UBUNTU24-CIS/tasks/section_5/cis_5.2.x.yml

---

- name: "5.2.1 | PATCH | Ensure sudo is installed"
  when: ubtu24cis_rule_5_2_1
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_5.2.1
    - NIST800-53R5_AC-6
    - sudo
  ansible.builtin.package:
    name: "{{ ubtu24cis_sudo_package }}"
    state: present

- name: "5.2.2 | PATCH | Ensure sudo commands use pty"
  when: ubtu24cis_rule_5_2_2
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_5.2.2
    - NIST800-53R5_AC-6
    - sudo
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    regexp: '^Defaults\s+use_'
    line: 'Defaults        use_pty'
    insertafter: '^\s*Defaults'

- name: "5.2.3 | PATCH | Ensure sudo log file exists"
  when: ubtu24cis_rule_5_2_3
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_5.2.3
    - NIST800-53R5_AU-3
    - NIST800-53R5_AU-12
    - sudo
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    regexp: '^Defaults\s+logfile'
    line: 'Defaults        logfile="{{ ubtu24cis_sudo_logfile }}"'
    insertafter: '^\s*Defaults'

- name: "5.2.4 | PATCH | Ensure users must provide password for escalation"
  when: ubtu24cis_rule_5_2_4
  tags:
    - level2-server
    - level2-workstation
    - patch
    - sudo
    - rule_5.2.4
    - NIST800-53R5_AC-6
  block:
    - name: "5.2.4 | AUDIT | Ensure users must provide password for escalation | discover accts with NOPASSWD"
      ansible.builtin.shell: grep -Ei '(nopasswd)' /etc/sudoers /etc/sudoers.d/* | cut -d':' -f1
      become: true
      changed_when: false
      failed_when: false
      register: discovered_sudoers_nopasswd

    - name: "5.2.4 | PATCH | Ensure users must provide password for escalation"
      when: discovered_sudoers_nopasswd.stdout | length > 0
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: '^((?!#|{% for name in ubtu24cis_sudoers_exclude_nopasswd_list %}{{ name }}{% if not loop.last -%}|{%- endif -%}{% endfor %}).*)NOPASSWD(.*)'
        replace: '\1PASSWD\2'
        validate: '/usr/sbin/visudo -cf %s'
      loop: "{{ discovered_sudoers_nopasswd.stdout_lines }}"

- name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
  when: ubtu24cis_rule_5_2_5
  tags:
    - level1-server
    - level1-workstation
    - patch
    - sudo
    - rule_5.2.5
    - NIST800-53R5_AC-6
  ansible.builtin.replace:
    path: "{{ item }}"
    regexp: '^([^#].*)!authenticate(.*)'
    replace: '\1authenticate\2'
    validate: '/usr/sbin/visudo -cf %s'
  loop: "{{ prelim_sudoers_files.stdout_lines }}"

- name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
  when: ubtu24cis_rule_5_2_6
  tags:
    - level1-server
    - level1-workstation
    - patch
    - sudo
    - rule_5.2.6
    - NIST800-53R5_AC-6
  block:
    - name: "5.2.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set"
      ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
      changed_when: false
      failed_when: false
      register: discovered_ubtu24cis_ssh_timeout_files

    - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results"
      when: discovered_ubtu24cis_ssh_timeout_files.stdout | length == 0
      ansible.builtin.lineinfile:
        path: /etc/sudoers
        regexp: '^\s*Defaults/s+timestamp_timeout='
        line: "Defaults        timestamp_timeout={{ ubtu24cis_sudo_timestamp_timeout }}"
        insertafter: '^\s*Defaults'
        validate: '/usr/sbin/visudo -cf %s'

    - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"
      when: discovered_ubtu24cis_ssh_timeout_files.stdout | length > 0
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: 'timestamp_timeout=(\d+)'
        replace: "timestamp_timeout={{ ubtu24cis_sudo_timestamp_timeout }}"
        validate: '/usr/sbin/visudo -cf %s'
      loop: "{{ discovered_ubtu24cis_ssh_timeout_files.stdout_lines }}"

- name: "5.2.7 | PATCH | Ensure access to the su command is restricted"
  when: ubtu24cis_rule_5_2_7
  tags:
    - level1-server
    - level1-workstation
    - patch
    - sudo
    - rule_5.2.7
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  block:
    - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
      ansible.builtin.group:
        name: "{{ ubtu24cis_sugroup }}"
        state: present

    - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
      ansible.builtin.lineinfile:
        path: /etc/group
        regexp: '^{{ ubtu24cis_sugroup }}(:.:.*:).*$'
        line: '{{ ubtu24cis_sugroup }}\g<1>'
        backrefs: true

    - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
      ansible.builtin.lineinfile:
        path: /etc/pam.d/su
        regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
        line: 'auth           required        pam_wheel.so use_uid group={{ ubtu24cis_sugroup }}'