Merge e5d2bc840a into ffba24432a

May 25 updates

README.md

@@ -24,6 +24,7 @@
 ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/UBUNTU24-CIS?label=Open%20Issues)
 ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/UBUNTU24-CIS?label=Closed%20Issues&&color=success)
 ![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/UBUNTU24-CIS?label=Pull%20Requests)
+[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](https://github.com/pre-commit/pre-commit)
 
 ![License](https://img.shields.io/github/license/ansible-lockdown/UBUNTU24-CIS?label=License)
 

handlers/main.yml

@@ -21,6 +21,7 @@
   listen: "Remount /tmp"
 
 - name: "Remounting /tmp systemd"
+  when: ubtu24cis_tmp_svc
   vars:
     mount_point: '/tmp'
   ansible.builtin.systemd:

tasks/main.yml

@@ -38,7 +38,9 @@
         sudo_password_rule: ubtu24cis_rule_5_2_4  # pragma: allowlist secret
 
 - name: Ensure root password is set
-  when: ubtu24cis_rule_5_4_2_4
+  when:
+    - ubtu24cis_section5
+    - ubtu24cis_rule_5_4_2_4
   tags: always
   block:
     - name: Ensure root password is set

tasks/section_1/cis_1.1.2.4.x.yml

@@ -22,12 +22,12 @@
       register: discovered_var_mount
 
     - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent"
-      when: discovered_dev_shm_mount is undefined
+      when: discovered_var_mount is undefined
       ansible.builtin.debug:
         msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
 
     - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present"
-      when: discovered_dev_shm_mount is undefined
+      when: discovered_var_mount is undefined
       ansible.builtin.import_tasks:
         file: warning_facts.yml
 

tasks/section_1/cis_1.2.2.x.yml

@@ -10,7 +10,7 @@
     - NIST800-53R5_SI-2
     - patch
   block:
-    - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installedi | Update"
+    - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed | Update"
       ansible.builtin.package:
         name: "*"
         state: latest

tasks/section_2/cis_2.1.x.yml

@@ -672,7 +672,7 @@
     - rule_2.1.21
     - NIST800-53R5_CM-7
   vars:
-    warn_control_id: '2.2.21'
+    warn_control_id: '2.1.21'
   block:
     - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if exim4 installed"
       when: "'exim4' in ansible_facts.packages"

tasks/section_2/cis_2.3.3.x.yml

@@ -15,9 +15,9 @@
       ansible.builtin.template:
         src: "{{ item }}.j2"
         dest: "/{{ item }}"
-        mode: 'go-r'
+        mode: 'g=r,o-rwx'
         owner: root
-        group: root
+        group: "{% if ubtu24cis_rule_2_3_3_2 %}_chrony{% else %}root{% endif %}"
       loop:
         - etc/chrony/sources.d/pool.sources
         - etc/chrony/sources.d/server.sources

tasks/section_2/cis_2.4.1.x.yml

@@ -154,5 +154,5 @@
       ansible.builtin.file:
         path: /etc/cron.allow
         owner: root
-        group: root
+        group: '{{ (discovered_cron_allow_status.stat.gr_name == "crontab") | ternary(omit,"root") }}'
         mode: 'u-x,g-wx,o-rwx'