From 15511b389fc95701a3f4ff8e6ddccf2fd168dca2 Mon Sep 17 00:00:00 2001 From: uk-bolly Date: Wed, 1 May 2024 13:52:44 +0100 Subject: [PATCH] devel to main release (#27) * #18 corrected Signed-off-by: Mark Bolwell * updated due to #19 great catch Signed-off-by: Mark Bolwell * V2.0.0 final release (#24) * removed warn: false Signed-off-by: Mark Bolwell * fix typos Signed-off-by: Mark Bolwell * addressed #21 Signed-off-by: Mark Bolwell * updated 1.1.2 logic Signed-off-by: Mark Bolwell * updated handler Signed-off-by: Mark Bolwell --------- Signed-off-by: Mark Bolwell * Correct 4.1.15 sudo audit syntax (#26) Signed-off-by: Andrew Davison --------- Signed-off-by: Mark Bolwell Signed-off-by: Andrew Davison Co-authored-by: Andrew Davison --- handlers/main.yml | 12 +-- tasks/LE_audit_setup.yml | 2 +- tasks/post_remediation_audit.yml | 2 - tasks/pre_remediation_audit.yml | 3 - tasks/section_1/cis_1.1.x.yml | 89 +++++++++++++++-------- tasks/section_1/cis_1.2.x.yml | 2 - tasks/section_3/cis_3.1.x.yml | 2 - tasks/section_6/cis_6.2.x.yml | 2 - templates/audit/99_auditd.rules.j2 | 4 +- templates/etc/systemd/system/tmp.mount.j2 | 22 ++++++ 10 files changed, 89 insertions(+), 51 deletions(-) create mode 100644 templates/etc/systemd/system/tmp.mount.j2 diff --git a/handlers/main.yml b/handlers/main.yml index bfc6e4a..f8c71c6 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -8,20 +8,18 @@ masked: false state: reloaded +- name: remount tmp + command: mount -o remount /tmp + - name: remount dev_shm command: mount -o remount /dev/shm - args: - warn: false - name: remount var_tmp command: mount -o remount /var/tmp - args: - warn: false - name: remount home command: mount -o remount /home - args: - warn: false + - name: systemd daemon reload systemd: daemon_reload: true @@ -61,8 +59,6 @@ command: /sbin/service auditd restart check_mode: false failed_when: false - args: - warn: false when: - not amazon2cis_skip_for_travis tags: diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 61a4cdf..8321a32 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -13,7 +13,7 @@ - name: copy audit binary copy: - src: + src: "{{ copy_goss_from_path }}" dest: "{{ audit_bin }}" mode: 0555 owner: root diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index cff4432..fd1e9ec 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -3,8 +3,6 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" changed_when: true - vars: - warn: false - name: Post Audit | ensure audit files readable by users file: diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index dd98183..53e66f8 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -34,7 +34,6 @@ copy: src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dir }}" - mode: 0644 when: - audit_content == 'copy' @@ -80,8 +79,6 @@ - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" changed_when: true - vars: - warn: false - name: Pre Audit | Capture audit data if json format block: diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 1f5bb8b..f269d46 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -1,51 +1,84 @@ --- -- name: "1.1.2 | PATCH | Ensure /tmp is configured" - systemd: - name: tmp.mount - daemon_reload: true - enabled: true - masked: false - state: started +- name: "1.1.2 | AUDIT | Ensure /tmp is configured" + block: + - name: "1.1.2 | AUDIT | Ensure /tmp is configured" + ansible.builtin.shell: findmnt -n /tmp + changed_when: false + failed_when: false + register: amazon2_tmp_exists + + - name: "1.1.2 | WARN | Ensure /tmp is configured | Absent" + ansible.builtin.debug: + msg: "Warning!! /tmp is configured to use fstab but does not exist" + changed_when: true + when: amazon2_tmp_exists.stdout | length == 0 when: - - amazon2cis_tmp_svc - amazon2cis_rule_1_1_2 + - not amazon2cis_tmp_svc tags: - - level1 + - level1-server + - level1-workstation - automated - - patch - - rule_1.1.2 + - audit - mounts + - rule_1.1.2 - name: | - "1.1.3 | PATCH | Ensure noexec option set on /tmp partition - 1.1.4 | PATCH | Ensure nodev option set on /tmp partition - 1.1.5 | PATCH | Ensure nosuid option set on /tmp partition" - mount: + "1.1.3 | PATCH | Ensure noexec option set on /tmp partition" + "1.1.4 | PATCH | Ensure nodev option set on /tmp partition" + "1.1.5 | PATCH | Ensure nosuid option set on /tmp partition" + ansible.posix.mount: name: /tmp src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if amazon2cis_rule_1_1_4 %}nodev,{% endif %}{% if amazon2cis_rule_1_1_3 %}noexec,{% endif %}{% if amazon2cis_rule_1_1_5 %}nosuid{% endif %} - notify: systemd restart tmp.mount - with_items: - - "{{ ansible_mounts }}" + opts: defaults,{% if amazon2cis_rule_1_1_3 %}noexec,{% endif %}{% if amazon2cis_rule_1_1_4 %}nodev,{% endif %}{% if amazon2cis_rule_1_1_5 %}nosuid{% endif %} + notify: remount tmp + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" when: - item.mount == "/tmp" - - amazon2cis_tmp_svc + - not amazon2cis_tmp_svc + - amazon2_tmp_exists.stdout | length > 0 - amazon2cis_rule_1_1_3 or amazon2cis_rule_1_1_4 or amazon2cis_rule_1_1_5 tags: - - level1 + - level1-server + - level1-workstation - automated - patch + - mounts + +- name: | + "1.1.2 | PATCH | Ensure /tmp is configured" + "1.1.3 | PATCH | Ensure noexec option set on /tmp partition" + "1.1.4 | PATCH | Ensure nodev option set on /tmp partition" + "1.1.5 | PATCH | Ensure nosuid option set on /tmp partition" + notify: systemd restart tmp.mount + ansible.builtin.template: + src: etc/systemd/system/tmp.mount.j2 + dest: /etc/systemd/system/tmp.mount + owner: root + group: root + mode: '0644' + when: + - amazon2cis_tmp_svc + - amazon2cis_rule_1_1_2 or + amazon2cis_rule_1_1_3 or + amazon2cis_rule_1_1_4 or + amazon2cis_rule_1_1_5 + tags: + - level1-server + - level1-workstation + - patch + - mounts + - rule_1.1.2 - rule_1.1.3 - rule_1.1.4 - rule_1.1.5 - - mounts - name: | "1.1.6 | PATCH | Ensure /dev/shm is configured @@ -82,7 +115,7 @@ - name: "1.1.10 | AUDIT | Ensure separate partition exists for /var | Message if present" debug: - msg: "Congradulations: /var is on a seperate partition" + msg: "Congratulations: /var is on a seperate partition" when: "'/var' in mount_names" when: - amazon2cis_rule_1_1_10 @@ -102,7 +135,7 @@ - name: "1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp | Message if present" debug: - msg: "Congradulations: /var/tmp is on a seperate partition" + msg: "Congratulations: /var/tmp is on a seperate partition" when: "'/var/tmp' in mount_names" when: - amazon2cis_rule_1_1_11 @@ -153,7 +186,7 @@ - name: "1.1.15 | PATCH | Ensure separate partition exists for /var/log | Message if present" debug: - msg: "Congradulations: /var/log is on a seperate partition" + msg: "Congratulations: /var/log is on a seperate partition" when: "'/var/log' in mount_names" when: - amazon2cis_rule_1_1_15 @@ -173,7 +206,7 @@ - name: "1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit | Message if present" debug: - msg: "Congradulations: /var/log/audit is on a seperate partition" + msg: "Congratulations: /var/log/audit is on a seperate partition" when: "'/var/log/audit' in mount_names" when: - amazon2cis_rule_1_1_16 @@ -193,7 +226,7 @@ - name: "1.1.17 | AUDIT | Ensure separate partition exists for /home | Message if present" debug: - msg: "Congradulations: /home is on a seperate partition" + msg: "Congratulations: /home is on a seperate partition" when: "'/home' in mount_names" when: - amazon2cis_rule_1_1_17 @@ -250,8 +283,6 @@ shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t changed_when: false failed_when: false - args: - warn: false when: - amazon2cis_rule_1_1_22 tags: diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index ef6c99a..f555f4a 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -19,8 +19,6 @@ command: yum repolist changed_when: false register: amazon2cis_1_2_2_repolist - args: - warn: false - name: "AUDIT| 1.2.2 | AUDIT | Ensure package manager repositories are configured | Show repo list" debug: diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 3c17f66..7bafafe 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -28,8 +28,6 @@ failed_when: false check_mode: false register: amazon2_3_1_2_nmcli_available - args: - warn: false - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" command: nmcli radio wifi diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 1a8b844..0bbb680 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -7,8 +7,6 @@ changed_when: false failed_when: false register: amazon2_6_2_1_shadow - args: - warn: false - name: "6.2.1 | PATCH | Ensure accounts in /etc/passwd use shadow passwords | Good News" debug: diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 19eb0be..24ca3c0 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -66,8 +66,8 @@ -w /etc/sudoers.d/ -p wa -k scope {% endif %} {% if amazon2cis_rule_4_1_15 %} --a exit,always -F arch=b64 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions --a exit,always -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions +-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions +-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions {% endif %} {% if amazon2cis_rule_4_1_16 %} -w /sbin/insmod -p x -k modules diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2 new file mode 100644 index 0000000..1200d47 --- /dev/null +++ b/templates/etc/systemd/system/tmp.mount.j2 @@ -0,0 +1,22 @@ +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! + + +[Unit] +Description=Temporary Directory (/tmp) +Documentation=man:hier(7) +Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems +ConditionPathIsSymbolicLink=!/tmp +DefaultDependencies=no +Conflicts=umount.target +Before=local-fs.target umount.target +After=swap.target + +[Mount] +What=tmpfs +Where=/tmp +Type=tmpfs +Options=mode=1777,strictatime,{% if amazon2cis_rule_1_1_3 %}noexec,{% endif %}{% if amazon2cis_rule_1_1_4 %}nodev,{% endif %}{% if amazon2cis_rule_1_1_5 %}nosuid{% endif %} + +# Make 'systemctl enable tmp.mount' work: +[Install] +WantedBy=local-fs.target