copy" and not discovered_audit_copy_state.changed)
+  block:
+    - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+      ansible.builtin.debug:
+        msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy"
+
+    - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
+      vars:
+        warn_control_id: "FETCH_AUDIT_FILES"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml

tasks/main.yml

@@ -62,35 +62,11 @@
     that: ubtu24cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu24cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
     msg: "This role will not be able to run single user password commands as ubtu24cis_bootloader_password_hash variable has not been set correctly"
 
-- name: Check ubtu24cis_grub_user password variable has been changed
-  when: ubtu24cis_rule_1_4_1
-  tags: always
-  block:
-    - name: Check ubtu24cis_grub_user password variable has been changed | check password is set
-      ansible.builtin.shell: "grep ^{{ ubtu24cis_grub_user }} /etc/shadow | awk -F : '{print $2}'"
-      changed_when: false
-      register: ubtu24cis_password_set_grub_user
-
-    - name: Check ubtu24cis_grub_user password variable has been changed | check password is set
-      when:
-        - "'$y$' in ubtu24cis_password_set_grub_user.stdout"
-        - ubtu24cis_set_grub_user_pass
-        - ubtu24cis_rule_1_4_1
-      ansible.builtin.assert:
-        that: ubtu24cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu24cis_grub_user_passwd.find('$y$') != -1 and ubtu24cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6'
-        msg: "This role will not set the {{ ubtu24cis_grub_user }} user password is not set or ubtu24cis_grub_user_passwd variable has not been set correctly"
-
-    - name: Check ubtu24cis_grub_user password variable has been changed | if password blank or incorrect type and not being set
-      when: not ubtu24cis_set_grub_user_pass
-      ansible.builtin.assert:
-        that: ( ubtu24cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu24cis_password_set_grub_user.stdout
-        fail_msg: "Grub User {{ ubtu24cis_grub_user }} has no password set or incorrect encryption"
-        success_msg: "Grub User {{ ubtu24cis_grub_user }} has a valid password set to be used in single user mode"
-
 - name: Setup rules if container
   when:
     - ansible_connection == 'docker' or
-      ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
+      (ansible_facts.virtualization_type is defined and
+       ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"])
   tags: always
   block:
     - name: Discover and set container variable if required
@@ -194,6 +170,39 @@
   ansible.builtin.import_tasks:
     file: post_remediation_audit.yml
 
+- name: Add ansible file showing Benchmark and levels applied if audit details not present
+  when:
+    - create_benchmark_facts
+    - (post_audit_summary is defined) or
+      (ansible_local['compliance_facts']['lockdown_audit_details']['audit_summary'] is undefined and post_audit_summary is undefined)
+  tags:
+    - always
+    - benchmark
+  block:
+    - name: Create ansible facts directory if audit facts not present
+      ansible.builtin.file:
+        path: "{{ ansible_facts_path }}"
+        state: directory
+        owner: root
+        group: root
+        mode: 'u=rwx,go=rx'
+
+    - name: Create ansible facts file and levels applied if audit facts not present
+      ansible.builtin.template:
+        src: etc/ansible/compliance_facts.j2
+        dest: "{{ ansible_facts_path }}/compliance_facts.fact"
+        owner: root
+        group: root
+        mode: 'u-x,go=r'
+
+- name: Fetch audit files
+  when:
+    - fetch_audit_output
+    - run_audit
+  tags: always
+  ansible.builtin.import_tasks:
+    file: fetch_audit_output.yml
+
 - name: Show Audit Summary
   when: run_audit
   tags: run_audit

tasks/prelim.yml

@@ -7,7 +7,7 @@
   changed_when: false
 
 - name: "PRELIM | AUDIT | Register if snap being used"
-  when: ubtu24cis_rule_1_1_1_6
+  when: ubtu24cis_rule_1_1_1_7
   tags: always
   ansible.builtin.shell: df -h | grep -wc "/snap"
   changed_when: false
@@ -15,7 +15,7 @@
   register: prelim_snap_pkg_mgr
 
 - name: "PRELIM | AUDIT | Register if squashfs is built into the kernel"
-  when: ubtu24cis_rule_1_1_1_6
+  when: ubtu24cis_rule_1_1_1_7
   tags: always
   ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs"
   changed_when: false
@@ -51,6 +51,12 @@
       ansible.builtin.debug:
         msg: "{{ prelim_mount_point_fs_and_options }}"
 
+- name: "PRELIM | PATCH | Run apt update"
+  tags: always
+  ansible.builtin.package:
+    update_cache: true
+  changed_when: not ubtu24cis_ignore_apt_update_changed_when
+
 - name: Include audit specific variables
   when:
     - run_audit or audit_only
@@ -70,14 +76,6 @@
   ansible.builtin.import_tasks:
     file: pre_remediation_audit.yml
 
-- name: "PRELIM | PATCH | Run apt update"
-  when:
-    - ubtu24cis_rule_1_2_1_1 or
-      ubtu24cis_rule_1_2_2_1
-  tags: always
-  ansible.builtin.package:
-    update_cache: true
-
 - name: "PRELIM | AUDIT | Wireless adapter pre-requisites"
   when:
     - ubtu24cis_rule_3_1_2
@@ -152,6 +150,41 @@
         max_int_uid: "{{ prelim_uid_max_id.stdout }}"
         min_int_gid: "{{ prelim_gid_min_id.stdout }}"
 
+- name: "PRELIM | AUDIT | Capture pam configs related files"
+  tags: always
+  ansible.builtin.find:
+    paths:
+      - '/usr/share/pam-configs/'
+      - '/etc/pam.d/'
+  register: prelim_pam_conf_files
+
+- name: PRELIM | PATCH | Ensure conf.d directory exists required for 5.3.3.2.x
+  when:
+    - ubtu24cis_rule_5_3_3_2_1 or
+      ubtu24cis_rule_5_3_3_2_6
+  tags: always
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: "{{ item.state }}"
+    owner: root
+    group: root
+    mode: 'g-w,o-rwx'
+    modification_time: preserve
+    access_time: preserve
+  register: prelim_pwquality_dummy
+  changed_when: prelim_pwquality_dummy.diff == "absent"
+  loop:
+    - { path: '/etc/security/pwquality.conf.d', state: 'directory' }
+    - { path: '/etc/security/pwquality.conf.d/cis_dummy.conf', state: 'touch' }
+
+- name: "PRELIM | AUDIT | Capture pam security related files"
+  tags: always
+  ansible.builtin.find:
+    paths:
+      - /etc/security/pwquality.conf.d/
+    patterns: '*.conf'
+  register: prelim_pam_pwquality_confs
+
 - name: "PRELIM | AUDIT | Interactive Users"
   tags: always
   ansible.builtin.shell: >
@@ -218,7 +251,7 @@
 - name: "PRELIM | AUDIT | Check if auditd is immutable before changes"
   when: "'auditd' in ansible_facts.packages"
   tags: always
-  ansible.builtin.shell: auditctl -l | grep -c '-e 2'
+  ansible.builtin.shell: auditctl -s | grep "enabled 2"
   changed_when: false
   failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ]
   register: prelim_auditd_immutable_check
@@ -232,6 +265,7 @@
   tags: always
   ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'"
   changed_when: false
+  check_mode: false
   failed_when: prelim_auditd_logfile.rc not in [ 0, 1 ]
   register: prelim_auditd_logfile
 
@@ -244,6 +278,22 @@
     name: acl
     state: present
 
+- name: "PRELIM | PATCH | Install cron"
+  when: ubtu24cis_rule_2_4_1_1
+  tags: always
+  ansible.builtin.package:
+    name: cron
+    state: present
+
+- name: "PRELIM | PATCH | Install UFW"
+  when:
+    - ubtu24cis_rule_2_4_1_1
+    - ubtu24cis_firewall_package == "ufw"
+  tags: always
+  ansible.builtin.package:
+    name: ufw
+    state: present
+
 ## Optional
 
 - name: "Optional | PATCH | UFW firewall force to use /etc/sysctl.conf settings"
@@ -256,3 +306,11 @@
     regexp: ^IPT_SYSCTL=.*
     line: IPT_SYSCTL=/etc/sysctl.conf
     mode: 'u-x,go-wx'
+
+- name: "OPTIONAL | PATCH | Install Logrotate if missing"
+  when:
+    - ubtu24cis_rule_6_1_3_8
+    - ubtu24cis_logrotate_pkg_install
+  ansible.builtin.package:
+    name: logrotate
+    state: present

tasks/section_1/cis_1.2.2.x.yml

@@ -9,6 +9,14 @@
     - rule_1.2.2.1
     - NIST800-53R5_SI-2
     - patch
-  ansible.builtin.package:
+  block:
-    name: "*"
+    - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installedi | Update"
-    state: latest
+      ansible.builtin.package:
+        name: "*"
+        state: latest
+      register: discovered_pkg_updates
+
+    # Resetting connection as ssh stops if patched reset connection kickstarts it
+    - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed | reset ansible connection if ssh updated"
+      when: "'openssh-server' in discovered_pkg_updates.stdout"
+      ansible.builtin.meta: reset_connection

tasks/section_1/cis_1.4.x.yml

@@ -18,7 +18,7 @@
         dest: "{{ ubtu24cis_grub_user_file }}"
         owner: root
         group: root
-        mode: 'go-w'
+        mode: '0755'
       notify: Grub update
 
     - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot"

tasks/section_2/cis_2.1.x.yml

@@ -46,7 +46,7 @@
       when:
         - not ubtu24cis_avahi_server
         - not ubtu24cis_avahi_mask
-        - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages"
+        - "'avahi' in ansible_facts.packages or 'avahi-autoipd' in ansible_facts.packages"
       ansible.builtin.package:
         name:
           - avahi-autoipd
@@ -699,7 +699,7 @@
       notify: Restart postfix
       ansible.builtin.lineinfile:
         path: /etc/postfix/main.cf
-        regexp: '^(#)?inet_interfaces'
+        regexp: '^(#)?inet_interfaces\s*=(?!\s*loopback-only\s*).*'
         line: 'inet_interfaces = loopback-only'
 
     - name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | Message out other main agents"

tasks/section_2/cis_2.3.1.x.yml

@@ -26,14 +26,4 @@
       loop:
         - chrony
         - ntp
-
+        - systemd-timesyncd
-    - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use | mask service"
-      when:
-        - ubtu24cis_time_sync_tool != "systemd-timesyncd"
-        - "'systemd-timesyncd' in ansible_facts.packages"
-      ansible.builtin.service:
-        name: systemd-timesyncd
-        state: stopped
-        enabled: false
-        masked: true
-        daemon_reload: true

tasks/section_2/cis_2.3.2.x.yml

@@ -23,7 +23,7 @@
       ansible.builtin.template:
         src: "{{ item }}.j2"
         dest: "/{{ item }}"
-        mode: 'go-r'
+        mode: 'go-wx'
         owner: root
         group: root
       loop:

tasks/section_2/cis_2.3.3.x.yml

@@ -58,19 +58,3 @@
         name: chrony
         state: started
         enabled: true
-
-    - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | timesyncd"
-      when: "'systemd-timesyncd' in ansible_facts.packages"
-      ansible.builtin.systemd:
-        name: systemd-timesyncd
-        state: stopped
-        enabled: false
-        masked: true
-
-    - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | ntpd"
-      when: "'ntpd' in ansible_facts.packages"
-      ansible.builtin.systemd:
-        name: ntpd
-        state: stopped
-        enabled: false
-        masked: true

tasks/section_4/cis_4.4.1.x.yml

@@ -48,365 +48,3 @@
   ansible.builtin.package:
     name: ufw
     state: absent
-
-- name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy"
-  when:
-    - ubtu24cis_rule_4_4_1_1
-    - ubtu24cis_ipv4_required
-    - not system_is_ec2
-  tags:
-    - level1-server
-    - level1-workstation
-    - patch
-    - rule_4.4.1.1
-    - iptables
-  block:
-    - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in"
-      ansible.builtin.iptables:
-        chain: INPUT
-        protocol: tcp
-        destination_port: 22
-        jump: ACCEPT
-        ctstate: 'NEW,ESTABLISHED'
-      notify: Iptables persistent
-
-    - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out"
-      ansible.builtin.iptables:
-        chain: OUTPUT
-        protocol: tcp
-        source_port: 22
-        jump: ACCEPT
-        ctstate: 'NEW,ESTABLISHED'
-      notify: Iptables persistent
-
-    - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic"
-      ansible.builtin.iptables:
-        chain: INPUT
-        ctstate: 'ESTABLISHED'
-        jump: ACCEPT
-      notify: Iptables persistent
-
-    - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Set drop items"
-      ansible.builtin.iptables:
-        policy: DROP
-        chain: "{{ item }}"
-      notify: Iptables persistent
-      with_items:
-        - INPUT
-        - FORWARD
-        - OUTPUT
-
-- name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured"
-  when:
-    - ubtu24cis_rule_4_4_1_2
-    - ubtu24cis_firewall_package == "iptables"
-    - ubtu24cis_ipv4_required
-  tags:
-    - level1-server
-    - level1-workstation
-    - patch
-    - rule_4.4.1.2
-    - iptables
-  block:
-    - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT"
-      ansible.builtin.iptables:
-        action: append
-        chain: INPUT
-        in_interface: lo
-        jump: ACCEPT
-      notify: Iptables persistent
-
-    - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT"
-      ansible.builtin.iptables:
-        action: append
-        chain: OUTPUT
-        out_interface: lo
-        jump: ACCEPT
-      notify: Iptables persistent
-
-    - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT"
-      ansible.builtin.iptables:
-        action: append
-        chain: INPUT
-        source: 127.0.0.0/8
-        jump: DROP
-      notify: Iptables persistent
-
-- name: "4.4.1.3 | PATCH | Ensure iptables outbound and established connections are configured"
-  when:
-    - ubtu24cis_rule_4_4_1_3
-    - ubtu24cis_firewall_package == "iptables"
-    - ubtu24cis_ipv4_required
-  tags:
-    - level1-server
-    - level1-workstation
-    - patch
-    - rule_4.4.1.3
-    - iptables
-  ansible.builtin.iptables:
-    action: append
-    chain: '{{ item.chain }}'
-    protocol: '{{ item.protocol }}'
-    match: state
-    ctstate: '{{ item.ctstate }}'
-    jump: ACCEPT
-  notify: Iptables persistent
-  with_items:
-    - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
-    - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
-    - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
-    - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' }
-    - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' }
-    - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' }
-
-- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports"
-  when:
-    - ubtu24cis_rule_4_4_1_4
-    - ubtu24cis_firewall_package == "iptables"
-    - ubtu24cis_ipv4_required
-  tags:
-    - level1-server
-    - level1-workstation
-    - audit
-    - rule_4.4.1.4
-    - iptables
-  vars:
-    warn_control_id: '4.4.1.4'
-  block:
-    - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports"
-      ansible.builtin.command: ss -4tuln
-      changed_when: false
-      failed_when: false
-      check_mode: false
-      register: discovered_open_ports
-
-    - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules"
-      ansible.builtin.command: iptables -L INPUT -v -n
-      changed_when: false
-      failed_when: false
-      check_mode: false
-      register: discovered_current_rules
-
-    - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings"
-      ansible.builtin.debug:
-        msg:
-          - "Warning!! Below is the list the open ports and current rules"
-          - "Please create a rule for any open port that does not have a current rule"
-          - "Open Ports:"
-          - "{{ discovered_open_ports.stdout_lines }}"
-          - "Current Rules:"
-          - "{{ discovered_current_rules.stdout_lines }}"
-
-    - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count"
-      ansible.builtin.import_tasks:
-        file: warning_facts.yml
-
-# ---------------
-# ---------------
-# This is not a control however using the iptables module only writes to memery
-# if a reboot occurs that means changes can revert. This task will make the
-# above iptables settings permanent
-# ---------------
-# ---------------
-# - name: "Make IPTables persistent | Not a control"
-#   block:
-#       - name: "Make IPTables persistent | Install iptables-persistent"
-#         ansible.builtin.package:
-#             name: iptables-persistent
-#             state: present
-
-#       - name: "Make IPTables persistent | Save to persistent files"
-#         ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4"
-#         changed_when: discovered_iptables_save.rc == 0
-#         failed_when: discovered_iptables_save.rc > 0
-#         register: discovered_iptables_save
-#   when:
-#       - ubtu24cis_firewall_package == "iptables"
-#       - ubtu24cis_save_iptables_cis_rules
-#       - ubtu24cis_rule_4_4_1_1 or
-#         ubtu24cis_rule_4_4_1_2 or
-#         ubtu24cis_rule_4_4_1_3 or
-#         ubtu24cis_rule_4_4_1_4
-
-- name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy"
-  when:
-    - ubtu24cis_rule_4_4_1_1
-    - ubtu24cis_ipv6_required
-  tags:
-    - level1-server
-    - level1-workstation
-    - patch
-    - rule_4.4.1.1
-    - ip6tables
-  block:
-    - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out"
-      ansible.builtin.iptables:
-        chain: OUTPUT
-        protocol: tcp
-        source_port: 22
-        jump: ACCEPT
-        ctstate: 'NEW,ESTABLISHED'
-        ip_version: ipv6
-      notify: Ip6tables persistent
-
-    - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic"
-      ansible.builtin.iptables:
-        chain: INPUT
-        ctstate: 'ESTABLISHED'
-        jump: ACCEPT
-        ip_version: ipv6
-      notify: Ip6tables persistent
-
-    - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items"
-      ansible.builtin.iptables:
-        policy: DROP
-        chain: "{{ item }}"
-        ip_version: ipv6
-      notify: Ip6tables persistent
-      loop:
-        - INPUT
-        - FORWARD
-        - OUTPUT
-
-- name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured"
-  when:
-    - ubtu24cis_rule_4_4_1_2
-    - ubtu24cis_firewall_package == "iptables"
-    - ubtu24cis_ipv6_required
-    - not ubtu24cis_ipv4_required
-  tags:
-    - level1-server
-    - level1-workstation
-    - patch
-    - rule_4.4.1.2
-    - ip6tables
-  block:
-    - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT"
-      ansible.builtin.iptables:
-        action: append
-        chain: INPUT
-        in_interface: lo
-        jump: ACCEPT
-        ip_version: ipv6
-      notify: Ip6tables persistent
-
-    - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT"
-      ansible.builtin.iptables:
-        action: append
-        chain: OUTPUT
-        out_interface: lo
-        jump: ACCEPT
-        ip_version: ipv6
-      notify: Ip6tables persistent
-
-    - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop"
-      ansible.builtin.iptables:
-        action: append
-        chain: INPUT
-        source: ::1
-        jump: DROP
-        ip_version: ipv6
-      notify: Ip6tables persistent
-
-- name: "4.4.1.3 | PATCH | Ensure ip6tables outbound and established connections are configured"
-  when:
-    - ubtu24cis_rule_4_4_1_3
-    - ubtu24cis_firewall_package == "iptables"
-    - ubtu24cis_ipv6_required
-    - not ubtu24cis_ipv4_required
-  tags:
-    - level1-server
-    - level1-workstation
-    - patch
-    - rule_4.4.1.3
-    - ip6tables
-  ansible.builtin.iptables:
-    action: append
-    chain: '{{ item.chain }}'
-    protocol: '{{ item.protocol }}'
-    match: state
-    ctstate: '{{ item.ctstate }}'
-    jump: ACCEPT
-    ip_version: ipv6
-  notify: Ip6tables persistent
-  loop:
-    - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
-    - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
-    - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
-    - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' }
-    - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' }
-    - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' }
-
-- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports"
-  when:
-    - ubtu24cis_rule_4_4_1_4
-    - ubtu24cis_firewall_package == "iptables"
-    - ubtu24cis_ipv6_required
-    - not ubtu24cis_ipv4_required
-  tags:
-    - level1-server
-    - level1-workstation
-    - audit
-    - rule_4.4.1.4
-    - ip6tables
-  vars:
-    warn_control_id: '4.4.1.4'
-  block:
-    - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports"
-      ansible.builtin.command: ss -6tuln
-      changed_when: false
-      failed_when: false
-      check_mode: false
-      register: discovered_open_ports
-
-    - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules"
-      ansible.builtin.command: ip6tables -L INPUT -v -n
-      changed_when: false
-      failed_when: false
-      check_mode: false
-      register: discovered_current_rules
-
-    - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings"
-      ansible.builtin.debug:
-        msg:
-          - "Warning!! Below is the list the open ports and current rules"
-          - "Please create a rule for any open port that does not have a current rule"
-          - "Open Ports:"
-          - "{{ discovered_open_ports.stdout_lines }}"
-          - "Current Rules:"
-          - "{{ discovered_current_rules.stdout_lines }}"
-
-    - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count"
-      ansible.builtin.import_tasks:
-        file: warning_facts.yml
-
-# ---------------
-# ---------------
-# This is not a control however using the ip6tables module only writes to memery
-# if a reboot occurs that means changes can revert. This task will make the
-# above ip6tables settings permanent
-# ---------------
-# ---------------
-# via handler
-# - name: "Make IP6Tables persistent | Not a control"
-#   block:
-#       - name: "Make IP6Tables persistent | Install iptables-persistent"
-#         ansible.builtin.package:
-#             name: iptables-persistent
-#             state: present
-#         when: "'iptables-persistent' not in ansible_facts.packages"
-
-#       - name: "Make IP6Tables persistent | Save to persistent files"
-#         ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6"
-#         changed_when: discovered_ip6tables_save.rc == 0
-#         failed_when: discovered_ip6tables_save.rc > 0
-#         register: discovered_ip6tables_save
-#   when:
-#       - ubtu24cis_firewall_package == "iptables"
-#       - ubtu24cis_ipv6_required
-#       - not ubtu24cis_ipv4_required
-#       - ubtu24cis_save_iptables_cis_rules
-#       - ubtu24cis_rule_4_4_1_1 or
-#         ubtu24cis_rule_4_4_1_2 or
-#         ubtu24cis_rule_4_4_1_3 or
-#         ubtu24cis_rule_4_4_1_4

tasks/section_4/main.yml

@@ -15,7 +15,7 @@
     file: cis_4.3.x.yml
 
 - name: "SECTION | 4.4.1.x | Configure iptables software"
-  when: ubtu24cis_firewall_package == "nftables"
+  when: ubtu24cis_firewall_package == "iptables"
   ansible.builtin.import_tasks:
     file: cis_4.4.1.x.yml
 

tasks/section_5/cis_5.1.x.yml

@@ -187,7 +187,7 @@
     - NIST800-53R5_CM-6
     - NIST800-53R5_CM-7
     - NIST800-53R5_IA-5
-    - sshdd
+    - sshd
   ansible.builtin.lineinfile:
     path: /etc/ssh/sshd_config
     regexp: "{{ item.regexp }}"

tasks/section_5/cis_5.3.3.1.x.yml

@@ -28,12 +28,10 @@
     - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | if exists remove deny from faillock line in pam-auth conf files"
       when: discovered_faillock_deny_files.stdout | length > 0
       ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
         regexp: '(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)'
         replace: \1\2
-      with_fileglob:
+      loop: "{{ prelim_pam_conf_files.files }}"
-        - '/usr/share/pam-configs/*'
-        - '/etc/pam.d/*'
 
 - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured"
   when: ubtu24cis_rule_5_3_3_1_2
@@ -63,12 +61,10 @@
     - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | if exists remove unlock_time from faillock line in pam-auth conf files"
       when: discovered_faillock_unlock_files.stdout | length > 0
       ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
         regexp: '(*.pam_faillock.so\s*)unlock_time\s*=\s*\b(.*)'
         replace: \1\2
-      with_fileglob:
+      loop: "{{ prelim_pam_conf_files.files }}"
-        - '/usr/share/pam-configs/*'
-        - '/etc/pam.d/*'
 
 - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
   when: ubtu24cis_rule_5_3_3_1_3
@@ -98,9 +94,7 @@
     - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | if exists remove unlock_time from faillock line in pam-auth conf files"
       when: discovered_faillock_rootlock_files.stdout | length > 0
       ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
         regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)'
         replace: \1\3
-      with_fileglob:
+      loop: "{{ prelim_pam_conf_files.files }}"
-        - '/usr/share/pam-configs/*'
-        - '/etc/pam.d/*'

tasks/section_5/cis_5.3.3.2.x.yml

@@ -11,15 +11,15 @@
     - pam
   block:
     - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from conf files except expected file"
-      when: item != ubtu24cis_passwd_difok_file
+      when: "ubtu24cis_passwd_difok_file not in item.path"
       ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
         regexp: 'difok\s*=\s*\d+\b'
         replace: ''
-      with_fileglob:
+      with_items:
-        - '/etc/security/pwquality.conf'
+        - "{{ prelim_pam_pwquality_confs.files }}"
-        - '/etc/security/pwquality.conf.d/*.conf'
+        - { path: '/etc/security/pwquality.conf'}
-        - '/etc/pam.d/common-password'
+        - { path: '/etc/pam.d/common-password' }
 
     - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists"
       ansible.builtin.template:
@@ -40,15 +40,15 @@
     - pam
   block:
     - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file"
-      when: item != ubtu24cis_passwd_minlen_file
+      when: "ubtu24cis_passwd_minlen_file not in item.path"
       ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
         regexp: 'minlen\s*=\s*\d+\b'
         replace: ''
-      with_fileglob:
+      with_items:
-        - '/etc/security/pwquality.conf'
+        - "{{ prelim_pam_pwquality_confs.files }}"
-        - '/etc/security/pwquality.conf.d/*.conf'
+        - { path: '/etc/security/pwquality.conf'}
-        - '/etc/pam.d/common-password'
+        - { path: '/etc/pam.d/common-password' }
 
     - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists"
       ansible.builtin.template:
@@ -69,15 +69,15 @@
     - pam
   block:
     - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove pwd complex settings from conf files except expected file"
-      when: item != ubtu24cis_passwd_complex_file
+      when: "ubtu24cis_passwd_complex_file not in item.path"
       ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
         regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b'
         replace: ''
-      with_fileglob:
+      with_items:
-        - '/etc/security/pwquality.conf'
+        - "{{ prelim_pam_pwquality_confs.files }}"
-        - '/etc/security/pwquality.conf.d/*.conf'
+        - { path: '/etc/security/pwquality.conf'}
-        - '/etc/pam.d/common-password'
+        - { path: '/etc/pam.d/common-password' }
 
     - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists"
       ansible.builtin.template:
@@ -98,15 +98,15 @@
     - pam
   block:
     - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file"
-      when: item != ubtu24cis_passwd_maxrepeat_file
+      when: "ubtu24cis_passwd_maxrepeat_file not in item.path"
       ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
         regexp: 'maxrepeat\s*=\s*\d+\b'
         replace: ''
-      with_fileglob:
+      with_items:
-        - '/etc/security/pwquality.conf'
+        - "{{ prelim_pam_pwquality_confs.files }}"
-        - '/etc/security/pwquality.conf.d/*.conf'
+        - { path: '/etc/security/pwquality.conf'}
-        - '/etc/pam.d/common-password'
+        - { path: '/etc/pam.d/common-password' }
 
     - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists"
       ansible.builtin.template:
@@ -127,15 +127,15 @@
     - pam
   block:
     - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence settings from conf files except expected file"
-      when: item != ubtu24cis_passwd_maxsequence_file
+      when: "ubtu24cis_passwd_maxsequence_file not in item.path"
       ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
         regexp: 'maxsequence\s*=\s*\d+\b'
         replace: ''
-      with_fileglob:
+      with_items:
-        - '/etc/security/pwquality.conf'
+        - "{{ prelim_pam_pwquality_confs.files }}"
-        - '/etc/security/pwquality.conf.d/*.conf'
+        - { path: '/etc/security/pwquality.conf'}
-        - '/etc/pam.d/common-password'
+        - { path: '/etc/pam.d/common-password' }
 
     - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists"
       ansible.builtin.template:
@@ -156,15 +156,15 @@
     - pam
   block:
     - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file"
-      when: item != ubtu24cis_passwd_dictcheck_file
+      when: "ubtu24cis_passwd_dictcheck_file not in item.path"
       ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
         regexp: 'dictcheck\s*=\s*\d+\b'
         replace: ''
-      with_fileglob:
+      with_items:
-        - '/etc/security/pwquality.conf'
+        - "{{ prelim_pam_pwquality_confs.files }}"
-        - '/etc/security/pwquality.conf.d/*.conf'
+        - { path: '/etc/security/pwquality.conf'}
-        - '/etc/pam.d/common-password'
+        - { path: '/etc/pam.d/common-password' }
 
     - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists"
       ansible.builtin.template:
@@ -185,15 +185,15 @@
     - pam
   block:
     - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Remove quality enforcement settings from conf files except expected file"
-      when: item != ubtu24cis_passwd_quality_enforce_file
+      when: "ubtu24cis_passwd_quality_enforce_file not in item.path"
       ansible.builtin.replace:
-        path: "{{ item }}"
+        path: "{{ item.path }}"
         regexp: 'enforcing\s*=\s*\d+\b'
         replace: ''
-      with_fileglob:
+      with_items:
-        - '/etc/security/pwquality.conf'
+        - "{{ prelim_pam_pwquality_confs.files }}"
-        - '/etc/security/pwquality.conf.d/*.conf'
+        - { path: '/etc/security/pwquality.conf'}
-        - '/etc/pam.d/common-password'
+        - { path: '/etc/pam.d/common-password' }
 
     - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Ensure quality enforcement file exists"
       ansible.builtin.template:

tasks/section_5/cis_5.4.1.x.yml

@@ -130,13 +130,13 @@
     - login
   block:
     - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | General setting"
-      ansible.builtin.command: useradd -D | grep INACTIVE | cut -d= -f2
+      ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2
       changed_when: false
       failed_when: false
       register: discovered_passwd_inactive_setting
 
     - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured| Set inactive period for new users"
-      when: discovered_passwd_inactive_setting.stdout != ubtu24cis_pass_inactive | string
+      when: discovered_passwd_inactive_setting.stdout != (ubtu24cis_pass_inactive | string)
       ansible.builtin.command: useradd -D -f {{ ubtu24cis_pass_inactive }}
       failed_when: false
       changed_when: true

tasks/section_5/cis_5.4.3.x.yml

@@ -34,7 +34,7 @@
     state: "{{ item.state }}"
     marker: "# {mark} - CIS benchmark - Ansible-lockdown"
     create: true
-    mode: 'go-r'
+    mode: 'go-wx'
     block: |
       TMOUT={{ ubtu24cis_shell_session_timeout }}
       readonly TMOUT
@@ -54,10 +54,20 @@
     - rule_5.4.3.3
     - NIST800-53R5_AC-3
     - NIST800-53R5_MP-2
-  ansible.builtin.replace:
+  block:
-    path: "{{ item.path }}"
+    - name: "5.4.3.3 | PATCH | Ensure default user umask is configured | update current settings"
-    regexp: (?i)(umask\s+\d\d\d)
+      ansible.builtin.replace:
-    replace: '{{ item.line }} {{ ubtu24cis_bash_umask }}'
+        path: "{{ item.path }}"
-  loop:
+        regexp: (?i)(umask\s+\d\d\d)
-    - { path: '/etc/profile', line: 'umask' }
+        replace: '{{ item.line }} {{ ubtu24cis_bash_umask }}'
-    - { path: '/etc/login.defs', line: 'UMASK' }
+      loop:
+        - { path: '/etc/profile', line: 'umask' }
+        - { path: '/etc/login.defs', line: 'UMASK' }
+
+    - name: "5.4.3.3 | PATCH | Ensure default user umask is configured | add profile script to set"
+      ansible.builtin.template:
+        src: etc/profile.d/50-umask.sh.j2
+        dest: /etc/profile.d/50-umask.sh
+        owner: root
+        group: root
+        mode: 'go+r,go-wx'

tasks/section_6/cis_6.1.3.8.yml

@@ -1,7 +1,9 @@
 ---
 
 - name: "6.1.3.8 | PATCH | Ensure logrotate is configured"
-  when: ubtu24cis_rule_6_1_3_8
+  when:
+    - ubtu24cis_rule_6_1_3_8
+    - "'logrotate' in ansible_facts.packages"
   tags:
     - level1-server
     - level1-workstation

tasks/section_6/cis_6.1.4.1.yml

@@ -30,11 +30,14 @@
       loop: "{{ discovered_logfiles.stdout_lines }}"
 
     - name: "6.1.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
+      when:
+        - discovered_system_logfiles.stdout_lines is defined
+        - item == "/var/log/btmp"
+        - item == "/var/log/utmp"
+        - item == "/var/log/wtmp"
+        - item == "/var/log/lastlog"
+        - "'sssd' in item or 'SSSD' in item"
       ansible.builtin.file:
         path: "{{ item }}"
         mode: 'ug-x,o-wx'
-      with_fileglob:
+      loop: "{{ discovered_system_logfiles.stdout_lines }}"
-        - "/var/log/*tmp"
-        - "/var/log/lastlog*"
-        - "/var/log/sssd*"
-        - "/var/log/SSSD*"

tasks/section_6/cis_6.2.1.x.yml

@@ -4,7 +4,7 @@
   when:
     - ubtu24cis_rule_6_2_1_1
     - "'auditd' not in ansible_facts.packages or
-      'audisd-plugins' not in ansible_facts.packages"
+      'audispd-plugins' not in ansible_facts.packages"
   tags:
     - level2-server
     - level2-workstation
@@ -30,7 +30,7 @@
     - NIST800-53R5_AU-3
     - NIST800-53R5_AU-12
     - auditd
-  ansible.builtin.service:
+  ansible.builtin.systemd:
     name: auditd
     state: started
     enabled: true

tasks/section_6/cis_6.2.3.x.yml

@@ -277,3 +277,4 @@
     - auditd
   ansible.builtin.command: augenrules --check
   changed_when: false
+  register: discovered_augenrules_check

tasks/section_7/cis_7.2.x.yml

@@ -309,7 +309,7 @@
     warn_control_id: '7.2.10'
   block:
     - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Check for files"
-      ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w
+      ansible.builtin.shell: find /home/ /root/ -name "\.*" -type f -perm /u+x,g+wx,o+wx
       changed_when: false
       failed_when: discovered_homedir_dot_files.rc not in [ 0, 1 ]
       check_mode: false
@@ -336,5 +336,5 @@
         - ubtu24cis_dotperm_ansiblemanaged
       ansible.builtin.file:
         path: '{{ item }}'
-        mode: 'go-w'
+        mode: 'u-x,go-wx'
       with_items: "{{ discovered_homedir_dot_files.stdout_lines }}"

templates/ansible_vars_goss.yml.j2

@@ -484,7 +484,7 @@ ubtu24cis_apparmor_disable: {{ ubtu24cis_apparmor_disable }}
 # THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!!
 # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
 ubtu24cis_grub_user: {{ ubtu24cis_grub_user }}
-ubtu24cis_bootloader_password_hash: {{ grub_user_pass }}  # pragma: allowlist secret
+ubtu24cis_bootloader_password_hash: {{ ubtu24cis_bootloader_password_hash }}  # pragma: allowlist secret
 
 ## Controls 1.5.x
 
@@ -580,7 +580,7 @@ ubtu24cis_ftp_client: {{ ubtu24cis_ftp_client }}
 ## Control 2.3.1.1
 # This variable choses the tool used for time synchronization
 # The two options are `chrony`and `systemd-timesyncd`.
-ubtu24cis_time_sync_tool: "systemd-timesyncd"
+ubtu24cis_time_sync_tool: {{ ubtu24cis_time_sync_tool }}
 
 ## Controls 2.3.x - Configure time pools & servers for chrony and timesyncd
 # The following variable represents a list of of time server pools used
@@ -588,7 +588,7 @@ ubtu24cis_time_sync_tool: "systemd-timesyncd"
 # Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`.
 # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
 # of the time synchronization mechanism you are using.
-ubtu24cis_time_pool_name:
+ubtu24cis_time_pool:
 {% for pool in ubtu24cis_time_pool %}
 - name: {{ pool.name }}
   options: {{ pool.options }}
@@ -733,6 +733,9 @@ ubtu24_varlog_location: {{ ubtu24cis_sudo_logfile }}
 
 # Section 6
 
+# This variable specifies the address of the remote log host where logs are being sent.
+ubtu24cis_remote_log_server: {{ ubtu24cis_remote_log_server }}
+
 # 6.1.2
 
 # AIDE

templates/audit/99_auditd.rules.j2

@@ -10,22 +10,41 @@
 -w /etc/sudoers.d -p wa -k scope
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_2 %}
--a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
+{% set syscalls = ["execve"] %}
--a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
+-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_3 %}
 -w {{ ubtu24cis_sudo_logfile }} -p wa -k sudo_log_file
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_4 %}
--a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
+{% set syscalls = ["adjtimex","settimeofday","clock_settime"] %}
--a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
+{% set arch_syscalls = [] %}
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change
+{% for syscall in syscalls  %}
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change
 -w /etc/localtime -p wa -k time-change
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_5 %}
--a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
+{% set syscalls = ["sethostname","setdomainname"] %}
--a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
@@ -41,10 +60,17 @@
 {% endif %}
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_7 %}
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+{% set syscalls = ["creat","open","openat","truncate","ftruncate"] %}
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+{% set arch_syscalls = [] %}
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+{% for syscall in syscalls  %}
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_8 %}
 -w /etc/group -p wa -k identity
@@ -57,16 +83,65 @@
 -w /etc/pam.d -p wa -k identity
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_9 %}
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["chmod","fchmod","fchmodat"] %}
--a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod
+{% set arch_syscalls = [] %}
--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
+{% for syscall in syscalls  %}
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
+{% if syscall in supported_syscalls %}
--a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod
+{{ arch_syscalls.append( syscall) }}
--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["chmod","fchmod","fchmodat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_10 %}
--a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts
+{% set syscalls = ["mount"] %}
--a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k mounts
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k mounts
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_11 %}
 -w /var/run/utmp -p wa -k session
@@ -78,8 +153,15 @@
 -w /var/run/faillock -p wa -k logins
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_13 %}
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
+{% set syscalls = ["unlink","unlinkat","rename","renameat"] %}
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k delete
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k delete
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_14 %}
 -w /etc/apparmor/ -p wa -k MAC-policy
@@ -99,7 +181,14 @@
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_19 %}
 -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -k kernel_modules
--a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=-1 -k kernel_modules
+{% set syscalls = ["init_module","finit_module","delete_module"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=-1 -k kernel_modules
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_20 %}
 -e 2

templates/etc/ansible/compliance_facts.j2

@@ -0,0 +1,40 @@
+# CIS Hardening Carried out
+# Added as part of ansible-lockdown CIS baseline
+# provided by Mindpoint Group - A Tyto Athene Company
+
+[lockdown_details]
+# Benchmark release
+Benchmark_release = CIS-{{ benchmark_version }}
+Benchmark_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }}
+# If options set (doesn't mean it ran all controls)
+level_1_hardening_enabled = {{ ubtu24cis_level_1 }}
+level_2_hardening_enabled = {{ ubtu24cis_level_2 }}
+
+{% if ansible_run_tags | length > 0 %}
+# If tags used to stipulate run level
+{% if 'level1-server' in ansible_run_tags %}
+Level_1_Server_tag_run = true
+{% endif %}
+{% if 'level2-server' in ansible_run_tags %}
+Level_2_Server_tag_run = true
+{% endif %}
+{% if 'level1-workstation' in ansible_run_tags %}
+Level_1_workstation_tag_run = true
+{% endif %}
+{% if 'level2-workstation' in ansible_run_tags %}
+Level_2_workstation_tag_run = true
+{% endif %}
+{% endif %}
+
+[lockdown_audit_details]
+{% if run_audit %}
+# Audit run
+audit_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }}
+audit_file_local_location = {{ audit_log_dir }}
+{% if not audit_only %}
+audit_summary = {{ post_audit_results }}
+{% endif %}
+{% if fetch_audit_output %}
+audit_files_centralized_location = {{ audit_output_destination }}
+{% endif %}
+{% endif %}

templates/etc/profile.d/50-umask.sh.j2

@@ -0,0 +1,7 @@
+## Ansible controlled file
+# Added as part of ansible-lockdown CIS baseline
+# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
+
+# Set umask with highest precedence
+
+umask 027