colin
/
UBUNTU24-CIS
mirror of https://github.com/ansible-lockdown/UBUNTU24-CIS.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
UBUNTU24-CIS/tasks/section_7/cis_7.2.x.yml

341 lines
12 KiB
YAML
Raw Permalink Blame History

---
- name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords"
when: ubtu24cis_rule_7_2_1
tags:
- level1-server
- level1-workstation
- audit
- rule_7.2.1
- NIST800-53R5_IA-5
- user_accounts
vars:
warn_control_id: '7.2.1'
block:
- name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Get users not using shadowed passwords"
ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd
changed_when: false
failed_when: false
register: discovered_nonshadowed_users
- name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Warn on findings"
when: discovered_nonshadowed_users.stdout | length > 0
ansible.builtin.debug:
msg:
- "Warning!! You have users that are not using a shadowed password. Please convert the below accounts to use a shadowed password"
- "{{ discovered_nonshadowed_users.stdout_lines }}"
- name: "7.2.1 | WARNING | Ensure accounts in /etc/passwd use shadowed passwords | warn_count"
when: discovered_nonshadowed_users.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty"
when: ubtu24cis_rule_7_2_2
tags:
- level1-server
- level1-workstation
- patch
- rule_7.2.2
- NIST800-53R5_IA-5
- user
- permissions
block:
- name: "7.2.2 | AUDIT | Ensure /etc/shadow password fields are not empty | Find users with no password"
ansible.builtin.shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow
changed_when: false
check_mode: false
register: discovered_empty_password_acct
- name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty | Lock users with empty password"
when: discovered_empty_password_acct.stdout | length > 0
ansible.builtin.user:
name: "{{ item }}"
password_lock: true
loop:
- "{{ discovered_empty_password_acct.stdout_lines }}"
- name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group"
when: ubtu24cis_rule_7_2_3
tags:
- level1-server
- level1-workstation
- audit
- rule_7.2.3
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- groups
vars:
warn_control_id: '7.2.3'
block:
- name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries"
ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}'
changed_when: false
failed_when: false
check_mode: false
register: discovered_passwd_gid_check
- name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
when: discovered_passwd_gid_check.stdout | length > 0
ansible.builtin.debug:
msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join(', ') }}"
- name: "7.2.3 | WARNING | Ensure all groups in /etc/passwd exist in /etc/group | warn_count"
when: discovered_passwd_gid_check.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "7.2.4 | PATCH | Ensure shadow group is empty"
when: ubtu24cis_rule_7_2_4
tags:
- level1-server
- level1-workstation
- patch
- rule_6.2.4
- NIST800-53R5_IA-5
- user
vars:
warn_control_id: '7.2.4'
block:
- name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group"
ansible.builtin.getent:
database: group
split: ':'
key: shadow
- name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group"
when: ansible_facts.getent_group.shadow[2] | length > 0
ansible.builtin.debug:
msg: "Warning!! - You have users in the shadow group"
- name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group"
when: ansible_facts.getent_group.shadow[2] | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist"
when: ubtu24cis_rule_7_2_5
tags:
- level1-server
- level1-workstation
- audit
- rule_7.2.5
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- user
vars:
warn_control_id: '7.2.5'
block:
- name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
changed_when: false
failed_when: false
check_mode: false
register: discovered_user_uid_check
- name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs"
when: discovered_user_uid_check.stdout | length > 0
ansible.builtin.debug:
msg: "Warning!! The following users have UIDs that are duplicates: {{ discovered_user_uid_check.stdout_lines }}"
- name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist | Set warning count"
when: discovered_user_uid_check.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist"
when: ubtu24cis_rule_7_2_6
tags:
- level1-server
- level1-workstation
- audit
- rule_7.2.6
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- groups
vars:
warn_control_id: '7.2.6'
block:
- name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs"
ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"
changed_when: false
failed_when: false
check_mode: false
register: discovered_user_gid_check
- name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs"
when: discovered_user_gid_check.stdout | length > 0
ansible.builtin.debug:
msg: "Warning!! The following groups have duplicate GIDs: {{ discovered_user_gid_check.stdout_lines }}"
- name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist | Set warning count"
when: discovered_user_gid_check.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "7.2.7 | AUDIT | Ensure no duplicate user names exist"
when: ubtu24cis_rule_7_2_7
tags:
- level1-server
- level1-workstation
- audit
- rule_7.2.7
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- user
vars:
warn_control_id: '7.2.67'
block:
- name: "7.2.7 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
changed_when: false
failed_when: false
check_mode: false
register: discovered_username_check
- name: "7.2.7 | WARNING | Ensure no duplicate user names exist | Print warning about users with duplicate User Names"
when: discovered_username_check.stdout | length > 0
ansible.builtin.debug:
msg: "Warning!! The following user names are duplicates: {{ discovered_user_username_check.stdout_lines }}"
- name: "7.2.7 | WARNING | Ensure no duplicate user names exist | Set warning count"
when: discovered_username_check.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "7.2.8 | AUDIT | Ensure no duplicate group names exist"
when: ubtu24cis_rule_7_2_8
tags:
- level1-server
- level1-workstation
- audit
- rule_7.2.8
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- groups
vars:
warn_control_id: '7.2.8'
block:
- name: "7.2.8 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names"
ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'
changed_when: false
failed_when: false
check_mode: false
register: discovered_group_check
- name: "7.2.8 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
when: discovered_group_check.stdout | length > 0
ansible.builtin.debug:
msg: "Warning!! The following group names are duplicates: {{ discovered_group_group_check.stdout_lines }}"
- name: "7.2.8 | AUDIT | Ensure no duplicate group names exist | Set warning count"
when: discovered_group_check.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured"
when: ubtu24cis_rule_7_2_9
tags:
- level1-server
- level1-workstation
- patch
- users
- rule_7.2.9
- NIST800-53R5_NA
block:
- name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent"
ansible.builtin.file:
path: "{{ item.dir }}"
state: directory
owner: "{{ item.id }}"
group: "{{ item.gid }}"
mode: 'g-w,o-rwx'
loop: "{{ ubtu24cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | list }}"
loop_control:
label: "{{ item.id }}"
# set default ACLs so the homedir has an effective umask of 0027
- name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured | Set group ACL"
when: not system_is_container
ansible.posix.acl:
path: "{{ item }}"
default: true
etype: group
permissions: rx
state: present
loop: "{{ prelim_interactive_users_home.stdout_lines }}"
- name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured | Set other ACL"
when: not system_is_container
ansible.posix.acl:
path: "{{ item }}"
default: true
etype: other
permissions: 0
state: present
loop: "{{ prelim_interactive_users_home.stdout_lines }}"
- name: "7.2.10 | PATCH | Ensure local interactive user dot files access is configured"
when:
- ubtu24cis_rule_7_2_10
- ubtu24cis_disruption_high
tags:
- level1-server
- level1-workstation
- patch
- rule_7.2.10
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- user
vars:
warn_control_id: '7.2.10'
block:
- name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Check for files"
ansible.builtin.shell: find /home/ /root/ -name "\.*" -type f -perm /u+x,g+wx,o+wx
changed_when: false
failed_when: discovered_homedir_dot_files.rc not in [ 0, 1 ]
check_mode: false
register: discovered_homedir_dot_files
- name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Warning on files found"
when:
- discovered_homedir_dot_files.stdout | length > 0
- ubtu24cis_dotperm_ansiblemanaged
ansible.builtin.debug:
msg:
- "Warning!! We have discovered group or world-writable dot files on your system and this host is configured for manual intervention. Please investigate these files further."
- name: "7.2.10 | PATCH | Ensure local interactive user dot files access is configured | Set warning count"
when:
- discovered_homedir_dot_files.stdout | length > 0
- ubtu24cis_dotperm_ansiblemanaged
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "7.2.10 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured"
when:
- discovered_homedir_dot_files.stdout | length > 0
- ubtu24cis_dotperm_ansiblemanaged
ansible.builtin.file:
path: '{{ item }}'
mode: 'u-x,go-wx'
with_items: "{{ discovered_homedir_dot_files.stdout_lines }}"
Reference in New Issue View Git Blame Copy Permalink