Merge pull request #26 from ansible-lockdown/devel

Release to main

.gitignore

@@ -43,3 +43,6 @@ benchparse/
 
 # GitHub Action/Workflow files
 .github/
+
+# Precommit
+.ansible/

.pre-commit-config.yaml

@@ -41,12 +41,12 @@ repos:
   - id: detect-secrets
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.21.2
+  rev: v8.24.0
   hooks:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.10.0
+  rev: v25.1.3
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -65,7 +65,7 @@ repos:
     # - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.35.1  # or higher tag
+  rev: v1.36.2  # or higher tag
   hooks:
   - id: yamllint
     name: Check YAML Lint

defaults/main.yml

@@ -626,6 +626,10 @@ ubtu24cis_desktop_required: false
 # This will also purge any packages not removed via this playbook
 ubtu24cis_purge_apt: false
 
+## Ignore change_when for apt update task
+# Modifies behavior of 'changed_when' for 'apt update' task  in prelim that always changes
+ignore_apt_update_changed_when: false
+
 ##
 ## Section 1 Control Variables
 ##
@@ -647,6 +651,7 @@ ubtu24cis_tmp_svc: false
 # The following variables are related to the set of rules from section 1.6.1.x
 
 ## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode
+control_1_3_1_4_was_run: false
 
 # This variable disables the implementation of rules 1.3.1.3 and 1.3.1.4
 # regarding enforcing profiles or putting them in complain mode
@@ -665,7 +670,6 @@ ubtu24cis_apparmor_mode: complain
 # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
 ubtu24cis_grub_user: root
 ubtu24cis_set_grub_user_pass: false
-ubtu24cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6'  # Set to changeme
 ubtu24cis_grub_user_file: /etc/grub.d/00_user
 ubtu24cis_bootloader_password_hash: "grub.pbkdf2.sha512.changethispassword"  # pragma: allowlist secret
 ubtu24cis_set_boot_pass: false
@@ -1069,6 +1073,9 @@ ubtu24cis_shell_session_file: /etc/profile.d/tmout.sh
 # journald or rsyslog
 ubtu24cis_syslog_service: 'journald'
 
+# Enable rsyslog logging to be managed by ansible
+ubtu24cis_rsyslog_ansible_managed: true
+
 ## Controls 6.1.1.x journald
 
 # This variable specifies the address of the remote log host where logs are being sent.
@@ -1107,7 +1114,12 @@ ubtu24cis_journald_runtimekeepfree: "#RuntimeKeepFree="
 # ATTENTION: Uncomment the keyword below when values are set!
 ubtu24cis_journald_maxfilesec: "#MaxFileSec="
 
-# 6.1.3.8
+# 6.1.3.8 LOGRotate
+# Optional to alow logrotate to be installed
+# While it is required for 6.1.3.8 its not installed by default on minimal image
+# or required for CIS to be installed, but in order to achieve ability to install has been added
+ubtu24cis_logrotate_pkg_install: false
+
 # ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation
 # To conform to CIS standards this just needs to comply with your site policy
 ubtu24cis_logrotate: "daily"

handlers/main.yml

@@ -237,11 +237,11 @@
   changed_when: true
 
 - name: Auditd rules reload
-  when:
-    - not prelim_auditd_immutable_check or
-      '"No change" not in ubtu24cis_rule_6_2_3_21_grep -iR augen_check.stdout'
+  when: ('"No change" not in discovered_augenrules_check.stdout') or prelim_auditd_immutable_check.rc == 1
   ansible.builtin.command: augenrules --load
   changed_when: true
+  failed_when: discovered_augenrule_load.rc not in [ 0, 1 ]
+  register: discovered_augenrule_load
 
 - name: Audit_immutable_fact
   when:

tasks/LE_audit_setup.yml

@@ -8,7 +8,7 @@
         audit_pkg_arch_name: AMD64
 
     - name: Pre Audit Setup | Set audit package name | ARM64
-      when: ansible_facts.machine == "arm64"
+      when: (ansible_facts.machine == "arm64" or ansible_facts.machine == "aarch64")
       ansible.builtin.set_fact:
         audit_pkg_arch_name: ARM64
 

tasks/auditd.yml

@@ -1,7 +1,18 @@
 ---
 
+# Since auditd rules are dependent on syscalls and syscall tables are architecture specific,
+# we need to update the auditd rules depending on the architecture of the system.
+# This task passed the syscalls table to the auditd template and updates the auditd rules
+- name: "POST | AUDITD | Set supported_syscalls variable"
+  ansible.builtin.shell: ausyscall --dump |  awk  '{print $2}'
+  changed_when: false
+  failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ]
+  register: discovered_auditd_syscalls
+
 - name: "POST | AUDITD | Apply auditd template for section 6.2.4.x"
   when: update_audit_template
+  vars:
+    supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}"
   ansible.builtin.template:
     src: audit/99_auditd.rules.j2
     dest: /etc/audit/rules.d/99_auditd.rules

tasks/main.yml

@@ -62,31 +62,6 @@
     that: ubtu24cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu24cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
     msg: "This role will not be able to run single user password commands as ubtu24cis_bootloader_password_hash variable has not been set correctly"
 
-- name: Check ubtu24cis_grub_user password variable has been changed
-  when: ubtu24cis_rule_1_4_1
-  tags: always
-  block:
-    - name: Check ubtu24cis_grub_user password variable has been changed | check password is set
-      ansible.builtin.shell: "grep ^{{ ubtu24cis_grub_user }} /etc/shadow | awk -F : '{print $2}'"
-      changed_when: false
-      register: ubtu24cis_password_set_grub_user
-
-    - name: Check ubtu24cis_grub_user password variable has been changed | check password is set
-      when:
-        - "'$y$' in ubtu24cis_password_set_grub_user.stdout"
-        - ubtu24cis_set_grub_user_pass
-        - ubtu24cis_rule_1_4_1
-      ansible.builtin.assert:
-        that: ubtu24cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu24cis_grub_user_passwd.find('$y$') != -1 and ubtu24cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6'
-        msg: "This role will not set the {{ ubtu24cis_grub_user }} user password is not set or ubtu24cis_grub_user_passwd variable has not been set correctly"
-
-    - name: Check ubtu24cis_grub_user password variable has been changed | if password blank or incorrect type and not being set
-      when: not ubtu24cis_set_grub_user_pass
-      ansible.builtin.assert:
-        that: ( ubtu24cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu24cis_password_set_grub_user.stdout
-        fail_msg: "Grub User {{ ubtu24cis_grub_user }} has no password set or incorrect encryption"
-        success_msg: "Grub User {{ ubtu24cis_grub_user }} has a valid password set to be used in single user mode"
-
 - name: Setup rules if container
   when:
     - ansible_connection == 'docker' or

tasks/prelim.yml

@@ -7,7 +7,7 @@
   changed_when: false
 
 - name: "PRELIM | AUDIT | Register if snap being used"
-  when: ubtu24cis_rule_1_1_1_6
+  when: ubtu24cis_rule_1_1_1_7
   tags: always
   ansible.builtin.shell: df -h | grep -wc "/snap"
   changed_when: false
@@ -15,7 +15,7 @@
   register: prelim_snap_pkg_mgr
 
 - name: "PRELIM | AUDIT | Register if squashfs is built into the kernel"
-  when: ubtu24cis_rule_1_1_1_6
+  when: ubtu24cis_rule_1_1_1_7
   tags: always
   ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs"
   changed_when: false
@@ -51,6 +51,12 @@
       ansible.builtin.debug:
         msg: "{{ prelim_mount_point_fs_and_options }}"
 
+- name: "PRELIM | PATCH | Run apt update"
+  tags: always
+  ansible.builtin.package:
+    update_cache: true
+  changed_when: not ignore_apt_update_changed_when
+
 - name: Include audit specific variables
   when:
     - run_audit or audit_only
@@ -70,14 +76,6 @@
   ansible.builtin.import_tasks:
     file: pre_remediation_audit.yml
 
-- name: "PRELIM | PATCH | Run apt update"
-  when:
-    - ubtu24cis_rule_1_2_1_1 or
-      ubtu24cis_rule_1_2_2_1
-  tags: always
-  ansible.builtin.package:
-    update_cache: true
-
 - name: "PRELIM | AUDIT | Wireless adapter pre-requisites"
   when:
     - ubtu24cis_rule_3_1_2
@@ -218,7 +216,7 @@
 - name: "PRELIM | AUDIT | Check if auditd is immutable before changes"
   when: "'auditd' in ansible_facts.packages"
   tags: always
-  ansible.builtin.shell: auditctl -l | grep -c '-e 2'
+  ansible.builtin.shell: auditctl -s | grep "enabled 2"
   changed_when: false
   failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ]
   register: prelim_auditd_immutable_check
@@ -232,6 +230,7 @@
   tags: always
   ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'"
   changed_when: false
+  check_mode: false
   failed_when: prelim_auditd_logfile.rc not in [ 0, 1 ]
   register: prelim_auditd_logfile
 
@@ -256,3 +255,11 @@
     regexp: ^IPT_SYSCTL=.*
     line: IPT_SYSCTL=/etc/sysctl.conf
     mode: 'u-x,go-wx'
+
+- name: "OPTIONAL | PATCH | Install Logrotate if missing"
+  when:
+    - ubtu24cis_rule_6_1_3_8
+    - ubtu24cis_logrotate_pkg_install
+  ansible.builtin.package:
+    name: logrotate
+    state: present

tasks/section_1/cis_1.2.2.x.yml

@@ -9,6 +9,14 @@
     - rule_1.2.2.1
     - NIST800-53R5_SI-2
     - patch
-  ansible.builtin.package:
-    name: "*"
-    state: latest
+  block:
+    - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installedi | Update"
+      ansible.builtin.package:
+        name: "*"
+        state: latest
+      register: discovered_pkg_updates
+
+    # Resetting connection as ssh stops if patched reset connection kickstarts it
+    - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed | reset ansible connection if ssh updated"
+      when: "'openssh-server' in discovered_pkg_updates.stdout"
+      ansible.builtin.meta: reset_connection

tasks/section_1/cis_1.4.x.yml

@@ -18,7 +18,7 @@
         dest: "{{ ubtu24cis_grub_user_file }}"
         owner: root
         group: root
-        mode: 'go-w'
+        mode: '0755'
       notify: Grub update
 
     - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot"

tasks/section_2/cis_2.1.x.yml

@@ -699,7 +699,7 @@
       notify: Restart postfix
       ansible.builtin.lineinfile:
         path: /etc/postfix/main.cf
-        regexp: '^(#)?inet_interfaces'
+        regexp: '^(#)?inet_interfaces\s*=(?!\s*loopback-only\s*).*'
         line: 'inet_interfaces = loopback-only'
 
     - name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | Message out other main agents"

tasks/section_2/cis_2.3.1.x.yml

@@ -26,14 +26,4 @@
       loop:
         - chrony
         - ntp
-
-    - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use | mask service"
-      when:
-        - ubtu24cis_time_sync_tool != "systemd-timesyncd"
-        - "'systemd-timesyncd' in ansible_facts.packages"
-      ansible.builtin.service:
-        name: systemd-timesyncd
-        state: stopped
-        enabled: false
-        masked: true
-        daemon_reload: true
+        - systemd-timesyncd

tasks/section_2/cis_2.3.2.x.yml

@@ -23,7 +23,7 @@
       ansible.builtin.template:
         src: "{{ item }}.j2"
         dest: "/{{ item }}"
-        mode: 'go-r'
+        mode: 'go-wx'
         owner: root
         group: root
       loop:

tasks/section_2/cis_2.3.3.x.yml

@@ -58,19 +58,3 @@
         name: chrony
         state: started
         enabled: true
-
-    - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | timesyncd"
-      when: "'systemd-timesyncd' in ansible_facts.packages"
-      ansible.builtin.systemd:
-        name: systemd-timesyncd
-        state: stopped
-        enabled: false
-        masked: true
-
-    - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | ntpd"
-      when: "'ntpd' in ansible_facts.packages"
-      ansible.builtin.systemd:
-        name: ntpd
-        state: stopped
-        enabled: false
-        masked: true

tasks/section_4/cis_4.4.1.x.yml

@@ -48,365 +48,3 @@
   ansible.builtin.package:
     name: ufw
     state: absent
-
-- name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy"
-  when:
-    - ubtu24cis_rule_4_4_1_1
-    - ubtu24cis_ipv4_required
-    - not system_is_ec2
-  tags:
-    - level1-server
-    - level1-workstation
-    - patch
-    - rule_4.4.1.1
-    - iptables
-  block:
-    - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in"
-      ansible.builtin.iptables:
-        chain: INPUT
-        protocol: tcp
-        destination_port: 22
-        jump: ACCEPT
-        ctstate: 'NEW,ESTABLISHED'
-      notify: Iptables persistent
-
-    - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out"
-      ansible.builtin.iptables:
-        chain: OUTPUT
-        protocol: tcp
-        source_port: 22
-        jump: ACCEPT
-        ctstate: 'NEW,ESTABLISHED'
-      notify: Iptables persistent
-
-    - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic"
-      ansible.builtin.iptables:
-        chain: INPUT
-        ctstate: 'ESTABLISHED'
-        jump: ACCEPT
-      notify: Iptables persistent
-
-    - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Set drop items"
-      ansible.builtin.iptables:
-        policy: DROP
-        chain: "{{ item }}"
-      notify: Iptables persistent
-      with_items:
-        - INPUT
-        - FORWARD
-        - OUTPUT
-
-- name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured"
-  when:
-    - ubtu24cis_rule_4_4_1_2
-    - ubtu24cis_firewall_package == "iptables"
-    - ubtu24cis_ipv4_required
-  tags:
-    - level1-server
-    - level1-workstation
-    - patch
-    - rule_4.4.1.2
-    - iptables
-  block:
-    - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT"
-      ansible.builtin.iptables:
-        action: append
-        chain: INPUT
-        in_interface: lo
-        jump: ACCEPT
-      notify: Iptables persistent
-
-    - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT"
-      ansible.builtin.iptables:
-        action: append
-        chain: OUTPUT
-        out_interface: lo
-        jump: ACCEPT
-      notify: Iptables persistent
-
-    - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT"
-      ansible.builtin.iptables:
-        action: append
-        chain: INPUT
-        source: 127.0.0.0/8
-        jump: DROP
-      notify: Iptables persistent
-
-- name: "4.4.1.3 | PATCH | Ensure iptables outbound and established connections are configured"
-  when:
-    - ubtu24cis_rule_4_4_1_3
-    - ubtu24cis_firewall_package == "iptables"
-    - ubtu24cis_ipv4_required
-  tags:
-    - level1-server
-    - level1-workstation
-    - patch
-    - rule_4.4.1.3
-    - iptables
-  ansible.builtin.iptables:
-    action: append
-    chain: '{{ item.chain }}'
-    protocol: '{{ item.protocol }}'
-    match: state
-    ctstate: '{{ item.ctstate }}'
-    jump: ACCEPT
-  notify: Iptables persistent
-  with_items:
-    - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
-    - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
-    - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
-    - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' }
-    - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' }
-    - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' }
-
-- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports"
-  when:
-    - ubtu24cis_rule_4_4_1_4
-    - ubtu24cis_firewall_package == "iptables"
-    - ubtu24cis_ipv4_required
-  tags:
-    - level1-server
-    - level1-workstation
-    - audit
-    - rule_4.4.1.4
-    - iptables
-  vars:
-    warn_control_id: '4.4.1.4'
-  block:
-    - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports"
-      ansible.builtin.command: ss -4tuln
-      changed_when: false
-      failed_when: false
-      check_mode: false
-      register: discovered_open_ports
-
-    - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules"
-      ansible.builtin.command: iptables -L INPUT -v -n
-      changed_when: false
-      failed_when: false
-      check_mode: false
-      register: discovered_current_rules
-
-    - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings"
-      ansible.builtin.debug:
-        msg:
-          - "Warning!! Below is the list the open ports and current rules"
-          - "Please create a rule for any open port that does not have a current rule"
-          - "Open Ports:"
-          - "{{ discovered_open_ports.stdout_lines }}"
-          - "Current Rules:"
-          - "{{ discovered_current_rules.stdout_lines }}"
-
-    - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count"
-      ansible.builtin.import_tasks:
-        file: warning_facts.yml
-
-# ---------------
-# ---------------
-# This is not a control however using the iptables module only writes to memery
-# if a reboot occurs that means changes can revert. This task will make the
-# above iptables settings permanent
-# ---------------
-# ---------------
-# - name: "Make IPTables persistent | Not a control"
-#   block:
-#       - name: "Make IPTables persistent | Install iptables-persistent"
-#         ansible.builtin.package:
-#             name: iptables-persistent
-#             state: present
-
-#       - name: "Make IPTables persistent | Save to persistent files"
-#         ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4"
-#         changed_when: discovered_iptables_save.rc == 0
-#         failed_when: discovered_iptables_save.rc > 0
-#         register: discovered_iptables_save
-#   when:
-#       - ubtu24cis_firewall_package == "iptables"
-#       - ubtu24cis_save_iptables_cis_rules
-#       - ubtu24cis_rule_4_4_1_1 or
-#         ubtu24cis_rule_4_4_1_2 or
-#         ubtu24cis_rule_4_4_1_3 or
-#         ubtu24cis_rule_4_4_1_4
-
-- name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy"
-  when:
-    - ubtu24cis_rule_4_4_1_1
-    - ubtu24cis_ipv6_required
-  tags:
-    - level1-server
-    - level1-workstation
-    - patch
-    - rule_4.4.1.1
-    - ip6tables
-  block:
-    - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out"
-      ansible.builtin.iptables:
-        chain: OUTPUT
-        protocol: tcp
-        source_port: 22
-        jump: ACCEPT
-        ctstate: 'NEW,ESTABLISHED'
-        ip_version: ipv6
-      notify: Ip6tables persistent
-
-    - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic"
-      ansible.builtin.iptables:
-        chain: INPUT
-        ctstate: 'ESTABLISHED'
-        jump: ACCEPT
-        ip_version: ipv6
-      notify: Ip6tables persistent
-
-    - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items"
-      ansible.builtin.iptables:
-        policy: DROP
-        chain: "{{ item }}"
-        ip_version: ipv6
-      notify: Ip6tables persistent
-      loop:
-        - INPUT
-        - FORWARD
-        - OUTPUT
-
-- name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured"
-  when:
-    - ubtu24cis_rule_4_4_1_2
-    - ubtu24cis_firewall_package == "iptables"
-    - ubtu24cis_ipv6_required
-    - not ubtu24cis_ipv4_required
-  tags:
-    - level1-server
-    - level1-workstation
-    - patch
-    - rule_4.4.1.2
-    - ip6tables
-  block:
-    - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT"
-      ansible.builtin.iptables:
-        action: append
-        chain: INPUT
-        in_interface: lo
-        jump: ACCEPT
-        ip_version: ipv6
-      notify: Ip6tables persistent
-
-    - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT"
-      ansible.builtin.iptables:
-        action: append
-        chain: OUTPUT
-        out_interface: lo
-        jump: ACCEPT
-        ip_version: ipv6
-      notify: Ip6tables persistent
-
-    - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop"
-      ansible.builtin.iptables:
-        action: append
-        chain: INPUT
-        source: ::1
-        jump: DROP
-        ip_version: ipv6
-      notify: Ip6tables persistent
-
-- name: "4.4.1.3 | PATCH | Ensure ip6tables outbound and established connections are configured"
-  when:
-    - ubtu24cis_rule_4_4_1_3
-    - ubtu24cis_firewall_package == "iptables"
-    - ubtu24cis_ipv6_required
-    - not ubtu24cis_ipv4_required
-  tags:
-    - level1-server
-    - level1-workstation
-    - patch
-    - rule_4.4.1.3
-    - ip6tables
-  ansible.builtin.iptables:
-    action: append
-    chain: '{{ item.chain }}'
-    protocol: '{{ item.protocol }}'
-    match: state
-    ctstate: '{{ item.ctstate }}'
-    jump: ACCEPT
-    ip_version: ipv6
-  notify: Ip6tables persistent
-  loop:
-    - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
-    - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
-    - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
-    - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' }
-    - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' }
-    - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' }
-
-- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports"
-  when:
-    - ubtu24cis_rule_4_4_1_4
-    - ubtu24cis_firewall_package == "iptables"
-    - ubtu24cis_ipv6_required
-    - not ubtu24cis_ipv4_required
-  tags:
-    - level1-server
-    - level1-workstation
-    - audit
-    - rule_4.4.1.4
-    - ip6tables
-  vars:
-    warn_control_id: '4.4.1.4'
-  block:
-    - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports"
-      ansible.builtin.command: ss -6tuln
-      changed_when: false
-      failed_when: false
-      check_mode: false
-      register: discovered_open_ports
-
-    - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules"
-      ansible.builtin.command: ip6tables -L INPUT -v -n
-      changed_when: false
-      failed_when: false
-      check_mode: false
-      register: discovered_current_rules
-
-    - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings"
-      ansible.builtin.debug:
-        msg:
-          - "Warning!! Below is the list the open ports and current rules"
-          - "Please create a rule for any open port that does not have a current rule"
-          - "Open Ports:"
-          - "{{ discovered_open_ports.stdout_lines }}"
-          - "Current Rules:"
-          - "{{ discovered_current_rules.stdout_lines }}"
-
-    - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count"
-      ansible.builtin.import_tasks:
-        file: warning_facts.yml
-
-# ---------------
-# ---------------
-# This is not a control however using the ip6tables module only writes to memery
-# if a reboot occurs that means changes can revert. This task will make the
-# above ip6tables settings permanent
-# ---------------
-# ---------------
-# via handler
-# - name: "Make IP6Tables persistent | Not a control"
-#   block:
-#       - name: "Make IP6Tables persistent | Install iptables-persistent"
-#         ansible.builtin.package:
-#             name: iptables-persistent
-#             state: present
-#         when: "'iptables-persistent' not in ansible_facts.packages"
-
-#       - name: "Make IP6Tables persistent | Save to persistent files"
-#         ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6"
-#         changed_when: discovered_ip6tables_save.rc == 0
-#         failed_when: discovered_ip6tables_save.rc > 0
-#         register: discovered_ip6tables_save
-#   when:
-#       - ubtu24cis_firewall_package == "iptables"
-#       - ubtu24cis_ipv6_required
-#       - not ubtu24cis_ipv4_required
-#       - ubtu24cis_save_iptables_cis_rules
-#       - ubtu24cis_rule_4_4_1_1 or
-#         ubtu24cis_rule_4_4_1_2 or
-#         ubtu24cis_rule_4_4_1_3 or
-#         ubtu24cis_rule_4_4_1_4

tasks/section_4/main.yml

@@ -15,7 +15,7 @@
     file: cis_4.3.x.yml
 
 - name: "SECTION | 4.4.1.x | Configure iptables software"
-  when: ubtu24cis_firewall_package == "nftables"
+  when: ubtu24cis_firewall_package == "iptables"
   ansible.builtin.import_tasks:
     file: cis_4.4.1.x.yml
 

tasks/section_5/cis_5.1.x.yml

@@ -187,7 +187,7 @@
     - NIST800-53R5_CM-6
     - NIST800-53R5_CM-7
     - NIST800-53R5_IA-5
-    - sshdd
+    - sshd
   ansible.builtin.lineinfile:
     path: /etc/ssh/sshd_config
     regexp: "{{ item.regexp }}"

tasks/section_5/cis_5.4.1.x.yml

@@ -130,13 +130,13 @@
     - login
   block:
     - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | General setting"
-      ansible.builtin.command: useradd -D | grep INACTIVE | cut -d= -f2
+      ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2
       changed_when: false
       failed_when: false
       register: discovered_passwd_inactive_setting
 
     - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured| Set inactive period for new users"
-      when: discovered_passwd_inactive_setting.stdout != ubtu24cis_pass_inactive | string
+      when: discovered_passwd_inactive_setting.stdout != (ubtu24cis_pass_inactive | string)
       ansible.builtin.command: useradd -D -f {{ ubtu24cis_pass_inactive }}
       failed_when: false
       changed_when: true

tasks/section_5/cis_5.4.3.x.yml

@@ -34,7 +34,7 @@
     state: "{{ item.state }}"
     marker: "# {mark} - CIS benchmark - Ansible-lockdown"
     create: true
-    mode: 'go-r'
+    mode: 'go-wx'
     block: |
       TMOUT={{ ubtu24cis_shell_session_timeout }}
       readonly TMOUT
@@ -54,10 +54,20 @@
     - rule_5.4.3.3
     - NIST800-53R5_AC-3
     - NIST800-53R5_MP-2
-  ansible.builtin.replace:
-    path: "{{ item.path }}"
-    regexp: (?i)(umask\s+\d\d\d)
-    replace: '{{ item.line }} {{ ubtu24cis_bash_umask }}'
-  loop:
-    - { path: '/etc/profile', line: 'umask' }
-    - { path: '/etc/login.defs', line: 'UMASK' }
+  block:
+    - name: "5.4.3.3 | PATCH | Ensure default user umask is configured | update current settings"
+      ansible.builtin.replace:
+        path: "{{ item.path }}"
+        regexp: (?i)(umask\s+\d\d\d)
+        replace: '{{ item.line }} {{ ubtu24cis_bash_umask }}'
+      loop:
+        - { path: '/etc/profile', line: 'umask' }
+        - { path: '/etc/login.defs', line: 'UMASK' }
+
+    - name: "5.4.3.3 | PATCH | Ensure default user umask is configured | add profile script to set"
+      ansible.builtin.template:
+        src: etc/profile.d/50-umask.sh.j2
+        dest: /etc/profile.d/50-umask.sh
+        owner: root
+        group: root
+        mode: 'go+r,go-wx'

tasks/section_6/cis_6.1.3.8.yml

@@ -1,7 +1,9 @@
 ---
 
 - name: "6.1.3.8 | PATCH | Ensure logrotate is configured"
-  when: ubtu24cis_rule_6_1_3_8
+  when:
+    - ubtu24cis_rule_6_1_3_8
+    - "'logrotate' in ansible_facts.packages"
   tags:
     - level1-server
     - level1-workstation

tasks/section_6/cis_6.2.1.x.yml

@@ -30,7 +30,7 @@
     - NIST800-53R5_AU-3
     - NIST800-53R5_AU-12
     - auditd
-  ansible.builtin.service:
+  ansible.builtin.systemd_service:
     name: auditd
     state: started
     enabled: true

tasks/section_6/cis_6.2.3.x.yml

@@ -277,3 +277,4 @@
     - auditd
   ansible.builtin.command: augenrules --check
   changed_when: false
+  register: discovered_augenrules_check

tasks/section_7/cis_7.2.x.yml

@@ -309,7 +309,7 @@
     warn_control_id: '7.2.10'
   block:
     - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Check for files"
-      ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w
+      ansible.builtin.shell: find /home/ /root/ -name "\.*" -type f -perm /u+x,g+wx,o+wx
       changed_when: false
       failed_when: discovered_homedir_dot_files.rc not in [ 0, 1 ]
       check_mode: false
@@ -336,5 +336,5 @@
         - ubtu24cis_dotperm_ansiblemanaged
       ansible.builtin.file:
         path: '{{ item }}'
-        mode: 'go-w'
+        mode: 'u-x,go-wx'
       with_items: "{{ discovered_homedir_dot_files.stdout_lines }}"

templates/ansible_vars_goss.yml.j2

@@ -484,7 +484,7 @@ ubtu24cis_apparmor_disable: {{ ubtu24cis_apparmor_disable }}
 # THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!!
 # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
 ubtu24cis_grub_user: {{ ubtu24cis_grub_user }}
-ubtu24cis_bootloader_password_hash: {{ grub_user_pass }}  # pragma: allowlist secret
+ubtu24cis_bootloader_password_hash: {{ ubtu24cis_bootloader_password_hash }}  # pragma: allowlist secret
 
 ## Controls 1.5.x
 
@@ -580,7 +580,7 @@ ubtu24cis_ftp_client: {{ ubtu24cis_ftp_client }}
 ## Control 2.3.1.1
 # This variable choses the tool used for time synchronization
 # The two options are `chrony`and `systemd-timesyncd`.
-ubtu24cis_time_sync_tool: "systemd-timesyncd"
+ubtu24cis_time_sync_tool: {{ ubtu24cis_time_sync_tool }}
 
 ## Controls 2.3.x - Configure time pools & servers for chrony and timesyncd
 # The following variable represents a list of of time server pools used
@@ -588,7 +588,7 @@ ubtu24cis_time_sync_tool: "systemd-timesyncd"
 # Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`.
 # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
 # of the time synchronization mechanism you are using.
-ubtu24cis_time_pool_name:
+ubtu24cis_time_pool:
 {% for pool in ubtu24cis_time_pool %}
 - name: {{ pool.name }}
   options: {{ pool.options }}
@@ -733,6 +733,9 @@ ubtu24_varlog_location: {{ ubtu24cis_sudo_logfile }}
 
 # Section 6
 
+# This variable specifies the address of the remote log host where logs are being sent.
+ubtu24cis_remote_log_server: {{ ubtu24cis_remote_log_server }}
+
 # 6.1.2
 
 # AIDE

templates/audit/99_auditd.rules.j2

@@ -10,22 +10,41 @@
 -w /etc/sudoers.d -p wa -k scope
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_2 %}
--a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
--a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
+{% set syscalls = ["execve"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
+-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_3 %}
 -w {{ ubtu24cis_sudo_logfile }} -p wa -k sudo_log_file
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_4 %}
--a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
--a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
--a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change
--a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change
+{% set syscalls = ["adjtimex","settimeofday","clock_settime"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change
 -w /etc/localtime -p wa -k time-change
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_5 %}
--a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
--a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
+{% set syscalls = ["sethostname","setdomainname"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }}  -k system-locale
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }}  -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
@@ -41,10 +60,17 @@
 {% endif %}
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_7 %}
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+{% set syscalls = ["creat","open","openat","truncate","ftruncate"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_8 %}
 -w /etc/group -p wa -k identity
@@ -57,16 +83,65 @@
 -w /etc/pam.d -p wa -k identity
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_9 %}
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
--a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod
--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
--a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod
--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["chmod","fchmod","fchmodat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["etxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["chmod","fchmod","fchmodat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
+{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_10 %}
--a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts
--a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
+{% set syscalls = ["mount"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k mounts
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k mounts
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_11 %}
 -w /var/run/utmp -p wa -k session
@@ -78,8 +153,15 @@
 -w /var/run/faillock -p wa -k logins
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_13 %}
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
+{% set syscalls = ["unlink","unlinkat","rename","renameat"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k delete
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k delete
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_14 %}
 -w /etc/apparmor/ -p wa -k MAC-policy
@@ -99,7 +181,14 @@
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_19 %}
 -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -k kernel_modules
--a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=-1 -k kernel_modules
+{% set syscalls = ["init_module","finit_module","delete_module"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append( syscall) }}
+{% endif %}
+{% endfor %}
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=-1 -k kernel_modules
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_20 %}
 -e 2

templates/etc/profile.d/50-umask.sh.j2

@@ -0,0 +1,7 @@
+## Ansible controlled file
+# Added as part of ansible-lockdown CIS baseline
+# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
+
+# Set umask with highest precedence
+
+umask 027