colin
/
UBUNTU24-CIS
mirror of https://github.com/ansible-lockdown/UBUNTU24-CIS.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
UBUNTU24-CIS/tasks/main.yml

183 lines
6.0 KiB
YAML
Raw Permalink Blame History

---
- name: Check OS version and family
when:
- ansible_facts.distribution == 'Ubuntu'
- ansible_facts.distribution_major_version is version_compare('24', '!=')
tags: always
ansible.builtin.fail:
msg: "This role can only be run against Ubuntu 24. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
- name: Check ansible version
tags: always
ansible.builtin.assert:
that: ansible_version.full is version_compare(min_ansible_version, '>=')
fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
# This control should always run as this can pass on unintended issues.
- name: "Check password set for connecting user"
when:
- ubtu24cis_rule_5_2_4
- ansible_env.SUDO_USER is defined
tags: always
block:
- name: "Capture current password state of connecting user"
ansible.builtin.shell: "grep -w {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'"
changed_when: false
failed_when: false
check_mode: false
register: prelim_ansible_user_password_set
- name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" # noqa name[template]
ansible.builtin.assert:
that: prelim_ansible_user_password_set.stdout != "!!" and prelim_ansible_user_password_set.stdout | length > 10
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
success_msg: "You have a password set for sudo user {{ ansible_env.SUDO_USER }}"
vars:
sudo_password_rule: ubtu24cis_rule_5_2_4 # pragma: allowlist secret
- name: Ensure root password is set
when: ubtu24cis_rule_5_4_2_4
tags: always
block:
- name: Ensure root password is set
ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|root P |Password locked)"
changed_when: false
failed_when: false
register: prelim_root_passwd_set
- name: Ensure root password is set
ansible.builtin.assert:
that: prelim_root_passwd_set.rc == 0
fail_msg: "You have rule 5.4.2.4 enabled this requires that you have a root password set - Please manually set a root password"
success_msg: "You have a root password set"
- name: Check ubtu24cis_bootloader_password_hash variable has been changed
when:
- ubtu24cis_set_boot_pass
- ubtu24cis_rule_1_4_1
tags: always
ansible.builtin.assert:
that: ubtu24cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu24cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as ubtu24cis_bootloader_password_hash variable has not been set correctly"
- name: Setup rules if container
when:
- ansible_connection == 'docker' or
ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
tags: always
block:
- name: Discover and set container variable if required
ansible.builtin.set_fact:
system_is_container: true
- name: Load variable for container
ansible.builtin.include_vars:
file: "{{ container_vars_file }}"
- name: Output if discovered is a container
when: system_is_container
ansible.builtin.debug:
msg: system has been discovered as a container
- name: Gather the package facts before prelim
tags: always
ansible.builtin.package_facts:
manager: auto
- name: Run prelim tasks
tags: always
ansible.builtin.import_tasks:
file: prelim.yml
- name: Gather the package facts after prelim
tags: always
ansible.builtin.package_facts:
manager: auto
- name: Run parse /etc/passwd
when:
- ubtu24cis_section5 or
ubtu24cis_section6 or
ubtu24cis_section7
tags: always
ansible.builtin.import_tasks:
file: parse_etc_password.yml
- name: Include section 1 patches
when: ubtu24cis_section1
ansible.builtin.import_tasks:
file: section_1/main.yml
- name: Include section 2 patches
when: ubtu24cis_section2
ansible.builtin.import_tasks:
file: section_2/main.yml
- name: Include section 3 patches
when: ubtu24cis_section3
ansible.builtin.import_tasks:
file: section_3/main.yml
- name: Include section 4 patches
when: ubtu24cis_section4
ansible.builtin.import_tasks:
file: section_4/main.yml
- name: Include section 5 patches
when: ubtu24cis_section5
ansible.builtin.import_tasks:
file: section_5/main.yml
- name: Include section 6 patches
when: ubtu24cis_section6
ansible.builtin.import_tasks:
file: section_6/main.yml
- name: Include section 7 patches
when: ubtu24cis_section7
ansible.builtin.import_tasks:
file: section_7/main.yml
- name: Run auditd logic
when: update_audit_template
tags: always
ansible.builtin.import_tasks:
file: auditd.yml
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Reboot system
when: change_requires_reboot
tags: always
block:
- name: Reboot system if not skipped
when: not skip_reboot
ansible.builtin.reboot:
- name: Warning a reboot required but skip option set
when: skip_reboot
ansible.builtin.debug:
msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
changed_when: true
- name: Run post remediation audit
when: run_audit
tags: run_audit
ansible.builtin.import_tasks:
file: post_remediation_audit.yml
- name: Show Audit Summary
when: run_audit
tags: run_audit
ansible.builtin.debug:
msg: "{{ audit_results.split('\n') }}"
- name: If Warnings found Output count and control IDs affected
when: warn_count != 0
tags: always
ansible.builtin.debug:
msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}"
Reference in New Issue View Git Blame Copy Permalink