.github/workflows/devel_pipeline_validation.yml

@@ -7,7 +7,6 @@
         types: [opened, reopened, synchronize]
         branches:
             - devel
-            - benchmark*
         paths:
             - '**.yml'
             - '**.sh'
@@ -71,6 +70,7 @@
                  echo IAC_BRANCH=main >> $GITHUB_ENV
               fi
 
+
           # Pull in terraform code for linux servers
           - name: Clone GitHub IaC plan
             uses: actions/checkout@v4

.github/workflows/main_pipeline_validation.yml

@@ -7,7 +7,6 @@
         types: [opened, reopened, synchronize]
         branches:
             - main
-            - latest
         paths:
             - '**.yml'
             - '**.sh'
@@ -24,6 +23,17 @@
   # A workflow run is made up of one or more jobs
   # that can run sequentially or in parallel
   jobs:
+    # This will create messages for first time contributers and direct them to the Discord server
+      welcome:
+        runs-on: self-hosted
+
+        steps:
+            - uses: actions/first-interaction@main
+              with:
+                repo-token: ${{ secrets.GITHUB_TOKEN }}
+                pr-message: |-
+                    Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+                    Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
       # This workflow contains a single job that tests the playbook
       playbook-test:

.gitignore

@@ -43,6 +43,3 @@ benchparse/
 
 # GitHub Action/Workflow files
 .github/
-
-# ansible-lint cache
-.ansible/

.pre-commit-config.yaml

@@ -41,12 +41,12 @@ repos:
   - id: detect-secrets
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.24.3
+  rev: v8.21.2
   hooks:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.2.1
+  rev: v24.10.0
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -65,7 +65,7 @@ repos:
     # - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.37.0  # or higher tag
+  rev: v1.35.1  # or higher tag
   hooks:
   - id: yamllint
     name: Check YAML Lint

defaults/main.yml

@@ -21,10 +21,6 @@ skip_reboot: true
 benchmark: UBUNTU24-CIS
 benchmark_version: v1.0.0
 
-# Create managed not custom local_facts files
-create_benchmark_facts: true
-ansible_facts_path: /etc/ansible/facts.d
-
 # Used for audit
 ubtu24cis_level_1: true
 ubtu24cis_level_2: true
@@ -106,18 +102,6 @@ audit_conf_dest: "/opt"
 # Where the audit logs are stored
 audit_log_dir: '/opt'
 
-# Method of getting,uploading the summary files
-## Enable the collection of audit files
-fetch_audit_output: false
-## Ensure access and permissions are available for these to occur.
-## options are
-# fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller)
-# copy - copies file to a location available to the managed node
-audit_output_collection_method: fetch
-
-# Location to put the audit files
-audit_output_destination: /opt/audit_summaries/
-
 ### Goss Settings ##
 ####### END ########
 
@@ -642,10 +626,6 @@ ubtu24cis_desktop_required: false
 # This will also purge any packages not removed via this playbook
 ubtu24cis_purge_apt: false
 
-## Ignore change_when for apt update task
-# Modifies behavior of 'changed_when' for 'apt update' task  in prelim that always changes
-ubtu24cis_ignore_apt_update_changed_when: false
-
 ##
 ## Section 1 Control Variables
 ##
@@ -667,7 +647,6 @@ ubtu24cis_tmp_svc: false
 # The following variables are related to the set of rules from section 1.6.1.x
 
 ## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode
-control_1_3_1_4_was_run: false
 
 # This variable disables the implementation of rules 1.3.1.3 and 1.3.1.4
 # regarding enforcing profiles or putting them in complain mode
@@ -686,6 +665,7 @@ ubtu24cis_apparmor_mode: complain
 # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
 ubtu24cis_grub_user: root
 ubtu24cis_set_grub_user_pass: false
+ubtu24cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6'  # Set to changeme
 ubtu24cis_grub_user_file: /etc/grub.d/00_user
 ubtu24cis_bootloader_password_hash: "grub.pbkdf2.sha512.changethispassword"  # pragma: allowlist secret
 ubtu24cis_set_boot_pass: false
@@ -1089,9 +1069,6 @@ ubtu24cis_shell_session_file: /etc/profile.d/tmout.sh
 # journald or rsyslog
 ubtu24cis_syslog_service: 'journald'
 
-# Enable rsyslog logging to be managed by ansible
-ubtu24cis_rsyslog_ansible_managed: true
-
 ## Controls 6.1.1.x journald
 
 # This variable specifies the address of the remote log host where logs are being sent.
@@ -1130,12 +1107,7 @@ ubtu24cis_journald_runtimekeepfree: "#RuntimeKeepFree="
 # ATTENTION: Uncomment the keyword below when values are set!
 ubtu24cis_journald_maxfilesec: "#MaxFileSec="
 
-# 6.1.3.8 LOGRotate
+# 6.1.3.8
-# Optional to alow logrotate to be installed
-# While it is required for 6.1.3.8 its not installed by default on minimal image
-# or required for CIS to be installed, but in order to achieve ability to install has been added
-ubtu24cis_logrotate_pkg_install: false
-
 # ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation
 # To conform to CIS standards this just needs to comply with your site policy
 ubtu24cis_logrotate: "daily"

handlers/main.yml

@@ -237,11 +237,11 @@
   changed_when: true
 
 - name: Auditd rules reload
-  when: ('"No change" not in discovered_augenrules_check.stdout') or prelim_auditd_immutable_check.rc == 1
+  when:
+    - not prelim_auditd_immutable_check or
+      '"No change" not in ubtu24cis_rule_6_2_3_21_grep -iR augen_check.stdout'
   ansible.builtin.command: augenrules --load
   changed_when: true
-  failed_when: discovered_augenrule_load.rc not in [ 0, 1 ]
-  register: discovered_augenrule_load
 
 - name: Audit_immutable_fact
   when:
@@ -257,7 +257,7 @@
   listen: Restart auditd
 
 - name: Start auditd process
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: auditd
     state: started
   listen: Restart auditd

tasks/LE_audit_setup.yml

@@ -8,7 +8,7 @@
         audit_pkg_arch_name: AMD64
 
     - name: Pre Audit Setup | Set audit package name | ARM64
-      when: (ansible_facts.machine == "arm64" or ansible_facts.machine == "aarch64")
+      when: ansible_facts.machine == "arm64"
       ansible.builtin.set_fact:
         audit_pkg_arch_name: ARM64
 

tasks/audit_only.yml

@@ -10,6 +10,14 @@
   delegate_to: localhost
   become: false
 
+- name: Audit_only | Get audits from systems and put in group dir
+  when: fetch_audit_files
+  ansible.builtin.fetch:
+    dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
+    flat: true
+    mode: 'go-wx'
+    src: "{{ pre_audit_outfile }}"
+
 - name: Audit_only | Show Audit Summary
   when: audit_only
   ansible.builtin.debug:

tasks/auditd.yml

@@ -1,18 +1,7 @@
 ---
 
-# Since auditd rules are dependent on syscalls and syscall tables are architecture specific,
-# we need to update the auditd rules depending on the architecture of the system.
-# This task passed the syscalls table to the auditd template and updates the auditd rules
-- name: "POST | AUDITD | Set supported_syscalls variable"
-  ansible.builtin.shell: ausyscall --dump |  awk  '{print $2}'
-  changed_when: false
-  failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ]
-  register: discovered_auditd_syscalls
-
 - name: "POST | AUDITD | Apply auditd template for section 6.2.4.x"
   when: update_audit_template
-  vars:
-    supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}"
   ansible.builtin.template:
     src: audit/99_auditd.rules.j2
     dest: /etc/audit/rules.d/99_auditd.rules

tasks/fetch_audit_output.yml

@@ -1,46 +0,0 @@
----
-
-# Stage to copy audit output to a centralised location
-
-- name: "POST | FETCH | Fetch files and copy to controller"
-  when: audit_output_collection_method == "fetch"
-  ansible.builtin.fetch:
-    src: "{{ item }}"
-    dest: "{{ audit_output_destination }}"
-    flat: true
-  failed_when: false
-  register: discovered_audit_fetch_state
-  loop:
-    - "{{ pre_audit_outfile }}"
-    - "{{ post_audit_outfile }}"
-  become: false
-
-# Added this option for continuity but could be changed by adjusting the variable audit_conf_dest
-# Allowing backup to one location
-- name: "POST | FETCH | Copy files to location available to managed node"
-  when: audit_output_collection_method == "copy"
-  ansible.builtin.copy:
-    src: "{{ item }}"
-    dest: "{{ audit_output_destination }}"
-    mode: 'u-x,go-wx'
-    flat: true
-  failed_when: false
-  register: discovered_audit_copy_state
-  loop:
-    - "{{ pre_audit_outfile }}"
-    - "{{ post_audit_outfile }}"
-
-- name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
-  when:
-    - (audit_output_collection_method == "fetch" and not discovered_audit_fetch_state.changed) or
-      (audit_output_collection_method == "copy" and not discovered_audit_copy_state.changed)
-  block:
-    - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
-      ansible.builtin.debug:
-        msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy"
-
-    - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
-      vars:
-        warn_control_id: "FETCH_AUDIT_FILES"
-      ansible.builtin.import_tasks:
-        file: warning_facts.yml

tasks/main.yml

@@ -62,11 +62,35 @@
     that: ubtu24cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu24cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
     msg: "This role will not be able to run single user password commands as ubtu24cis_bootloader_password_hash variable has not been set correctly"
 
+- name: Check ubtu24cis_grub_user password variable has been changed
+  when: ubtu24cis_rule_1_4_1
+  tags: always
+  block:
+    - name: Check ubtu24cis_grub_user password variable has been changed | check password is set
+      ansible.builtin.shell: "grep ^{{ ubtu24cis_grub_user }} /etc/shadow | awk -F : '{print $2}'"
+      changed_when: false
+      register: ubtu24cis_password_set_grub_user
+
+    - name: Check ubtu24cis_grub_user password variable has been changed | check password is set
+      when:
+        - "'$y$' in ubtu24cis_password_set_grub_user.stdout"
+        - ubtu24cis_set_grub_user_pass
+        - ubtu24cis_rule_1_4_1
+      ansible.builtin.assert:
+        that: ubtu24cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu24cis_grub_user_passwd.find('$y$') != -1 and ubtu24cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6'
+        msg: "This role will not set the {{ ubtu24cis_grub_user }} user password is not set or ubtu24cis_grub_user_passwd variable has not been set correctly"
+
+    - name: Check ubtu24cis_grub_user password variable has been changed | if password blank or incorrect type and not being set
+      when: not ubtu24cis_set_grub_user_pass
+      ansible.builtin.assert:
+        that: ( ubtu24cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu24cis_password_set_grub_user.stdout
+        fail_msg: "Grub User {{ ubtu24cis_grub_user }} has no password set or incorrect encryption"
+        success_msg: "Grub User {{ ubtu24cis_grub_user }} has a valid password set to be used in single user mode"
+
 - name: Setup rules if container
   when:
     - ansible_connection == 'docker' or
-      (ansible_facts.virtualization_type is defined and
+      ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
-       ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"])
   tags: always
   block:
     - name: Discover and set container variable if required
@@ -170,39 +194,6 @@
   ansible.builtin.import_tasks:
     file: post_remediation_audit.yml
 
-- name: Add ansible file showing Benchmark and levels applied if audit details not present
-  when:
-    - create_benchmark_facts
-    - (post_audit_summary is defined) or
-      (ansible_local['compliance_facts']['lockdown_audit_details']['audit_summary'] is undefined and post_audit_summary is undefined)
-  tags:
-    - always
-    - benchmark
-  block:
-    - name: Create ansible facts directory if audit facts not present
-      ansible.builtin.file:
-        path: "{{ ansible_facts_path }}"
-        state: directory
-        owner: root
-        group: root
-        mode: 'u=rwx,go=rx'
-
-    - name: Create ansible facts file and levels applied if audit facts not present
-      ansible.builtin.template:
-        src: etc/ansible/compliance_facts.j2
-        dest: "{{ ansible_facts_path }}/compliance_facts.fact"
-        owner: root
-        group: root
-        mode: 'u-x,go=r'
-
-- name: Fetch audit files
-  when:
-    - fetch_audit_output
-    - run_audit
-  tags: always
-  ansible.builtin.import_tasks:
-    file: fetch_audit_output.yml
-
 - name: Show Audit Summary
   when: run_audit
   tags: run_audit

tasks/prelim.yml

@@ -7,7 +7,7 @@
   changed_when: false
 
 - name: "PRELIM | AUDIT | Register if snap being used"
-  when: ubtu24cis_rule_1_1_1_7
+  when: ubtu24cis_rule_1_1_1_6
   tags: always
   ansible.builtin.shell: df -h | grep -wc "/snap"
   changed_when: false
@@ -15,7 +15,7 @@
   register: prelim_snap_pkg_mgr
 
 - name: "PRELIM | AUDIT | Register if squashfs is built into the kernel"
-  when: ubtu24cis_rule_1_1_1_7
+  when: ubtu24cis_rule_1_1_1_6
   tags: always
   ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs"
   changed_when: false
@@ -51,12 +51,6 @@
       ansible.builtin.debug:
         msg: "{{ prelim_mount_point_fs_and_options }}"
 
-- name: "PRELIM | PATCH | Run apt update"
-  tags: always
-  ansible.builtin.package:
-    update_cache: true
-  changed_when: not ubtu24cis_ignore_apt_update_changed_when
-
 - name: Include audit specific variables
   when:
     - run_audit or audit_only
@@ -76,6 +70,14 @@
   ansible.builtin.import_tasks:
     file: pre_remediation_audit.yml
 
+- name: "PRELIM | PATCH | Run apt update"
+  when:
+    - ubtu24cis_rule_1_2_1_1 or
+      ubtu24cis_rule_1_2_2_1
+  tags: always
+  ansible.builtin.package:
+    update_cache: true
+
 - name: "PRELIM | AUDIT | Wireless adapter pre-requisites"
   when:
     - ubtu24cis_rule_3_1_2
@@ -150,41 +152,6 @@
         max_int_uid: "{{ prelim_uid_max_id.stdout }}"
         min_int_gid: "{{ prelim_gid_min_id.stdout }}"
 
-- name: "PRELIM | AUDIT | Capture pam configs related files"
-  tags: always
-  ansible.builtin.find:
-    paths:
-      - '/usr/share/pam-configs/'
-      - '/etc/pam.d/'
-  register: prelim_pam_conf_files
-
-- name: PRELIM | PATCH | Ensure conf.d directory exists required for 5.3.3.2.x
-  when:
-    - ubtu24cis_rule_5_3_3_2_1 or
-      ubtu24cis_rule_5_3_3_2_6
-  tags: always
-  ansible.builtin.file:
-    path: "{{ item.path }}"
-    state: "{{ item.state }}"
-    owner: root
-    group: root
-    mode: 'g-w,o-rwx'
-    modification_time: preserve
-    access_time: preserve
-  register: prelim_pwquality_dummy
-  changed_when: prelim_pwquality_dummy.diff == "absent"
-  loop:
-    - { path: '/etc/security/pwquality.conf.d', state: 'directory' }
-    - { path: '/etc/security/pwquality.conf.d/cis_dummy.conf', state: 'touch' }
-
-- name: "PRELIM | AUDIT | Capture pam security related files"
-  tags: always
-  ansible.builtin.find:
-    paths:
-      - /etc/security/pwquality.conf.d/
-    patterns: '*.conf'
-  register: prelim_pam_pwquality_confs
-
 - name: "PRELIM | AUDIT | Interactive Users"
   tags: always
   ansible.builtin.shell: >
@@ -251,7 +218,7 @@
 - name: "PRELIM | AUDIT | Check if auditd is immutable before changes"
   when: "'auditd' in ansible_facts.packages"
   tags: always
-  ansible.builtin.shell: auditctl -s | grep "enabled 2"
+  ansible.builtin.shell: auditctl -l | grep -c '-e 2'
   changed_when: false
   failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ]
   register: prelim_auditd_immutable_check
@@ -265,7 +232,6 @@
   tags: always
   ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'"
   changed_when: false
-  check_mode: false
   failed_when: prelim_auditd_logfile.rc not in [ 0, 1 ]
   register: prelim_auditd_logfile
 
@@ -278,22 +244,6 @@
     name: acl
     state: present
 
-- name: "PRELIM | PATCH | Install cron"
-  when: ubtu24cis_rule_2_4_1_1
-  tags: always
-  ansible.builtin.package:
-    name: cron
-    state: present
-
-- name: "PRELIM | PATCH | Install UFW"
-  when:
-    - ubtu24cis_rule_2_4_1_1
-    - ubtu24cis_firewall_package == "ufw"
-  tags: always
-  ansible.builtin.package:
-    name: ufw
-    state: present
-
 ## Optional
 
 - name: "Optional | PATCH | UFW firewall force to use /etc/sysctl.conf settings"
@@ -306,11 +256,3 @@
     regexp: ^IPT_SYSCTL=.*
     line: IPT_SYSCTL=/etc/sysctl.conf
     mode: 'u-x,go-wx'
-
-- name: "OPTIONAL | PATCH | Install Logrotate if missing"
-  when:
-    - ubtu24cis_rule_6_1_3_8
-    - ubtu24cis_logrotate_pkg_install
-  ansible.builtin.package:
-    name: logrotate
-    state: present

tasks/section_1/cis_1.2.2.x.yml

@@ -9,14 +9,6 @@
     - rule_1.2.2.1
     - NIST800-53R5_SI-2
     - patch
-  block:
-    - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installedi | Update"
   ansible.builtin.package:
     name: "*"
     state: latest
-      register: discovered_pkg_updates
-
-    # Resetting connection as ssh stops if patched reset connection kickstarts it
-    - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed | reset ansible connection if ssh updated"
-      when: "'openssh-server' in discovered_pkg_updates.stdout"
-      ansible.builtin.meta: reset_connection

tasks/section_1/cis_1.4.x.yml

@@ -18,7 +18,7 @@
         dest: "{{ ubtu24cis_grub_user_file }}"
         owner: root
         group: root
-        mode: '0755'
+        mode: 'go-w'
       notify: Grub update
 
     - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot"

tasks/section_2/cis_2.1.x.yml

@@ -46,7 +46,7 @@
       when:
         - not ubtu24cis_avahi_server
         - not ubtu24cis_avahi_mask
-        - "'avahi' in ansible_facts.packages or 'avahi-autoipd' in ansible_facts.packages"
+        - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages"
       ansible.builtin.package:
         name:
           - avahi-autoipd
@@ -699,7 +699,7 @@
       notify: Restart postfix
       ansible.builtin.lineinfile:
         path: /etc/postfix/main.cf
-        regexp: '^(#)?inet_interfaces\s*=(?!\s*loopback-only\s*).*'
+        regexp: '^(#)?inet_interfaces'
         line: 'inet_interfaces = loopback-only'
 
     - name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | Message out other main agents"

tasks/section_2/cis_2.3.1.x.yml

@@ -26,4 +26,14 @@
       loop:
         - chrony
         - ntp
-        - systemd-timesyncd
+
+    - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use | mask service"
+      when:
+        - ubtu24cis_time_sync_tool != "systemd-timesyncd"
+        - "'systemd-timesyncd' in ansible_facts.packages"
+      ansible.builtin.service:
+        name: systemd-timesyncd
+        state: stopped
+        enabled: false
+        masked: true
+        daemon_reload: true

tasks/section_2/cis_2.3.2.x.yml

@@ -23,7 +23,7 @@
       ansible.builtin.template:
         src: "{{ item }}.j2"
         dest: "/{{ item }}"
-        mode: 'go-wx'
+        mode: 'go-r'
         owner: root
         group: root
       loop:

tasks/section_2/cis_2.3.3.x.yml

@@ -58,3 +58,19 @@
         name: chrony
         state: started
         enabled: true
+
+    - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | timesyncd"
+      when: "'systemd-timesyncd' in ansible_facts.packages"
+      ansible.builtin.systemd:
+        name: systemd-timesyncd
+        state: stopped
+        enabled: false
+        masked: true
+
+    - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | ntpd"
+      when: "'ntpd' in ansible_facts.packages"
+      ansible.builtin.systemd:
+        name: ntpd
+        state: stopped
+        enabled: false
+        masked: true

tasks/section_4/cis_4.4.1.x.yml

@@ -48,3 +48,365 @@
   ansible.builtin.package:
     name: ufw
     state: absent
+
+- name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy"
+  when:
+    - ubtu24cis_rule_4_4_1_1
+    - ubtu24cis_ipv4_required
+    - not system_is_ec2
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - rule_4.4.1.1
+    - iptables
+  block:
+    - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in"
+      ansible.builtin.iptables:
+        chain: INPUT
+        protocol: tcp
+        destination_port: 22
+        jump: ACCEPT
+        ctstate: 'NEW,ESTABLISHED'
+      notify: Iptables persistent
+
+    - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out"
+      ansible.builtin.iptables:
+        chain: OUTPUT
+        protocol: tcp
+        source_port: 22
+        jump: ACCEPT
+        ctstate: 'NEW,ESTABLISHED'
+      notify: Iptables persistent
+
+    - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic"
+      ansible.builtin.iptables:
+        chain: INPUT
+        ctstate: 'ESTABLISHED'
+        jump: ACCEPT
+      notify: Iptables persistent
+
+    - name: "4.4.1.1 | PATCH | Ensure iptables default deny firewall policy | Set drop items"
+      ansible.builtin.iptables:
+        policy: DROP
+        chain: "{{ item }}"
+      notify: Iptables persistent
+      with_items:
+        - INPUT
+        - FORWARD
+        - OUTPUT
+
+- name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured"
+  when:
+    - ubtu24cis_rule_4_4_1_2
+    - ubtu24cis_firewall_package == "iptables"
+    - ubtu24cis_ipv4_required
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - rule_4.4.1.2
+    - iptables
+  block:
+    - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT"
+      ansible.builtin.iptables:
+        action: append
+        chain: INPUT
+        in_interface: lo
+        jump: ACCEPT
+      notify: Iptables persistent
+
+    - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT"
+      ansible.builtin.iptables:
+        action: append
+        chain: OUTPUT
+        out_interface: lo
+        jump: ACCEPT
+      notify: Iptables persistent
+
+    - name: "4.4.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT"
+      ansible.builtin.iptables:
+        action: append
+        chain: INPUT
+        source: 127.0.0.0/8
+        jump: DROP
+      notify: Iptables persistent
+
+- name: "4.4.1.3 | PATCH | Ensure iptables outbound and established connections are configured"
+  when:
+    - ubtu24cis_rule_4_4_1_3
+    - ubtu24cis_firewall_package == "iptables"
+    - ubtu24cis_ipv4_required
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - rule_4.4.1.3
+    - iptables
+  ansible.builtin.iptables:
+    action: append
+    chain: '{{ item.chain }}'
+    protocol: '{{ item.protocol }}'
+    match: state
+    ctstate: '{{ item.ctstate }}'
+    jump: ACCEPT
+  notify: Iptables persistent
+  with_items:
+    - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
+    - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
+    - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
+    - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' }
+    - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' }
+    - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' }
+
+- name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports"
+  when:
+    - ubtu24cis_rule_4_4_1_4
+    - ubtu24cis_firewall_package == "iptables"
+    - ubtu24cis_ipv4_required
+  tags:
+    - level1-server
+    - level1-workstation
+    - audit
+    - rule_4.4.1.4
+    - iptables
+  vars:
+    warn_control_id: '4.4.1.4'
+  block:
+    - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports"
+      ansible.builtin.command: ss -4tuln
+      changed_when: false
+      failed_when: false
+      check_mode: false
+      register: discovered_open_ports
+
+    - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules"
+      ansible.builtin.command: iptables -L INPUT -v -n
+      changed_when: false
+      failed_when: false
+      check_mode: false
+      register: discovered_current_rules
+
+    - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings"
+      ansible.builtin.debug:
+        msg:
+          - "Warning!! Below is the list the open ports and current rules"
+          - "Please create a rule for any open port that does not have a current rule"
+          - "Open Ports:"
+          - "{{ discovered_open_ports.stdout_lines }}"
+          - "Current Rules:"
+          - "{{ discovered_current_rules.stdout_lines }}"
+
+    - name: "4.4.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
+
+# ---------------
+# ---------------
+# This is not a control however using the iptables module only writes to memery
+# if a reboot occurs that means changes can revert. This task will make the
+# above iptables settings permanent
+# ---------------
+# ---------------
+# - name: "Make IPTables persistent | Not a control"
+#   block:
+#       - name: "Make IPTables persistent | Install iptables-persistent"
+#         ansible.builtin.package:
+#             name: iptables-persistent
+#             state: present
+
+#       - name: "Make IPTables persistent | Save to persistent files"
+#         ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4"
+#         changed_when: discovered_iptables_save.rc == 0
+#         failed_when: discovered_iptables_save.rc > 0
+#         register: discovered_iptables_save
+#   when:
+#       - ubtu24cis_firewall_package == "iptables"
+#       - ubtu24cis_save_iptables_cis_rules
+#       - ubtu24cis_rule_4_4_1_1 or
+#         ubtu24cis_rule_4_4_1_2 or
+#         ubtu24cis_rule_4_4_1_3 or
+#         ubtu24cis_rule_4_4_1_4
+
+- name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy"
+  when:
+    - ubtu24cis_rule_4_4_1_1
+    - ubtu24cis_ipv6_required
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - rule_4.4.1.1
+    - ip6tables
+  block:
+    - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out"
+      ansible.builtin.iptables:
+        chain: OUTPUT
+        protocol: tcp
+        source_port: 22
+        jump: ACCEPT
+        ctstate: 'NEW,ESTABLISHED'
+        ip_version: ipv6
+      notify: Ip6tables persistent
+
+    - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic"
+      ansible.builtin.iptables:
+        chain: INPUT
+        ctstate: 'ESTABLISHED'
+        jump: ACCEPT
+        ip_version: ipv6
+      notify: Ip6tables persistent
+
+    - name: "4.4.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items"
+      ansible.builtin.iptables:
+        policy: DROP
+        chain: "{{ item }}"
+        ip_version: ipv6
+      notify: Ip6tables persistent
+      loop:
+        - INPUT
+        - FORWARD
+        - OUTPUT
+
+- name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured"
+  when:
+    - ubtu24cis_rule_4_4_1_2
+    - ubtu24cis_firewall_package == "iptables"
+    - ubtu24cis_ipv6_required
+    - not ubtu24cis_ipv4_required
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - rule_4.4.1.2
+    - ip6tables
+  block:
+    - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT"
+      ansible.builtin.iptables:
+        action: append
+        chain: INPUT
+        in_interface: lo
+        jump: ACCEPT
+        ip_version: ipv6
+      notify: Ip6tables persistent
+
+    - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT"
+      ansible.builtin.iptables:
+        action: append
+        chain: OUTPUT
+        out_interface: lo
+        jump: ACCEPT
+        ip_version: ipv6
+      notify: Ip6tables persistent
+
+    - name: "4.4.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop"
+      ansible.builtin.iptables:
+        action: append
+        chain: INPUT
+        source: ::1
+        jump: DROP
+        ip_version: ipv6
+      notify: Ip6tables persistent
+
+- name: "4.4.1.3 | PATCH | Ensure ip6tables outbound and established connections are configured"
+  when:
+    - ubtu24cis_rule_4_4_1_3
+    - ubtu24cis_firewall_package == "iptables"
+    - ubtu24cis_ipv6_required
+    - not ubtu24cis_ipv4_required
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - rule_4.4.1.3
+    - ip6tables
+  ansible.builtin.iptables:
+    action: append
+    chain: '{{ item.chain }}'
+    protocol: '{{ item.protocol }}'
+    match: state
+    ctstate: '{{ item.ctstate }}'
+    jump: ACCEPT
+    ip_version: ipv6
+  notify: Ip6tables persistent
+  loop:
+    - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
+    - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
+    - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
+    - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' }
+    - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' }
+    - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' }
+
+- name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports"
+  when:
+    - ubtu24cis_rule_4_4_1_4
+    - ubtu24cis_firewall_package == "iptables"
+    - ubtu24cis_ipv6_required
+    - not ubtu24cis_ipv4_required
+  tags:
+    - level1-server
+    - level1-workstation
+    - audit
+    - rule_4.4.1.4
+    - ip6tables
+  vars:
+    warn_control_id: '4.4.1.4'
+  block:
+    - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports"
+      ansible.builtin.command: ss -6tuln
+      changed_when: false
+      failed_when: false
+      check_mode: false
+      register: discovered_open_ports
+
+    - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules"
+      ansible.builtin.command: ip6tables -L INPUT -v -n
+      changed_when: false
+      failed_when: false
+      check_mode: false
+      register: discovered_current_rules
+
+    - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings"
+      ansible.builtin.debug:
+        msg:
+          - "Warning!! Below is the list the open ports and current rules"
+          - "Please create a rule for any open port that does not have a current rule"
+          - "Open Ports:"
+          - "{{ discovered_open_ports.stdout_lines }}"
+          - "Current Rules:"
+          - "{{ discovered_current_rules.stdout_lines }}"
+
+    - name: "4.4.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
+
+# ---------------
+# ---------------
+# This is not a control however using the ip6tables module only writes to memery
+# if a reboot occurs that means changes can revert. This task will make the
+# above ip6tables settings permanent
+# ---------------
+# ---------------
+# via handler
+# - name: "Make IP6Tables persistent | Not a control"
+#   block:
+#       - name: "Make IP6Tables persistent | Install iptables-persistent"
+#         ansible.builtin.package:
+#             name: iptables-persistent
+#             state: present
+#         when: "'iptables-persistent' not in ansible_facts.packages"
+
+#       - name: "Make IP6Tables persistent | Save to persistent files"
+#         ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6"
+#         changed_when: discovered_ip6tables_save.rc == 0
+#         failed_when: discovered_ip6tables_save.rc > 0
+#         register: discovered_ip6tables_save
+#   when:
+#       - ubtu24cis_firewall_package == "iptables"
+#       - ubtu24cis_ipv6_required
+#       - not ubtu24cis_ipv4_required
+#       - ubtu24cis_save_iptables_cis_rules
+#       - ubtu24cis_rule_4_4_1_1 or
+#         ubtu24cis_rule_4_4_1_2 or
+#         ubtu24cis_rule_4_4_1_3 or
+#         ubtu24cis_rule_4_4_1_4

tasks/section_4/main.yml

@@ -15,7 +15,7 @@
     file: cis_4.3.x.yml
 
 - name: "SECTION | 4.4.1.x | Configure iptables software"
-  when: ubtu24cis_firewall_package == "iptables"
+  when: ubtu24cis_firewall_package == "nftables"
   ansible.builtin.import_tasks:
     file: cis_4.4.1.x.yml
 

tasks/section_5/cis_5.1.x.yml

@@ -187,7 +187,7 @@
     - NIST800-53R5_CM-6
     - NIST800-53R5_CM-7
     - NIST800-53R5_IA-5
-    - sshd
+    - sshdd
   ansible.builtin.lineinfile:
     path: /etc/ssh/sshd_config
     regexp: "{{ item.regexp }}"

tasks/section_5/cis_5.3.3.1.x.yml

@@ -28,10 +28,12 @@
     - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | if exists remove deny from faillock line in pam-auth conf files"
       when: discovered_faillock_deny_files.stdout | length > 0
       ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
         regexp: '(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)'
         replace: \1\2
-      loop: "{{ prelim_pam_conf_files.files }}"
+      with_fileglob:
+        - '/usr/share/pam-configs/*'
+        - '/etc/pam.d/*'
 
 - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured"
   when: ubtu24cis_rule_5_3_3_1_2
@@ -61,10 +63,12 @@
     - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | if exists remove unlock_time from faillock line in pam-auth conf files"
       when: discovered_faillock_unlock_files.stdout | length > 0
       ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
         regexp: '(*.pam_faillock.so\s*)unlock_time\s*=\s*\b(.*)'
         replace: \1\2
-      loop: "{{ prelim_pam_conf_files.files }}"
+      with_fileglob:
+        - '/usr/share/pam-configs/*'
+        - '/etc/pam.d/*'
 
 - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
   when: ubtu24cis_rule_5_3_3_1_3
@@ -94,7 +98,9 @@
     - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | if exists remove unlock_time from faillock line in pam-auth conf files"
       when: discovered_faillock_rootlock_files.stdout | length > 0
       ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
         regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)'
         replace: \1\3
-      loop: "{{ prelim_pam_conf_files.files }}"
+      with_fileglob:
+        - '/usr/share/pam-configs/*'
+        - '/etc/pam.d/*'

tasks/section_5/cis_5.3.3.2.x.yml

@@ -11,15 +11,15 @@
     - pam
   block:
     - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from conf files except expected file"
-      when: "ubtu24cis_passwd_difok_file not in item.path"
+      when: item != ubtu24cis_passwd_difok_file
       ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
         regexp: 'difok\s*=\s*\d+\b'
         replace: ''
-      with_items:
+      with_fileglob:
-        - "{{ prelim_pam_pwquality_confs.files }}"
+        - '/etc/security/pwquality.conf'
-        - { path: '/etc/security/pwquality.conf'}
+        - '/etc/security/pwquality.conf.d/*.conf'
-        - { path: '/etc/pam.d/common-password' }
+        - '/etc/pam.d/common-password'
 
     - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists"
       ansible.builtin.template:
@@ -40,15 +40,15 @@
     - pam
   block:
     - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file"
-      when: "ubtu24cis_passwd_minlen_file not in item.path"
+      when: item != ubtu24cis_passwd_minlen_file
       ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
         regexp: 'minlen\s*=\s*\d+\b'
         replace: ''
-      with_items:
+      with_fileglob:
-        - "{{ prelim_pam_pwquality_confs.files }}"
+        - '/etc/security/pwquality.conf'
-        - { path: '/etc/security/pwquality.conf'}
+        - '/etc/security/pwquality.conf.d/*.conf'
-        - { path: '/etc/pam.d/common-password' }
+        - '/etc/pam.d/common-password'
 
     - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists"
       ansible.builtin.template:
@@ -69,15 +69,15 @@
     - pam
   block:
     - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove pwd complex settings from conf files except expected file"
-      when: "ubtu24cis_passwd_complex_file not in item.path"
+      when: item != ubtu24cis_passwd_complex_file
       ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
         regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b'
         replace: ''
-      with_items:
+      with_fileglob:
-        - "{{ prelim_pam_pwquality_confs.files }}"
+        - '/etc/security/pwquality.conf'
-        - { path: '/etc/security/pwquality.conf'}
+        - '/etc/security/pwquality.conf.d/*.conf'
-        - { path: '/etc/pam.d/common-password' }
+        - '/etc/pam.d/common-password'
 
     - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists"
       ansible.builtin.template:
@@ -98,15 +98,15 @@
     - pam
   block:
     - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file"
-      when: "ubtu24cis_passwd_maxrepeat_file not in item.path"
+      when: item != ubtu24cis_passwd_maxrepeat_file
       ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
         regexp: 'maxrepeat\s*=\s*\d+\b'
         replace: ''
-      with_items:
+      with_fileglob:
-        - "{{ prelim_pam_pwquality_confs.files }}"
+        - '/etc/security/pwquality.conf'
-        - { path: '/etc/security/pwquality.conf'}
+        - '/etc/security/pwquality.conf.d/*.conf'
-        - { path: '/etc/pam.d/common-password' }
+        - '/etc/pam.d/common-password'
 
     - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists"
       ansible.builtin.template:
@@ -127,15 +127,15 @@
     - pam
   block:
     - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence settings from conf files except expected file"
-      when: "ubtu24cis_passwd_maxsequence_file not in item.path"
+      when: item != ubtu24cis_passwd_maxsequence_file
       ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
         regexp: 'maxsequence\s*=\s*\d+\b'
         replace: ''
-      with_items:
+      with_fileglob:
-        - "{{ prelim_pam_pwquality_confs.files }}"
+        - '/etc/security/pwquality.conf'
-        - { path: '/etc/security/pwquality.conf'}
+        - '/etc/security/pwquality.conf.d/*.conf'
-        - { path: '/etc/pam.d/common-password' }
+        - '/etc/pam.d/common-password'
 
     - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists"
       ansible.builtin.template:
@@ -156,15 +156,15 @@
     - pam
   block:
     - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file"
-      when: "ubtu24cis_passwd_dictcheck_file not in item.path"
+      when: item != ubtu24cis_passwd_dictcheck_file
       ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
         regexp: 'dictcheck\s*=\s*\d+\b'
         replace: ''
-      with_items:
+      with_fileglob:
-        - "{{ prelim_pam_pwquality_confs.files }}"
+        - '/etc/security/pwquality.conf'
-        - { path: '/etc/security/pwquality.conf'}
+        - '/etc/security/pwquality.conf.d/*.conf'
-        - { path: '/etc/pam.d/common-password' }
+        - '/etc/pam.d/common-password'
 
     - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists"
       ansible.builtin.template:
@@ -185,15 +185,15 @@
     - pam
   block:
     - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Remove quality enforcement settings from conf files except expected file"
-      when: "ubtu24cis_passwd_quality_enforce_file not in item.path"
+      when: item != ubtu24cis_passwd_quality_enforce_file
       ansible.builtin.replace:
-        path: "{{ item.path }}"
+        path: "{{ item }}"
         regexp: 'enforcing\s*=\s*\d+\b'
         replace: ''
-      with_items:
+      with_fileglob:
-        - "{{ prelim_pam_pwquality_confs.files }}"
+        - '/etc/security/pwquality.conf'
-        - { path: '/etc/security/pwquality.conf'}
+        - '/etc/security/pwquality.conf.d/*.conf'
-        - { path: '/etc/pam.d/common-password' }
+        - '/etc/pam.d/common-password'
 
     - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Ensure quality enforcement file exists"
       ansible.builtin.template:

tasks/section_5/cis_5.4.1.x.yml

@@ -130,13 +130,13 @@
     - login
   block:
     - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | General setting"
-      ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2
+      ansible.builtin.command: useradd -D | grep INACTIVE | cut -d= -f2
       changed_when: false
       failed_when: false
       register: discovered_passwd_inactive_setting
 
     - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured| Set inactive period for new users"
-      when: discovered_passwd_inactive_setting.stdout != (ubtu24cis_pass_inactive | string)
+      when: discovered_passwd_inactive_setting.stdout != ubtu24cis_pass_inactive | string
       ansible.builtin.command: useradd -D -f {{ ubtu24cis_pass_inactive }}
       failed_when: false
       changed_when: true

tasks/section_5/cis_5.4.3.x.yml

@@ -34,7 +34,7 @@
     state: "{{ item.state }}"
     marker: "# {mark} - CIS benchmark - Ansible-lockdown"
     create: true
-    mode: 'go-wx'
+    mode: 'go-r'
     block: |
       TMOUT={{ ubtu24cis_shell_session_timeout }}
       readonly TMOUT
@@ -54,8 +54,6 @@
     - rule_5.4.3.3
     - NIST800-53R5_AC-3
     - NIST800-53R5_MP-2
-  block:
-    - name: "5.4.3.3 | PATCH | Ensure default user umask is configured | update current settings"
   ansible.builtin.replace:
     path: "{{ item.path }}"
     regexp: (?i)(umask\s+\d\d\d)
@@ -63,11 +61,3 @@
   loop:
     - { path: '/etc/profile', line: 'umask' }
     - { path: '/etc/login.defs', line: 'UMASK' }
-
-    - name: "5.4.3.3 | PATCH | Ensure default user umask is configured | add profile script to set"
-      ansible.builtin.template:
-        src: etc/profile.d/50-umask.sh.j2
-        dest: /etc/profile.d/50-umask.sh
-        owner: root
-        group: root
-        mode: 'go+r,go-wx'

tasks/section_6/cis_6.1.3.8.yml

@@ -1,9 +1,7 @@
 ---
 
 - name: "6.1.3.8 | PATCH | Ensure logrotate is configured"
-  when:
+  when: ubtu24cis_rule_6_1_3_8
-    - ubtu24cis_rule_6_1_3_8
-    - "'logrotate' in ansible_facts.packages"
   tags:
     - level1-server
     - level1-workstation

tasks/section_6/cis_6.1.4.1.yml

@@ -30,14 +30,11 @@
       loop: "{{ discovered_logfiles.stdout_lines }}"
 
     - name: "6.1.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
-      when:
-        - discovered_system_logfiles.stdout_lines is defined
-        - item == "/var/log/btmp"
-        - item == "/var/log/utmp"
-        - item == "/var/log/wtmp"
-        - item == "/var/log/lastlog"
-        - "'sssd' in item or 'SSSD' in item"
       ansible.builtin.file:
         path: "{{ item }}"
         mode: 'ug-x,o-wx'
-      loop: "{{ discovered_system_logfiles.stdout_lines }}"
+      with_fileglob:
+        - "/var/log/*tmp"
+        - "/var/log/lastlog*"
+        - "/var/log/sssd*"
+        - "/var/log/SSSD*"

tasks/section_6/cis_6.2.1.x.yml

@@ -4,7 +4,7 @@
   when:
     - ubtu24cis_rule_6_2_1_1
     - "'auditd' not in ansible_facts.packages or
-      'audispd-plugins' not in ansible_facts.packages"
+      'audisd-plugins' not in ansible_facts.packages"
   tags:
     - level2-server
     - level2-workstation
@@ -30,7 +30,7 @@
     - NIST800-53R5_AU-3
     - NIST800-53R5_AU-12
     - auditd
-  ansible.builtin.systemd:
+  ansible.builtin.service:
     name: auditd
     state: started
     enabled: true

tasks/section_6/cis_6.2.3.x.yml

@@ -277,4 +277,3 @@
     - auditd
   ansible.builtin.command: augenrules --check
   changed_when: false
-  register: discovered_augenrules_check

tasks/section_7/cis_7.2.x.yml

@@ -309,7 +309,7 @@
     warn_control_id: '7.2.10'
   block:
     - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Check for files"
-      ansible.builtin.shell: find /home/ /root/ -name "\.*" -type f -perm /u+x,g+wx,o+wx
+      ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w
       changed_when: false
       failed_when: discovered_homedir_dot_files.rc not in [ 0, 1 ]
       check_mode: false
@@ -336,5 +336,5 @@
         - ubtu24cis_dotperm_ansiblemanaged
       ansible.builtin.file:
         path: '{{ item }}'
-        mode: 'u-x,go-wx'
+        mode: 'go-w'
       with_items: "{{ discovered_homedir_dot_files.stdout_lines }}"

templates/ansible_vars_goss.yml.j2

@@ -484,7 +484,7 @@ ubtu24cis_apparmor_disable: {{ ubtu24cis_apparmor_disable }}
 # THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!!
 # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!!
 ubtu24cis_grub_user: {{ ubtu24cis_grub_user }}
-ubtu24cis_bootloader_password_hash: {{ ubtu24cis_bootloader_password_hash }}  # pragma: allowlist secret
+ubtu24cis_bootloader_password_hash: {{ grub_user_pass }}  # pragma: allowlist secret
 
 ## Controls 1.5.x
 
@@ -580,7 +580,7 @@ ubtu24cis_ftp_client: {{ ubtu24cis_ftp_client }}
 ## Control 2.3.1.1
 # This variable choses the tool used for time synchronization
 # The two options are `chrony`and `systemd-timesyncd`.
-ubtu24cis_time_sync_tool: {{ ubtu24cis_time_sync_tool }}
+ubtu24cis_time_sync_tool: "systemd-timesyncd"
 
 ## Controls 2.3.x - Configure time pools & servers for chrony and timesyncd
 # The following variable represents a list of of time server pools used
@@ -588,7 +588,7 @@ ubtu24cis_time_sync_tool: {{ ubtu24cis_time_sync_tool }}
 # Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`.
 # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation
 # of the time synchronization mechanism you are using.
-ubtu24cis_time_pool:
+ubtu24cis_time_pool_name:
 {% for pool in ubtu24cis_time_pool %}
 - name: {{ pool.name }}
   options: {{ pool.options }}
@@ -733,9 +733,6 @@ ubtu24_varlog_location: {{ ubtu24cis_sudo_logfile }}
 
 # Section 6
 
-# This variable specifies the address of the remote log host where logs are being sent.
-ubtu24cis_remote_log_server: {{ ubtu24cis_remote_log_server }}
-
 # 6.1.2
 
 # AIDE

templates/audit/99_auditd.rules.j2

@@ -10,41 +10,22 @@
 -w /etc/sudoers.d -p wa -k scope
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_2 %}
-{% set syscalls = ["execve"] %}
+-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
-{% set arch_syscalls = [] %}
+-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
-{% endif %}
-{% endfor %}
--a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
--a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_3 %}
 -w {{ ubtu24cis_sudo_logfile }} -p wa -k sudo_log_file
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_4 %}
-{% set syscalls = ["adjtimex","settimeofday","clock_settime"] %}
+-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-{% set arch_syscalls = [] %}
+-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
-{% for syscall in syscalls  %}
+-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change
-{% if syscall in supported_syscalls %}
+-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change
-{{ arch_syscalls.append( syscall) }}
-{% endif %}
-{% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change
 -w /etc/localtime -p wa -k time-change
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_5 %}
-{% set syscalls = ["sethostname","setdomainname"] %}
+-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-{% set arch_syscalls = [] %}
+-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
-{% endif %}
-{% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
@@ -60,17 +41,10 @@
 {% endif %}
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_7 %}
-{% set syscalls = ["creat","open","openat","truncate","ftruncate"] %}
+-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-{% set arch_syscalls = [] %}
+-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-{% for syscall in syscalls  %}
+-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
-{% if syscall in supported_syscalls %}
+-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
-{{ arch_syscalls.append( syscall) }}
-{% endif %}
-{% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_8 %}
 -w /etc/group -p wa -k identity
@@ -83,65 +57,16 @@
 -w /etc/pam.d -p wa -k identity
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_9 %}
-{% set syscalls = ["chmod","fchmod","fchmodat"] %}
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-{% set arch_syscalls = [] %}
+-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod
-{% for syscall in syscalls  %}
+-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-{% if syscall in supported_syscalls %}
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-{{ arch_syscalls.append( syscall) }}
+-a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod
-{% endif %}
+-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-{% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
-{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
-{% endif %}
-{% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
-{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
-{% endif %}
-{% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
-{% set syscalls = ["chmod","fchmod","fchmodat"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
-{% endif %}
-{% endfor %}
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
-{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
-{% endif %}
-{% endfor %}
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
-{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
-{% endif %}
-{% endfor %}
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_10 %}
-{% set syscalls = ["mount"] %}
+-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts
-{% set arch_syscalls = [] %}
+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
-{% endif %}
-{% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k mounts
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k mounts
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_11 %}
 -w /var/run/utmp -p wa -k session
@@ -153,15 +78,8 @@
 -w /var/run/faillock -p wa -k logins
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_13 %}
-{% set syscalls = ["unlink","unlinkat","rename","renameat"] %}
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
-{% set arch_syscalls = [] %}
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
-{% endif %}
-{% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k delete
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k delete
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_14 %}
 -w /etc/apparmor/ -p wa -k MAC-policy
@@ -181,14 +99,7 @@
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_19 %}
 -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -k kernel_modules
-{% set syscalls = ["init_module","finit_module","delete_module"] %}
+-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=-1 -k kernel_modules
-{% set arch_syscalls = [] %}
-{% for syscall in syscalls  %}
-{% if syscall in supported_syscalls %}
-{{ arch_syscalls.append( syscall) }}
-{% endif %}
-{% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=-1 -k kernel_modules
 {% endif %}
 {% if ubtu24cis_rule_6_2_3_20 %}
 -e 2

templates/etc/ansible/compliance_facts.j2

@@ -1,40 +0,0 @@
-# CIS Hardening Carried out
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company
-
-[lockdown_details]
-# Benchmark release
-Benchmark_release = CIS-{{ benchmark_version }}
-Benchmark_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }}
-# If options set (doesn't mean it ran all controls)
-level_1_hardening_enabled = {{ ubtu24cis_level_1 }}
-level_2_hardening_enabled = {{ ubtu24cis_level_2 }}
-
-{% if ansible_run_tags | length > 0 %}
-# If tags used to stipulate run level
-{% if 'level1-server' in ansible_run_tags %}
-Level_1_Server_tag_run = true
-{% endif %}
-{% if 'level2-server' in ansible_run_tags %}
-Level_2_Server_tag_run = true
-{% endif %}
-{% if 'level1-workstation' in ansible_run_tags %}
-Level_1_workstation_tag_run = true
-{% endif %}
-{% if 'level2-workstation' in ansible_run_tags %}
-Level_2_workstation_tag_run = true
-{% endif %}
-{% endif %}
-
-[lockdown_audit_details]
-{% if run_audit %}
-# Audit run
-audit_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }}
-audit_file_local_location = {{ audit_log_dir }}
-{% if not audit_only %}
-audit_summary = {{ post_audit_results }}
-{% endif %}
-{% if fetch_audit_output %}
-audit_files_centralized_location = {{ audit_output_destination }}
-{% endif %}
-{% endif %}

templates/etc/profile.d/50-umask.sh.j2

@@ -1,7 +0,0 @@
-## Ansible controlled file
-# Added as part of ansible-lockdown CIS baseline
-# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
-
-# Set umask with highest precedence
-
-umask 027