--- - name: "5.4.2.1 | PATCH | Ensure root is the only UID 0 account" when: - ubtu24cis_rule_5_4_2_1 - prelim_uid_zero_accounts_except_root.rc - ubtu24cis_disruption_high tags: - level1-server - level1-workstation - patch - accounts - users - rule_5.4.2.1 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 ansible.builtin.command: passwd -l {{ item }} changed_when: false failed_when: false loop: "{{ prelim_uid_zero_accounts_except_root.stdout_lines }}" - name: "5.4.2.2 | PATCH | Ensure root is the only GID 0 account" when: - ubtu24cis_rule_5_4_2_2 - ubtu24cis_disruption_high tags: - level1-server - level1-workstation - patch - rule_5.4.2.2 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - user - system block: - name: "5.4.2.2 | AUDIT | Ensure root is the only GID 0 account | Get members of gid 0" ansible.builtin.shell: "awk -F: '($1 !~ /^(sync|shutdown|halt|operator)/ && $4==\"0\") {print $1}' /etc/passwd | grep -wv 'root'" changed_when: false failed_when: discovered_gid0_members.rc not in [ 0, 1 ] register: discovered_gid0_members - name: "5.4.2.2 | PATCH | Ensure root is the only GID 0 account | Remove users not root from gid 0" when: - discovered_gid0_members is defined - discovered_gid0_members.stdout | length > 0 ansible.builtin.user: name: "{{ item }}" group: 0 state: absent loop: - discovered_gid0_members.stdout_lines - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group" when: - ubtu24cis_rule_5_4_2_3 tags: - level1-server - level1-workstation - patch - rule_5.4.2.3 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - user - system block: - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group | Get groups with gid 0" ansible.builtin.shell: "awk -F: '$3==\"0\"{print $1}' /etc/group | grep -vw 'root'" register: discovered_gid0_groups changed_when: false failed_when: discovered_gid0_groups.rc not in [ 0, 1 ] - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group | Warning if others gid 0 groups" when: - discovered_gid0_groups is defined - discovered_gid0_groups.stdout | length > 0 ansible.builtin.debug: msg: - "Warning!! You have other groups assigned to GID 0 - Please resolve" - "{{ discovered_gid0_groups.stdout_lines }}" - name: "5.4.2.3 | WARN | Ensure group root is the only GID 0 group | warn_count" when: - discovered_gid0_groups is defined - discovered_gid0_groups.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml vars: warn_control_id: '5.4.2.3' - name: "5.4.2.4 | PATCH | Ensure root password is set" when: - ubtu24cis_rule_5_4_2_4 tags: - level1-server - level1-workstation - patch - shadow_suite - rule_5.4.2.4 - NIST800-53R5_NA ansible.builtin.debug: msg: "This is set as an assert in tasks/main" - name: "5.4.2.5 | PATCH | Ensure root PATH Integrity" when: - ubtu24cis_rule_5_4_2_5 tags: - level1-server - level1-workstation - patch - paths - rule_5.4.2.5 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 block: - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Get root paths" ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 changed_when: false register: discovered_root_paths - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Get root paths" when: discovered_root_paths is defined ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 | tr ":" "\n" changed_when: false register: discovered_root_paths_split - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Set fact" when: discovered_root_paths is defined ansible.builtin.set_fact: root_paths: "{{ discovered_root_paths.stdout }}" - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs" when: discovered_root_paths is defined ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"' changed_when: false failed_when: discovered_root_path_empty_dir.rc not in [ 0, 1 ] register: discovered_root_path_empty_dir - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for trailing ':'" when: discovered_root_paths is defined ansible.builtin.shell: '{{ root_paths }} | cut -d= -f2 | grep -q ":$" && echo "roots path contains a trailing (:)"' changed_when: false failed_when: discovered_root_path_trailing_colon.rc not in [ 0, 1 ] register: discovered_root_path_trailing_colon - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" when: discovered_root_paths is defined block: - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" ansible.builtin.stat: path: "{{ item }}" register: discovered_root_path_perms loop: "{{ discovered_root_paths_split.stdout_lines }}" - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Set permissions" when: - item.stat.exists - item.stat.isdir - item.stat.pw_name != 'root' or item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp - (item != 'root') and (not ubtu24cis_uses_root) ansible.builtin.file: path: "{{ item.stat.path }}" state: directory owner: root group: root mode: 'go-w' follow: false loop: "{{ discovered_root_path_perms.results }}" loop_control: label: "{{ item }}" - name: "5.4.2.6 | PATCH | Ensure root user umask is configured" when: - ubtu24cis_rule_5_4_2_6 tags: - level1-server - level1-workstation - patch - shadow_suite - rule_5.4.2.6 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 ansible.builtin.lineinfile: path: /root/.bash_profile regexp: \s*umask line: "umask {{ ubtu24cis_root_umask }}" create: true mode: 'u+x,go-rwx' - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell" when: - ubtu24cis_rule_5_4_2_7 - "item.id not in prelim_interactive_usernames.stdout" - "'root' not in item.id" - ubtu24cis_disruption_high tags: - level1-server - level1-workstation - patch - shadow_suite - rule_5.4.2.7 - NIST800-53R5_AC-2 - NIST800-53R5_AC-3 - NIST800-53R5_AC-11 - NIST800-53R5_MP-2 ansible.builtin.user: name: "{{ item.id }}" shell: /usr/sbin/nologin loop: "{{ ubtu24cis_passwd }}" loop_control: label: "{{ item.id }}" - name: "5.4.2.8 | PATCH | Ensure accounts without a valid login shell are locked | Lock accounts" when: - ubtu24cis_rule_5_4_2_8 - ubtu24cis_disruption_high - "item.id not in prelim_interactive_usernames.stdout" - "'root' not in item.id" tags: - level1-server - level1-workstation - patch - shadow_suite - rule_5.4.2.8 - NIST800-53R5_AC-2 - NIST800-53R5_AC-3 - NIST800-53R5_AC-11 - NIST800-53R5_MP-2 ansible.builtin.user: name: "{{ item.id }}" password_lock: true loop: "{{ ubtu24cis_passwd }}" loop_control: label: "{{ item.id }}"