Compare commits
	
		
			41 Commits
		
	
	
		
			ecb63ea0d4
			...
			23b208f16c
		
	
	| Author | SHA1 | Date | 
|---|---|---|
|  uk-bolly | 23b208f16c | |
|  uk-bolly | 6f75991455 | |
| ![pre-commit-ci[bot]](/assets/img/avatar_default.png) pre-commit-ci[bot] | 68647d4f01 | |
|  uk-bolly | ffba24432a | |
|  Mark Bolwell | f8e14db0c3 | |
|  Mark Bolwell | 1ec17228ff | |
|  Mark Bolwell | fac8eb7e02 | |
|  Mark Bolwell | a8f039cba0 | |
|  Mark Bolwell | 388331fe98 | |
|  Mark Bolwell | af372a7c73 | |
|  Mark Bolwell | 0347692661 | |
|  Mark Bolwell | d5bad97cad | |
|  uk-bolly | b631e9e2d6 | |
| ![pre-commit-ci[bot]](/assets/img/avatar_default.png) pre-commit-ci[bot] | 777971e29f | |
|  George Nalen | f90b698a57 | |
| ![pre-commit-ci[bot]](/assets/img/avatar_default.png) pre-commit-ci[bot] | f3f3622ae8 | |
|  Fred W. | 371a35d4bf | |
|  Mark Bolwell | b4239f6aef | |
|  Mark Bolwell | 86a14fdc78 | |
|  uk-bolly | 7da19e8106 | |
|  Mark Bolwell | b6fb3c7dcc | |
|  Mark Bolwell | 7f0291fbf2 | |
|  Mark Bolwell | 9ac5740127 | |
|  uk-bolly | c755e9ed71 | |
|  uk-bolly | 9d62bba61e | |
| ![pre-commit-ci[bot]](/assets/img/avatar_default.png) pre-commit-ci[bot] | 09562855b3 | |
|  Mark Bolwell | 7e3ae1d0a8 | |
|  Mark Bolwell | 38831269c9 | |
|  Mark Bolwell | 6dfa7564be | |
|  Mark Bolwell | 20cb8001e5 | |
|  Mark Bolwell | 84f4a69c2d | |
|  Mark Bolwell | a931c60b5c | |
|  Mark Bolwell | f7b504afba | |
|  Mark Bolwell | 36945eb561 | |
|  uk-bolly | 85acc99536 | |
|  Mark Bolwell | c1684508f6 | |
|  Mark Bolwell | 62c67740e4 | |
|  Mark Bolwell | 2611117b33 | |
|  Mark Bolwell | ecfee57c60 | |
|  uk-bolly | b32cd33fcb | |
| ![pre-commit-ci[bot]](/assets/img/avatar_default.png) pre-commit-ci[bot] | 7d5187fc43 | 
|  | @ -7,6 +7,7 @@ | ||||||
|         types: [opened, reopened, synchronize] |         types: [opened, reopened, synchronize] | ||||||
|         branches: |         branches: | ||||||
|             - devel |             - devel | ||||||
|  |             - benchmark* | ||||||
|         paths: |         paths: | ||||||
|             - '**.yml' |             - '**.yml' | ||||||
|             - '**.sh' |             - '**.sh' | ||||||
|  | @ -70,7 +71,6 @@ | ||||||
|                  echo IAC_BRANCH=main >> $GITHUB_ENV |                  echo IAC_BRANCH=main >> $GITHUB_ENV | ||||||
|               fi |               fi | ||||||
| 
 | 
 | ||||||
| 
 |  | ||||||
|           # Pull in terraform code for linux servers |           # Pull in terraform code for linux servers | ||||||
|           - name: Clone GitHub IaC plan |           - name: Clone GitHub IaC plan | ||||||
|             uses: actions/checkout@v4 |             uses: actions/checkout@v4 | ||||||
|  |  | ||||||
|  | @ -7,6 +7,7 @@ | ||||||
|         types: [opened, reopened, synchronize] |         types: [opened, reopened, synchronize] | ||||||
|         branches: |         branches: | ||||||
|             - main |             - main | ||||||
|  |             - latest | ||||||
|         paths: |         paths: | ||||||
|             - '**.yml' |             - '**.yml' | ||||||
|             - '**.sh' |             - '**.sh' | ||||||
|  | @ -23,17 +24,6 @@ | ||||||
|   # A workflow run is made up of one or more jobs |   # A workflow run is made up of one or more jobs | ||||||
|   # that can run sequentially or in parallel |   # that can run sequentially or in parallel | ||||||
|   jobs: |   jobs: | ||||||
|     # This will create messages for first time contributers and direct them to the Discord server |  | ||||||
|       welcome: |  | ||||||
|         runs-on: self-hosted |  | ||||||
| 
 |  | ||||||
|         steps: |  | ||||||
|             - uses: actions/first-interaction@main |  | ||||||
|               with: |  | ||||||
|                 repo-token: ${{ secrets.GITHUB_TOKEN }} |  | ||||||
|                 pr-message: |- |  | ||||||
|                     Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! |  | ||||||
|                     Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. |  | ||||||
| 
 | 
 | ||||||
|       # This workflow contains a single job that tests the playbook |       # This workflow contains a single job that tests the playbook | ||||||
|       playbook-test: |       playbook-test: | ||||||
|  |  | ||||||
|  | @ -44,5 +44,5 @@ benchparse/ | ||||||
| # GitHub Action/Workflow files | # GitHub Action/Workflow files | ||||||
| .github/ | .github/ | ||||||
| 
 | 
 | ||||||
| # Precommit | # ansible-lint cache | ||||||
| .ansible/ | .ansible/ | ||||||
|  |  | ||||||
|  | @ -41,12 +41,12 @@ repos: | ||||||
|   - id: detect-secrets |   - id: detect-secrets | ||||||
| 
 | 
 | ||||||
| - repo: https://github.com/gitleaks/gitleaks | - repo: https://github.com/gitleaks/gitleaks | ||||||
|   rev: v8.24.0 |   rev: v8.26.0 | ||||||
|   hooks: |   hooks: | ||||||
|   - id: gitleaks |   - id: gitleaks | ||||||
| 
 | 
 | ||||||
| - repo: https://github.com/ansible-community/ansible-lint | - repo: https://github.com/ansible-community/ansible-lint | ||||||
|   rev: v25.1.3 |   rev: v25.4.0 | ||||||
|   hooks: |   hooks: | ||||||
|   - id: ansible-lint |   - id: ansible-lint | ||||||
|     name: Ansible-lint |     name: Ansible-lint | ||||||
|  | @ -65,7 +65,7 @@ repos: | ||||||
|     # - ansible-core>=2.10.1 |     # - ansible-core>=2.10.1 | ||||||
| 
 | 
 | ||||||
| - repo: https://github.com/adrienverge/yamllint.git | - repo: https://github.com/adrienverge/yamllint.git | ||||||
|   rev: v1.36.2  # or higher tag |   rev: v1.37.1  # or higher tag | ||||||
|   hooks: |   hooks: | ||||||
|   - id: yamllint |   - id: yamllint | ||||||
|     name: Check YAML Lint |     name: Check YAML Lint | ||||||
|  |  | ||||||
|  | @ -24,6 +24,7 @@ | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  | [](https://github.com/pre-commit/pre-commit) | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -21,6 +21,10 @@ skip_reboot: true | ||||||
| benchmark: UBUNTU24-CIS | benchmark: UBUNTU24-CIS | ||||||
| benchmark_version: v1.0.0 | benchmark_version: v1.0.0 | ||||||
| 
 | 
 | ||||||
|  | # Create managed not custom local_facts files | ||||||
|  | create_benchmark_facts: true | ||||||
|  | ansible_facts_path: /etc/ansible/facts.d | ||||||
|  | 
 | ||||||
| # Used for audit | # Used for audit | ||||||
| ubtu24cis_level_1: true | ubtu24cis_level_1: true | ||||||
| ubtu24cis_level_2: true | ubtu24cis_level_2: true | ||||||
|  | @ -102,6 +106,18 @@ audit_conf_dest: "/opt" | ||||||
| # Where the audit logs are stored | # Where the audit logs are stored | ||||||
| audit_log_dir: '/opt' | audit_log_dir: '/opt' | ||||||
| 
 | 
 | ||||||
|  | # Method of getting,uploading the summary files | ||||||
|  | ## Enable the collection of audit files | ||||||
|  | fetch_audit_output: false | ||||||
|  | ## Ensure access and permissions are available for these to occur. | ||||||
|  | ## options are | ||||||
|  | # fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller) | ||||||
|  | # copy - copies file to a location available to the managed node | ||||||
|  | audit_output_collection_method: fetch | ||||||
|  | 
 | ||||||
|  | # Location to put the audit files | ||||||
|  | audit_output_destination: /opt/audit_summaries/ | ||||||
|  | 
 | ||||||
| ### Goss Settings ## | ### Goss Settings ## | ||||||
| ####### END ######## | ####### END ######## | ||||||
| 
 | 
 | ||||||
|  | @ -628,7 +644,7 @@ ubtu24cis_purge_apt: false | ||||||
| 
 | 
 | ||||||
| ## Ignore change_when for apt update task | ## Ignore change_when for apt update task | ||||||
| # Modifies behavior of 'changed_when' for 'apt update' task  in prelim that always changes | # Modifies behavior of 'changed_when' for 'apt update' task  in prelim that always changes | ||||||
| ignore_apt_update_changed_when: false | ubtu24cis_ignore_apt_update_changed_when: false | ||||||
| 
 | 
 | ||||||
| ## | ## | ||||||
| ## Section 1 Control Variables | ## Section 1 Control Variables | ||||||
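Review bot: The rename `ignore_apt_update_changed_when` → `ubtu24cis_ignore_apt_update_changed_when` silently drops the old name: an inventory or group_vars file that still sets `ignore_apt_update_changed_when: true` now gets the new default of `false` with no error or warning. A transition comment at the new key, `# Renamed from ignore_apt_update_changed_when; the old name is no longer read`, plus a changelog entry (or a prelim assertion that the old variable is not defined) would make the break visible. Separately, `audit_output_destination: /opt/audit_summaries/` refers to a path on the controller when `audit_output_collection_method` is `fetch` but to a path on the managed node when it is `copy`; the comment block above describes the two methods but not which host the destination lives on, so a one-line note there, `# On the controller for fetch, on the managed node for copy`, would save the next reader a lookup.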
|  |  | ||||||
|  | @ -21,6 +21,7 @@ | ||||||
|   listen: "Remount /tmp" |   listen: "Remount /tmp" | ||||||
| 
 | 
 | ||||||
| - name: "Remounting /tmp systemd" | - name: "Remounting /tmp systemd" | ||||||
|  |   when: ubtu24cis_tmp_svc | ||||||
|   vars: |   vars: | ||||||
|     mount_point: '/tmp' |     mount_point: '/tmp' | ||||||
|   ansible.builtin.systemd: |   ansible.builtin.systemd: | ||||||
|  | @ -257,7 +258,7 @@ | ||||||
|   listen: Restart auditd |   listen: Restart auditd | ||||||
| 
 | 
 | ||||||
| - name: Start auditd process | - name: Start auditd process | ||||||
|   ansible.builtin.systemd_service: |   ansible.builtin.systemd: | ||||||
|     name: auditd |     name: auditd | ||||||
|     state: started |     state: started | ||||||
|   listen: Restart auditd |   listen: Restart auditd | ||||||
|  |  | ||||||
|  | @ -10,14 +10,6 @@ | ||||||
|   delegate_to: localhost |   delegate_to: localhost | ||||||
|   become: false |   become: false | ||||||
| 
 | 
 | ||||||
| - name: Audit_only | Get audits from systems and put in group dir |  | ||||||
|   when: fetch_audit_files |  | ||||||
|   ansible.builtin.fetch: |  | ||||||
|     dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" |  | ||||||
|     flat: true |  | ||||||
|     mode: 'go-wx' |  | ||||||
|     src: "{{ pre_audit_outfile }}" |  | ||||||
| 
 |  | ||||||
| - name: Audit_only | Show Audit Summary | - name: Audit_only | Show Audit Summary | ||||||
|   when: audit_only |   when: audit_only | ||||||
|   ansible.builtin.debug: |   ansible.builtin.debug: | ||||||
|  |  | ||||||
|  | @ -0,0 +1,46 @@ | ||||||
|  | --- | ||||||
|  | 
 | ||||||
|  | # Stage to copy audit output to a centralised location | ||||||
|  | 
 | ||||||
|  | - name: "POST | FETCH | Fetch files and copy to controller" | ||||||
|  |   when: audit_output_collection_method == "fetch" | ||||||
|  |   ansible.builtin.fetch: | ||||||
|  |     src: "{{ item }}" | ||||||
|  |     dest: "{{ audit_output_destination }}" | ||||||
|  |     flat: true | ||||||
|  |   failed_when: false | ||||||
|  |   register: discovered_audit_fetch_state | ||||||
|  |   loop: | ||||||
|  |     - "{{ pre_audit_outfile }}" | ||||||
|  |     - "{{ post_audit_outfile }}" | ||||||
|  |   become: false | ||||||
|  | 
 | ||||||
|  | # Added this option for continuity but could be changed by adjusting the variable audit_conf_dest | ||||||
|  | # Allowing backup to one location | ||||||
|  | - name: "POST | FETCH | Copy files to location available to managed node" | ||||||
|  |   when: audit_output_collection_method == "copy" | ||||||
|  |   ansible.builtin.copy: | ||||||
|  |     src: "{{ item }}" | ||||||
|  |     dest: "{{ audit_output_destination }}" | ||||||
|  |     mode: 'u-x,go-wx' | ||||||
|  |     flat: true | ||||||
|  |   failed_when: false | ||||||
|  |   register: discovered_audit_copy_state | ||||||
|  |   loop: | ||||||
|  |     - "{{ pre_audit_outfile }}" | ||||||
|  |     - "{{ post_audit_outfile }}" | ||||||
|  | 
 | ||||||
|  | - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files" | ||||||
|  |   when: | ||||||
|  |     - (audit_output_collection_method == "fetch" and not discovered_audit_fetch_state.changed) or | ||||||
|  |       (audit_output_collection_method == "copy" and not discovered_audit_copy_state.changed) | ||||||
|  |   block: | ||||||
|  |     - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files" | ||||||
|  |       ansible.builtin.debug: | ||||||
|  |         msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy" | ||||||
|  | 
 | ||||||
|  |     - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files" | ||||||
|  |       vars: | ||||||
|  |         warn_control_id: "FETCH_AUDIT_FILES" | ||||||
|  |       ansible.builtin.import_tasks: | ||||||
|  |         file: warning_facts.yml | ||||||
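Review bot: The `copy` task under `POST | FETCH | Copy files to location available to managed node` passes `flat: true`, which is a `fetch` option that `ansible.builtin.copy` does not accept, and its `src: "{{ item }}"` is read from the controller unless `remote_src: true` is set, while the pre/post audit outfiles it loops over are the files the `fetch` variant reads from the managed node. Because both tasks carry `failed_when: false`, these problems surface only as the generic "Unable to write" warning; drop `flat: true` and add `remote_src: true` under `ansible.builtin.copy`. The warning condition keys on `.changed`, so a repeat run where the audit files are unchanged would presumably raise the same warning as a real write failure; inspecting the per-item `results` of the registered variable for a failure `msg` would distinguish the two. With `flat: true` and one shared `audit_output_destination`, files from different hosts with the same basename overwrite each other unless the outfile names embed the hostname, which is not visible here.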
|  | @ -38,7 +38,9 @@ | ||||||
|         sudo_password_rule: ubtu24cis_rule_5_2_4  # pragma: allowlist secret |         sudo_password_rule: ubtu24cis_rule_5_2_4  # pragma: allowlist secret | ||||||
| 
 | 
 | ||||||
| - name: Ensure root password is set | - name: Ensure root password is set | ||||||
|   when: ubtu24cis_rule_5_4_2_4 |   when: | ||||||
|  |     - ubtu24cis_section5 | ||||||
|  |     - ubtu24cis_rule_5_4_2_4 | ||||||
|   tags: always |   tags: always | ||||||
|   block: |   block: | ||||||
|     - name: Ensure root password is set |     - name: Ensure root password is set | ||||||
|  | @ -65,7 +67,8 @@ | ||||||
| - name: Setup rules if container | - name: Setup rules if container | ||||||
|   when: |   when: | ||||||
|     - ansible_connection == 'docker' or |     - ansible_connection == 'docker' or | ||||||
|       ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] |       (ansible_facts.virtualization_type is defined and | ||||||
|  |        ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]) | ||||||
|   tags: always |   tags: always | ||||||
|   block: |   block: | ||||||
|     - name: Discover and set container variable if required |     - name: Discover and set container variable if required | ||||||
|  | @ -169,6 +172,39 @@ | ||||||
|   ansible.builtin.import_tasks: |   ansible.builtin.import_tasks: | ||||||
|     file: post_remediation_audit.yml |     file: post_remediation_audit.yml | ||||||
| 
 | 
 | ||||||
|  | - name: Add ansible file showing Benchmark and levels applied if audit details not present | ||||||
|  |   when: | ||||||
|  |     - create_benchmark_facts | ||||||
|  |     - (post_audit_summary is defined) or | ||||||
|  |       (ansible_local['compliance_facts']['lockdown_audit_details']['audit_summary'] is undefined and post_audit_summary is undefined) | ||||||
|  |   tags: | ||||||
|  |     - always | ||||||
|  |     - benchmark | ||||||
|  |   block: | ||||||
|  |     - name: Create ansible facts directory if audit facts not present | ||||||
|  |       ansible.builtin.file: | ||||||
|  |         path: "{{ ansible_facts_path }}" | ||||||
|  |         state: directory | ||||||
|  |         owner: root | ||||||
|  |         group: root | ||||||
|  |         mode: 'u=rwx,go=rx' | ||||||
|  | 
 | ||||||
|  |     - name: Create ansible facts file and levels applied if audit facts not present | ||||||
|  |       ansible.builtin.template: | ||||||
|  |         src: etc/ansible/compliance_facts.j2 | ||||||
|  |         dest: "{{ ansible_facts_path }}/compliance_facts.fact" | ||||||
|  |         owner: root | ||||||
|  |         group: root | ||||||
|  |         mode: 'u-x,go=r' | ||||||
|  | 
 | ||||||
|  | - name: Fetch audit files | ||||||
|  |   when: | ||||||
|  |     - fetch_audit_output | ||||||
|  |     - run_audit | ||||||
|  |   tags: always | ||||||
|  |   ansible.builtin.import_tasks: | ||||||
|  |     file: fetch_audit_output.yml | ||||||
|  | 
 | ||||||
| - name: Show Audit Summary | - name: Show Audit Summary | ||||||
|   when: run_audit |   when: run_audit | ||||||
|   tags: run_audit |   tags: run_audit | ||||||
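Review bot: The second `when` condition on `Add ansible file showing Benchmark and levels applied if audit details not present` can be simplified: `(A is defined) or (B is undefined and A is undefined)` is logically `A is defined or B is undefined`, because the second disjunct is only evaluated when the first is false. Writing it as `- (post_audit_summary is defined) or (ansible_local['compliance_facts']['lockdown_audit_details']['audit_summary'] is undefined)` says the same thing in one line. The block name describes only the "audit details not present" case, yet the block also runs whenever `post_audit_summary` is defined; if refreshing the facts file after every audit is intended, a short comment above the block, `# Also refreshes compliance_facts.fact after each audit run`, would make that explicit.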
|  |  | ||||||
|  | @ -55,7 +55,7 @@ | ||||||
|   tags: always |   tags: always | ||||||
|   ansible.builtin.package: |   ansible.builtin.package: | ||||||
|     update_cache: true |     update_cache: true | ||||||
|   changed_when: not ignore_apt_update_changed_when |   changed_when: not ubtu24cis_ignore_apt_update_changed_when | ||||||
| 
 | 
 | ||||||
| - name: Include audit specific variables | - name: Include audit specific variables | ||||||
|   when: |   when: | ||||||
|  | @ -150,6 +150,41 @@ | ||||||
|         max_int_uid: "{{ prelim_uid_max_id.stdout }}" |         max_int_uid: "{{ prelim_uid_max_id.stdout }}" | ||||||
|         min_int_gid: "{{ prelim_gid_min_id.stdout }}" |         min_int_gid: "{{ prelim_gid_min_id.stdout }}" | ||||||
| 
 | 
 | ||||||
|  | - name: "PRELIM | AUDIT | Capture pam configs related files" | ||||||
|  |   tags: always | ||||||
|  |   ansible.builtin.find: | ||||||
|  |     paths: | ||||||
|  |       - '/usr/share/pam-configs/' | ||||||
|  |       - '/etc/pam.d/' | ||||||
|  |   register: prelim_pam_conf_files | ||||||
|  | 
 | ||||||
|  | - name: PRELIM | PATCH | Ensure conf.d directory exists required for 5.3.3.2.x | ||||||
|  |   when: | ||||||
|  |     - ubtu24cis_rule_5_3_3_2_1 or | ||||||
|  |       ubtu24cis_rule_5_3_3_2_6 | ||||||
|  |   tags: always | ||||||
|  |   ansible.builtin.file: | ||||||
|  |     path: "{{ item.path }}" | ||||||
|  |     state: "{{ item.state }}" | ||||||
|  |     owner: root | ||||||
|  |     group: root | ||||||
|  |     mode: 'g-w,o-rwx' | ||||||
|  |     modification_time: preserve | ||||||
|  |     access_time: preserve | ||||||
|  |   register: prelim_pwquality_dummy | ||||||
|  |   changed_when: prelim_pwquality_dummy.diff == "absent" | ||||||
|  |   loop: | ||||||
|  |     - { path: '/etc/security/pwquality.conf.d', state: 'directory' } | ||||||
|  |     - { path: '/etc/security/pwquality.conf.d/cis_dummy.conf', state: 'touch' } | ||||||
|  | 
 | ||||||
|  | - name: "PRELIM | AUDIT | Capture pam security related files" | ||||||
|  |   tags: always | ||||||
|  |   ansible.builtin.find: | ||||||
|  |     paths: | ||||||
|  |       - /etc/security/pwquality.conf.d/ | ||||||
|  |     patterns: '*.conf' | ||||||
|  |   register: prelim_pam_pwquality_confs | ||||||
|  | 
 | ||||||
| - name: "PRELIM | AUDIT | Interactive Users" | - name: "PRELIM | AUDIT | Interactive Users" | ||||||
|   tags: always |   tags: always | ||||||
|   ansible.builtin.shell: > |   ansible.builtin.shell: > | ||||||
|  | @ -243,6 +278,22 @@ | ||||||
|     name: acl |     name: acl | ||||||
|     state: present |     state: present | ||||||
| 
 | 
 | ||||||
|  | - name: "PRELIM | PATCH | Install cron" | ||||||
|  |   when: ubtu24cis_rule_2_4_1_1 | ||||||
|  |   tags: always | ||||||
|  |   ansible.builtin.package: | ||||||
|  |     name: cron | ||||||
|  |     state: present | ||||||
|  | 
 | ||||||
|  | - name: "PRELIM | PATCH | Install UFW" | ||||||
|  |   when: | ||||||
|  |     - ubtu24cis_rule_2_4_1_1 | ||||||
|  |     - ubtu24cis_firewall_package == "ufw" | ||||||
|  |   tags: always | ||||||
|  |   ansible.builtin.package: | ||||||
|  |     name: ufw | ||||||
|  |     state: present | ||||||
|  | 
 | ||||||
| ## Optional | ## Optional | ||||||
| 
 | 
 | ||||||
| - name: "Optional | PATCH | UFW firewall force to use /etc/sysctl.conf settings" | - name: "Optional | PATCH | UFW firewall force to use /etc/sysctl.conf settings" | ||||||
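Review bot: `PRELIM | PATCH | Install UFW` is gated on `ubtu24cis_rule_2_4_1_1`, the same flag the cron install task directly above uses; 2.4.1.1 is the cron control, so this appears to be a copied condition — a user who disables the cron rule would also lose the UFW install and one who disables the UFW controls would still get it. The condition should reference the section-4 UFW rule variable instead (its exact name is not visible in this compare). In `PRELIM | PATCH | Ensure conf.d directory exists required for 5.3.3.2.x`, `changed_when: prelim_pwquality_dummy.diff == "absent"` compares the `file` module's `diff` return, a before/after mapping when present, with a plain string, so it is never true and the task always reports unchanged even when it creates the directory; if the intent is "changed only when the path was created", something like `changed_when: (prelim_pwquality_dummy.diff.before.state | default('')) == "absent"` expresses that — confirm the diff structure against the `file` module on the ansible-core version in use.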
|  |  | ||||||
|  | @ -22,12 +22,12 @@ | ||||||
|       register: discovered_var_mount |       register: discovered_var_mount | ||||||
| 
 | 
 | ||||||
|     - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent" |     - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent" | ||||||
|       when: discovered_dev_shm_mount is undefined |       when: discovered_var_mount is undefined | ||||||
|       ansible.builtin.debug: |       ansible.builtin.debug: | ||||||
|         msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" |         msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" | ||||||
| 
 | 
 | ||||||
|     - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present" |     - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present" | ||||||
|       when: discovered_dev_shm_mount is undefined |       when: discovered_var_mount is undefined | ||||||
|       ansible.builtin.import_tasks: |       ansible.builtin.import_tasks: | ||||||
|         file: warning_facts.yml |         file: warning_facts.yml | ||||||
| 
 | 
 | ||||||
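Review bot: After the variable fix, both the `| Absent` debug task and the `| Present` import of warning_facts.yml run on the identical condition `discovered_var_mount is undefined`, so the task named `Present` never runs when /var actually is a separate partition. If the second task is meant to record the warning fact for the absent case, the behaviour is fine but the name is misleading and could read `1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Warning`; if it was meant for the present case, its `when` should be `is defined`. The enclosing block starts outside this hunk, so this is inferred from the two tasks shown.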
|  |  | ||||||
|  | @ -10,7 +10,7 @@ | ||||||
|     - NIST800-53R5_SI-2 |     - NIST800-53R5_SI-2 | ||||||
|     - patch |     - patch | ||||||
|   block: |   block: | ||||||
|     - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installedi | Update" |     - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed | Update" | ||||||
|       ansible.builtin.package: |       ansible.builtin.package: | ||||||
|         name: "*" |         name: "*" | ||||||
|         state: latest |         state: latest | ||||||
|  |  | ||||||
|  | @ -46,7 +46,7 @@ | ||||||
|       when: |       when: | ||||||
|         - not ubtu24cis_avahi_server |         - not ubtu24cis_avahi_server | ||||||
|         - not ubtu24cis_avahi_mask |         - not ubtu24cis_avahi_mask | ||||||
|         - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" |         - "'avahi' in ansible_facts.packages or 'avahi-autoipd' in ansible_facts.packages" | ||||||
|       ansible.builtin.package: |       ansible.builtin.package: | ||||||
|         name: |         name: | ||||||
|           - avahi-autoipd |           - avahi-autoipd | ||||||
|  | @ -672,7 +672,7 @@ | ||||||
|     - rule_2.1.21 |     - rule_2.1.21 | ||||||
|     - NIST800-53R5_CM-7 |     - NIST800-53R5_CM-7 | ||||||
|   vars: |   vars: | ||||||
|     warn_control_id: '2.2.21' |     warn_control_id: '2.1.21' | ||||||
|   block: |   block: | ||||||
|     - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if exim4 installed" |     - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if exim4 installed" | ||||||
|       when: "'exim4' in ansible_facts.packages" |       when: "'exim4' in ansible_facts.packages" | ||||||
|  |  | ||||||
|  | @ -15,9 +15,9 @@ | ||||||
|       ansible.builtin.template: |       ansible.builtin.template: | ||||||
|         src: "{{ item }}.j2" |         src: "{{ item }}.j2" | ||||||
|         dest: "/{{ item }}" |         dest: "/{{ item }}" | ||||||
|         mode: 'go-r' |         mode: 'g=r,o-rwx' | ||||||
|         owner: root |         owner: root | ||||||
|         group: root |         group: "{% if ubtu24cis_rule_2_3_3_2 %}_chrony{% else %}root{% endif %}" | ||||||
|       loop: |       loop: | ||||||
|         - etc/chrony/sources.d/pool.sources |         - etc/chrony/sources.d/pool.sources | ||||||
|         - etc/chrony/sources.d/server.sources |         - etc/chrony/sources.d/server.sources | ||||||
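Review bot: `group: "{% if ubtu24cis_rule_2_3_3_2 %}_chrony{% else %}root{% endif %}"` requires the `_chrony` group to exist on the node when this template task runs, which holds only if the chrony package is installed before it (not visible in this hunk); otherwise the task fails with an unknown group. The inline `{% if %}` statement is also harder to read than the `ternary` filter this same compare uses for cron.allow: `group: "{{ ubtu24cis_rule_2_3_3_2 | ternary('_chrony', 'root') }}"`. The tightened mode `g=r,o-rwx` only makes sense together with that group choice, so a comment above the task noting the dependency on the chrony install would help the next maintainer.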
|  |  | ||||||
|  | @ -154,5 +154,5 @@ | ||||||
|       ansible.builtin.file: |       ansible.builtin.file: | ||||||
|         path: /etc/cron.allow |         path: /etc/cron.allow | ||||||
|         owner: root |         owner: root | ||||||
|         group: root |         group: '{{ (discovered_cron_allow_status.stat.gr_name == "crontab") | ternary(omit,"root") }}' | ||||||
|         mode: 'u-x,g-wx,o-rwx' |         mode: 'u-x,g-wx,o-rwx' | ||||||
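Review bot: `discovered_cron_allow_status.stat.gr_name` is only present when the earlier `stat` found the file; if /etc/cron.allow does not exist yet, the expression fails on an undefined attribute before `ternary` is reached. Guarding it keeps the intent: `group: '{{ (discovered_cron_allow_status.stat.gr_name | default("") == "crontab") | ternary(omit, "root") }}'`. Whether the file can be absent at this point depends on the stat task and on any `state` this `file` task sets, both of which are outside the hunk.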
|  |  | ||||||
|  | @ -28,12 +28,10 @@ | ||||||
|     - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | if exists remove deny from faillock line in pam-auth conf files" |     - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | if exists remove deny from faillock line in pam-auth conf files" | ||||||
|       when: discovered_faillock_deny_files.stdout | length > 0 |       when: discovered_faillock_deny_files.stdout | length > 0 | ||||||
|       ansible.builtin.replace: |       ansible.builtin.replace: | ||||||
|         path: "{{ item }}" |         path: "{{ item.path }}" | ||||||
|         regexp: '(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)' |         regexp: '(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)' | ||||||
|         replace: \1\2 |         replace: \1\2 | ||||||
|       with_fileglob: |       loop: "{{ prelim_pam_conf_files.files }}" | ||||||
|         - '/usr/share/pam-configs/*' |  | ||||||
|         - '/etc/pam.d/*' |  | ||||||
| 
 | 
 | ||||||
| - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured" | - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured" | ||||||
|   when: ubtu24cis_rule_5_3_3_1_2 |   when: ubtu24cis_rule_5_3_3_1_2 | ||||||
|  | @ -63,12 +61,10 @@ | ||||||
|     - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | if exists remove unlock_time from faillock line in pam-auth conf files" |     - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | if exists remove unlock_time from faillock line in pam-auth conf files" | ||||||
|       when: discovered_faillock_unlock_files.stdout | length > 0 |       when: discovered_faillock_unlock_files.stdout | length > 0 | ||||||
|       ansible.builtin.replace: |       ansible.builtin.replace: | ||||||
|         path: "{{ item }}" |         path: "{{ item.path }}" | ||||||
|         regexp: '(*.pam_faillock.so\s*)unlock_time\s*=\s*\b(.*)' |         regexp: '(*.pam_faillock.so\s*)unlock_time\s*=\s*\b(.*)' | ||||||
|         replace: \1\2 |         replace: \1\2 | ||||||
|       with_fileglob: |       loop: "{{ prelim_pam_conf_files.files }}" | ||||||
|         - '/usr/share/pam-configs/*' |  | ||||||
|         - '/etc/pam.d/*' |  | ||||||
| 
 | 
 | ||||||
| - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account" | - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account" | ||||||
|   when: ubtu24cis_rule_5_3_3_1_3 |   when: ubtu24cis_rule_5_3_3_1_3 | ||||||
|  | @ -98,9 +94,7 @@ | ||||||
|     - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | if exists remove unlock_time from faillock line in pam-auth conf files" |     - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | if exists remove unlock_time from faillock line in pam-auth conf files" | ||||||
|       when: discovered_faillock_rootlock_files.stdout | length > 0 |       when: discovered_faillock_rootlock_files.stdout | length > 0 | ||||||
|       ansible.builtin.replace: |       ansible.builtin.replace: | ||||||
|         path: "{{ item }}" |         path: "{{ item.path }}" | ||||||
|         regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)' |         regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)' | ||||||
|         replace: \1\3 |         replace: \1\3 | ||||||
|       with_fileglob: |       loop: "{{ prelim_pam_conf_files.files }}" | ||||||
|         - '/usr/share/pam-configs/*' |  | ||||||
|         - '/etc/pam.d/*' |  | ||||||
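Review bot: The regexp in `5.3.3.1.1 | ... remove deny from faillock line` (and the parallel ones in the 5.3.3.1.2 and 5.3.3.1.3 hunks below) begins with `(*.pam_faillock.so\s*)`; Python's `re` rejects a `*` with nothing before it inside a group ("nothing to repeat"), so these `replace` tasks error as soon as their `when` is true — now for every entry in `prelim_pam_conf_files.files` rather than the old glob. The intended pattern is presumably `(.*pam_faillock\.so\s*)`, wildcard first and the literal dot escaped. Since the loop now iterates `find` results, adding `loop_control: { label: "{{ item.path }}" }` to each of the three tasks keeps the per-item output to the path instead of the full stat dictionary.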
|  |  | ||||||
|  | @ -11,15 +11,15 @@ | ||||||
|     - pam |     - pam | ||||||
|   block: |   block: | ||||||
|     - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from conf files except expected file" |     - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from conf files except expected file" | ||||||
|       when: item != ubtu24cis_passwd_difok_file |       when: "ubtu24cis_passwd_difok_file not in item.path" | ||||||
|       ansible.builtin.replace: |       ansible.builtin.replace: | ||||||
|         path: "{{ item }}" |         path: "{{ item.path }}" | ||||||
|         regexp: 'difok\s*=\s*\d+\b' |         regexp: 'difok\s*=\s*\d+\b' | ||||||
|         replace: '' |         replace: '' | ||||||
|       with_fileglob: |       with_items: | ||||||
|         - '/etc/security/pwquality.conf' |         - "{{ prelim_pam_pwquality_confs.files }}" | ||||||
|         - '/etc/security/pwquality.conf.d/*.conf' |         - { path: '/etc/security/pwquality.conf'} | ||||||
|         - '/etc/pam.d/common-password' |         - { path: '/etc/pam.d/common-password' } | ||||||
| 
 | 
 | ||||||
|     - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists" |     - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists" | ||||||
|       ansible.builtin.template: |       ansible.builtin.template: | ||||||
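Review bot: The new `when: "ubtu24cis_passwd_difok_file not in item.path"` is a substring test, not the path equality the old `item != ...` expressed: if `ubtu24cis_passwd_difok_file` is set to `/etc/security/pwquality.conf`, every `/etc/security/pwquality.conf.d/*.conf` entry also contains that string and is skipped, leaving duplicate `difok` settings in place. Unless the substring match is deliberate, `when: item.path != ubtu24cis_passwd_difok_file` keeps the exact match with the new dict items; the same applies to the minlen, complexity, maxrepeat and maxsequence hunks that follow. The `with_items` entries written `{ path: '/etc/security/pwquality.conf'}` are missing the space before `}` that the sibling entry has (yamllint `braces`). This file section continues beyond the hunks shown here.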
|  | @ -40,15 +40,15 @@ | ||||||
|     - pam |     - pam | ||||||
|   block: |   block: | ||||||
|     - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file" |     - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file" | ||||||
|       when: item != ubtu24cis_passwd_minlen_file |       when: "ubtu24cis_passwd_minlen_file not in item.path" | ||||||
|       ansible.builtin.replace: |       ansible.builtin.replace: | ||||||
|         path: "{{ item }}" |         path: "{{ item.path }}" | ||||||
|         regexp: 'minlen\s*=\s*\d+\b' |         regexp: 'minlen\s*=\s*\d+\b' | ||||||
|         replace: '' |         replace: '' | ||||||
|       with_fileglob: |       with_items: | ||||||
|         - '/etc/security/pwquality.conf' |         - "{{ prelim_pam_pwquality_confs.files }}" | ||||||
|         - '/etc/security/pwquality.conf.d/*.conf' |         - { path: '/etc/security/pwquality.conf'} | ||||||
|         - '/etc/pam.d/common-password' |         - { path: '/etc/pam.d/common-password' } | ||||||
| 
 | 
 | ||||||
|     - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists" |     - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists" | ||||||
|       ansible.builtin.template: |       ansible.builtin.template: | ||||||
|  | @ -69,15 +69,15 @@ | ||||||
|     - pam |     - pam | ||||||
|   block: |   block: | ||||||
|     - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove pwd complex settings from conf files except expected file" |     - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove pwd complex settings from conf files except expected file" | ||||||
|       when: item != ubtu24cis_passwd_complex_file |       when: "ubtu24cis_passwd_complex_file not in item.path" | ||||||
|       ansible.builtin.replace: |       ansible.builtin.replace: | ||||||
|         path: "{{ item }}" |         path: "{{ item.path }}" | ||||||
|         regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b' |         regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b' | ||||||
|         replace: '' |         replace: '' | ||||||
|       with_fileglob: |       with_items: | ||||||
|         - '/etc/security/pwquality.conf' |         - "{{ prelim_pam_pwquality_confs.files }}" | ||||||
|         - '/etc/security/pwquality.conf.d/*.conf' |         - { path: '/etc/security/pwquality.conf'} | ||||||
|         - '/etc/pam.d/common-password' |         - { path: '/etc/pam.d/common-password' } | ||||||
| 
 | 
 | ||||||
|     - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists" |     - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists" | ||||||
|       ansible.builtin.template: |       ansible.builtin.template: | ||||||
|  | @ -98,15 +98,15 @@ | ||||||
|     - pam |     - pam | ||||||
|   block: |   block: | ||||||
|     - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file" |     - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file" | ||||||
|       when: item != ubtu24cis_passwd_maxrepeat_file |       when: "ubtu24cis_passwd_maxrepeat_file not in item.path" | ||||||
|       ansible.builtin.replace: |       ansible.builtin.replace: | ||||||
|         path: "{{ item }}" |         path: "{{ item.path }}" | ||||||
|         regexp: 'maxrepeat\s*=\s*\d+\b' |         regexp: 'maxrepeat\s*=\s*\d+\b' | ||||||
|         replace: '' |         replace: '' | ||||||
|       with_fileglob: |       with_items: | ||||||
|         - '/etc/security/pwquality.conf' |         - "{{ prelim_pam_pwquality_confs.files }}" | ||||||
|         - '/etc/security/pwquality.conf.d/*.conf' |         - { path: '/etc/security/pwquality.conf'} | ||||||
|         - '/etc/pam.d/common-password' |         - { path: '/etc/pam.d/common-password' } | ||||||
| 
 | 
 | ||||||
|     - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists" |     - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists" | ||||||
|       ansible.builtin.template: |       ansible.builtin.template: | ||||||
|  | @ -127,15 +127,15 @@ | ||||||
|     - pam |     - pam | ||||||
|   block: |   block: | ||||||
|     - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence settings from conf files except expected file" |     - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence settings from conf files except expected file" | ||||||
|       when: item != ubtu24cis_passwd_maxsequence_file |       when: "ubtu24cis_passwd_maxsequence_file not in item.path" | ||||||
|       ansible.builtin.replace: |       ansible.builtin.replace: | ||||||
|         path: "{{ item }}" |         path: "{{ item.path }}" | ||||||
|         regexp: 'maxsequence\s*=\s*\d+\b' |         regexp: 'maxsequence\s*=\s*\d+\b' | ||||||
|         replace: '' |         replace: '' | ||||||
|       with_fileglob: |       with_items: | ||||||
|         - '/etc/security/pwquality.conf' |         - "{{ prelim_pam_pwquality_confs.files }}" | ||||||
|         - '/etc/security/pwquality.conf.d/*.conf' |         - { path: '/etc/security/pwquality.conf'} | ||||||
|         - '/etc/pam.d/common-password' |         - { path: '/etc/pam.d/common-password' } | ||||||
| 
 | 
 | ||||||
|     - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists" |     - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists" | ||||||
|       ansible.builtin.template: |       ansible.builtin.template: | ||||||
|  | @ -156,15 +156,15 @@ | ||||||
|     - pam |     - pam | ||||||
|   block: |   block: | ||||||
|     - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file" |     - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file" | ||||||
|       when: item != ubtu24cis_passwd_dictcheck_file |       when: "ubtu24cis_passwd_dictcheck_file not in item.path" | ||||||
|       ansible.builtin.replace: |       ansible.builtin.replace: | ||||||
|         path: "{{ item }}" |         path: "{{ item.path }}" | ||||||
|         regexp: 'dictcheck\s*=\s*\d+\b' |         regexp: 'dictcheck\s*=\s*\d+\b' | ||||||
|         replace: '' |         replace: '' | ||||||
|       with_fileglob: |       with_items: | ||||||
|         - '/etc/security/pwquality.conf' |         - "{{ prelim_pam_pwquality_confs.files }}" | ||||||
|         - '/etc/security/pwquality.conf.d/*.conf' |         - { path: '/etc/security/pwquality.conf'} | ||||||
|         - '/etc/pam.d/common-password' |         - { path: '/etc/pam.d/common-password' } | ||||||
| 
 | 
 | ||||||
|     - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists" |     - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists" | ||||||
|       ansible.builtin.template: |       ansible.builtin.template: | ||||||
|  | @ -185,15 +185,15 @@ | ||||||
|     - pam |     - pam | ||||||
|   block: |   block: | ||||||
|     - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Remove quality enforcement settings from conf files except expected file" |     - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Remove quality enforcement settings from conf files except expected file" | ||||||
|       when: item != ubtu24cis_passwd_quality_enforce_file |       when: "ubtu24cis_passwd_quality_enforce_file not in item.path" | ||||||
|       ansible.builtin.replace: |       ansible.builtin.replace: | ||||||
|         path: "{{ item }}" |         path: "{{ item.path }}" | ||||||
|         regexp: 'enforcing\s*=\s*\d+\b' |         regexp: 'enforcing\s*=\s*\d+\b' | ||||||
|         replace: '' |         replace: '' | ||||||
|       with_fileglob: |       with_items: | ||||||
|         - '/etc/security/pwquality.conf' |         - "{{ prelim_pam_pwquality_confs.files }}" | ||||||
|         - '/etc/security/pwquality.conf.d/*.conf' |         - { path: '/etc/security/pwquality.conf'} | ||||||
|         - '/etc/pam.d/common-password' |         - { path: '/etc/pam.d/common-password' } | ||||||
| 
 | 
 | ||||||
|     - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Ensure quality enforcement file exists" |     - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Ensure quality enforcement file exists" | ||||||
|       ansible.builtin.template: |       ansible.builtin.template: | ||||||
|  |  | ||||||
|  | @ -30,11 +30,14 @@ | ||||||
|       loop: "{{ discovered_logfiles.stdout_lines }}" |       loop: "{{ discovered_logfiles.stdout_lines }}" | ||||||
| 
 | 
 | ||||||
|     - name: "6.1.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" |     - name: "6.1.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" | ||||||
|  |       when: | ||||||
|  |         - discovered_system_logfiles.stdout_lines is defined | ||||||
|  |         - item == "/var/log/btmp" | ||||||
|  |         - item == "/var/log/utmp" | ||||||
|  |         - item == "/var/log/wtmp" | ||||||
|  |         - item == "/var/log/lastlog" | ||||||
|  |         - "'sssd' in item or 'SSSD' in item" | ||||||
|       ansible.builtin.file: |       ansible.builtin.file: | ||||||
|         path: "{{ item }}" |         path: "{{ item }}" | ||||||
|         mode: 'ug-x,o-wx' |         mode: 'ug-x,o-wx' | ||||||
|       with_fileglob: |       loop: "{{ discovered_system_logfiles.stdout_lines }}" | ||||||
|         - "/var/log/*tmp" |  | ||||||
|         - "/var/log/lastlog*" |  | ||||||
|         - "/var/log/sssd*" |  | ||||||
|         - "/var/log/SSSD*" |  | ||||||
|  |  | ||||||
|  | @ -4,7 +4,7 @@ | ||||||
|   when: |   when: | ||||||
|     - ubtu24cis_rule_6_2_1_1 |     - ubtu24cis_rule_6_2_1_1 | ||||||
|     - "'auditd' not in ansible_facts.packages or |     - "'auditd' not in ansible_facts.packages or | ||||||
|       'audisd-plugins' not in ansible_facts.packages" |       'audispd-plugins' not in ansible_facts.packages" | ||||||
|   tags: |   tags: | ||||||
|     - level2-server |     - level2-server | ||||||
|     - level2-workstation |     - level2-workstation | ||||||
|  | @ -30,7 +30,7 @@ | ||||||
|     - NIST800-53R5_AU-3 |     - NIST800-53R5_AU-3 | ||||||
|     - NIST800-53R5_AU-12 |     - NIST800-53R5_AU-12 | ||||||
|     - auditd |     - auditd | ||||||
|   ansible.builtin.systemd_service: |   ansible.builtin.systemd: | ||||||
|     name: auditd |     name: auditd | ||||||
|     state: started |     state: started | ||||||
|     enabled: true |     enabled: true | ||||||
|  |  | ||||||
|  | @ -99,7 +99,7 @@ | ||||||
| {% endif %} | {% endif %} | ||||||
| {% endfor %} | {% endfor %} | ||||||
| -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod | -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>=1000 -F auid!=unset -k perm_mod | ||||||
| {% set syscalls = ["etxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %} | {% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %} | ||||||
| {% set arch_syscalls = [] %} | {% set arch_syscalls = [] %} | ||||||
| {% for syscall in syscalls  %} | {% for syscall in syscalls  %} | ||||||
| {% if syscall in supported_syscalls %} | {% if syscall in supported_syscalls %} | ||||||
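Review bot: The corrected name `setxattr` at line 730 closes a silent gap: the loop below keeps only names found in `supported_syscalls`, so the misspelled `etxattr` was simply dropped and the generated `perm_mod` rule omitted setxattr with no warning at render time. A comment above the `set syscalls` line would make that failure mode visible to the next editor, e.g. `{# names absent from supported_syscalls are dropped silently - spell them exactly as the kernel syscall table does #}`. A check on the role side that rejects any listed name missing from `supported_syscalls` would surface the next typo during the run rather than in a later audit finding. The enclosing `for` loop continues past the end of this hunk.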
|  |  | ||||||
|  | @ -0,0 +1,40 @@ | ||||||
|  | # CIS Hardening Carried out | ||||||
|  | # Added as part of ansible-lockdown CIS baseline | ||||||
|  | # provided by Mindpoint Group - A Tyto Athene Company | ||||||
|  | 
 | ||||||
|  | [lockdown_details] | ||||||
|  | # Benchmark release | ||||||
|  | Benchmark_release = CIS-{{ benchmark_version }} | ||||||
|  | Benchmark_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }} | ||||||
|  | # If options set (doesn't mean it ran all controls) | ||||||
|  | level_1_hardening_enabled = {{ ubtu24cis_level_1 }} | ||||||
|  | level_2_hardening_enabled = {{ ubtu24cis_level_2 }} | ||||||
|  | 
 | ||||||
|  | {% if ansible_run_tags | length > 0 %} | ||||||
|  | # If tags used to stipulate run level | ||||||
|  | {% if 'level1-server' in ansible_run_tags %} | ||||||
|  | Level_1_Server_tag_run = true | ||||||
|  | {% endif %} | ||||||
|  | {% if 'level2-server' in ansible_run_tags %} | ||||||
|  | Level_2_Server_tag_run = true | ||||||
|  | {% endif %} | ||||||
|  | {% if 'level1-workstation' in ansible_run_tags %} | ||||||
|  | Level_1_workstation_tag_run = true | ||||||
|  | {% endif %} | ||||||
|  | {% if 'level2-workstation' in ansible_run_tags %} | ||||||
|  | Level_2_workstation_tag_run = true | ||||||
|  | {% endif %} | ||||||
|  | {% endif %} | ||||||
|  | 
 | ||||||
|  | [lockdown_audit_details] | ||||||
|  | {% if run_audit %} | ||||||
|  | # Audit run | ||||||
|  | audit_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }} | ||||||
|  | audit_file_local_location = {{ audit_log_dir }} | ||||||
|  | {% if not audit_only %} | ||||||
|  | audit_summary = {{ post_audit_results }} | ||||||
|  | {% endif %} | ||||||
|  | {% if fetch_audit_output %} | ||||||
|  | audit_files_centralized_location = {{ audit_output_destination }} | ||||||
|  | {% endif %} | ||||||
|  | {% endif %} | ||||||
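Review bot: `Benchmark_run_date` (line 744) and `audit_run_date` (line 770) both evaluate `strftime` at the moment this template is rendered, so the two values are always identical and `audit_run_date` does not record when the audit actually ran; if that timestamp is wanted, capture it into a registered variable at audit time and emit that variable here instead. Every flag tested here (`run_audit`, `audit_only`, `fetch_audit_output`) and every value emitted (`benchmark_version`, `audit_log_dir`, `post_audit_results`, `audit_output_destination`) has to be defined on every render, otherwise the task rendering this file presumably fails; `{% if run_audit | default(false) %}` and the same `default(false)` on the other two flags would make the audit stanza optional. `audit_summary = {{ post_audit_results }}` will also break the one-key-per-line layout of this file if that variable ever holds more than a single line. The task that writes this file, and the file mode it sets, are not part of this change, so who can read the recorded hardening and audit details cannot be confirmed from here.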